// Turn a signal into testable hunt hypotheses, scope, datasets, and success criteria
Show available THRUNT threat hunting commands and artifact layout
Map available telemetry, query surfaces, tenants, retention windows, and investigation blind spots
Initialize a threat hunting case from a signal, detection, intel lead, or analyst suspicion
Initialize a threat hunting program with an environment map, tool inventory, huntmap, and empty execution directories
Create phase plans for a threat hunt with exact telemetry tasks, receipts, and query outputs
Publish a hunt as a case report, escalation, detection promotion, or leadership summary
| name | hunt-shape-hypothesis |
| description | Turn a signal into testable hunt hypotheses, scope, datasets, and success criteria |
| argument-hint | [signal-or-phase] |
| allowed-tools | Read, Bash, Write, AskUserQuestion, Task |
HYPOTHESES.md, SUCCESS_CRITERIA.md, and HUNTMAP.md remain the source of truth.
Updates:
.planning/HYPOTHESES.md.planning/SUCCESS_CRITERIA.md.planning/HUNTMAP.md.planning/STATE.mdAfter this command: Run /hunt-plan 1 or /hunt-run 1 if plans already exist.
<execution_context> @.github/thrunt-god/workflows/hunt-shape-hypothesis.md @.github/thrunt-god/templates/hypotheses.md @.github/thrunt-god/templates/success-criteria.md @.github/thrunt-god/templates/huntmap.md </execution_context>
Execute the hypothesis-shaping workflow from @.github/thrunt-god/workflows/hunt-shape-hypothesis.md. Drive toward hypotheses that can be proven, disproven, or left explicitly inconclusive.