NIST 800-53 r5 · Controls catalogue · Family RA
RA-10 Threat Hunting
a. Establish and maintain a cyber threat hunting capability to:
   1. Search for indicators of compromise in organizational systems; and
   2. Detect, track, and disrupt threats that evade existing controls; and
b. Employ the threat hunting capability [Assignment: organization-defined frequency].
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (8)
- T1068 Exploitation for Privilege Escalation (Privilege Escalation)
- T1190 Exploit Public-Facing Application (Initial Access)
- T1195 Supply Chain Compromise (Initial Access)
- T1195.001 Compromise Software Dependencies and Development Tools (Initial Access)
- T1195.002 Compromise Software Supply Chain (Initial Access)
- T1210 Exploitation of Remote Services (Lateral Movement)
- T1211 Exploitation for Defense Evasion (Defense Evasion)
- T1212 Exploitation for Credential Access (Credential Access)
Weaknesses this control addresses (7)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control helps detect and disrupt exploitation of each weakness class after preventive controls have been bypassed.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 10,204 | Hunting tracks data exfiltration or unauthorized disclosure of sensitive information as a key threat indicator. |
| CWE-284 | Improper Access Control | 4,832 | Threat hunting directly searches for indicators of unauthorized access or control violations that bypassed preventive mechanisms. |
| CWE-287 | Improper Authentication | 4,730 | Hunting detects anomalous authentication patterns or successful bypasses that allow persistent unauthorized entry. |
| CWE-269 | Improper Privilege Management | 2,907 | Privilege abuse or escalation attempts are detectable via indicators that threat hunting is designed to surface. |
| CWE-798 | Use of Hard-coded Credentials | 1,955 | Anomalous use of hard-coded credentials (for example, a service account authenticating from an unexpected host) can be uncovered through behavioral and log analysis during hunts. |
| CWE-506 | Embedded Malicious Code | 80 | Embedded malicious code and backdoors are indicators of compromise that a hunt searches for in organizational systems. |
| CWE-912 | Hidden Functionality | 79 | Hunting identifies hidden functionality used for persistence or evasion after initial compromise. |
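The CWE-287 and CWE-798 rationales above describe the kind of hypothesis-driven log analysis a hunt runs. The following is an added example, not part of this catalogue page or of NIST's text: two small hunt queries over constructed authentication log lines (the key=value log format, the account names, IP addresses and the service-account host baseline are all assumptions made for the example). Hunt 1 flags a successful logon that follows a burst of failures from the same source (a brute-force or spray attempt that got in); hunt 2 flags a service account authenticating from a host outside its known baseline (a hard-coded or stolen credential replayed from a new machine).

```python
"""Two threat-hunting queries run over constructed authentication logs.

Hunt 1: a successful logon for a (user, source) pair preceded by at least
        min_failures failures inside a short window.
Hunt 2: a service account authenticating from a host not in its baseline.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data); the key=value format is assumed.
SAMPLE_LOG = """\
2026-05-01T08:00:01Z user=alice src=10.0.1.10 result=success
2026-05-01T08:00:05Z user=bob src=10.0.1.11 result=failure
2026-05-01T08:00:06Z user=bob src=10.0.1.11 result=success
2026-05-01T09:12:00Z user=svc_backup src=10.0.2.20 result=success
2026-05-01T09:13:00Z user=svc_backup src=10.0.2.20 result=success
2026-05-01T22:30:00Z user=carol src=203.0.113.7 result=failure
2026-05-01T22:30:02Z user=carol src=203.0.113.7 result=failure
2026-05-01T22:30:04Z user=carol src=203.0.113.7 result=failure
2026-05-01T22:30:06Z user=carol src=203.0.113.7 result=failure
2026-05-01T22:30:08Z user=carol src=203.0.113.7 result=failure
2026-05-01T22:30:11Z user=carol src=203.0.113.7 result=success
2026-05-02T03:05:00Z user=svc_backup src=198.51.100.9 result=success
"""

# Assumed baseline: the hosts each service account is expected to authenticate from.
SERVICE_ACCOUNT_BASELINE = {"svc_backup": {"10.0.2.20"}}


def parse_events(text):
    """Parse key=value log lines into dicts, adding a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *pairs = line.split()
        ev = dict(p.split("=", 1) for p in pairs)
        ev["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def hunt_success_after_failures(events, min_failures=5, window=timedelta(minutes=5)):
    """Flag a success whose (user, src) pair had >= min_failures failures within window."""
    failures = defaultdict(list)
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        if ev["result"] == "failure":
            failures[key].append(ev["ts"])
            continue
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= min_failures:
            findings.append({"user": ev["user"], "src": ev["src"],
                             "failures": len(recent), "ts": ev["ts"]})
        failures[key].clear()  # a success ends the current attempt sequence
    return findings


def hunt_new_source_for_service_account(events, baseline):
    """Flag service-account logons from hosts outside that account's baseline."""
    findings = []
    for ev in events:
        allowed = baseline.get(ev["user"])
        if allowed is not None and ev["src"] not in allowed:
            findings.append({"user": ev["user"], "src": ev["src"], "ts": ev["ts"]})
    return findings


def run_hunts(text=SAMPLE_LOG, baseline=SERVICE_ACCOUNT_BASELINE):
    """Run both hunts over the log text and return their findings by name."""
    events = parse_events(text)
    return {
        "success_after_failures": hunt_success_after_failures(events),
        "new_source_for_service_account": hunt_new_source_for_service_account(events, baseline),
    }


if __name__ == "__main__":
    for hunt, hits in run_hunts().items():
        print(hunt)
        for hit in hits:
            print("  ", hit)
```

On the constructed data, hunt 1 surfaces only carol's logon from 203.0.113.7 (five failures in eleven seconds, then success; bob's single failure stays below the threshold), and hunt 2 surfaces svc_backup's logon from 198.51.100.9. Both are hypotheses to investigate, not confirmed compromise; in practice the baseline would be derived from historical logs rather than hand-written, and the thresholds tuned to the environment.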
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | | | | |