
hunt-focus-definition

Synthesize research on system internals and adversary tradecraft into a concrete, testable hunt hypothesis.

Introduction

The hunt-focus-definition skill is a critical planning component of the Threat Hunter Playbook, designed to bridge the gap between open-ended security research and actionable investigation. It empowers threat hunters to transition from broad thematic analysis of adversary tradecraft to specific, observable patterns within a target environment. This skill is intended for security researchers, SOC analysts, and threat hunters who need to impose structure on their investigative workflows before beginning complex data analysis or query development. By enforcing a standardized process of research synthesis, the skill ensures that subsequent hunt activities are grounded in verified system behaviors and adversary tradecraft, reducing the likelihood of scope creep or unfocused detection efforts.

  • Synthesizes diverse research inputs including system internals, MITRE ATT&CK techniques, and adversary tradecraft documentation.

  • Enforces a multi-step logical progression: context synthesis, selection of a single dominant attack pattern, and hypothesis generation.

  • Generates structured, testable hunt hypotheses using established templates to ensure consistency across different hunting teams.

  • Eliminates ambiguity by forcing the hunter to narrow down a broad topic into one concrete, actionable attack pattern.

  • Supports the 'Plan' phase of the Threat Hunting lifecycle, preventing premature query writing before the investigative intent is fully defined.

  • Use this skill after completing your initial research phase but strictly before defining environment-specific scopes, selecting data sources, or writing detection queries.

  • The skill requires pre-existing research findings as input; it does not perform live web searches or external information gathering.

  • Output acts as a foundational blueprint for subsequent hunt planning steps, such as mapping telemetry requirements or developing specific analytics.

  • Strictly avoid defining time windows or specific environment constraints during this phase; these are operational details determined after the hypothesis is solidified.

  • The workflow is designed to be deterministic and should be followed sequentially to maintain the integrity of the hunt planning process.

Repository Stats

Stars: 4,545
Forks: 852
Open Issues: 6
Language: Python
Default Branch: main
Sync Status: Idle
Last Synced: May 1, 2026, 09:42 AM