F3EAD Cycle in Cyber Threat Intelligence

The F3EAD Cycle is a combination of the cyber threat intelligence cycle and the security operations (SecOps) cycle. F3EAD is an acronym for Find, Fix, Finish, Exploit, Analyze, Disseminate. The first 3 steps are part of the security operations cycle, and the last 3 are part of the intelligence cycle.

The F3EAD Cycle as used in information security is based on the F3EAD Cycle developed by US special operations forces for use in conventional warfare.

CTI analysts can use the F3EAD Cycle to study the adversary and provide intel that decision-makers can use to outmaneuver the adversary. They can also use it to collaborate with incident response (IR) teams when responding to an incident.


F3EAD Cycle Steps


Find

Identify the adversary, proactively and/or reactively. Determine the threats you need to address. Define the problems you need to solve. Use internal and external intel to define these items.


Fix

Think "fixate" or "fix your eyes on." Identify the adversary’s presence in the network. Determine what systems they’ve compromised, how they’re moving through the network, what communications channels they’re using, etc. Identify problems you encounter.


Finish

Stop the adversary’s activity in the network (contain, mitigate, or eradicate them). Solve the problems you’ve identified in the previous steps.


Exploit

This is the Collection step from the intelligence cycle. Gather the relevant raw data from the previous steps so that you can analyze it in the next step. Collect IoCs and TTPs.


Analyze

This is the Analysis step from the intelligence cycle. Analyze the data from the Exploit step to understand the adversary and their TTPs. Use structured analytical techniques. Prepare suggestions on how to detect, mitigate, and remediate the adversary. Make the intel ready to share.

If during analysis you discover additional items that require investigation, ensure that they’re investigated, sooner or later.


Disseminate

This is the Dissemination step from the intelligence cycle. Share the intel with the relevant audience(s), in the appropriate format(s). Ensure that it’s actionable.




Chad Warner
