Red Teaming and Threat Hunting are disciplines that, when present in an organization, can signify the maturity of its cybersecurity program. While one simulates attacks to test defenses, the other investigates signs of malicious activity that may have gone unnoticed. But what happens when these actions are based on generic assumptions or purely theoretical threats?
The answer: wasted effort.
This is where the discipline of Cyber Threat Intelligence (CTI) comes in, contributing the real tactics, techniques, and procedures (TTPs) of active adversaries. CTI turns poorly substantiated simulations into relevant tests and gives hunting activities the context that makes them purposeful investigations. Real-world intelligence guides your investments, resulting in a true reduction of risk.
Uniting Forces: Red Team, Threat Hunting, and CTI
All three disciplines share a common goal: to understand and counter adversary behavior. Bringing them together produces far better results than any of them working alone.
This integration breaks down silos and creates a direct line between what the adversary is doing out there and what security teams should be testing and looking for internally.
Real TTPs: The Link Between Intelligence and Action
TTPs—Tactics, Techniques, and Procedures—are the most concrete way to represent an adversary’s behavior. They help us understand how and with what tools adversaries operate.
Today, MITRE ATT&CK is the primary knowledge base on TTPs, something like the periodic table of elements. Just as the periodic table helps us understand the composition of molecules, MITRE ATT&CK helps us understand the many possible combinations of techniques in an attack. The analogy has two limits: ATT&CK catalogues several hundred techniques and sub-techniques, far more than the periodic table has elements, and TTPs change over time, so ATT&CK must be updated continually.
For example, when explaining the behavior of the adversary APT29 (ATT&CK group G0016), one might document that, among its procedures, it abuses the schtasks.exe binary. This is part of the technique documented as “Scheduled Task/Job” (T1053), specifically the “Scheduled Task” sub-technique (T1053.005), which involves abusing the operating system’s task scheduling mechanism. This technique falls under the “Persistence” tactic (TA0003), which groups the various ways an adversary can remain active on a device even after a reboot; ATT&CK also lists it under the “Execution” and “Privilege Escalation” tactics, since a scheduled task can serve all three goals.
By guiding activities with CTI findings and using this “language” of TTPs across teams, Red Team and Threat Hunting activities become based on real cases. Security ceases to be generic and becomes specific, contextualized, and effective.
CTI Enriching the Red Team
Based on TTPs documented in MITRE ATT&CK and analyses of active campaigns, the intelligence team can build adversary profiles. With this, the Red Team can:
The result? Tests that push for evolution not only in technology security but also help improve processes and organizational readiness.
CTI Powering Threat Hunting
On the defensive side, threat intelligence provides actionable hypotheses for proactive investigations, such as:
By guiding searches based on known TTPs and ongoing campaigns, hunting becomes intentional and measurable.
A Practical Scenario
Imagine the CTI team identifies an active campaign using the Vidar infostealer, installed via another malware called FakeBat. The Red Team sets up a scenario simulating the delivery and data extraction based on this vector. Threat Hunting, in turn, creates queries to identify communications with related domains, execution of obfuscated binaries, and the creation of temporary files in directories commonly used by infostealers. Each team acts independently but is driven by the same real threat. This generates cross-functional learning, control evolution, and a strengthened security posture.
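To make the scenario above concrete, here is an added example (not Resonant’s tooling and not code from this page) of how a hunting team can turn CTI findings into ATT&CK-tagged hypotheses and run them over endpoint telemetry. It covers both the schtasks.exe procedure discussed earlier (T1053.005) and the infostealer scenario: execution from the user’s Temp directory and DNS lookups of domains supplied by CTI. All events, hostnames, paths and the domain list are constructed for illustration; the domain is a reserved `.invalid` placeholder, not real Vidar or FakeBat infrastructure.

```python
"""Added example: CTI-driven hunting hypotheses run over constructed telemetry.

Not Resonant's code. Events, hosts, paths and IOC domains are made up.
"""
import re
from dataclasses import dataclass

# Constructed Sysmon-like telemetry (values invented for the example).
EVENTS = [
    {"type": "process", "host": "ws01", "user": "alice",
     "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\setup_update.exe",
     "cmdline": r'schtasks.exe /create /sc onlogon /tn "Updater" /tr C:\Users\alice\AppData\Local\Temp\upd.exe'},
    {"type": "process", "host": "ws01", "user": "SYSTEM",
     "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"schtasks.exe /query /tn \Microsoft\Windows\Defrag\ScheduledDefrag"},
    {"type": "process", "host": "ws02", "user": "bob",
     "image": r"C:\Users\bob\AppData\Local\Temp\7zS4F1.tmp\installer.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "installer.exe /S"},
    {"type": "dns", "host": "ws02", "query": "cdn-update-check.invalid"},
    {"type": "dns", "host": "ws02", "query": "www.microsoft.com"},
]

# Constructed IOC list as CTI would hand it over (placeholder, not real infrastructure).
CTI_DOMAINS = {"cdn-update-check.invalid"}

# Parents from which schtasks /create is expected on a normal workstation.
TRUSTED_PARENT_PREFIXES = (r"c:\windows\system32\\", r"c:\program files")
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


@dataclass
class Hit:
    technique: str   # ATT&CK ID the hypothesis is tied to
    hypothesis: str  # what the analyst is looking for
    host: str
    evidence: str


def hunt_scheduled_task(events):
    """T1053.005: schtasks.exe /create launched by a parent outside trusted locations."""
    hits = []
    for e in events:
        if e["type"] != "process" or not e["image"].lower().endswith("schtasks.exe"):
            continue
        if "/create" not in e["cmdline"].lower():
            continue
        parent = e["parent"].lower().replace("\\\\", "\\")
        if parent.startswith(tuple(p.replace("\\\\", "\\") for p in TRUSTED_PARENT_PREFIXES)):
            continue
        hits.append(Hit("T1053.005", "schtasks /create from non-system parent",
                        e["host"], e["cmdline"]))
    return hits


def hunt_temp_execution(events):
    """T1204.002: a binary executed out of the user's Temp directory, a common
    staging location for installer-delivered infostealers."""
    return [Hit("T1204.002", "process image under AppData\\Local\\Temp", e["host"], e["image"])
            for e in events
            if e["type"] == "process" and USER_TEMP.search(e["image"])]


def hunt_cti_domains(events, domains):
    """T1071: DNS lookups of domains reported by CTI for the active campaign."""
    return [Hit("T1071", "lookup of CTI-reported domain", e["host"], e["query"])
            for e in events
            if e["type"] == "dns" and e["query"].lower() in {d.lower() for d in domains}]


def run_hunts(events, domains=CTI_DOMAINS):
    """Run every hypothesis and return the combined findings."""
    return hunt_scheduled_task(events) + hunt_temp_execution(events) + hunt_cti_domains(events, domains)


if __name__ == "__main__":
    for h in run_hunts(EVENTS):
        print(f"[{h.technique}] {h.host}: {h.hypothesis} -> {h.evidence}")
```

Each hypothesis carries the ATT&CK ID it tests, so a hit can be reported back to CTI and the Red Team in the same vocabulary, and a hypothesis that never fires against real telemetry can be questioned rather than left to run forever.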
Concrete Benefits of Integration
✅ More relevant Red Teams: Their attacks simulate real adversaries, not just generic vulnerabilities.
✅ More targeted hunting: Searches are based on threats with a real probability of occurrence.
✅ Fewer false positives: Analysts investigate with context, not just signatures.
✅ A culture of collaboration: CTI ceases to be an isolated report and becomes a valuable input for the entire team.
How to Start
How Resonant Can Help
The intelligence generated by Resonant’s CTI keeps this crucial loop running, which is essential for integrating your Red Team and Threat Hunting personnel. We can transform the Red Team into more than a purely technical exercise and Threat Hunting into more than a shot in the dark.
When you base your actions on the TTPs of a real adversary, your defense stops being passive and becomes proactively threat-oriented.
Are you testing and hunting for real threats or operational ghosts? Talk to the Resonant team and discover how to turn noise into practical action.