SkillHub
SkillHubagent skills marketplace
Menu
All SkillsStacksKOLHotRankings
Sign inGet Pro
Back to skills
SkillHub ClubResearch & OpsFull StackData / AITesting

hunt-focus-definition

Define a focused hunt hypothesis by synthesizing completed system internals and adversary tradecraft research. Use this skill after research has been completed to narrow a high-level hunt topic into a single, concrete attack pattern with clear investigative intent. This skill produces a structured, testable hypothesis and should be used before selecting data sources, defining environment scope, or developing analytics.

Packaged view

This page reorganizes the original catalog entry around fit, installability, and workflow context first. The original raw source lives below.

Stars
4,503
Hot score
99
Updated
March 20, 2026
Overall rating
C4.8
Composite score
4.8
Best-practice grade
B81.2

Install command

npx @skill-hub/cli install otrf-threathunter-playbook-hunt-focus-definition

Repository

OTRF/ThreatHunter-Playbook

Skill path: .github/skills/hunt-focus-definition

Define a focused hunt hypothesis by synthesizing completed system internals and adversary tradecraft research. Use this skill after research has been completed to narrow a high-level hunt topic into a single, concrete attack pattern with clear investigative intent. This skill produces a structured, testable hypothesis and should be used before selecting data sources, defining environment scope, or developing analytics.

Open repository

Best for

Primary workflow: Research & Ops.

Technical facets: Full Stack, Data / AI, Testing.

Target audience: everyone.

License: Unknown.

Original source

Catalog source: SkillHub Club.

Repository owner: OTRF.

This is still a mirrored public skill entry. Review the repository before installing into production workflows.

What it helps with

  • Install hunt-focus-definition into Claude Code, Codex CLI, Gemini CLI, or OpenCode workflows
  • Review https://github.com/OTRF/ThreatHunter-Playbook before adding hunt-focus-definition to shared team environments
  • Use hunt-focus-definition for development workflows

Works across

Claude CodeCodex CLIGemini CLIOpenCode

Favorites: 0.

Sub-skills: 0.

Aggregator: No.

Original source / Raw SKILL.md

---
name: hunt-focus-definition
description: Define a focused hunt hypothesis by synthesizing completed system internals and adversary tradecraft research. Use this skill after research has been completed to narrow a high-level hunt topic into a single, concrete attack pattern with clear investigative intent. This skill produces a structured, testable hypothesis and should be used before selecting data sources, defining environment scope, or developing analytics.
metadata:
  short-description: Define a structured hunt hypothesis
---
# Define Hunt Focus

This skill synthesizes completed research on system internals and adversary tradecraft into a single, focused hypothesis that defines what specific attack pattern will be investigated in the hunt.

It is executed after research has been completed and before detailed hunt planning, environment scoping, or query development.

## Workflow

- You MUST complete each step in order and MUST NOT proceed until the current step is complete.
- You MUST NOT perform new web searches or introduce new research in this skill.

### Step 1: Synthesize Research Context

Establish the context required to define a focused hunt hypothesis using the outputs of prior research.

- Use the provided hunt research context.
- Draw only from:
  - System internals research findings
  - Adversary tradecraft research findings
  - Identified candidate abuse patterns
- Do NOT read additional reference documents or perform new research.

This step is complete when there is sufficient context to reason about a concrete, observable attack pattern.

### Step 2: Select a Single Attack Pattern

Select **one** attack pattern to focus the hunt.

- Choose the pattern that is:
  - Most realistic for the environment
  - Clearly observable based on expected telemetry
  - Actionable for hypothesis-driven investigation
- If multiple patterns exist, select the dominant one.

Do NOT select multiple patterns.

### Step 3: Generate the Hunt Hypothesis

Create a structured hunt hypothesis describing the selected attack pattern.

- Use the format defined in `references/hypothesis-template.md` within this step ONLY.
- Populate all required sections of the template.

Do NOT define time windows, environment scope, data sources, or constraints in this step.  
Those details are defined later when the hunt is assigned to a specific environment or operational context.

---

## Referenced Files

> The following files are referenced in this skill and included for context.

### references/hypothesis-template.md

```markdown
# Hunt Focus: [Insert Attack Pattern]

## Hypothesis Title
Use the format:  
“A threat actor might use [attack behavior] for [outcome].”

## Hypothesis Explanation
1–4 sentences describing the attack behavior being investigated, why it is relevant or plausible, how it aligns with known system behavior, and what observable system or behavioral effects would be expected if the activity occurred.

## Platform Context
- **Platform**: [Windows | Linux | macOS | Cloud | Other]

## ATT&CK Context (Optional)
- **Tactic**: [e.g., Execution, Persistence, Lateral Movement]
- **Technique**: [Technique name]
- **Technique ID**: [e.g., T1047]

*Only include this section if the mapping is clear from prior research.  
Do not force a mapping if uncertain.*
```
hunt-focus-definition | SkillHub