A comprehensive study guide covering the threat hunting process, open-source intelligence (OSINT) techniques, Google hacking, profiling methods, DNS/web harvesting, AbuseIPDB, the deep and dark web, and bug bounty programs.
Threat hunting is a proactive cybersecurity technique designed to detect threats that have not been discovered by normal security monitoring. Unlike incident response — which is reactive — threat hunting assumes the adversary is already inside and goes looking for them, rather than waiting for an alert to fire.
It differs from penetration testing too: a pen tester tries to break in to demonstrate weakness; a threat hunter analyzes data already flowing through your existing tools. Threat hunting is therefore less disruptive while still being highly effective at surfacing hidden compromises.
Core assumption of threat hunting: the existing detection rules have already failed. If automated monitoring had caught the threat, you would already know about it. You are hunting specifically for what has slipped through.
The threat hunting workflow
Step 1
Establish hypothesis
Derived from threat modeling — what high-likelihood, high-impact events could occur? Who wants to target us and how?
Step 2
Profile threat actors
Use threat intelligence to build scenarios — TTPs, objectives, likely target systems. Insider? Hacktivist? Nation-state? APT?
Step 3
Hunt with tools
Analyze logs, process lists, network traffic, file system and registry changes via SIEM. Correlate across hosts for patterns.
Step 4
Identify method
Determine how the malicious process executes. What attack vector enabled it? Can it be blocked or whitelisted against?
Step 5
Feed back findings
Use results to rewrite detection rules, improve signatures, reduce attack surface, and harden critical assets.
A concrete hunt example
Threat intelligence reports a new piece of Windows malware with no available signatures. A threat hunt might proceed as follows:
Phase A
Analyze outbound network traffic for connections to suspicious domains or C2 servers identified in threat intelligence and reputation databases. Build a list of hosts sending that traffic.
Phase B
On flagged hosts, inspect the running process list. Which process opened the suspicious connection? Is it a legitimate service or something that needs investigation?
Phase C
Compare all infected hosts. Are they running the same malicious process, or are different variants being used to evade detection? Look for commonalities across victims.
Phase D
Identify the execution method — what triggered the malicious process? Implement whitelisting, blacklist the vulnerable application, or apply mitigating controls until a patch is available.
Five benefits of threat hunting
Benefit 1
Improved detection
Every evasion path discovered during a hunt feeds back into updated rule sets, detection algorithms, and custom scripts — reducing the blind spots exploited by this adversary in future attacks.
Benefit 2
Intelligence integration
Threat hunting correlates external threat intelligence with internal logs, creating actionable intelligence that neither source could produce alone.
Benefit 3
Reduced attack surface
Hunting reveals the full scope of how an adversary entered and moved through the network — enabling targeted reduction of those specific access paths.
Benefit 4
Locked attack vectors
Understanding the attacker's TTPs allows you to add controls — close ports, restrict interfaces — that block those specific vectors even before signatures exist.
Benefit 5
Critical asset identification
Hunting reveals which assets adversaries consistently target, enabling you to bundle those assets with enhanced monitoring and prevention layers as priority hardening targets.
Threat hunting is resource-intensive — it consumes significant analyst time and tooling. The investment is justified because it surfaces threats that would otherwise remain undetected for months, and the findings directly strengthen your automated detection for the next incident.
2
Open-Source Intelligence (OSINT)
OSINT is the ability to gather and use publicly available information, along with the tools used to aggregate and search it. Defenders use OSINT to understand their own external exposure; attackers use OSINT to profile targets before launching attacks.
Exam scope note: On the current CySA+ exam, OSINT questions focus on open-source threat data and intelligence sources — not on your ability to conduct hands-on OSINT. The techniques below are valuable for real-world practice and threat hunting scenario-building, but won't be heavily tested.
Four primary OSINT sources attackers exploit
Public web
Indexed information
Physical addresses, executive names, press releases, job postings. Job ads in particular reveal technology stacks — "looking for a senior Kubernetes engineer" tells an attacker exactly which platform to target.
Social media
People & relationships
Facebook, LinkedIn, and Twitter reveal employee names, roles, relationships, travel patterns, and personal interests — all usable for targeted social engineering or spearphishing.
HTML & source code
Technical fingerprinting
Web page source code often embeds server hostnames, internal IP addresses, OS version strings, file paths, developer names, and admin credentials in comments. All readable without authentication.
Metadata
Hidden document data
Published Word, Excel, or PDF documents contain metadata: author names, company names, software versions, and file paths. Extracting this metadata is a standard reconnaissance step.
3
Google Hacking & Shodan
Google hacking is not hacking Google's servers — it is an OSINT technique that uses advanced Google search operators to locate vulnerable web servers, exposed applications, and sensitive data inadvertently published on the internet.
Key Google search operators
Operator
Syntax
What it does
Example
Exact phrase
"..."
Returns only results containing the exact phrase in quotes
"Jason Dion"
NOT / exclude
-term
Removes results containing the specified word or phrase
CySA -"Dion Training"
AND / OR
& / OR / |
Requires both terms (AND) or accepts either term (OR)
Jason & Dion
Site scope
site:
Restricts results to a specific domain
site:diontraining.com
File type
filetype:
Returns only files of the specified type
filetype:xls password
In title
intitle:
Finds pages with a term in their HTML title tag
intitle:"WebView Login"
In URL
inurl:
Finds pages with a term in the URL string
inurl:admin
Related
related:
Finds sites similar to the specified domain
related:diontraining.com
Reading a Google dork query
google.com/search — query breakdown
# Full query: filetype:xls password site:diontraining.com
filetype:xls→ return only Excel spreadsheet files password→ the file must contain the word "password" site:diontraining.com→ restrict results to this domain only
# Combined meaning: find any .xls file on diontraining.com containing "password" # Zero results = good. The domain is not exposing credential spreadsheets.
The Google Hacking Database (GHDB)
The GHDB, maintained by Offensive Security, is a curated library of pre-built "Google dork" queries optimized for finding vulnerable systems, exposed login pages, misconfigured devices, and sensitive files. Analysts use it to test their own exposure; attackers use it as a reconnaissance shortcut.
GHDB dork example 1
intitle:"WebView Login" "alcatel lucent" — identifies Alcatel-Lucent switches and routers with publicly accessible login pages.
Shodan (shodan.io) is a search engine specifically optimized for finding internet-connected devices — not web pages. It continuously scans the entire internet and uses banner grabbing to identify devices by firmware version, OS, and application, then indexes them. Shodan surfaces thermostats, webcams, ICS/SCADA systems, and any other IP-connected device that is publicly reachable.
Defender use
Search your own IP ranges and hostnames on Shodan to discover which of your internet-facing devices have been identified as vulnerable — before an attacker does. Especially critical for IoT and industrial devices.
What Shodan exposes
Device type, firmware version, open ports, geographic location, hosting provider, and known vulnerabilities — all passively indexed without interacting with your systems.
Exam tip: You do not need to construct Google dork queries from scratch on the exam. You should be able to read a query in a proxy log and identify what the person was searching for — e.g. if you see filetype:pdf site:target.com password, you should recognize this as a Google dork seeking password-containing PDFs on a specific domain.
4
Email & Social Media Profiling
Email harvesting is an OSINT technique that gathers email addresses associated with a given domain, enabling an attacker to build a target list for social engineering, spearphishing, or credential stuffing campaigns.
# Once format is known, attacker guesses other addresses: ceo@diontraining.com john.smith@diontraining.com← if CEO name is known from LinkedIn support@diontraining.com operations@diontraining.com
Email harvesting methods
Method 1
Google search wildcards
Searching *@diontraining.com on Google returns any page that has published an email address with that domain — career pages, press releases, support pages, social media.
Method 2
Email dossier validation
Tools like centralops.net test guessed email addresses against the mail server and confirm whether they're valid — without sending an email. Attackers build clean lists before launching campaigns.
Method 3
Purchased lists
Spam brokers and legitimate sales-lead services sell bulk email lists. An attacker can acquire thousands of organizational addresses for minimal cost.
Method 4
theHarvester
A command-line penetration testing tool that automates email and subdomain harvesting across an organization's internet presence — primarily used in pen test reconnaissance phases.
Social media profiling & aggregation tools
Collected email addresses lead directly to social media profiles, enabling an attacker to build a comprehensive picture of an individual's interests, habits, relationships, and geographic patterns — all usable in targeted social engineering. OSINT aggregation tools automate this collection across multiple platforms:
pipl.com
People search
Aggregates personal information from social networks, public records, and web sources to build individual profiles.
peeku.com
Social aggregation
Collects and correlates social media activity and interests across platforms for a given individual.
echosec.net
Geo-social intelligence
Aggregates social media posts by geographic location — useful for tracking movements and identifying physical whereabouts.
theHarvester
CLI tool
Command-line penetration testing tool for automated subdomain and email harvesting across an organization's public footprint.
Defensive implication: Organizations should consider deliberately ambiguous email address formats (e.g., jd1234@company.com) for high-value targets like executives, at the cost of internal usability. More practically, training employees to recognize social engineering that leverages personal information is the most scalable defense.
5
DNS & Website Harvesting
WHOIS lookups
WHOIS is a public database of all registered domains and their registered administrators. Looking up any domain reveals its owner, administrative contact, email, phone number, and registrar details — a trivial but valuable reconnaissance step that requires no technical skill.
DNS zone transfers
A DNS zone transfer is a legitimate mechanism for replicating DNS database records across DNS servers. When a DNS server is misconfigured to allow zone transfers from any source, an attacker can download the entire DNS zone file — revealing all subdomains, internal server names, and IP address mappings for a target organization.
zone transfer commands (concept only — not required for exam)
# Windows — using nslookup interactive mode: C:\>nslookup >set type=any← request all record types >ls -d target.com← attempt zone transfer
# macOS / Linux — using dig: $dig axfr target.com @ns.target.com axfr = full zone transfer request if misconfigured: all DNS records copied to attacker's machine
Exam tip: You do not need to memorize the nslookup or dig zone transfer commands. You need to understand the concept: a misconfigured DNS server can expose all internal DNS records — subdomains, server names, IP addresses — to any requestor, providing a detailed map of the internal network to an attacker.
Website (web) harvesting
Website harvesting copies the complete source code of a target website to a local machine for offline analysis. Tools often called "website rippers" or "website copiers" download all linked pages, scripts, and assets. Analysts use this for static code analysis — finding old/forgotten pages, weak authentication implementations, hardcoded credentials, or verbose error pages that reveal infrastructure details.
DNS harvesting reveals
Subdomains, hosting provider, administrative contacts, internal server naming conventions, IP address assignments — the network map.
Web harvesting reveals
Forgotten pages, weak code patterns, hardcoded secrets in comments, server version headers, file path structures, and input validation weaknesses.
6
AbuseIPDB
AbuseIPDB (abuseipdb.com) is a community-driven database of IP addresses reported for abusive behavior — hacking, phishing, spamming, and other malicious activity. The database is built by a global community of security professionals who actively report malicious IPs, and it is freely accessible for lookup and integration.
Primary use
Proactive IP blocking
Organizations monitor inbound traffic against AbuseIPDB to block connections from known-malicious IP addresses before an attack can cause damage. Integrates with firewalls, IDS, and SIEM rules.
DDoS response
Attack source identification
During a DDoS, use AbuseIPDB to cross-reference the attacking IP addresses, confirm malicious status, and build a block list to stop the attack in progress.
Log monitoring
Suspicious activity triage
Failed login storms, unusual traffic spikes — cross-reference the source IPs against AbuseIPDB to quickly determine whether you are under attack or experiencing a benign anomaly.
Individual use
Email source checking
Received a suspicious email? Check the originating IP against AbuseIPDB to determine whether it has been flagged for phishing or spam before deciding how to respond.
Limitation: AbuseIPDB data is community-sourced and therefore not 100% reliable. False positives and bad-faith reports occur. Always use AbuseIPDB as one layer within a broader security decision — never as the sole basis for blocking or incident response actions.
7
The Deep Web & Dark Web
The terms deep web and dark web are frequently confused but refer to different things. Neither is fully synonymous with illegal activity — though the dark web certainly concentrates it.
Surface web
Publicly indexed by search engines. Anyone can find it via Google or Bing. Includes most websites, blogs, news, and social media. Represents approximately 4–5% of total internet content.
Deep web
Not indexed by search engines. Requires credentials or direct URLs. Includes private databases, medical and scientific research, university libraries, government databases, subscription services. Not inherently illegal.
Dark web
A specific portion of the deep web accessible only via specialized software (Tor — The Onion Router). Characterized by anonymity, encryption, and significant criminal activity: stolen data, malware markets, illicit services.
How cybersecurity professionals use each layer
Deep web use
Vulnerability research
Research known vulnerabilities in specific systems, monitor for newly published exploit methods, and access academic and government security research not available via public search engines.
Dark web use
Threat monitoring
Monitor for stolen employee or customer data, compromised credentials, and leaked intellectual property. Track criminal groups' TTPs and tool pricing to gauge threat sophistication and trending attack types.
Operational security warning: Accessing the dark web without proper precautions can expose your identity and location to the very criminals you are monitoring. Always use appropriate security measures — isolated environments, Tor best practices, no personal credentials — and follow your organization's legal and compliance guidelines before engaging with dark web resources.
Intelligence value of dark web pricing: Tracking the market price and availability of common attack tools and services on dark web marketplaces gives analysts a real-time gauge of criminal capability and intent — rising demand for specific exploit types often precedes a wave of related attacks.
8
Bug Bounty Programs
A bug bounty program is a crowdsourced security testing approach in which companies offer financial rewards to ethical hackers and security researchers who discover and responsibly disclose vulnerabilities. It gives organizations access to a large pool of external security expertise they could never fully replicate internally.
How a bug bounty engagement works
1
Company defines scope
The organization specifies which systems, applications, and domains are in-scope for testing, establishes rules of engagement, and sets the reward structure (cash, swag, recognition).
2
Researcher registers
Registration is mandatory before testing begins. A registered researcher is an ethical hacker operating under the program's terms — testing without registration is unauthorized access and a criminal act.
3
Researcher hunts & discovers
The researcher tests in-scope systems, identifies vulnerabilities, and documents findings — including reproduction steps, severity, and potential impact — without causing harm or disruption.
4
Responsible disclosure
Findings are submitted through the company's designated channel (online form or secure email). NDAs or legal agreements signed at registration govern confidentiality of the report.
5
Company triages & remediates
The organization replicates and verifies the finding, prioritizes by severity and impact, develops a fix, and issues the agreed reward. High-quality programs maintain transparent SLAs for response time.
Benefit to organizations
Access to a globally distributed pool of security researchers with diverse skillsets who test public-facing attack surface in ways internal teams may not think to. Especially valuable for catching publicly visible vulnerabilities.
Benefit to researchers
Financial reward, professional recognition, and portfolio-building in a legal and structured environment. Many professional penetration testers supplement income through bug bounty programs.
Internal participation
Employees can also participate in internal bug bounties — testing internal systems not accessible to external researchers, helping the organization improve its security posture from the inside.
Legal requirement: Always register before testing. Testing a system without authorization — even with good intentions — constitutes unauthorized access under computer crime laws in most jurisdictions. Registration transforms you from a criminal to a protected ethical hacker.
Exam
Quick Reference Cheat Sheet
Threat hunting
Proactive (vs. reactive IR). Assumes existing rules have failed. Starts with hypothesis → actor profiling → hunt via SIEM → identify execution method → feed back into detection rules.
OSINT sources
Public web, social media, HTML/source code, document metadata. Exam focus = open-source threat data feeds, not hands-on OSINT techniques.
Google hacking
Advanced operators: filetype:site:intitle:inurl:- (NOT). GHDB = pre-built dork library at Offensive Security. Exam: read a dork, don't build one.
Shodan
Search engine for internet-connected devices (not web pages). Uses banner grabbing. Defenders use it to find their own exposed IoT/ICS devices before attackers do.
Email harvesting
Gather emails → infer format → guess other addresses → validate with tools like centralops.net → use for spearphishing. theHarvester automates subdomain + email collection.
DNS zone transfer
Legitimate DB replication mechanism. Misconfigured servers allow any requester to download all DNS records (subdomains, IPs, server names). Know the concept, not the nslookup/dig commands.
AbuseIPDB
Community-driven malicious IP database. Used for proactive blocking, DDoS source ID, log triage, and email source checking. Not 100% reliable — use as one layer, not sole basis for decisions.
Deep vs. dark web
Deep = not indexed (research DBs, subscription services) — mostly legal. Dark = Tor-required, anonymous, criminal activity common. Defenders monitor dark web for stolen data and threat actor TTPs.
Bug bounties
Crowdsourced pen testing with rewards. Must register before testing — unregistered testing = crime. Scope defined by company. Internal and external participation models both exist.