
What Is Counter Adversary Operations (CAO)?

Counter adversary operations (CAO) is a security model that fuses threat intelligence and threat hunting into a single, continuous, adversary-focused loop, so intelligence about an actor immediately drives a hunt for that actor in your environment.

An adversary lands on a workstation through a phished credential. Twenty-seven seconds later, they are on a second host.

That 27 seconds is the fastest breakout time CrowdStrike has ever recorded, according to its 2026 Global Threat Report, which also put the average eCrime breakout time at 29 minutes in 2025, a 65% jump in speed over the year before. Breakout time is the gap between an attacker landing on the first host and pivoting to a second. It is the window a defender has to detect, decide, and act before an intrusion becomes a breach.

Now compare that to how most security programs run. The intelligence team writes a report about an actor. The hunt team goes looking for activity in the environment. Those two functions sit in different tools, on different schedules, and the handoff between them takes days. The adversary moves in minutes. That mismatch is the problem counter adversary operations is built to fix.

This guide covers what counter adversary operations is, why traditional threat intelligence falls short against fast adversaries, how fusing intelligence with hunting changes the math, what the model actually does day to day, and where it fits next to the disciplines you already run.

What is counter adversary operations?

Counter adversary operations (CAO) is a model that fuses threat intelligence and threat hunting into a single function focused on the adversary, not the alert. Instead of treating "who is attacking and how" and "is that attacker in my environment right now" as separate jobs, CAO runs them as one continuous loop: intelligence about an actor drives a hunt, and what the hunt finds sharpens the intelligence.

The term was coined by CrowdStrike, which created its Counter Adversary Operations group in the summer of 2023 by uniting its intelligence team and its OverWatch threat hunting team. The vendor framing is specific to its products, but the underlying idea is portable and vendor-neutral: stop organizing defense around indicators and individual alerts, and start organizing it around the human adversary behind them, their identity, their playbook, and their speed.

The shift is from reactive to adversary-centric. A traditional program asks "did something known-bad happen?" CAO asks "which adversary is likely coming for us, what does their playbook look like, and are they already inside?" That reframing is the whole point. You defend against a named opponent with known behavior, not against an anonymous stream of events.

CAO is best understood as an operating model layered on top of cyber threat intelligence, not a replacement for it. It takes the intelligence discipline and welds it to active hunting so the two reinforce each other in close to real time.

Why traditional threat intelligence falls short

Threat intelligence and threat hunting are both mature disciplines. Run in isolation, they each leave a gap that fast adversaries walk straight through.

Intelligence without hunting is a report nobody acts on in time. A classic intelligence team produces finished analysis: an actor profile, a campaign writeup, a feed of indicators. It is accurate and useful, but it is a deliverable, not an action. By the time the PDF reaches the SOC and someone decides what to do with it, the indicators may already be stale and the actor may already be in the network. Intelligence that does not immediately drive a search inside your environment is knowledge sitting on a shelf.

Hunting without intelligence is searching without a map. A hunt team that is not fed current adversary intelligence ends up guessing what to look for. They hunt for generic suspicious behavior rather than the specific tactics of the actor most likely to target their sector. The result is wasted cycles on low-value hypotheses and missed coverage of the techniques that actually matter.

Both are too slow when separated. This is the core failure. When intelligence and hunting live in different teams, different tools, and different workflows, the handoff between "we know about this actor" and "we are looking for this actor right now" takes days. Against a 29-minute average breakout time, a multi-day handoff is not a delay, it is a loss. The adversary has already moved, escalated, and reached their objective before the two halves of your program finished talking to each other.

The deeper issue is that traditional tooling is alert-centric. It generates a high volume of disconnected alerts, and analysts triage them one at a time with no narrative tying them to a known adversary. You can be drowning in alerts and still have no idea which adversary is operating against you or how far they have gotten.

How fusing intelligence and hunting changes the math

[Figure: Counter Adversary Operations, the fused loop. Two functions, one loop, minutes not days. Threat intelligence (who is coming, and how: actor identity, motivation, and playbook/TTPs for the threats relevant to your sector) feeds an intelligence-led hunt (are they inside right now: the playbook becomes a hunt hypothesis, run against live telemetry and mapped to MITRE ATT&CK). Findings feed back into intelligence, and intelligence drives the next hunt. The clock: eCrime breakout time of 29 minutes on average and 27 seconds at the fastest, so a multi-day handoff between separate intelligence and hunt teams loses this race. Source: CrowdStrike 2026 Global Threat Report. Adversary-centric, not alert-centric: run as one continuous loop, an alert stops being an isolated event and becomes a stage in a named adversary's campaign you can predict and break.]

CAO closes the gap by making intelligence and hunting feed each other on a tight loop instead of handing off through a queue.

The loop runs in both directions. Intelligence on an adversary, their tactics, techniques, and procedures (TTPs), their infrastructure, their target profile, immediately becomes a hunt hypothesis: go look for this specific behavior in our telemetry now. What the hunt finds, a real detection, a new tool, an unseen technique, flows straight back into the intelligence picture and sharpens the next round of hunting. The cycle tightens with each pass.

Three things change when the two functions fuse:

  • Speed. Intelligence becomes an action in minutes, not a report in days. The moment an actor's playbook is understood, the hunt for it is already running.
  • Focus. Hunts are driven by the adversary most likely to hit you, mapped to their real techniques, not by generic anomaly chasing. Finite analyst hours go to the threats that can actually reach you.
  • Context. An alert stops being an isolated event and becomes part of an adversary narrative. "PowerShell spawned by Word on host A" is noise on its own. Tied to a known actor's playbook, it is a stage in an intrusion you can name and predict.

This is also where attribution earns its keep. Knowing which adversary you face, an advanced persistent threat running a known campaign versus an opportunistic eCrime crew, tells you what they will likely do next. Defense becomes anticipatory: you deploy the detection for step three before the adversary takes step one.
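The loop above in miniature, as an added example that is not CrowdStrike's or the report's code: a hypothetical actor playbook, written as ATT&CK-mapped parent/child process pairs, is run as a hunt hypothesis over constructed process-creation telemetry, the matches are assembled into one campaign narrative instead of isolated alerts, and the breakout time between the first and second host is computed as the report defines it. The actor profile, the telemetry lines and the hostnames are all constructed assumptions, and this one block also illustrates the intelligence-led hunting and adversary-centric detection capabilities listed in the next section.

```python
from datetime import datetime

# Hypothetical actor playbook (assumption: constructed, not a real actor profile).
# Each stage is the parent/child process pair the TTP produces, keyed by ATT&CK technique.
PLAYBOOK = [
    ("T1059.001", "winword.exe", "powershell.exe"),  # Office document spawning PowerShell
    ("T1021.002", "powershell.exe", "net.exe"),      # hypothesis: mapping an admin share
    ("T1569.002", "services.exe", "cmd.exe"),        # remote service execution on the target
]

# Constructed process-creation telemetry, "timestamp host parent child" (not real data).
TELEMETRY = """\
2025-03-01T09:00:00 hostA explorer.exe outlook.exe
2025-03-01T09:00:04 hostA winword.exe powershell.exe
2025-03-01T09:00:09 hostA winword.exe splwow64.exe
2025-03-01T09:00:12 hostA powershell.exe net.exe
2025-03-01T09:00:20 hostC explorer.exe powershell.exe
2025-03-01T09:00:31 hostB services.exe cmd.exe
""".splitlines()

def parse_event(line):
    ts, host, parent, child = line.split()
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "parent": parent.lower(), "child": child.lower()}

def hunt(telemetry, playbook):
    """Run the playbook as a hunt hypothesis: keep only events matching a stage."""
    stages = {(p, c): t for t, p, c in playbook}
    matches = []
    for ev in map(parse_event, telemetry):
        technique = stages.get((ev["parent"], ev["child"]))
        if technique:  # a user launching PowerShell from explorer.exe (hostC) is not a match
            matches.append({**ev, "technique": technique})
    return sorted(matches, key=lambda m: m["ts"])

def breakout_seconds(matches):
    """Seconds from the first matched event to the first matched event on another host."""
    if not matches:
        return None
    first = matches[0]
    for m in matches[1:]:
        if m["host"] != first["host"]:
            return (m["ts"] - first["ts"]).total_seconds()
    return None

def narrative(matches):
    """Assemble the isolated alerts into one campaign: [(host, technique), ...]."""
    return [(m["host"], m["technique"]) for m in matches]
```

Adding a stage to PLAYBOOK when the hunt surfaces a new technique is the "findings feed back" half of the loop; the next run of hunt() is already looking for it.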

What counter adversary operations does day to day

CAO is a way of working, and it shows up in the daily activity of the team. The model pulls together a handful of capabilities that, run separately, would each lose to the clock.

  • Adversary tracking and attribution. Maintain a current picture of the actors relevant to your sector, their identities, motivations, and known playbooks. The goal is to recognize an opponent by behavior, not to chase indicators after the fact.
  • Intelligence-led hunting. Turn current adversary intelligence directly into hunt hypotheses and run them against live telemetry. Threat hunting here is not generic, it targets the specific TTPs of the actors that matter.
  • Continuous, fused operation. Run intelligence and hunting as one loop around the clock, so a finding on one side updates the other in close to real time rather than through a scheduled handoff.
  • Adversary-centric detection. Map activity to adversary behavior and to frameworks like MITRE ATT&CK so individual alerts assemble into a recognizable campaign instead of staying disconnected.
  • Faster, contextual response. When a hunt confirms an adversary is active, response is informed by who they are and what they do next, which shapes containment instead of treating every alert as a one-off.

The thread through all of it is time. Every capability is organized to compress the distance between knowing about an adversary and acting on that knowledge inside your environment, because that distance is exactly what the adversary is racing to exploit.

CAO vs. the disciplines it builds on

CAO does not replace threat intelligence, threat hunting, detection, or incident response. It is the operating model that connects them around the adversary. The clean split:

Threat intelligence
  Question it answers: Who is attacking, and how?
  Driven by: External and internal research
  Output: Finished intelligence: actor profiles, TTPs, IOCs

Threat hunting
  Question it answers: Is an attacker already here, undetected?
  Driven by: A hypothesis, often from intelligence
  Output: Findings and new detections

Threat detection
  Question it answers: Did something known-bad just happen?
  Driven by: Rules and models
  Output: Alerts

Counter adversary operations
  Question it answers: Which adversary is coming for us, and are they inside right now?
  Driven by: Fused intelligence + hunting, run as one loop
  Output: Adversary-centric detection and faster response

The difference is integration and tempo. Intelligence and hunting can each exist as a standalone team with its own backlog. CAO insists they run as a single, continuous, adversary-focused loop, so the output of one is immediately the input of the other. It is less a new capability than a new wiring of the capabilities you already have.

Whether an organization needs a formal CAO function depends on its threat profile. A team facing targeted, fast-moving adversaries gains the most, because that is exactly the scenario where a slow intelligence-to-hunting handoff costs you the breach. A smaller organization may consume the same idea through a managed service rather than build the function in-house. The model matters more than the org chart: organize defense around the adversary and close the time gap between knowing and acting.

Frequently Asked Questions

What is counter adversary operations (CAO)?

Counter adversary operations is a security model that fuses threat intelligence and threat hunting into a single, continuous function focused on the adversary rather than on isolated alerts. Intelligence about an actor immediately drives a hunt for that actor in your environment, and what the hunt finds sharpens the next round of intelligence. The aim is to compress the time between knowing about an adversary and acting on that knowledge.

Who created the term counter adversary operations?

CrowdStrike coined the term and created its Counter Adversary Operations group in the summer of 2023 by uniting its threat intelligence team and its OverWatch threat hunting team. The vendor framing is specific to its products, but the underlying model, organizing defense around the human adversary and fusing intelligence with hunting, is vendor-neutral and applies to any program.

How is CAO different from traditional threat intelligence?

Traditional threat intelligence produces reports and indicator feeds that a separate team then has to act on, a handoff that can take days. CAO welds intelligence to active hunting so an actor's playbook becomes a live hunt hypothesis in minutes. It also reframes defense from reacting to alerts toward anticipating a named adversary's next move.

Why does breakout time matter to CAO?

Breakout time is the gap between an attacker compromising the first host and moving to a second. CrowdStrike's 2026 Global Threat Report put the average eCrime breakout time at 29 minutes, with a fastest recorded time of 27 seconds. A multi-day handoff between an intelligence team and a hunt team cannot compete with that, which is why CAO fuses the two to act in minutes.

Is CAO the same as threat hunting?

No. Threat hunting is one half of CAO. Hunting searches the environment for undetected attackers, often from a hypothesis. CAO is the larger model that drives that hunting with current adversary intelligence and feeds hunt findings back into the intelligence picture, running both as one continuous loop instead of as separate teams.

Does every organization need a counter adversary operations function?

Not as a formal in-house team. The value scales with the threat: organizations facing targeted, fast-moving adversaries gain the most, because that is where a slow intelligence-to-hunting handoff costs you a breach. Smaller teams often consume the same model through a managed service. What matters is the principle, organize defense around the adversary and close the time gap between knowing and acting.

The bottom line

Counter adversary operations is the discipline of fusing threat intelligence and threat hunting into one continuous, adversary-focused loop, so that knowing about an attacker and hunting for that attacker stop being separate jobs with a slow handoff between them. It exists because adversaries move in minutes and a traditional program measures its intelligence-to-action time in days.

The shift is from alert-centric to adversary-centric: defend against a named opponent with a known playbook, not an anonymous stream of events. Whether you build the function or consume it as a service, the principle is the same. Compress the gap between knowing and acting, because that gap is exactly what the adversary is racing to exploit.
