Cyber Effects Perspectives

Integrating Hunt Forward Operations for Enhanced UK Cyber Campaigning


The UK should integrate defensive and offensive cyber capabilities into a unified cyber campaigning strategy, with 'Hunt Forward' operations for intelligence and access.

Since 2016, the UK has maintained a degree of organisational and strategic separation between ‘defensive cyber’ and ‘offensive cyber’, the latter also known as cyber effects capabilities.

However, there is increasing recognition from practitioners and policymakers that the UK should move towards cyber campaigning, where both defensive cyber and offensive cyber are integrated into one continuous strategic grapple in cyberspace. The UK government has acknowledged that cyberspace is a domain of continuous competition in Responsible Cyber Power in Practice and the Strategic Defence Review 2025, which aligns with cyber persistence theory.

The UK has an opportunity to take a defensive cyber type of operation, Hunt Forward operations, and extend it into an integration platform for offensive cyber.

What are Hunt Forward Operations?

‘Hunt Forward’ is a defensive cyber activity coined by US Cyber Command (USCYBERCOM), which involves deploying experienced cyber personnel physically into the networks of partner and allied nations to proactively threat-hunt adversary activity.

Picture the server rooms of an undisclosed defence ministry overseas. A small team of international cyber specialists work shoulder-to-shoulder with local engineers. Network maps spider across whiteboards, and a careful translation of jargon takes place over the quiet hum of the racks of equipment. The detective team are physically present inside a partner network, flying out with carry-on suitcases of servers to help search for command-and-control nodes, malware families and operational patterns; faint fingerprints of adversaries that might otherwise remain hidden. This scene is unusual as operators usually only look after their own nations’ networks.

The UK MOD have already conducted some Hunt Forward operations. These have been limited due to the perennial challenges of recruiting and retaining experienced cyber personnel to meet the UK’s busy operational landscape.

‘Hunt Forward’ is a military term, but the underlying principle – forward-deployed, collaborative threat hunting – need not be delivered by defence establishments alone.

What’s the Opportunity?

USCYBERCOM staff have previously noted that Hunt Forward operations enable them to observe adversary tradecraft in environments that may be closer to the ‘front lines’ of hostile cyber activity, in other words, to gather better intelligence. Allies geographically or politically proximate to adversaries often experience different targeting patterns and techniques. The intelligence from Hunt Forward operations can inform the training and upskilling of offensive cyber operators, refine targeting methodologies, and create opportunities for deception and counter-infrastructure strategies. In effect, the defensive hunt becomes the reconnaissance phase of a broader operational cycle.

Not all intelligence derived from Hunt Forward will align with offensive priorities. The infrastructure identified during a defensive investigation may belong to compromised third-party systems rather than the adversary themselves. Additionally, Hunt Forward teams are unlikely to focus on bespoke, strategically calibrated exploits, such as highly tailored malware targeting critical operational technology systems (for example, Stuxnet). Hunt Forward’s value lies in breadth of visibility and speed of detection, not necessarily in preparing the ground for particular cognitive effects.

In addition, Hunt Forward operations provide a vantage point outside of domestic networks to stage ‘countermeasures’ against an adversary’s infrastructure. In other words, analysts can observe adversary tradecraft in operational environments, collect telemetry unavailable through remote sensors and build relationships with local defenders who understand the intricacies of their own infrastructure.

Policy Recommendations

This author recommends three modest but meaningful policy changes that would enable the extension of Hunt Forward operations into an integration platform for offensive cyber:

  1. Establish conditional planning permissions.
  2. Develop a structured host-nation consent framework.
  3. Select partnerships where the deep trust required for such operations can be sustained.

Recommendation 1: Conditional Planning Permissions

Conditional planning permissions should be established for Hunt Forward deployments. Embedding personnel into Hunt Forward teams would ensure that offensive operational opportunities are recognised early and that collected intelligence is structured in a way that supports future campaigns. Allowing personnel to conduct preliminary operational planning – within clearly defined parameters – saves time. These permissions should not permit immediate offensive activity; rather, they would allow teams to prepare options that could be rapidly approved if circumstances change.

Recommendation 2: Host Nation Consent Framework

Equally critical is host-nation consent. Hunt Forward operations take place on allied networks, often at the invitation of governments with their own legal frameworks, risk tolerances and political constraints. Their willingness to host a limited defensive threat-hunting mission does not automatically translate into consent for their networks to serve, overtly or covertly, as staging grounds for offensive cyber operations. Trust-building is vital for progression.

The UK should also pursue a formal host-nation consent framework, ready for negotiation with allies to deliver Hunt Forward operations. These missions depend on extraordinary levels of trust. A partner nation is effectively inviting foreign cyber specialists into sensitive national infrastructure. If Hunt Forward operations are to support broader cyber campaigning, the UK must be transparent about the possible uses of the intelligence gathered and the conditions under which further action might occur. Such clarity protects both parties and prevents misunderstandings at moments of operational urgency. The framework would articulate baseline UK positions, jointly developed by the NCF and DCEMF, on what data collected during Hunt Forward may be used for offensive planning, whether infrastructure identified in partner territory can be used as pivot points, and how and when host nations are informed of prospective offensive actions derived from joint operations. These negotiations must be carefully aligned with broader diplomatic and security engagement, to ensure that they do not strain alliances.

Recommendation 3: Selective Partnerships

The UK should consider selective partnerships. Hunt Forward operations require skilled personnel, diplomatic effort and sustained engagement with partner institutions. Attempting to replicate the breadth of the US approach (22 Hunt Forward Operations took place in 17 different countries in 2023 with more on the way) could dilute effectiveness, as the UK has more limited cyber resources than the US. Instead, the UK should prioritise a smaller number of partnerships where long-term cooperation is feasible and politically sustainable. Deep relationships – built through repeated deployments and shared operational experience, in the style of Latvia and Canada – are far more likely to generate the trust required for expanded cyber collaboration.

The idea of multinational collaboration in offensive cyber activity is not unprecedented. The international law enforcement operation that dismantled LockBit, Operation Cronos, demonstrated how intelligence sharing and coordinated action across multiple states can produce tangible effects against cyber adversaries. While military cyber operations differ from law-enforcement efforts, the underlying lesson remains relevant: complex cyber threats increasingly require collaborative responses that blend intelligence, access, and operational capability across borders.

Hunt Forward operations are tangible expressions of cyber cooperation between allies. They strengthen collective defence, expose adversary behaviour and demonstrate solidarity in the face of persistent digital threats. The UK should expand Hunt Forward operations not only as defensive assistance but as platforms for broader cyber campaigning, generating access and intelligence to inform offensive cyber operations and cyber campaigning.

© RUSI, 2026.

The views expressed in this Cyber Effects Perspectives are the author's, and do not represent those of RUSI or any other institution.



WRITTEN BY

Tacita McCoy-Parkhill

Cyber Effects Fellow
