Our Work


For a complete list of IACD documents, please click here.

Integrated Adaptive Cyber Defense (IACD) is a strategy and framework to adopt an extensible, adaptive, commercial off-the-shelf (COTS)-based approach to cybersecurity operations.

IACD increases the speed and scale of cyber defenses by leveraging automation to enhance the effectiveness of human defenders, moving them outside the response loop into a response planning and approval role “on the loop” of cyber defense.

This effort is sponsored by the Department of Homeland Security (DHS) and the National Security Agency (NSA) in collaboration with the Johns Hopkins University Applied Physics Laboratory (JHU/APL). Through jointly sponsored research (in collaboration with the private sector), IACD defines a framework—including reference architectures, draft specifications for interoperability, use cases, and implementation examples—to adopt this extensible, adaptive approach to cybersecurity operations.

Our goal is to dramatically change the timeline and effectiveness of cyber defense via integration, automation, and information sharing.


Our Approach

Our approach is to rapidly and iteratively execute a series of reference implementations, each exploring specific use cases in order to:

  • Prove concepts using integrations of commercial products
  • Provide insights into potential challenges
  • Identify gaps in technology, the availability of commercial solutions, policies, and standards
  • Gather requirements to facilitate appropriate standards development

Spiral Summaries

Every 90 days, JHU/APL selects IACD concepts to research, architect, and implement. In a field where cybersecurity and technology advance rapidly, this fast-paced spiral development plan is meant both to keep pace with the cyber defense community and to develop and advance complex concepts. JHU/APL is currently in its seventh spiral, exploring “Trust, Automated, Response Actions Across Environments.” The timeline below offers brief summaries of the outcomes from each of the past spirals.

Spiral Timeline »


Relevant Documents:
IACD Baseline Reference Architecture*

*We want your feedback!

The IACD architecture is intended to be a flexible, extensible, and interoperable framework that allows vendors, users, and stakeholders to consider the critical elements of IACD and what is necessary to integrate a variety of products to meet the specifics of a given enterprise. Additionally, the IACD architecture is continually being updated to reflect recent research, analysis, and experimentation.


Relevant Documents:
Orchestration Thin Specification*

*We want your feedback!

To help the cyber defense community adopt and implement IACD, certain capabilities and services require specifications. Each specification states a minimum set of requirements for a particular IACD component, so that products that already exist and products under development can align themselves with IACD capabilities and services. The specifications are also published to elicit feedback from the community, which is then used to refine them.

Integration Development

Spiral integration work, whether experimental in nature or supporting a pilot implementation, is a critical element in advancing the IACD framework and the adoption of IACD capabilities. Insight derived from this work supports the development and refinement of the reference materials posted on this website (e.g., architecture) and provides worked examples that others can use to develop and implement their own IACD solutions.


IACD provides a mechanism where business- and operations-driven objectives, processes, and controls—including those captured via a Cybersecurity Framework profile—can be translated and applied as automated response actions. Via IACD playbooks, conditions, indicators, and controls that drive the need for cybersecurity responses are captured for orchestration services to monitor and execute.

Playbooks bridge the gap between an organization’s policies and procedures and a security automation and orchestration (SA&O) vendor’s capabilities by showing how an SA&O vendor is able to satisfy a client’s policy and procedure requirements through repeatable and auditable processes, with points where security automation can be implemented.

Supporting Materials

  • Why IACD Playbooks?
  • What’s in a Playbook?
  • How to Build a Playbook?

Playbooks

  • Autoimmunity Playbook for Information Brokers
  • Investigate Loss of Internal Service and Rebuild Server Playbook

Playbook Jam Sessions

At Integrated Cyber on October 17, 2017, the Center for Internet Security and JHU/APL co-hosted a playbook jam session. Three IACD playbooks were created as a result of that session:

  • Asset Management: Compromised Local Admin Credential Detected
  • Account Control: Employee Transitions or Leaves Organization
  • Asset Management: Potential Malware Detected on Device

To see these playbooks, click here.

Notes: Whenever there are options for analysts/operators to select, approve, or authorize, they may choose a “none of the above” option, which simply moves them to the next step in the playbook. For example, in the Compromised Credentials playbook, an organization may not want to take any initial actions to mitigate until they perform more in-depth analysis. Also, a workflow that is implemented at an organization may skip steps depending on conditional logic (e.g., Was the employee fired? If yes, do not do an extra investigation and go straight to restriction of privileges).
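The notes above describe two pieces of playbook mechanics: at an approval point the analyst may pick “none of the above” and simply advance, and conditional logic may skip steps (fired employee: skip the extra investigation, go straight to restriction of privileges). The playbook section earlier also stresses that a playbook is a repeatable, auditable process with marked points where automation can run. The following is an added example, not IACD’s own code, specification, or playbook format: a small “on the loop” playbook runner in Python that keeps the human at approval gates, records every decision in an audit trail, and implements both behaviours. The step model, the leaver playbook, its step names and actions, and the events are all hypothetical or constructed for this illustration.

```python
"""A minimal 'human on the loop' playbook runner.

Added example, not code from IACD or JHU/APL. The step model (automated
action, analyst approval gate with a 'none of the above' option,
conditional skip) and the sample leaver playbook are hypothetical
illustrations of the notes in the text; the events are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

NONE_OF_THE_ABOVE = "none of the above"

# An action is an automated response the orchestrator can execute. It
# receives the event and returns a short description for the audit trail.
Action = Callable[[dict], str]


@dataclass
class Step:
    name: str
    action: Optional[Action] = None                   # automated step
    options: dict = field(default_factory=dict)       # approval gate: label -> Action
    skip_if: Optional[Callable[[dict], bool]] = None  # conditional logic
    skip_to: Optional[str] = None                     # step to jump to when skip_if holds


def run_playbook(steps: list, event: dict, approver: Callable[[str, list], str]):
    """Run `steps` in order for `event`.

    `approver(step_name, labels)` plays the analyst on the loop: it must
    return one of `labels`, which always ends with NONE_OF_THE_ABOVE.
    Returns (trail, actions): the auditable trail of every decision and
    the list of response actions actually executed.
    """
    names = [s.name for s in steps]
    trail, actions = [], []
    i = 0
    while i < len(steps):
        step = steps[i]
        # Conditional skip is evaluated before the step runs, e.g.
        # "employee was fired -> skip investigation, go to restriction".
        if step.skip_if is not None and step.skip_if(event):
            trail.append((step.name, f"skipped -> {step.skip_to}"))
            i = names.index(step.skip_to)
            continue
        if step.options:
            labels = list(step.options) + [NONE_OF_THE_ABOVE]
            choice = approver(step.name, labels)
            if choice not in labels:
                raise ValueError(f"{step.name}: {choice!r} is not an offered option")
            trail.append((step.name, f"analyst chose: {choice}"))
            if choice != NONE_OF_THE_ABOVE:  # 'none of the above' just advances
                actions.append(step.options[choice](event))
        elif step.action is not None:
            actions.append(step.action(event))
            trail.append((step.name, "automated"))
        i += 1
    return trail, actions


# --- hypothetical 'Employee Transitions or Leaves Organization' playbook ---

def inventory(event):
    return f"inventory accounts for {event['user']}"

def investigate(event):
    return f"review recent activity of {event['user']}"

def disable_account(event):
    return f"disable {event['user']}"

def revoke_privileged_groups(event):
    return f"remove {event['user']} from privileged groups"

LEAVER_PLAYBOOK = [
    Step("collect account inventory", action=inventory),
    Step("investigate", action=investigate,
         skip_if=lambda e: e.get("fired", False), skip_to="restrict privileges"),
    Step("restrict privileges",
         options={"disable account": disable_account,
                  "revoke privileged groups": revoke_privileged_groups}),
    Step("close ticket", action=lambda e: f"close ticket {e['ticket']}"),
]


def scripted_approver(decisions: dict):
    """Build an approver that answers each gate from a fixed script
    (a constructed stand-in for the analyst console)."""
    return lambda step_name, labels: decisions.get(step_name, NONE_OF_THE_ABOVE)


if __name__ == "__main__":
    fired = {"user": "jdoe", "fired": True, "ticket": "HR-1"}  # constructed event
    trail, actions = run_playbook(
        LEAVER_PLAYBOOK, fired, scripted_approver({"restrict privileges": "disable account"}))
    for step_name, outcome in trail:
        print(f"{step_name}: {outcome}")
    print(actions)
```

The trail is the auditable record the playbook text asks for: it shows which steps ran automatically, which were skipped and why, and what the analyst chose at each gate, including a “none of the above” that executed nothing. An approver answer outside the offered options is rejected rather than executed, so the orchestrator never runs a response the playbook did not expose at that point.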