The collection on this page includes content from produced exclusively for OODA members (if you are not a member yet review the benefits of this network and sign up here). Our research team is led by OODA founders Bob Gourley and Matt Devost and they leverage their extensive past performance in operational cybersecurity in the reports presented here. We also provide pointers to the most recent cybersecurity reporting from our Daily Pulse Report, as well as a list of other resources we see as credible on the topic of cybersecurity.

If you would like to recommend a resource for this page, please email us at

OODA Loop Analysis

The Intelligent Enterprise Series: Special reports from OODA focused on corporate intelligence

Useful Standards For Corporate Intelligence: Based on lessons learned from the US intelligence community and corporate America

Optimizing Corporate Intelligence: Tips and best practices and actionable recommendations to make intelligence programs better.

A Practitioner’s View of Corporate Intelligence: insights aimed at corporate strategists seeking competitive advantage through better and more accurate decision-making.

An Executive’s Guide To Cognitive Bias in Decision Making: Cognitive Bias and the errors in judgement they produce are seen in every aspect of human decision-making, including in the business world. Companies that have a better understanding of these cognitive biases can optimize decision making at all levels of the organization, leading to better performance in the market.

Quick Hits from the 2020 Verizon Data Breach Report

The annual Verizon Data Breach Report has become a reliable and consistent source of cybersecurity attack trends over the past several years. Verizon has just released this year’s report with the largest number of contributing organizations ever. Here is OODA’s hot take.

Quick Hits from the 2020 Verizon Data Breach Report

Cyberwar Was Coming: A Reflection on the 25 Year Old Thesis that Predicted a Generation of Cyberconflict

“You’ve got to read what this kid is writing out of his basement at the University of Vermont…” – recently retired CIA officer to intelligence and military colleagues in 1994. A candid 25 year retrospective on a thesis that launched a tremendous amount of dialogue and action on the issues of information warfare, cyberterrorism, and cybersecurity. See:

Cyberwar Was Coming: A Reflection on the 25 Year Old Thesis that Predicted a Generation of Cyberconflict

Deception Needs to be an Essential Element of Your Cyber Defense Strategy

In the cyber defense community, we talk about a wide-range of risk mitigating technologies, strategies, and activities.  We talk about attacker deterrence and increasing costs for the attacker.  We invest in endpoint agents, threat intelligence, DLM, and other mitigating technologies on a daily basis. Here’s why one of the most compelling emerging use cases for increasing attacker costs is through the use of deception. For more see: Deception Needs to be an Essential Element of Your Cyber Defense Strategy

The Executive’s Guide to Cyber Insurance

This special report provides an overview of the dynamic trends underway in the cyber insurance market, including actionable information that executives can put to use right now in determining the right approach to using cyber insurance to transfer risk. The report also provides insights which can be of use to any tech firm seeking to partner with insurance companies to enhance services to the market. For more see: The Executive’s Guide to Cyber Insurance

What You Really Need To Know About the California Consumer Privacy Act (CCPA)

There is something you really need to know about the State of California. They have optimized around a key function that they do very very well. They know how to collect money from corporations. They know how to collect taxes, and know how to levy large fines and collect on them. The business that owes California money will pay, and the State will likely do everything in their power to make sure they pay as much as the law allows. Keep this in mind as you read our guidance on the CCPA. For more see:  What You Really Need To Know About the California Consumer Privacy Act (CCPA)

The Cyber Threat to NASA Artemis Program:

NASA is enabling another giant leap for humanity. With the Artemis program, humans will return to the Moon in a way that will enable establishment of gateways to further exploration of not just the Moon but eventually the entire solar system. The initial expenses of the program will return significant advances for scientific understanding and tangible economic returns. As Artemis continues, the project will eventually deliver improvements for humanity that as of yet have only been dreamed of. But there are huge threats. For more see: The Cyber Threat To Artemis


Security In Space and Security of Space:

The last decade has seen an incredible increase in the commercial use of space. Businesses and individual consumers now leverage space solutions that are so integrated into our systems that they seem invisible. Some of these services include: Communications, including very high-speed low latency communications to distant and mobile users. Learn more at: OODA Research Report: What Business Needs To Know About Security In Space Also see: Is Space Critical Infrastructure, and the special report on Cyber Threats to Project Artemis, and Mitigating Threats To Commercial Space Satellites


Traveling Executive’s Guide to Cybersecurity:

Traveling executives are frequent targets for cyber espionage. This report provides guidance for executives and their security teams on how to protect their information and technology while on the go. Produced by OODA co-founders Matt Devost and Bob Gourley, the report provides best practices, awareness of threats, and a deep understanding of the state of technology. A tiered threat model is provided enabling a better tailoring of actions to meet the threat. For more see:  OODA Releases a Traveling Executive’s Guide to Cybersecurity

For Executive Protection, Physical and Cyber Security Have Fully Converged

Managing the nexus between physical and cyber security is possible with a deliberate mindset and full cooperation and integration between the two teams.  Physical security practitioners should view cyber defense experts as a vital component of their risk management strategy. For more see: For Executive Protection, Physical and Cyber Security Have Fully Converged

OODA Best Practices for Agile Cybersecurity:

Members of the OODA expert network continuously track best practices for policy, procedures, technology and governance related to cyber defense.  We work directly defending enterprises in cyber defense and maintain an always up to date list of actions in a form designed to help any organization stay as agile as possible in the face of dynamic adversaries. Read more at the OODA Special Report on Best Practices for Agile Cybersecurity.


Additional Cyber Security Reporting and Analysis:

Cyber Threats to the 2020 Tokyo Summer Olympics: The Olympic Games remain one of the most-watched events in the world, with billions tuning in across digital platforms and traditional broadcasting channels.

Mitigating Risks To America’s Cognitive Infrastructure: Our most important infrastructure is also our most neglected.

Observations From America’s Most Public Cyber Attacks: Lessons for all of us

11 Habits of Highly Effective CISOs: What does it take to be a highly effective CISO?

Cyber Sensemaking: Lessons for enhanced cybersecurity across multiple domains including government, corporate, think tank and academic.

Election Security Initiatives are falling short: According to the GAO

The CMMC: What business needs to know about how DoD will measure your security posture

Essential Management Strategies for Cybersecurity: Management lessons learned and essential actions to mitigate risks

10 Red Teaming Lessons Learned Over 20 Years – Red teaming is one of the most valuable things you can do within your organization.  OODA CEO and Co-Founder Matt Devost offers up his top ten red teaming lessons learned from over two decades of red teaming across hundreds of engagements.

The Five Modes of HACKthink – Explores how to use a hacker mindset to solve complex problems and unlock opportunity.

The State of the Cybersecurity Community: An update following RSA 2019 – OODA Experts provide their perspective on the RSA 2019 conference including a list of 30+ companies to watch.

Email – The Often Overlooked Cybersecurity Risk – Are silly email mistakes putting your sensitive data and customer PII at risk or in violation of GDPR. Matt Devost breaks down four real life examples that highlight inadvertent email risks.

Here’s What the New U.S. Intelligence Strategy Says About Cyber Threats – The United States intelligence strategy for 2019 has been released, covering seven specific themes.  Here’s how the United States Intelligence Community will deal with cyber threats: “Despite growing awareness of cyber threats and improving cyber defenses, nearly all information, communication networks, and systems will be at risk for years to come.

Def Con – The highest yield cyber security event of the year.

The 5G Supply Chain Blindspot – This is the place few are looking regarding 5G security

Is Organized Crime Using Ransomware To Take Real World Competitors Offline? – Sure looks like it. Examine why and how here.

Flaws In The U.S. Vulnerabilities Equities Process: Deep insights from our own expert Cindy Martinez.

Vulnerabilities, the Search for Buried Treasure, and the US Government: Analysis from noted expert and cybersecurity thought leader (and OODA network member) Jason Healey.

Here is How the FBI Wants You To Protect Your Audio/Visual Devices: From an FBI bulletin

CISA Outlines Agency’s Strategic Intent: Vision of the Cybersecurity and Infrastructure Security Agency

The Key To A Defensible Cyberspace: A look at the work of Jason Healey and the NY Cyber Task Force

How a Presidential Commission Was Tracking Hackers in 1996: New insights into the President’s Commission on Critical Infrastructure Protection

Maturing The Cyber Threat Intelligence Field into a Discipline: based on a career in operational intelligence

Cybersecurity and Technology Due Diligence: Resources that will keep you informed before and during due diligence