hunt-plan
// Create phase plans for a threat hunt with exact telemetry tasks, receipts, and query outputs
Show available THRUNT threat hunting commands and artifact layout
Map available telemetry, query surfaces, tenants, retention windows, and investigation blind spots
Initialize a threat hunting case from a signal, detection, intel lead, or analyst suspicion
Initialize a threat hunting program with an environment map, tool inventory, huntmap, and empty execution directories
Publish a hunt as a case report, escalation, detection promotion, or leadership summary
Execute a hunt phase with parallel telemetry work, query logging, receipt generation, and optional wave targeting
| name | hunt-plan |
| description | Create phase plans for a threat hunt with exact telemetry tasks, receipts, and query outputs |
| argument-hint | <phase> |
| allowed-tools | Read, Bash, Write, Task |
HUNTMAP.md remains the source of truth for phase layout and sequencing.
Creates or updates:
- .planning/phases/[phase-slug]/CONTEXT.md
- PLAN.md files
- .planning/STATE.md
- .planning/HUNTMAP.md when phase metadata changes

After this command: Run /hunt-run <phase>.
<execution_context> @.github/thrunt-god/workflows/hunt-plan.md @.github/thrunt-god/templates/context.md @.github/thrunt-god/templates/phase-prompt.md </execution_context>
Execute the hunt planning workflow from @.github/thrunt-god/workflows/hunt-plan.md. Plans must name the telemetry source, intended evidence, and required receipts.