Enriching the existing hypothesis

New indicators identified during a threat hunt may force the modification of the existing threat hunt hypothesis. For example, in the course of a threat hunt for indicators of an Emotet infection, threat hunters uncover the use of the Windows Sysinternals tool PsExec to move laterally in the internal network. From here, the original hypothesis should be changed to reflect this new technique, and any related indicators should be incorporated into the continued threat hunt.

Another option available to threat hunters regarding newly discovered indicators is to begin a new threat hunt, utilizing the new indicators as the initiating event. This action is often leveraged when the indicator or TTP identified falls well outside the original threat hunting hypothesis. It is also an option where multiple hunt teams are available and the new line of inquiry can be handed to one of them. Finally, indicators may also necessitate moving from a threat hunt into incident response. This is often a necessity in cases where data loss, credential compromise, or the infection of multiple systems has occurred. It is up to the hunt team to determine at which point the existing hypothesis is modified, a new hypothesis is created, or, in the worst-case scenario, an incident is declared.
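The PsExec pivot described above can be made concrete as a small hunt helper. The following is an added example, not code from the book: it scans constructed Windows System log and Sysmon events for the default PsExec artifacts (a 7045 service-install event for the PSEXESVC service, and Sysmon 17/18 named-pipe events for \PSEXESVC), groups hits by host, and returns a hunt decision. The decision policy is an assumption made for illustration: any hit enriches the hypothesis with the lateral-movement technique, and hits on three or more hosts (a hypothetical threshold) are treated as "multiple systems infected" and escalated to incident response.

```python
"""Hunt-pivot helper (added example): detect default PsExec artifacts in sample events
and decide whether to enrich the hypothesis or escalate to incident response."""
from collections import defaultdict

# Constructed sample events, not real telemetry. Keys mimic a flattened Windows/Sysmon feed.
SAMPLE_EVENTS = [
    {"host": "WS01", "channel": "System", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"host": "WS01", "channel": "Sysmon", "event_id": 17, "pipe_name": "\\PSEXESVC"},
    {"host": "FS02", "channel": "System", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"host": "FS02", "channel": "Sysmon", "event_id": 18,
     "pipe_name": "\\PSEXESVC-WS01-4412-stdin"},
    {"host": "DC01", "channel": "System", "event_id": 7045,
     "service_name": "Spooler", "image_path": "C:\\Windows\\System32\\spoolsv.exe"},
    {"host": "WS03", "channel": "Sysmon", "event_id": 1,
     "image": "C:\\Windows\\System32\\notepad.exe"},
]


def psexec_indicator(event):
    """Return an indicator label if the event matches a default PsExec artifact, else None.

    Event ID 7045 in the System log records a newly installed service; Sysmon 17/18 record a
    named pipe being created/connected. PsExec's default service and pipe are both named
    PSEXESVC. A renamed service (PsExec -r) would not match, so treat this as a starting
    point for the hunt, not a complete detection rule.
    """
    if event.get("channel") == "System" and event.get("event_id") == 7045:
        if event.get("service_name", "").upper() == "PSEXESVC":
            return "service_install"
    if event.get("channel") == "Sysmon" and event.get("event_id") in (17, 18):
        if event.get("pipe_name", "").upper().startswith("\\PSEXESVC"):
            return "named_pipe"
    return None


def hunt_pivot(events, incident_host_threshold=3):
    """Group PsExec indicators per host and return the next step for the hunt.

    Policy (assumed for illustration): no hits -> keep the hypothesis as is; hits on fewer
    than `incident_host_threshold` hosts -> enrich the hypothesis with the lateral-movement
    technique; hits on that many hosts or more -> multiple systems are involved, declare an
    incident and hand off to incident response.
    """
    hits = defaultdict(list)
    for ev in events:
        label = psexec_indicator(ev)
        if label:
            hits[ev["host"]].append(label)
    hosts = sorted(hits)
    if not hosts:
        decision = "no_change"
    elif len(hosts) >= incident_host_threshold:
        decision = "declare_incident"
    else:
        decision = "enrich_hypothesis"
    return {
        # ATT&CK references for the enriched hypothesis: T1569.002 (Service Execution)
        # and T1021.002 (SMB/Windows Admin Shares), the techniques PsExec relies on.
        "technique": "PsExec lateral movement (T1569.002 / T1021.002)",
        "affected_hosts": hosts,
        "indicators": {h: sorted(set(hits[h])) for h in hosts},
        "decision": decision,
    }


if __name__ == "__main__":
    print(hunt_pivot(SAMPLE_EVENTS))
```

On the constructed sample, two workstations show PsExec artifacts while the Spooler service install on DC01 and the notepad process on WS03 are ignored, so the helper reports "enrich_hypothesis"; lowering the threshold to two hosts flips the decision to "declare_incident", which is the hand-off point the text describes. In practice the threshold, and whether credential compromise or data loss also forces escalation, is a decision for the hunt team rather than a fixed constant.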
