February 13, 2026
7 min read

Beyond the APT Chase: Why You May Be Hunting the Wrong Things (And How to Fix It)

There is a critical visibility gap where operational anomalies go unnoticed because teams cannot distinguish signal from noise. The piece positions Command Zero’s "Business Context" and "Table Filters" as the essential solution, enabling the encoding of institutional knowledge directly into investigations. By transforming manual noise reduction into persistent baseline enforcement, the platform facilitates a practical progression to innovative hunting maturity (HMM3).

Eric Hulse
Director of Security Research

During my 24 years in security operations, from Air Force information warfare to tier-3 SOC work, I’ve watched hundreds of organizations chase the same impossible dream: becoming the team that discovers the next major threat group, like APT1. Teams pour resources into threat hunting programs, hire expensive consultants, and build elaborate procedures to track advanced persistent threats. Yet most of them never progress beyond procedural hunting that follows someone else’s playbook.

The irony? While they’re hunting for nation-state adversaries, their environment is full of missed signals:

  • Locked-out service accounts that suddenly unlock at 3 AM.  
  • New administrative accounts created without change tickets.  
  • That legacy application mysteriously updated itself over the weekend.  
  • Shadow IT sprawl that nobody’s tracking.  

These aren’t sexy Advanced Persistent Threat (APT) indicators, but they’re the organizational anomalies that matter for most security teams.

The problem isn’t that organizations lack hunting ambition. The problem is they’re stuck in what David Bianco’s Cyber Hunting Maturity Model describes as HMM1 (Hunting Maturity Model 1) or HMM2 (Hunting Maturity Model 2), capable of searching for known indicators or following published procedures, but unable to develop the contextual understanding needed to hunt effectively in their own environment. And that’s because they’re missing something fundamental: The ability to understand what “normal” looks like in their specific organizational context.

The Maturity Trap: Why Most Organizations Get Stuck at HMM2

The Cyber Hunting Maturity Model, originally developed by Sqrrl’s David Bianco (who also co-created the PEAK framework at Splunk), defines five levels of hunting capability. Most organizations with active hunting programs operate at HMM2, the procedural level. They can follow analysis procedures created by others and they collect substantial amounts of data, but they haven’t developed the capability to create new hunting methodologies tailored to their environment.

Here’s what that looks like in practice:

  1. At HMM0 (Initial), organizations rely entirely on automated alerting. They’re not hunting at all, they’re waiting for their EDR or SIEM to tell them something’s wrong.
  2. At HMM1 (Minimal), teams start incorporating threat intelligence. When a new report about credential dumping techniques drops, analysts search their historical data for those specific indicators. It’s hunting, but just barely.
  3. At HMM2 (Procedural), organizations implement published hunting procedures. They’re running the playbooks they find on GitHub, following frameworks from vendor blogs, executing searches based on MITRE ATT&CK techniques. This is where most “mature” hunting programs actually live.
  4. The jump to HMM3 (Innovative) requires creating novel analysis procedures specific to your environment.
  5. And HMM4 (Leading) means automating those successful hunts so they run continuously without manual intervention.

What prevents organizations from progressing beyond HMM2?  

It’s not lack of tools or data. It’s lack of organizational context. You can’t create effective hunting procedures for your environment if you don’t understand what normal behavior looks like in that environment. And you can’t automate hunts if you can’t distinguish signal from noise.

The PEAK Problem: Great Framework, Missing Foundation

Splunk’s PEAK framework (Prepare, Execute, Act with Knowledge) provides an excellent structure for conducting hunts. It defines three hunt types:

  • Hypothesis-Driven: Form a theory about potential threats and test it
  • Baseline: Establish normal behavior and hunt for deviations
  • Model-Assisted (M-ATH): Use machine learning to identify anomalies

The framework is solid. The challenge is the “Knowledge” component that’s supposed to inform every phase. PEAK assumes you have a deep understanding of your organizational context: business processes, normal user behavior, expected system interactions, legitimate administrative patterns. For most organizations, that knowledge exists only in the heads of senior analysts who’ve been there for years. It’s not encoded, not searchable, and walks out the door when they do.

This is where baseline hunting, the foundation of the PEAK framework, breaks down in practice. You’re supposed to establish what’s normal and hunt for deviations. But how do you define “normal” across thousands of users, hundreds of applications, and constantly changing business processes? How do you distinguish between “unusual” and “malicious” when you lack the organizational context to make that judgment?

Hunting Beyond Threat Actors: The Visibility Gap Nobody Talks About

Here’s the uncomfortable truth: most organizations don’t have an APT problem. They have a basic visibility problem. While security teams are searching for sophisticated adversary tactics, their environment is generating organizational signals that never get investigated:

  • Identity sprawl: Service accounts that haven’t been used in months, suddenly authenticating. New accounts created outside the provisioning system. Privilege escalations that don’t match any approval workflow.
  • Configuration drift: Applications updating without change tickets. Firewall rules modified by unknown processes. Group policy changes that nobody authorized.
  • Operational anomalies: Users locked out repeatedly at unusual times. File shares suddenly accessible to broader audiences. Database connections from unexpected sources.
  • Shadow IT: Cloud services nobody knew existed. Third-party integrations bypassing security review. Data exports to unfamiliar destinations.

These aren’t advanced persistent threats. They’re organizational reality, the things happening in your environment that should trigger investigation but never do because nobody has time to look, nobody has context to interpret them, and nobody has a way to distinguish genuine anomalies from everyday variation.

Traditional threat hunting focuses on adversary behavior. But there’s a whole category of hunting that’s equally important: organizational hunting. Understanding what’s actually happening in your environment, identifying changes that matter, and surfacing the operational signals that indicate problems before they become incidents.

The Missing Piece: Business Context as a Hunting Accelerator

The jump from HMM2 to HMM3 requires developing analysis procedures specific to your organization. But you can’t create those procedures without understanding organizational context. This is where Command Zero’s approach transforms the hunting paradigm.

Command Zero’s new business context feature allows teams to encode organizational knowledge directly into their investigations. Instead of treating every login from an unusual location as equally suspicious, you can incorporate context about business travel, remote work patterns, or expected geographic presence. Instead of flagging every new account creation, you can reference onboarding schedules, contractor patterns, or seasonal hiring cycles.

This is more than just metadata tagging. It encodes the institutional knowledge that senior analysts carry in their heads into a queryable, shareable form that makes investigations faster and more accurate.

Here’s a concrete example from a customer engagement: Their security team was investigating credential stuffing attempts and kept getting distracted by legitimate password failures. Users traveling internationally, VPN misconfigurations, SSO integration issues, all generating “suspicious” authentication failures that required manual review to dismiss.

By encoding business context about expected travel patterns, known VPN issues, and legitimate authentication variation, they transformed their hunting capability. Suddenly the real credential stuffing attempts stood out clearly because the noise was contextualized and filtered appropriately. They progressed from running someone else’s credential stuffing detection procedure (HMM2) to developing a custom hunt specific to their organization’s authentication patterns (HMM3).

Table Filters: Turning Baseline Hunting Into Something Usable

The PEAK framework’s baseline hunting approach makes perfect sense in theory: establish normal behavior, then hunt for deviations. In practice, this is where most hunting programs fail. The volume of “unusual but legitimate” activity overwhelms the handful of genuinely suspicious events.

Command Zero’s table filters solve this by allowing teams to save and apply organizational context directly to their hunt results. You’re not just filtering out noise, you’re building a persistent understanding of what “normal” looks like in your specific environment.

Say you’re hunting for unusual administrative account usage. You pull all accounts with elevated privileges that authenticated in the last 24 hours. The list has 847 entries. Most are legitimate: service accounts, administrative tasks, scheduled maintenance. But somewhere in there might be an actual compromise.

With table filters, you can encode that organizational knowledge:  

  • Filter out service accounts that authenticate every Tuesday for scheduled backup
  • Exclude administrative users who regularly work third shift
  • Surface accounts that have never authenticated from this IP range before  
  • Highlight privilege escalations that don’t correlate with approved change tickets

The filters persist. Next time you run this hunt, those 847 entries become 23 items requiring investigation. The legitimate baseline is encoded and reusable. You’re not rediscovering what “normal” means every time you hunt.
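As an added illustration of the business-context and table-filter ideas described in this section and the previous one, the following Python script (not Command Zero’s code or product; every account name, schedule, IP range, travel notice and change ticket in it is constructed) expresses saved filters as persistent predicates over rows of privileged authentications. It generalizes slightly beyond the bullets above by letting highlight rules override suppression, so a privilege escalation without an approved ticket still surfaces even for an account whose shift or schedule would otherwise explain the activity.

```python
from dataclasses import dataclass
from datetime import date, datetime
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional

# --- Constructed business context (hypothetical values, not from any real environment) ---
HOME_COUNTRY = "US"
# svc_backup is expected to authenticate on Tuesdays (weekday 1) between 01:00 and 04:00.
SERVICE_SCHEDULES = {"svc_backup": {"weekday": 1, "start_hour": 1, "end_hour": 4}}
THIRD_SHIFT_ADMINS = {"adm_nightops"}
BASELINE_RANGES = {  # source ranges each account has historically authenticated from
    "adm_alice": [ip_network("10.20.0.0/16")],
    "adm_nightops": [ip_network("10.20.0.0/16")],
    "adm_carol": [ip_network("10.20.0.0/16")],
    "svc_backup": [ip_network("10.20.0.0/16")],
}
TRAVEL_NOTICES = {"adm_alice": ("DE", date(2026, 2, 8), date(2026, 2, 14))}
APPROVED_TICKETS = {"CHG-1042"}


@dataclass
class Event:
    account: str
    time: datetime
    src_ip: str
    country: str
    kind: str            # "logon" or "priv_escalation"
    ticket: Optional[str] = None


# Constructed sample: privileged activity pulled for the hunt window.
EVENTS = [
    Event("svc_backup", datetime(2026, 2, 10, 2, 5), "10.20.1.15", "US", "logon"),
    Event("svc_backup", datetime(2026, 2, 9, 3, 0), "10.20.1.15", "US", "logon"),
    Event("adm_nightops", datetime(2026, 2, 10, 1, 10), "10.20.5.40", "US", "logon"),
    Event("adm_alice", datetime(2026, 2, 10, 9, 0), "10.20.7.8", "US", "logon"),
    Event("adm_alice", datetime(2026, 2, 10, 9, 30), "198.51.100.23", "DE", "logon"),
    Event("adm_carol", datetime(2026, 2, 10, 11, 0), "203.0.113.77", "BR", "logon"),
    Event("adm_nightops", datetime(2026, 2, 10, 2, 0), "10.20.5.40", "US", "priv_escalation"),
    Event("adm_alice", datetime(2026, 2, 10, 10, 0), "10.20.7.8", "US", "priv_escalation", "CHG-1042"),
]

# A suppressor says "this row is expected"; a highlighter returns a reason to surface the row.
Suppressor = Callable[[Event], bool]
Highlighter = Callable[[Event], Optional[str]]


def in_baseline_range(e: Event) -> bool:
    return any(ip_address(e.src_ip) in net for net in BASELINE_RANGES.get(e.account, []))


def scheduled_service_window(e: Event) -> bool:
    """Service account authenticating inside its known maintenance window."""
    s = SERVICE_SCHEDULES.get(e.account)
    return bool(s) and e.time.weekday() == s["weekday"] and s["start_hour"] <= e.time.hour < s["end_hour"]


def third_shift_admin(e: Event) -> bool:
    """Admins who regularly work nights are expected between 22:00 and 06:00."""
    return e.account in THIRD_SHIFT_ADMINS and (e.time.hour >= 22 or e.time.hour < 6)


def covered_by_travel_notice(e: Event) -> bool:
    """A foreign login is explained when an active travel notice names that country."""
    notice = TRAVEL_NOTICES.get(e.account)
    return bool(notice) and notice[0] == e.country and notice[1] <= e.time.date() <= notice[2]


def known_source_business_hours(e: Event) -> bool:
    return in_baseline_range(e) and 7 <= e.time.hour < 19


def unexpected_location(e: Event) -> Optional[str]:
    if in_baseline_range(e) or e.country == HOME_COUNTRY or covered_by_travel_notice(e):
        return None
    return f"login from unexpected location {e.country} ({e.src_ip})"


def escalation_without_ticket(e: Event) -> Optional[str]:
    if e.kind == "priv_escalation" and e.ticket not in APPROVED_TICKETS:
        return "privilege escalation without approved change ticket"
    return None


# The saved filter set: this is the part that persists between runs of the hunt.
SAVED_FILTERS: List[Suppressor] = [scheduled_service_window, third_shift_admin,
                                   covered_by_travel_notice, known_source_business_hours]
SAVED_HIGHLIGHTS: List[Highlighter] = [unexpected_location, escalation_without_ticket]


def triage(events, suppressors=SAVED_FILTERS, highlighters=SAVED_HIGHLIGHTS):
    """Return the rows that still need a human, each with the reasons it surfaced."""
    out = []
    for e in events:
        reasons = [r for r in (h(e) for h in highlighters) if r]
        if reasons:                                   # highlights always win over suppression
            out.append((e.account, e.time.isoformat(), reasons))
        elif not any(s(e) for s in suppressors):      # nothing in the baseline explains it
            out.append((e.account, e.time.isoformat(), ["no saved baseline matches"]))
    return out


if __name__ == "__main__":
    for account, when, reasons in triage(EVENTS):
        print(account, when, "; ".join(reasons))
```

Run stand-alone, the eight constructed rows reduce to three: the backup account authenticating on a Monday outside its Tuesday window, a login from a country with no travel notice, and a night-shift admin’s escalation with no approved ticket. The travel notice is what keeps the German login out of the queue, which is the business-context point: the same source IP would have surfaced as unexpected without it.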

This is how you progress from HMM2 to HMM3. You’re not just following a published procedure for hunting unusual administrative access, you’re creating a customized hunt that incorporates your organizational context, making it repeatable and progressively more refined.

From Reactive Searching to Proactive Investigation

Traditional hunting programs focus on threat actor tactics: “Let’s hunt for lateral movement techniques,” “Let’s search for credential dumping,” “Let’s look for persistence mechanisms.” These are valid hunts, but they’re reactive. You’re searching for things adversaries have already done in other environments.

Organizational hunting flips this model. Instead of asking “What might an adversary do?”, you ask “What’s changing in my environment that I don’t understand?” This surfaces:

  • Locked accounts that unlock themselves
  • New privileged users appearing outside provisioning workflows
  • Legacy applications suddenly updating without patching schedules
  • File shares with permission changes nobody authorized
  • Database access patterns that don’t match known applications

These signals exist in every environment. Most organizations never investigate them because they lack the context to distinguish signal from noise and the tooling to make such investigation efficient.

Command Zero’s federated investigation approach combined with business context and table filters makes this organizational hunting practical. You can query across identity providers, application logs, and infrastructure systems simultaneously. You can apply organizational context to filter expected behavior. You can save those filters as reusable procedures that get progressively more refined.

This is the path from HMM2 to HMM3 to HMM4. You start by following published hunting procedures. You add organizational context to customize those procedures for your environment. You encode that context into table filters that make the hunts repeatable. Eventually, you automate the highest-value hunts so they run continuously, surfacing organizational anomalies without manual intervention.

The Maturity Accelerator: Encoding Knowledge into Investigation Patterns

Most organizations get stuck at HMM2 because progression to HMM3 requires institutional knowledge that isn’t documented anywhere. Senior analysts know that certain accounts always authenticate at odd hours. They understand which applications generate expected failed login attempts. They recognize legitimate administrative patterns versus suspicious privilege escalation.

That knowledge exists as tacit expertise. When those analysts leave, it walks out with them.

Command Zero’s approach encodes that knowledge into investigation patterns that persist and improve over time:

  • Business context captures organizational reality: travel patterns, work schedules, legitimate system behavior
  • Table filters encode filtering logic: what’s expected, what’s unusual, what requires investigation
  • Questions represent investigation methodology: how expert analysts approach specific scenarios

This transforms hunting from an individual skill into an organizational capability. New analysts aren’t starting from zero—they’re building on encoded expertise from their predecessors. Hunts become progressively more refined as organizational context accumulates and filters become more sophisticated.

Practical Maturity Progression for Hunting

The Cyber Hunting Maturity Model and PEAK framework both describe what advanced hunting looks like. Command Zero provides the mechanism to actually achieve it:

From HMM1 to HMM2: You can execute published hunting procedures across federated data sources. Questions give you pre-built investigation patterns that work across multiple systems simultaneously.

From HMM2 to HMM3: Business context and table filters let you customize those procedures for your specific environment. You’re not just following someone else’s playbook—you’re adapting it to your organizational reality.

From HMM3 to HMM4: As you identify high-value hunts, you can encode them into automated investigations that run continuously. Table filters that started as manual noise reduction become automated baseline enforcement.

The progression isn’t theoretical. It’s a practical path enabled by tooling that makes organizational context queryable and investigation patterns reusable.

Redefining What Hunting Actually Means

Threat hunting has become synonymous with APT detection. Everyone wants to be the team that discovers the next major campaign. But for most organizations, that’s not where the value lies.

The real value is in organizational visibility. Understanding what’s changing in your environment. Identifying unauthorized modifications before they become incidents. Surfacing the operational anomalies that indicate problems: accounts created outside process, applications updated outside change control, permissions modified without authorization.

This isn’t less sophisticated than APT hunting—it’s differently sophisticated. It requires deep understanding of your specific organizational context, the ability to distinguish legitimate variation from genuine anomalies, and the tooling to make such investigation efficient rather than overwhelming.

Command Zero’s business context and table filters transform this from aspirational to achievable. You can encode organizational knowledge, build reusable investigation patterns, and progressively refine your understanding of what “normal” looks like in your environment.

That’s how you progress up the maturity curve. Not by chasing advanced persistent threats you’ll probably never encounter, but by building the organizational visibility that lets you hunt effectively for the things that actually matter in your specific environment.

And sometimes—when you have that foundation of organizational context and investigation capability—you’ll be ready when the APT actually shows up.
