Louis Zezeran
12 March 2026
Threat Hunting Beyond Automation: Why Human Investigation Still Matters in Modern Cybersecurity
In cybersecurity, there is always a temptation to believe that the next tool will solve the problem. A better SIEM. A smarter EDR. More automation. More AI. Better dashboards. Better alerting. And while all of those things absolutely matter, this episode of the NEVERHACK Estonia Cybercast delivers an important reminder: even in a world of increasingly automated SOC operations, human-led threat hunting still plays a critical role.
In this conversation, Louis Zezeran is joined by Piotr Czopik from Recorded Future for an engaging and highly practical discussion on what threat hunting actually is, why it remains essential, and how cyber threat intelligence helps security teams investigate what standard security controls can miss. Recorded during NEVERHACK Estonia’s Client Day 2026 in Tallinn, the episode combines technical insight with accessible explanation, making it useful not only for cybersecurity practitioners, but also for business leaders who want to better understand how modern defense really works.
Threat hunting is not what most people think
One of the strongest opening ideas in the episode is that threat hunting is often misunderstood. It is easy to imagine it as a glamorous activity: analysts rapidly tracking intruders in real time, uncovering hidden malware with cinematic precision, and “hacking back” through advanced tooling. Piotr quickly grounds the conversation in reality.
Real threat hunting is far less dramatic and far more disciplined.
According to Piotr, a huge portion of a threat hunter’s job is learning. Not just occasional learning, but constant learning. Studying attacker techniques. Reading research. Understanding processes inside operating systems. Learning how legitimate tools behave. Understanding the relationships between processes, directories, commands, and network activity. That foundation is what allows an analyst to later identify something unusual.
That is an important lesson for any organization building cyber capability. Strong security is not just about buying technology. It is about building understanding. The best threat hunters do not merely search for known bad files. They understand normal behavior deeply enough to recognize when something subtle is off.
Attackers reuse what works — and defenders can use that against them
A particularly useful theme in the episode is the idea that attackers are creatures of habit. Piotr explains that threat actors, like anyone else, tend to repeat methods that have worked for them before. If a certain playbook helps them compromise systems efficiently, they are likely to keep using it across different victims until defenders force them to adapt.
This matters because it gives defenders an opportunity.
Rather than reacting only to isolated indicators, defenders can study patterns: tactics, techniques, and procedures. That is where intelligence becomes powerful. If you can identify the methods that an adversary repeatedly uses, you can disrupt not just one attack, but an entire approach. Piotr ties this to the “pyramid of pain” concept discussed in the episode. Simple indicators like hashes are easy for attackers to change. But once defenders start detecting the behaviors, commands, and workflows attackers rely on, they create real operational friction.
That does not mean attackers stop. But it does force them to slow down, rethink, and invest more effort. And in cybersecurity, increasing attacker cost is often a meaningful win.
Why advanced threats are difficult to find
One of the episode’s most valuable moments comes when Louis and Piotr unpack a practical threat-hunting demonstration. In the demo, malware was intentionally placed on a Windows system and disguised to look like a legitimate process. That was not just a lab trick. It reflected a real defensive challenge.
Attackers rarely announce themselves.
Malicious code is not usually named something obvious like “malware.exe.” Instead, it is often disguised using familiar names, expected directories, or processes that blend into the environment. In the example discussed, the malware was deliberately named in a way that would create confusion with a legitimate component already present in the system. That is exactly the sort of camouflage attackers use in real-world intrusions.
This creates a key challenge for analysts. Even when they know what they are looking for, finding suspicious behavior can be difficult. And in real incidents, they often do not know. They may only have small fragments: a process launched from an unusual directory, odd command execution, suspicious outbound connections, or a pattern of activity that seems slightly wrong but does not immediately trigger a standard alert. Threat hunting is the work of connecting those small fragments until the larger picture becomes visible.
For listeners, this is one of the most practical insights in the episode. Security is not always about catching obviously malicious behavior. Often it is about identifying what looks normal at first glance, but behaves abnormally under scrutiny.
The gap between automated detection and real investigation
Another major takeaway from the conversation is the distinction between automated SOC operations and bespoke investigation.
Modern security tools are powerful. They use rules, detections, machine learning, automation, and AI to triage huge volumes of events. That capability is essential. No team could manually inspect everything. But the episode makes clear that even the best tools do not catch everything. Advanced attackers know how security controls work. They know how to operate quietly. They know how to hide within legitimate tools and expected system behavior.
This is where threat hunting becomes indispensable.
Threat hunting is not a replacement for automation. It is a complement to it. The automated SOC handles scale, repetition, known signals, and rapid response. Threat hunters focus on ambiguity, edge cases, subtle anomalies, and the things that fall between standard rules. That is why the conversation between Louis and Piotr feels especially relevant today. In an era filled with promises that AI will detect everything, this episode offers a more mature view: automation is essential, but human expertise remains irreplaceable.
Where Recorded Future fits in
For many listeners, one of the most useful parts of the episode will be the explanation of what a cyber threat intelligence platform actually does.
Piotr explains that Recorded Future gathers intelligence from a wide range of sources across the internet, including open, deep, and dark web sources, and can analyze suspicious files in sandbox environments to understand how they behave. That intelligence is not just passive reporting. It can be turned into something operationally useful. Analysts can use that behavioral intelligence to generate rules and hunt for related activity within their own SIEM or EDR tools.
That matters because the most useful intelligence is actionable intelligence.
A security team does not only want to know that a threat exists somewhere in the world. They want to know what it means for their own environment. What behaviors should they search for? What threat actors are most relevant to their sector? Which techniques are associated with those actors? Which suppliers or partners increase their exposure? This is where intelligence can make threat hunting more focused, more efficient, and more strategic.
In the episode, Piotr explains that Recorded Future can help organizations understand which threat actors are more likely to target them based on factors such as industry, third parties, and technology stack. That is a powerful concept. Instead of hunting blindly, teams can prioritize their efforts based on who is most likely to come after them and how those actors usually operate.
Why this matters for smaller companies too
A standout theme in the episode is the relevance of all this for smaller organizations.
Many smaller businesses still assume that cybercriminals are only interested in large enterprises, major brands, or government institutions. Louis pushes back on that view, and Piotr reinforces the point. Smaller organizations are often targeted because they are easier to breach. In other cases, they are targeted because they are connected to larger organizations through supply chains, vendor relationships, software dependencies, or shared access.
This is one of the most important messages for the audience.
You do not need to be a global enterprise to be a useful target. You may simply be the easiest route to someone else. Or you may be a quick payday because your defenses are weaker. Either way, the risk is real. The discussion around third-party intelligence and supply-chain visibility makes this especially relevant for organizations that work closely with customers, contractors, technology vendors, or critical service providers.
In practical terms, that means cybersecurity cannot be thought of only as internal protection. It is also about understanding your ecosystem. Who do you depend on? Who depends on you? Which relationships increase your exposure? And what would an attacker see if they profiled your business from the outside?
Key lessons listeners can apply
This episode gives listeners several practical lessons they can use right away.
First, do not assume your existing tools see everything. Mature security programs recognize detection gaps and actively hunt for what standard controls may miss.
Second, focus on behavior, not just indicators. File hashes and known signatures are useful, but advanced defenders look for suspicious commands, process execution patterns, unexpected directories, unusual network behavior, and other contextual clues.
Third, use threat intelligence to prioritize. Knowing which actors target your industry, region, supply chain, or technology stack helps you hunt smarter.
Fourth, think beyond your own perimeter. Your suppliers, contractors, and partners may all influence your risk.
And finally, remember that strong cybersecurity still depends on human skill. The best tools in the world are most effective when paired with analysts who know how to investigate, interpret, and ask the right questions.
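To make the "behaviour, not just indicators" lesson and the masquerading demo from the episode concrete, here is a small hunt over constructed Windows process-creation events. This is an added example and not code from the episode, from NEVERHACK or from Recorded Future; the hashes, paths, user names and the baseline of "normal" directories and parent processes are all constructed or assumed for illustration. It shows why a hash lookup only catches the sample the intelligence feed has already seen, while checks on where a process runs from, what started it and what it is called keep firing after the attacker recompiles.

```python
from dataclasses import dataclass
import difflib
import ntpath


@dataclass
class ProcessEvent:
    """One process-creation record, shaped like the Sysmon/EDR fields a hunter would query."""
    image: str          # full path of the executable that started
    parent_image: str   # full path of the process that started it
    command_line: str
    sha256: str         # file hash as reported by the sensor


# Constructed sample telemetry: not real malware, and the hashes are placeholders.
EVENTS = [
    # 0: genuine svchost, correct directory, correct parent
    ProcessEvent(r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\services.exe",
                 "svchost.exe -k netsvcs", "a" * 64),
    # 1: the demo-style masquerade: a file named svchost.exe dropped in Temp and
    #    launched by a downloaded binary; this hash IS on the intel feed
    ProcessEvent(r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
                 r"C:\Users\alice\Downloads\invoice.exe",
                 "svchost.exe", "b" * 64),
    # 2: the same tool recompiled a week later: new hash, same behaviour
    ProcessEvent(r"C:\Users\bob\AppData\Local\Temp\svchost.exe",
                 r"C:\Users\bob\Downloads\invoice.exe",
                 "svchost.exe", "c" * 64),
    # 3: lookalike name sitting in the right directory
    ProcessEvent(r"C:\Windows\System32\svch0st.exe",
                 r"C:\Windows\explorer.exe",
                 "svch0st.exe", "d" * 64),
    # 4: ordinary user activity
    ProcessEvent(r"C:\Windows\System32\notepad.exe",
                 r"C:\Windows\explorer.exe",
                 "notepad.exe notes.txt", "e" * 64),
]

# Baseline of "normal" for a few system binaries (assumption: default Windows layout).
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
}
EXPECTED_PARENTS = {
    "svchost.exe": {"services.exe"},
    "lsass.exe": {"wininit.exe"},
}
# What the (constructed) intel feed has seen so far: only the first sample's hash.
KNOWN_BAD_SHA256 = {"b" * 64}


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()


def hash_findings(ev: ProcessEvent) -> list[str]:
    """Bottom of the pyramid of pain: exact-match indicator lookup."""
    return ["known-bad hash"] if ev.sha256 in KNOWN_BAD_SHA256 else []


def behaviour_findings(ev: ProcessEvent) -> list[str]:
    """Higher up the pyramid: where it runs from, who started it, what it is called."""
    name = _name(ev.image)
    findings = []
    if name in EXPECTED_DIRS and _dir(ev.image) not in EXPECTED_DIRS[name]:
        findings.append(f"masquerade: {name} running from {_dir(ev.image)}")
    if name in EXPECTED_PARENTS and _name(ev.parent_image) not in EXPECTED_PARENTS[name]:
        findings.append(f"unexpected parent: {name} started by {_name(ev.parent_image)}")
    if name not in EXPECTED_DIRS:
        # Names that are almost, but not quite, a known system binary
        close = difflib.get_close_matches(name, EXPECTED_DIRS, n=1, cutoff=0.85)
        if close:
            findings.append(f"lookalike name: {name} resembles {close[0]}")
    return findings


def hunt(events: list[ProcessEvent]) -> list[tuple[int, list[str], list[str]]]:
    """Return (event index, hash findings, behaviour findings) for each event with any finding."""
    results = []
    for i, ev in enumerate(events):
        h, b = hash_findings(ev), behaviour_findings(ev)
        if h or b:
            results.append((i, h, b))
    return results


if __name__ == "__main__":
    for idx, h, b in hunt(EVENTS):
        print(f"event {idx}: ioc={h} behaviour={b}")
```

Event 1 is caught both ways, but event 2, the recompiled copy, is invisible to the hash check and still trips both behavioural checks; event 3 is flagged only because its name is a near miss for a real binary. The baseline dictionaries are the part a real team would build from its own environment, which is exactly the "understanding normal deeply" that the episode describes.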
Why you should listen
This episode matters because it cuts through cybersecurity buzzwords and gets back to something real: how defenders actually find threats in messy, imperfect, real-world environments.
If you are a SOC analyst, it will give you a clearer framework for understanding the value of intelligence-led hunting. If you are a CISO or IT leader, it will help you think more realistically about where automation helps and where human expertise is still necessary. If you are a business leader, it will help you understand why threat intelligence and threat hunting are not optional extras, but essential parts of resilience in a world where attackers are patient, adaptive, and increasingly specialized.
Listen now to hear Louis Zezeran and Piotr Czopik unpack the reality of threat hunting, the role of Recorded Future, and the practical ways intelligence can help organizations detect what others miss.
Visit our website for more episodes, insights, and cybersecurity expertise from NEVERHACK Estonia. And if you want more conversations like this, subscribe to the NEVERHACK Estonia Cybercast and stay tuned for future episodes.