TI News Feed · Threat Intelligence Guides
View live threat intel feed →
TI News FeedThreat Intelligence Guides & ResourcesView Live Feed →
Frameworks

What Is F3EAD? The Targeting Cycle for Threat Intelligence

Borrowed from military special operations, F3EAD tightly fuses 'finding and finishing' a threat with exploiting and analyzing what you learn — creating a fast loop between action and intelligence.

By TI News Feed Editorial Team7 min readPublished Updated

Reviewed & fact-checked against primary sources by the TI News Feed Editorial Team. See our editorial & corrections policy.

F3EAD — pronounced "F-three-E-A-D" and standing for Find, Fix, Finish, Exploit, Analyze, Disseminate — is a six-phase cycle that tightly integrates operations and intelligence. It originated in military special-operations targeting, where teams needed to act on a target and then immediately turn what they learned into intelligence for the next operation. The security community has adapted F3EAD as a model for threat intelligence, threat hunting, and incident response, because it captures something the traditional intelligence cycle can underplay: the powerful feedback loop between doing something about a threat and learning from it.

In short: F3EAD is a loop where operations and intelligence feed each other. You find and neutralize a threat, then mine everything you gathered to fuel the next round — action and analysis driving each other in a continuous cycle.

Two halves: operations and intelligence

F3EAD's elegance is that it joins two phases of work that are often separated:

  • The operations half — Find, Fix, Finish — is about locating and acting on a threat.
  • The intelligence half — Exploit, Analyze, Disseminate — is about turning what the operation uncovered into actionable intelligence.

The key insight is that these aren't separate workflows handed between siloed teams; they're one continuous cycle where the output of operations directly fuels intelligence, and that intelligence directly drives the next operation.

The six phases of F3EAD

  1. Find: identify the threat or target — for example, detecting a malicious actor, campaign, or indicator in your environment.
  2. Fix: pinpoint and confirm it — determine the scope, location, and details of the threat, establishing exactly what and where it is.
  3. Finish: take action — neutralize, contain, or remediate the threat (in a security context, this overlaps with incident response).
  4. Exploit: gather and extract everything of value from the operation — the malware, infrastructure, credentials, and artifacts the threat left behind.
  5. Analyze: turn that raw material into intelligence — understanding the adversary's TTPs, attribution, and what it means.
  6. Disseminate: share the resulting intelligence with those who need it, so it informs defenses and the next Find phase — closing the loop.

F3EAD vs the intelligence lifecycle

F3EAD is often compared with the classic threat intelligence lifecycle (direction, collection, processing, analysis, dissemination, feedback). They're complementary rather than competing. The traditional lifecycle describes how intelligence is produced in general; F3EAD is more action-oriented and operational, explicitly building the response action (Find, Fix, Finish) into the cycle and tightly coupling it with intelligence production. Where the classic lifecycle can feel like intelligence flowing to operations, F3EAD treats them as a single fused loop. Many teams actually run the intelligence lifecycle inside the Exploit-Analyze-Disseminate half of F3EAD.

F3EAD in security operations

F3EAD maps naturally onto modern detection and response. Consider a threat-hunt or incident: you Find suspicious activity, Fix its scope by investigating affected systems, Finish by containing and eradicating it, then Exploit the incident by collecting the malware samples, C2 infrastructure, and indicators involved, Analyze them to understand the adversary and produce detections, and Disseminate that intelligence to harden defenses and seed the next hunt. This is what makes F3EAD so valuable for security: it ensures that every incident or hunt doesn't just end, but actively makes the organization smarter and better defended for next time.

Why F3EAD is valuable

  • It operationalizes intelligence, ensuring analysis leads to action and action produces analysis.
  • It creates a fast feedback loop, so lessons from one engagement immediately improve the next.
  • It breaks down silos between operations teams and intelligence teams by treating them as one cycle.
  • It maximizes the value of every incident, turning response into a source of durable intelligence.

From the battlefield to the SOC

F3EAD's power comes from its origins. It was developed and refined in military special-operations and counterterrorism contexts, where units needed to act on a target and instantly turn whatever they captured into intelligence that enabled the next operation — a relentless, self-reinforcing tempo. The key lesson the security community drew from it is that operations and intelligence should not be separate, sequential activities, but a single, fast loop. This is why F3EAD resonates so strongly with modern detection and response, where the speed of the feedback loop between acting on a threat and learning from it directly determines how quickly defenders improve. It complements rather than replaces decision models like the OODA loop (Observe, Orient, Decide, Act); where OODA describes fast individual decision-making, F3EAD structures the full operations-to-intelligence cycle.

Putting F3EAD into practice

Adopting F3EAD is less about new tools and more about discipline and culture. The crucial habit it instills is never letting an engagement simply end. When a threat hunt or incident wraps up, F3EAD insists you don't close the ticket at "Finish" — you push through Exploit, Analyze, and Disseminate, extracting every indicator, technique, and lesson and feeding it back into your detections, your blocklists, and your next hunt. Teams that internalize this find that their intelligence library and detection coverage grow steadily with every incident, rather than each one being handled and forgotten. The model also clarifies roles: it makes explicit that your responders and your analysts are part of one cycle, which encourages the kind of close collaboration that siloed teams often lack.

Where threat intelligence fits

F3EAD is fundamentally a threat intelligence model — its entire second half is intelligence production, and its first half is driven by intelligence about what to find. It pairs especially well with threat hunting, where the cycle turns each hunt into both a defensive action and a new intelligence product. Adopting F3EAD is a way of guaranteeing that your operations and your intelligence reinforce each other rather than running on separate tracks.

The bottom line

F3EAD — Find, Fix, Finish, Exploit, Analyze, Disseminate — is a targeting cycle that fuses operations and intelligence into one continuous loop, so acting on a threat and learning from it become inseparable. Adapted from military operations, it's a powerful model for threat intelligence, hunting, and incident response because it ensures every engagement produces intelligence that strengthens the next. To feed the Find phase of your own F3EAD loop, follow our live threat intelligence feed, aggregated from dozens of authoritative sources.

Frequently asked questions

What is F3EAD?

F3EAD stands for Find, Fix, Finish, Exploit, Analyze, Disseminate — a six-phase cycle that tightly integrates operations and intelligence. Originating in military special-operations targeting, it's been adapted by the security community for threat intelligence, hunting, and incident response.

What are the six phases of F3EAD?

Find (identify the threat), Fix (pinpoint and confirm its scope), Finish (take action to neutralize it), Exploit (gather everything of value from the operation), Analyze (turn that material into intelligence), and Disseminate (share the intelligence to inform defenses and the next cycle).

What is the difference between F3EAD and the intelligence lifecycle?

The classic intelligence lifecycle describes how intelligence is produced in general. F3EAD is more action-oriented, explicitly building the response action (Find, Fix, Finish) into the cycle and fusing it with intelligence production (Exploit, Analyze, Disseminate). Many teams run the lifecycle inside F3EAD's intelligence half.

How is F3EAD used in cybersecurity?

In a hunt or incident, you Find suspicious activity, Fix its scope through investigation, Finish by containing and eradicating it, Exploit the incident by collecting malware and indicators, Analyze them to understand the adversary and build detections, and Disseminate the intelligence to harden defenses and seed the next hunt.

Why is F3EAD valuable for threat intelligence?

It operationalizes intelligence by ensuring analysis leads to action and action produces analysis, creates a fast feedback loop so lessons improve the next engagement, breaks down silos between operations and intelligence teams, and turns every incident into a source of durable, reusable intelligence.

Primary sources & further reading

This guide is reviewed and fact-checked against authoritative primary sources:

Related threat intel guides

FundamentalsThe Threat Intelligence Lifecycle: All 6 Stages ExplainedDetectionWhat Is Threat Hunting? A Practical GuideOperationsWhat Is Incident Response? The Incident Response Lifecycle ExplainedDetectionIndicators of Compromise (IOCs): The Complete Guide