Towards a Cognitive-Support Tool for Threat Hunters
Alessandra Maciel Paz Milani, Norman Anderson, and Margaret-Anne Storey

TL;DR
This paper introduces the Threat Hunter Board, a prototype tool designed to support threat hunters' cognitive and collaborative work by externalizing reasoning and organizing leads, based on design propositions and heuristics.
Contribution
It presents a novel cognitive-support tool for threat hunters, operationalizing design propositions and heuristics to enhance their investigative processes.
Findings
Prototype demonstrates feasibility through cognitive walkthrough
Design heuristics provide a framework for evaluating cognitive support
Initial evaluation shows potential for supporting threat hunting tasks
Abstract
Cybersecurity increasingly relies on threat hunters to proactively identify adversarial activity, yet the cognitive work underlying threat hunting remains underexplored or insufficiently supported by existing tools. Building on prior studies that examined how threat hunters construct and share mental models during investigations, we derived a set of design propositions to support their cognitive and collaborative work. In this paper, we present the Threat Hunter Board, a prototype tool that operationalizes these design propositions by enabling threat hunters to externalize reasoning, organize investigative leads, and maintain continuity across sessions. Using a design science paradigm, we describe the solution design rationale and artifact development. In addition, we propose six design heuristics that form a solution-evaluation framework for assessing cognitive support in threat…
Taxonomy
Topics: Information and Cyber Security · Stalking, Cyberstalking, and Harassment · User Authentication and Security Systems
