Episode 45 — Select courses of action that change outcomes
In Episode 45, Select courses of action that change outcomes, we shift from understanding threats to actively shaping what happens next. Up to this point, much of the focus in security work has been on visibility, detection, and analysis, which are all essential, but none of them stop an adversary on their own. This episode is about what you do once you know something bad is happening or is about to happen. Choosing the right defensive action is not about reacting emotionally or reaching for the loudest control, but about deliberately influencing the attacker’s ability to continue. The goal is to move from observation to intervention in a way that actually changes the trajectory of the intrusion.
Courses of action represent the concrete options you have when responding to an adversary, and they generally fall into patterns such as denying, disrupting, or deceiving the threat actor group. Denial focuses on removing access, blocking paths, or hardening targets so the attacker cannot proceed. Disruption aims to interfere with the attacker’s operations, slowing them down or forcing mistakes without necessarily ejecting them immediately. Deception introduces false information or environments that waste the attacker’s time and reveal their behavior. These options are not mutually exclusive, but they are different levers, each with its own impact, risk, and visibility. Understanding these differences helps you avoid defaulting to the same response every time, regardless of context.
A critical part of selecting a course of action is comparing the cost of your defensive move against the potential damage from the ongoing attack. Cost here is broader than money, because it includes operational disruption, user frustration, lost productivity, and even reputational impact inside the organization. Shutting down a critical system may stop an attacker, but it may also halt business operations in a way that exceeds the harm the attacker would have caused. On the other hand, doing nothing because a response feels inconvenient can allow a small intrusion to become a major incident. Effective defenders constantly weigh these tradeoffs, not in abstract terms, but in the specific context of what is happening right now. This comparison is what separates thoughtful response from reflexive response.
One of the easiest mistakes to make is choosing a response that causes more disruption than the actual attack itself, especially under pressure. Security teams are often empowered to take strong actions, and those actions can feel reassuring in the moment. However, if your response locks out hundreds of users to stop activity affecting one endpoint, you may lose credibility and support from the business. This does not mean you should avoid decisive action, but it does mean you should calibrate it. The severity of the response should align with the severity and scope of the threat. When teams consistently overreact, leadership becomes hesitant to approve future actions, even when they are truly needed.
Intelligence plays a key role in predicting how an attacker might react to your specific defensive actions. An experienced adversary does not simply disappear when blocked; they adapt. If you block one command and control path, they may switch to another. If you reset credentials, they may escalate privileges elsewhere. By understanding the attacker’s capabilities, objectives, and past behavior, you can anticipate these reactions and plan accordingly. This does not require perfect foresight, but it does require thinking one or two steps ahead. The more you treat response as an interactive process rather than a one-time event, the more effective your actions become.
A useful mental model is to imagine a chess game where every move you make is designed to block the opponent’s options. In chess, you rarely win by reacting only to the last move your opponent made. Instead, you think about how your move constrains their future moves. Defensive actions in cybersecurity work the same way. Blocking a single indicator may stop one tactic, but changing the environment can force the attacker into less effective or more detectable behavior. When you view response through this lens, you stop chasing individual actions and start shaping the overall engagement. That mindset leads to outcomes that favor the defender over time.
Another way to think about courses of action is as the different tools in a security professional’s belt. No single tool is right for every situation, and relying on one tool exclusively creates predictable patterns that attackers can exploit. Sometimes the right move is a quiet containment that preserves evidence. Other times it is an aggressive block that prioritizes immediate safety. Sometimes it is observation combined with deception to learn more before acting. Knowing which tool to use, and when to switch tools, is a mark of maturity. It also requires coordination, because some tools require approval, communication, or preparation before they can be used effectively.
Deception strategies deserve special attention because they offer benefits beyond simple prevention. Using honeytokens, fake credentials, or decoy internal servers can reveal attacker intent and movement in ways that traditional controls cannot. When an attacker interacts with something that should never be touched, you gain high-confidence detection with minimal noise. Deception can also slow attackers down, forcing them to spend time validating what is real and what is not. This wasted effort works in your favor, especially during active incidents where time matters. While deception requires careful design to avoid confusing legitimate users, its payoff can be significant when aligned with clear goals.
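The high-confidence detection described above, as an added example that is not part of the episode: a set of constructed honeytokens (a decoy account, a decoy file server and a decoy cloud key) is matched against constructed log lines in an assumed "timestamp host event key=value" format, and every touch is attributed to the source that made it.

```python
import re
from dataclasses import dataclass

# Constructed honeytokens: identifiers that exist only to be touched by an intruder.
# No legitimate workflow uses them, so any reference in a log is a high-confidence signal.
HONEYTOKENS = {
    "svc_backup_legacy": "decoy domain account seeded in a stale password file",
    "fs-archive-07": "decoy file server that holds no real data",
    "DECOYKEY-0001": "decoy cloud access key planted in a config repository",
}

@dataclass
class HoneytokenHit:
    line_no: int
    token: str
    source: str        # address or host that touched the token
    description: str   # what the token is, for the analyst

# Constructed sample log lines (assumed format: timestamp host event key=value ...).
SAMPLE_LOG = """\
2024-03-01T09:12:03Z ws-113 auth_success user=jsmith src=10.0.4.21
2024-03-01T09:12:44Z ws-113 auth_failure user=svc_backup_legacy src=10.0.4.21
2024-03-01T09:13:01Z fs-archive-07 smb_connect src=10.0.4.21 share=finance
2024-03-01T09:13:09Z ws-204 auth_success user=asharma src=10.0.7.8
2024-03-01T09:14:30Z api-gw api_call key=DECOYKEY-0001 src=203.0.113.5
"""

def find_honeytoken_hits(log_text: str, tokens: dict = HONEYTOKENS) -> list:
    """Return every log line that references a honeytoken, with the source that touched it."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for token, description in tokens.items():
            # Match the token as a whole field so "fs-archive-07" does not match "fs-archive-071".
            if re.search(r"(?<![\w-])" + re.escape(token) + r"(?![\w-])", line):
                src = re.search(r"\bsrc=(\S+)", line)
                source = src.group(1) if src else line.split()[1]
                hits.append(HoneytokenHit(line_no, token, source, description))
    return hits

def sources_to_investigate(hits: list) -> dict:
    """Group hits by source so lateral movement across several decoys stands out."""
    by_source: dict = {}
    for hit in hits:
        by_source.setdefault(hit.source, []).append(hit.token)
    return by_source
```

Two of the three hits come from the same internal address, which is the movement signal the episode describes: one source validating a decoy account and then reaching for a decoy server.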
Selecting courses of action should always be aligned with the overall risk appetite and goals of senior leadership. Security teams do not operate in a vacuum, and the most technically elegant response may still be the wrong choice if it conflicts with business priorities. Some organizations prioritize availability above all else, while others are willing to accept downtime to protect sensitive data. Understanding where your organization falls on that spectrum allows you to recommend actions that leadership is more likely to support. It also ensures that when something goes wrong, the decision can be defended as aligned with agreed-upon values rather than ad hoc judgment. Alignment builds trust, and trust enables faster action when it matters most.
This alignment ensures that your technical responses support the broader business rather than working against it. When security actions are clearly tied to business outcomes, such as protecting revenue, customer trust, or regulatory standing, they are easier to justify and sustain. Over time, this connection changes how security is perceived inside the organization. Instead of being seen as an obstacle, security becomes a partner in managing risk. Courses of action then become part of normal decision-making rather than emergency exceptions. This cultural shift does not happen overnight, but it starts with consistently choosing responses that make sense beyond the technical domain.
Documentation is another often overlooked but critical element of effective action. For every major defensive action taken, you should document the intended goal and the expected outcome. This does not need to be bureaucratic, but it should be explicit. Writing down what you are trying to achieve forces clarity and makes post-incident review far more productive. If the outcome does not match the expectation, you have a concrete basis for learning and improvement. Over time, this practice builds an institutional memory that improves future decisions and reduces repeated mistakes.
Before executing any course of action, it is essential to verify that you have the necessary authority and tools to carry it out. Acting without proper authorization can create legal, operational, or political problems that outweigh the benefits of the response. Similarly, planning an action that depends on tools you do not actually control leads to delays and frustration during critical moments. Knowing your limits in advance allows you to design realistic responses rather than idealized ones. It also highlights gaps that can be addressed proactively, such as missing approvals or incomplete tooling. Preparation in this area directly affects how smoothly response efforts unfold under pressure.
Practice is what turns theory into skill, and practicing response does not require a live incident. You can start by listing multiple ways to disrupt a specific command and control communication channel, even in a tabletop setting. Each option will have different costs, risks, and visibility. Some may be fast but noisy, others slow but subtle. By exploring these options ahead of time, you reduce decision latency when a real alert arrives. This kind of rehearsal builds confidence and helps teams avoid tunnel vision. It also reveals creative approaches that might not surface during an actual crisis.
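The tabletop exercise just described, carried through as an added example that is not part of the episode: several constructed options for disrupting one command and control channel are run through the checks the episode sets out (documented goal and expected outcome, response cost not exceeding attack damage, authority in hand, tooling under your control) and the survivors are ranked by net benefit. The 0-10 cost and damage scales, the option names and the approval set are all assumptions.

```python
from dataclasses import dataclass

@dataclass
class CourseOfAction:
    name: str
    kind: str                    # "deny", "disrupt" or "deceive", the episode's three patterns
    intended_goal: str           # written down before acting
    expected_outcome: str        # written down before acting
    disruption_cost: float       # estimated business impact of the response (assumed 0-10 scale)
    harm_prevented: float        # estimated attack damage the action averts (assumed 0-10 scale)
    visibility: str              # "quiet" or "noisy" from the attacker's point of view
    requires_approval: bool
    tooling_available: bool

def select_courses_of_action(options, attack_damage, approvals_held):
    """Apply the episode's checks: document intent, never cost more than the attack would,
    hold the authority and the tools; then rank the survivors by net benefit."""
    selected, rejected = [], {}
    for coa in options:
        if not (coa.intended_goal and coa.expected_outcome):
            rejected[coa.name] = "goal and expected outcome not documented"
        elif coa.disruption_cost > attack_damage:
            rejected[coa.name] = f"cost {coa.disruption_cost} exceeds attack damage {attack_damage}"
        elif coa.requires_approval and coa.name not in approvals_held:
            rejected[coa.name] = "no authority to execute"
        elif not coa.tooling_available:
            rejected[coa.name] = "required tooling not under our control"
        else:
            selected.append(coa)
    selected.sort(key=lambda c: c.harm_prevented - c.disruption_cost, reverse=True)
    return selected, rejected

# Constructed tabletop options for one C2 channel used by a single compromised workstation.
C2_OPTIONS = [
    CourseOfAction("sinkhole C2 domain at resolver", "disrupt", "stop beaconing quietly",
                   "beacons fail DNS, host stays up for forensics", 1, 5, "quiet", False, True),
    CourseOfAction("isolate host via EDR", "deny", "stop hands-on-keyboard activity",
                   "host reachable only from the EDR console", 2, 7, "noisy", True, True),
    CourseOfAction("disable all VPN access", "deny", "close every external path",
                   "all remote users offline", 9, 7, "noisy", True, True),
    CourseOfAction("redirect C2 to decoy host", "deceive", "observe operator tooling",
                   "operator works against a decoy", 2, 5, "quiet", False, False),
]

def recommend(options=C2_OPTIONS, attack_damage=6, approvals_held=frozenset({"isolate host via EDR"})):
    """Return the recommended action's name plus the reason each other option was rejected."""
    selected, rejected = select_courses_of_action(options, attack_damage, approvals_held)
    return (selected[0].name if selected else None), rejected
```

Re-running `select_courses_of_action` with an empty approval set drops the isolation option and leaves the quiet sinkhole as the only executable move, which is exactly the gap in authority the episode says to surface before the incident.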
In Select courses of action that change outcomes, the central message is that action is what ultimately changes the game. Detection tells you something is wrong, but response determines what happens next. By thoughtfully selecting courses of action, weighing cost against impact, anticipating attacker reactions, and aligning with business goals, you can influence the outcome of an intrusion rather than simply observe it. Documenting intent, verifying authority, and practicing options all contribute to more effective decisions. Take your latest alert and recommend one specific response, because deliberate act