Episode 63: How SecOps teams can scale threat hunting operations
SHOW NOTES
In our latest episode of SecOps Weekly, Red Canary threat hunters Brittany Sattler and Andrew Sharpe discuss how threat hunting programs evolve from simple, ad-hoc activities to mature, scalable operations.
Throughout the conversation, they explore the journey from early-stage threat hunting using basic tools and queries to sophisticated programs that handle multiple data sources and environments. The discussion covers key challenges organizations face as they scale, including managing diverse data sources, ensuring consistency across analysts with different skill levels, and maintaining efficiency as data volume grows.
The experts highlight practical solutions like DuckDB for local analytics processing and emphasize the complementary relationship between threat hunting and detection engineering. They also address how to make hunting results actionable through automation and standardized workflows, while noting the ongoing value of both manual analysis and systematic approaches in mature security operations.
TIMESTAMPS
- 00:00 – Intro
- 00:46 – Welcome to SecOps Weekly
- 01:11 – How threat hunting evolves at scale
- 03:23 – How hunting starts
- 05:10 – Why scaling becomes necessary
- 07:53 – As things grow: More people, more data, more variation
- 08:33 – Friction appears: Nothing breaks, but everything slows down
- 11:30 – Where the challenge shifts
- 16:08 – The data doesn’t stay fixed
- 20:10 – Handling data scale
- 21:35 – Solving the data volume problem
- 27:50 – Enabling the analyst