Hunt Like They Fight: How The DoD's Joint Targeting Cycle Can Help Improve Your Threat Hunts

Integrating Military Targeting Strategy into Cyber Threat Hunting

It is essential to explore structured and strategic approaches for countering cyber threats. One such methodology lies in adapting principles from military doctrine, specifically the Department of Defense’s Joint Targeting Cycle, to cybersecurity operations. While originally intended for kinetic operations, this framework provides valuable insights that can enhance cyber threat hunting processes when appropriately translated.

Understanding the Joint Targeting Cycle

Joint Publication 3-60 (JP 3-60) provides the foundation for how joint military forces identify and engage targets. It offers operational guidance that shapes decision-making in high-stakes environments. The publication defines a “target” as any person, place, or object considered for action that may impact an adversary’s capabilities.

Targets are grouped into four key types:

  • Facilities: Physical locations or infrastructures that serve critical roles in a broader system.

  • Individuals: Key people whose actions directly influence system functions.

  • Virtual Assets: Digital elements like software or networks essential to operational success.

  • Equipment: Tools or machinery that support the effectiveness of a system.

This categorization helps military planners understand not just what to target, but why it matters strategically.

Applying Targeting Phases to Cyber Operations

The Joint Targeting Cycle comprises six distinct phases, each of which can be thoughtfully reimagined for cybersecurity:

  1. Define the Mission (Commander’s Intent):
    Begin by clarifying the purpose of the cyber hunt. Are you looking to detect insider threats? Identify an advanced persistent threat (APT)? Knowing the ‘why’ gives the hunt focus.

  2. Target Decomposition (Target Development & Prioritization):
    Break down the systems or environments under scrutiny into smaller components. This allows for smarter allocation of resources and helps identify where risk is concentrated.

  3. Capability Assessment:
    Analyze which tools, technologies, and skills are available to effectively detect, analyze, and mitigate threats. This step is analogous to assessing available weaponry or tactics in traditional military planning.

  4. Resource Coordination (Force Alignment & Approval):
    Ensure leadership is aligned with the plan and that legal and ethical standards are reviewed. In cybersecurity, this could involve verifying compliance with internal policies and national regulations.

  5. Operational Execution:
    This is where the active threat hunting occurs—collecting data, analyzing patterns, investigating anomalies, and identifying malicious activity in real time.

  6. Review and Improve (Assessment & Feedback):
    Once the hunt concludes, teams should assess what worked, what didn’t, and how future operations can improve. Feedback loops are critical for building resilient and adaptive security practices.

Comparative Insight: CIA vs. Military Targeting

The CIA’s approach to precision targeting shares similarities with the military’s method but often moves through a streamlined process. While both adhere to strategic rigor, the CIA emphasizes speed and decisiveness, adjusting the framework to meet operational demands more swiftly. This suggests that while structure is important, adaptability is just as critical—especially in fast-moving domains like cyber.

A Civilian Parallel: SANS Cyber Threat Hunting Model

The SANS Institute proposes a cyber threat hunting model that, though different in structure, shares conceptual overlap with military frameworks. It emphasizes:

  • Purpose Definition: Understand the threat before investigating.

  • Scoping: Focus efforts on key systems and teams.

  • Resource Review: Identify available data sources and tools.

  • Pre-Hunt Validation: Ensure the hunt is legally and operationally sound.

  • Execution: Carry out the investigation as planned.

  • Post-Hunt Analysis: Evaluate and improve for next time.

Both models stress intentional planning and measured execution—hallmarks of successful threat hunting operations.

Why This Framework Matters

Too often, organizations initiate threat hunts without a clear rationale or roadmap. This can result in wasted effort, misinterpretation of data, or missed opportunities. Borrowing principles from military planning offers several advantages:

  • Strategic clarity without rigidity

  • Scalable frameworks adaptable to different threat levels

  • Stronger alignment between security teams and business goals

  • Improved communication across technical and non-technical stakeholders

In short, understanding both the why and the how behind every investigation leads to more effective and defensible security practices.

Conclusion

Threat hunting is more than a reactive search for malicious activity—it’s a strategic discipline. By incorporating concepts from the Joint Targeting Cycle, cybersecurity professionals can shift from passive monitoring to proactive engagement. This transformation depends on thoughtful planning, cross-team coordination, and continuous refinement of methods.

As cybersecurity matures, approaches rooted in proven doctrines—military or otherwise—can offer the structure and adaptability needed to stay ahead of evolving threats.

Be sure to check out this video, where Dan Gunter from Insane Cyber presents an insightful breakdown of how the Department of Defense’s Joint Targeting Cycle.
