Threat hunting plays a critical role in early detection of attacks and adversaries. It constitutes a proactive approach that is human lead and that actively searches for suspicious activities rather than passively relying on technology to automatically detect and alert on potential attacker’s activity. Early detection and investigation of such activities allow organizations to stop attacks before they can do damage.


ONE9 hunters are alerted by triggers that could potentially indicate malicious behavior. It could be a detection that has too low a level of criticality for Alpha host to act on independently, such as a firewall being disabled. This behavior could be a standard practice used by an administrator to temporarily get a job done, or it could be an adversary carrying out an attack. By tracking the context, the ONE9 can understand whether it's an adversary or a legitimate user.

RaptorX ONE9

Threat Hunting

Continuously hunting for adversaries on a 24x7 basis, reducing false negatives by augmenting existing security capabilities and covering gaps in advanced threat detection and incident response, resulting in reduction and even elimination of attacker’ dwell time.


Guided Response

Threat hunters partner with your security operations team to provide clarity on the adversaries and guidance on how to contain it, reducing response time to a minimum.



Alert Prioritization

Uniquely identify the most urgent adversaries in your network and resolves false positives.



Based on that trigger, ONE9 will conduct an in-depth forensic analysis. For example, they will examine how many times that action took place in the entire environment. In this example, if it was run by 450 out of 500 machines, then the likelihood is high that it was normal administrative behavior. But if it was run on only a handful of machines, ONE9 hunters might dig further.


At that point, ONE9 analysts might also look into the "ancestry" of the activity. This could involve examining the main process that triggered the detection, and looking up a level to see what system process initiated that activity, to find indications as to whether it was a standard process or something that looks suspicious. If it does appear potentially malicious, they'll keep moving up the chain of activity to find the initial point of origin.


If it was a malicious file at the heart of the activity, the team will start dissecting it to see what other behaviors might be associated, whether it involves password or credential dumping, or something more complex. The team will gather a full spectrum of information about the attack, including time of day and conditions when it was executed, and compare that against data pulled from RaptorX entire threat intelligence data pool. That data is then compiled into a comprehensive report that is sent both to the customer's Alpha host dashboard and via an alert email direct to the customer’s security team. See email examples below. For ONE9 customers, the team can also take immediate remediation action on the customer’s behalf, based on an agreed upon response playbook.

RaptorX DNA               RaptorX Alpha             ONE9             Company