Between Frameworks, Methodologies, and Operational Reality: A Critical Reflection on Modern Threat Hunting – Incident Response
In recent years, working closely with Threat Hunting and Incident Response operations, I have encountered countless reference frameworks, methodologies and “structured” approaches that promise to convert uncertainty into tactical action. MITRE ATT&CK, PEAK, TaHiTI, DHH, ACTA, the Diamond Model, the Cyber Kill Chain… familiar names in our field, yet they often seem to belong to an aspirational discourse rather than to something that, in the day-to-day of many organizations, is used with a real foundation; more often they are invoked to sell a service than to truly build capability.
Paradoxically, the frameworks that promise discipline have at times become a sort of “conceptual collection,” recited as credentials but not integrated strategically into our clients’ environments.
It is common to see organizations choose a framework as if it were selecting a firewall brand: exclusive, definitive, unquestionable. But I have asked myself many times, and now I ask you: can a single framework truly support the dynamic complexity of modern cyberattacks?
If we speak honestly, no. And that is a conversation I wanted to open.
Today, instead of marrying a methodology, we talk about organizational capability, operational maturity and contextual adaptability. A framework should not be interpreted as a rigid constraint, either for the internal team or the client, but as a guide that strengthens as it adapts to the environment, the level of available telemetry, the exposure surface and the human ability to execute, learn and evolve.
In practice, real value appears when there is operational synergy between both sides. Many times the adoption of a framework is sold as a unilateral benefit for the client, but to be honest, it is a win-win: the greater the adoption and alignment of the model by both provider and client, the greater the service’s effectiveness.
That shared maturity not only increases the impact of Threat Hunting and Incident Response, but also helps justify additional investment, since the client sees tangible and goal-oriented results, and not only theory or promises of future improvement.
What we rarely say out loud is that no framework is universally sufficient. MITRE ATT&CK gives us a common language and structure, but it does not tell us when to stop pulling an investigation thread or how to prioritize a hypothesis in a client with partial EDR coverage. PEAK speaks of statistical rigor and evolutionary cycles, but how do you apply it where basic SIEM discipline has not yet been achieved? TaHiTI offers clarity for planning and documenting hypotheses, but without solid telemetry sources its value fades. The Diamond Model remains excellent for retrospective analysis, but it requires an analytical maturity that many teams, especially in our country, are still developing.
Viewed from the outside, these frameworks look like magical solutions; from the inside, they are pieces of a larger puzzle that many organizations still lack: security culture, gradual investment, risk-based prioritization and a continuous learning approach where each contributes to program maturity.
The most interesting part is that they should be combined, but in practice many don't. We bias ourselves by defining strategy around a single model, when the models answer different needs: ATT&CK to map adversary behaviors, the Diamond Model to understand relationships and vectors, TaHiTI to structure hypotheses, PEAK to measure impact and evolution. Together they form a living assembly, an operational ecosystem.
And here’s an uncomfortable point: many organizations adopt frameworks as a symbol of maturity without having the fundamentals to execute them. Maturity does not begin when we declare the use of a framework; it begins when we correlate telemetry, document hypotheses, execute iterative hunts, measure impact, adapt playbooks, and feed back both our operation and our clients'.
The key is not only to know the frameworks but to understand their prerequisites: visibility, telemetry, progressive automation, a coherent service model, mastery of adversary behavior and above all critical ability to question our own operation.
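One way to make those prerequisites concrete before a hunt starts is to check each hypothesis against the telemetry the client actually has, rather than against what the framework assumes. The following is an added example, not code from the original article: the hypotheses, the ATT&CK technique IDs they cite, the data-source names (written in the style of ATT&CK data components), the coverage percentages and the 0.8 “ready” threshold are all constructed assumptions for illustration. It ranks a backlog by impact times feasibility, keeps blocked hypotheses visible instead of silently dropping them, and turns the missing sources into an investment argument expressed in hunts unlocked.

```python
"""Triage a threat-hunting hypothesis backlog against the telemetry a client
actually has.

Added example, not code from the original article. The hypotheses, the
ATT&CK technique IDs, the data-source names (in the style of ATT&CK data
components) and the coverage figures are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class Hypothesis:
    hid: str
    statement: str
    techniques: list[str]        # ATT&CK techniques the hunt would exercise
    required_sources: list[str]  # telemetry needed before the hunt is testable
    impact: int                  # 1..5, analyst judgement of business relevance


# Constructed inventory: fraction of the estate each telemetry source covers.
# A client with EDR on 60% of endpoints, central AD/DC logging, partial
# NetFlow and no PowerShell script-block logging at all.
CLIENT_TELEMETRY = {
    "Process: Process Creation": 0.6,
    "Command: Command Execution": 0.6,
    "Logon Session: Logon Session Creation": 1.0,
    "Active Directory: Active Directory Credential Request": 1.0,
    "Network Traffic: Network Connection Creation": 0.3,
}

# Constructed backlog; technique mappings are illustrative assumptions.
BACKLOG = [
    Hypothesis("H1", "LSASS memory access from non-security processes",
               ["T1003.001"], ["Process: Process Creation", "Process: OS API Execution"], 5),
    Hypothesis("H2", "Kerberoasting: bursts of RC4 TGS requests from one account",
               ["T1558.003"], ["Active Directory: Active Directory Credential Request"], 4),
    Hypothesis("H3", "Encoded PowerShell launched from Office parents",
               ["T1059.001", "T1204.002"], ["Command: Command Execution", "Script: Script Execution"], 4),
    Hypothesis("H4", "Remote service creation used for lateral movement",
               ["T1021.002", "T1569.002"], ["Process: Process Creation", "Logon Session: Logon Session Creation"], 4),
    Hypothesis("H5", "Periodic beaconing to rarely seen external domains",
               ["T1071.001"], ["Network Traffic: Network Connection Creation"], 3),
]


def feasibility(h: Hypothesis, telemetry: dict[str, float]) -> tuple[float, list[str]]:
    """Lowest coverage among the required sources, plus any source absent entirely.
    A hunt is only as visible as its weakest required source."""
    missing = [s for s in h.required_sources if s not in telemetry]
    if missing:
        return 0.0, missing
    return min(telemetry[s] for s in h.required_sources), []


def triage(backlog, telemetry):
    """Rank hypotheses by impact x feasibility. Hypotheses whose telemetry does
    not exist stay in the list but are marked blocked, so the gap remains visible."""
    rows = []
    for h in backlog:
        score, missing = feasibility(h, telemetry)
        if missing:
            status = "blocked"
        elif score < 0.8:          # assumed threshold for a "ready" hunt
            status = "partial"
        else:
            status = "ready"
        rows.append({
            "id": h.hid,
            "priority": round(h.impact * score, 2),
            "coverage": score,
            "status": status,
            "gaps": missing,
            "techniques": h.techniques,
        })
    # sorted() is stable, so equal-priority rows keep backlog order
    return sorted(rows, key=lambda r: (r["priority"], r["coverage"]), reverse=True)


def gap_report(backlog, telemetry):
    """Total impact blocked per missing telemetry source: the argument for the
    next investment, expressed in hunts it would unlock rather than in tools."""
    blocked: dict[str, int] = {}
    for h in backlog:
        _, missing = feasibility(h, telemetry)
        for source in missing:
            blocked[source] = blocked.get(source, 0) + h.impact
    return dict(sorted(blocked.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    for row in triage(BACKLOG, CLIENT_TELEMETRY):
        print(f"{row['id']} {row['status']:8} priority={row['priority']:<4} "
              f"coverage={row['coverage']:.0%} gaps={row['gaps']}")
    print("telemetry gaps by blocked impact:", gap_report(BACKLOG, CLIENT_TELEMETRY))
```

Run as-is and the Kerberoasting hunt comes out first because the domain-controller logs are complete, the lateral-movement and beaconing hunts are marked partial because they inherit the 60% and 30% coverage of their weakest source, and the two highest-impact hypotheses are blocked outright. The gap report then says which single source (OS API telemetry, script-block logging) would unblock the most impact, which is a far more defensible investment request than “we need more tooling”.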
Every client is a different universe. A bank with a 24/7 SOC, advanced EDR and orchestrated IT can adopt PEAK deeply; a small business that is just starting with observability will gain more by adapting ATT&CK to its context and focusing on IoC/IoA-driven and targeted hunts.
We also tend to forget that ROI in Threat Hunting and IR is not only a financial number: it is reduced dwell time, lower reputational impact, a stronger defensive model, proactive detection and institutional learning. These are living metrics, not the static reports that remain the most common output of operations.
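What “living metrics” look like in practice is a small computation over the incident ledger that can be re-run every quarter. The following is an added example, not code from the original article: the ledger is constructed, and the field layout and the detection-source labels (“hunt”, “alert”, “external”) are assumptions for illustration. It reports median dwell time (first adversary activity to detection), median time to contain, and the share of incidents found proactively by hunting, per quarter of detection, and tolerates incidents that are still open.

```python
"""Living program metrics from an incident ledger: dwell time, time to
contain and the share of incidents found proactively by hunting, per quarter.

Added example, not code from the original article. The ledger below is
constructed; the field layout and the detection-source labels are
assumptions for illustration.
"""
from datetime import datetime
from statistics import median
from typing import Optional

# Constructed ledger:
# (incident id, first malicious activity, detected, contained or None, detection source)
INCIDENTS = [
    ("INC-1", "2024-01-04T09:00:00", "2024-01-31T09:00:00", "2024-02-02T09:00:00", "external"),
    ("INC-2", "2024-02-10T08:00:00", "2024-02-20T08:00:00", "2024-02-21T08:00:00", "alert"),
    ("INC-3", "2024-03-01T10:00:00", "2024-03-15T10:00:00", "2024-03-16T10:00:00", "alert"),
    ("INC-4", "2024-04-02T00:00:00", "2024-04-08T00:00:00", "2024-04-08T12:00:00", "hunt"),
    ("INC-5", "2024-05-10T00:00:00", "2024-05-13T00:00:00", "2024-05-13T06:00:00", "hunt"),
    ("INC-6", "2024-06-01T00:00:00", "2024-06-10T00:00:00", "2024-06-11T00:00:00", "alert"),
    ("INC-7", "2024-06-20T00:00:00", "2024-06-25T00:00:00", None, "alert"),  # still open
]


def _quarter(ts: datetime) -> str:
    return f"{ts.year}Q{(ts.month - 1) // 3 + 1}"


def dwell_days(first_activity: str, detected: str) -> float:
    """Dwell time: earliest evidence of adversary activity to detection, in days."""
    delta = datetime.fromisoformat(detected) - datetime.fromisoformat(first_activity)
    return delta.total_seconds() / 86400


def contain_hours(detected: str, contained: Optional[str]) -> Optional[float]:
    """Time to contain in hours; None while the incident is still open."""
    if contained is None:
        return None
    delta = datetime.fromisoformat(contained) - datetime.fromisoformat(detected)
    return delta.total_seconds() / 3600


def metrics_by_quarter(incidents):
    """Group by the quarter in which the incident was detected and report medians
    rather than means, so one long-running intrusion does not mask the trend."""
    buckets: dict[str, list] = {}
    for _, first, detected, contained, source in incidents:
        key = _quarter(datetime.fromisoformat(detected))
        buckets.setdefault(key, []).append((first, detected, contained, source))

    report = {}
    for quarter, rows in sorted(buckets.items()):
        dwell = [dwell_days(f, d) for f, d, _, _ in rows]
        contain = [h for h in (contain_hours(d, c) for _, d, c, _ in rows) if h is not None]
        report[quarter] = {
            "incidents": len(rows),
            "open": sum(1 for _, _, c, _ in rows if c is None),
            "median_dwell_days": round(median(dwell), 1),
            # open incidents are excluded here instead of being counted as zero
            "median_contain_hours": round(median(contain), 1) if contain else None,
            "hunt_share": round(sum(1 for _, _, _, s in rows if s == "hunt") / len(rows), 2),
        }
    return report


def dwell_trend(report):
    """Quarter-over-quarter change in median dwell time; negative is improvement."""
    quarters = list(report)
    return {
        later: round(report[later]["median_dwell_days"] - report[earlier]["median_dwell_days"], 1)
        for earlier, later in zip(quarters, quarters[1:])
    }


if __name__ == "__main__":
    report = metrics_by_quarter(INCIDENTS)
    for quarter, m in report.items():
        print(quarter, m)
    print("dwell trend:", dwell_trend(report))
```

The quarter split is what makes this a living metric: the same script, re-run on the updated ledger, shows whether median dwell time is falling and whether the share of hunt-originated detections is rising, which is the evidence the article asks for instead of a static report. Medians rather than averages keep a single months-long intrusion from hiding that trend.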
Perhaps the most important point is this: adoption is not copying. The most mature thing an organization can do is not “follow a framework,” but understand it, integrate it and transform it. In cybersecurity, what is static becomes obsolete; what is adaptable evolves.
Each framework offers a different lens to view an adversary, and the real differentiator is not the tool, but the hunter who knows when to use each one.
At the end, the uncomfortable question is: are we collecting frameworks or building operational intelligence?
If I’ve learned anything in these years—though it’s little and I still have much more to learn—it’s that Threat Hunting – IR cannot operate with a rigid philosophy or predefined recipe; it is a strategic discipline that, well-applied, forces us to think, question and evolve along with threats.
And perhaps that is the true essence: not seeking the perfect framework, but intelligent and conscious adaptation that turns theory into real capability.
The question is not which framework we use, but how much real capability we build from it.
Maturity is not declared: it is evidenced in risk reduction, continuous learning, and the evolution of our defenses against the speed of the adversary, and in generating real context for our clients—not intangible figures.
Threat Hunting is not following a framework: it is thinking like an adversary and operating with defensive intelligence.
And now, what do you think?