Running queries in a SIEM is a technique. PROWL is a program. The difference is structure — every hunt in PROWL starts with a documented hypothesis grounded in threat intelligence, executes through a defined workflow that captures the full methodology, classifies every outcome in a structured finding record, and contributes to a cumulative coverage map and analytics dataset that measures and improves the program over time. A SIEM query produces a result. PROWL produces institutional knowledge.

A hunt hypothesis is a structured statement that defines what the hunter is looking for, why they believe it might be present, which MITRE ATT&CK technique it targets, and what data sources will be used to investigate it. PROWL guides hypothesis development using the If-Then-Via framework — if this threat actor or technique is present, then this behavior should be observable, via this data source. CIPHER surfaces relevant threat actor TTPs, active campaigns, and recent intelligence hits directly in the hypothesis workspace — giving hunters a targeted starting point grounded in real-world adversary behavior rather than intuition or generic technique libraries.

PROWL connects directly to CIPHER's entity registry and threat actor profiles. When a hunter opens a new hypothesis, CIPHER surfaces relevant threat actors, their known TTPs, their active campaigns, and any recent RSS intelligence hits that suggest increased activity. Threat actor TTPs map directly to MITRE ATT&CK techniques in the hunt hypothesis — giving the hunter a pre-populated starting point that reflects the actual threat landscape. Hunt findings that confirm a known actor's TTP feed back into CIPHER — enriching the entity record with environmental evidence and strengthening the intelligence picture for every future hunt.

PROWL supports five hunt workflow stages — Planning, Active, Findings Review, Published, and No Findings. Each stage has defined inputs and outputs that ensure every hunt produces a complete record regardless of outcome. Planning captures the hypothesis and methodology before execution begins. Active tracks the real-time investigation as it progresses. Findings Review documents and classifies the outcome. Published marks True Positive findings that have been escalated and documented. No Findings marks hunts that found no evidence of the targeted behavior — which is itself a valuable data point for coverage tracking.

Every action taken during a hunt is documented within the hunt record in real time — queries run, data sources accessed, observations made, threads followed and abandoned, and decisions taken at each stage of the investigation. Every note is timestamped and attributed to the analyst who added it. The hunt record builds itself as the work progresses — so any analyst who picks up a hunt in progress starts exactly where the previous analyst left off, and any analyst who reviews a completed hunt can replicate the methodology without asking.

Every hunt in PROWL concludes with a structured classification — True Positive, False Positive, or Inconclusive. True Positive findings capture the full technical detail of what was confirmed — affected systems, observed behaviors, timeline of activity, MITRE technique validated, evidence collected, and analyst confidence assessment. False Positive findings document the reasoning that determined the behavior to be non-malicious. Inconclusive findings capture what was investigated, what was found, and what additional data or access would be needed to reach a definitive conclusion.

A True Positive finding triggers two simultaneous actions. First, the hunter declares an incident directly in SHIELD from within the PROWL finding record — carrying the full hypothesis, all collected evidence, the complete hunt methodology, the confirmed MITRE technique, and the affected systems forward automatically. The response team starts with complete context rather than a blank incident record. Second, PROWL routes a detection engineering request to BLADE — specifying the technique confirmed, the data source that revealed it, and the behavioral indicators that distinguished malicious from benign activity. The finding closes the detection gap that allowed the threat to go undetected.

False Positive findings are documented with the full reasoning that determined the behavior to be non-malicious — preserving the analysis that future analysts won't need to repeat. The finding routes to BLADE as tuning intelligence — specifying the behavior that generated noise and the characteristics that distinguished it from genuine threat activity. False Positives are not wasted hunts. They are documented contributions to the detection engineering program that prevent the same investigation from happening twice.

Every hypothesis and every completed hunt in PROWL carries a MITRE ATT&CK tactic and technique mapping. As hunts are completed, PROWL builds a cumulative coverage map — a live picture of which techniques have been hunted, how recently, how many times, and with what outcome. Techniques that have never been hunted surface as explicit gaps. Techniques that are known TTPs of threat actors in CIPHER are flagged as priority coverage targets. The coverage map connects directly to BLADE — techniques with confirmed findings but no detection rule generate automatic detection engineering requests.

PROWL captures a comprehensive analytics dataset covering the full program — yield rate by analyst and technique family, ATT&CK coverage trends, hypothesis quality scores, hunt velocity, detection impact from BLADE, and intelligence utilization rates. The hunt lead sees the operational picture for program management. The CISO sees the strategic picture for board reporting and investment justification. Both views feed directly into SCOUT's executive reporting layer — turning the work hunters do every day into the evidence leadership needs to demonstrate program maturity without requiring a separate reporting effort to produce it.

Every completed hunt is recorded in the PROWL coverage map with the date, the analyst, and the outcome. When a new hypothesis targets a technique that has recently been hunted, PROWL surfaces the previous hunt record — showing the methodology that was used, the outcome that was produced, and whether the technique has been covered by a detection rule since the last hunt. Hypothesis prioritization deprioritizes recently covered techniques in favor of gaps — ensuring the program expands its coverage rather than circling familiar territory.

Every completed hunt enters the PROWL hunt library — fully documented, fully searchable, and fully available to every analyst on the team. Hunts that produced True Positive findings are tagged as high-value references and surfaced as starting points for future hypothesis development. The methodology, the queries, the data sources, and the indicators that proved most useful are preserved in enough detail to be replicated by any analyst without asking the one who originally ran the hunt. When an experienced hunter leaves the team, everything they documented stays — the program retains the knowledge even when it loses the person.

Yes. Hunt records in PROWL are shared workspaces — every team member can view, contribute to, and track any active hunt in real time. Notes added by one analyst are immediately visible to all others. For complex hunts requiring multiple data source specialists or extended investigation periods, multiple analysts can contribute to the same hunt record concurrently without overwriting each other's work. The full contribution history — every note, every query, every observation, attributed to the analyst who added it — is preserved throughout.

PROWL sits at the proactive edge of the SCOUT operational chain. It draws intelligence from CIPHER to generate targeted hypotheses, escalates True Positive findings directly to SHIELD for incident response, routes detection gaps and tuning intelligence to BLADE for detection engineering improvement, and contributes ATT&CK coverage data to TIME for threat model refinement. Every hunt PROWL completes makes the intelligence, response, detection, and modeling capabilities of the full SCOUT platform stronger — closing the loop between proactive hunting and the reactive and strategic functions that depend on what hunting discovers.

PROWL feeds a comprehensive set of program reports into SCOUT's reporting layer — hunt yield rate by time period and technique family, ATT&CK coverage expansion trend, analyst performance and productivity metrics, detection engineering impact from hunting findings, intelligence utilization rates by source, and hypothesis quality scores. Reports are available on demand or on a scheduled basis and feed directly into SCOUT's executive dashboard — giving CISOs the evidence to demonstrate hunting program maturity, justify continued investment, and brief the board on the proactive security posture the program represents.