Your Incident Response Needs OODA

By Jeremy Ventura, Field CISO, Myriad360

I remember the first time I stood in front of a security operations team that was absolutely buried in alerts. Every console screamed urgency—red flags for phishing, unpatched servers, suspicious network anomalies—yet nobody could decide which fire to fight first. Half the room wanted a deep investigation into an external IP; the other half was convinced we had a rogue insider. Meanwhile, the CFO and CIO were clamoring for updates, not just about what was happening, but how it threatened the business. The chaos felt overwhelming.

That chaos isn’t unique. A survey revealed that 56% of large companies handle over 1,000 security alerts daily, and 83% of IT security professionals experience alert fatigue. The sheer volume leads to burnout—64% of DFIR professionals cite alert fatigue as a major stressor. It’s no surprise that 65% of security pros have considered quitting due to alert overload and lack of visibility.

A turning point for me came when I stumbled on a military concept called OODA: Observe, Orient, Decide, Act. Fighter pilots entrust their lives to it in situations where a fraction of a second can mean the difference between success and death. It sounded extreme, but I realized that modern cyber incidents carry their own heightened stakes—just measured in data breaches and operational shutdowns instead of fiery ruin. We needed a structured way to cut through the noise.

Decision-Making Under Pressure

OODA serves as a robust decision-making model for cyberattacks, emphasizing real-time status checks across infrastructure to enable informed decisions. In my early days, I tried to handle incidents by skimming logs and seeing which alerts had the highest severity scores. But that approach left too many questions: was the severity real or just a typical “critical” classification from a scanning tool? Could a single “high” on a revenue-generating server be worse than ten “criticals” on systems nobody used?

The paralysis from data overload is real. 68% of cybersecurity decision-makers say they feel "paralyzed" by the sheer volume of alerts, leading to stress and delays in response. I remember scheduling a half-day “fire drill” where we’d run through a hypothetical breach. Someone in finance balked, saying, “Why do we need four hours for a fake crisis?” Well, when a real crisis hits, you can’t afford to waste time deciding who’s in charge, which logs matter, or whether to shut down a system. You either respond decisively or risk real damage.

That’s where I found OODA so valuable.

Observe: Sort the relevant signals from all the background chatter. If it’s a flood of ransomware alerts, gather key facts—which endpoints were flagged, where else do we see suspicious activity? Crucially, you’re not analyzing them to death—you’re just collecting meaningful data so you can pivot quickly.

Orient: This is the step many teams neglect. They see a thousand urgent alerts and try to fix them all. Orientation is where you put context around what you’ve observed. Which servers are mission-critical? Which alerts might be false positives? Do we suspect any links to known threat groups? When done well, Orientation stops that flood of data from overwhelming you.

Decide: This shouldn’t be a drawn-out debate. Sure, you’d like perfect information, but that never exists in the middle of an active incident. If you linger, you give attackers more time. A failure to act quickly can be catastrophically expensive—Clorox’s 2024 cyberattack resulted in $57M-$65M in costs due to decision delays.

I once had an incident where we discovered malicious traffic leaving an accounting server. By the time we realized it was an exfiltration pipeline, data had been moving out for hours. If we’d waited a day to decide, we’d have suffered triple the damage. OODA teaches you to make the best decision you can, given the context you built in Orientation, then move.

Act: Isolate the server, block the malicious IP, review service accounts, notify the incident response vendor—whatever the immediate step requires. Once you act, you don’t just breathe a sigh of relief. You return to Observe, because the landscape is now changing again. Attackers evolve; your environment shifts.

Reassessment as a Necessity, Not an Option

OODA loops you right back to taking in new data, rechecking orientation, and making the next call. It’s a cycle that never really ends, which is exactly what makes it so effective. 49% of organizations haven’t reassessed the security of remote access tools they adopted during COVID-19, leaving them vulnerable to unmanaged third-party access and operational risks. If hackers pivot to a new tactic, you’re already geared to quickly Observe and Orient against this fresh information.

I’ve used OODA to guide organizations through everything from zero-day vulnerabilities to supply chain exploits. In a supply chain breach, for example, you might Observe a sudden spike in unexpected connections from a third-party vendor, Orient by checking if this vendor normally runs that volume of traffic, then Decide whether to block those connections or request more logs from them, and finally Act by either quarantining or fast-tracking an investigation. Crucially, you don’t stop once you’ve blocked the IP—maybe that vendor needs a deeper review to ensure they weren’t just one hop in a broader attack chain. That cyclical vigilance is what keeps you a step ahead.
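As an added illustration (example code, not from the article or Myriad360), here is one way to turn the loop described above into triage logic over constructed alerts: the asset criticality table and the vendor traffic baseline are assumed inputs, and the ranking shows why a single "high" on a revenue-generating server can outrank ten scanner "criticals" on a box nobody uses.

```python
from dataclasses import dataclass

# Constructed Orient context: asset criticality (1-10) and each vendor's normal daily connections.
ASSET_CRITICALITY = {"erp-db-01": 10, "web-store-02": 9, "lab-test-07": 1}
VENDOR_BASELINE = {"vendor-acme": 120}
SEVERITY = {"critical": 4, "high": 3, "medium": 2, "low": 1}
@dataclass
class Alert:
    host: str
    severity: str         # raw severity label from the tool
    source: str           # "vuln-scanner", "edr" or "netflow"
    vendor: str = ""      # set on third-party connection alerts
    connections: int = 0  # connections seen in this netflow alert
    score: float = 0.0    # filled in by orient()

def observe(raw_events):
    """Observe: collect the facts, no deep analysis yet."""
    return [Alert(**e) for e in raw_events]

def orient(alerts):
    """Orient: weight raw severity by asset value, source trust and baseline deviation."""
    for a in alerts:
        score = SEVERITY[a.severity] * ASSET_CRITICALITY.get(a.host, 1)
        if a.source == "vuln-scanner":
            score *= 0.5  # scanner "criticals" usually lack exploitability context
        if a.vendor:
            ratio = a.connections / VENDOR_BASELINE.get(a.vendor, 1)
            score *= ratio if ratio > 1 else 0.25  # normal vendor volume is likely benign
        a.score = score
    return sorted(alerts, key=lambda a: a.score, reverse=True)

def act(alert):
    """Act: pick the immediate containment step; the caller then re-enters Observe."""
    if alert.vendor and alert.connections > 3 * VENDOR_BASELINE.get(alert.vendor, 1):
        return f"block {alert.vendor} connections and request their logs"
    if ASSET_CRITICALITY.get(alert.host, 1) >= 9:
        return f"isolate {alert.host}"
    return f"open ticket for {alert.host}"

def ooda_cycle(raw_events):
    """One pass of the loop; call it again on fresh events after acting."""
    chosen = orient(observe(raw_events))[0]  # Decide: take the top-ranked alert, no debate
    return chosen.host, act(chosen)

# Constructed events: ten scanner "criticals" on an unused lab box, one EDR "high"
# on the web store, and a vendor connection spike against the ERP database.
SAMPLE_EVENTS = [{"host": "lab-test-07", "severity": "critical", "source": "vuln-scanner"}] * 10
SAMPLE_EVENTS += [{"host": "web-store-02", "severity": "high", "source": "edr"},
                  {"host": "erp-db-01", "severity": "medium", "source": "netflow",
                   "vendor": "vendor-acme", "connections": 600}]
```

Running `ooda_cycle(SAMPLE_EVENTS)` picks the vendor spike first; rerunning it on the remaining events after that action shows the web-store "high" outranking all ten lab "criticals", which is the second turn of the loop.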
