Hunting Activity Overview
During August 2025, our analysts initiated 2,770 threat hunts across our customer base. Of these, 225 hunts were elevated for deeper analysis based on activity observed during the initial review. Following further investigation, 49 hunts were confirmed to involve malicious activity and were escalated to customers as incidents.
Threat hunting is the proactive search for threats that bypass automated security tools or display previously unobserved tactics and techniques. At Fortra, our threat hunting goal is simple: detect potential threats early and escalate timely, actionable alerts to keep your environment secure.
This process demonstrates the strength of our wide-to-narrow approach: by leveraging data across our entire customer base, we start from a broad perspective and progressively focus on specific threats as activity is identified. This ensures that potential risks are not viewed in isolation, but within the wider context of evolving attack patterns.
MITRE ATT&CK Tactics
To provide context, the MITRE ATT&CK framework is a globally recognized knowledge base of adversary tactics, techniques, and procedures (TTPs). It helps security teams understand how attackers operate, map their activities, and develop more effective detection and response strategies. By referencing ATT&CK, we can illustrate where threats fall within the attack lifecycle and provide customers with actionable insight into potential risks.
The information below incorporates data from all escalated threat hunts during August. Hunts often span multiple MITRE ATT&CK tactics, reflecting how attackers chain techniques together to achieve their objectives. The top five tactics observed during August 2025 were:
Execution (TA0002) – This is when an attacker actively runs malicious code on a system. It’s the stage where a threat moves from testing or probing to attempting to compromise devices or networks. Examples include running malware, executing scripts, or launching commands to gain control. Detecting activity at this stage prevents attackers from moving deeper into the network or disrupting services.
Learn more → TA0002
Initial Access (TA0001) – How attackers first gain entry to a network or system. Common methods include phishing emails, exploiting vulnerable applications, or using stolen credentials. Think of it as the “door” an attacker uses to get inside. Early detection helps block or contain attacks before they escalate.
Learn more → TA0001
Reconnaissance (TA0043) – Attackers gather information about a target before acting, such as scanning networks, researching employees, or identifying weaknesses. Essentially “spying” to plan the next move. Detecting this early allows us to disrupt attacks before they escalate.
Learn more → TA0043
Credential Access (TA0006) – Techniques used to steal account credentials, like passwords or tokens. Attackers can use these to escalate privileges, move laterally across the network, or access sensitive information. Early detection prevents them from gaining broader access and reduces the risk of further compromise.
Learn more → TA0006
Defence Evasion (TA0005) – Methods attackers use to avoid detection, such as disabling security software, hiding files, or obfuscating activity. Identifying these attempts ensures that malicious activity does not go unnoticed and allows defenders to maintain visibility into ongoing threats.
Learn more → TA0005
Chart: complete breakdown of all MITRE ATT&CK tactics and the number of times each was linked to escalated incidents in August 2025.
MITRE ATT&CK Techniques
While tactics describe why an attacker acts, techniques explain how they do it in practice. During August 2025, the following five techniques appeared most often in the hunts we escalated to customers:
Phishing (T1566)
Attackers often rely on human error rather than technology. Phishing involves sending deceptive emails or messages designed to trick individuals into clicking a malicious link, opening a harmful attachment, or revealing their login details. It remains one of the most common and effective entry points for attackers, which is why early detection and user awareness are so important.
Learn more → T1566
Cloud Infrastructure Discovery (T1580)
As more organizations move critical services to the cloud, attackers increasingly try to map out what resources are there—such as servers, storage, and security settings. This reconnaissance step helps them plan how to exploit weaknesses. Detecting this activity allows us to stop attackers before they misuse cloud environments.
Learn more → T1580
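The enumeration burst described above can be hunted for directly in audit logs. The following is an added example, not Fortra's hunting logic or code: it scans a constructed set of CloudTrail-style events (the account ID, principal ARNs, timestamps and thresholds are all made up for illustration) and flags any principal that issues many distinct read-only Describe/List/Get calls across several services within a short window, while counting AccessDenied responses, which are a common side effect of a stolen key probing what it is allowed to see.

```python
"""Hunt for Cloud Infrastructure Discovery (T1580) in CloudTrail-style events.

Added example, not Fortra's code.  The events, account ID, principal ARNs and
thresholds below are constructed for illustration.  Field names mirror a
reduced CloudTrail record (eventTime, userIdentity.arn, eventSource,
eventName, errorCode).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Read-only API families that enumerate what exists in an account.
DISCOVERY_PREFIXES = ("Describe", "List", "Get")
WINDOW = timedelta(minutes=10)   # look for bursts inside this window
MIN_DISTINCT_CALLS = 8           # distinct (service, API) pairs in the window
MIN_SERVICES = 3                 # spread across at least this many services

ACCOUNT = "111122223333"                                        # constructed
OPERATOR = f"arn:aws:iam::{ACCOUNT}:user/ops-alice"              # constructed
STOLEN = f"arn:aws:sts::{ACCOUNT}:assumed-role/ci-deploy/build-4711"  # constructed


def _ev(t, principal, service, name, error=None):
    return {"eventTime": t, "arn": principal, "eventSource": service,
            "eventName": name, "errorCode": error}


# Constructed sample log: a normal operator doing two reads over a working
# day, and a CI role credential enumerating the account at 02:13 local time.
SAMPLE_EVENTS = [
    _ev("2025-08-12T09:01:10Z", OPERATOR, "ec2.amazonaws.com", "DescribeInstances"),
    _ev("2025-08-12T14:20:31Z", OPERATOR, "s3.amazonaws.com", "ListBuckets"),
    _ev("2025-08-12T02:13:05Z", STOLEN, "sts.amazonaws.com", "GetCallerIdentity"),
    _ev("2025-08-12T02:13:09Z", STOLEN, "s3.amazonaws.com", "ListBuckets"),
    _ev("2025-08-12T02:13:22Z", STOLEN, "ec2.amazonaws.com", "DescribeInstances"),
    _ev("2025-08-12T02:13:40Z", STOLEN, "ec2.amazonaws.com", "DescribeSecurityGroups"),
    _ev("2025-08-12T02:14:02Z", STOLEN, "iam.amazonaws.com", "ListUsers"),
    _ev("2025-08-12T02:14:07Z", STOLEN, "iam.amazonaws.com", "ListRoles"),
    _ev("2025-08-12T02:14:30Z", STOLEN, "iam.amazonaws.com", "GetAccountAuthorizationDetails", "AccessDenied"),
    _ev("2025-08-12T02:15:11Z", STOLEN, "secretsmanager.amazonaws.com", "ListSecrets", "AccessDenied"),
    _ev("2025-08-12T02:16:05Z", STOLEN, "rds.amazonaws.com", "DescribeDBInstances"),
    _ev("2025-08-12T02:17:40Z", STOLEN, "lambda.amazonaws.com", "ListFunctions"),
    _ev("2025-08-12T02:19:00Z", STOLEN, "iam.amazonaws.com", "CreateUser"),  # not discovery
]


def is_discovery(event_name):
    return event_name.startswith(DISCOVERY_PREFIXES)


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def hunt_cloud_discovery(events, window=WINDOW, min_calls=MIN_DISTINCT_CALLS,
                         min_services=MIN_SERVICES):
    """Return {principal_arn: summary} for principals with a discovery burst."""
    per_principal = defaultdict(list)
    for e in events:
        if is_discovery(e["eventName"]):
            per_principal[e["arn"]].append(e)

    findings = {}
    for arn, evs in per_principal.items():
        evs.sort(key=lambda e: _parse(e["eventTime"]))
        best, j = None, 0
        # Sliding window over the sorted events; j only ever moves forward.
        for i, start in enumerate(evs):
            t0 = _parse(start["eventTime"])
            while j < len(evs) and _parse(evs[j]["eventTime"]) - t0 <= window:
                j += 1
            burst = evs[i:j]
            calls = {(e["eventSource"], e["eventName"]) for e in burst}
            services = {e["eventSource"] for e in burst}
            if len(calls) >= min_calls and len(services) >= min_services:
                candidate = {
                    "window_start": start["eventTime"],
                    "distinct_calls": len(calls),
                    "services": sorted(services),
                    "access_denied": sum(1 for e in burst if e["errorCode"] == "AccessDenied"),
                }
                if best is None or candidate["distinct_calls"] > best["distinct_calls"]:
                    best = candidate
        if best:
            findings[arn] = best
    return findings


if __name__ == "__main__":
    for arn, f in hunt_cloud_discovery(SAMPLE_EVENTS).items():
        print(f"{arn}: {f['distinct_calls']} discovery calls across "
              f"{len(f['services'])} services from {f['window_start']}, "
              f"{f['access_denied']} AccessDenied")
```

The thresholds are deliberately loose starting points; in a real environment the hunt is tuned against a baseline of what automation (IaC tooling, inventory scanners) legitimately does, and the time-of-day, source IP and user agent of the burst are pulled in before anything is escalated.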
Hide Artifacts (T1564)
Once inside a system, attackers don’t want to be noticed. They may try to hide files, processes, or logs to cover their tracks and avoid detection. By uncovering these attempts, we prevent attackers from operating unnoticed and ensure malicious activity cannot be disguised as normal behaviour.
Learn more → T1564
Subvert Trust Controls (T1553)
Modern systems rely on trust mechanisms—like digital certificates, code signing, or authentication checks—to verify that software and users are legitimate. Attackers may attempt to bypass or manipulate these safeguards to appear trustworthy. Identifying and escalating these attempts helps preserve the integrity of systems and stops attackers from blending in.
Learn more → T1553
Protocol Tunnelling (T1572)
Attackers often need a hidden communication channel to move data or maintain control of compromised systems. Protocol tunnelling is the practice of disguising malicious traffic inside normal-looking network activity, making it harder to spot. Detecting this ensures that covert channels are blocked and attackers cannot maintain a foothold in the environment.
Learn more → T1572
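DNS is the classic carrier for the kind of tunnelling described above, because almost every network lets it out. As an added example (not Fortra's detection logic or code), the script below runs a simple tunnelling heuristic over a constructed DNS query log: it groups queries by client and registered domain, then flags domains that receive many never-repeated subdomains whose labels are long and high-entropy, which is what base-encoded payload looks like. The client addresses, the domains (under the reserved .test TLD) and the thresholds are all constructed for illustration.

```python
"""Hunt for DNS-based protocol tunnelling (T1572) in a DNS query log.

Added example, not Fortra's code.  The query log, client addresses, domain
names and thresholds are constructed; the thresholds are starting points to
tune against your own baseline.
"""
import hashlib
import math
from collections import Counter, defaultdict

MIN_UNIQUE_SUBDOMAINS = 20   # many never-repeated names under one domain
MIN_AVG_LABEL_LEN = 30       # long labels carry encoded payload
MIN_AVG_ENTROPY = 3.0        # bits per character; ordinary hostnames sit well below


def _tunnel_query(i):
    # Stands in for a client encoding successive chunks of data as hex labels
    # (constructed: a stable hash so the sample is reproducible offline).
    payload = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:40]
    return ("10.0.0.23", f"{payload}.tunnel-c2.test")


# Constructed sample log as (client_ip, queried_name) pairs.
SAMPLE_QUERIES = (
    [("10.0.0.15", n) for n in ("www.example.com", "mail.example.com", "cdn.example.com")]
    + [("10.0.0.15", f"img{i}.static-cdn.test") for i in range(25)]  # noisy but benign
    + [_tunnel_query(i) for i in range(25)]                          # the tunnel
)


def shannon_entropy(s):
    """Bits per character of the string s."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(fqdn):
    """Return (registered_domain, subdomain_part) or (None, None)."""
    labels = fqdn.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return None, None  # nothing below the registered domain
    # Assumption: the registered domain is the last two labels.  Production
    # code should consult the Public Suffix List (co.uk and friends need three).
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def hunt_dns_tunnelling(queries, min_unique=MIN_UNIQUE_SUBDOMAINS,
                        min_len=MIN_AVG_LABEL_LEN, min_entropy=MIN_AVG_ENTROPY):
    """Return {(client, domain): summary} for suspected tunnels."""
    subs = defaultdict(set)
    for client, fqdn in queries:
        domain, sub = split_name(fqdn)
        if domain:
            subs[(client, domain)].add(sub)

    findings = {}
    for key, names in subs.items():
        if len(names) < min_unique:
            continue
        avg_len = sum(len(s) for s in names) / len(names)
        avg_ent = sum(shannon_entropy(s) for s in names) / len(names)
        if avg_len >= min_len and avg_ent >= min_entropy:
            findings[key] = {
                "unique_subdomains": len(names),
                "avg_subdomain_len": round(avg_len, 1),
                "avg_entropy": round(avg_ent, 2),
                # Rough outbound volume if the labels are hex (2 chars per byte).
                "approx_bytes_out": sum(len(s) for s in names) // 2,
            }
    return findings


if __name__ == "__main__":
    for (client, domain), f in hunt_dns_tunnelling(SAMPLE_QUERIES).items():
        print(f"{client} -> {domain}: {f['unique_subdomains']} unique subdomains, "
              f"avg len {f['avg_subdomain_len']}, entropy {f['avg_entropy']}, "
              f"~{f['approx_bytes_out']} bytes out")
```

The length and entropy checks are what separate the tunnel from the equally chatty but benign `imgN.static-cdn.test` pattern in the sample. A production hunt would also look at query type (TXT and NULL records are favourites for the return channel), response sizes and the domain's age, and would whitelist the handful of legitimate services that encode data in DNS labels.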
These techniques, combined with the top tactics, provide a fuller picture of attacker behaviours and the type of activity our threat hunting is designed to detect.
Chart: complete breakdown of all MITRE ATT&CK techniques and the number of times each was linked to escalated incidents in August 2025.
Customer Value
The outcomes of our hunting activity deliver measurable benefits to customers:
Reduced Dwell Time – By identifying malicious activity early, attackers spend less time in the environment.
Broader Coverage – Leveraging data across multiple customers allows us to detect patterns invisible in a single environment.
Tailored Escalations – Escalated incidents are tagged as [HUNT], providing timely, actionable alerts with context.
Continuous Improvement – Each hunt enriches our analytics and detection logic, strengthening protection across the entire customer base.
Peace of Mind – Through proactive hunting, multi-stage analysis, and timely escalation, we continue to strengthen defences while providing each client with targeted, meaningful outcomes.
Summary
The metrics and outcomes presented in this section illustrate the tangible impact of our threat hunting program—from the number of hunts conducted and the success rate of detections, to the distribution of MITRE tactics and techniques, and the industry-specific threats identified. Each hunt not only safeguards individual customers but also contributes to collective intelligence, strengthening detection and response capabilities across our entire community.
Ultimately, our threat hunting program provides continuous, proactive protection, giving customers confidence that their environments are closely monitored, relevant threats are promptly identified, and any suspicious activity is escalated quickly—well before it can develop into an incident.
Cybercrime Intelligence Shouldn't Be Siloed
Fortra® experts are dedicated to protecting organizations and the public by delivering the latest insights, data, and defenses to strengthen security against emerging cyber threats.