WatchGuard Blog

How are IT leaders and their MSPs approaching threat hunting?

Companies are increasingly aware of the importance of creating detection and hunting capacities that help to keep their business’s future from being put at risk.

The popularity of threat-hunting services is a consequence of detecting ever more persistent attacks, which also last longer and longer. On top of this, cybercriminals also have ever more tactics to avoid traditional defense measures. As well as detecting attacks, it is increasingly important to try to get ahead of cyberattacks so that the detection gap is reduced as much as possible.

In this ecosystem, Threat Hunting stands out as one of the most important trends of the last few years in corporate cybersecurity. But to understand why Threat Hunting is such an important concept nowadays, it is vital to understand exactly what it is: a discipline that organizations need to stop thinking of as a nice-to-have and start treating as a must-have. It should be a continuous function, not a point in time, as it is essential in any robust cybersecurity program.

The most important feature of Threat Hunting for IT leaders and their MSPs is its approach: here, we are talking about a proactive approach to threats. This means that it is not a response to incidents, although the two concepts are connected, since the results and conclusions of an investigation make it possible to establish new indicators of attack or compromise. Threat-hunting measures aim to cover what more traditional tools cannot see. The threat hunters then conduct their investigations, which unravel the principal cause, enable an immediate response, and guide the action plan to successfully reduce the attack surface.

How IT Leaders and MSPs are Approaching Threat Hunting

There are tens of thousands of hackers in the world, trained by governments, security companies, and criminal organizations. They carry out targeted attacks with proprietary malware and even make use of legitimate applications and goodware to stay hidden.

One of their main operations is the malwareless attack, where the attacker assumes the identity of the administrator after gaining their network credentials one way or another and, to all intents and purposes, seems to be the network administrator going about their job. As no malware of any kind is used, security systems must be able to recognize this type of attack by spotting anomalous behavior of users on the corporate network. Technologies capable of doing these tasks are an integral part of the concept of Threat Hunting.

However, organizations lack the budget, technology, processes, and team of experts needed to do this from scratch. This year’s SANS Threat Hunting Survey shows that threat-hunting resourcing is an “ever-growing staffing nightmare,” with 73% of this year’s respondents claiming that one of their biggest challenges is finding skilled staff. This is a 7% increase over 2022 and a whopping 43% increase over 2021. This makes it impossible for most companies to build and grow their defenses at the same rate as cybercrime evolves.

Building a Threat Hunting Team

As we can see, it is clear that proactivity is a key skill for a good threat hunter. But it is not the only one. Below, we’ll go over the characteristics that every threat-hunting professional should have.

  • Technical knowledge: Before undertaking any threat-hunting process, it is vital to have professionals with knowledge and experience in cybersecurity. They need to know the focus of traditional endpoint protection tools (EPP), but also the new approach: Endpoint Detection and Response (EDR), which involves the use of real-time monitoring tools, something that is vital for threat hunting.
  • Corporate and geopolitical vision: cyberattackers are becoming more professional and belong to organizations or even states. Threat hunters must therefore know the corporate and geopolitical context that may be motivating these cyberattacks. Technical knowledge is fundamental, but it is increasingly necessary to have ideas that bring us closer to a more general vision in order to get ahead of cyberattacks.
  • Creativity: the first step in the threat-hunting process is to create hypotheses in order to seek out potential threats. The threat hunter must therefore come up with possible scenarios, bearing in mind numerous elements and attack vectors that may not be so obvious to traditional cybersecurity solutions.
  • Mastery of the empirical method: once hypotheses have been created, the next step in the threat-hunting process is to validate them, search for evidence, and discover patterns. These stages are similar to those followed by a research scientist. As such, threat hunters need to understand work methods based on analysis and evidence. Threat hunters are not so different from scientists who make great discoveries.

Managed security service providers enable a wide array of proactive security capabilities, including alert monitoring, prioritization, investigation, and threat hunting. They use sophisticated endpoint, network detection, and response solutions, applying artificial intelligence models to correlate and prioritize advanced threats.

Defining Threat Hunting Objectives

The main challenge that stops IT teams from carrying out Threat Hunting is time. Time is needed to search for threats, to gather data, and to create valid hypotheses. What’s more, it’s also needed in order to investigate indicators of attack—IOAs and IOCs—and attack patterns. As such, time is key.

Threat-hunting platforms ought to be capable, among other things, of monitoring the behavior of computers, the applications running on them and, in particular, their users. These requirements are yet another challenge, bearing in mind the fact that the human factor is key to complementing the automation process: hiring qualified experts can be another difficult and costly process, and building or operating the necessary tools yet another considerable expense, one that many IT departments cannot afford.

Unique Threat Hunting Challenges for MSPs 

There are three main challenges they have to face: poor efficiency of security solutions, which makes them waste too much time on false-positive alerts, and the lack of the security skills and processes needed to efficiently hunt, detect, prioritize, investigate, and respond.

[Figure: Pulse, MSP Challenges of Threat Hunting]

By adding threat hunting to their arsenals, MSPs can offer customers better protection and more reliable threat detection before any damage can be done, while shoring up defences against any future attacks.

Invest in Proactive Security Services

Most leaders at MSPs, 62% of them, invest in more skilled staff, while 52% invest in better EDR/NDR solutions. These are considered the most impactful investments for improving the threat-hunting practice, especially for larger security service providers.

[Figure: Pulse, MSP investment in proactive security services]


73% of the MSPs use EDR solutions as part of their threat-hunting approach, and 55% use NDR solutions. 45% consider endpoint activity the most valuable data source when hunting and investigating incidents.

The WatchGuard report, The state-of-the-art threat hunting in MSPs, provides an in-depth analysis of MSPs’ adoption, challenges, and maturity level when providing threat-hunting services to their customers.

Build Your Threat Hunting Team With WatchGuard

WatchGuard Endpoint Security is a cloud-native, advanced endpoint security portfolio that protects businesses of any kind from present and future cyberattacks. Its flagship solution, WatchGuard EPDR, powered by artificial intelligence, immediately improves the security posture of organizations. It combines endpoint protection (EPP) and detection and response (EDR) capabilities with Zero-Trust Application Service and Threat Hunting Service to help MSPs efficiently provide automated prevention, detection, and response services with end-to-end threat hunting services.

Our Threat Hunting Service, included in WatchGuard EDR and WatchGuard EPDR, enables MSPs to add a hunting service as part of their offering. It allows the detection of threats before damage is done and improves defenses against future attacks on their customers.

You can also learn more by reading our latest eBook, Are you ready to take your managed security service to the next level?, and start your threat-hunting path with WatchGuard Advanced Endpoint Security.
