Hunt Like They Fight: How The DoD's Joint Targeting Cycle Can Help Improve Your Threat Hunts

Applying the Military’s Joint Targeting Cycle to Cyber Threat Hunting

Overview

In this video, Dan Gunter from Insane Cyber presents an insightful breakdown of how the Department of Defense’s Joint Targeting Cycle—originally developed for strategic military operations—can significantly enhance the structure and effectiveness of cyber threat hunting. By adapting this six-phase model, organizations can improve their threat detection, reduce biases, and better align their cybersecurity initiatives with business and mission objectives.

What is the Joint Targeting Cycle?

The Joint Targeting Cycle, derived from military doctrine (Joint Pub 3-60), is a structured, six-phase approach designed to coordinate complex operations across military branches and domains (land, sea, air). This iterative cycle ensures clarity of purpose, adaptability, and effective resource allocation.

The Six Phases:

  1. Commander’s Intent

    • Identify the objective or reason behind the operation.

    • In cyber terms: Define why a threat hunt is being initiated (e.g., detecting insider threats, specific APT groups).

  2. Target Development & Prioritization

    • Decompose the target into components for prioritization.

    • For cybersecurity: Break down systems or networks to focus threat hunting efforts.

  3. Capabilities Analysis

    • Evaluate tools and methods to engage the target effectively.

    • In cyber: Assess detection capabilities, analytic tools, and coverage.

  4. Force Alignment & Approval

    • Align resources and secure leadership buy-in.

    • In cyber operations, this can include legal reviews and confirming resource availability.

  5. Execution

    • Conduct the operation (or threat hunt).

    • Pull and analyze data, monitor systems, investigate anomalies.

  6. Assessment & Feedback

    • Evaluate outcomes, identify lessons, and feed them into the next cycle.

    • Feedback loops are essential for continuous improvement.

Cyber Threat Hunting: A Parallel Model

Dan and his colleague Mark Seitz wrote a SANS paper titled “A Practical Model for Conducting Cyber Threat Hunting,” which adapts the Joint Targeting Cycle for cybersecurity. Their model follows a similar phased structure:

  • Purpose: Define the “why” before starting.

  • Scope: Determine what parts of the organization or infrastructure are in focus.

  • Equip: Assess available data, tools, and resources.

  • Plan Review: Ensure the hunt is legally and operationally viable.

  • Execute: Begin the hunt based on the refined plan.

  • Feedback: Reflect on effectiveness and apply lessons.

This framework encourages teams to plan before acting, helps avoid cognitive and procedural biases, and ensures every hunt is measurable and justifiable.

Why This Matters

Many organizations rush into threat hunting with assumptions instead of purpose, which often leads to ineffective or misaligned efforts. This hybrid approach, rooted in military strategy, provides:

  • Structure without rigidity

  • Adaptability to dynamic threats

  • Clear alignment with business goals

  • Improved interdepartmental collaboration

The model helps both technical teams and executive leadership understand the “why” and “how” behind a cybersecurity operation.

Final Thoughts

Threat hunting isn’t just about tools or data—it’s about intentional, strategic thinking. By borrowing and adapting concepts from the military’s Joint Targeting Cycle, cybersecurity professionals can transform their threat hunting programs into proactive, disciplined, and adaptive systems.

If you’re looking to mature your threat hunting practices, start by defining your purpose—not your hypothesis.
