hunt-run
// Execute a hunt phase with parallel telemetry work, query logging, receipt generation, and optional wave targeting
| Field | Value |
| --- | --- |
| name | hunt-run |
| description | Execute a hunt phase with parallel telemetry work, query logging, receipt generation, and optional wave targeting |
| argument-hint | `<phase> [--wave N] [--gaps-only] [--interactive]` |
| allowed-tools | Read, Bash, Write, Task, AskUserQuestion, WebSearch |
Documented flags are available behaviors, not implied active behaviors.
Treat --wave N, --gaps-only, and --interactive as active only when the literal token appears in $ARGUMENTS.
If none of these tokens appear, run the standard full-phase execution flow.
The execution boundary is the shared THRUNT runtime contract:

- `QuerySpec`
- `thrunt-tools runtime list-connectors`, `thrunt-tools runtime doctor`, `thrunt-tools runtime smoke`, `thrunt-tools pack render-targets`, and `thrunt-tools runtime execute`

`--wave N` executes only a single wave and must not mark the whole phase complete until no incomplete plans remain.
Creates or updates:

- `.planning/QUERIES/*.md`
- `.planning/RECEIPTS/*.md`
- `SUMMARY.md`
- `.planning/STATE.md`
- `.planning/HYPOTHESES.md` when new pivots emerge
- `.planning/HUNTMAP.md` when phase status changes

After this command: Run `/hunt-validate-findings <phase>`.
Active flags must be derived from $ARGUMENTS.
Do not infer that a flag is active just because it is documented in this prompt.
--interactive is active only if the literal --interactive token is present in $ARGUMENTS.
<execution_context>
@.github/thrunt-god/workflows/hunt-run.md
@.github/thrunt-god/templates/query-log.md
@.github/thrunt-god/templates/receipt.md
@.github/thrunt-god/templates/summary-standard.md
</execution_context>
Execute the hunt run workflow from @.github/thrunt-god/workflows/hunt-run.md. Every non-trivial claim must cite receipts. Parallelize by telemetry domain when it helps. When query execution occurs, treat `/hunt-run` as a `QuerySpec` producer and normalized-result consumer.

If the requested phase has not been planned yet, stop and instruct the operator to run `/hunt-plan ` first instead of improvising execution.

Keep query-log `related_receipts` and receipt `related_queries` links exact and bidirectional for artifacts created in the run.

Before closing out, update `HYPOTHESES.md`, `STATE.md`, and `HUNTMAP.md` so hypothesis confidence and phase completion match the receipts actually collected. When updating `HUNTMAP.md`, sync all affected surfaces: the phase checkbox, the per-plan checklist entries, and the progress table row for the executed phase.

When onboarding or debugging a real connector, use `thrunt-tools runtime doctor []` before running hunts, and use `thrunt-tools runtime smoke []` for a live read-only certification query. When a phase is explicitly pack-backed, prefer `thrunt-tools runtime execute --pack ` or inspect the generated specs with `thrunt-tools pack render-targets ` before running.
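Added example, not code from the THRUNT project or its templates: a close-out check for the rule above that query-log `related_receipts` and receipt `related_queries` links must be exact and bidirectional. It assumes both artifact kinds carry those fields as YAML-style frontmatter lists and that the artifact id is the key used in the other side's list; the sample artifacts are constructed inline.

```python
import re

# Assumption (not from the project's templates): each artifact opens with YAML-style
# frontmatter whose link field is inline ("related_receipts: [R-01]") or "- id" lines.
FRONTMATTER = re.compile(r"\A---\n(.*?)\n---", re.S)

def parse_links(text: str, field: str) -> list[str]:
    """Return the ids listed under `field` in the frontmatter ([] if absent)."""
    block = FRONTMATTER.search(text)
    ids, inside = [], False
    for raw in (block.group(1) if block else "").splitlines():
        line = raw.strip()
        if line.startswith(field + ":"):
            rest = line[len(field) + 1:].strip()
            if rest.startswith("[") and rest.endswith("]"):   # inline list form
                return [x.strip() for x in rest[1:-1].split(",") if x.strip()]
            inside = True                                     # block list follows
        elif inside and line.startswith("- "):
            ids.append(line[2:].strip())
        elif inside and line:  # next key reached: the list is over
            break
    return ids

def check_links(queries: dict, receipts: dict) -> list[str]:
    """Report one-way or dangling links; inputs map artifact id -> markdown text."""
    defects = []
    for qid, text in queries.items():
        for rid in parse_links(text, "related_receipts"):
            if rid not in receipts:
                defects.append(f"query {qid} cites unknown receipt {rid}")
            elif qid not in parse_links(receipts[rid], "related_queries"):
                defects.append(f"receipt {rid} does not link back to query {qid}")
    for rid, text in receipts.items():
        for qid in parse_links(text, "related_queries"):
            if qid not in queries:
                defects.append(f"receipt {rid} cites unknown query {qid}")
            elif rid not in parse_links(queries[qid], "related_receipts"):
                defects.append(f"query {qid} does not link back to receipt {rid}")
    return sorted(defects)   # empty means the run left every link exact and bidirectional

# Constructed sample: Q-02 -> R-01 is one-way, and R-02 cites a query that does not exist.
SAMPLE_QUERIES = {
    "Q-01": "---\nid: Q-01\nrelated_receipts:\n  - R-01\n  - R-02\n---\n# Q-01\n",
    "Q-02": "---\nid: Q-02\nrelated_receipts: [R-01]\n---\n# Q-02\n",
}
SAMPLE_RECEIPTS = {
    "R-01": "---\nid: R-01\nrelated_queries:\n  - Q-01\n---\n",
    "R-02": "---\nid: R-02\nrelated_queries:\n  - Q-01\n  - Q-99\n---\n",
}
```

Run `check_links` over the texts loaded from `.planning/QUERIES/*.md` and `.planning/RECEIPTS/*.md` before updating `STATE.md`; any non-empty result means a receipt citation the validate step cannot trace.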