What does effective threat hunting actually look like inside large, complex environments? In this episode of Ahead of the Breach, we sit down with Matthew Winters of T. Rowe Price to unpack what it means to hunt threats at scale and why the hardest part isn’t finding suspicious behavior, but deciding where to look in the first place.

Matthew brings a practitioner’s perspective shaped by years in SOC operations, incident response, and enterprise environments. The conversation moves well beyond tools and techniques, focusing instead on mindset, prioritization, and how defenders can think more strategically about disrupting attackers.

Threat Hunting Versus IR, Red Teaming, or CTI

One of the biggest challenges Matthew highlights is that threat hunting is often misunderstood internally. It’s frequently lumped in with incident response, red teaming, or threat intelligence. While it may borrow pieces from each, it serves a different purpose.

Threat hunting exists to confront survivorship bias in security programs: the blind spots created by what tools don’t alert on and what defenders assume isn’t happening. The goal isn’t to respond to alerts, but to proactively surface what’s being missed and convert unknown unknowns into measurable risk.

That distinction matters, especially for organizations trying to build or justify a hunting function. Without shared definitions, teams struggle to align expectations, scope, and outcomes, often before the work even begins.

How Modern Adversaries Blend In

When asked about the most effective attacker techniques he’s seen, Matthew doesn’t point to flashy exploits or novel malware. Instead, he describes something subtler and far harder to detect: adversaries who behave exactly like legitimate administrators.

Rather than running noisy discovery commands, attackers increasingly learn environments the same way employees do: reading internal documentation, browsing SharePoint, and quietly understanding how systems fit together. In large organizations where roles overlap and access is broad, this kind of behavior is almost indistinguishable from normal work.

Defending against that requires more than signatures or indicators. It demands context, visibility, and a willingness to question whether "normal" behavior really makes sense for a given user at a given moment.

From Data Overload to Signal

A recurring theme in the conversation is analysis paralysis. Enterprise environments generate enormous volumes of data, and knowing where to start can feel overwhelming, especially for newer hunters.

Matthew’s approach starts simple:

  • Get familiar with the dataset by looking at extremes: the biggest, smallest, rarest, and most frequent values
  • Separate automated activity from human behavior by analyzing patterns over time
  • Only then apply more advanced analytical techniques  

This process helps narrow the field before deeper analysis, reducing noise and focusing effort where anomalies are more likely to matter.
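The three steps above, carried through in code as an added example (this is not code from the episode or from T. Rowe Price): the records are constructed process-start events, the `cv_threshold` of 0.2 and the "count == 1" definition of rare are assumptions chosen for the sample, and the coefficient of variation of inter-event gaps is one simple way to separate scheduled activity from human bursts.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from statistics import mean, pstdev


def build_sample():
    """Constructed sample telemetry (not real data): process starts keyed by
    user, host and command. A service account runs the same job every ten
    minutes, a human admin works in irregular bursts, and one rare command
    shows up once under the service account."""
    base = datetime(2024, 1, 1, 9, 0, 0)
    recs = []
    for i in range(6):  # scheduled job, perfectly regular cadence
        recs.append({"user": "svc_backup", "host": "srv01",
                     "cmd": "robocopy.exe", "ts": base + timedelta(minutes=10 * i)})
    for m in (1, 4, 5, 17, 23):  # human: bursty, irregular gaps
        recs.append({"user": "jdoe", "host": "ws07",
                     "cmd": "powershell.exe", "ts": base + timedelta(minutes=m)})
    for m in (2, 9):
        recs.append({"user": "jdoe", "host": "ws07",
                     "cmd": "net.exe", "ts": base + timedelta(minutes=m)})
    recs.append({"user": "svc_backup", "host": "srv01",  # the odd one out
                 "cmd": "whoami.exe", "ts": base + timedelta(minutes=31)})
    return recs


def extremes(records, field):
    """Step 1: get a feel for the dataset by looking at its extremes."""
    counts = Counter(r[field] for r in records)
    ordered = counts.most_common()
    return {"most_frequent": ordered[0], "rarest": ordered[-1],
            "distinct": len(counts), "total": len(records)}


def interval_cv(timestamps):
    """Coefficient of variation (stdev / mean) of the gaps between events.
    Near zero means machine-regular cadence; None means too few events."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else 0.0


def classify_cadence(records, cv_threshold=0.2):
    """Step 2: label each (user, cmd) series as automated, human or too_few.
    The 0.2 threshold is an assumption for this sample, not a universal cut."""
    series = defaultdict(list)
    for r in records:
        series[(r["user"], r["cmd"])].append(r["ts"])
    labels = {}
    for key, ts in series.items():
        cv = interval_cv(ts)
        if cv is None:
            labels[key] = "too_few"
        elif cv < cv_threshold:
            labels[key] = "automated"
        else:
            labels[key] = "human"
    return labels


def hunt_candidates(records, cv_threshold=0.2):
    """Step 3: only now combine the views. Keep commands that are rare
    (seen once, by assumption) and whose series is not explainably scheduled;
    those are where a deeper look is most likely to pay off."""
    labels = classify_cadence(records, cv_threshold)
    cmd_counts = Counter(r["cmd"] for r in records)
    rare = {c for c, n in cmd_counts.items() if n == 1}
    return sorted(key for key, lab in labels.items()
                  if key[1] in rare and lab != "automated")


if __name__ == "__main__":
    recs = build_sample()
    print(extremes(recs, "cmd"))
    print(classify_cadence(recs))
    print(hunt_candidates(recs))
```

On the constructed sample the scheduled `robocopy.exe` series is labelled automated and drops out, the admin's PowerShell activity is labelled human, and the single `whoami.exe` under the service account is the only candidate left, which is the narrowing the text describes.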

Graph Theory and the "Jenga Tower" of Adversary Tradecraft

Where the conversation really sharpens is Matthew’s use of graph theory to prioritize hunting efforts. He describes attacker behavior as a kind of Jenga tower: interconnected techniques stacked together to achieve an objective.

Not all blocks are equal. Some techniques are interchangeable; others are structurally critical. By modeling adversary behavior as a graph, and applying concepts like betweenness centrality, defenders can identify which techniques matter most and where removing a single block could collapse an entire attack path.

This approach reframes threat hunting away from subjective prioritization (this looks interesting) toward evidence-based decisions rooted in how attackers actually operate.
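The Jenga idea as an added, runnable example (not the episode's own model or tooling): a small constructed chain of techniques from entry points to an objective, betweenness centrality computed with Brandes' algorithm, and a "pull the block" check that shows which entry points can still reach the objective when one technique is taken away. The technique names, edges and entry/objective choice are illustrative assumptions, not a real intrusion.

```python
from collections import deque

# Constructed illustrative technique graph (assumption, not a real case):
# edge a -> b means "b is typically reached via a" in this toy chain.
TECHNIQUES = {
    "phishing":            ["user_execution"],
    "exploit_public_app":  ["script_interpreter"],
    "valid_accounts":      ["remote_services"],
    "user_execution":      ["script_interpreter"],
    "script_interpreter":  ["credential_dumping", "discovery"],
    "credential_dumping":  ["remote_services"],
    "discovery":           ["remote_services"],
    "remote_services":     ["collection"],
    "collection":          ["exfiltration"],
    "exfiltration":        [],
}
ENTRIES = ["phishing", "exploit_public_app", "valid_accounts"]
OBJECTIVE = "exfiltration"


def betweenness(graph):
    """Brandes' algorithm for unweighted directed graphs: for every node v,
    the number of shortest s->t paths passing through v, summed over pairs
    (as a fraction of all shortest s->t paths)."""
    bc = {v: 0.0 for v in graph}
    for s in graph:
        stack, queue = [], deque([s])
        pred = {v: [] for v in graph}
        sigma = {v: 0 for v in graph}
        dist = {v: -1 for v in graph}
        sigma[s], dist[s] = 1, 0
        while queue:  # BFS, counting shortest paths
            v = queue.popleft()
            stack.append(v)
            for w in graph[v]:
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    pred[w].append(v)
        delta = {v: 0.0 for v in graph}
        while stack:  # accumulate dependencies back toward s
            w = stack.pop()
            for v in pred[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                bc[w] += delta[w]
    return bc


def entries_still_reaching(graph, entries, objective, removed):
    """Which entry points still reach the objective if `removed` is cut out."""
    alive = []
    for e in entries:
        if e == removed:
            continue
        seen, queue = {e}, deque([e])
        while queue:
            v = queue.popleft()
            for w in graph[v]:
                if w != removed and w not in seen:
                    seen.add(w)
                    queue.append(w)
        if objective in seen:
            alive.append(e)
    return alive


def rank_blocks(graph, entries, objective):
    """Sort techniques by betweenness (highest first) and attach, for each,
    how many entry points would survive its removal."""
    bc = betweenness(graph)
    rows = [(v, bc[v], entries_still_reaching(graph, entries, objective, v))
            for v in graph if v != objective]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for name, score, survivors in rank_blocks(TECHNIQUES, ENTRIES, OBJECTIVE):
        print(f"{name:20s} betweenness={score:5.1f} entries_left={survivors}")
```

In this toy graph `script_interpreter` scores highest and `remote_services` second, and cutting either leaves at most one entry point (the valid-accounts path) with a route to the objective, while removing `credential_dumping` changes nothing because `discovery` substitutes for it. That is the distinction the text draws between interchangeable blocks and structurally critical ones.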

Start Where It Hurts the Attacker Most

When it comes to where defenders should focus first, Matthew is pragmatic. Initial access may be attractive, but it’s often difficult to meaningfully stop. Execution, on the other hand, is concrete and frequently unavoidable for attackers.

If defenders can disrupt execution paths, they force adversaries back toward noisier, riskier techniques like social engineering. That shift alone can dramatically change the defender’s advantage.

For those just starting out in threat hunting, his advice is simple: don’t wait for the perfect plan. Pick a dataset you understand, start exploring, and build confidence through action.

Why This Conversation Matters

This episode isn’t about chasing the latest detection trend or adopting yet another framework. It’s about how defenders can think more clearly, prioritize more effectively, and spend limited time where it actually makes an impact.

Matthew’s perspective reminds us that threat hunting is as much about decision-making as it is about data and that the most effective hunters are the ones who understand how attackers build, not just how they break.


Where to Listen

Apple

Spotify

YouTube