// the detection hunter method
Every tool DetectionHunter uses is mapped to a stage of the lifecycle. Tools only create value when they are connected to a repeatable detection engineering method.
phase · learn
Learn
// purpose
Understand attacker behavior, Windows internals, telemetry sources, and detection opportunities before building anything.
// tools used & why
- MITRE ATT&CK: Map adversary tactics, techniques, and procedures.
- MITRE ATT&CK T1059.001: Primary technique focus for PowerShell abuse.
- NIST CSF 2.0: Connect detection engineering to cyber resilience outcomes.
- NIST SSDF: Frame validation discipline and secure development.
- Windows Internals: Understand processes, parent-child chains, and command-line telemetry.
- IOA & IOC concepts: Separate behavior-based detection from artifact-based detection.
// output
- Detection hypothesis
- ATT&CK mapping
- Expected attacker behavior
- Required telemetry list
- Initial detection objective
// example
Before detecting PowerShell EncodedCommand abuse, the hunter learns why attackers encode commands, where it surfaces in Windows logs, and which ATT&CK sub-technique it maps to.
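As an added example that is not part of the DetectionHunter page, the Learn-phase hypothesis above turned into detection logic and run over constructed process-creation events. The field names Image, ParentImage and CommandLine follow Sysmon Event ID 1; the expected-parent allowlist is an assumption and would come from your own baseline.

```python
"""Detect PowerShell -EncodedCommand use (ATT&CK T1059.001) from process-creation telemetry.
Hypothesis: the encoded flag itself is weak evidence; the parent-child chain (IOA) and the
decoded payload are what an analyst needs to decide. Sample events below are constructed."""
import base64
import re
from typing import Optional

# powershell.exe accepts unambiguous prefixes of -EncodedCommand; cover the common short forms.
ENCODED_FLAG = re.compile(
    r"(?<![\w-])[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# Assumed baseline: interactive admin use is normally a child of a shell or terminal.
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe", "windowsterminal.exe", "code.exe"}


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the decoded payload (PowerShell encodes it as base64 over UTF-16LE) or None."""
    m = ENCODED_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # flag present but payload is not decodable: treat as no finding here


def assess(event: dict) -> Optional[dict]:
    """Emit a finding for powershell/pwsh launched with an encoded command; None otherwise."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    if image not in ("powershell.exe", "pwsh.exe"):
        return None
    decoded = decode_encoded_command(event["CommandLine"])
    if decoded is None:
        return None
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    return {"technique": "T1059.001", "parent": parent,
            "unexpected_parent": parent not in EXPECTED_PARENTS, "decoded": decoded}


def encode_ps(script: str) -> str:
    """Build the encoded form the way PowerShell expects; used only for constructed samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


SAMPLE_EVENTS = [  # constructed telemetry, not from a real host
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile -enc " + encode_ps("Get-Service | Out-File svc.txt")},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell -w hidden -EncodedCommand " + encode_ps("Get-Process | Out-Null")},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c dir"},
]


def run(events=SAMPLE_EVENTS) -> list:
    """Return all findings; the second sample is the one the hypothesis cares about."""
    return [f for f in (assess(e) for e in events) if f]
```

Running `run()` yields two findings; only the WINWORD.EXE-parented one carries `unexpected_parent: True`, which is the behaviour the Build phase turns into a rule.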
// feeds into next phase
A clear detection hypothesis and telemetry shopping list for Build.
// related labs