Connect with us

Hi, what are you looking for?


Incident Response

The OODA Loop: The Military Model That Speeds Up Cybersecurity Response

The OODA Loop can be used both by defenders and incident responders for a variety of use cases such as threat assessment, threat monitoring, and threat hunting.

Time is a precious commodity especially in cybersecurity. Cybercriminals can be in and out of victim environments in less than 24 hours of initial access. Professional cybercriminals and advanced persistent threats (APTs) leverage zero-day vulnerabilities, easily rendering software developers clueless.

When a cyberattack strikes, defenders have only minutes to detect and respond. The faster the detection, the sooner a virus can be arrested from spreading. The faster the response time, the sooner the enemy can be outmaneuvered. To win this race against time, defenders need two things: 1) a robust decision-making model that aids in swift but accurate decision-making; and 2) real-time status checks on the entire infrastructure, allowing security teams the chance of making informed decisions.

Enter the OODA Loop Military Model and its Security Application

The OODA loop is a military mental model developed in the mid-20th century by Air Force strategist Col. John Boyd to boost decision-making skills for fighter pilots during aerial combats.

The OODA loop consists of four iterative phases: Observe, Orient, Decide and Act. “Observe” refers to building a comprehensive picture of the situation. “Orient” means connecting with reality, avoiding cognitive biases, and developing a deep awareness of the situation and its context. “Decide” translates to making decisions based on observations, but not jumping to conclusions. “Act” is about implementing or acting on the decision made.

The OODA loop is a versatile model which can obviously be applied to cybersecurity. It can be used both by defenders (and incident responders) for a variety of use cases such as threat assessment, threat monitoring, and threat hunting. The success of the OODA loop is highly dependent on the quality of security signals and data used for decision making. In other words, poor quality data equals poor decisions and vice versa.

Using SASE to Harness the OODA Loop

Security complexity is one of the biggest roadblocks to effective and timely threat detection. It’s common practice to deploy many disparate security tools (anywhere from 45 to 75 on average) to address a host of threat vectors and security use cases. As a result, security tools are unable to “connect the dots,” failing to produce timely, accurate, and contextual security data for effective decision-making. Because data and applications have moved to the cloud together with users who are working remotely, blind spots come into the picture over which security teams have no data insight or control over.

Advertisement. Scroll to continue reading.

SASE is a single-pass, cloud-native architecture that tackles the complexity problem by converging multiple security controls (such as data leakage prevention, secure web gateway, zero trust network access, cloud access security broker and other controls) into a single service. Consolidated security tools and native integrations result in real-time visibility over network traffic spanning endpoints, multi-cloud, applications, identities, devices, and Internet of Things. Real-time data is then enriched with contextual details like location and identity, empowering security teams with finer security control and more informed decision-making. The SASE backbone also enables immediate threat response against zero-day exploits via virtual patching. In other words, SASE significantly enhances the OODA loop process because it sees all network flows (‘Observe’), contextualizes all the data it receives (‘Orient’), invokes the policy that needs to be applied (‘Decide’), and enforces policies across the entire infrastructure end-to-end (‘Act’). 

Final Thoughts

The OODA Loop is designed for rapid decision-making in highly stressful situations, familiar territory for any security team. Because threats are growing in sophistication, there is a need for faster response times; control and visibility becomes more urgent.  The key is having this visibility into all data and its context. By enriching data with context, security teams can make informed policy decisions. Enforcing these policies consistently requires a convergence of security functions.  With single-pass processing, security teams can make informed data-driven decisions, enforce the right policies immediately, accelerate their desired security outcomes and fast-track their journey to cyber resilience.

Written By

Etay Maor is Senior Director of Security Strategy for Cato Networks. Previously, he was Chief Security Officer for IntSights and held senior security positions at IBM and RSA Security's Cyber Threats Research Labs. An adjunct professor at Boston College, he holds a BA in computer science and a MA in counter-terrorism and cyber terrorism from Reichman University (IDC Herzliya), Tel Aviv.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Kim Larsen is new Chief Information Security Officer at Keepit

Professional services company Slalom has appointed Christopher Burger as its first CISO.

Allied Universal announced that Deanna Steele has joined the company as CIO for North America.

More People On The Move

Expert Insights

Related Content


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Incident Response

Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Incident Response

Meta has developed a ten-phase cyber kill chain model that it believes will be more inclusive and more effective than the existing range of...

Cloud Security

VMware described the bug as an out-of-bounds write issue in its implementation of the DCE/RPC protocol. CVSS severity score of 9.8/10.