As an extension of your security team, we are focused on understanding the risks to your organization, by leveraging the security signal your investments generate. Hunting is a way of further managing the risks that your organization is facing. We extend our focus beyond post-compromise activity to proactive monitoring of events/data that aren’t being surfaced by your existing security investments.

What Is Hunting?

In short, hunting is a proactive effort that applies a hypothesis to discover suspicious activity or areas of risk that may have slipped by your security devices. We do not rely solely on our customers' security devices to detect and generate alerts on certain activities. We generate investment value by querying the devices for a bulk set of data, which we analyze based on our hypothesis. 


With hunting, we assume that something already failed and you're compromised. The attacker has gotten past the perimeter (inside the network) and we’re looking for them. Because we don’t know where the attacker is hiding or who they’re trying to impersonate, we start with a theory based on common tactics attackers use.

We use the MITRE ATT&CK Framework as our guide to developing new hunting theories. It outlines the tactics and techniques attackers commonly use at each stage of the attack lifecycle. Events that match our theory become investigative leads for an analyst to further review.

What’s Our Process?


Step 1: Expel uses a library of hunting techniques to pick from, representing hypotheses to detect risk at various stages of the attack lifecycle. Engagement managers work with you to select hunting techniques or a series of techniques that work best for you, based on your technology stack and available hunts at Expel.

Step 2: Our hunting platform (Jager) uses Scavenger to schedule data collection in your environment to fit the hypotheses of the hunts available in your environment. This includes sorting, filtering, calculating, enriching and down-selecting data based on specific logic.

Step 3: Engagement managers start a hunt for our SOC analysts to run, based on feedback from the customer and the data collected by our hunting platform.

Step 4: Jager generates an output of items that meet the hypothesis of the hunt and prepares them for analyst review by uploading the results to Workbench.

Step 5: The SOC analysts use Jupyter Notebooks to analyze and triage the post-processing results from Jager. Jupyter Notebooks include customer context, tuning suppressions, enrichment, graphs, charts, tables and tools to help the SOC analysts identify indicators of risk from a bulk set of post-processing results.

Step 6: The SOC analysts tag records which they think you should know about. The tagged records are uploaded to the Workbench Findings report as well as a finding note from the analyst.


  • Malicious 
    Events identified as Malicious indicate attacker behavior or indicate serious risk. Malicious findings are generally accompanied by recommended containment and remediation actions or resilience recommendations.

  • Suspicious
    Events identified as Suspicious are events which cannot be confirmed. Either they're similar to some system administration type activities or further analysis of the event wasn't available through security tech and OSINT. These events can present risk and need further customer validation to determine if the activity is expected.

  • Notable 
    Events identified as Notable are likely benign but noteworthy and can present limited risk to you.