F3EAD + Adversarial Thinking for Strengthening Strategic Planning

F3EAD is a concept used in military special operations and intelligence gathering. It stands for Find, Fix, Finish, Exploit, Analyze, and Disseminate. In the context of modern security, F3EAD can be applied as a framework for how modern security teams should operate in an environment characterized by constant volatility, uncertainty, and evolving threats. Essentially you need to look at it as a way to identify threats and vulnerabilities (Find), contain the threat (Fix), eliminate the threat (Finish), leverage lessons learned and adapt your own TTPs and controls (Exploit), understand what led to the attack (Analyze) so we can go gather more intelligence, and share it (Disseminate).

It’s an ongoing cycle that requires every team member, from the most junior to the most seasoned, as well as senior leaders and the CISO, to bring their best "thinking like an adversary" mindset. F3EAD it’s a good framework for internal use within a driven and successful security organization.

One thing that is still missing is the ability to apply that same adversarial mindset to enhance corporate and organizational strategic planning and process development. Especially in more traditional business, where CISOs and other senior security leaders are often seen more as a compliance requirement than anything else.

I think it’s time executive leadership and the market in general understand that a good security professional is someone that is not static or stagnant, but rather someone who moves forward and adapts. Someone that can bring immense value to strategic planning.

We deal in uncertainties and chaos. That’s the world of security. And it has a lot in common with VUCA (Volatility, Uncertainty, Complexity, and Ambiguity), a framework used to describe the chaotic and unpredictable nature of the modern world, including business and organizations.

We need to change what CISOs and Senior Security Leadership do and how they do it. Senior security professionals need to bring that adversarial way of thinking to the top and help build a more resilient and stronger business or organization. As security professionals, we need to help methodically strengthen planning and strategies by asking the right questions and helping senior executives to stay prepared. Remember the 7 Ps: Proper Prior Planning Prevents Piss Poor Performance.

To that end, I’d like to bring in a process that can turn this approach into an actionable reality. A process designed to enhance the resiliency of a strategy and its goals by encouraging executives to think like adversaries and actively “attack” the plan.

I’m calling it F3EAD + A and it’s a very early Alpha version. I’m open to (realistic) suggestions. One caveat: no checklists and no compliance BS. Checklists are useful for tasks that require specific, safety actions, like a pilot checking the plane, engine, or flaps, or when setting up a new system with basic security hardening, access controls, and endpoint protection. But in the world of adversarial thinking, relying on checklists will limit security's effectiveness and lead to stagnation. And stagnation equals death, so that's a no-go.

(Shameless plug: this is one of the services we are building for Black Arrows. The process described below is a compressed version of the one the advisory from Black Arrows can bring to an organization.)

Process Outline

1. Define or Describe the Strategy Clearly

• What is the core objective?
• What are the key assumptions?
• What outcomes are expected?

2. Assume the Role of an Adversary

• Who would want this strategy to fail?
• What are their motivations (competitors, market shifts, threats, internal resistance)?
• What tactics would they use to exploit weaknesses and gaps?

3. Stress-Test the Strategy

• How would an adversary attack or undermine this plan?
• Where are the biggest vulnerabilities?
• If this plan were reversed, would it still hold up?
• What unintended consequences could arise?

4. Explore Alternative Actions

• What happens if key assumptions prove false?
• What are the risks of executing this plan as is?
• Are there better, more resilient alternatives?

5. Simulate Worst-Case Scenarios

• If the strategy completely fails, what caused it?
• How quickly could the company adapt?
• What contingency plans must be in place?

6. Refine and Strengthen

• Adjust the strategy based on identified weaknesses, gaps, and vulnerabilities.
• Strengthen key areas by closing identified gaps.
• Implement continuous monitoring and testing.

7. Repeat Regularly

• Apply this process before launching new strategies.
• Conduct periodic reviews to adapt to evolving threats.
• Ensure ongoing resilience by rethinking assumptions.

F3EAD + A Framework. Key Actions, Tools, and Outputs

1. Define or Describe the Strategy Clearly

Objective: Establish a comprehensive understanding of the strategy before stress-testing and red teaming it.

Key Actions:

• Document the strategy, including core objectives, scope, stakeholders, and key success factors.
• Identify critical assumptions that influence success (e.g., market trends, competitor behavior, regulatory factors).
• Define expected outcomes and establish measurable key performance indicators (KPIs).

Tools & Templates: Strategy Statement Template

• Objective: [Define strategic goal]
• Key Assumptions: [List key assumptions]
• Expected Outcomes: [Define measurable results]

Expected Output: A clear and concise strategic statement with key assumptions and outcomes defined.

2. Assume the Role of an Adversary

Objective: Identify potential disruptors and their motivations.

Key Actions:

• Analyze internal and external adversaries (competitors, market disruptors, threats, dissatisfied stakeholders).
• Identify potential motivations (financial gain, market capture, regulatory control, brand damage/reputational issues).
• Assess attack tactics (price wars, misinformation, cyberattacks, talent poaching, lobbying).

Tools & Templates: Threat Actor Profile Template

• Adversary Type: [Competitor, criminal, insider threat]
• Motivation: [Why would they oppose the strategy?]
• Tactics Used: [Methods of disruption]

Expected Output: A Threat Actor Matrix outlining potential adversaries and likely attack scenarios.

3. Stress-Test the Strategy

Objective: Identify vulnerabilities and gaps and simulate how adversaries could exploit them.

Key Actions:

• Conduct a strategic and systemic Red Team exercise: A group acts as adversaries to find weaknesses.
• Use Pre-Mortem Analysis: Imagine the strategy has failed; identify causes.
• Reverse the Strategy: What happens if the opposite plan is followed? Would it work better?

Tools & Templates: Red Team Playbook

• Scenario: [Describe attack scenario]
• Identified Vulnerabilities and Gaps: [Vulnerability found]
• Mitigation Strategy: [How to counteract]

Expected Output: A comprehensive list of weaknesses and gaps with actionable recommendations for mitigation.

4. Explore Alternative Actions

Objective: Develop fallback plans and alternative strategies.

Key Actions:

• Generate three alternative strategic approaches.
• Develop Plan B and Plan C to pivot if needed.
• Assess each option using a risk vs. reward matrix.

Tools & Templates: Scenario Planning Worksheet

• Grid/Table with: Scenario, Potential Impact, Strategic Response

Expected Output: A set of contingency plans ensuring flexibility and resilience.

5. Simulate Worst-Case Scenarios

Objective: Test the resilience of the strategy under extreme conditions.

Key Actions:

• Conduct “What if?” scenario testing for catastrophic events (regulatory collapse, data breaches, major competitor moves).
• Role-play responses through war-gaming sessions.
• Assess time-to-recovery metrics and damage control measures.

Tools & Templates: Crisis Response Framework

• Crisis Event: [Define scenario]
• Immediate Response: [First actions to take]
• Recovery Plan: [Steps for resilience]

Expected Output: A refined crisis response plan ensuring rapid adaptability.

6. Refine and Strengthen

Objective: Implement strategic improvements to close identified gaps.

Key Actions:

• Apply corrective actions to fix vulnerabilities found in stress testing.
• Conduct iterative review cycles for ongoing validation.
• Assign accountability for risk monitoring and strategic adaptation.

Tools & Templates:

• A clear and simply outlined Risk Handling Plan in the format of Risk/Handling Action

Expected Output: A finalized, fortified strategy document with built-in resilience.

7. Repeat Regularly

Objective: Maintain strategy strength through continuous evaluation.

Key Actions:

• Schedule quarterly (or at minimum twice a year) strategic and systemic “Red Team” reviews.
• Monitor threat, competitive, and market intelligence in real-time.
• Adjust strategy based on new adversarial threats.

Tools & Templates:

• Quarterly Strategic Audit: Checklist for ongoing review.
• Competitive Threat Intelligence Tracker: Logs emerging risks.
• Market and Security Threat Dashboard: Visual tracking of external threats.

Expected Output: A continuously evolving strategy that remains robust against future challenges.

To Close

To ensure a resilient and more secure business strategy, we need to help executives think like an adversary, identifying weaknesses and issues in their strategy and plans before competitors, market shifts, or malicious actors do. F3EAD + A structured process can help leaders test, refine, and strengthen strategic plans by simulating attacks, exploring alternative views, and challenging key assumptions.

Hold quarterly F3EAD + A sessions to help them understand "What Could Go Wrong." Bring security to the table by assisting businesses in becoming more resilient and better equipped to navigate the world of VUCA.