Applying the Military's F3EAD Framework to Cyber Threat Intelligence

Applying the Military's F3EAD Framework to Cyber Threat Intelligence

In today's cyberthreat landscape, intelligence can alert you to new and emerging global threats that may affect your network operations. Intelligence can help you identify actors who may be targeting your organization or its executives and provide insights to help you prepare or take action.


The Global Threat Intelligence Center (gTIC) at FishNet Security uses a version fo the F3EAD framework, designed by the U.S. Military's Special Operations Forces, to gather information from a variety of internal and external sources, analyze it for usefulness and disseminate it as actionable intelligence.


“F3EAD, pronounced “F-three-e-a-d” or “feed,” is a version of the targeting methodology utilized by the special operations forces responsible for some of the most widely publicized missions in support of overseas contingency operations.” – Lieutenant General Michael Flynn, U.S. Army


F3EAD Model


F3EAD Model




- Identifying the question to be answered and researching applicable malware, threat actors and other events as detected by our Secure365: Managed Security Services team.




- Collecting information from an all-source, fusion process for comprehensive, pertinent data analysis. Our gTIC is able to look at raw data from internal research projects, consulting engagements, client environments and external feeds.




- Processing, examining and deploying analysis results to determine additional information needed.




- Collecting initial analysis results and information from the Finish phase. This step may result in the beginning of a new information gathering cycle.




- Creating actionable intelligence from the information, data and results of the previous phases.




- Communicating intelligence across multiple channels. Our gTIC distributes information through one-on-one support, a weekly newsletter and a client web portal (currently in beta testing).