Compromise Assessment vs Threat Hunting


What is the difference between a compromise assessment and threat hunting? How does each contribute to Endpoint Protection?

ITCS user


Threat hunting typically comes before a compromise assessment.

Threat Hunting is looking for IOCs or TTPs being used within an environment to identify a compromise or potential compromise. Once identified, you can then move to assessing the compromise.


A Compromise Assessment (CA) is an active and generally scheduled engagement that is looking for malicious activity, undiscovered breaches, and threats. It generally is performed with a DIFFERENT set of security tools/services than what is being used by the team day to day. Often they encompass active scanning and/or vulnerability assessments in addition to network and system analysis. The goal is to identify bad actors and initiate incident response and forensic plans. A common mistake happens when teams try to use this process to be the main component of the identification, containment, and forensics processes. In my experience, they should be considered separate to be effective.

Threat Hunting (TH) is an ongoing process that leverages current datasets and tools to look at the data in a different way. TH comes in many forms, from manual searches looking for suspicious data to leveraging outlier and anomaly detection or other machine learning/advanced analytics. Really good threat hunting teams are able to take new Tactics, Techniques, and Procedures (TTPs) or Indicators of Compromise (IOCs) and specifically look for events, files, and/or behavior that would depict potential malicious activity specific to those TTPs or IOCs.

Generally, TH is a jump-off point to dig deeper into a dataset or system based on a good hypothesis with supporting data. If EPP was installed then it missed it. Both of these activities are looking for failures in a security process or tool. If EPP wasn't installed then the question is why and how do we get something deployed in the future (probably as part of the remediation phase of the incident response process) that would have identified or stopped the compromise/malicious activity.
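
The answer above describes three flavours of hunting over an existing dataset: matching known IOCs, looking for a specific TTP as a behaviour, and outlier detection. The following is an added illustration, not code from the answerer or from any vendor named on this page. It runs all three hunts over a small set of constructed endpoint process-creation log lines (host, parent process, child process, file hash); the hashes, hostnames and the "known bad" list are placeholder values, and the field layout is an assumption chosen for the example.

```python
"""
Hypothesis-driven threat hunt over constructed endpoint process-creation logs.

Three hunts run over the same dataset:
  1. IOC hunt: match known-bad file hashes (placeholder values, not real IOCs).
  2. TTP hunt: an Office application spawning a command interpreter, a
     behaviour that does not depend on any particular hash.
  3. Outlier hunt: parent/child process pairs seen on very few hosts.
Each hit carries the hunt name, host and detail so it can be handed to
incident response as a lead for the compromise assessment that follows.
"""
from dataclasses import dataclass

# Constructed sample log lines: host|parent|child|hash. Not real data.
SAMPLE_LOGS = """\
ws01|explorer.exe|outlook.exe|aaaa0001
ws01|outlook.exe|winword.exe|aaaa0002
ws01|winword.exe|cmd.exe|aaaa0003
ws02|explorer.exe|outlook.exe|aaaa0001
ws02|explorer.exe|chrome.exe|aaaa0004
ws03|explorer.exe|chrome.exe|aaaa0004
ws03|services.exe|svchost.exe|aaaa0005
ws04|explorer.exe|chrome.exe|aaaa0004
ws04|svchost.exe|updater.exe|deadbeef
ws05|explorer.exe|chrome.exe|aaaa0004
"""

# Placeholder IOC list; in practice this comes from a threat-intel feed.
KNOWN_BAD_HASHES = {"deadbeef"}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"}


@dataclass(frozen=True)
class Event:
    host: str
    parent: str
    child: str
    sha256: str


@dataclass(frozen=True)
class Finding:
    hunt: str
    host: str
    detail: str


def parse_logs(text):
    """Turn pipe-delimited lines into Event records, normalising case."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, parent, child, sha = line.split("|")
        events.append(Event(host, parent.lower(), child.lower(), sha.lower()))
    return events


def hunt_ioc(events, bad_hashes):
    """IOC hunt: any event whose file hash is on the known-bad list."""
    return [Finding("ioc-hash", e.host, f"{e.child} sha256={e.sha256}")
            for e in events if e.sha256 in bad_hashes]


def hunt_ttp_office_spawns_shell(events):
    """TTP hunt: Office application as parent of a command interpreter."""
    return [Finding("ttp-office-shell", e.host, f"{e.parent} -> {e.child}")
            for e in events if e.parent in OFFICE_APPS and e.child in SHELLS]


def hunt_rare_parent_child(events, max_hosts=1):
    """Outlier hunt: parent->child pairs seen on at most `max_hosts` hosts."""
    hosts_per_pair = {}
    for e in events:
        hosts_per_pair.setdefault((e.parent, e.child), set()).add(e.host)
    findings = []
    for (parent, child), hosts in hosts_per_pair.items():
        if len(hosts) <= max_hosts:
            for h in sorted(hosts):
                findings.append(Finding("outlier-rare-pair", h, f"{parent} -> {child}"))
    return findings


def run_hunts(text=SAMPLE_LOGS, bad_hashes=KNOWN_BAD_HASHES):
    """Run all three hunts over one dataset and return the combined leads."""
    events = parse_logs(text)
    return (hunt_ioc(events, bad_hashes)
            + hunt_ttp_office_spawns_shell(events)
            + hunt_rare_parent_child(events))


if __name__ == "__main__":
    for f in run_hunts():
        print(f"[{f.hunt}] {f.host}: {f.detail}")
```

On the sample data the IOC and TTP hunts each produce one lead (the placeholder hash on ws04, and winword.exe launching cmd.exe on ws01), while the outlier hunt also surfaces the benign services.exe -> svchost.exe pair because it happens to appear on a single host. That is the point the answer makes about hypotheses with supporting data: outlier output is a starting point for triage, not a verdict, and the leads that hold up are what get handed into the incident response and compromise assessment process.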


This is an excellent article dealing with it.

