Threat Hunting - Service Data Sheet


We understand that each client will have different infrastructure, processes and work teams. This is why our Threat Hunting service starts with meetings between the client and our CYCON (Cyber Consulting) team, who will be responsible for understanding the networks, applications and functioning of all processes to adapt the Threat Hunting service for each specific case. Moreover, throughout this consultancy we will analyze the different tools used by our clients in order to integrate them into the Threat Hunting service.

In parallel with this, our Engineering team will be in charge of implementing (or giving all the necessary support for) the infrastructure deployment, making it a quick and easy implementation. Our service allows for different architectures according to the needs of our clients, making it possible to host our server within the client’s installations, or on our own Data Centers.

Once the hardware installation is finished, our CYBOPS (Cyber Operations) team will be responsible for deploying and monitoring the forensic agent used to provide the service, as well as launching the Threat Hunting on the client’s devices. The forensic agent installed to carry out the Threat Hunting has an almost null impact on the machine’s performance.

Lastly, our analysts will be responsible for analyzing the threats found by the platform as well as for searching for the IOCs and TTPs that cannot be automated in the devices.

During this whole process, our CTI team (Cyber Threat Intelligence) will be perfectly synchronized with our client’s team, making the most of the information obtained by both teams in order to constantly feed the Threat Hunting service.

During the operation of our service we will have different critical levels:

Level Name Description Operation mode Reporting Threat review
L5 LOW Everything is normal and there are no known significant threats 16×5 Daily Every hour
L4 MODERATE Recent campaign detects a relevant actor. An attack is plausible but not probable. 16×5 Daily Every 30 min.
L3 HIGH Relevant activity by a target actor or campaign within the same sector/industry 16×7 Twice a day Real time
L2 SEVERE Recent active campaign or actor, possible for the company to be affected 18×7 Twice a day Real time
L1 CRITICAL We have found a threat within our client’s devices, or an incident is highly probable according to our threat intelligence (CTI). 24×7 Three times a day Real time

Our clients will obtain large amounts of information from this service, which will help them understand the current status of their equipment and devices better. It will also feed their own processes and procedures.

Intelligence: in collaboration with the client’s experts, our CTI experts will create IOCs and TTPs that can be used for Threat Hunting as well as to feed other processes and procedures.

Daily reports: Our clients will also receive daily reports explaining the Threat Hunting status as well as all the information related to the threats found in their systems. Specifically, the daily reports issued are:

  • Executive report: including all the relevant information such as number of processed devices and false positives found, number of agents installed, etc.
  • Hit report: comprised of all Hits, both positive and negative, as well as a detailed explanation of the main characteristics and impact of each of them.
  • Agent report: providing the status of all forensic agents installed.
  • Final report: we will provide a recommendations report based on what we have seen during the service delivery. This will either be delivered on completion of the service delivery, or periodically if a continuous Threat Hunting service is being provided.