Unraveling the Courses of Action Matrix: Full Guide to CoA

Adam Goss
11 min read · Feb 19, 2024
The Courses of Action Matrix

Do you know what defensive capabilities your organization has? Do you know what team is doing what to combat threats? Have you got a way of coordinating your defensive efforts?

Let me introduce you to the Courses of Action (CoA) matrix. This key strategic planning tool will allow you to assess your defensive capabilities, provide security teams with situational awareness, and enable you to coordinate defensive efforts. It provides a structured framework to help you organize your tactical and procedural responses to cyber threats.

In this article, you will see how to use the CoA matrix in the real world by mapping your defensive actions against an adversary’s actions using the Cyber Kill Chain and MITRE ATT&CK. This will enable you to assess how resilient your organization is against a cyber attack, help you answer intelligence requirements, and drive critical thinking about defensive capabilities. Let’s get started!

What is the Courses of Action Matrix?

The Courses of Action (CoA) matrix is a strategic planning tool to identify, evaluate, and prioritize defensive actions against potential threats. It provides a structured framework that security teams can use to orchestrate tactical and procedural responses based on their defensive capabilities.

The CoA matrix is based on the US Department of Defense’s (DoD) defensive capabilities doctrine. These are outlined in Joint Publication 3-13, Information Operations (13 February 2006), which details the actions available to protect against an adversary in the cyber domain.

The matrix outlines seven courses of action that can be used to defend against an attack. These include:

  • Discover: Uncover a threat actor’s past activity in the logs.
  • Detect: Identify an attacker’s current activity using detection tools, such as anti-virus, EDR, and IDS.
  • Deny: Block an adversary’s activities using firewall rules, email filtering, privilege restrictions, etc.
  • Disrupt: Interrupt a threat actor’s activities or flow of information to cause them to fail. This could be interrupting spidering activity, quarantining files, exploit protections like DEP or…
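The matrix itself is just a grid: adversary phases as rows, courses of action as columns, and in each cell the concrete capabilities your teams actually have. The following Python is an added example (not code from the article or its author) that builds that grid and answers the questions the article opens with: where are the gaps, and which phases have no course of action at all. It assumes the seven Lockheed Martin Cyber Kill Chain phases as the rows and uses only the four courses of action named above as columns (the class accepts any list, so the remaining columns can be added as the article defines them); the capability entries are constructed sample data.

```python
"""Courses of Action (CoA) matrix as a data structure.

Rows: adversary phases (Lockheed Martin Cyber Kill Chain, a standard list).
Columns: the defensive courses of action named in the article.
Cells: the concrete capabilities an organization has for that pairing.
Added example code; the sample capabilities below are constructed.
"""

# Standard Cyber Kill Chain phases (Lockheed Martin), used as matrix rows.
KILL_CHAIN = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objectives",
]

# Courses of action named on this page; the class accepts any list.
COURSES_OF_ACTION = ["Discover", "Detect", "Deny", "Disrupt"]


class CoAMatrix:
    def __init__(self, phases=KILL_CHAIN, courses=COURSES_OF_ACTION):
        self.phases = list(phases)
        self.courses = list(courses)
        # cells[(phase, coa)] -> list of capability descriptions
        self.cells = {(p, c): [] for p in self.phases for c in self.courses}

    def add(self, phase, coa, capability):
        """Record a defensive capability; rejects unknown phase/CoA pairs
        so a typo cannot silently create an uncounted cell."""
        key = (phase, coa)
        if key not in self.cells:
            raise ValueError(f"unknown phase/CoA pair: {key}")
        self.cells[key].append(capability)

    def gaps(self):
        """(phase, coa) pairs with no capability recorded at all."""
        return [k for k, v in self.cells.items() if not v]

    def uncovered_phases(self):
        """Phases where the organization has no course of action whatsoever:
        the adversary can move through this step unopposed and unseen."""
        return [p for p in self.phases
                if not any(self.cells[(p, c)] for c in self.courses)]

    def coverage(self):
        """Per-phase fraction of courses of action with >= 1 capability."""
        return {
            p: sum(1 for c in self.courses if self.cells[(p, c)]) / len(self.courses)
            for p in self.phases
        }

    def render(self):
        """Plain-text matrix: capability count per cell, '-' for a gap."""
        width = max(len(p) for p in self.phases)
        lines = [" " * width + "  " + "  ".join(f"{c:>8}" for c in self.courses)]
        for p in self.phases:
            row = [f"{p:<{width}}"]
            for c in self.courses:
                n = len(self.cells[(p, c)])
                row.append(f"{(str(n) if n else '-'):>8}")
            lines.append("  ".join(row))
        return "\n".join(lines)


def build_sample_matrix():
    """Constructed example inventory (not real data) mixing the tool types
    the article lists: email filtering, DEP, EDR, IDS, firewall, log review."""
    m = CoAMatrix()
    m.add("Delivery", "Detect", "Email gateway attachment sandboxing")
    m.add("Delivery", "Deny", "Email filtering of executable attachments")
    m.add("Exploitation", "Disrupt", "DEP enforced on endpoints")
    m.add("Installation", "Detect", "EDR alert on new persistence mechanism")
    m.add("Installation", "Discover", "Retrospective search of process-creation logs")
    m.add("Command and Control", "Deny", "Firewall egress rules")
    m.add("Command and Control", "Detect", "IDS signature matching")
    m.add("Actions on Objectives", "Discover", "Review of file-server access logs")
    return m


if __name__ == "__main__":
    matrix = build_sample_matrix()
    print(matrix.render())
    print("phases with no course of action:", matrix.uncovered_phases())
    print("empty cells:", len(matrix.gaps()), "of", len(matrix.cells))
```

The output makes the assessment concrete: in the constructed inventory, Reconnaissance and Weaponization have no course of action at all, and no phase has more than half its columns filled. Populating the same structure from a real capability inventory is what turns the matrix from a diagram into an answer to an intelligence requirement.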
