Threat Hunter Salary and Cost in 2026
The proactive specialist who finds what alerting missed. Threat hunter fully-loaded cost is $200,000 to $300,000 per FTE per year, justified at 2,500+ employee SOCs by discovered intrusions that would otherwise have run to breach.
Base Salary: $150K - $220K (median US, 5+ years experience)
Fully Loaded: $200K - $300K (per FTE per year)
Annual Discoveries: 4 - 8 (confirmed intrusions found)
What threat hunting is, and what it is not
Threat hunting is hypothesis-driven proactive search. The hunter starts with a question (often informed by threat intelligence, recent incident patterns, or MITRE ATT&CK coverage gaps), translates that question into data queries across SIEM and EDR, executes the queries, and either finds evidence of attacker activity or documents the absence of it. The output is one of three things: a confirmed incident handed to Tier 2/3 for response, a new detection rule (because the hunt revealed a real attacker behaviour that should fire automatically next time), or a documented coverage gap (the hunter could not effectively answer the question because the necessary telemetry was missing or noisy).
What threat hunting is not: it is not Tier 1 alert triage with a fancier title, it is not re-running the SOC's existing detections, and it is not the work of running an EDR console looking for red squares. The distinction matters because organisations that staff a "threat hunter" and then assign them to Tier 2 work get neither hunting nor an effective Tier 2 analyst (the hunter is over-paid for Tier 2 and under-engaged in the role). Real threat hunting requires protected time (typically 60% to 80% of the week) and explicit hypothesis-driven methodology.
The most quoted operational definition comes from SANS and the Threat Hunting Project: hunts should be hypothesis-driven, repeatable (so a hunt that works in week 3 can be re-run in week 27 to detect new occurrences), and outcome-tracked. Mature programmes report on hunts executed per month, hunts resulting in detection content, hunts resulting in incident handoff, hunts resulting in documented gaps, and MITRE ATT&CK technique coverage measured both before and after the hunt cycle.
Cost build and salary data
Threat hunter base salary is concentrated at the high end of the SOC role distribution because the supply pool is small. The BLS OEWS does not isolate threat hunters as a distinct role, but Glassdoor and Levels.fyi data for the specific "Threat Hunter", "Senior Threat Hunter", or "Cyber Threat Analyst" titles cluster at $150,000 to $220,000 base in the US median, with the 90th percentile reaching $250,000 to $280,000 in high-cost metros and at the largest financial-services / defence-industrial-base employers.
Fully loaded cost adds 28% benefits ($42,000 to $62,000), specialised tooling ($15,000 to $30,000 for hunting platforms, threat intel feeds, sandbox access), training and certifications ($8,000 to $20,000 for SANS courses, GIAC certifications, conferences), and manager allocation ($10,000 to $25,000). Total fully-loaded cost lands at $200,000 to $300,000 per FTE per year. The high end reflects high-cost metro positioning, rich tooling, and a generous training budget; the low end reflects a more modest configuration in a lower-cost market.
Regional variance is large. Threat hunters in San Francisco, New York, Washington DC, or Boston routinely command $230,000+ base salary because the demand from large financial-services firms, federal contractors, and big tech absorbs most of the regional supply. Lower-cost metros (Atlanta, Charlotte, Phoenix) land at $130,000 to $170,000 base, with comparable capability. International threat hunters in Dublin, Belfast, or Bucharest come in at around 40% to 60% of US rates.
When to add the role
Threat hunting is a maturity investment. An organisation with an immature alerting layer (high false-positive rate, gaps in basic detection coverage, missing log sources) gets very little incremental value from a threat hunter because the alerting layer is missing the obvious threats that hunting would otherwise catch as side effects. The right sequencing is: detection engineering first (close coverage gaps and reduce noise), then maturity work on the SOC operating model (defined SLAs, clear escalation paths, post-incident review discipline), then threat hunting on top of that foundation.
The typical org-size and timing pattern is: 2,500 to 5,000 employees, 18 to 36 months into a mature SOC programme, after the SANS SOC maturity model assessment lands the SOC at level 3 (managed) or above. Hiring a hunter before reaching that maturity wastes the role's most valuable trait, which is the ability to find attacker activity that alerting missed. If alerting is missing 30% of attacker activity (because of coverage gaps, not because the attackers are subtle), the hunter ends up finding the obvious things alerting should have caught, which is alarming but not the right use of a $250K analyst.
See the SOC maturity model page for the maturity progression and where hunting fits.
ROI math: what does a hunter find?
A mature threat hunting programme at 5,000+ employee scale typically discovers 4 to 8 confirmed intrusions per year that the alerting layer missed. The SANS 2024 Threat Hunting Survey reports that 45% of organisations running formal hunting programmes report 1 to 3 discoveries per quarter, with the higher-frequency band concentrated in financial services and large SaaS. Each discovery typically lands in the "early-stage" phase of an intrusion (initial access, persistence, reconnaissance) rather than at the active-exfiltration or ransomware-deployment phase, which is where the ROI math gets interesting.
The IBM Cost of a Data Breach 2024 reports the average cost of a contained breach at $4.88M and the cost of an uncontained breach 25% to 50% higher. The mean dwell-time reduction from finding an intrusion early is roughly 60 to 90 days, which translates to $1M to $3M of avoided breach cost per discovery. Multiplied by 4 to 8 discoveries per year, the hunter's expected value lands at $4M to $24M annually, against a fully-loaded cost of $200K to $300K. The expected-value math is wildly favourable, with the caveat that the realised benefit only shows up when the hunter actually catches an intrusion that would have gone to breach.
The expected-value math is also wildly variable. A year where the hunter catches zero confirmed intrusions still has positive value (because the hunter built detection content, identified coverage gaps, and improved overall SOC maturity), but the headline ROI number is harder to defend at board level. Organisations that struggle with the ROI conversation often shift to measuring "hunts executed", "MITRE technique coverage improvement", and "detection rules shipped" rather than "intrusions discovered" because the leading indicators are more consistent than the lagging outcome.
Outsourced hunting alternatives
Several MDR providers offer threat hunting as a service component. CrowdStrike Falcon OverWatch is the best-known, pricing at roughly $30 to $80 per endpoint per year incremental to the EDR subscription. For a 5,000-endpoint organisation that is $150K to $400K per year for outsourced hunting. Red Canary, ReliaQuest, and Expel offer similar services at comparable price points.
Outsourced hunting is good for portfolio-level threats: indicators of compromise pulled from MDR-wide telemetry, new TTPs first observed at other customers, vulnerabilities being actively exploited. It is less good for environment-specific threats: insider risk, specific business application abuse, supply-chain anomalies relevant to one customer. Most mature enterprises run both: outsourced hunting for breadth, in-house hunting for depth specific to the environment.
For mid-market organisations that cannot justify an in-house hunter (under 2,500 employees), outsourced hunting via MDR is the right entry point. The economics work: $150K to $300K incremental for a mature outsourced hunting capability is materially cheaper than the $250K fully-loaded in-house hunter plus the maturity investment required to make the in-house role effective.
Updated May 2026. Salary data sourced from Glassdoor and Levels.fyi aggregated salaries, SANS 2024 Threat Hunting Survey, ISC2 2024 Cybersecurity Workforce Study, and IBM Cost of a Data Breach 2024.