Threat hunting often fails less because of tooling and more because of weak framing. When the available time window is short, the ability to form and refine a credible hypothesis matters more than adding one more dashboard or data source.
This work examined how cyber threat intelligence, existing incident context, and operational constraints can be combined into a faster hypothesis-generation process. The goal was not just to create a theory-heavy model, but to improve practical investigative efficiency.
It reflects a pattern that runs through a lot of my work: take an activity that is usually treated as loosely intuitive, then make its reasoning more explicit and reusable.