Understanding Process
Understanding Automated Threat Hunting Operations
Core Discovery Workflow
Discovery operates through structured execution cycles called “runs,” each following a systematic process designed to maximize threat detection while minimizing resource consumption and false positives.
Execution Framework
Scheduled Operations: Discovery runs according to predefined schedules (daily, weekly, or custom intervals) based on your security requirements. These schedules ensure continuous coverage without overwhelming your systems or analysts with excessive data.
Layered Investigation: Each run employs a depth-based approach, starting with your primary assets and expanding outward through connected relationships. Depth 0 examines your direct assets, Depth 1 investigates immediate connections, and subsequent depths explore increasingly distant relationships.
Pipeline Processing: Discovery uses configurable flows—specialized scanning modules that perform specific threat hunting tasks. These flows operate in sequence, with each contributing unique intelligence perspectives to create comprehensive threat profiles.
Key Configuration Elements
Assets as Starting Points: Your Asset Inventory provides the foundation for all Discovery operations. Each asset becomes a “target” for investigation, with the system methodically processing every target through the configured pipeline.
Flow Selection: Different flows serve different purposes—domain enumeration, credential monitoring, brand impersonation detection, or dark web scanning. You can enable specific flows based on your security priorities and risk profile.
Depth Configuration: Depth settings control how far Discovery expands from your original assets. Higher depths provide broader coverage but consume more resources and may introduce less relevant findings. Lower depths focus on immediate threats with faster processing times.
Checkpoint System: Discovery automatically saves progress at regular intervals, creating recovery points that allow interrupted operations to resume without losing completed work. Because checkpoints are periodic, only targets processed after the most recent checkpoint are repeated on resume; everything saved before it is kept. This resilience ensures consistent coverage even during system maintenance or unexpected interruptions.
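The following is an added illustrative model of one run, not Discovery's own code: targets start from the Asset Inventory at depth 0, each target is pushed through the configured flows in sequence, related assets a flow reveals are queued one depth further out until the depth limit is reached, and a checkpoint snapshot is taken every few targets so a failed run can resume from it. The flow names, the `RELATIONSHIPS` map of what enumeration would reveal, the look-alike domain and the `Run` class are all constructed assumptions for the example.

```python
"""Illustrative model of a depth-limited, checkpointed Discovery run.
Example code, not the product's implementation; flows, inventory and
relationships below are constructed for the demonstration."""
import copy
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

# Constructed Asset Inventory: these are the depth-0 targets.
ASSETS = ["example.com"]

# Constructed relationships a domain-enumeration flow would surface.
# Depth: example.com=0, mail/shop=1, cdn.partner.net=2, examp1e-login.net=3.
RELATIONSHIPS = {
    "example.com": ["mail.example.com", "shop.example.com"],
    "shop.example.com": ["cdn.partner.net"],
    "cdn.partner.net": ["examp1e-login.net"],   # look-alike, three hops out
}

# Hypothetical flows: each returns (findings, related_targets).
def domain_enumeration(target):
    return [f"dns:{target}"], RELATIONSHIPS.get(target, [])

def brand_impersonation(target):
    # Toy rule: digit-for-letter substitution of the brand name.
    return ([f"lookalike:{target}"] if "examp1e" in target else []), []

FLOWS = {"domain_enumeration": domain_enumeration,
         "brand_impersonation": brand_impersonation}

@dataclass
class State:
    pending: deque              # queue of (target, depth)
    seen: set                   # targets already queued; prevents cycles
    findings: dict = field(default_factory=dict)   # target -> findings

@dataclass
class Run:
    flows: list                 # flow names to apply, in order
    max_depth: int
    checkpoint_every: int = 2   # snapshot after this many completed targets
    status: str = "Scheduled"
    checkpoint: Optional[State] = None
    processed: int = 0          # total target executions, including replays

    def execute(self, fail_after=None):
        """Process targets until the queue is empty. Starts fresh if no
        checkpoint exists, otherwise resumes from the last snapshot.
        fail_after simulates an interruption after N targets this attempt."""
        if self.checkpoint is None:
            state = State(deque((a, 0) for a in ASSETS), set(ASSETS))
        else:
            state = copy.deepcopy(self.checkpoint)
        self.status = "Running"
        done_this_attempt = done_since_checkpoint = 0
        while state.pending:
            if fail_after is not None and done_this_attempt == fail_after:
                self.status = "Failed"     # may resume from last checkpoint
                return self.status
            target, depth = state.pending.popleft()
            findings = []
            for name in self.flows:         # flows run in sequence per target
                flow_findings, related = FLOWS[name](target)
                findings += flow_findings
                if depth < self.max_depth:  # expand one hop, within the limit
                    for r in related:
                        if r not in state.seen:
                            state.seen.add(r)
                            state.pending.append((r, depth + 1))
            state.findings[target] = findings
            self.processed += 1
            done_this_attempt += 1
            done_since_checkpoint += 1
            if done_since_checkpoint == self.checkpoint_every:
                self.checkpoint = copy.deepcopy(state)   # recovery point
                done_since_checkpoint = 0
        self.checkpoint = copy.deepcopy(state)
        self.status = "Completed"
        return self.status

if __name__ == "__main__":
    shallow = Run(flows=list(FLOWS), max_depth=2)
    shallow.execute()
    print(shallow.status, sorted(shallow.checkpoint.findings))
    deep = Run(flows=list(FLOWS), max_depth=3)
    deep.execute(fail_after=3)       # interrupted after three targets
    deep.execute()                   # resumes from the checkpoint
    print(deep.status, deep.processed, deep.checkpoint.findings)
```

With `max_depth=2` the look-alike domain is never reached; at `max_depth=3` it is processed and flagged, which is the coverage-versus-noise trade-off the depth setting controls. In the interrupted run, two targets were saved by the checkpoint and one was replayed, so the total of six target executions is one more than the five unique targets.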
Process Status Management
Discovery provides real-time visibility into operational status through multiple levels of monitoring:
Schedule Status:
- Active: Normal operation with runs executing according to schedule
- Inactive: Temporarily suspended, no new runs initiated
- Ongoing: Current run in progress
- Paused: Manually suspended, can be resumed from checkpoint
Run Status:
- Scheduled: Queued for execution at designated time
- Running: Active processing of targets through configured flows
- Completed: Successful completion of all planned operations
- Failed: Terminated due to errors, may resume from last checkpoint
Flow-Level Tracking: Individual scanning modules report their status independently, allowing granular visibility into which specific operations are active, completed, or experiencing issues.
This multi-tiered status system enables precise monitoring and troubleshooting, ensuring Discovery operations remain reliable and effective.