Building a threat hunting team

Threat hunting is not just about the tools or techniques; it’s about the people behind the process, including your in-house capabilities, and external partnerships.

Mario Daigle

September 3, 2024 | 5 minute read


In our previous discussions, we’ve delved into the daily life of a threat hunter, explored the collaborative nature of their work, and highlighted the tools they rely on. Now, as we shift our focus to the strategic side, it’s crucial to consider how to build a threat hunting team that aligns with your organization’s unique needs. 

As we’ve seen, threat hunting is not just about the tools or techniques; it’s about the people behind the process. Our earlier posts discussed how threat hunters operate in a fast-paced, ever-changing environment, where staying informed and collaborating effectively are key to success. Building an effective threat hunting team requires careful consideration of in-house capabilities, potential benefits of external partnerships, and a keen understanding of your security stack. 

This is the 9th post in our ongoing “The Rise of the Threat Hunter” blog series. To learn more about the series, check out the introduction here or read last week’s post, “How to support threat hunters.”

Developing an in-house team 

Creating an in-house threat hunting team offers the advantage of aligning your security efforts with the specific needs and objectives of your organization. By having a team that is intimately familiar with your industry, infrastructure, and threat landscape, you can ensure that your defense strategies are tailored and highly effective. Additionally, an internal team can seamlessly integrate with other security functions, fostering a unified approach to cybersecurity. 

However, the journey of building an in-house team is not without its challenges. As we all know, the demand for skilled threat hunters is high, and the work requires a unique blend of technical expertise, analytical thinking, and continuous learning. To attract and retain top talent, it’s essential to create an environment that supports ongoing education, collaboration, and innovation. A well-supported team will be more engaged and better equipped to stay ahead of emerging threats.

The value of external expertise 

While an in-house team provides deep integration and a tailored approach, external partnerships can bring valuable perspectives and specialized skills. Cybersecurity firms and managed security services providers have the advantage of working across various industries and encountering a wide range of threats. This exposure allows them to bring fresh insights and cutting-edge threat intelligence to your organization. 

External experts can also help fill gaps in your team’s knowledge or capacity, particularly during times of heightened risk or when facing new, complex threats. Their ability to scale quickly and provide immediate support can be invaluable, especially if your organization lacks the resources to maintain a large in-house team. 

Balancing in-house and external resources 

The decision between developing an in-house team and leveraging external resources doesn’t have to be mutually exclusive. Many organizations find that a hybrid approach—combining the strengths of both—offers the best protection. An in-house team can handle day-to-day threat hunting activities and maintain a deep understanding of the organization, while external partners can provide additional support, specialized expertise, and a broader perspective when needed. 

In this hybrid model, the key is to ensure that both in-house and external teams are aligned and communicate effectively. By doing so, you can create a comprehensive threat hunting strategy that is both resilient and adaptable to the ever-changing threat landscape. 

Understanding the security stack for effective hiring 

It is also essential for hiring organizations to understand their specific security stack when building a threat hunting team. The tools and technologies that make up your security stack directly influence the skills and expertise required in your threat hunters. For example, a team protecting a large organization with a robust set of tools may be able to hire threat hunters who specialize in individual tools, whereas a small organization may be looking for someone with broad expertise.

By having a clear understanding of your security stack, you can better identify the specific skill sets and experiences that are most relevant to your needs. This ensures that you hire the right candidates who can maximize the effectiveness of your security tools and contribute to a robust and proactive threat hunting capability. 

Hiring for success 

As you look to build out your threat hunting team, the personas outlined in the University of Victoria Threat Hunter report are a powerful tool to help identify the specific qualities you need in candidates. For instance, if you seek a creative leader, a persona reflecting those traits can guide your search. Similarly, if analytical problem-solving is crucial, you can focus on candidates who fit that profile.

Using personas allows for targeted job descriptions, attracting the right candidates and setting clear expectations. During interviews, personas serve as reference points to ensure candidates possess the qualities that will complement your team and meet your organization’s needs. Incorporating personas into your hiring strategy fosters informed decisions, ensuring a well-rounded threat hunting team capable of addressing dynamic cybersecurity challenges. 

Conclusion 

Building a threat hunting team is a critical step in securing your organization against advanced threats. Whether you choose to develop your capabilities in-house, seek external expertise, or adopt a combination of both, the focus should always be on fostering a team that is proactive, well-informed, and capable of responding to the dynamic challenges of cybersecurity. By understanding your organization’s security stack and carefully balancing the team’s internal strengths with external support, you can create a robust defense strategy that keeps your organization safe in a rapidly evolving digital world.

Learn More about OpenText Cybersecurity 

Ready to enable your threat hunting team with products, services, and training to protect your most valuable and sensitive information? Check out our cybersecurity portfolio for a modern portfolio of complementary security solutions that offer threat hunters and security analysts 360-degree visibility across endpoints and network traffic to proactively identify, triage, and investigate anomalous and malicious behavior. 


Mario Daigle

Mario is a seasoned product management and operations executive with over 25 years of experience building and refining product offerings in general analytics, applied analytics, cloud and SaaS, and cybersecurity. Mario spent the early years of his career in the Business Intelligence and Analytics space, leading several teams including platform and OEM strategy for Cognos before, during, and after the IBM acquisition in 2008. In 2013, Mario joined Series A startup Interset to help lead its pivot into cybersecurity, which pioneered a best-of-breed analytic approach to optimize for insider and advanced threat detection. With important partners such as In-Q-Tel, Interset had a successful outcome, culminating with the acquisition by Micro Focus in 2019. Mario currently leads Enterprise Cybersecurity Engineering and Product Management at OpenText, which includes application security, identity and access management, data security, forensics, as well as threat detection capabilities. Startup-minded, Mario continuously seeks to make balanced, unbiased decisions by seeking the most accurate information and context from the best experts.
