The Job Security Cybersecurity Podcast

Episode 2: THOR: Love and Thrunder


Host Dave Johnson and co-host Tyler Zito sit down with Sydney Marrone and Lauren Proehl, co-founders of the THOR Collective, to explore the evolving world of threat hunting. This conversation covers the fundamentals of building a threat hunting program, how AI is transforming both offensive and defensive security, and the importance of community collaboration in advancing the practice of "thrunting."

Key topics & timestamps

What is the THOR Collective? (5:27 - 9:29)

Evolution of threat hunting (9:38 - 11:55)

  • Early days: Hypothesis-driven, minimal scope, "running queries and hoping for the best"
  • Today: Machine learning, advanced statistics, AI integration
  • Expanding beyond internal networks to cyber threat intelligence

AI's impact on threat hunting (12:07 - 15:44)

  • Threat side: Perfect phishing emails, AI-generated malware, reduced red flags
  • Defense side: Lower barrier to entry, query translation, threat intel summarization
  • Lauren: "Certified AI hater" but acknowledges augmentation potential
  • Sydney: Amazed by AI capabilities but warns against over-reliance

How to start a threat hunting program (15:44 - 21:15)

  • Start small, don't overcomplicate
  • Adopt a framework (PEAK, Sqrrl, TaHiTI, or your own)
  • Cover the basics first: automate IOC matching, then focus hunts on the top of the Pyramid of Pain
  • Critical requirement: Dedicated time (not "downtime hunting")
  • Essential tools + use what you have

Proving value and storytelling (24:05 - 28:14)

  • Every hunt should have an output—you can't fail at threat hunting
  • Findings include misconfigurations, missing logs, undocumented processes
  • Turn yourself into a marketer for your program
  • Use metrics, readouts, presentations tailored to executive preferences
  • Hunt relevancy factors: Focus on what matters to YOUR organization

Documentation and process (31:33 - 36:14)

  • Tyler's mountain rescue analogy: Document everything, even "negative" findings
  • Create maps of searched areas and techniques used
  • If it's not documented, it didn't happen
  • Another hunter should be able to replicate your work entirely
  • Baseline and map to frameworks like MITRE ATT&CK

Key quotes

"If you ask three people what threat hunting is, you'll get three different answers." - Dave Johnson

"The barrier to entry [to threat hunting] is going to be a lot lower, which is great, as long as people aren't relying on [AI] way too much." - Sydney Marrone

"Every single hunt should have an output... It's very hard to fail at threat hunting—you always find something." - Lauren Proehl

"If it isn't documented, it didn't happen." - Lauren Proehl

"The only way we win this is doing this together." - Lauren Proehl

Helpful links

  • THOR Collective
  • The Threat Hunters Cookbook by Sydney Marrone
  • Blue Team Village at DEF CON

Production Credits

  • Co-hosts: Dave Johnson and Tyler Zito
  • Producer: Ben Baker
  • Sponsor: Expel MDR

Connect

  • Follow Expel on LinkedIn, X, and YouTube
  • Rate and review on your favorite podcast platform

The Job Security Podcast explores the unique perspectives and stories of the people who make the cybersecurity industry what it is, whether they realize it or not.


The Job Security Cybersecurity Podcast, by Expel MDR