The correct answer is Transitioning from reactive to proactive threat hunting to identify unknown threats and vulnerabilities . This directly aligns with both the Threat Hunting Maturity Model and the strategic goals of the Pyramid of Pain , which emphasizes increasing the adversary’s cost by detecting behaviors and tactics rather than easily changeable indicators.

Reactive security operations focus on alerts, signatures, and known indicators such as hashes, IP addresses, and domains—the lowest and least painful levels of the Pyramid of Pain. While necessary, these controls are easily bypassed by sophisticated adversaries. Proactive threat hunting represents a higher maturity level, where analysts actively search for unknown, stealthy, or novel attacker behaviors that have not yet triggered alerts.

Option D (automating detection of known threats) improves efficiency but does not meaningfully increase adversary pain, as attackers can rapidly change known indicators. Option B provides preparedness benefits but does not directly shift detection capabilities. Option A focuses on compliance, which is necessary for governance but largely irrelevant to adversary behavior.

By transitioning to proactive hunting, organizations focus on TTP-based detection , such as credential misuse patterns, abnormal lateral movement, persistence mechanisms, and command-and-control behaviors. These detections operate higher in the Pyramid of Pain—tactics, techniques, and procedures—forcing attackers to significantly retool and increasing the likelihood of early detection.

From a CISO-level perspective, this shift reflects mature security leadership: compliance keeps you legal, automation keeps you efficient, but proactive threat hunting keeps you resilient against advanced threats .

The correct answer is attack path analysis using identity relationships . Cloud breaches increasingly occur through misconfigured identity permissions , not software flaws.

Attack path analysis maps trust relationships, role assumptions, permissions, and access boundaries to understand how attackers can pivot through identity systems. This is especially relevant in cloud environments where:

Roles can assume other roles

Permissions are inherited

Overprivileged identities are common

Option A is too abstract and does not capture privilege chaining. Option B assumes malware execution, which is unnecessary in identity-based attacks. Option D measures severity but does not model attacker movement.

Professional threat hunters and cloud security teams rely on attack path analysis to:

Identify privilege escalation paths

Detect identity blast radius

Prioritize remediation of high-risk relationships

This directly supports proactive hunting and aligns with identity-first security principles .

Therefore, option C is correct.

The correct answer is document findings and create permanent detections . While containment actions are necessary, they are incident response tasks , not threat hunting outcomes.

Cisco’s threat hunting lifecycle emphasizes that once malicious behavior is confirmed, teams must:

Document attacker techniques

Identify detection gaps

Convert findings into automated detections

Options A and B are tactical responses that address the current incident but do not prevent recurrence. Option D delays improvement and increases risk.

Operationalizing hunt findings ensures:

Repeated attacker behavior is detected automatically

Future dwell time is reduced

SOC maturity increases

This step directly aligns with the CBRTHD blueprint’s focus on continuous improvement and feedback loops between hunting and monitoring.

Therefore, Option C is the correct answer.

The correct answer is Simple . The exhibit shows an EDR query filtering on specific IPv4 addresses , which are classic Indicators of Compromise (IOCs) . Within the Pyramid of Pain model, IP addresses sit at the lowest level , representing the least painful indicators for adversaries to change.

The Pyramid of Pain categorizes detection indicators by how costly they are for attackers to replace:

Simple → Hashes, IP addresses, domain names

Easy → Network artifacts (URI patterns, user-agent strings)

Challenging → Host artifacts (registry keys, file paths, mutexes)

Tough → Tactics, Techniques, and Procedures (TTPs)

In this scenario, the threat-hunting team is querying EDR telemetry for outbound connections to known C2 IP addresses . While this is a valid and common detection technique—especially for rapid containment—it provides minimal long-term defensive value. Attackers can easily rotate C2 infrastructure by changing IPs, using cloud hosting, fast-flux DNS, or proxy networks.

Option C (Easy) would apply if the team were hunting for network artifacts , such as suspicious URI paths or protocol misuse. Option B (Challenging) would involve host-based artifacts , like malware persistence keys or file system changes. Option A (Tough) represents the highest maturity—detecting adversary behavior and techniques , such as beaconing patterns, lateral movement workflows, or credential abuse—none of which are present here.

From a professional threat-hunting standpoint, IP-based detections are best used as short-term controls for blocking known threats or scoping an incident. Mature organizations use them as a starting point, then pivot toward higher-fidelity detections that sit higher on the Pyramid of Pain and impose greater operational cost on attackers.

In summary, querying known C2 IP addresses corresponds to the Simple level of the Pyramid of Pain, making Option D the correct answer.

The correct answer is correlating attacker behavior across multiple MITRE ATT & CK techniques . This approach focuses on behavioral detection , which is the cornerstone of effective threat hunting and advanced security operations.

Attackers who abuse legitimate administrative tools—often referred to as living-off-the-land techniques —intentionally avoid malware-based detections. File hashes, signatures, and known indicators provide minimal value because there may be no malicious files at all . Options A and D sit at the lowest levels of the Pyramid of Pain , making them easy for adversaries to evade.

By correlating behavior across multiple ATT & CK techniques—such as credential access, lateral movement, privilege escalation, and command execution—defenders detect how the attacker operates rather than what tools they use. This forces adversaries to fundamentally change tradecraft, which is costly, risky, and time-consuming.

Option C improves visibility but does not inherently raise attacker cost. Threat intelligence feeds are reactive and often lag behind active campaigns.

From a professional threat hunting perspective, correlating multiple low-signal behaviors into a high-confidence attack pattern is how mature SOCs detect stealthy intrusions. This method also supports scalable detection engineering, improved alert fidelity, and reduced false positives.

This strategy directly aligns with higher tiers of the Threat Hunting Maturity Model and the top of the Pyramid of Pain , making option B the correct answer.

The correct answer is analyzing abnormal behavior patterns across identity, endpoint, and network telemetry . This approach represents the foundation of modern threat hunting and directly addresses adversaries who deliberately avoid traditional detections.

Advanced attackers increasingly rely on living-off-the-land techniques , stolen credentials, and legitimate administrative tools such as PowerShell, WMI, RDP, and cloud APIs. These activities rarely generate malware signatures or known IOCs, making alert-driven and signature-based defenses insufficient. As a result, mature threat hunting programs shift focus toward behavioral analysis and anomaly detection .

Option A and D rely on static indicators such as IPs, domains, and hashes. These sit at the lowest levels of the Pyramid of Pain and are trivial for attackers to change. Option B is purely reactive and limited to known malware, offering little value against stealthy intrusions.

By correlating identity logs (authentication patterns, geolocation anomalies), endpoint telemetry (process execution, parent-child relationships), and network activity (unusual connections, lateral movement patterns), hunters can detect Indicators of Attack (IOAs) rather than waiting for confirmed compromise. This enables identification of credential misuse, privilege abuse, and lateral movement even when no malware is present.

This methodology aligns with MITRE ATT & CK TTP-based hunting , which focuses on tactics and techniques instead of tools or infrastructure. It also reflects a higher tier in the Threat Hunting Maturity Model , where organizations proactively search for unknown threats rather than responding to alerts.

In professional SOC environments, this shift dramatically increases detection coverage against advanced adversaries and reduces dwell time. Therefore, option C is the most accurate and strategically sound answer.

The correct answer is small, periodic outbound connections to a rare destination . Beaconing is a hallmark of command-and-control (C2) communication, particularly in stealthy malware campaigns.

Attackers design C2 channels to:

Minimize bandwidth usage

Blend into normal traffic

Avoid triggering threshold-based alerts

As a result, beaconing traffic often consists of low-volume, regular intervals connecting to the same external destination. Cisco Secure Network Analytics is purpose-built to detect this type of behavioral anomaly using NetFlow and telemetry analysis.

Option A suggests data exfiltration rather than beaconing. Option B is too broad and unspecific. Option D relates to denial-of-service or scanning activity, not C2.

This hunting technique aligns with MITRE ATT & CK – Command and Control and is explicitly covered in the CBRTHD blueprint under network-based threat hunting. Detecting beaconing behavior forces attackers to significantly alter their communication strategy, increasing their operational cost.

Therefore, Option C is the correct and Cisco-aligned answer.