F3EAD: Find, Fix, Finish, Exploit, Analyze, Disseminate
Originally a US Special Operations Forces (USSOF) targeting doctrine, F3EAD fuses the operations side (Find → Fix → Finish) with the intelligence cycle (Exploit → Analyze → Disseminate). It has been adapted to Cyber Threat Intelligence to close the ops–intel gap. The key insight: the cycle is a loop, not a pipeline -- Disseminate feeds the Find of the next cycle.
The F3EAD loop
1. Find — Identify the threat
Proactive and reactive identification of adversary activity. The Find phase is fed by intelligence requirements (PIRs), tipping from partners, anomaly reports, and the Disseminate outputs of prior F3EAD cycles.
- Who: Intel + SOC (tipping, intel reqs, PIRs, OSINT, dark-web)
- Defender goal: Surface the actor, campaign, or activity that warrants attention.
- Primary deliverables:
  - Named actor, campaign, or hypothesis
  - Priority Intelligence Requirements (PIRs)
  - Initial collection plan
- Common pitfalls:
  - Skipping PIRs -- results in undirected hunting and noisy reports.
  - Treating Find as a one-off. It is continuous; every cycle re-opens it.
- Framework mapping: Maps loosely to ATT&CK Reconnaissance + Resource Development.
Walk an incident through F3EAD
A 6-step click-through using the Lazarus / Copperhedge sample already in the platform's AI Report showcase as the running example.
Step 1 of 6 · Find
Tip: Lazarus exploiting CVE-2025-55182
A partner feed + a CTF IoC report named Lazarus exploiting CVE-2025-55182 against financial / blockchain infra. The platform pulls the sample into the AI Report showcase.
Artifacts produced at this step
- PIR: "Is Lazarus using CVE-2025-55182 against our React/Next.js surface?"
- Initial collection plan: greynoise + ctfiot + our perimeter logs
F3EAD vs. the other frameworks on the platform
F3EAD is a process framework. It does not replace ATT&CK, the Kill Chain, or Diamond; it sits beside them as the loop that turns their outputs into action.
| Framework | Kind | What it answers | Primary user | On the platform | Note |
|---|---|---|---|---|---|
| F3EAD | process | How does the team operate end-to-end on a target? | CTI + SOC + IR | /ti/f3ead | Closes the ops-intel feedback loop. Pairs with every other framework here. |
| Lockheed Kill Chain | content | What phases did the intrusion pass through? | DFIR + SOC | /d/kill-chain | Linear, 7 phases. Criticised for being too sequential for modern intrusions. |
| MITRE ATT&CK | content | Which specific techniques did the adversary use? | Detection eng + CTI | /ti/mitre | The shared vocabulary. F3EAD uses ATT&CK inside the Analyze phase. |
| Diamond Model | content | Who did what to whom, and how? | CTI + IR | /d/diamond | Per-event reconstruction. Slots into Analyze. |
| ACH | process | Which hypothesis best explains the evidence? | CTI analysts | /ti/ach | Structured analytic technique used inside the Analyze phase. |
| Insider Threat Matrix | content | What motive, means, preparation, or infringement is in play? | Insider-threat teams | /ti/insider-threat-matrix | Domain-specific framework. Sits inside Fix for insider-led cases. |