The Best Threat Hunting Tools for 2023

The term “threat hunting” means searching through an IT system for malicious activities. These activities might be happening at the moment or they might have already occurred

Threat hunting systems are rarely sold as standalone packages. Instead, this is a technique that is used as part of a cybersecurity service.

Here is our list of the nine best threat hunting tools:

1. SolarWinds Security Event Manager EDITOR’S CHOICE One of the most competitive SIEM tools on the market with a wide range of log management features. Get a 30-day free trial.
2. ManageEngine Vulnerability Manager Plus (FREE TRIAL) Use this system to check your endpoints and network devices for weaknesses that represent security threats. Runs on Windows Server. Start 30-day free trial.
3. ManageEngine Log360 (FREE TRIAL) This on-premises package includes a SIEM for threat hunting with a threat intelligence feed and activity analysis to hone the accuracy of attack detection. Runs on Windows Server. Start a 30-day free trial.
4. VMWare Carbon Black Endpoint An EDR that is based in the cloud but includes data collectors installed on monitored devices.
5. CrowdStrike Falcon Overwatch A full security operations center provided on a subscription basis that includes a SaaS EDR system, called Falcon Insight, plus technicians to run the software and security analysis for manual threat hunting.
6. Trend Micro Managed XDR A subscription service that offers both software-based and human threat hunting that will implement responses automatically to shut down attacks.
7. Cynet 360 An innovative cloud-based cyber defense system that diverts intruders away from valuable assets through a Deception module that also exposes malicious activity to scrutiny and analysis.
8. Exabeam Fusion Offered in SIEM and XDR formats, both options use the same threat hunting routines. This is a cloud platform.
9. Rapid7 InsightIDR A SIEM and XDR service that can be added to other services from the same cloud platform, such as a threat intelligence feed.

The threat hunter is the search tool that scours through activity data, looking for signs of unwanted behavior.

The types of systems that have threat hunting built into them are:

• Anti-virus (AV)
• Endpoint detection and response (EDR)
• Extended detection and response (XDR)
• Security information and event management (SIEM)
• Intrusion detection systems (IDSs)
• Intrusion prevention systems (IPSs)
• Cyber threat intelligence (CTI)

You will notice that firewalls are not included in the list. Although firewalls scan traffic, their activities are not generally classified as threat hunting. A firewall filters traffic.

Threat hunting strategies

Threat hunting systems look through system data for indicators of attack or unusual behavior. The source of that data is usually captured performance data and log messages. Threat hunting can be performed on a device but it is more effective if all activity data from all of the devices on a network are pooled in one central location. This enables the threat hunter to look for malicious activities that travel between devices so the cybersecurity system can spot and block a spreading attack.

Threats might be implemented in the form of software or manual activity by an individual. In almost all events, the malicious activity will be carried out within an authorized user account.

If an outsider is using a valid account, it will be due to an account takeover. This can occur because of weak security in the form of crackable passwords. Hackers can also get account credentials by tricking users into a disclosure.

If the malicious actor is a staff member, the user concerned might have been tricked or threatened into acting on behalf of an outsider. A disgruntled employee might want to damage the business by stealing or disclosing sensitive data or selling data for financial gain.

Although the software is usually involved in a malicious event, this is not always malware or unauthorized systems installed by a hacker. The authorized applications that you have installed for use by company workers can process and move data and they can serve malicious insiders and intruders as well.

Automated and manual threat hunting

Threat hunting processes are built into cybersecurity software. However, threat hunting can be a human activity as well. A data viewer with search and sorting facilities enables a cybersecurity specialist to analyze data and make inquiries into possible misuse of data.

Although a system manager might notice something odd about user account activity and want to investigate further, threat hunting is more usually an activity carried out by dedicated professionals. Not many businesses are large enough to be able to afford to keep a qualified cybersecurity specialist on staff, so these experts are more likely to be encountered working for consultancies and get involved in a client company’s data when called in to sort out an emergency.

Businesses can create an ongoing contract for consultancy services by signing up for a managed security package, which includes both the protection software and the services of cybersecurity experts to analyze data in the event of anomalies that the software cannot categorize.

The best threat hunting tools

The field of threat hunting offers a range of configurations and they encompass on-premises software packages, SaaS platforms, and managed services. When seeking out good examples of threat hunting systems to recommend, we need to be aware that different sizes and types of businesses will have different needs. Therefore, it is impossible to recommend a single package that can be easily identified as the best option available.

With these criteria in mind, we identified reliable cybersecurity tools that include excellent threat hunting procedures. We made sure to include on-premises, SaaS, and managed service options.

1. SolarWinds Security Event Manager (FREE TRIAL)

SolarWinds Security Event Manager is the best option for those system managers that want to keep everything in-house. The package runs on your server and explores all other endpoints across the network. This system operates on live network performance data, drawn from sources, such as the Simple Network Management Protocol (SNMP) as well as log messages.

Key Features:

• Log file collectors
• On-premises
• Sensitive data manager
• Compliance auditing
• Signature-based threat hunting

The package includes connectors that interface to applications and extract event data. The system also includes a file integrity monitor that records access to files and changes made to their contents. This is a sensitive data manager that supervises nominated files and folders.

The performance readouts and log messages then get converted into a common format, which is called “consolidation”. The tool presents these records to the threat hunting module for analysis.

The malicious activities that the threat hunter detects can be stopped immediately. This threat hunter is a signature-based service that looks for indicators of attack. The system includes a list of responses, which are called correlation rules. These specify an action to take if a threat is detected. Those actions can be blocking traffic from and to a specific IP address, suspending a user account, shutting down a process, and deleting a file.

SolarWinds Security Event Manager installs on Windows Server and it is available for a 30-day free trial.

2. ManageEngine Vulnerability Manager Plus (FREE TRIAL)

Vulnerability Manager Plus provides a strategy to prevent threats from succeeding rather than waiting and looking for threats that are in progress. This is a system hardening package that scans endpoints and network devices, such as firewalls and gateways.

Key Features:

• Scans for security weaknesses
• Patch manager
• Protects Windows, macOS, and Linux
• Configuration hardening

This ManageEngine package scans endpoints and internet-facing devices. It spots configuration errors that provide opportunities for intruders and it identifies out-of-date operating systems and software packages. In some cases, those old software systems need to be completely replaced. However, where updates are available, the Vulnerability Manager Plus system will find those patches and schedule them for rollout.

The patch manager that forms part of the Vulnerability Manager Plus package will order patches according to known dependencies and it also gives you a chance to test the patches before they are applied.

Vulnerability Manager Plus addresses the system weakness that poorly planned elevated accounts and abandoned user accounts present. It identifies where credentials need to be tightened and where access rights management can be improved.

ManageEngine Vulnerability Manager Plus installs on Windows Server. There is a Free edition that covers up to 25 endpoints. The two paid versions are the Professional edition to manage a LAN of more than 25 devices and the Enterprise edition, which is designed to protect endpoints on multiple sites. You can get either of the paid versions on a 30-day free trial.

ManageEngine Vulnerability Manager Plus Start 30-day FREE Trial

3. ManageEngine Log360 (FREE TRIAL)

ManageEngine Log360 provides a SIEM system for threat hunting. This detection service is enhanced by a threat intelligence feed, which provides a list of known attacker addresses and methods. The system is also informed by a user and entity behavior analytics (UEBA) service that cuts out false positive alerting by establishing a baseline of normal activity.

Key Features:

• Scans through logs
• Collects data from endpoints and cloud platforms
• Gathers network activity data
• Threat intelligence feed

There are many other modules in this on-premises package that enable the system to automatically block malicious activity by malware, intruders, or insiders. These include cloud access security broker (CASB) to enforce security on cloud platforms, behavior analysis to spot insider threats and account takeovers, access logging and file integrity monitoring to block data theft, and security orchestration, automation, and response (SOAR) to coordinate the automated responses to threats between all the tools in the package and third-party systems.

The SIEM requires log messages as its source data and so the Log360 system includes a log manager that collects, consolidates, and then stores messages. This service is also useful for compliance auditing and reporting. This system can be used to report for PCI DSS, GDPR, FISMA, HIPAA, SOX, and GLBA. This system also provides protection for Active Directory implementations, which is also a requirement of many data protection standards.

ManageEngine Log360 is an on-premises package that runs on Windows Server. It is able to collect data from all your other operating systems, network devices, and cloud services. This system is available for a 30-day free trial.

ManageEngine Log360 Start 30-day FREE Trial

4. VMWare Carbon Black Endpoint

VMware Carbon Black Endpoint protects multiple endpoints. Each enrolled endpoint has an agent installed on it and that unit communicates with the cloud-based Carbon Black data processor.

Key Features:

• Threat intelligence feed
• Anomaly detection
• SOAR
• Fast threat hunting

A network agent also communicates with third-party security tools as part of a technique that is called security orchestration, automation, and response (SOAR). The SOAR system gathers information from third-party security tools, such as firewalls, and adds this to the pool of information that is collected in the cloud.

The threat hunting module in the Carbon Black package is called Predictive Cloud Security, which is notable for its ability to search through large collections of data very quickly. The detection of a threat triggers response instructions that are sent to the device agents and also to the third-party tools that are enrolled in the SOAR system.

The SaaS package implements threat hunting per client and then pools all discovered data for a central search for all clients. This central threat hunting provides threat intelligence about hacker campaigns and warns clients ahead of the attack. You can request a demo of the VMWare Carbon Black Endpoint system.

5. CrowdStrike Falcon Overwatch

CrowdStrike Falcon is a cloud platform of security tools that include an EDR, called Insight,  and an XDR. The EDR coordinates with CrowdStrike on-device systems and the XDR adds on SOAR.

Key Features:

• Anomaly-based
• Local threat hunting
• Consolidated cloud-based threat hunting

The one product of CrowdStrike that runs on endpoints is a next-generation anti-virus package, called Falcon Prevent. This performs its own threat hunting and implements defense responses. If the buyer of Falcon Prevent has also subscribed to one of the cloud-based systems, the AV acts as an agent to it.

Both Falcon Insight and Falcon XDR perform threat hunting in the cloud on the pool of data uploaded from all endpoints enrolled in the plan. This threat hunting process can be enhanced with a threat intelligence feed, called Falcon Intelligence.

A business that doesn’t want to keep a security expert on staff would be missing out on the benefit of manual threat hunting and expert security analysis. CrowdStrike caters to this need with the Overwatch package. This is a full security operations center that provides system-wide threat detection and response management for subscribing clients. This is the Falcon XDR SaaS package with security analysts added on.

The Overwatch plan includes an installation of Falcon Prevent on every endpoint. You can get a 15-day free trial of CrowdStrike Falcon Prevent.

6. Trend Micro Managed XDR  

Trend Micro Managed XDR is a SOC-for-hire plan that adds the services of security specialists to the Trend Micro Vision One system security package. Vision One is a SaaS XDR with on-device agents and SOAR, reaching out to third-party security tools.

Key Features:

• Multi-level threat hunting
• Security analysts
• SOAR

The Vision One service is a cloud coordinator of on-device Trend Micro endpoint-resident AVs that perform their own threat hunting locally. These units upload activity data to the Trend Micro server for enterprise-wide threat hunting. The Trend Micro threat detection system is called Zero Trust Risk Insight. It looks for anomalous access to applications, identifying insider threats and intrusion.

The managed service includes automated systems and expert analysts. Manual threat hunting reduces the inconveniences of infrequent legitimate tasks being blocked by automated EDR processes. Analysis can also produce recommendations for system hardening.

You can get access to a demo system, which is called the Vision One Test Drive.

7. Cynet 360 AutoXDR Platform

Cynet 360 AutoXDR Platform includes a threat hunting layer that gathers information on malicious activity from third-party on-site tools. This platform is resident in the cloud and it provides several utilities to help the on-site automated systems detect threats.

Key Features:

• Cloud-based
• Local data collectors
• Deception techniques

The threat identification services of Cynet 360 include sandboxing and a honeypot system that provides a fake teaser to hackers, drawing them to an analysis unit.

As well as its own research lab structure, the Autonomous Breach Protection system in Cynet 360 gathers local information through agents in a network called Sensor Fusion. The threat hunting process deploys user and entity behavior analytics (UEBA) to assess the intent of regular business traffic around the network and blocks malicious activity through SOAR.

Cynet offers a 14-day free trial of The AutoXDR platform.

8. Exabeam Fusion

Exabeam Fusion is a cloud platform with on-site agents that implements threat detection, investigation, and response (TDIR). The package can operate as an XDR or a SIEM. The tool draws in source data from its on-site agents to feed into the threat detection module that operates in the cloud.

Key Features:

• Anomaly-based threat hunting
• UEBA
• Compliance reporting

The Exabeam Fusion threat hunting service uses anomaly detection, which is built on UEBA for activity baselining. The service can be tailored to specific data protection standards requirements and then it will also automatically generate compliance reporting.

The system relies on log information for source data and it can interface directly with a list of software packages through a library of connectors. The service will also consolidate and store logs for manual threat hunting analysis and compliance auditing.

You can assess Exabeam Fusion with a demo.

9. Rapid7 InsightIDR

Rapid7 is a cloud platform of cybersecurity modules. You select which services you want from the menu of options and those packages slot together. The cloud system is called Rapid7 Insight and the XDR package on that platform is called InsightIDR – IDR stands for “incident detection and response” and it can also be used as a next-gen SIEM.

Key Features:

• SIEM
• Threat intelligence
• Both anomaly and signature-based

The InsightIDR service requires agents to be installed on protected endpoints. The uploaded logs that are gathered by those agents provide the source material for SIEM searching and they will also be stored in log files for manual threat hunting and compliance auditing.

Rapid7 provides a threat intelligence feed into the threat hunting service, which is called the Attack Behavior Analytics (ABA) module. That ABA system is signature-based but it interacts with anomaly-based UEBA searches to provide a blended threat hunting strategy.

Another package available on the Insight platform is Insight Connect, which extends the capabilities of InsightIDR by adding SOAR connectors.

You can assess Rapid7 InsightIDR with a 30-day free trial.