PumaHunter is an offline threat-hunting workbench — it turns a vague hunch into a structured, documented, hypothesis-driven hunt that produces real outputs for detection engineering. No server, no account, no telemetry.
Hunt programs (workspaces) — one per client, engagement, or environment. Switch, rename, and recolor them from the tabs at the top.
Three-stage hunt lifecycle — Scope (write the ABLE hypothesis, map ATT&CK techniques, pick data sources), Hunt (work analysis steps, capture and triage findings), and Conclude (declare the outcome, log improvements).
ABLE hypothesis builder — every hunt is framed as Actor · Behavior · Location · Evidence, with a searchable MITRE ATT&CK technique picker. The question is falsifiable before you run a single query.
12-hunt library — ready-to-run templates (8 foundational + 4 advanced/enterprise) mapped to ATT&CK, with real Event IDs and Sysmon/SPL/KQL queries, good-vs-bad guidance, and false-positive notes. Or paste a threat-intel advisory and PumaHunter matches it to the library to start a hunt.
Threat-actor profiles — browse intrusion sets (FIN7, APT29, Volt Typhoon, …), see how much of each one's tradecraft you've hunted, and scope a new hunt to an actor in one click. Open from the Actors tab or press 6.
ATT&CK coverage map — see which techniques you've hunted, how many hunts cover each, and where evil was found; export a MITRE ATT&CK Navigator layer. Open from the Coverage tab or press 4.
Visibility gaps — see which data sources your hunts call for but you haven't collected, ranked by how many hunts each would unlock. Open from the Gaps tab or press 5.
Hand off to PumaCase / PumaRisk — export a hunt's findings as a detection-handoff backup: to PumaCase for active response, or PumaRisk for the risk register.
Hunt reports — export a Markdown or RTF write-up of any hunt (with exec summary and ATT&CK table) for handoff to detection engineering or leadership.
Teaching layer — each stage panel includes a collapsible guide covering the ABLE framework, analysis discipline, disposition rules, and improvement types. The Pyramid of Pain and a glossary are one click away in the hunt footer.
Backup & restore — the Export button writes a .pumapack of every program (⌘/Ctrl+S saves a quick .json backup); Import or drag-drop restores either.
New to hunting? Open the Method tab, then instantiate a library hunt and follow the stage-guide prompts.
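As an added illustration of the Coverage and Gaps views described above (example code, not PumaHunter's own implementation or storage format): a few constructed hunt records are reduced to a per-technique coverage map, an ATT&CK Navigator layer using the standard layer field names, and a ranking of uncollected data sources. The hunt records, data-source labels and helper names are assumptions.

```python
"""ATT&CK coverage, Navigator layer export and visibility-gap ranking over hunts."""
from collections import Counter, defaultdict

# Constructed sample hunts shaped after the fields the help text mentions
# (ATT&CK techniques, data sources, outcome, finding dispositions).
HUNTS = [
    {"name": "Encoded PowerShell", "techniques": ["T1059.001", "T1027"],
     "sources": ["Sysmon EID 1", "Windows Security 4688"],
     "outcome": "proven", "findings": ["malicious", "benign"]},
    {"name": "LSASS access", "techniques": ["T1003.001"],
     "sources": ["Sysmon EID 10"], "outcome": "disproven", "findings": []},
    {"name": "Scheduled task persistence", "techniques": ["T1053.005", "T1059.001"],
     "sources": ["Windows Security 4698", "Sysmon EID 1"],
     "outcome": "inconclusive", "findings": ["suspicious"]},
    {"name": "WMI lateral movement", "techniques": ["T1047"],
     "sources": ["Windows Security 4698", "WMI-Activity Operational"],
     "outcome": "open", "findings": []},
]


def coverage(hunts):
    """Per technique: how many hunts cover it and whether any hunt found evil
    (a finding triaged as malicious)."""
    cov = defaultdict(lambda: {"hunts": 0, "evil": False})
    for h in hunts:
        for t in h["techniques"]:
            cov[t]["hunts"] += 1
            cov[t]["evil"] |= "malicious" in h["findings"]
    return dict(cov)


def navigator_layer(hunts, name="Hunt coverage"):
    """Build a Navigator layer: score = number of hunts, red where evil was found."""
    techs = []
    for tid, c in sorted(coverage(hunts).items()):
        entry = {"techniqueID": tid, "score": c["hunts"],
                 "comment": f"{c['hunts']} hunt(s)"}
        if c["evil"]:
            entry["color"] = "#d62728"
            entry["comment"] += ", evil found"
        techs.append(entry)
    return {"name": name, "domain": "enterprise-attack",
            "versions": {"layer": "4.5"}, "techniques": techs}


def visibility_gaps(hunts, collected):
    """Data sources the hunts call for but you do not collect, ranked by how
    many hunts ask for each (the hunts that collecting it would unblock)."""
    need = Counter(s for h in hunts for s in set(h["sources"]) if s not in collected)
    return need.most_common()
```

Serialise the layer with `json.dump` and load it in ATT&CK Navigator to see the per-technique scores and colours.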
The hunt loop
Threat hunting is proactively searching for attacker activity that evaded your detections. It is not "go look at logs" — it is testing a specific, falsifiable idea about what an adversary is doing in your environment.
1 · Scope. Write an ABLE hypothesis: an Actor performing a Behavior in a Location you can see, leaving Evidence in a named data source. Map it to ATT&CK. Define what would prove or disprove it (success criteria). A good hypothesis is falsifiable — you can describe the data that would prove you wrong.
2 · Hunt. Work through your analysis steps, data source by data source. Write the query before you run it. Record the result of every step — even "nothing found." Triage each finding: benign, suspicious, malicious, or inconclusive. Escalate anything malicious immediately; don't wait for the hunt to close.
3 · Conclude. Declare the outcome: proven, disproven, inconclusive, or still open. Then produce at least one improvement: a new detection rule, a visibility gap you found, a response playbook update, or a baseline that makes the next hunt faster. A hunt that finds nothing but creates a detection still won.
Hunt for behaviors, not indicators. Aim at the top of the Pyramid of Pain — TTPs and tools are durable detection targets. An adversary can rotate a hash in minutes; changing their technique takes weeks.
Open the ⬡ PoP button in any hunt footer for the full Pyramid of Pain reference, or ? Glossary for term definitions.
Where your hunts live
Every hunt program is stored in your browser's localStorage, on this device and this browser only. Nothing is uploaded anywhere.
This is the whole database. If you clear site data, use a private window, switch browsers, or lose the device, your hunts are gone. Back up regularly.
Backing up
The Export button saves every program to a single .pumapack file; ⌘/Ctrl+S saves a quick .json backup. Restore either with Import, or by dragging the file onto the window.
Clear all local data
Danger zone. This erases every PumaHunter program in this browser. Export a backup first.
Type DELETE EVERYTHING to confirm:
Keyboard shortcuts

?              Open this help
⌘/Ctrl + S     Save a quick .json backup
N              New blank hunt
1 / 2 / 3      Dashboard / Hunts / Library
4              ATT&CK Coverage view
5              Visibility Gaps view
6              Threat Actors view
Esc            Close hunt / dialog / menu
About PumaHunter
PumaHunter is a lightweight, offline threat-hunting workbench that runs entirely in your browser. It is built for technically capable people — analysts, incident responders, sysadmins — who can query their own data but have never been handed a repeatable hunt method. It takes the same "teach by doing" stance as PumaTTX.
This tool is provided as-is, for informational and productivity purposes only. It is not professional security advice. All hunting decisions, findings, and escalations are your own.
About PumaWorx
PumaWorx is a suite of offline, single-HTML productivity apps that run entirely in your local browser. The entire suite is a personal, open source vibecoding project.
This is an offline single-HTML app. No data goes to or from the internet — no server, no account, no telemetry. Your hunts live in your web browser's localStorage — on this device, in this browser, and nowhere else.
Your data is YOUR responsibility.
Clearing this site's data, opening it in a private window, switching browsers, or losing this device erases every hunt. Back up regularly — the topbar Export button saves a .pumapack you can re-import or drag back onto the window.