Cyber Threat Hunting Tools: 13 SOC Analysts Use (2026)
Cyber threat hunting tools every SOC analyst needs: Sigma, YARA, KQL, Velociraptor, Wireshark, Zeek, MISP and more — grouped by layer with code examples.

The cyber threat hunting toolkit divides cleanly across four stages of the hunt loop: query and detection languages (Sigma, YARA, KQL, SPL), endpoint visibility (Velociraptor, osquery, Sysmon), network analysis (Zeek, Suricata, Arkime, Wireshark), and intel enrichment (MISP, VirusTotal). The thirteen tools below are the ones analysts actually reach for at each stage, and the skill that separates effective hunters is not knowing the most tools but knowing which one answers the question in front of you.
Hunting starts where the alert queue ends: a hypothesis about attacker behavior that has not fired any detection, tested against raw telemetry. This guide maps each tool to that loop — hypothesis, data collection, pivot on indicators, detection encoding — and shows where a tier-1 analyst growing into proactive hunting should start.
What Is Threat Hunting and Why Does It Need Its Own Toolkit?
Threat hunting is the practice of proactively searching through telemetry for attacker behavior that has not yet triggered an automated detection. SANS threat hunting surveys consistently find that organizations with mature hunting programs shorten detection times substantially compared to those relying solely on reactive alerting. That gap exists because sophisticated attackers specifically study and evade known detection signatures. Hunters look for behavioral patterns, not signatures.
The toolkit exists because hunting spans multiple data domains simultaneously. You might start with a hypothesis about credential theft derived from a MITRE ATT&CK technique, query endpoint logs with osquery for evidence of LSASS access, pivot to network data in Zeek to see where those credentials may have been used, enrich suspicious IPs in MISP, and then encode your finding as a Sigma rule so the next instance gets caught automatically. No single tool covers that full arc.
Query and Detection Layer
This layer is where hypotheses become search queries, and where findings become portable detection rules. It is the highest-leverage layer to master first because it sits at both ends of the hunt loop.
1. Sigma
Sigma is a vendor-neutral, YAML-based rule format for SIEM detections. Think of it as the source language: you write a rule once in Sigma and convert it to Splunk SPL, KQL, Elastic EQL, or QRadar AQL with the sigmatools converter. The SigmaHQ repository currently contains more than 3,000 community-maintained detection rules organized by ATT&CK technique.
Best for: Detection engineers, tier-2 and tier-3 analysts who want portable rules that survive platform migrations.
Skill it builds: Writing platform-independent detection logic; understanding the relationship between log fields and attacker behavior.
Free and open source. No license required.
Here is a minimal Sigma rule detecting a process spawning a remote PowerShell session, a common lateral movement indicator:
title: Remote PowerShell Session Initiated
status: experimental
description: Detects a process launching PowerShell with remoting parameters
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\powershell.exe'
CommandLine|contains:
- '-EncodedCommand'
- 'New-PSSession'
- 'Enter-PSSession'
condition: selection
falsepositives:
- Legitimate administrative remoting
level: medium
tags:
- attack.lateral_movement
- attack.t1021.006A hunter who can read and write Sigma rules can translate findings from any hunt into a detection that protects the organization going forward. That encoding step is what separates a hunt from a one-off investigation.
2. YARA
YARA is a pattern-matching engine for identifying and classifying malware files and memory regions. It is the tool threat hunters and malware analysts use when they need to ask: "Does any file in this environment match the structural characteristics of this malware family?" The YARA documentation covers the full rule syntax; community rule sets from Malpedia and YARA-Rules on GitHub give you thousands of starting points.
Best for: Hunting for specific malware families across disk and memory during endpoint triage; enriching EDR telemetry with file-level pattern matching.
Skill it builds: Malware structural analysis; understanding file format internals; writing pattern-based signatures from threat reports.
Free and open source. Compiles and runs on Windows, Linux, and macOS.
3. KQL (Microsoft Sentinel / Defender)
KQL (Kusto Query Language) is the query language for Microsoft Sentinel, Defender for Endpoint, and the entire Microsoft security stack. If your organization runs on Microsoft infrastructure, KQL fluency is non-negotiable for hunting. The official KQL reference is thorough; Microsoft also maintains a hunting queries repository with hundreds of real-world examples.
Best for: Hunting across Microsoft 365 Defender, Sentinel, and Azure logs in environments with a Microsoft-first security stack.
Skill it builds: Time-series analysis; behavioral baselining; correlating events across multiple Microsoft data sources in a single query.
Here is a KQL snippet hunting for accounts with an unusual spike in failed authentication, a pattern consistent with password spraying:
SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType != "0"
| summarize FailedAttempts = count(), DistinctUsers = dcount(UserPrincipalName)
by IPAddress, bin(TimeGenerated, 1h)
| where FailedAttempts > 50 and DistinctUsers > 10
| order by FailedAttempts desc4. Splunk SPL
SPL (Search Processing Language) is the query language for Splunk, the most widely deployed enterprise SIEM. A large percentage of SOC analyst job postings list Splunk experience, and the underlying SPL query skills transfer to detection engineering, hunting, and incident response. Splunk's free training covers the fundamentals at no cost; Splunk also offers a free developer instance.
Best for: Enterprises running Splunk SIEM; analysts who want the most direct path to commercial SOC tooling familiarity.
Skill it builds: Log search, statistical analysis, and correlation in a production-scale SIEM; building dashboards and saved searches; writing detection SPL that feeds automated alerting.
Note
KQL and SPL are syntactically different but conceptually parallel: both are columnar query languages designed for event-stream data. If you learn one deeply, the other takes days rather than months to pick up.
Endpoint Visibility Layer
The endpoint is where most of the interesting attacker behavior happens. These three tools give you process-level, file-level, and system-event-level visibility that SIEM log forwarding alone cannot provide.
5. Velociraptor
Velociraptor is an open source endpoint visibility and digital forensics platform built specifically for threat hunting at scale. Where an EDR passively collects telemetry, Velociraptor lets you push live queries to hundreds or thousands of endpoints simultaneously and get results back in seconds. The official documentation explains the VQL (Velociraptor Query Language) that drives it; the project is maintained by the Velocidex team and has active community artifact sharing.
Best for: Hunting campaigns that need to ask the same question across an entire endpoint fleet; live forensic collection without physically touching machines.
Skill it builds: Fleet-wide endpoint querying; live forensic artifact collection; building hunt notebooks that other analysts can reuse.
Free and open source. Production-ready for enterprise use.
6. osquery
osquery is a tool that exposes the operating system as a relational database, letting you query running processes, network connections, loaded modules, and file integrity using SQL. Originally built by Meta and now a CNCF project, osquery runs as an agent and supports scheduled queries, event subscriptions, and fleet management through osctrl or similar. ATT&CK Navigator overlays are a good source of hypotheses to turn into osquery SQL queries.
Best for: Lightweight endpoint telemetry collection when a full EDR is not deployed; custom data collection for specific hunt hypotheses; open source environments.
Skill it builds: SQL-based endpoint querying; understanding OS internals through a structured lens; integrating endpoint data with SIEM pipelines.
Free and open source.
Here is an osquery SQL example hunting for processes that have established outbound network connections to non-standard ports, a common command-and-control pattern:
SELECT p.name, p.pid, p.path, p.cmdline, p.parent,
c.local_address, c.remote_address, c.remote_port, c.state
FROM processes p
JOIN process_open_sockets c ON p.pid = c.pid
WHERE c.state = 'ESTABLISHED'
AND c.remote_port NOT IN (80, 443, 53, 25, 22)
AND c.remote_address NOT LIKE '10.%'
AND c.remote_address NOT LIKE '192.168.%'
ORDER BY p.name;7. Sysmon
Sysmon (System Monitor) is a Windows system service that logs detailed process creation, network connection, and file creation events to the Windows event log. It is the foundational telemetry source for Windows endpoint hunting: without it, you are working with a fraction of the context available. The Microsoft Sysinternals documentation covers installation and configuration; SwiftOnSecurity's sysmon-config provides a widely used baseline configuration that balances coverage with log volume.
Best for: Enriching Windows endpoint telemetry sent to a SIEM; providing the process-creation, parent-child relationships, and hash data that detection rules depend on.
Skill it builds: Windows event log architecture; understanding what telemetry is available before writing a detection that depends on it; tuning log volume without losing signal.
Free. Distributed as part of the Sysinternals suite.
Warning
Sysmon must be configured carefully. The default installation logs very little; an aggressive configuration can generate millions of events per hour on active endpoints. Start with SwiftOnSecurity's baseline, then tune by environment.
Network Analysis Layer
Endpoint telemetry shows what happened on a machine. Network telemetry shows where that machine talked, for how long, and what it sent. Lateral movement, data exfiltration, and command-and-control activity are often most visible at the network layer.
8. Zeek
Zeek (formerly Bro) is an open source network analysis framework that transforms raw packet captures into structured log files: conn.log for connection metadata, dns.log for DNS queries, http.log for HTTP sessions, and dozens more. The CISA advisory on network detection recommends network flow analysis for detecting lateral movement, and Zeek is the dominant open source tool for that analysis. The Zeek documentation is extensive; Security Onion ships Zeek pre-configured alongside Suricata and Elastic.
Best for: Network behavior analysis; building baselines for DNS, HTTP, and connection patterns; detecting anomalous protocols and beaconing.
Skill it builds: Network protocol analysis; log-based traffic analysis; writing Zeek scripts for custom protocol detection.
Free and open source.
9. Suricata
Suricata is a high-performance open source intrusion detection and prevention engine maintained by the Open Information Security Foundation (OISF). It speaks the same signature format as Snort, supports the Emerging Threats ruleset, and can operate in inline IPS mode or passive IDS mode from packet captures. Suricata's protocol parsers extract application-layer metadata from TLS, HTTP, DNS, and dozens of other protocols even when traffic is only sampled.
Best for: Signature-based network threat detection; applying community rulesets to network traffic without writing every rule from scratch; network-level coverage in environments where endpoint agents are incomplete.
Skill it builds: Network intrusion detection; writing and tuning network signatures; understanding protocol behavior and evasion techniques at the packet level.
Free and open source.
10. Arkime (formerly Moloch)
Arkime is an open source, large-scale, full packet capture and indexing system. While Zeek and Suricata work from metadata and parsed logs, Arkime stores the actual packet data, giving hunters the ability to reconstruct sessions, extract files from network transfers, and investigate exactly what bytes were sent across the wire. The Arkime project page covers deployment; it is often deployed alongside Zeek in a complementary stack.
Best for: Investigations that require full packet reconstruction; extracting transferred files from network captures; validating hypotheses that network metadata alone cannot confirm.
Skill it builds: Full packet analysis; session reconstruction; understanding when metadata is sufficient versus when you need the raw capture.
Free and open source. Requires significant storage for full packet retention at enterprise scale.
13. Wireshark
Wireshark is the most widely used open source packet analyzer, providing a graphical interface for capturing and inspecting network traffic at the individual frame level. Where Zeek produces structured logs and Arkime indexes full PCAP at scale, Wireshark is the analyst's scalpel: you open a specific capture file, filter to the conversation you care about, and inspect the exact bytes exchanged. The Wireshark documentation is thorough; the project ships with hundreds of protocol dissectors out of the box.
Best for: Deep packet inspection during incident response; reconstructing specific sessions from PCAP evidence; validating whether a suspected C2 beacon matches the expected protocol structure.
Skill it builds: Protocol-level network forensics; reading hex dumps and reassembled streams; understanding TLS handshake structure, DNS query format, and HTTP/2 framing at the wire level.
Free and open source. Runs on Windows, Linux, and macOS.
Note
Wireshark reads from a live interface or from PCAP files produced by Zeek, Arkime, or tcpdump. In a typical hunt, Zeek gives you the behavioral summary that identifies which conversation to inspect, and Wireshark gives you the forensic detail that confirms what happened inside it.
Intel and Enrichment Layer
Hunting hypotheses need grounding in real-world threat intelligence. These tools tell you whether an indicator you found has documented malicious history and connect your hunt to the broader threat landscape.
11. MISP
MISP (Malware Information Sharing Platform) is an open source threat intelligence platform for sharing, storing, and correlating indicators of compromise, threat actors, and intelligence reports. Originally developed by CIRCL (Computer Incident Response Center Luxembourg), MISP is used by hundreds of government CERTs, ISACs, and large enterprises to share threat intelligence under controlled trust models. The MISP project documentation covers both deployment and the data model.
Best for: Organizations that share threat intel within a sector ISAC; correlating internal findings against community IOC feeds; enriching hunt hypotheses with structured attacker attribution.
Skill it builds: Threat intelligence lifecycle management; IOC curation and correlation; understanding threat actor attribution methodology.
Free and open source.
12. VirusTotal
VirusTotal is a web-based platform that aggregates results from more than 70 antivirus engines, sandbox analyses, and OSINT sources to provide reputation and behavioral data on files, URLs, IP addresses, and domains. Every SOC analyst uses it for rapid enrichment; threat hunters use the intelligence features for pivoting: given a malicious hash, VirusTotal can show related files, infrastructure, and behavioral indicators that expand a hunt hypothesis into a campaign map.
Best for: Quick enrichment of any indicator found during a hunt; pivoting from a single IOC to related infrastructure; correlating findings against community-observed malicious behavior.
Skill it builds: IOC enrichment workflows; infrastructure pivoting; reading and interpreting sandbox analysis reports.
Free tier available. The free tier covers individual lookups sufficient for lab and investigation work; enterprise intelligence features require a paid subscription.
The Full Hunt Loop: How These Tools Work Together
The tools above are not a shopping list. They are a workflow. A complete hunt looks like this:
You start with a hypothesis drawn from a threat report, a new ATT&CK technique relevant to your environment, or an anomaly your detection engineering team flagged as uncovered. You formulate a specific, falsifiable question: "Is there evidence of LSASS credential dumping that occurred outside change windows in the past 30 days?"
You query your endpoint telemetry. If you have Sysmon, you query process creation events for known credential dumping tool signatures via SPL or KQL. If you have Velociraptor deployed, you push a live VQL artifact to all Windows hosts simultaneously and collect LSASS access events directly.
You find a candidate host. You pivot to network data in Zeek's conn.log to see whether that host made unusual outbound connections in the same time window. You extract a suspicious domain and enrich it in MISP and VirusTotal to confirm whether it has documented malicious history.
You confirm the behavior is real. You encode your detection in Sigma so it runs as an automated alert going forward, and document the IOCs in MISP for sharing.
That loop is the job. The tools are just the instruments.
Free forever · No credit card
Train on real alerts, with zero consequences
Practice triage on realistic alert volume in a live SOC console. Free forever — no credit card.
| Tool | Layer | Free/Open Source? | Core Skill It Builds |
|---|---|---|---|
| Sigma | Query / Detection | Yes | Portable detection rules |
| YARA | Query / Detection | Yes | Malware pattern matching |
| KQL | Query / Detection | Free tier | Microsoft stack hunting |
| Splunk SPL | Query / Detection | Free dev edition | Enterprise SIEM querying |
| Velociraptor | Endpoint | Yes | Fleet-wide live forensics |
| osquery | Endpoint | Yes | SQL-based OS telemetry |
| Sysmon | Endpoint | Yes (Windows) | Windows event enrichment |
| Zeek | Network | Yes | Network behavior analysis |
| Suricata | Network | Yes | Network signature detection |
| Arkime | Network | Yes | Full packet capture |
| Wireshark | Network | Yes | Deep packet inspection |
| MISP | Intel / Enrichment | Yes | Threat intel sharing |
| VirusTotal | Intel / Enrichment | Free tier | IOC enrichment and pivoting |
How to Build This Skillset Without a Lab Budget
The most common objection to learning threat hunting tools is infrastructure: standing up Velociraptor, Zeek, and MISP requires machines, data, and time. A few paths forward require minimal investment.
Security Onion provides a single deployable that bundles Zeek, Suricata, and Elastic together. You can run it in a VM on a laptop. The Security Onion documentation walks through a lab setup in an afternoon.
The DetectionLab project builds a complete Windows Active Directory environment with Sysmon, osquery, and a Splunk SIEM pre-configured, using Vagrant and VirtualBox. It is the closest available approximation of a real enterprise environment for free.
For the query layer specifically, Microsoft provides a free KQL playground with sample security data. Splunk's Boss of the SOC datasets are freely available for download and provide realistic event data to build SPL queries against.
The alert triage skills that precede hunting are covered in the alert triage guide. Understanding what a SOC analyst does at each tier is the structural context that makes hunting make sense. Much of the endpoint telemetry hunts run on comes through an EDR console, so fluency with one of the best EDR tools is a practical prerequisite alongside familiarity with Windows Event IDs.
Hunting rewards analysts who already read alerts fluently. If your triage instincts are still forming, SOCSimulator's training operations give you the alert volume and verdict feedback that build the baseline pattern recognition hunting depends on.
Frequently Asked Questions
- What tools are used for threat hunting?
- The core threat hunting toolkit spans four layers: query and detection (Sigma, YARA, KQL, Splunk SPL), endpoint visibility (Velociraptor, osquery, Sysmon), network analysis (Zeek, Suricata, Arkime), and intel enrichment (MISP, VirusTotal). Most hunters use tools from all four layers in a single hunt, starting with a hypothesis, querying logs, pivoting on indicators, and then encoding the finding as a detection rule.
- Is threat hunting different from SOC analysis?
- Yes, but they share the same tooling. SOC analysis is reactive: an alert fires, and you triage it. Threat hunting is proactive: you form a hypothesis about attacker behavior that may not have triggered any alert, then go looking for evidence in raw telemetry. Tier 1 and Tier 2 analysts triage; Tier 3 and senior analysts hunt. Most threat hunters started as SOC analysts and carry the same SIEM, EDR, and network skills into hunting work.
- What should a beginner learn first for threat hunting?
- Start with a query language: KQL (for Microsoft Sentinel and Defender) or Splunk SPL depending on your environment. Then add Sigma, which abstracts detection logic across platforms. Once you can write and read detection rules, add endpoint visibility via osquery or Sysmon. Network tools and intel enrichment platforms come next. You do not need all thirteen tools on day one; you need depth in two or three before breadth in the rest.
- Are threat hunting tools free?
- Most of the core tools are free and open source: Sigma, YARA, osquery, Sysmon, Zeek, Suricata, Arkime, Wireshark, Velociraptor, and MISP are all open source with no licensing cost. VirusTotal has a free tier sufficient for individual enrichment lookups. Commercial SIEM platforms (Splunk, Sentinel) have free or community editions for lab use. The cost in threat hunting is not software licenses; it is the data infrastructure needed to collect and store telemetry at scale.
- What are the main cyber threat hunting techniques?
- The three core threat hunting techniques are hypothesis-driven hunting, indicator-of-compromise (IOC) based hunting, and machine-learning-assisted hunting. Hypothesis-driven hunting starts with a specific, falsifiable question derived from MITRE ATT&CK or a recent threat report, then tests it against telemetry. IOC-based hunting starts from a known bad indicator -- a hash, IP, or domain -- and searches for evidence of that indicator across the environment. Machine-learning-assisted hunting uses statistical baselines to surface anomalies that no hypothesis predicted. In practice, experienced hunters use all three: a hypothesis defines the search, IOCs narrow it, and statistical outliers catch what the hypothesis missed.
- What two Windows tools are most commonly used for threat hunting?
- Sysmon and PowerShell are the two Windows-native tools most commonly used for threat hunting. Sysmon provides the detailed process creation, network connection, and file creation events that detection rules and hunt queries depend on; without it, Windows event logs lack parent process information, command-line arguments, and process hashes. PowerShell enables live endpoint querying and artifact collection through tools like PowerShell remoting and the Windows Management Instrumentation interface. For fleet-scale hunting on Windows environments, Velociraptor complements both by letting hunters push VQL queries to all Windows hosts simultaneously and retrieve results in seconds.
Field notes
New walkthroughs and detections, in your inbox
A short email when we publish something worth your time. No spam, unsubscribe in one click.
Community
Continue the conversation
Discuss this with analysts who are actively training and working in the field.
Related Articles

Best SIEM Tools in 2026: 10 Platforms Ranked
Best SIEM tools ranked for 2026: Splunk, Microsoft Sentinel, IBM QRadar, Elastic Security, and more — reviewed from a SOC analyst training perspective.

Open Source SIEM Tools: 7 for Your Home Lab (2026)
Open source SIEM tools let you build real detection skills at zero cost. Here are 7 worth running in a home lab, ranked by what they actually teach.

SIEM Use Cases: 10 Every SOC Runs (With Detection Logic)
SIEM use cases explained with detection logic sketches, data sources, and tuning notes for the 10 detections every SOC team operates.