hunt-map-environment
// Map available telemetry, query surfaces, tenants, retention windows, and investigation blind spots
Show available THRUNT threat hunting commands and artifact layout
Initialize a threat hunting case from a signal, detection, intel lead, or analyst suspicion
Initialize a threat hunting program with an environment map, tool inventory, huntmap, and empty execution directories
Create phase plans for a threat hunt with exact telemetry tasks, receipts, and query outputs
Publish a hunt as a case report, escalation, detection promotion, or leadership summary
Execute a hunt phase with parallel telemetry work, query logging, receipt generation, and optional wave targeting
| Field | Value |
| --- | --- |
| name | hunt-map-environment |
| description | Map available telemetry, query surfaces, tenants, retention windows, and investigation blind spots |
| allowed-tools | Read, Bash, Write, AskUserQuestion, Task |
Creates or updates:

- .planning/environment/ENVIRONMENT.md
- .planning/MISSION.md
- .planning/HYPOTHESES.md
- .planning/STATE.md

Unknown tenants, tools, retention windows, access paths, and blind spots must remain TBD until the operator confirms them.
Confirmed environment facts should replace existing TBD markers immediately; only unresolved fields should stay TBD.
After this command: Run /hunt-shape-hypothesis or /hunt-plan 1.
<execution_context> @.github/thrunt-god/workflows/hunt-map-environment.md @.github/thrunt-god/templates/environment-map.md </execution_context>
Execute the environment-mapping workflow from @.github/thrunt-god/workflows/hunt-map-environment.md. Prefer concrete environment facts over generic best practices. Preserve existing analyst notes. Default behavior is to preserve confirmed facts and leave unknown values as `TBD` rather than populating simulated environment details. Replace `TBD` only where live workspace evidence or direct operator input confirms the fact.