Ransomware does not wait for your runbook. From the moment a payload begins to execute, encryption races outward across shares and reachable hosts, and every second of hesitation is measured in files locked and machines lost. Incident response under those conditions is not a checklist you complete at your own pace. It is a contest of tempo against an adversary, and a fighter pilot turned theorist gave us the clearest model for winning that contest.
Military foundation
John Boyd, an American fighter pilot and military strategist, described decision making in conflict as a repeating cycle of four steps: Observe, Orient, Decide, and Act. You observe what is happening, orient yourself by interpreting those observations against your knowledge and the situation, decide on a course of action, and then act, after which the cycle begins again with fresh observation of the changed situation. Boyd called this the OODA loop.
His central insight was about speed and relevance, not about the diagram. In a duel between two adversaries each running their own loop, the one who can move through the cycle more quickly, and orient more accurately, gets inside the other's decision cycle. The slower party finds that the situation has already changed by the time they decide, so their actions answer a reality that no longer exists. The faster party imposes confusion and forces the opponent to react rather than initiate. Tempo, in Boyd's framing, is itself a weapon.
Cyber application
A live ransomware intrusion is a race of competing loops, and the payload's loop is automated and fast. Your job is to run yours faster and more accurately than the malware can spread. The four steps map cleanly onto the work in front of you.
Observe is triage from the evidence in front of you: endpoint alerts, bursts of file writes and renames on one host or share (often to an extension nobody has seen before), unfamiliar or unsigned processes, authentication anomalies such as a single service account logging on to many hosts in quick succession, and the logs that show where activity started and where it is reaching. Orient is making sense of that evidence under pressure. You scope the intrusion, asking which hosts are affected, which accounts are compromised, how the attacker is moving, and whether what you see is the whole picture or only the part that tripped an alert. Orientation is where most responses succeed or fail, because a wrong mental model (treating the first host that alerted as patient zero, say, when it is merely the first host to be noticed) sends every later decision in the wrong direction.
Decide is committing to a containment action while the picture is still incomplete, because waiting for certainty hands tempo to the payload. You choose what to isolate, what to disable, and what to preserve for later analysis. Act is execution: cutting compromised machines off the network, disabling abused accounts, and severing the paths the payload needs before it reaches the next set of targets. Then the loop restarts. You observe the effect of your action, reorient to the changed state, and decide again, cycling faster than the encryption can spread. The aim is to get inside the malware's loop, acting on the spread before it completes rather than after.
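The four steps above, written out as a loop over endpoint telemetry. This is an added illustration, not code from the article or from any vendor tooling: the hostnames (WS-07, FS-01, WS-12, WS-03), the account svc-backup, the unsigned updater.exe, the .locked extension, the thresholds and every event in the stream are constructed. What it shows is the mechanics the text describes: observe reads only the events of the current window, orient reduces them to a few indicators per host and per account, decide commits on a deliberately low threshold rather than on certainty, and act feeds back into the next observation because an isolated host and a disabled account no longer produce outbound events. Running the same stream with a 30-second cycle and a 120-second cycle makes the tempo argument concrete: the slower loop makes the same decisions, but by the time it makes them every file on the second host is already gone.

```python
"""Simulated OODA loop over constructed ransomware telemetry (added example)."""
from collections import defaultdict

LOCKED_SUFFIX = ".locked"      # assumed extension the constructed payload appends
ISOLATE_AFTER_N_WRITES = 5     # commit early: five locked writes, not a full inventory
DISABLE_AFTER_N_TARGETS = 2    # one account reaching 2+ hosts is treated as lateral movement


def build_events():
    """Constructed telemetry as (ts_seconds, source_host, kind, details)."""
    ev = [(0, "WS-07", "process", {"image": "updater.exe", "signed": False})]
    ev += [(t, "WS-07", "file_write", {"path": f"C:\\Users\\a\\doc{t}.docx{LOCKED_SUFFIX}"})
           for t in range(1, 26)]                    # 25 locked writes on patient zero
    ev += [(20, "WS-07", "auth", {"account": "svc-backup", "target": "FS-01"}),
           (22, "WS-07", "auth", {"account": "svc-backup", "target": "WS-12"}),
           (45, "FS-01", "process", {"image": "updater.exe", "signed": False})]
    ev += [(t, "FS-01", "file_write", {"path": f"D:\\share\\f{t}.xlsx{LOCKED_SUFFIX}"})
           for t in range(50, 80)]                   # 30 locked writes on the file server
    ev.append((55, "WS-03", "file_write", {"path": "C:\\Users\\b\\notes.txt"}))  # benign noise
    return sorted(ev, key=lambda e: e[0])


def observe(events, start, end, isolated, disabled):
    """One window of telemetry. An isolated host can no longer write to shares or
    authenticate outward and a disabled account cannot log on, so those events are
    suppressed: this is how the loop sees the effect of its own previous action."""
    seen = []
    for ts, host, kind, d in events:
        if not (start <= ts < end) or host in isolated:
            continue
        if kind == "auth" and d["account"] in disabled:
            continue
        seen.append((ts, host, kind, d))
    return seen


def orient(seen):
    """Reduce raw events to per-host and per-account indicators."""
    hosts = defaultdict(lambda: {"locked_writes": 0, "unsigned_process": False})
    accounts = defaultdict(set)
    for _, host, kind, d in seen:
        if kind == "file_write" and d["path"].endswith(LOCKED_SUFFIX):
            hosts[host]["locked_writes"] += 1
        elif kind == "process" and not d["signed"]:
            hosts[host]["unsigned_process"] = True
        elif kind == "auth":
            accounts[d["account"]].add(d["target"])
    return {"hosts": dict(hosts), "accounts": dict(accounts)}


def decide(picture, isolated, disabled):
    """Choose containment actions on partial evidence."""
    actions = []
    for host, h in picture["hosts"].items():
        if host in isolated:
            continue
        if h["locked_writes"] >= ISOLATE_AFTER_N_WRITES or (h["unsigned_process"] and h["locked_writes"]):
            actions.append(("isolate", host))
    for account, targets in picture["accounts"].items():
        if account not in disabled and len(targets) >= DISABLE_AFTER_N_TARGETS:
            actions.append(("disable", account))
    return actions


def act(actions, isolated, disabled):
    """Apply the decisions; in a real response these are EDR isolation and IdP calls."""
    for action, target in actions:
        (isolated if action == "isolate" else disabled).add(target)


def run_loop(events, window):
    """Cycle observe -> orient -> decide -> act every `window` seconds until the
    stream is exhausted. Returns the action log and how much encryption got through."""
    isolated, disabled, actions = set(), set(), []
    encrypted, t, end = 0, 0, max(e[0] for e in events) + 1
    while t < end:
        seen = observe(events, t, t + window, isolated, disabled)
        encrypted += sum(1 for _, _, k, d in seen
                         if k == "file_write" and d["path"].endswith(LOCKED_SUFFIX))
        picked = decide(orient(seen), isolated, disabled)
        act(picked, isolated, disabled)
        actions += [(t + window, a, target) for a, target in picked]
        t += window
    return {"actions": actions, "files_encrypted": encrypted,
            "time_to_first_action": actions[0][0] if actions else None}


if __name__ == "__main__":
    for window in (30, 120):
        r = run_loop(build_events(), window)
        print(f"cycle={window}s first_action={r['time_to_first_action']}s "
              f"files_encrypted={r['files_encrypted']} actions={r['actions']}")
```

With the 30-second cycle the first window already shows 25 locked writes, an unsigned process and svc-backup reaching two other hosts, so WS-07 is isolated and the account disabled at t=30; the file server is caught in the next window after ten files. The 120-second cycle reaches identical conclusions but only after all 55 files are locked. The thresholds are the interesting knobs: raise ISOLATE_AFTER_N_WRITES towards "certainty" and watch files_encrypted climb, which is the cost of hesitation the text describes.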
What you practise
In the range, this is rehearsed against a clock and against a thinking opponent rather than a static scenario. You practise cutting the time between first signal and first decisive action, because that interval is where damage accumulates. You learn to orient from partial evidence without freezing, to recognise when your model of the intrusion is wrong and correct it mid-incident, and to commit to containment before you have full certainty, because certainty arrives too late to matter.
You also build the discipline of looping rather than acting once and hoping. Isolating one machine is rarely the end; the next observation tells you whether the spread is checked or whether it has found another route, and you cycle again. Repetition under live pressure is what turns the four steps from a tidy diagram into a reflex. When a real intrusion arrives, the team that has drilled the loop moves while the slower team is still trying to understand what it is seeing, and in a contest of tempo, the side that moves first and accurately is the side that contains the damage.