SANS 2025 Threat Hunting Survey shines the light on why behavioral threat hunting can do what AI and IOC-hunts can’t do alone.
The SANS Institute released the results from its fourth annual survey of threat hunting trends across the globe — the SANS 2025 Threat Hunting Survey: Advancements in Threat Hunting Amid AI and Cloud Challenges.
The report emphasizes the growing threat from one of the most difficult cybersecurity challenges posed by advanced threat actors today — “Living off the land” (LOTL) tactics. LOTL is when an adversary uses trusted operating system components and tools to evade detections for traditional indicators of compromise (IOCs).
“We find that ‘living off the land’ techniques remain the most prevalent tactic across all adversary groups, reinforcing the need for behavior-based threat hunting,” the authors write in the report, SANS 2025 Threat Hunting Survey: Advancements in Threat Hunting Amid AI and Cloud Challenges, which is available from the SANS Institute’s website.
This key finding makes it imperative that organizations not only have top-tier cyber threat intelligence (CTI) to identify state-sponsored and financially motivated threat actors, but the ability to operationalize their CTI and stop threat actors who use LOTL tactics to evade IOC-based detections. Intelligence-driven behavioral threat hunting is how organizations can identify advanced threat behaviors inside their environment and neutralize threats to critical business data, systems, and networks.
The report identifies the key challenge posed by persistent skills shortages as more organizations choose in-house threat hunting programs over outsourcing this critical security capability. It also highlights the difficulties of hunting for threats across clouds and current limits on the use of artificial intelligence (AI) for threat hunting.
But as more organizations stand up in-house behavioral hunt capabilities, there are signs many are struggling to measure threat hunting effectiveness and identify metrics that demonstrate business value. The survey findings also emphasize the need for greater support to maintain structured, consistent, and repeatable threat hunt processes that reduce risk and improve visibility of threats. A lack of rigorous metrics and reporting makes it more challenging to demonstrate business value and, in turn, secure funding for a proactive security capability that is critical for neutralizing threats that routinely evade IOC-based detection.
Six key takeaways from the SANS 2025 Threat Hunting SurveySome 76% of organizations saw LOTL in nation-state attacks, making it the top technique used by nation-state threats.LOTL behaviors were used in 49% of ransomware attacks — up from 42% in last year’s report.More organizations are building in-house threat hunting programs as organizations fully outsourcing threat hunting dropped to 30%, down from 37% last year.Skilled staffing shortages were cited by 61% of organizations as a primary barrier to the success of threat hunting programs.The impact of AI-based techniques on uncovering threat actors remains limited.Measuring threat hunt effectiveness and metrics is a key challenge. Some 61% reported manually tracking the effectiveness of threat hunting, up from 43% in last year’s report. Organizations not measuring success rose to 38% from 28% last year.
Intel 471 intelligence and threat hunt analysts have documented and developed hunts for numerous LOTL techniques that have cross-pollinated from APTs to ransomware actors. LOTL is part of a broader set of methods that advanced adversaries use to bypass detections for IOCs, such as known malicious IP addresses and domains used for command-and-control (C2) for malware. Threat actors frequently change IOCs, limiting their value for threat hunting undetected threats. This is why Intel 471 threat hunt content specifically targets adversary behaviours — tactics, techniques, and procedures (TTPs), which threat actors are reluctant to change, particularly when they are part of a group’s standard operating procedures (SOPs) and have taken time and effort to create.
The SANS Institute report highlights the top observed adversary techniques to help security teams identify when threat hunting should be used and when a detection-based approach is better. For example, the second most popular technique for APT and ransomware groups alike was off-the-shelf tools, such as Cobalt Strike, a penetration-testing tool that is commonly abused by threat actors.
When detections for off-the-shelf tools exist, a detection-led approach is a better fit. Likewise, if detections for LOTL techniques do not exist, a more effective approach is behavioral threat hunting, according to the SANS Institute. In other words, don’t threat hunt for things you can detect, but do threat hunt for unknown things you currently cannot.
Source: SANS 2025 Threat Hunting Survey
The survey also found a declining number of organizations are fully outsourcing their threat hunting, down from 37% in 2024 to 30% in 2025. Organizations managing threat hunting internally rose to 58%, from 45% in 2024. While managed services and outsourcing have traditionally alleviated hiring challenges, this may prove less suitable for threat hunting. The authors conclude organizations are prioritizing internal expertise, visibility, and operational control over their security investigations.
“Outsourcing can introduce challenges, such as a potential disconnect between the organization’s unique systems and the nuanced threat landscape, along with risks in data governance and continuity in a cybersecurity strategy,” the report notes.
Despite more organizations building up internal threat hunting capabilities, fewer organizations are formally measuring the effectiveness of their threat hunting programs. Only 51% do today compared to 64% in 2024, while the number of organizations not measuring success rose from 28% in 2024 to 38%. Additionally, the number of organizations manually tracking the effectiveness of threat hunting rose from 43% in 2024 to 61%. These figures suggest that organizations with in-house programs that create their own hunt content could benefit from centralized hunt management tools that help document and measure hunt metrics, such as findings, remediations, and TTPs covered by their hunt queries.
“Without clear metrics, organizations risk inefficient allocation of resources, making it harder to justify continued investment in threat hunting,” the authors write.
Speaking on the SANS Institute’s 2025 Threat Hunting Survey Q&A panel, Intel 471 Senior Threat Hunt Analyst, Scott Poley, shared his insights on the practical use of AI for creating durable threat hunt queries today and in the future.
In the future, AI could play a more vital role in hunting, particularly in structured threat hunting programs that prioritize consistent, repeatable hunts. AI could help threat hunters identify subtle but significant differences between results after running the same hunt queries for behaviors many times in an environment.
“One of the big wins is if you could automate any part of the process with threat hunting. In threat hunting — and the reason why hunts are not ‘detections’ — you expect more than just one result and often end up with a mixture of noise and valuable data,” explains Poley.
“I like to think of [threat hunting] almost like running a report routinely and doing that comparison of results from report to report. I think automation or AI can help to flag differences that stand out from the last time you hunted this type of behavior or this type of technique.”
Creating effective behavioral threat hunt queries requires a lot more research than people think. AI however can already augment this research by helping analysts understand the significance of intelligence that depends on context. “As more people dive into threat hunting, they're realizing how much of a burden research is to do effective threat hunting,” said Poley.
AI today can also help threat hunters manage reporting on threats, findings, misconfigurations, and mitigations that improve security posture and risk. AI can help threat hunters translate tactical reporting into strategic intelligence reports for management who need a wider lens on threats to business services.
“A really important thing in threat hunting is showing value. We have to communicate to a lot of audiences. How you deliver that message and that value can be complicated when you deal with very technical material,” said Poley.
The SANS Institute’s 2025 survey findings highlight the growing need for organizations to move beyond IOCs and take a proactive, intelligence-driven approach. As more organizations bring threat hunting in-house, having the right tools and threat intelligence to support internal teams is crucial. Intel 471’s HUNTER platform is built for this approach, delivering pre-validated behavioral hunt queries designed for most major SIEM, EDR, NDR, and XDR platforms.
The HUNTER Community Edition provides access to dozens of these hunt packages, offering:
Sign up at no charge for your HUNTER Community Edition account to see how it can support your threat hunting operations.
In July 2025 threat actors exploited zero-day vulnerabilities in on-premises Microsoft SharePoint servers in an incident known as ToolShell. In this case study, we conduct a threat hunt for ToolShell-related activity.
Guided Threat Hunts offers a library of Pivot Queries for hundreds of hunt packages that enable your threat hunters and analysts to overcome uncertainty and boost productivity. Guided Threat Hunts is a set of packages that assists users modify their result set to decide their next step and filter out noise from extraneous results.
The Lumma infostealer malware collects highly sensitive data including logins and session tokens. Here's how to conduct a threat hunt leveraging up-to-date tactics, techniques and procedures used by Lumma.
Stay informed with our weekly executive update, sending you the latest news and timely data on the threats, risks, and regulations affecting your organization.