OODA Loop
Observe → Orient → Decide → Act
Col. John Boyd's decision cycle for gaining tempo advantage. Execute faster loops than your adversary to control the engagement.
The Fighter Pilot's Insight
"He who can handle the quickest rate of change survives."
— Col. John Boyd, USAF
During the Korean War, American F-86 Sabres consistently defeated Soviet MiG-15s despite the MiG having superior specs on paper. Boyd studied why. He discovered the F-86 had two advantages: a bubble canopy for better visibility and hydraulic controls for faster maneuvers.
These advantages let F-86 pilots complete observation-to-action cycles faster than their opponents. Boyd formalized this into the OODA Loop: whoever cycles faster dictates the terms of engagement.
The Four Phases
Observe
Gather raw data from the environment
SIEM alerts, network logs, threat feeds, user reports. Continuously scan for new information.
Cyber Application: EDR telemetry, firewall logs, DNS queries
Orient
Synthesize observations with context
The CRITICAL phase. Connect data to threat intel, past experiences, and mental models. Form situational awareness.
Cyber Application: MITRE ATT&CK mapping, threat correlation, baseline comparison
Decide
Select a hypothesis or action
Boyd viewed decisions as hypotheses to test. Choose a course of action based on your orientation.
Cyber Application: Incident playbooks, escalation decisions, containment strategy
Act
Implement the decision
Execute the plan. Critically, acting creates NEW observations, feeding back into the loop.
Cyber Application: Block C2, isolate hosts, preserve evidence, remediate
Orient is the Critical Phase
Boyd emphasized that Orient is the Schwerpunkt (center of gravity) of the loop. It's where raw data becomes understanding. Without proper orientation, you're just reacting to noise.
Orient is shaped by: genetic heritage, cultural traditions, previous experiences, and new information synthesis. It's your mental model of reality—and it can be wrong.
OODA in the SOC (Bonus Insight)
Observe: SIEM, EDR, NDR
Orient: Threat Intel, MITRE ATT&CK
Decide: Playbooks, Analysts
Act: SOAR, XDR
AI augments Orient—pattern recognition at superhuman speed compresses the loop.
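The loop described above, run over a handful of events, as an added example in Python that is not part of the original page. The hosts, domains, thresholds and action names are constructed assumptions. It shows Orient adding baseline, threat-intel and ATT&CK context, and Act producing a new observation that changes how later events from the same host are oriented.

```python
from collections import deque

# Constructed telemetry and context; hosts, domains and thresholds are assumptions.
EVENTS = [
    {"host": "ws-14", "source": "dns", "value": "a9f3k2.example.net"},
    {"host": "srv-02", "source": "auth", "value": 40},  # failed logins in 5 min
    {"host": "ws-14", "source": "dns", "value": "intranet.corp.example"},
    {"host": "ws-14", "source": "dns", "value": "a9f3k2.example.net"},
]
BASELINE = {"dns": {"intranet.corp.example"}, "auth_failures": 5}
THREAT_INTEL = {"a9f3k2.example.net"}  # constructed indicator

def orient(obs, contained):
    """Orient: baseline comparison, threat-intel correlation, ATT&CK mapping."""
    ctx = dict(obs, technique=None, intel_hit=False,
               contained=obs["host"] in contained)
    if obs["source"] == "dns" and obs["value"] not in BASELINE["dns"]:
        ctx["technique"] = "T1071.004"  # candidate: Application Layer Protocol, DNS
        ctx["intel_hit"] = obs["value"] in THREAT_INTEL
    elif obs["source"] == "auth" and obs["value"] > BASELINE["auth_failures"]:
        ctx["technique"] = "T1110"  # candidate: Brute Force
    return ctx

def decide(ctx):
    """Decide: choose an action as a hypothesis to test."""
    if ctx["technique"] is None:
        return "none"
    if ctx["contained"]:
        return "monitor"  # host already isolated; keep watching, do not re-isolate
    return "isolate_host" if ctx["intel_hit"] else "escalate"

def act(ctx, action):
    """Act: return the new observations the action creates."""
    if action == "isolate_host":
        return [{"host": ctx["host"], "source": "edr", "value": "isolated"}]
    return []

def run_loop(events):
    queue, contained, log = deque(events), set(), []
    while queue:
        obs = queue.popleft()                         # Observe
        if obs["source"] == "edr" and obs["value"] == "isolated":
            contained.add(obs["host"])                # feedback updates context
        ctx = orient(obs, contained)
        action = decide(ctx)
        queue.extendleft(act(ctx, action))            # Act feeds back into Observe
        log.append((obs["host"], obs["source"], ctx["technique"], action))
    return log, contained
```

The same DNS query from ws-14 yields `isolate_host` the first time and `monitor` the second, because the isolation confirmation was observed in between.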