Threat Hunting at Thales

Tags:

TCS BELUX Detect and respond
15 January 2026

What is Threat Hunting?

Threat hunting is a proactive cybersecurity practice in which skilled analysts actively seek out signs of malicious activity within an organisation’s network. Unlike traditional cybersecurity measures that depend on automated systems and predefined rules to detect threats, threat hunting takes a more hands-on, investigative approach. As Frederic HOARAU, Cybersecurity Subject Matter Expert at Thales, explains, this practice enables organisations to uncover hidden threats before they escalate, thereby strengthening overall resilience against sophisticated cyberattacks.

Different approaches to Threat Hunting

📌 Hypothesis-Driven Hunting: This approach starts with a hypothesis based on threat intelligence or known attack patterns. Analysts then search for evidence to support or refute the hypothesis.

📌 Indicator of Compromise (IOC) Hunting: This method involves searching for specific indicators that suggest a system has been compromised, such as unusual network traffic or file changes.

📌 Behavioural Hunting: Analysts look for abnormal behaviours within the network that deviate from the norm, which could indicate malicious activity.
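The three approaches above, run side by side over a handful of constructed connection log lines. This is an added illustration, not Thales' tooling: the key=value log format, the host and user names, the hash and domain values in the indicator feed and the "service account used out of hours" hypothesis are all assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample telemetry (not real data): one outbound connection per line.
LOGS = """\
2026-01-15T10:02:11 host=ws-01 user=alice dst=intranet.example sha256=aaa1
2026-01-15T11:17:40 host=ws-02 user=bob dst=update.example sha256=bbb2
2026-01-15T03:05:09 host=ws-03 user=svc-backup dst=backup.example sha256=aaa1
2026-01-15T12:30:00 host=ws-04 user=svc-backup dst=backup.example sha256=aaa1
2026-01-15T09:45:22 host=ws-05 user=dave dst=cdn.example sha256=bbb2
2026-01-15T02:00:01 host=ws-07 user=carol dst=cdn.example sha256=ccc3
2026-01-15T02:00:31 host=ws-07 user=carol dst=cdn.example sha256=ccc3
2026-01-15T02:01:01 host=ws-07 user=carol dst=cdn.example sha256=ccc3
2026-01-15T02:01:31 host=ws-07 user=carol dst=bad.example sha256=ddd4
"""
# Constructed indicator feed (placeholder values, not real IOCs).
IOCS = {"sha256": {"ccc3"}, "dst": {"bad.example"}}


def parse(logs):
    """Turn the key=value log lines into dicts, keeping the hour for time-of-day checks."""
    events = []
    for line in logs.splitlines():
        ts, *kvs = line.split()
        event = dict(kv.split("=", 1) for kv in kvs)
        event["hour"] = int(ts[11:13])
        events.append(event)
    return events


def ioc_hunt(events, iocs):
    """IOC hunting: any event whose hash or destination appears in the feed."""
    return [e for e in events if any(e.get(field) in values for field, values in iocs.items())]


def behavioural_hunt(events, z=2.0):
    """Behavioural hunting: hosts whose event volume is a z-score outlier against the fleet."""
    per_host = defaultdict(int)
    for e in events:
        per_host[e["host"]] += 1
    counts = list(per_host.values())
    mu, sigma = mean(counts), pstdev(counts)
    return sorted(h for h, c in per_host.items() if sigma and (c - mu) / sigma > z)


def hypothesis_hunt(events, prefix="svc-", business_hours=range(7, 20)):
    """Hypothesis-driven: 'a service account is being used outside business hours'."""
    return [e for e in events if e["user"].startswith(prefix) and e["hour"] not in business_hours]
```

Note that each hunt surfaces something the others do not: the IOC match only fires on known values, the behavioural outlier catches ws-07 without any indicator, and the hypothesis check isolates the out-of-hours service-account use on ws-03.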

Why is Threat Hunting needed?

Traditional cybersecurity methods, such as firewalls, antivirus software, and intrusion detection systems, are essential but often reactive. They rely on known threat signatures and predefined rules to identify threats. However, sophisticated attackers can bypass these defences using advanced techniques that traditional methods might miss.

Threat Hunting addresses these gaps by:

▪️ Proactively identifying threats: Instead of waiting for alerts, threat hunters actively seek out potential threats, often uncovering hidden or emerging threats that automated systems might overlook.

▪️ Enhancing detection capabilities: By correlating data from various sources and understanding the unique aspects of the network, threat hunters can identify subtle signs of compromise.

▪️ Reducing dwell time: The time a threat remains undetected within a network is critical. Threat hunting helps reduce this dwell time, minimizing potential damage.

▪️ Covering blind spots: Starting from the hypothesis, based on threat intelligence, that an incident has occurred lets threat hunters verify whether that threat, or that type of threat, would have been detected within the organisation had it really occurred, and so reveals potential blind spots.

▪️ Forensics: Investigating missed threats, for example after an intrusion test, shows where the cybersecurity infrastructure failed to detect the attack and how it could be detected in the future.

In summary, threat hunting is a crucial component of a robust cybersecurity strategy. It complements traditional methods by adding a proactive layer of defence, ensuring that organisations stay ahead of sophisticated cyber threats.

What does Threat Hunting require?

To start implementing threat hunting within an organisation, several key elements are essential.

First and foremost, highly skilled personnel are required, including cybersecurity analysts with extensive experience and a deep understanding of threat landscapes. These professionals must possess a broad range of competencies, from network security and incident response to malware analysis, monitoring engineering and forensic investigation. 

Threat Intelligence is another critical component, providing the necessary context and insights to identify potential threats. The organisation must also have a mature cybersecurity posture, with well-established policies, procedures, and technologies in place.

Quality data sources are vital, as threat hunters rely on accurate and comprehensive data to detect anomalies and indicators of compromise.

Additionally, Threat Hunting is a time-intensive process, requiring dedicated time and resources to conduct thorough investigations and analyses.

A strong knowledge of frameworks such as MITRE, HMM, PEAK and the Cyber Kill Chain is mandatory to structure the threat hunting methodology.

Thorough knowledge of the organisation’s infrastructure, policies and operations makes it possible to identify the scenarios, the detections, the blind spots and the remediations.

By combining these elements, an organisation can effectively embark on a proactive threat hunting journey, enhancing its overall security and resilience against cyber threats.

Threat Hunting at Thales: A cross-services cybersecurity solution

In response to client needs, Thales has built a cross-functional threat hunting capability by uniting the strengths of four expert teams: CSIRT, NetSec, Cloud Security, and SOC Engineering and Monitoring.

📌 CSIRT brings deep expertise in incident response and threat intelligence, supported by our dedicated CERTs such as TCS-CERT, CSIRT SOC, and CSIRT France, ensuring comprehensive protection across all domains.

📌 NetSec contributes technical and operational knowledge of customer infrastructure and network security.

📌 Cloud Security ensures threat coverage in cloud environments and mitigates cloud-native risks.

📌 SOC Engineering and Monitoring handles detection engineering, log management, and alerting systems.

This synergy enables us to deliver new, unified threat detection and response capabilities tailored to modern attack landscapes.

Each team’s active involvement fosters a delivery-focused collaboration that is both agile and impactful. Together, we are not just responding to threats, we are hunting them proactively, enhancing our clients' security posture and delivering real operational value. By leveraging the strengths of each team, we create a comprehensive security framework that adapts to the ever-evolving threat landscape.

Our collaborative approach ensures that we stay ahead of potential risks, allowing us to identify vulnerabilities before they can be exploited. Regular training sessions and knowledge-sharing initiatives keep our teams informed about the latest trends in cybersecurity, ensuring that we are always equipped with the most current information and tools.

By combining their efforts, these teams are developing and deploying new competencies that significantly bolster our customers' cybersecurity posture. This unified approach ensures that we stay ahead of emerging threats and continue to provide top-notch security.

Each team and actor participates in this strong cooperation and delivery-based cohesion. Together, we are not just reacting to threats. We are actively seeking them out to create a safer environment for our clients.

Acronyms

CSIRT: Computer Security Incident Response Team.

A specialised team responsible for handling and responding to cybersecurity incidents within an organisation.

TCS-CERT: Thales Cyber Solutions – Computer Emergency Response Team (Belgium and Luxembourg)

A regional CERT team dedicated to managing and mitigating security incidents in the BELUX region.

CSIRT SOC: Security Operations Centre for CSIRT in Spain and Portugal

A unit that monitors, detects, and responds to security threats for the CSIRT in these countries.

CSIRT France: Computer Security Incident Response Team France

The French branch of the CSIRT, focusing on incident response and cybersecurity operations.

NetSec: Network Security

Refers to the measures and practices used to protect the integrity, confidentiality, and availability of computer networks.

SOC: Security Operations Centre

A centralised facility where security professionals monitor, analyse, and respond to cybersecurity threats in real time.