RoleCybersecurity

Threat Hunter

Hypothesis-driven hunts across telemetry, proactive, low-alert, high-judgment.

The verdict

A real specialism at mature orgs, a marketing label at most others. Only worth chasing once you've already proven the analytical instincts in SOC or IR.

Pick this if

You can frame a hypothesis and disprove it without ego
You're fluent in at least one query language under pressure
You read threat intel like a working document, not a magazine
You're comfortable working without alerts to react to

Skip this if

You've never run a structured investigation end-to-end
You want a clean queue, hunting is open-ended by design
You expect the title to come without the IR and detection background it assumes

What "doing well" looks like in the seat

Your hunts produce detections that ship and stay shipped
You find live activity that the alerting pipeline missed
Your writeups change how the SOC thinks about a TTP
Red team starts adjusting because of your work

The bit you're probably underestimating

Most orgs that advertise threat hunter actually want a senior SOC analyst with extra duties. Real hunt programmes are rare, well-funded, and selective. If the role doesn't have a dedicated hunt cadence, ringfenced time, and someone above you who's done it before, you'll spend most of your week on tickets and call yourself a threat hunter on LinkedIn. Check the maturity before you take the title.

Tradeoffs at a glance

Hover any chip for the calibrated meaning. Ratings are directional, not absolute.

Promotion ceiling

High, senior hunter / threat research lanes pay well.

Who actually gets in

+Detection Engineer
+Senior SOC
+IR analyst

Common misconceptions

−That tooling makes the hunter, it's domain knowledge and patience.

Where this leads

Detection Engineering
CTI Analyst
IR

Certifications people pair with this

GIAC GCIA

Listed because the graph connects them to this role, not because you need all of them. Most practitioners pick one or two.

Tech you'll see

Splunk

Pathways that pass through here

Where this fits

Roles connect to pathways, certs and other roles. Use one to test the next.

Pathways that touch this

Roles to consider

Certifications in scope

Perspectives that bear on this

The realistic SOC analyst path
Most guides describe the job a SOC analyst wishes they had. Here's the one they actually do.

The serious next step

You've read about the role. The harder question is whether it's the right one for you.

A Career Verdict is the written, practitioner-authored call on your specific route into and out of this role. Six primitives, same format every time.

Plateau zone

The flat year nobody warns you about, named and timed.

Reality vs Fantasy

Your actual five-year curve against the one you've been sold.

What to sit and what to skip

Each cert on your list: useful, optional, or skip, with reasons.

The call

A single written judgment on whether your plan holds up.

Tradeoff spectrum

What you're giving up for what you're choosing, plotted.

Decisive factors

The two or three things that will actually make or break this.

See what a Career Verdict looks like £25 · one verdict, yours to keep

Built on POST's practitioner-authored assessment framework, calibrated by James from twenty years across helpdesk, infrastructure and security. Framework is human-authored; the verdict applies it to your inputs.

All roles