Threat Hunting Resources and Glossary

Below we have compiled an extensive list of useful resources - articles, frameworks, guides and more - for further reading about Threat Hunting, together with a Glossary of Terms.

We hope you find these helpful.

Threat Hunting Resources

The following is a consolidated list of all useful links referenced on the various pages on this site that cover threat hunting.

Glossary of Terms

APT

Advanced Persistent Threat, i.e. a Threat Actor capable of gaining unauthorized access to a network and remaining undetected for an extended period.

Attack Surface

A term used to characterize how vulnerable an IT environment is to potential attack. If an IT environment is said to have a large attack surface, this means there are many potential ways in which an attacker may get in. A small attack surface indicates limited opportunities for attack.

Attack Vector

An attack vector is a path or means by which a hacker can gain access to a computer or network server in order to deliver a payload or malicious outcome. Attack vectors come from Threat Actors exploiting system and/or human vulnerabilities.

Blacklist

A list of entities that are blocked or denied privileges or access. Often refers to a list of IP addresses.


Another name for Blacklist

C&C

Command and Control. Generally used when referring to a C&C server, i.e. a server configured by Threat Actors to communicate with machines that they have hacked/compromised. C&C servers are generally the source of malicious payloads and the destination for exfiltrated data.


Another name for C&C

CVE

Common Vulnerabilities and Exposures. Refers to publicly known vulnerabilities. The MITRE organization maintains a database of CVEs.

CWE

Common Weakness Enumeration. A categorization system for CVEs maintained by MITRE. CVEs refer to individual vulnerabilities specific to certain software/hardware, whereas CWEs refer to generic types of vulnerabilities.

DHS

Department of Homeland Security [USA].

DLP Software

Data Loss Prevention Software. Detects and prevents data loss and exfiltration by monitoring endpoints, storage, and network traffic.

East-West Traffic

Refers to network traffic within an IT environment (distinct from North-South Traffic).

EDR

Endpoint Detection and Response. Tools that detect suspicious activity, or traces of it, on endpoints such as servers and PCs.

Exfiltration

The unauthorized transfer of information from a system.

Exploit Kit

(Verb) To attack a weakness in an IT system to accomplish some malicious action. (Noun) Generally refers to a specific method/procedure/software used to exploit a known vulnerability.

Honey Pot

A deliberate vulnerability and/or fake data intended to attract malicious actors. Generally monitored, a honeypot is often used to give early warning of malicious activity. Sometimes used as a decoy, and sometimes used by security firms and researchers to gather intelligence.


High Risk Users


High Value Asset

IDS

Intrusion Detection System. Monitors networks and systems for malicious activities or policy violations.

IPS

Intrusion Prevention System. An IPS is an IDS with the ability to execute real-time responses to active attacks and violations. See also Next-Gen Firewall.

IoA

Indicator of Attack. A clue that an attack may have occurred or is occurring, or a precursor to an attack. A successful attack results in compromise.

IoC

Indicator of Compromise. A clue that data exfiltration and/or harm may have occurred or is occurring.

Lateral Movement

Refers to Threat Actors obtaining access to other machines after their initial infiltration of one machine.

MSSP

Managed Security Service Provider. A provider of outsourced SOC services.

Next-Gen Firewall

"A firewall that goes beyond port/protocol inspection and blocking to add application-level inspection and intrusion prevention. Industry convergence has resulted in a next generation firewall being functionally equivalent to an IPS."

North-South Traffic

Refers to network traffic between an IT environment and the public internet. Network diagrams tend to show the internet above the IT environment, hence the name.

OSINT

Open Source Intelligence. In this context, refers to publicly available threat intelligence (as opposed to threat intelligence that you pay for).

Phishing

A fraudulent attempt to get someone to take an action by pretending to be trustworthy via electronic message, most commonly email or SMS. See also Spear Phishing.

PowerShell

A scripting language built into Microsoft Windows that allows for the automation of system administration tasks.

PUA

Potentially Unwanted Application.

SecOps

Security Operations.

SOC

Security Operations Center.

SIEM

Security Information and Event Management (or Manager).

Spear Phishing

Phishing that is targeted at, and tailored to, a specific individual, as distinct from regular phishing, which is broadcast and not tailored.

Timestomping

The act of modifying file timestamps, usually in the context of malicious activity, to hide that a file is new or recently modified.

Threat Actor

An individual, group, organization, government, or government sponsored entity that conducts or has the intent to conduct malicious activities.

TTP

Tactics, Techniques and Procedures.


A flaw or misconfiguration in hardware or software. Threat Actors exploit vulnerabilities to perform attacks and/or gain unauthorized access.

VM

Virtual Machine.

Further Glossary Reading: