Logo
Cybersecurity

Why Threat Hunting Is the Only Way to Stop Attackers Who Are Already Inside

Most organizations detect breaches after 194 days of attacker activity already inside their network. ITSEC Asia, the cybersecurity leader in Indonesia, explains why Threat Hunting is the proactive discipline that changes that equation for good.

Ajeng HadeAjeng Hade
|
Mei 12, 2026
Why Threat Hunting Is the Only Way to Stop Attackers Who Are Already Inside

Introduction

Here is a question every security leader should sit with: if an attacker entered your network six months ago, would you know? According to IBM's Cost of a Data Breach Report 2024, the average time to identify a breach now stands at 194 days, nearly half a year of undetected attacker activity operating freely within enterprise infrastructure. Prevention tools, no matter how sophisticated, have already demonstrated they cannot close that window on their own. Firewalls, antivirus software, and multi-factor authentication are necessary. They are not sufficient.

The organizations that understand this distinction are the ones investing in threat hunting: the proactive, intelligence-driven practice of searching for adversaries who have already bypassed the perimeter and are operating in silence. ITSEC Asia, the cybersecurity leader in Indonesia with operations across Singapore, Australia, and the UAE, works with organizations across these regions to build this exact capability before the next breach makes it urgent.

Sources: IBM Cost of a Data Breach Report 2024

The Gap That Reactive Security Cannot Close

The fundamental flaw in reactive cybersecurity is architectural. Security Operations Centers monitor known threat signatures and fire alerts when something matches an established pattern. Endpoint detection tools watch for behaviors that resemble known malware. These systems are valuable, but they are built around what is already understood. Sophisticated threat actors, including nation-state groups and advanced ransomware operators, have spent years learning how to operate within the boundaries of what detection systems consider normal.

CrowdStrike's Global Threat Report documents how attacker breakout time (the window between initial access and lateral movement through a network) has collapsed to just 62 minutes for the fastest observed intrusions, with the average sitting at under three hours. By the time a signature-based alert fires, the attacker has already moved. Threat hunting inverts this dynamic entirely. Rather than waiting for an alert to signal that something went wrong, threat hunters operate from the assumption that a capable attacker is already present and begin searching the environment for indicators of that presence. It is the difference between responding to fire alarms and sending investigators to find smoldering wires before the building ignites.

Sources: CrowdStrike Global Threat Report 2024 · IBM Cost of a Data Breach Report 2024

How Threat Hunting Actually Works

Threat hunting is a hypothesis-driven discipline, not a passive monitoring function. A threat hunter begins with an assumption grounded in threat intelligence and then queries the environment specifically for evidence of adversarial behavior. This process relies on high-fidelity telemetry: comprehensive endpoint logs, network flow data, authentication records, and cloud activity feeds that provide the raw material for investigation. According to SANS Institute research on threat hunting maturity, organizations at higher maturity levels move from ad hoc investigation to structured, repeatable hunt programs with defined hypotheses, documented procedures, and measurable outcomes.

A mature threat hunting program typically operates across three core activities: 

• Hypothesis Formation: Each hunt begins with a threat intelligence-informed assumption, for example that a specific actor group known to target financial institutions tends to abuse Windows Management Instrumentation for lateral movement, and then validates or disproves that assumption through deep log analysis.

• Telemetry Analysis: Hunters examine endpoint behavior, authentication anomalies, unusual network flows, and privilege escalation patterns that automated tools routinely miss because they do not match known-bad signatures.

• Detection Engineering: Every completed hunt, whether it surfaces an attacker or confirms a clean environment, produces refined detection logic that improves the automated systems the SOC relies on going forward.

MITRE ATT&CK, the globally recognized framework cataloging adversary tactics, techniques, and procedures, provides the structured vocabulary threat hunters use to formulate hypotheses and ensure consistent coverage across the kill chain. Organizations that align their hunting programs to ATT&CK demonstrate systematic thinking about attacker behavior rather than chasing individual incidents in isolation.

Sources: SANS Institute: Threat Hunting Maturity Model · MITRE ATT&CK Framework

The Industries That Cannot Wait for an Alert

The consequences of skipping threat hunting are not evenly distributed. Organizations in healthcare, financial services, critical infrastructure, and telecommunications carry disproportionate risk because they hold data and control systems that sophisticated adversaries explicitly prioritize. The Ponemon Institute's 2024 research places the average cost of a healthcare data breach at USD 9.77 million, the highest of any sector for the fourteenth consecutive year. These numbers are not driven primarily by the cost of breach response. They are driven by the cost of undetected attacker dwell time: the months during which an adversary moved through a network, exfiltrated data, and established persistence before anyone noticed.

Regulatory frameworks governing these industries have also begun to reflect this reality. NIST's Cybersecurity Framework 2.0 explicitly incorporates continuous monitoring and proactive threat detection as core security functions. Regulators in Indonesia through BSSN's national cybersecurity strategy and internationally through frameworks like the EU's NIS2 Directive increasingly expect organizations to demonstrate active threat detection capability, not merely perimeter defense. For organizations operating in these environments, the question is no longer whether threat hunting belongs in the security program. It is whether the capability is mature enough to be effective when it is needed most.

Sources: Ponemon Institute Data Breach Research · NIST Cybersecurity Framework 2.0 · BSSN National Cybersecurity Strategy

Build Threat Hunting Readiness Before the Incident Forces It

The organizations that keep getting compromised twice are not unlucky. They are operating without the investigative and proactive capability that would tell them, with certainty, whether an attacker is present right now and what changed after the last incident. Threat hunting closes that gap by turning passive telemetry into active intelligence and converting security spend from a reactive cost center into a genuine risk reduction function.

The time to build this capability is before an attacker makes it necessary. ITSEC Asia provides threat hunting, digital forensics, and incident response capabilities for organizations across Indonesia, Singapore, Australia, and the UAE. If your organization wants to assess its current threat hunting maturity or build proactive detection capability before an incident forces the conversation, speak with our security specialists.

👉 Consult with our security specialists https://itsec.asia/contact

Share this post

You may also like

Here is How Application Security Works to Protect Your Systems and Data
Cybersecurity

Here is How Application Security Works to Protect Your Systems and Data

INTRODUCTION Nowadays applications are at the center of digital business operations. From mobile banking and e-commerce platforms to internal enterprise systems, organizations rely heavily on applications to serve customers and manage data. However, as applications become more complex and interconnected, they also become one of the most common targets for cyberattacks. In fact, web applications are responsible for a large percentage of data breaches worldwide. The Verizon 2024 Data Breach Investigations Report indicates that cybercriminals frequently exploit web applications as an attack vector. This growing threat raises an important question, “Are your applications truly secure against modern cyber threats?” One of the most effective ways to protect applications is through application security, a proactive approach to identifying and fixing vulnerabilities before attackers can exploit them. Source: verizon.com [https://www.verizon.com/business/resources/reports/dbir/],    A REAL-WORLD EXAMPLE: WHEN AN UNSECURED API EXPOSES MILLIONS Let's look at something that actually happened to Trello in early 2024.In January 2024, a hacker found a weakness in Trello's system, specifically, a part of the app called a REST API. This API had a

ITSEC AsiaITSEC Asia
|
Apr 17, 2026 — 6 minutes read
How IoT Devices Are Expanding the Cybersecurity Attack Surface
Cybersecurity

How IoT Devices Are Expanding the Cybersecurity Attack Surface

INTRODUCTION When people hear “IoT security, [https://itsec.asia/services/ot-ics-cybersecurity]” they often assume it’s something only IT teams need to worry about. In reality, IoT security affects everyday users, households, and businesses alike.* From smart home devices to office surveillance systems, connected devices are now part of critical daily operations. The more devices we connect, the wider the potential attack surface becomes. Here’s the part no one really talks about: Many IoT environments are deployed quickly for convenience, not necessarily designed with security as the top priority. It’s not negligence. It’s just how fast technology moves. Source: aciano.net [https://aciano.net/blog/iot-security-risks/], cio.com [https://www.cio.com/article/3990581/iot-security-challenges-and-best-practices-for-a-hyperconnected-world.html?] THE IOT LANDSCAPE NOWADAYS Security used to focus on protecting networks with firewalls and perimeter defenses. Today, attackers are shifting their focus to easier targets: user credentials, weak device authentication, misconfigured cloud dashboards, and unpatched firmware.  Today, attackers are more interested in: * User credentials * Weak device authentication * Misconfigured cloud dashboards * Unpatched firmware IoT devices often rely on cloud platforms for monitoring, analytics, and control. That means IoT security is no longer just about the

ITSEC AsiaITSEC Asia
|
Mar 06, 2026 — 5 minutes read
Why Annual Penetration Testing Is No Longer Enough in Today's Threat Landscape
Cybersecurity

Why Annual Penetration Testing Is No Longer Enough in Today's Threat Landscape

If you only went to the doctor once a year, you probably would not assume you were perfectly healthy for the other 364 days. Health changes over time. New conditions can develop, existing issues can worsen, and unexpected problems may arise between checkups. That is why people increasingly rely on regular monitoring and preventive care rather than waiting for an annual appointment to discover something has gone wrong. Cybersecurity works in much the same way. For many years, annual penetration testing has been considered a cybersecurity best practice. Organizations schedule an assessment, receive a report, address the findings, and repeat the process the following year. In relatively static environments, this approach provided a reasonable level of assurance. Modern organizations, however, no longer operate in static environments. Cloud adoption has accelerated. APIs have become essential to digital services. Development teams deploy updates continuously, and third-party integrations have become increasingly common. As organizations move faster, their attack surfaces evolve just as quickly. A system that was secure six months ago may look very

ITSEC AsiaITSEC Asia
|
Jan 09, 2026 — 7 minutes read

Receive weekly
updates on new posts

Subscribe