This study addresses the lack of systematic understanding of threat hunters’ cognitive processes in cybersecurity. Through participatory observation and semi-structured interviews, we conducted a qualitative empirical investigation—yielding the first evidence-based cognitive evolution model for threat hunting. The model characterizes how analysts dynamically construct and iteratively refine mental models during real-world operations. From our data, we distilled 23 core human-factor requirements, which informed five actionable, human–machine collaboration design principles for security analytics tools. Our work bridges a critical gap in threat hunting human factors research and provides both a theoretical foundation and practical guidelines for developing next-generation, cognition-centered security analysis systems.

With security threats increasing in frequency and severity, it is critical that we consider the important role of threat hunters. These highly-trained security professionals learn to see, identify, and intercept security threats. Many recent works and existing tools in cybersecurity are focused on automating the threat hunting process, often overlooking the critical human element. Our study shifts this paradigm by emphasizing a human-centered approach to understanding the lived experiences of threat hunters. By observing threat hunters during hunting sessions and analyzing the rich insights they provide, we seek to advance the understanding of their cognitive processes and the tool support they need. Through an in-depth observational study of threat hunters, we introduce a model of how they build and refine their mental models during threat hunting sessions. We also present 23 themes that provide a foundation to better understand threat hunter needs and suggest five actionable design propositions to enhance the tools that support them. Through these contributions, our work enriches the theoretical understanding of threat hunting and provides practical insights for designing more effective, human-centered cybersecurity tools.