The correct answer is Structured threat hunting. In this scenario, the SOC team has already confirmed malicious activity—a compromised user account, anomalous VPN access, and indicators consistent with data exfiltration. Once an incident has been validated and attributed to adversary behavior, the next professional step is to perform structured threat hunting to uncover additional attacker actions across the environment.
Structured threat hunting is hypothesis-driven and based on known attacker tactics, techniques, and procedures (TTPs), often mapped to frameworks such as MITRE ATT&CK. Here, the team can form hypotheses like: "If the adversary accessed the file server for exfiltration, they may have also attempted lateral movement, persistence, or privilege escalation." Analysts then systematically query endpoint, identity, VPN, file server, and network telemetry to confirm or disprove these hypotheses.
Option A (Unstructured) is typically used at the earliest stages when little is known and analysts are exploring weak signals or anomalies without a defined adversary model. That phase has already passed in this case. Option B (AI-driven) refers to tooling or analytics methods rather than a threat hunting methodology. Option C (Proactive) is a general mindset applied to all hunting activities, not a specific hunting type used to investigate known attacker behavior.
From a professional SOC and threat hunting perspective, structured hunting enables full attack chain reconstruction. It helps identify secondary objectives such as data staging locations, additional compromised accounts, persistence mechanisms, and command-and-control activity. The outcome is a more complete understanding of the breach, improved containment, and stronger detection logic for future incidents.
This approach reflects mature security operations: once compromise is confirmed, hunt the adversary—not just the alert. Structured threat hunting ensures attackers are fully evicted and prevents repeat compromise through overlooked footholds.
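The hypothesis-driven hunt described above, and the attack-chain reconstruction it feeds, as an added Python example that is not part of the original explanation: the telemetry records, the account name "jdoe", the host names and the event labels are all constructed for illustration, while the tactic names are real MITRE ATT&CK tactics. Each hypothesis is tested against the telemetry of the confirmed-compromised account and is reported as confirmed or disproved, and every host that account touched is returned as new scope for the next hunt iteration.

```python
from collections import defaultdict

# Constructed sample telemetry (not from the original page).
# Record layout: (source, account, host, event)
EVENTS = [
    ("vpn", "jdoe", "vpn-gw", "login_from_new_country"),       # the anomalous VPN access
    ("fileserver", "jdoe", "fs01", "bulk_read"),               # the exfiltration indicator
    ("endpoint", "jdoe", "ws-17", "remote_logon"),             # jdoe reaches a second host
    ("endpoint", "jdoe", "ws-17", "scheduled_task_created"),
    ("endpoint", "jdoe", "ws-17", "token_elevation"),
    ("endpoint", "asmith", "ws-03", "remote_logon"),           # outside the hunt scope
    ("endpoint", "jdoe", "ws-17", "service_installed"),
]

# Hypotheses derived from the confirmed incident, keyed by ATT&CK tactic.
# The indicator labels are constructed; in practice they map to real detections.
HYPOTHESES = {
    "Lateral Movement": {"remote_logon"},
    "Persistence": {"scheduled_task_created", "service_installed"},
    "Privilege Escalation": {"token_elevation"},
    "Command and Control": {"beacon_to_known_c2"},
}

def hunt(events, compromised_accounts, hypotheses):
    """Test each hypothesis against the telemetry of the compromised accounts.
    Returns {account: {tactic: [(host, event), ...]}} for hypotheses with evidence."""
    findings = defaultdict(lambda: defaultdict(list))
    for _source, account, host, event in events:
        if account not in compromised_accounts:
            continue
        for tactic, indicators in hypotheses.items():
            if event in indicators:
                findings[account][tactic].append((host, event))
    return {acct: dict(tactics) for acct, tactics in findings.items()}

def pivot_hosts(events, compromised_accounts):
    """Every host a compromised account touched becomes scope for the next iteration."""
    return sorted({host for _, acct, host, _ in events if acct in compromised_accounts})

def hunt_report(events, compromised_accounts, hypotheses):
    """Summarise which hypotheses were confirmed, which were disproved, and where to pivot."""
    findings = hunt(events, compromised_accounts, hypotheses)
    confirmed = sorted({t for acct in findings for t in findings[acct]})
    disproved = sorted(set(hypotheses) - set(confirmed))
    return {"findings": findings, "confirmed": confirmed, "disproved": disproved,
            "hosts_to_scope": pivot_hosts(events, compromised_accounts)}

if __name__ == "__main__":
    import json
    print(json.dumps(hunt_report(EVENTS, {"jdoe"}, HYPOTHESES), indent=2))
```

A disproved hypothesis is still a result: it narrows the attack chain and tells the team which telemetry gap, if any, to close next.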