Vigil Security

Threat hunting for Portuguese SMEs — what it is and when you need it

Most SMEs have antivirus; almost none do threat hunting. What it is, when an SME crosses from "antivirus is enough" to "I need more", and how to get the capability without building an in-house SOC.

Quick answer: Threat hunting is the active search for attackers already inside your network that reactive tools (antivirus, EDR) missed. An SME needs it when operating in a regulated sector (NIS2 EE/EI), holding high-value assets, or after a first incident. It cuts median dwell time from over 80 days to under 10.

Most Portuguese SMEs have antivirus. Some have EDR. Almost none do threat hunting. And it isn't for lack of need — the CNCS Risks & Conflicts 2025 report documents a clear rise in sophisticated attacks that deliberately evade reactive tools. Threat hunting is the answer to that kind of threat: actively searching for what nobody has detected yet.

This guide explains what threat hunting actually is, when an SME crosses from "antivirus is enough" to "I need more", and how to acquire the capability without standing up an in-house SOC.

Antivirus reacts. Threat hunting searches.

The mental difference between reactive and proactive tooling is simple but often misunderstood.

Antivirus / traditional EDR reacts. It compares files and behaviours against a known-threat database (signatures, hashes, behavioural patterns). When there's a match, it alerts or blocks. It's excellent at what it knows. It's blind to what it doesn't.

Threat hunting searches. It starts from the opposite premise: assume attackers already have a foothold and haven't been detected. Instead of waiting for an alert, it investigates weak signals — an unusual outbound connection to a foreign IP, a service account logging in outside business hours, a legitimate process (PowerShell, certutil) behaving atypically. Hunters generate hypotheses ("an attacker who persisted via scheduled task would communicate like this — would we see it?"), look for evidence, and investigate.

This difference matters because the most dangerous attackers know how to evade reactive tooling. In real incidents investigated in Portugal in 2024-2025, the median time between initial compromise and detection (dwell time) was over 80 days when the only defence was reactive. In organisations with active threat hunting, this drops below 10 days.

In 80 days, an attacker moves laterally, catalogues data, escalates privileges, installs redundant persistence, and prepares exfiltration or ransomware. In 10 days, they rarely move past the initial foothold.

The 3 modes of threat hunting

It's not a single activity — there are three distinct modes, each suited to different use cases.

1. Structured (hypothesis-driven). The hunter starts from a specific hypothesis based on known tactics (MITRE ATT&CK). Example: "If an attacker used Mimikatz to extract credentials, there should be anomalous access to lsass.exe in the last 30 days." They investigate logs, find or fail to find evidence, document. The most systematic mode and the one that scales best.

2. Situational (intelligence-driven). The hunter receives a threat-intelligence indicator (IoC) — an IP, hash, domain — associated with a known actor operating in their sector. They investigate whether evidence of that indicator exists in the network. Example: "CNCS published IoCs for a campaign against Portuguese retail; let's check everything that talked to those domains in the last 60 days."

3. Anomaly-driven. The hunter investigates signals that deviate from baseline normal — without a pre-formed hypothesis, but with instinct. Example: "This service account normally makes 200 requests/day; yesterday it made 12,000. Why?" The hardest mode to automate, and the one most dependent on experience.

In practice, mature programs combine all three. SMEs starting out tend to focus on mode 2 (cheaper, best effort/value ratio) and expand into 1 and 3 as they mature.
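The three modes above, as one added example that is not part of the original article: a structured hunt for the lsass.exe hypothesis, a situational hunt that matches an IoC list against DNS logs over a 60-day window, and an anomaly hunt that compares a service account's latest daily request count against its own baseline. All log lines, the IoC domains, the process allow-list and the thresholds are constructed for illustration; a real run reads the same fields from the EDR or SIEM.

```python
"""Three threat-hunting modes run over constructed sample logs.

Added example, not the article's own code. Log lines, IoC list, process
allow-list and thresholds are all constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import statistics

# Constructed endpoint-telemetry events: (timestamp, host, source process, target process)
PROCESS_ACCESS_EVENTS = [
    ("2025-03-01T09:12:00", "WS-014", "MsMpEng.exe", "lsass.exe"),
    ("2025-03-02T03:41:00", "WS-014", "powershell.exe", "lsass.exe"),
    ("2025-03-02T09:00:00", "SRV-DC1", "lsass.exe", "svchost.exe"),
    ("2025-03-03T10:22:00", "WS-022", "rundll32.exe", "lsass.exe"),
]

# Processes that legitimately touch lsass.exe (constructed allow-list; a real one is
# built per environment, e.g. from the installed EDR/AV agent).
LSASS_ALLOWED = {"MsMpEng.exe", "csrss.exe", "wininit.exe"}

# Constructed DNS/proxy log: (timestamp, host, destination domain)
DNS_EVENTS = [
    ("2025-01-15T12:00:00", "WS-014", "update.microsoft.com"),
    ("2025-02-20T22:13:00", "WS-031", "cdn-status-check.example"),
    ("2025-03-01T22:14:00", "WS-031", "cdn-status-check.example"),
    ("2024-11-02T08:00:00", "WS-005", "cdn-status-check.example"),
]

# Constructed IoC feed (placeholder domains, not real indicators)
IOC_DOMAINS = {"cdn-status-check.example", "invoice-portal.example"}

# Constructed per-day request counts for two service accounts (oldest first)
DAILY_REQUESTS = {
    "svc-backup": [198, 205, 190, 210, 202, 199, 207, 12000],
    "svc-monitor": [1500, 1480, 1520, 1510, 1495, 1505, 1490, 1500],
}

# Fixed "now" so the look-back windows are reproducible
NOW = datetime(2025, 3, 4)


def hunt_structured(events, allowed, days=30, now=NOW):
    """Mode 1: hypothesis 'credentials were dumped from lsass.exe'. Return every
    non-allow-listed process that accessed lsass.exe inside the look-back window."""
    cutoff = now - timedelta(days=days)
    hits = []
    for ts, host, src, target in events:
        if target == "lsass.exe" and src not in allowed and datetime.fromisoformat(ts) >= cutoff:
            hits.append((host, src, ts))
    return hits


def hunt_situational(events, iocs, days=60, now=NOW):
    """Mode 2: which hosts contacted IoC domains inside the look-back window,
    as {domain: sorted list of hosts}. Old sightings outside the window are dropped."""
    cutoff = now - timedelta(days=days)
    matches = defaultdict(set)
    for ts, host, domain in events:
        if domain in iocs and datetime.fromisoformat(ts) >= cutoff:
            matches[domain].add(host)
    return {domain: sorted(hosts) for domain, hosts in matches.items()}


def hunt_anomaly(daily_counts, factor=5.0):
    """Mode 3: flag accounts whose latest daily count exceeds `factor` times the
    median of the preceding days (the baseline). Returns {account: (baseline, latest)}."""
    flagged = {}
    for account, counts in daily_counts.items():
        baseline = statistics.median(counts[:-1])
        latest = counts[-1]
        if baseline > 0 and latest > factor * baseline:
            flagged[account] = (baseline, latest)
    return flagged


if __name__ == "__main__":
    print("structured :", hunt_structured(PROCESS_ACCESS_EVENTS, LSASS_ALLOWED))
    print("situational:", hunt_situational(DNS_EVENTS, IOC_DOMAINS))
    print("anomaly    :", hunt_anomaly(DAILY_REQUESTS))
```

Each function returns the evidence (or an empty result) rather than an alert, which matches how a hunt is documented: the hypothesis, the window, and what was or was not found. The median baseline in the anomaly hunt is deliberately robust to a single earlier spike; a mean would be pulled up by it and could mask the next one.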

When an SME needs threat hunting

There are red flags that indicate antivirus + EDR is no longer enough:

  • Regulated sector (NIS2 EE/EI, banking, healthcare, critical infrastructure). DL 125/2025 doesn't use the term "threat hunting", but the CNCS framework's "Substantial" level requires continuous monitoring and anomalous-behaviour detection — which in practice means hunting.
  • High-value assets. Intellectual property, payment-card data (PCI-DSS), clinical data (GDPR), financial data (DORA). The cost of a silent exfiltration far exceeds the cost of hunting.
  • Critical supply chain. If you serve clients in regulated sectors, they will demand evidence of advanced detection capability. Hunting is the defensible answer.
  • You've already had an incident. After the first serious incident, hunting stops being optional. Leadership wants to know whether other attackers are still on the network — and that question only gets answered through hunting.
  • Size > 100 employees or > €20M turnover. From this size, the attack surface is too large to rely exclusively on reactive detection.

If none of this applies, threat hunting may be overkill. Antivirus + EDR + tested backups + MFA cover most of the risk for a small, non-regulated SME without especially attractive assets.

The metrics that matter

Three central metrics for evaluating a threat-hunting program:

  • MTTD (Mean Time to Detect). Median time between initial compromise and detection. In organisations without hunting, median 80+ days. With mature hunting, below 10 days.
  • MTTR (Mean Time to Respond). Median time between detection and containment. Good hunting identifies not only the entry point but the full blast radius — which accelerates response.
  • Dwell time. Total time an attacker spends on the network before being expelled. Combines MTTD + eradication time. The metric that best reflects real risk.

Beware of vanity metrics. "Number of alerts investigated" says little — it may mean lots of false positives. "Number of hunting queries created" says even less. Focus on MTTD and dwell time.
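To make the three definitions concrete, here is an added example (not the article's own code) that computes MTTD, MTTR and dwell time from incident records. The incidents and their four dates are constructed; the record layout (compromise, detected, contained, eradicated) is an assumption about how a post-incident review might capture them. As in the article, each metric is reported as a median in days.

```python
"""MTTD, MTTR and dwell time from constructed incident records.

Added example, not the article's own code. Dates are constructed; the field
names are an assumed record layout for a post-incident review.
"""
from datetime import date
import statistics

# Constructed incident records. The compromise date is usually reconstructed
# forensically after the fact, which is why dwell time is only known in hindsight.
INCIDENTS = [
    {"id": "INC-001", "compromise": date(2024, 1, 3), "detected": date(2024, 4, 2),
     "contained": date(2024, 4, 5), "eradicated": date(2024, 4, 20)},
    {"id": "INC-002", "compromise": date(2024, 6, 10), "detected": date(2024, 6, 14),
     "contained": date(2024, 6, 15), "eradicated": date(2024, 6, 18)},
    {"id": "INC-003", "compromise": date(2024, 9, 1), "detected": date(2024, 11, 25),
     "contained": date(2024, 11, 27), "eradicated": date(2024, 12, 10)},
]


def days_between(start, end):
    """Whole days from start to end."""
    return (end - start).days


def incident_breakdown(incident):
    """Per-incident figures: detection delay, response delay, and total dwell time."""
    return {
        "id": incident["id"],
        "ttd": days_between(incident["compromise"], incident["detected"]),
        "ttr": days_between(incident["detected"], incident["contained"]),
        # Dwell time runs from first foothold to eradication, not just to detection.
        "dwell": days_between(incident["compromise"], incident["eradicated"]),
    }


def hunting_metrics(incidents):
    """Programme-level metrics as medians in days across all incidents."""
    rows = [incident_breakdown(i) for i in incidents]
    return {
        "mttd_days": statistics.median(r["ttd"] for r in rows),
        "mttr_days": statistics.median(r["ttr"] for r in rows),
        "dwell_days": statistics.median(r["dwell"] for r in rows),
    }


if __name__ == "__main__":
    for i in INCIDENTS:
        print(incident_breakdown(i))
    print(hunting_metrics(INCIDENTS))
```

The per-incident breakdown is what makes the programme-level number actionable: a median dwell of 100 days hides that INC-002 was closed in 8 days while the other two sat undetected for roughly three months.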

In-house vs managed: what changes in practice

Building internal hunting capability is expensive and slow. To run 24/7 (which NIS2 effectively requires for EEs), you need at least:

  • 6 analysts on rotation. 3 shifts × 2 analysts, with coverage for holidays, training, sickness.
  • Tooling. SIEM (€30k–€100k/year), enterprise-grade EDR (€20k–€80k/year), threat-intel feeds (€10k–€30k/year), optional SOAR platform.
  • Sector-specific threat intelligence. Expensive, with a learning curve.
  • Process, runbooks, playbooks. 6 to 12 months to mature.

Total cost of ownership for a functional in-house SOC runs €500k–€1M/year for an SME with 100–250 employees. Unviable for most.

The alternative is an MSSP. An MSSP with a dedicated SOC and hunting team distributes those costs across dozens of clients, delivering the same capability for €1,500–€8,000/month — a fraction of the cost. The real trade-off is a layer of abstraction: external hunters don't know your organisation as well as an internal team would, and depend on good communication and solid onboarding to be effective.

The hybrid model — small internal team (1-2 people in business hours) + MSSP for 24/7 and advanced hunting coverage — tends to be the best compromise for SMEs with 100–500 employees in regulated sectors.

Threat hunting + NIS2: which controls it satisfies

For SMEs in NIS2 scope, threat hunting contributes directly to compliance with several Article 27 controls:

  • Control 2 (incident management): hunting accelerates detection, which is what makes the 24-hour CNCS notification deadline achievable in practice.
  • Control 6 (network security and monitoring): hunting is the active form of this control; it satisfies the implicit "continuous monitoring" requirement at the "Substantial" level.
  • Control 9 (vulnerability management): hunting frequently discovers exploited vulnerabilities that scanners didn't detect.

It is not legally mandatory to implement threat hunting per se — there is choice in how to satisfy these controls. But for EEs in critical sectors, it's the most defensible form and the one that best demonstrates "due care" before the CNCS in a post-incident scenario.

How to start without standing up an in-house SOC

For an SME that decides to move forward:

  1. Run an honest inventory. Which systems are critical? What high-value data exists? What tooling is in place (EDR, SIEM, centralised logs)? Without this, hunting has no foundation.
  2. Choose an MSSP with real hunters. There's a real difference between MSSPs that only do alert triage and those with structured hunting capability. Ask: "What was the last sophisticated attack you detected via hunting that didn't come from an automated alert?"
  3. Define initial scope. Hunting across all endpoints + critical servers is a good starting point. Add cloud workloads and identity in the second quarter.
  4. Establish baseline metrics. Measure MTTD and dwell time from day 1. Without a baseline, there's no measurable improvement.
  5. 4–8 week onboarding. Hunters need to learn your network, identify critical systems, map VIP users, understand normal patterns before they can detect anomalies.
  6. Quarterly review. Hunting use cases evolve with the threat landscape. Meet with the MSSP every 3 months to review hypotheses, metrics, and adjustments.

Well-implemented threat hunting pays for itself on the first significant detection. The return rarely shows in month 1 — it becomes obvious when, in month 6 or 9, an incident is caught in days that would have taken months.


Simão Ribeiro

Founder of Vigil Security. 24/7 SOC, threat hunting and NIS2 compliance for Portuguese SMEs.