Maturing the Cyber Force – Replicating the Flying Community’s Training Methods

  • Published
  • By Major Nathaniel C. Ray

When compared to the flying community which has existed since World War 1, the cyber community is still in its infancy stages. The Cyber Mission Force (CMF) was authorized in 2012 and 133 CMF teams reported initial operating capability in 2016.[1] Although CMF teams have been operating at differing levels for a decade, training and tactics development should not be considered mature. United States Cyber Command (USCC) sets joint training standards, but each service is left to develop their own training pipeline. The Air Force is in the process of revising their pipeline, but has failed to capitalize on lessons learned from over a century of aviation training development. In order to increase the quality of cyber operators and to meet the burgeoning demands within the cyber domain, the Air Force should take the best practices from a mature Formal Training Unit (FTU) like Air Force Special Operations Command’s (AFSOC’s) 19th Special Operations Squadron (SOS) and apply them to their cyber training pipeline.

A model of training excellence

AFSOC is known for their elite operational capabilities and high training standards for their special mission crews. This model of excellence has been refined over decades and effectively produces tip-of-the-spear operators. An AFSOC pilot begins their journey at one of four Undergraduate Pilot Training (UPT) locations where they gain basic flight skills and earn their wings. They then transition to the 19th SOS, AFSOC’s FTU, where they are trained how to fly their specific aircraft, which is considered Initial Qualification Training (IQT). They then learn how to employ the special operations mission in that aircraft which is considered Mission Qualification Training (MQT). 

The 19th SOS typically breaks down their MQT syllabus into Basic, Intermediate, and Advanced training which like it sounds correlates to a crawl, walk, run approach. The basic phase focuses on academics and checklist operations, while the Intermediate and Advanced phases place students in highly stressful situations that solidify the skillset needed to perform the special operations mission. Students are under direct supervision of an instructor during every training sortie which allows tailored demonstrations and ensures safe operation of the weapon system.[2] The training is demanding and requires significant preparation including “chair-flying” to be successful. Chair-flying is walking through mentally, verbally, and/or physically what one should do when faced with certain challenging scenarios and is a well-known technique within the flying community. The 19th SOS also follows Coyle’s process to create proficiency through high repetition, high feedback training with vivid memorable rules of thumb, where models of excellence are demonstrated.[3] These methods are a large part of what makes them so successful at creating high-performing operators.

Students must also pass an evaluation after each phase. If they do not progress, they are removed from training and are usually sent to a less-demanding non-combat aircraft. Once they graduate from the 19th SOS, they are considered mission ready and join an operational unit. The ops unit will typically perform an informal sortie with an in-house instructor who ensures they are ready to deploy, but it is assumed based on past results that the student is fully mission-ready. After completing theater specific ground training and ensuring all medical and fitness requirements are current, they are considered Combat Mission Ready and able to be sent on real-world missions.[4]

In order to train to the most current Tactics, Techniques, and Procedures (TTPs) the 19th SOS is able to cross-pollinate with ops units and leverage the veteran experience of its contract instructors. Many of the “blue-suiters” spent an entire Active-Duty career flying an aircraft like the AC-130 gunship and become FTU instructors after retiring. Additionally, ops units will rotate operators with a handful of deployments under their belt into the FTU for a few years. This level of real-world operational experience is critical in developing students into mission ready operators and ensuring training remains relevant to current TTPs. There is also natural synergy due to the 19th SOS being co-located on Hurlburt Field with most of AFSOC’s operational units. Often the FTU will draw on operational units’ instructors to support student training. Operational units also send their Airmen to the FTU for certain upgrade training like Aircraft Commander and Instructor upgrade. This close proximity allows upgrade training to occur with low logistical overhead and zero TDY costs.

Lastly, nearly every AFSOC weapons system has a robust simulator that allows realistic training to occur before an actual flight. These simulators are near-exact replicas of actual aircraft mission systems and allow challenging scenarios to be repeated until a student demonstrates proficiency both as an individual and within a crew. This saves money in fuel costs, but also allows training to occur at an appropriate pace, based on the instructional phase. The basic and intermediate phases typically rely heavily on simulator instruction, while the advanced phase requires students to perform the mission in flight.

All training phases require significant crew integration and is what makes AFSOC Airmen so effective in combat. The AC-130J gunship for example takes a crew of nine to aviate and navigate, communicate to air and ground assets, target & track enemies, and shoot & reload Precision Guided Munitions, 30mm, and 105mm cannons. This takes a ballet of checklists and Crew Resource Management (CRM) that is developed over many repeated realistic scenarios both in the simulator and aircraft. CRM skills are also integrated into all AFSOC training syllabi and evaluated during all initial and periodic evaluations.[5]

This model of excellence that the 19th SOS has refined over decades can be applied to the cyber career field with similar results.

The Problem with the Current Cyber Training Pipeline

AFSOCs successful training model is underpinned by highly experienced instructor cadre, realistic simulators with challenging scenarios, training as a crew, and the expectation to produce an operator who can satisfy combatant command requirements immediately upon graduation the FTU. Conversely, the current Air Force Defensive Cyber Operations (DCO) training pipeline does not effectively produce USCC qualified Airmen that can operate independently upon graduating. Instead, it produces a half-finished operator that needs significant training investment to become proficient. This outcome does not support the USAF Information Warfare Strategy call for “professionals that are technically proficient in their primary functional area…and understand how to deliver effects in support of air and joint force objectives.”[6] Understanding the current DCO training pipeline will make clear what needs to change going forward.

The journey for new 17S or 1B4 Air Force Specialty Code (AFSC) Airmen begins at Keesler AFB where Air Education and Training Command (AETC) instructs basic cyber fundamentals. Graduates gain their cyber wings and move onto weapon system specific training. The 39th Information Operations Squadron (IOS) at Hurlburt Field instructs Cyber Defense Analyst courses with the intent to train students on basic host and network operations as well as weapon system usage. The current courses provide a basic level of instruction and do not require Qualification (QUAL) or Mission (MSN) Evaluations aka “Checkrides”. Instead, skills are assessed via written and performance-based tests at the end of each block, much like a traditional classroom environment. After graduating from the 39th IOS, operators are sent back to one of 18 DCO squadrons in the nation. Each unit is responsible for developing their own MQT and for carrying out both a QUAL and MSN Eval for their new Airmen. If the Airmen pass MQT and the two Evals, they are allowed to operate independently on mission.

The problem with this approach is that the 39th IOS produces an operator that can only perform at the most basic level and who still needs instructor oversight. AFSOC on the other hand, expects an FTU graduate to have completed all phases of training and is fully mission ready, deployable, and able to operate without an instructor when they reach the operational unit. In Air Force cyber, operational units shoulder the burden of providing this in-unit MQT and training operators in both the intermediate and advanced phases, which USCC calls Senior and Master-level.[7] The intent of MQT is to produce an operator that is capable of passing a QUAL and MSN Eval. Unfortunately, MQT is not standardized as each unit develops their own syllabus and training material. Although the QUAL & MSN Eval should require the same skills for all operators, evaluation profiles are also unit developed. This disparate training and evaluation profiles combined with a units’ high operational tempo, result in subpar training and a lack of standardization across the cyber community

Figure 1. Operational View 1 from ACC A3/2/6KD

Additionally, the current 39th IOS training model focuses almost entirely on individual skills, but combat operations require the ability to operate effectively within a cyber crew. The MSN Eval must be accomplished while operating within a cyber crew, but no standardized instruction occurs on how to effectively manage or operate within a crew. Some of the critical skills needed to effectively operate include crew communication, case management, CRM, and following the plan, brief, execute, and debrief (PBED) cycle. Executing these skills effectively within a team is not currently taught at the FTU.

Cyber Training Should Copy the Special Operations Forces (SOF) aircrew model

AETC’s portion of the cyber training pipeline can be correlated to learning how to “fly the airplane” at UPT. However, the current cyber weapon system FTU is not expected to produce a fully mission ready operator like the SOF FTU does. This expectation should change and the cyber FTU should be responsible for producing fully qualified cyber operators. As it is right now, the 39th IOS is only charged with bringing operators to the basic phase and places the training burden of the intermediate (Senior) and advanced (Master) phases on the units to carry out. In order to standardize training and evaluations, the 39th IOS should add rigorous intermediate and advanced phases with QUAL and MSN evaluations that assess operator’s ability to carrying out the USCC Cyber Protection Team (CPT) functions[8] of hunt, clear, enable hardening, and assess within a cyber crew. The Cyber Operations Squadron (COS) units can then informally validate that the operators are ready to employ their weapon system unsupervised. The 39th IOS should also develop a robust cyber range that allows challenging scenarios to be easily repeated. These simulations should develop both individual skills and the ability to operate effectively within a crew. In doing so, the Air Force would be matching China’s rapid development of cyber ranges for the same reasons.[9]

Additionally, the 39th IOS should be responsible for providing upgrade training for instructors and cyber crew leads (CCLs) in order to standardize performance in these crucial roles. USCC requires CCLs to lead cyber crews within the CPT construct.[10] There is currently no formal CCL course in existence, which is a critical role in ensuring mission success.

ACC should also consider moving the 39th IOS to Joint-Base San Antonio (JBSA) where the majority of operational units reside. This proximity would foster natural cross-pollination between the FTU and the operational units along with ensuring training keeps pace with current TTPs. It would also allow operational unit’s instructors to augment FTU instructors when needed and for upgrade training to occur with low logistical overhead. Additionally, the 39th IOS should seek to hire contract personnel that not only have deep cyber knowledge, but have years of experience operating within the CPT construct and are fully qualified on the weapon system they instruct.


To summarize, in order to emulate the AFSOC training model the 39th IOS should change the following:

  • Develop and execute Intermediate and Advanced MQT courses that prepare students to pass QUAL and MSN evaluations.
  • Execute standardized QUAL and MSN evaluations at the FTU in order to provide fully mission qualified operators
  • Provide upgrade training courses for Instructors and CCLs
  • Develop challenging scenarios on a cyber range that foster high repetition, high feedback training that provides opportunity to instruct vivid memorable rules of thumb, and where models of excellence can be demonstrated.
  • Inculcate a culture of CRM and focus scenarios on crew operations.
  • Consider moving the 39th IOS to JBSA to increase synergy with the majority of operational units.
  • Ensure instructors are fully qualified on the weapons systems they instruct and have experience executing in the CPT construct.


The cyber domain continues to be the place our adversaries choose to leverage more than any other due to their ability to operate with perceived impunity just below the threshold of armed conflict. In order to prevail in this domain, the DoD must invest in building a mature cyber training pipeline that produces competent operators. If this action is not taken, the Air Force and ultimately the military will struggle in successfully defending against nation-states’ Advanced Persistent Threat (APT) groups who operate at an elite level. These groups have mastered the ability to hide within the cyber domain and only high-performing teams are capable of hunting and clearing them from critical mission systems. The main way the military can match parity with these APT groups is to revise the current training pipeline in a way that produces competent mission-ready operators upon graduation. The Air Force has successfully refined their flying training into a well-oiled machine that produces the finest pilots in the world. This model of excellence should be replicated within the cyber training pipeline.


Major Nathaniel C. Ray
Major Ray is the deputy commander of the 262nd Cyber Operations Squadron at Joint-Base Lewis McChord, WA. He was commissioned through ROTC at Det 695, University of Portland, OR in 2009. He graduated from Undergraduate Combat Systems Officer Training in 2010 and proceeded to be trained at the 19th SOS in the U-28A Draco aircraft. He then joined the 319th SOS and deployed 5 times to various worldwide locations flying over 1765 hours. In 2014 he joined the 19th SOS Instructor cadre and taught U-28A combat operations for 2 years before joining the Air National Guard. In 2019 he cross-trained into cyber operations and attended 10 months of 17S pipeline training including the 39th IOS CVA/H course. Upon returning to the 262nd COS he served as the Assistant Director of Operations and Cyber Protection Team Lead.


[1.] United States Cyber Command, “History,” Accessed July 8, 2022,

[2.] Air Combat Command Manual (ACCM) 17-2CVA/H, VOLUME 1. CVA/H Training, 19 January 2021.

[3.] Daniel Coyle, The Culture Code - The Secrets of Highly Successful Teams (Random House Business Books, 2019)

[4.] Air Force Manual (AFM) 11-2AC-130J, VOLUME 1. AC-130J Aircrew Training, 13 September 2019.

[5.] Air Force Instruction (AFI) 11-290. Air Force Special Operations Command Supplement Cockpit/Crew Resource Management Program, 29 August 2018.

[6.] HQ USAF, USAF Strategy for Information Warfare. (Washington D.C.: Headquarters of the United States Air Force, 8 July 2022)

[7.] Maj Scott Polcyn, Operational View 1 - ACC CVA/H Write Conference Outbrief (ACC A3/2/6KD, 19 Nov 2021), slide 4, fig. 1.

[8.] Cyber Warfare Publication (CWP) 3-33.4, Cyber Protection Team Organization, Functions, And Employment, 28 January 2020.

[9.] Cary, Dakota. Downrange: A Survey of China’s Cyber Ranges. Washington D.C.: Center for Security and Emerging Technology, September 2022.

[10.] Cyber Warfare Publication (CWP) 3-33.4.