The phone rang at 3:45 pm on a Friday afternoon. We were winding down for the weekend when the caller ID lit up — it was the counterterrorism analyst in our office we affectionately called “CT Brian.” When he called, it was never good news. An al-Qaeda-affiliated group seized an American aid worker. Her captors were preparing to move her within the hour and special operations forces needed cyber to pinpoint her location in 30 minutes or less. An assault team stood by, ready to launch — if we could tell them where to go. Weekend plans evaporated. Screens brightened. People leaned in. But inside the cyber cell, the faces told a different story. In cyber, 30 minutes might as well be 30 seconds.
As a cyber operator, I have lived moments like that more times than I can count over 20 years — hostage recoveries, counter-terrorism missions, combat operations, and embassy evacuations. In every case, lives hung in the balance and time determined the outcome. Too often, what throttled U.S. Cyber Command’s ability to contribute wasn’t skill or technology. It was a force design inherited from the National Security Agency’s intelligence culture — one built around patience, not speed, where operations unfolded over months and years rather than minutes. Breaking through that inheritance requires three things: Understanding why the current model is too slow, rethinking how the force is built and trained, and pushing authority down to where it can actually be used.
The Speed, Control, and Intensity Tradeoff
U.S. Cyber Command’s operational model consistently prioritizes control and intensity at the expense of speed. Operations that could contribute to a crisis in hours instead take weeks or months, not because the technology demands it, but because the organization was designed around a fundamentally different clock.
Cybersecurity analyst Lennart Maschmeyer captured this dynamic precisely. Based on how cyber forces have operated, he identified a fundamental tradeoff: You can optimize for any two of speed, control, or intensity — but not all three. Pursue speed and you sacrifice precision — an operation rushed to meet a crisis window may hit the wrong system or produce unintended effects that compromise the broader mission. Prioritize control and the timeline stretches — the exhaustive testing and approval chains that ensure precision add days or weeks to every action. Maximize intensity and both suffer — a high-impact operation demands both careful planning and rapid execution, and under the current model, the organization cannot deliver both.
This tradeoff describes how Cyber Command has operated. But a product of how the force was built — not a law of physics. The danger is that the cyber community accepted it as one.
That expectation has become self-fulfilling. When Cyber Command’s contribution to the campaign against the Islamic State took months to materialize, senior leaders across the Department of Defense concluded that cyber was inherently slow and began planning without it. Commanders stopped asking for cyber support in time-sensitive situations because they had learned not to expect it.
Twenty years of operations have taught me that this expectation is wrong. Advantage goes to those who can act within the real decision window: Not the timeline we wished we had, nor the timeline that fit our processes, but the actual minutes the commander has before a hostage is moved, a weapon is launched, or an adversary changes position. A cyber effect that arrives late after that window closes — no matter how technically brilliant — is irrelevant.
Three Principles
If the speed-control-intensity tradeoff product of Cyber Command’s design rather than a law of physics, what should a redesigned force optimize for? Three principles point the way.
First, speed is the standard. The benchmark should be 30 minutes or less, because that is the real timeline of a crisis. If cyber cannot deliver within the window, a commander has to make a decision; it will not be part of the plan.
Second, readiness means starting from a position of strength, not scrambling to build from scratch. The concept of persistent engagement — maintaining continuous access to adversary networks, monitoring threat infrastructure in real time, and pre-positioning capabilities before a crisis begins — has been an important evolution because it ensures the force is not starting from zero when the phone rings. But in practice, operations still depend on footholds in adversary networks — vulnerabilities, compromised credentials, or implanted software — that are fragile, slow to weaponize, and often unusable when the mission window arrives. A better approach starts with what is available right now and asks how cyber — combined with special operations forces, intelligence agencies, diplomats, law enforcement, or partner nations — can compress the timeline to an outcome. As the National Security Council’s Senior Director for Cyber, Alexei Bulazel has put it, cyber is an accelerant when paired with other tools of national power. When cyber operators can geolocate a target in real time, a special operations team that would have spent days searching a city can launch within the hour. Cyber is rarely decisive on its own, but paired with the right partners, it makes everything faster.
Third, integration over independence. The instinct within the cyber community has been to prove that cyber operations can deliver standalone strategic effects — the digital equivalent of a bomber wing. That aspiration has shaped how Cyber Command organizes its teams, develops its tools, and measures success — around independent cyber campaigns rather than around making joint operations faster. But the missions where cyber has mattered most tell a different story. When cyber operations helped special operations forces find the target, provided the Treasury Department data to freeze a terrorist’s bank accounts, or produced evidence that led to an indictment and arrest, no one asked whether cyber delivered the final blow. They asked whether the mission succeeded. The force should be structured and evaluated accordingly — organized around enabling every other instrument of national power, not around proving that cyber can go it alone.
Why the Force Can’t Deliver, Yet
These principles describe what a reformed cyber force should look like. However, the current Cyber Mission Force — the operational arm of U.S. Cyber Command, roughly 6,200 military and civilian personnel organized into 135 teams across five military services — is not built to deliver them. Each service brings different priorities, cultures, and training pipelines, and the force is built on a talent model that makes operational speed nearly impossible.
The majority of the force’s personnel fall into two categories. The first are operators who can execute prebuilt exploitation scripts and use established access platforms as designed, but whose effectiveness is bound by what those tools were built to do.
The second are the high-performers who have developed deep knowledge of specific tools and adversary networks — their architecture, defenses, and vulnerabilities — but who cannot write new code, adapt an exploit for an unfamiliar system, or build a custom tool when existing capabilities don’t fit the target.
Both categories are limited to the capabilities that a small cadre of developers and National Security Agency engineers have built in advance. When the pre-built tool doesn’t match the target — and in a crisis, it often doesn’t — the operation stalls.
A third, far smaller group — elite operator-developers — does not just use existing cyber tools but builds them, modifies them in real-time, and adapts them as conditions change. These operator-developers’ understanding of the digital systems in which they operate often exceeds that of the engineers who designed them, and only they can consistently deliver speed, control, and intensity at the same time. But they are extraordinarily rare — only dozens across an enterprise of thousands — and they carry the offensive cyber burden for the whole force. The tradeoff persists not because cyber operations are slow, but because the force is built around the majority rather than scaling the capabilities of an elite minority. Change that, and the tradeoff disappears.
Rebuilding the Cyber Force for Real Conflict
Three changes would transform Cyber Command’s ability to deliver speed, control, and intensity simultaneously.
First, scale the expertise of the elite. The scarcity of top-tier operator-developers is a structural bottleneck. The fix is automation and modularization: Translating the best operators’ techniques into repeatable systems that allow less experienced operators to execute complex operations with precision and speed. This could include disabling an adversary’s air defense communications, redirecting network traffic to isolate a target, or extracting intelligence from a hardened system. This isn’t about building massive platforms. It is about producing lean, resilient tools designed to be used continuously by any trained operator, not just the elite few. Agentic AI accelerates this shift. When elite operators encode their tradecraft into AI agents that can autonomously handle the time-consuming steps of an operation — reconnaissance, access validation, tool selection — operators at every tier are freed to focus on judgment and mission-critical decisions.
The private sector has already demonstrated this underlying principle. The NSO Group, an Israeli cyber intelligence firm, and its Pegasus platform, ethical concerns aside, proved that powerful cyber capabilities become operationally useful at scale only when they are repeatable and usable by average operators. Agentic AI is the next evolution of the same idea: Push even more complexity into the system, further lower the skill floor for effective employment, and let humans focus on what only humans can do. When you do that, the majority become effective contributors to crisis operations, and the force is no longer dependent on a handful of irreplaceable individuals.
Second, invert the career model. Cyber Command’s career progression currently places defense at the bottom as the entry-level assignment, then tool development, then offense at the top. That sequencing is inverted. Defense is the hardest mission in cyber operations, requiring deep knowledge of how systems work from hardware up, how adversaries behave, and how to protect sprawling, complex networks.
The current model exists because the services — not Cyber Command — control the training pipeline, and they default to placing new personnel in defensive roles where the risk of an operational mistake is lowest. Putting the least experienced people on your hardest mission means the networks that matter most are defended by the people who understand them least. A force built for speed should reverse the model: Offense first, then tool development, then defense. Starting every cyber professional in offense carries risk — a poorly executed operation can burn an access or cause unintended effects. But that risk is manageable with proper supervision, and the payoff is substantial. Operators would develop an attacker’s mindset, learn first-hand how cyber integrates with special operations and intelligence in joint missions, and build the technical intuition that no classroom can replicate. The best operators transition into tool development, where they build automation — like the frameworks described above — that solve real problems because they have lived the gap between what a pre-built tool can do and what the mission requires. The most capable developer-operators move into defense, where they recognize adversary threats sooner and impose real costs on attackers.
Third, push authority down to where it can be used. Even with the right people and right tools, cyber operations will remain slow if every significant action requires approval from senior officials far removed from the operational situation. The military has already solved this problem in other domains. Special operations teams typically include a joint terminal attack controller — a trained specialist embedded with the ground force who is authorized to call in airstrikes within the parameters of the air tasking order. The rules of engagement are set in advance, and the authority to act within those rules is delegated to the person closest to the fight. Not every situation works this way; some strikes require authorization from higher headquarters, and some cyber operations will too. But the default should be delegated authority within defined parameters, not centralized approval for every action. Pre-approved cyber authorities — aligned with the geographic combatant commander’s plan and subject to the same guardrails that govern other time-sensitive military operations — would let operators act at the speed the mission demands. The guardrails remain. The latency disappears.
The Next Fight Will Be Fast
When the next crisis erupts, there will be no time to argue about approvals, develop new network access from the ground up, or re-engineer tools to fit an unfamiliar target. There will only be the clock, the mission, and the people charged with accomplishing it.
Long-term strategic operations — the kind that take months or years of development to produce high-end effects against hardened targets, like the operation that damaged Iranian nuclear centrifuges or the attacks that brought down portions of Ukraine’s power grid — remain crucial. But the force cannot be organized exclusively around them when the majority of real-world demands look like CT Brian’s phone call: A hostage who will be moved in an hour, an embassy under threat, a weapon that must be disabled before it is used. Those situations are measured in minutes, and a force that cannot answer in minutes is a force that does not get asked.
The reforms outlined here — scaling elite expertise through AI and automation, inverting the career model to build offensive skill first, and delegating authority to the operators closest to the fight — are not aspirational. They are achievable with current technology and existing authorities. What they require is an institutional willingness to break from a model that was built for a different era and a different mission. The operators coming up behind me are every bit as talented and driven as the ones I had the privilege of leading. They deserve a force structure that matches their skill with speed, their initiative with authority, and their commitment with tools worthy of the mission.
The next phone call is already coming.
Timothy N. Neslony is a cyber strategist and retiring Air Force officer with more than 20 years in offensive cyber operations and national cyber policy. He began his career on keyboard as an NSA operator and developer, went on to build and command multiple U.S. Cyber Command-aligned operational units, and later served on the Joint Staff, in the Department of Defense, and at the White House as Director for Military Cyber Policy. His perspective is rooted in two decades of driving the evolution of U.S. cyber power, from early experimentation to expanding the realm of the possible to advanced employment in conflict and crisis.
The views expressed here are the author’s alone and do not constitute endorsement by the Department of the Air Force, the Department of Defense, or the U.S. government.
Image: Sgt. Renee Seruntine via DVIDS
