Historical data analysis in security operations: the role of retrospective search

This essay was written by Sergey Soldatov, Kaspersky’s Head of Security Operations Center. It explores the unique role of threat hunting in detecting advanced persistent threats (APTs) that evade automated security solutions, positioning it as a critical component of a modern SOC’s detection and response strategy. Drawing from real-world detection practices, it outlines how threat hunting complements alert-driven SOC operations through retrospective analysis and hypothesis-driven investigation, using telemetry data such as EDR/NDR logs.