How the ideas of a Korean War F86 fighter pilot can improve your Cyber Risk Operations Center
In 2004, as I prepared to board a flight to Tokyo, I strolled through a bookstore in ATL’s international concourse looking for something to occupy my mind during the 14-hour flight. Just as I was about to head to my gate empty-handed, I noticed a book I had just read a review about in Georgia Tech’s alumni magazine, concerning a not-so-famous but immensely influential fighter pilot who began his journey of making a dent in the universe as an F86 fighter pilot in the Korean War.
Although I grabbed the book and purchased it without so much as a flip through its pages, I didn’t start reading it until our flight took off from Atlanta. Time seemed to stop for the next half day of my life until I found myself reading the last page as we began our descent into Narita’s airspace. In those last moments on approach to Tokyo, I knew that my life was permanently altered. In fact, it led me down a rabbit hole of discovery that I’m still following.
The book I devoured on this long flight was Boyd: The Fighter Pilot Who Changed the Art of War by Robert Coram. It’s understandable if you aren’t currently familiar with the late Colonel John Boyd. Although quite a bit has been written about him, Col. Boyd never wrote much for formal publications. Almost all of his material and ideas were communicated via briefings—very long briefings that were mostly published on overhead slides.
So while I won’t go into all the details of Col. Boyd’s theories, the motivations for them, and eventual influences, I’ll summarize here what he accomplished. When he was 33, he published the “Aerial Attack Study” for the USAF, which brought the state-of-the-art aerial dogfighting tactics to print, completely changing those tactics of air forces worldwide. The F15, F16, and A10 aircraft owe much to his influence through his Energy-Maneuverability (E-M) Theory, which he developed with USAF mathematician Thomas Christie.
As if all that were not enough, the most significant and influential ideas—the ideas that resonated the most with me—that Col. Boyd developed and advanced throughout the branches of the US military, other national militaries, and eventually businesses around the world are those related to his so-called OODA loop. If you have been influenced by Col. Boyd, you can likely attribute that to his OODA loop concept.
What is the OODA Loop?
Col. Boyd developed the OODA loop as a means to address conflict in highly fluid, high tempo, and high risk engagements with an opponent, whether they are nation state enemies, terrorists, market competitors, or cyber criminals. His idea is that the OODA loop concept practiced by a team of “soldiers” allows them to reconcile the ambiguity and uncertainty of the battlefield (the “fog of war” in the arena of conflict) into meaningful interpretations about what really is occurring on the ground in order to develop strategies and tactics that overwhelm and subdue the enemy. The flow of idea formation and action is accomplished by Observing, Orienting, Deciding, and Acting, all connected through a cycle—hence, the so-called OODA loop.
At Resilience, we use concepts based on the OODA loop in our Cyber Risk Operations Center (ROC), based on the experiences of Mike McNerney (USAF), our SVP of Security who leads our ROC.
“The question of how to fight back—successfully—requires more than just new or better technology. It requires a mindset shift. As a former US Air Force Officer who also served at the Pentagon and US State Department before moving to the private sector, I believe that the military provides a useful framework for this shift. Specifically, our current cyber warfare crisis closely mirrors the challenges the US military faced at the outset of the Global War on Terror in the early 2000s. American troops were bogged down by insurgent networks that were resilient, adaptable, and difficult to predict. It wasn’t until General Stanley McChrystal implemented a new engagement framework that the tide turned for our troops, eventually leading to their elimination of the leader of Al-Qaeda. McChrystal’s strategy increased surprise raids from 18 per year to over 10 per night, forcing his team to proactively hunt down threats before they could escalate.”
Our cyber Risk Operations Center (ROC) emerged in response to the mission set forth by our CEO, Vishaal (USAF call sign “V8”) Hariprasad, to Mike McNerney: keep the good guys ahead of the bad guys. Mike interpreted the commander’s intent of the directive as “move faster than the adversary [can comprehend].” The ROC feedback loop is therefore designed to change the reality of our portfolio—its attack surface—faster than it can be exploited, at least in aggregate. We do that by adhering to the OODA loop, similar to the way Gen. McChrystal changed the reality of the terrorist networks’ ability to reconstitute faster than they could adapt.
We believe that employing this concept contributes effectively to managing a modern integrated risk management system (that includes risk transfer through insurance) in which, unlike in property and casualty insurance, we can’t rely on large amounts of stable data. The reason, of course, is that cybersecurity addresses an active threat of malicious adversaries who learn and evolve their strategies and tactics. It’s as if we’re at war.
That’s because we are at war.
I would argue that although business often contains elements of conflict similar to war, it is not war. Treating it like war can lead to misallocated attention on competitors rather than the real goal of wooing the customer. But while business-at-large may not be war, cybersecurity is as close as it comes to war in the business world.
As you might guess, more complexity lies beneath the elements of the OODA loop acronym. To get the OODA loop right, you need to understand the complexity and the nuance. First, though, let’s understand what the OODA loop is not.
What the OODA Loop Is Not
The OODA loop is not a process. This understanding has been promoted by some in an attempt to make the OODA loop more accessible to a broader audience. Their attempt at simplification looks like that depicted in Figure 1, which you have probably seen if you already have some exposure to Col. Boyd’s concepts. I’ll call this the naive OODA loop. The idea conveyed by the naive OODA loop is that active agents first observe their surroundings and collect information. Then they form an opinion or judgment about what is really going on. Then they decide what to do. Then they act. Rinse and repeat.

Figure 1: The naive OODA loop depicted as a step process.
Can you feel the marching, staccato effect in the description? It feels as if there is a pause in the transition from step to step. You can almost hear a management consultant say in a meeting, “We have now completed the observation stage. Let’s move on to orientation.” Agents who mature this process flow, as the simplified thinking goes, increase their speed of going through the loop. If they do this faster than the adversary, the adversary loses the ability to keep pace. Losing pace leads to the adversary’s collapse.
This simplification sounds like a level of distillation that makes the OODA loop pragmatic. Unfortunately, although this depiction contains elements of truth, it misleads practitioners away from the practice and insights that Col. Boyd intended. This leads to surprisingly unfavorable outcomes, largely because the adversary uses the correct understanding, which countervails the naive one. Adversaries want to win, too.
What the OODA Loop Really Is
Figure 2 depicts the OODA loop as Col. Boyd conceived, refined, and promoted it throughout the remainder of his career. Look closely. The OODA loop functions properly as a feedback system, not a process loop. Let’s examine the elements of the loop to understand how it works.

Figure 2: The real OODA loop depicted as a feedback system. While it incorporates a feed-forward flow of information and actions, it also turns back through a feedback loop that dynamically recalibrates one’s observation of the world.
Observe. The act of surveillance, gaining information, tuning in on signals, and collecting data—formally or informally—captures the essence of the Observe element. But key to understanding this element is that the output is vague and uncertain. It does not necessarily produce absolute, objective facts. Since the world is complex, and its complexity increases as the scale and tempo of conflict increases, we can only expect that the ambiguity we experience likewise increases as our ability to collect information reliably degrades and anxiety amplifies.
Orient. The center of mass of the OODA loop is orientation. We might think of Orientation as the source of wisdom that converts observations and measurements into judgments and interpretations about the meaning of the world. Even if our observations were completely free of uncertainty, “facts” really don’t speak for themselves. We must interpret them within a broader context that can only be understood through a multiplicity of filters and models to get to their meaning in relation to our objectives and preferences for the world. While volume and quality of information are good, those with better judgment are best at discerning patterns and making sense of them.
Decide. This element depicts the effort of developing hypothetical alternatives for action and evaluating them for their potential payoff value. Of course, in the context of combat, agents don’t have the luxury of developing formalized evaluations. Instead, they are trained to make value distinctions quickly, then move on. Fortunately, not all conflicts proceed at the pace of active combat. In business, we usually have the time to develop proper decision analyses to understand the payoffs, the risks, and what we need to do to buy down the risk of the most beneficial alternatives.
Act. This is where decisions become reality as resources are committed to a course of action. Col. Boyd appended this element with the word “test” (see Fig. 2, Act element) because no decision that gets acted on should necessarily represent a full scale commitment of resources without the benefit of course correction along the way. Acting is testing, experimenting. Experimenting changes the world. And that brings us back to observing the results of acting.
All of these elements are activated and updated more or less in parallel and in real time, much like the components of a heating and air conditioning system of a building, which is also a feedback control system.
The power of the OODA loop emerges from three distinct patterns. First, agents that challenge and update their orientation of the world with a faster clock speed are able to formulate decision alternatives faster. Updating faster also means avoiding the mistake of dwelling too long on a self-satisfied belief that one’s judgment is complete and perfectly clear. Once you believe that you see the world clearly, you have about thirty seconds to live, essentially, because the adversary has pulled you into an illusion they have created for you to enjoy, however briefly. Good orientation relies on maintaining some level of ambiguity by always asking “how do I know that?”
Second, OODA loop maturity leads to creating decision alternatives that represent hybrid ideas from disparate and multiple domains of inspiration. It helps agents avoid the trap of thinking that the way they’ve always done things is the way they should continue to do things. (This is especially dangerous because it subjects you to rapid pattern recognition by the adversary.) From the perspective of engaging an adversary, the hybrid solutions put out for testing should be surprising and novel, shifting quickly from one action to another.
This brings up an important understanding about speed. Going back to his early contribution to codifying aerial tactics, Col. Boyd noted that aircraft that dominated aerial combat were not only capable of high speed but were also capable of quickly switching through maneuvers (“fast transients”). In fact, Boyd observed that maneuverability contributes more to success than raw speed. Recall how Mike McNerney described that successfully overwhelming Al-Qaeda included accelerating their surprise raid cycle from 18 per year to 10 per night. It’s not just moving faster that matters; it’s doing surprisingly different things faster that matters.
This brings us to the third pattern. Surprise disrupts orientation, the judgment about the state of the world. When an adversary is confronted by surprising moves, they must quickly make sense of the situation. If another surprise move occurs before their sense-making is adequately informed, they must reorient again. This disruption in their feed-forward/feedback loop prevents them from deciding and acting, revealing a persistent pattern of behavior that becomes predictable. That predictable pattern gives the dominating agent the advantage of shaping the course of conflict to their own preferences. As the world becomes more and more unpredictable to the adversary, it also becomes increasingly bewildering. The ensuing anxiety amplifies to the point of panic, eventually leading to the collapse of their will to contend.
A Day in the Loop
Not long ago, as Resilience analysts in our Risk Operations Center monitored threat intelligence feeds, dark web forums, and other clandestine sources, they detected a shift in criminal cyber gang Scattered Spider’s tactics. In this specific case, our analysts observed lookalike domains and fake Okta login pages that were intended to target various industries, including financial services and insurance.
Sense making through the orientation process begins almost as soon as a concerning signal is detected. What did this mean for us and our clients? By quickly analyzing the adversary’s methods, such as adversary-in-the-middle (AiTM) attacks, social engineering, and SIM-swapping techniques, Resilience analysts assessed the potential impact on targeted or potentially targeted organizations. Using behavioral analysis, the team mapped Scattered Spider’s tactics, techniques, and procedures to frameworks like MITRE ATT&CK to better understand the group’s objectives and capabilities. The ROC team also collaborated with other cybersecurity organizations, ISPs, and threat intelligence groups to validate their findings and gather additional insights about Scattered Spider’s activities. As an insurance company, we found ourselves included among the potential victims.
Decision making follows sense making in the feed-forward pathway of the loop. Decision making in this case does not mean committing to action immediately but rather conceiving potential actions to take and evaluating their costs, benefits, and knock-on effects. Based on their understanding of the situation “in the net,” we determined which stakeholders, internally and externally, to notify and make aware of the circumstances identified.
Resilience analysts recommended proactive measures to our customers and elected to take additional steps to further enhance our ability to observe. They responsibly disclosed to all necessary stakeholders the details and circumstances of the current action, which included notifying respective hosting companies and organizations identified as dependencies for the discovered assets. In this case, we advised that hosted Okta login pages should be removed. Analysts coordinated with registrars and hosting providers to report and take down malicious domains. These actions didn’t permanently suppress Scattered Spider, of course, but they did help to shape the adversarial landscape to the good actors’ benefit. And we keep fighting and applying pressure.
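The Observe step in the account above, as an added example (this is not Resilience’s ROC tooling and not code from the post): a small check that flags lookalike domains impersonating a protected brand, using homoglyph normalization, an edit-distance test for typosquats, and a brand-plus-lure-word test for hostnames such as fake Okta login pages. The brand list, allowlist and lure words are assumed, constructed values.

```python
import re
from typing import NamedTuple, Optional

# Constructed watch list and allowlist (assumed values, not from the post).
PROTECTED_BRANDS = ("okta", "resilience")
ALLOWLIST = frozenset({"okta.com", "resilience.example"})
# Words that commonly accompany a brand name in credential-phishing hostnames.
LURE_WORDS = ("login", "signin", "sso", "mfa", "verify", "secure", "helpdesk")
# Common digit-for-letter and two-character homoglyph substitutions.
SINGLE_GLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})
MULTI_GLYPHS = (("rn", "m"), ("vv", "w"), ("cl", "d"))

def normalize_label(label: str) -> str:
    """Collapse homoglyphs and strip non-letters so '0kta' compares equal to 'okta'."""
    label = label.lower().translate(SINGLE_GLYPHS)
    for src, dst in MULTI_GLYPHS:
        label = label.replace(src, dst)
    return re.sub(r"[^a-z]", "", label)

def levenshtein(a: str, b: str) -> int:
    """Edit distance via the standard two-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

class Finding(NamedTuple):
    domain: str
    brand: str
    reason: str

def assess_domain(domain: str, allowlist: frozenset = ALLOWLIST) -> Optional[Finding]:
    """Return a Finding when `domain` looks like an impersonation of a protected brand."""
    labels = domain.lower().rstrip(".").split(".")
    if ".".join(labels[-2:]) in allowlist:  # naive registrable-domain check; ignores co.uk-style suffixes
        return None
    sld = normalize_label(labels[-2] if len(labels) >= 2 else labels[0])
    full = normalize_label("".join(labels))
    for brand in PROTECTED_BRANDS:
        if sld == brand:
            return Finding(domain, brand, "homoglyph clone of brand label")
        if levenshtein(sld, brand) == 1:
            return Finding(domain, brand, "typosquat (edit distance 1)")
        if brand in full and any(w in full for w in LURE_WORDS):
            return Finding(domain, brand, "brand combined with credential lure word")
    return None
```

Hits from a candidate feed (newly registered domains, certificate transparency logs, and so on) still go to an analyst for the Orient step; the check only narrows what is worth looking at.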
Where Do We Go From Here?
Col. Boyd’s ideas about the OODA loop inform the behavior of our Cyber ROC. We use them to shape the cybersecurity landscape to the advantage of our clients and others. Much of the motivation to do this arises from the need to create a new kind of risk management service that operates within a system of active conflict with malicious, adversarial agents.
This new kind of risk management product and service, if it is to be effective, must expand beyond our own ROC. We need our clients and brokers to participate in new and surprising ways. Everyone in this ecosystem must play a new role in the loop because we simply aren’t dealing in the kind of system that static, passive risk transfer typically operates in. We have to change the way we Observe, Orient, Decide, and Act.