AI Summary
This study addresses the limitations of existing threat hunting tools in supporting cognitive externalization, clue organization, and cross-session continuity, which hinder effective collaboration and reasoning among threat hunters. Building upon prior research on mental model construction and sharing, the authors propose six design heuristics to evaluate the cognitive support capabilities of threat hunting tools. Guided by these heuristics, they developed and implemented a prototype system, Threat Hunter Board. Employing the design science research paradigm and cognitive walkthroughs, the development and preliminary evaluation demonstrate the tool's feasibility in enhancing cognitive and collaborative workflows. This work lays the groundwork for future empirical studies with professional users.
Abstract
Cybersecurity increasingly relies on threat hunters to proactively identify adversarial activity, yet the cognitive work underlying threat hunting remains underexplored or insufficiently supported by existing tools. Building on prior studies that examined how threat hunters construct and share mental models during investigations, we derived a set of design propositions to support their cognitive and collaborative work. In this paper, we present the Threat Hunter Board, a prototype tool that operationalizes these design propositions by enabling threat hunters to externalize reasoning, organize investigative leads, and maintain continuity across sessions. Using a design science paradigm, we describe the solution design rationale and artifact development. In addition, we propose six design heuristics that form a solution-evaluation framework for assessing cognitive support in threat hunting tools. An initial evaluation using a cognitive walkthrough provides early evidence of feasibility, while future work will focus on user-based validation with professional threat hunters.