otrf/threathunter-playbook

4,551 · Python
Audience · ops, devops
Complexity · 2/5
Setup · easy

TLDR

An open-source reference library of threat hunting techniques mapped to MITRE ATT&CK, with Jupyter notebooks you can run in a browser to practice detections against pre-recorded data without a live lab.

Mindmap

mindmap
  root((repo))
    What it does
      Hunt documentation
      Detection examples
      ATT&CK mapping
    Format
      Jupyter notebooks
      Runnable in browser
      Pre-recorded datasets
    Structure
      Tactics and techniques
      Threat hypotheses
      Query examples
    Use cases
      Security training
      Hunt planning
      Detection engineering
Things people build with this

USE CASE 1

Run a notebook in your browser to see how a specific MITRE ATT&CK technique is detected without setting up a lab.

USE CASE 2

Use the playbook as a template to write your own threat hunting procedures that map to ATT&CK.

USE CASE 3

Study pre-written detection queries for specific attacker techniques to build or improve security monitoring rules.

USE CASE 4

Use the AI-assisted workflow structure to plan and document a hunt before running it in a real environment.

Tech stack

Python, Jupyter

Getting it running

Difficulty · easy · Time to first run · 5 min

Notebooks can be run directly in a browser via Binder with no local installation required.

Published under an open-source license, see the repository for the specific terms.

In plain English

The Threat Hunter Playbook is an open-source reference project for cybersecurity professionals who do threat hunting, meaning they actively look for signs of attackers inside a network rather than waiting for alerts to fire. The project documents how to plan a hunt, what to look for, and how to write up findings in a way that others can learn from and reuse.

All of the content is organized around the MITRE ATT&CK framework, which is a widely used public catalogue of tactics and techniques that attackers use after they have already broken into a system. By mapping each hunt to that catalogue, the playbook keeps its coverage consistent and comparable across different teams.

The hunt documents are written as Jupyter notebooks, which are files that mix plain explanations, data analysis code, and query examples in one place. These notebooks are designed to be executable: you can run them against pre-recorded security datasets to see how a detection works without needing a live environment. A cloud-based service called Binder lets you open and run them directly in a browser without installing anything.

The project is in a transition period where it is adding AI-assisted workflow support. The idea is not to hand hunting over to AI but to use it to help structure the planning stage, where a hunter defines what they are looking for, what data sources are relevant, and what a suspicious pattern would look like. A companion system called Agent Skills packages those reasoning steps into explicit workflows that both humans and AI tools can follow.

The project is community-driven, maintained primarily by two security researchers, and published under an open-source license. Full documentation lives at threathunterplaybook.com.

Copy-paste prompts

Prompt 1
I want to practice detecting lateral movement techniques from MITRE ATT&CK. Help me find the right Threat Hunter Playbook notebook and explain what it checks for.
Prompt 2
I want to write a new threat hunting playbook entry for a specific ATT&CK technique. Help me structure it using the same format as the existing notebooks.
Prompt 3
The Threat Hunter Playbook mentions AI-assisted planning with Agent Skills. Help me design a workflow where I describe a hunting hypothesis and the AI structures it into a formal hunt plan.
Prompt 4
Show me how to open and run a Threat Hunter Playbook notebook using Binder so I can practice without installing anything locally.