Hunt Hypotheses That Survive Cross-Examination
A hypothesis should state what you expect to see, what would disprove it, and how long you will look before pausing. If you cannot name a disproof, you are storytelling.
We ask three prompts: What assumption about attacker behavior is explicit? What benign activity could mimic it? What is the smallest dataset slice that could answer the question? The third prompt prevents “search the universe” spirals.
Time boxing is not laziness; it is respect for analyst calories. Pair every hunt with a visible timer and a scribe. When the timer ends, write negatives with the same care as positives.
Share hunts internally with a short peer red-team. One colleague plays skeptical reviewer for five minutes. The friction is where vague verbs get replaced with observable claims.
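As an added illustration (not from the original post), the three prompts and the time box can be encoded so a hunt cannot start without an expected observation, a benign look-alike, a dataset slice and a disproof, and cannot end without a written negative; the event fields, account names and the 24h slice are constructed for the demo.

```python
"""Hunt hypothesis record with expectation, benign mimic, disproof and time box."""
import time
from dataclasses import dataclass
from typing import Callable, Iterable

Event = dict  # one telemetry record; the fields used below are constructed for the demo

@dataclass
class Hypothesis:
    claim: str                             # explicit attacker-behaviour assumption
    expect: Callable[[Event], bool]        # what we expect to see if the claim holds
    benign_mimic: Callable[[Event], bool]  # benign activity producing the same signal
    dataset_slice: str                     # smallest slice that can answer the question
    disproof: str                          # what a clean slice means
    timebox_seconds: float                 # how long to look before pausing

def run_hunt(h: Hypothesis, events: Iterable[Event], clock: Callable[[], float] = time.monotonic) -> dict:
    """Walk the slice, stop at the time box, and write a negative as carefully as a positive."""
    start, scanned, hits, mimics = clock(), 0, [], []
    for ev in events:
        if clock() - start >= h.timebox_seconds:  # timer ended: pause, do not conclude
            return {"status": "paused", "scanned": scanned, "hits": hits, "mimics": mimics,
                    "note": f"{scanned} events of {h.dataset_slice} checked; timebox hit, unresolved"}
        scanned += 1
        if h.expect(ev):
            (mimics if h.benign_mimic(ev) else hits).append(ev)  # triage look-alikes separately
    status = "supported" if hits else "disproved"
    note = (f"{len(hits)} hit(s) in {h.dataset_slice}" if hits
            else f"{scanned} events of {h.dataset_slice} clean; {h.disproof}")
    return {"status": status, "scanned": scanned, "hits": hits, "mimics": mimics, "note": note}

# Constructed sample slice: process-creation records from one fictional day.
SAMPLE_SLICE = [
    {"parent": "winword.exe", "child": "cmd.exe", "user": "alice"},
    {"parent": "winword.exe", "child": "cmd.exe", "user": "svc-docgen"},  # known automation account
    {"parent": "excel.exe", "child": "excel.exe", "user": "bob"},
    {"parent": "explorer.exe", "child": "cmd.exe", "user": "carol"},
]
OFFICE_APPS = {"winword.exe", "excel.exe"}
AUTOMATION_ACCOUNTS = {"svc-docgen"}  # constructed allow-list of benign mimics

HYPOTHESIS = Hypothesis(
    claim="office documents are being used to launch command shells on workstations",
    expect=lambda e: e["parent"] in OFFICE_APPS and e["child"] == "cmd.exe",
    benign_mimic=lambda e: e["user"] in AUTOMATION_ACCOUNTS,
    dataset_slice="process-creation events, last 24h, workstation hosts",
    disproof="no office-spawned shell outside automation accounts in the slice",
    timebox_seconds=1800,
)
```

Passing a fake clock to `run_hunt` lets you exercise the paused path in a unit test without waiting for the real time box to expire.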