Open in app

Sign in

Write

Sign in

OODA LOOP: The Security Operation Framework

Shreenkhala Bhattarai
2 min readMar 3, 2025

--

The OODA loop, also known as Boyd’s Cycle, is a decision-making model created by military strategist and US Air Force Colonel John Boyd to describe how people and organizations may win in an unpredictable and chaotic environment. Col. Boyd thought that a strategist employing the OODA decision-making process may gain an edge by swiftly observing and understanding an adversary’s behavior. Accepting the chaos associated with quick analysis and learning is more effective than the opponent helps a decision-maker to look unpredictable and induce chaos in the decision-making of the adversary.

The OODA loop is a four-stage process for decision-making: observe, orient, decide and act. A strategist should cycle through these phases often and rapidly as part of their analysis and decision-making process.

Observe
This stage is all about the collection of information from the environment.
For a SOC, this translates to the collection function, the ability to
see the network and endpoint data required to spot an attack.

Orient
Of all the phases, the orient phase has one of the largest impacts as
it is where we try to interpret the situation given the data presented
to us. For security operations, this is taking the content from the
available network and endpoint data and using it to form a hypothesis
of what might be occurring. Without a team trained to understand
attacks or the available information, this stage may lead to an incorrect
interpretation of the data or a slower-than-necessary response.

Decide
In this stage, it is time to decide, given your interpretation of events from the
orient stage, the next best move to take against your opponent. For security
operations, this is deciding on how to best disrupt attackers such that we
will be able to have an advantage over them in the coming loop iterations.
For a SOC, effectiveness in this stage often comes down to experience and
training on how to best respond to any given situation. Playbooks and
incident response procedures may be of large assistance at this stage.

Act
The action stage is all about following through on the course of action
decided upon at the deciding stage. In the SOC, this can be translated
to your ability to quickly respond to an attack. Do you have the
permission and tools and procedures in place to act fast and minimize
damage? The act stage leads to the feedback of the impact of your
action to the next iteration of the observer step, where the SOC will
need to see if the action taken had the desired consequences.

Sign up to discover human stories that deepen your understanding of the world.

Free

Distraction-free reading. No ads.

Organize your knowledge with lists and highlights.

Tell your story. Find your audience.

Membership

Read member-only stories

Support writers you read most

Earn money for your writing

Listen to audio narrations

Read offline with the Medium app

Blue Team
Cybersecurity
Information Security

--

--

Shreenkhala Bhattarai
Shreenkhala Bhattarai

Written by Shreenkhala Bhattarai

120 Followers
29 Following

SOC Team Lead @ CryptoGen Nepal

No responses yet

Write a response

What are your thoughts?

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams