HEARTH THOR Collective
Open · MIT · Community curated

Keep the
hearth burning.

HEARTH is an open library of threat hunting hypotheses — drafted by hunters, refined by AI, and organized around the PEAK framework. Browse what works. Paste a CTI link, get a hunt. Contribute one back.

Hypotheses
Contributors
3 PEAK categories
ATT&CK techniques mapped
01 — PEAK Framework

Three ways
to hunt.

Every hunt in HEARTH is classified into one of three categories from the PEAK threat hunting framework. They're not levels — they're different muscles. Use the right one for the job in front of you.

01 · Flames

Hypothesis
driven

A specific theory about adversary behavior, and the evidence you'd expect to find. Classic threat hunting — write it down, then go look. "An adversary uses DLL side-loading via a signed app to maintain persistence."

02 · Embers

Baseline
& explore

Understand "normal" before you can spot the anomaly. Inventory parent-child process trees. Map the long tail of user agents. Find what you didn't know you had.

03 · Alchemy

Model-
assisted

Algorithmic and ML-powered approaches. Clustering, statistical baselines, outlier detection — let the data surface threats you wouldn't think to look for.

02 — From CTI to hunt

Paste the link.
Get a hunt.

Drop a threat intel report URL into the pipeline. HEARTH fetches the article, summarizes the TTPs, validates technique IDs against MITRE ATT&CK, checks the library for duplicates, and drafts a complete hypothesis you can review, edit, and merge.

hearth pipeline · run-2049 · 00:00:14 elapsed

$ hearth ingest https://mandiant.com/resources/blog/apt-living-off-the-land

→ resolving · brotli · readability-lxml fallback

content extracted · 4,218 words · 12 IOCs

→ analyzing with claude-sonnet-4-6 · drafting hypothesis…

tactic : TA0003 Persistence

technique : T1547.001 Registry Run Keys / Startup Folder

confidence: 0.92 · MITRE validated

hypothesis drafted · 312 words · PEAK = Flames

→ checking 162 hunts for similarity…

! 2 weak matches found · jaccard 0.31, 0.27

opened PR #0231 · awaiting Keeper review

draft · H-0231-flames.md
Hunt H-0231 · Flames · drafted by Claude

Persistence via signed-binary side-loading from a non-standard %APPDATA% path.

Hypothesis. An adversary establishes persistence by dropping a malicious DLL adjacent to a signed Microsoft binary in a user-writable directory, then registering the binary as a Run key — bypassing application allow-lists that trust the signer rather than the path.

Tactic: Persistence
Technique: T1547.001 (Registry Run Keys / Startup Folder)
Also maps to: T1574.002 (Hijack Execution Flow: DLL Side-Loading)
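The two checks the pipeline runs before a PR is opened, technique-ID validation against ATT&CK and a Jaccard similarity pass over the existing library, as an added example in Python. This is illustrative code, not HEARTH's own pipeline: the catalogue, the three library hunts, the summary text, the draft sentence and the 0.15 / 0.6 thresholds are all constructed for the example, and the "hold the PR on a near-duplicate" policy is an assumption, not a documented HEARTH behaviour.

```python
import re

# Constructed stand-in for the ATT&CK catalogue. A real pipeline would load
# enterprise-attack.json from MITRE's attack-stix-data repository; the four
# entries below are real technique IDs, but the catalogue is deliberately tiny.
ATTACK_TECHNIQUES = {
    "T1547.001": "Registry Run Keys / Startup Folder",
    "T1574.002": "DLL Side-Loading",
    "T1550.001": "Application Access Token",
    "T1059.001": "PowerShell",
}

# Constructed library entries standing in for the hunts/ directory (not HEARTH's real hunts).
LIBRARY = {
    "H-0102": ("An adversary establishes persistence by dropping a malicious DLL adjacent to a "
               "signed Microsoft binary in a user-writable directory, then registering the "
               "binary as a scheduled task."),
    "H-0077": "Persistence via a Run key that points at a renamed binary in a user-writable directory.",
    "H-0150": "A stolen refresh token is replayed from a new ASN within minutes of issuance.",
}

# Constructed model output for the demo report: two real IDs and two that do not exist.
SUMMARY = ("The actor achieved persistence through T1547.001 and loaded its payload via "
           "T1574.002; the report also mentions T1547.099 and T1999 in passing.")
DRAFT = ("An adversary establishes persistence by dropping a malicious DLL adjacent to a "
         "signed Microsoft binary in a user-writable directory, then registering the "
         "binary as a Run key.")

TECH_ID = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")
WORD = re.compile(r"[a-z0-9]+")


def extract_technique_ids(text):
    """Candidate technique IDs from a model-written summary, in order of first appearance."""
    ids = []
    for tid in TECH_ID.findall(text):
        if tid not in ids:
            ids.append(tid)
    return ids


def validate_ids(ids, catalogue=ATTACK_TECHNIQUES):
    """Split candidates into (valid, invalid). A model can emit a plausible-looking ID
    that does not exist; anything absent from the catalogue is rejected, not guessed at."""
    valid = {tid: catalogue[tid] for tid in ids if tid in catalogue}
    invalid = [tid for tid in ids if tid not in catalogue]
    return valid, invalid


def shingles(text, k=2):
    """Word k-grams over lower-cased tokens ('user-writable' becomes 'user', 'writable');
    bigrams are less fooled by re-ordered sentences than a plain bag of words."""
    words = WORD.findall(text.lower())
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a or b) else 1.0


def find_similar(draft, library=LIBRARY, weak=0.15, strong=0.6):
    """Score the draft against every library hunt. Thresholds are assumed for the example:
    >= strong is a probable duplicate, >= weak is worth a look, below weak is dropped."""
    d = shingles(draft)
    hits = []
    for hunt_id, text in library.items():
        score = jaccard(d, shingles(text))
        if score >= weak:
            verdict = "duplicate" if score >= strong else "weak"
            hits.append({"hunt": hunt_id, "score": score, "verdict": verdict})
    return sorted(hits, key=lambda h: h["score"], reverse=True)


def triage(summary, draft, catalogue=ATTACK_TECHNIQUES, library=LIBRARY):
    """Assumed pipeline policy: reject unknown IDs, hold the PR if a near-duplicate exists."""
    valid, invalid = validate_ids(extract_technique_ids(summary), catalogue)
    matches = find_similar(draft, library)
    duplicate = any(m["verdict"] == "duplicate" for m in matches)
    return {
        "techniques": valid,
        "rejected_ids": invalid,
        "matches": matches,
        "action": "needs_dedup_review" if duplicate else "open_pr",
    }


if __name__ == "__main__":
    print(triage(SUMMARY, DRAFT))
```

Against the constructed data, H-0102 scores 25/29 (same hypothesis, different persistence mechanism) and is held as a duplicate, H-0077 scores 0.2 and is reported as a weak match, and the two non-existent IDs are returned under rejected_ids rather than silently dropped, which is the check that stops a hallucinated technique number reaching the Keepers.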
03 — Actor coverage

Got a target?
Check the coverage.

Name a threat actor. HEARTH shows which hunts cover them, where coverage runs thin, and which of their techniques nobody has hunted yet.

hearth · /actors
live · drawn from public/context-graph-data.json

Match HEARTH to your threat model.

Type a name or alias. We'll surface every hunt that covers that group's tradecraft, score the coverage tactic by tactic, and call out the techniques where HEARTH is still blind — with a one-click path to fill them in.
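The coverage scoring described above, as an added Python example that is not HEARTH's code and does not read public/context-graph-data.json. The actor, its aliases and its technique list are invented for the example; the technique-to-tactic assignments are the real ATT&CK mappings for those IDs, and a technique that sits under several tactics is counted under each of them, since that is how a per-tactic score has to work.

```python
# Constructed context graph (not HEARTH's public/context-graph-data.json).
# Tactic lists are the real ATT&CK mappings for these IDs; everything else is invented.
TECHNIQUE_TACTICS = {
    "T1566.001": ["Initial Access"],
    "T1059.001": ["Execution"],
    "T1547.001": ["Persistence", "Privilege Escalation"],
    "T1003.001": ["Credential Access"],
    "T1550.001": ["Defense Evasion", "Lateral Movement"],
    "T1574.002": ["Persistence", "Privilege Escalation", "Defense Evasion"],
}
ACTORS = {  # fictitious group for the example
    "G-9001": {
        "name": "Ember Wraith",
        "aliases": ["EMBER WRAITH", "Storm-9001"],
        "techniques": ["T1566.001", "T1059.001", "T1547.001", "T1003.001", "T1550.001"],
    },
}
HUNTS = {  # hunt id -> techniques the hunt covers (constructed)
    "H-0231": ["T1547.001", "T1574.002"],
    "H-0188": ["T1550.001"],
    "H-0042": ["T1059.001"],
}


def resolve_actor(query, actors=ACTORS):
    """Case-insensitive lookup by group ID, primary name or any alias."""
    q = query.strip().lower()
    for actor_id, a in actors.items():
        names = [actor_id, a["name"], *a["aliases"]]
        if q in (n.lower() for n in names):
            return actor_id
    return None


def coverage_report(actor_id, actors=ACTORS, hunts=HUNTS, tactics=TECHNIQUE_TACTICS):
    """Score HEARTH coverage of one actor tactic by tactic and list the unhunted techniques."""
    hunted = {}  # technique -> sorted hunt ids that cover it
    for hunt_id, techs in hunts.items():
        for t in techs:
            hunted.setdefault(t, []).append(hunt_id)
    hunted = {t: sorted(h) for t, h in hunted.items()}

    per_tactic = {}
    gaps = []
    for t in actors[actor_id]["techniques"]:
        covered = t in hunted
        if not covered:
            gaps.append(t)
        for tactic in tactics[t]:  # a technique counts under every tactic it belongs to
            row = per_tactic.setdefault(tactic, {"covered": 0, "total": 0})
            row["total"] += 1
            row["covered"] += int(covered)
    for row in per_tactic.values():
        row["score"] = row["covered"] / row["total"]

    techs = actors[actor_id]["techniques"]
    return {
        "actor": actor_id,
        "tactics": per_tactic,
        "blind_tactics": sorted(t for t, r in per_tactic.items() if r["covered"] == 0),
        "gaps": sorted(gaps),
        "hunts": {t: hunted[t] for t in techs if t in hunted},
        "overall": sum(t in hunted for t in techs) / len(techs),
    }


if __name__ == "__main__":
    print(coverage_report(resolve_actor("storm-9001")))
```

For the constructed group this yields 3 of 5 techniques covered, Initial Access and Credential Access with no hunt at all, and T1003.001 / T1566.001 as the gaps a contributor could pick up next.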

04 — Hunt library

Browse, fork,
and burn it down.

Every hypothesis is a versioned markdown file — readable, forkable, runnable. Start with the featured hunt of the week, or filter the full library by tactic, data source, or PEAK category.

Hunt of the week · 19 May 2026

OAuth token replay across tenant boundaries.

by L. Proehl · reviewed by S. Marrone · 14 forks

A stolen refresh token is replayed from a new ASN within minutes of issuance, against a tenant the original user has never accessed. The hypothesis: legitimate token use clusters tightly by ASN and geography within the first 24 hours — replay shows up as a sharp deviation.

Flames · T1550.001 · Entra ID · Cloud
Detection query · KQL
// Token replay outside the expected ASN cluster.
// Refresh-token redemption is logged in the non-interactive table, so union both.
union SigninLogs, AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(24h)
| where ResultType == "0"                      // successful sign-ins only
| where AuthenticationProtocol == "oAuth2"
| summarize
    asns  = make_set(AutonomousSystemNumber),   // the ASN column; NetworkLocationDetails is the named-location list, not the ASN
    geos  = make_set(Location),
    first = min(TimeGenerated),
    last  = max(TimeGenerated)
  by UserId, SessionId
| where array_length(asns) > 1                 // one session, more than one ASN
| extend span_minutes = datetime_diff("minute", last, first)
| project UserId, SessionId, asns, geos, first, last, span_minutes
Required data: SigninLogs · AADNonInteractive · CloudAppEvents
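The same grouping logic run over a handful of sign-in events, as an added Python example that is not part of the hunt file. The events are constructed, not real telemetry, and use the SigninLogs column names so the cases line up with the query: a session redeemed from a second ASN twelve minutes after issuance, a session that stays on one ASN, a foreign-ASN attempt that failed (so no token was actually used), and a second ASN that falls outside the 24-hour window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events (not real telemetry), all on 18 May 2026, UTC.
SAMPLE_EVENTS = [
    # alice: session S-1 issued from ASN 7922, redeemed from ASN 16509 twelve minutes later
    {"TimeGenerated": "2026-05-18T09:00:00", "UserId": "alice", "SessionId": "S-1", "ResultType": "0",
     "AuthenticationProtocol": "oAuth2", "AutonomousSystemNumber": 7922, "Location": "US"},
    {"TimeGenerated": "2026-05-18T09:07:00", "UserId": "alice", "SessionId": "S-1", "ResultType": "0",
     "AuthenticationProtocol": "oAuth2", "AutonomousSystemNumber": 7922, "Location": "US"},
    {"TimeGenerated": "2026-05-18T09:12:00", "UserId": "alice", "SessionId": "S-1", "ResultType": "0",
     "AuthenticationProtocol": "oAuth2", "AutonomousSystemNumber": 16509, "Location": "DE"},
    # bob: one ASN for the whole session -> normal
    {"TimeGenerated": "2026-05-18T10:00:00", "UserId": "bob", "SessionId": "S-2", "ResultType": "0",
     "AuthenticationProtocol": "oAuth2", "AutonomousSystemNumber": 3320, "Location": "DE"},
    {"TimeGenerated": "2026-05-18T10:30:00", "UserId": "bob", "SessionId": "S-2", "ResultType": "0",
     "AuthenticationProtocol": "oAuth2", "AutonomousSystemNumber": 3320, "Location": "DE"},
    # carol: the foreign-ASN attempt failed (ResultType 50126), so nothing was replayed
    {"TimeGenerated": "2026-05-18T11:00:00", "UserId": "carol", "SessionId": "S-3", "ResultType": "0",
     "AuthenticationProtocol": "oAuth2", "AutonomousSystemNumber": 7922, "Location": "US"},
    {"TimeGenerated": "2026-05-18T11:05:00", "UserId": "carol", "SessionId": "S-3", "ResultType": "50126",
     "AuthenticationProtocol": "oAuth2", "AutonomousSystemNumber": 16509, "Location": "RU"},
    # dave: the other ASN is three days old, outside the 24h window
    {"TimeGenerated": "2026-05-15T08:00:00", "UserId": "dave", "SessionId": "S-4", "ResultType": "0",
     "AuthenticationProtocol": "oAuth2", "AutonomousSystemNumber": 9009, "Location": "US"},
    {"TimeGenerated": "2026-05-18T08:00:00", "UserId": "dave", "SessionId": "S-4", "ResultType": "0",
     "AuthenticationProtocol": "oAuth2", "AutonomousSystemNumber": 7922, "Location": "US"},
]
SAMPLE_NOW = datetime.fromisoformat("2026-05-18T12:00:00")  # fixed "now" so the run is reproducible


def detect_token_replay(events, now, window=timedelta(hours=24)):
    """Flag (UserId, SessionId) pairs whose successful OAuth2 sign-ins inside the window
    come from more than one ASN; report how quickly the second ASN appeared."""
    cutoff = now - window
    sessions = defaultdict(list)
    for e in events:
        ts = datetime.fromisoformat(e["TimeGenerated"])
        if ts <= cutoff:                       # outside the window
            continue
        if e["ResultType"] != "0":             # a failed sign-in did not redeem the token
            continue
        if e["AuthenticationProtocol"] != "oAuth2":
            continue
        sessions[(e["UserId"], e["SessionId"])].append(
            (ts, e["AutonomousSystemNumber"], e["Location"]))

    findings = []
    for (user, session), rows in sessions.items():
        rows.sort()
        asns = {asn for _, asn, _ in rows}
        if len(asns) < 2:
            continue
        first_ts, home_asn, _ = rows[0]
        # first sign-in that did not come from the ASN the session started on
        foreign_ts = next(ts for ts, asn, _ in rows if asn != home_asn)
        findings.append({
            "user": user,
            "session": session,
            "asns": sorted(asns),
            "locations": sorted({loc for _, _, loc in rows}),
            "first_seen": first_ts.isoformat(),
            "seconds_to_replay": (foreign_ts - first_ts).total_seconds(),
        })
    return sorted(findings, key=lambda f: f["seconds_to_replay"])


def run_sample():
    return detect_token_replay(SAMPLE_EVENTS, SAMPLE_NOW)


if __name__ == "__main__":
    for f in run_sample():
        print(f)
```

Only alice's session is returned, with ASNs 7922 and 16509 and 720 seconds between issuance and the first foreign-ASN use; the failure, the single-ASN session and the stale event are all filtered out before grouping, which is the order the KQL above applies its filters in as well.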
05 — Keepers & contributors

It takes
a collective.

HEARTH is built by working hunters. The Keepers maintain the framework and review every PR, and a growing roster of contributors has submitted hunts from the trenches of their own SOCs.

Top contributors · 90 days · Hunts
Keeper · co-founder
Lauren Proehl

"A hypothesis written down is worth ten in someone's head. HEARTH is the place we write them down — together."

@jotunvillur
Keeper · co-founder
Sydney Marrone

"Threat intel without action is decoration. HEARTH turns CTI into something you can actually run on Monday."

@letswastetime