ArchiveCyberOODA Original

The Five Modes of HACKthink

HACKthink is the name I use with to describe applying a hacker’s mindset to solving complex problems or finding innovative solutions.  It is derived from the original endearing definition of hacker, which implies someone who likes to tinker and take things apart to figure out how they work and to make them better.

As a white hat hacker for over 25 years, I’ve applied HACKthink to a great many information security and technology problems, but have also used the same approach to thinking to solve hard problems in other domains.  In addition to HACKthink being used an an overall methodology for decision making, risk reduction, and opportunity development – there are five unique sub-modes that can provide value as stand-alone elements. After all, problems are just opportunities with a different risk profile.

Red Think

Red Think involves seeing the landscape from the perspective of your adversary or competitor.  This approach has many different names including having an adversarial mindset (popularized by consultancies like FusionX and the team at or “turning the map” in some military domains as pointed out by Endgame’s Nate Fick.  While the model is popular amongst cyber and physical security professionals, it can also be deployed in more rigorous environments. In 2001 the Terrorism Research Center built a complete immersion Red Think style training program called Mirror Image where U.S. & Canadian military, law enforcement, and intelligence professionals we dropped as recruits into a replica of a bin Laden training camp in Afghanistan.  

To successfully adopt the mindset of your adversary, you need to have realistic models regarding adversary capabilities, their tactics, techniques, and procedures (TTP), and their foundational motivations.  You can also use Red Think approaches to look at how competitors might innovate in the market. For example, if you had to address a market without your own tools or solutions, how would you do so?

As a result, Red Think also allows you to try and develop solutions without the use of your own tools or with limited capabilities or resources that can drive unexpected innovation.  

This is useful in answering questions like:

  • How would a competitor solve the same problem with different solutions?
  • One they’ve breached my perimeter, where will an attacker go next on my network?
  • How would terrorists communicate without the Internet or data networks?
  • What if I want to engage in a missile attack, but I don’t have any missiles?  The type of thinking that allowed the 9/11 terrorists to hijack a plane and “Kill with a Borrowed Sword” by weaponizing our own infrastructure against us.

Time-shifted Thinking

Time-shifted thinking is useful in overcoming our cultural or organizational bias towards thinking in the near-future to take a longer-view approach.

Time-shifted thinking allows us to project our adversarial or competitive model into the future and propose multiple potential pathways or outcomes.  When thinking in terms of multiple outcomes, you can then evaluate what actions need to be taken now to achieve each outcome. This approach works in identifying both risks and opportunities. If an adversary seeks to degrade your power infrastructure in five years, what actions do they have to take now to ensure the highest probability of a successful outcome in the future?  How would that activity differ from current activities we are trying to detect? How do you need to think about detection and defense differently?

As I’ve noted many times in the past, our adversaries display a characteristic I call “time-shifted intent” and Time-shifted thinking helps us think through these adversarial possibilities.

Time-shifted thinking also allows us to think outside our current priorities or pressing threats and make sure we devote time to taking the long view.  The risks and opportunities of today are not the same risks and opportunities of tomorrow and using time-shifted thinking can help drive future focused solutions.

Deferred Thinking

Deferred thinking can be used to agree to solve a problem in the future to avoid any sort of fast thinking bias. By shifting a defined problem to the future without a proposed solution, you can derive the benefits of slow thinking and eliminate some of your cognitive or solution bias from the equation. While I’m a big fan of quick thinking (make a decision in seven breaths like the Samurai did) and fast OODA Loops, Deferred thinking does free up intellectual headroom to defer solution analysis to a future date.  In all likelihood, your brain will be thinking about the solution in the interim and you’ll come to the appointed time with new ideas.

In college, I could defer coding bugs for 24 hours or even over night and wake-up with the solution.  I’d refer to this strategy as getting myself out of an over focused situation. It is important to understand which problems require immediate decision making and which can be deferred to a future date.  Not all decisions are urgent and the best solutions may take time to emerge.

For deferred thinking you just need to clearly state the problem you are trying to solve and then set a date in the future to address it.

Chaos Thinking

Chaos thinking is an approach that combines unassociated elements to form a new way of thinking about a particular problem or over-stimulating the process with new ideas.  

With Chaos thinking you look to draw from unrelated or unexpected disciplines to define new approaches to a problem or develop an innovative solution.  In one mode of chaos thinking, you force unrelated elements into the equation and try and put them into the context of the issue you are thinking about. The result is a ad-hoc Cards Against Humanity style mash-up that drives new ideas or forces us to think about a problem or opportunity from an uncomfortable or unfamiliar mindset.  

To be successful the process also requires an overstimulation of new ideas.  You don’t just mash up one concept with another, you mash up several dozen progressively over time.  If the chaos concepts you are introducing are completely unfamiliar, you can build research time into the equation which helps draw experiences from unrelated disciplines into your learning cycle.  For example, a company looking to leverage AI technology in new industries might create a Chaos thinking mash-up that combines AI with each of the 15 slowest growing industries in the U.S.

At investment companies, they often refer to finding “white spaces” and Chaos thinking is one method you might use to identify them.  

In most instances, a chaos concept emerges as having real value to thinking about the problem, but in the very least the process creates an intellectual shift that lets you re-emerge at the drawing board with a fresh perspective and headspace to take on the problem in a renewed manner.

Signal Thinking

The last mode of thinking is Signal thinking, which focuses on tweaking a set of inputs you can consume to best inform your decision making.  In a world of noise, there are lots of signals available. There are signals in the market, in the media, in social media, from experts, and from the fringes.

If you establish a baseline for signals over time, you’ll develop an ability to engage in Signals thinking which allows you to identify or develop data points that enable intelligent action.

In 2015, I made a controversial prediction about emergent Russian information warfare attacks.  My basis for the prediction was a variation in a single signal, but it was enough of a variation to impact my threat modeling around Russian cyber attacks enough to go on the record in front of a roomful of intelligence and national security experts.  The signal was right and I still get comments from folks in that audience.

For a period of five years, I also sponsored and ran a prediction market comprised of 100 top intelligence analysts that made market predictions around global events with astonishing accuracy.  Prediction markets can serve as a great way to identify exemplar analysts or unanticipated trends and outcomes to inform Signal thinking.

An important part of the process is keeping a Signal journal that allows you to informally track items of significance that you can revisit and review over time. Each week, I publish a variation of my Signal journal in my free Global Frequency newsletter –  my personal distillation of important data points from the past week. I also commit to reading one book a week, including books well outside my established areas of expertise.

In 1999, I started a mailing list called RealNews that curated global news content from trusted sources to inform the decision-making process. Today that mailing list celebrates its 20th anniversary and is published as the OODA Loop Pulse report with over 15,000 mailing list subscribers and tens of thousands of web visitors per month.  If you are looking for some highly curated signals, you might start there.

Is HACKthink right for you?

Documenting approaches to thinking like this always runs the risk of criticism from competent and passionate professionals.  My intent here is to highlight what has worked for me across hundreds of engagements over the past 25 years in hopes that you might find something of value to build into your own thinking strategies.  

We often discuss OODA Loops in terms of time compression and advantage, but we should also be thinking about OODA Loops from a more strategic perspective.  Not all actions can happen immediately, and HACKthinking approaches can be incredibly useful to drive both short and long-term approaches as well as orient towards solutions that might be outside the known spectrum.

If you’d like to get me involved in helping your organization explore or apply these principles, I’m always available to help with the other experts at OODA LLC.  If you have any feedback or thoughts I’d love to hear from you.

Matt Devost

Matt Devost

Matthew G. Devost is the CEO & Co-Founder of OODA LLC. Matt is a technologist, entrepreneur, and international security expert specializing in counterterrorism, critical infrastructure protection, intelligence, risk management and cyber-security issues. Matt co-founded the cyber security consultancy FusionX from 2010-2017. Matt was President & CEO of the Terrorism Research Center/Total Intel from 1996-2009. For a full bio, please see