🎯 Threat Hunter

Proactive Defender

🎭 Archetype

"I hunt threats before they know they're being hunted."

💪 Strengths

  • Advanced Detection: Finding sophisticated and hidden threats
  • Attack Prediction: Anticipating threat behavior and evolution
  • Intelligence Analysis: Using threat intelligence effectively
  • Proactive Defense: Stopping attacks before they cause damage

🎯 Focus Areas

• Hidden threat detection and hunting
• Threat intelligence and attribution analysis
• Attack prediction and evolution assessment
• Advanced persistent threat investigation

🎪 Roleplay Tips

• Think beyond the immediate threat: 'What else might be here?'
• Use threat intelligence to predict attacker next moves
• Be proactive: look for what hasn't been found yet
• Consider the broader campaign beyond this incident

🎲 Game Modifiers

  • 🎲 +3 Threat Detection – Advanced hunting, hidden threat discovery
  • 🎲 +2 Intelligence Analysis – Attribution, campaign analysis
  • 🎲 +1 Attack Prediction – Evolution assessment, behavior forecasting

When You Shine

You activate when the team gets comfortable. Round 2 (scope confirmation) and Round 3 (is it really over?) are your key moments, because that’s when assumptions get tested. When Detective thinks they’ve found the root cause and Protector is ready to contain, you’re the one who asks “but what else is here?”

You also activate early if initial indicators look more sophisticated than expected. A single phishing email is one thing; a phishing email using a custom dropper that calls back to fresh infrastructure suggests a different class of threat entirely. The sooner you identify that pattern, the sooner the team adjusts its response.

During Round 1 you’re building hypotheses: if this is what it appears to be, where else might the attacker be? By the time the team is ready to contain in Round 2, you should have hunt results that either confirm scope or expand it. Either answer is valuable.

Earning Your Bonuses

  • +3 Threat Detection:
    • “I run a hypothesis-driven hunt for lateral movement beyond the known systems”
    • “I check for persistence mechanisms the initial scan didn’t catch”
    • “I look for the attacker’s footprint in systems we haven’t examined yet”
  • +2 Intelligence Analysis:
    • “I compare the TTPs to known threat actor profiles – this matches a specific group’s behaviour”
    • “I use the IoC to pivot and find related attacker infrastructure”
    • “I assess whether this is targeted or opportunistic”
  • +1 Attack Prediction:
    • “Based on this actor’s known playbook, their next move is probably…”
    • “I assess the re-infection risk through the same vector if we don’t patch X before we bring systems back online”
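The +3 Threat Detection hunts above, and the Round 1 hypothesis work (“if this is what it appears to be, where else might the attacker be?”), come down to one repeatable procedure: start from the confirmed hosts, follow every account that touched them during the incident window to the hosts it went on to authenticate to, and keep expanding until nothing new appears. The script below is an added example written for this card, not part of the original page or of any referenced tool; the log format, host names, account names and timestamps are constructed for illustration. It also uses a pre-incident baseline so that an account’s normal machines are not reported as expanded scope, which is the check that keeps a hunt from reporting every file server as “compromised”.

```python
"""Hypothesis-driven lateral-movement hunt over constructed logon events.

Hypothesis: credentials seen on the known-compromised host(s) were used to
move to other systems. From the confirmed hosts, follow each account observed
there during the incident window to the hosts it subsequently authenticated
to, and repeat until no new hosts appear. Hosts an account touched routinely
*before* the window are baseline and are not counted as expanded scope.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class LogonEvent:
    time: datetime
    account: str
    src_host: str  # where the session originated
    dst_host: str  # where the account authenticated


def parse_event(line: str) -> LogonEvent:
    # Constructed line format: "<ISO time> <account> <src_host> -> <dst_host>"
    ts, account, src, _, dst = line.split()
    return LogonEvent(datetime.fromisoformat(ts), account, src, dst)


# Constructed sample telemetry (hypothetical hosts and accounts, not real data).
SAMPLE_LOG = """
2024-03-01T08:00:00 m.lee WS-044 -> FS-01
2024-03-01T09:00:00 j.doe WS-017 -> WS-017
2024-03-02T09:05:00 j.doe WS-017 -> FS-01
2024-03-09T22:14:00 svc_backup WS-017 -> WS-017
2024-03-09T22:31:00 svc_backup WS-017 -> FS-01
2024-03-09T22:40:00 svc_backup WS-017 -> DC-02
2024-03-09T23:02:00 admin.t DC-02 -> DC-02
2024-03-09T23:15:00 admin.t DC-02 -> HR-DB
2024-03-10T08:00:00 m.lee WS-044 -> FS-01
""".strip().splitlines()


def hunt_lateral_movement(events, seed_hosts, incident_start, max_rounds=10):
    """Expand scope from seed_hosts by following suspect accounts outward."""
    # Baseline: hosts each account was seen on before the incident window.
    baseline = defaultdict(set)
    for e in events:
        if e.time < incident_start:
            baseline[e.account].add(e.dst_host)
    window = [e for e in events if e.time >= incident_start]

    scope = set(seed_hosts)
    suspects = set()
    hops = []  # (account, src_host, dst_host, time) for each scope-expanding logon
    for _ in range(max_rounds):
        # Any account with an in-window session on an in-scope host, outside its
        # baseline for that host, is a lead worth following.
        for e in window:
            if e.dst_host in scope and e.dst_host not in baseline[e.account]:
                suspects.add(e.account)
        # Follow suspect accounts from in-scope hosts to hosts not yet in scope.
        new_hosts = set()
        for e in window:
            if (e.account in suspects and e.src_host in scope
                    and e.dst_host not in scope
                    and e.dst_host not in baseline[e.account]):
                new_hosts.add(e.dst_host)
                hops.append((e.account, e.src_host, e.dst_host, e.time))
        if not new_hosts:
            break
        scope |= new_hosts

    # Fan-out: distinct hosts each suspect account reached in the window.
    fan_out = {a: len({e.dst_host for e in window if e.account == a}) for a in suspects}
    return {
        "scope": scope,
        "expanded": scope - set(seed_hosts),
        "suspect_accounts": suspects,
        "hops": sorted(hops, key=lambda h: h[3]),
        "fan_out": fan_out,
    }


def verdict(result):
    """The one-line answer the Crisis Manager needs at the containment decision."""
    if not result["expanded"]:
        return "scope confirmed"
    return f"scope expanded: {len(result['expanded'])} additional host(s)"


def run_sample():
    events = [parse_event(line) for line in SAMPLE_LOG]
    return hunt_lateral_movement(events, {"WS-017"}, datetime(2024, 3, 9))


if __name__ == "__main__":
    res = run_sample()
    print(verdict(res))
    for account, src, dst, when in res["hops"]:
        print(f"{when.isoformat()}  {account}: {src} -> {dst}")
```

On the constructed data the hunt starts from WS-017, picks up svc_backup, follows it to FS-01 and DC-02, picks up admin.t on DC-02 and follows it to HR-DB, while m.lee’s logon to FS-01 is ignored because FS-01 is in that account’s baseline. Either outcome is a usable answer: an empty `expanded` set is “scope is confirmed”, a non-empty one is “there may be more; hold containment”.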

Questions to Drive the Game

  1. “Are we sure we’ve found everything – is there lateral movement we haven’t examined?”

    Confirming scope before containment is complete means the team doesn’t face a second incident discovery a week later. This question is the checkpoint that prevents an “all clear” being called too early.

  2. “Do these tactics match a known threat actor or campaign?”

    Attribution isn’t about assigning blame – it’s about predicting next moves. A known actor profile tells you what they typically do after initial access, which gives the team a roadmap of what to look for before it happens.

  3. “What persistence mechanisms should we look for beyond the obvious one?”

    Sophisticated attackers plant multiple persistence methods. Removing the visible one without checking for others means you’ve cleaned the symptom and left the cause intact.

  4. “Even after we clean this up – could the same vector be used again immediately?”

    If the initial access vector hasn’t been closed, cleanup is temporary. This question forces the team to confirm that remediation addresses the root cause, not just the consequence they can see.

  5. “Is there attacker infrastructure we should report or block proactively?”

    Known C2 infrastructure can be shared with threat intelligence communities or blocked network-wide. Your pivot from a single IoC to attacker infrastructure is the contribution that extends protection beyond the current incident.

Working With Your Team

  • Detective finds the initial evidence; you look beyond it for what’s hidden – treat their IoCs as starting points for your hunt rather than conclusions, and ask them directly what they haven’t had time to investigate yet
  • Tracker provides network data; you use it to identify C2 infrastructure and pivot outward – combine their connection logs with your TTP knowledge to map the attacker’s broader footprint beyond the immediate incident
  • Crisis Manager needs your scope assessment before committing to a remediation plan – give them a clear answer early: “scope is confirmed” or “there may be more; hold containment for 20 minutes”; don’t leave them in ambiguity at a decision point
  • Communicator uses your attribution findings for regulatory and executive reporting – precise attribution and campaign scope directly affect what the organisation is legally required to disclose and to whom

Interaction frequency across a typical 3-round session:

  • Detective → Threat Hunter – 55% · initial evidence
  • Tracker → Threat Hunter – 65% · network data
  • Threat Hunter → Crisis Manager – 65% · scope
  • Threat Hunter → Communicator – 45% · attribution
  • Threat Hunter → Protector – 35% · eradication

Badges

All badges are available to everyone. As Threat Hunter you’ll most naturally contribute to:

  • 💻 Endpoint Security Protector of Digital Workstations – awarded for advanced malware detection, behavioural analysis, and persistence mechanism discovery; hunting beyond the obvious initial find is exactly the kind of depth this badge rewards
  • 🌐 Network Security Guardian of Digital Highways – awarded for C2 infrastructure identification, lateral movement detection, and network threat intelligence; your ability to pivot from a single indicator to a broader campaign maps directly to the technical proficiency criteria
  • 🏭 Critical Infrastructure Security Protector of Essential Systems – awarded for ICS/SCADA threat awareness, IT/OT security knowledge, and advanced persistent threat investigation in operational environments