Doctrine · Research Paper

The Adversary Learning Cycle

Paper PAR-006
Author Parthenius Air Intelligence Unit
Published 2026
Category Doctrine
Read time 11 minutes
Abstract
Security models describe the defender. This paper models the adversary. We formalise the five-stage learning cycle that organised adversaries move through before acting against a protected operation — watching, probing, model building, model testing, and execution readiness — and define the observable characteristics of each stage. We examine why conventional detection sees only the final stage, identify where in the cycle disruption is effective and where it is merely expensive, and describe the regression dynamics that field data shows when a learning cycle is broken. The framework builds on the learnability concept established in The Learnability Problem (PAR-002) and is validated against 19 months of continuous deployment data. The cycle presented here is not a theory of what adversaries might do. It is a description of what the data shows they consistently do.

1. The defender bias

Nearly every model in the conventional security literature describes the defender. Layered defence describes the defender's architecture. Detect–delay–respond describes the defender's sequence. Security maturity models describe the defender's organisation. The adversary appears in these models only as an abstraction — a threat vector, an attack probability, an actor whose behaviour is assumed rather than observed.

This is a structural bias with operational consequences. An operation that models only itself can optimise only itself: more cameras, faster response, higher walls. It cannot answer the question that determines whether it will be breached — what does the adversary currently know about us, and how close are they to knowing enough?

As established in The Learnability Problem (PAR-002), the critical variable in operations facing organised adversaries is not incident frequency but learnability — the rate at which an adversary can build a reliable model of the operation. This paper formalises the process by which that model is built. If learnability describes the defender's exposure, the learning cycle describes the adversary's work.

2. The five stages

Across 19 months of continuous deployment against an organised, well-resourced adversary — and across the prior operational history in rail, energy, and infrastructure that preceded the platform — the same sequence appears. Regardless of target, method, or syndicate structure, the adversary moves through five distinguishable stages before acting.

S1
Watching
Initial attention without commitment. The adversary is assessing whether the operation is worth studying — value of target, apparent difficulty, visible security posture. This stage generates no incident, triggers no alert, and leaves no trace in a conventional log. Most operations never detect it.
S2
Probing
Deliberate, low-cost test events begin. A vehicle passing at the same time each day. An approach that stops short of the perimeter. A minor breach left unexploited. These are data-collection events — measuring response speed, consistency, and coverage gaps — designed to generate information without generating consequence.
S3
Model building
Probe data is assembled into a working model of the operation. Patrol routes are mapped. Handover times are identified. Response assets are tracked and timed. By this stage, the adversary frequently holds a more accurate operational picture of the site than its own management does.
S4
Model testing
The adversary verifies the model against the live operation. The window is confirmed. The specific identified gap is tested. This is the final stage at which disruption remains possible — the last point where the adversary's investment can still be invalidated before it converts into action.
S5
Execution readiness
The model is complete, the window confirmed, the confidence threshold reached. The adversary now holds higher certainty about the outcome than the operation defending against it. An incident is no longer a question of whether. Only when.

Two properties of this cycle matter more than the stages themselves. First, it is sequential. Stages are not skipped. An adversary cannot test a model they have not built, and cannot build a model without probe data. Second, it is cumulative. Each stage represents invested effort — weeks of observation, dozens of probe events, organisational coordination. That investment is the adversary's asset. It is also their exposure.

3. What drives stage transitions

The adversary advances from one stage to the next on a single criterion: confidence. The transition from watching to probing occurs when the target appears worth the cost of study. The transition from probing to model building occurs when probe results are consistent — when the operation responds the same way to the same stimulus often enough to be treated as data rather than noise. The transition from model to testing occurs when the model makes predictions the adversary trusts enough to verify. The transition to execution readiness occurs when verification succeeds.

This has a direct implication that inverts conventional security intuition. Consistency is what advances the adversary through the cycle. An operation that behaves identically every day is not demonstrating discipline — it is supplying the confirmations that move its adversary from S2 to S3 to S4. The predictable operation is not merely observable. It is cooperative.

The adversary does not advance on their own skill. They advance on the operation's consistency.

4. The asymmetry of visibility

Conventional detection is built to observe events that cross a threshold: a perimeter breach, an alarm activation, a confirmed intrusion. Measured against the learning cycle, these thresholds sit almost entirely inside S5 — and occasionally late S4, when a model test happens to trip a sensor.

The consequence is an asymmetry that defines the entire problem. The adversary observes the operation continuously from S1 onward. The operation observes the adversary, if at all, at S5 — after the watching, after the probing, after the model has been built and verified. Both sides are conducting intelligence work. One side has been doing it for thirty days before the other side's instruments register anything at all.

Field observation · Active deployment · South Africa · Month 9
52 confirmed probe events were recorded in a single month by deployment intelligence — approaches, timing runs, and test movements consistent with S2–S3 activity. In a conventional incident log covering the same period, the count would have been zero. No perimeter was breached. No alarm was triggered. The adversary's most productive month of learning was, by conventional measurement, a quiet month.

This is why zero-incident periods are ambiguous, as established in PAR-002. A silent month is consistent with two opposite realities: an adversary who has been denied, and an adversary who is in S3, working undisturbed. Conventional metrics cannot distinguish them. The distinction — the most important distinction in the operation's security posture — exists only at the level of the learning cycle.

5. Where disruption works

If the cycle is sequential and cumulative, the strategic question becomes: where should it be broken?

Disrupting at S5 is interdiction — stopping an attack in progress. It is the most expensive intervention, carries the highest risk to personnel, and recovers none of the strategic position: the adversary's model survives the encounter and is reused. Disrupting at S1 is impossible in any practical sense — watching is undetectable and undeterrable; any valuable operation will be watched.

The productive range is S2 through S4, and the mechanism is not interception but invalidation. The adversary's accumulated asset is their model. A model is only an asset while it predicts. When the operational signature shifts — when patrol logic, response behaviour, and coverage patterns change in ways the model did not anticipate — the model stops predicting, and everything invested in building it is written off.

The economics of this exchange favour the defender for the first time. Advancing through the cycle costs the adversary weeks of coordinated effort. Invalidating that progress costs the operation a signature change. The defender spends variance; the adversary loses capital. Repeated across cycles, this asymmetry is what converts an attackable operation into an unlearnable one — the condition What Is Adaptive Deterrence? (PAR-001) defines as genuine deterrence.

6. Regression dynamics

A broken cycle does not end the contest. Field data shows a consistent pattern following disruption: the adversary regresses to an earlier stage and begins rebuilding. Probing resumes — but against an operation whose signature no longer matches the invalidated model, forcing collection to start substantially from the beginning.

Field observation · Active deployment · South Africa · Months 12–19
Following variance directives issued in months 12 and 13, probe event frequency collapsed from a peak of 52 monthly contacts to 3 — a decline consistent with regression from late-stage model building to early probing. Through month 19, the adversary has remained in S2, probing a signature that continues to shift. Nineteen months of contact. Zero completed cycles. Zero successful extractions.

Regression is not elimination. The adversary documented in this deployment has not left; they have been held at a stage of the cycle where their investment cannot compound. That is the honest description of what sustained deterrence looks like against an organised adversary: not an empty threat landscape, but a learning process that is never permitted to complete. The contest continues. The plan never concludes.

7. Implications

For measurement. An operation facing organised adversaries should know, at any time, what stage of the learning cycle its threat environment reflects. Stage state is a leading indicator; incident count is a trailing one. The Opportunity Denied Rate — the proportion of adversary planning cycles prevented from completing — is the outcome metric this framing produces, and is treated fully in a forthcoming paper in this series.

For design. Security architecture evaluated only for capability — coverage, response time, detection probability — is being evaluated for its performance at S5. Architecture should also be evaluated for what it teaches: how quickly its patterns can be learned, how much confirmation its consistency supplies, and how readily its signature can be varied without losing operational effectiveness.

For assessment. The question a serious operation should put to itself is not are we protected? but where in the cycle is our adversary right now? An operation that cannot answer is not unprotected. It is unobserved in the only direction that matters.

Conclusion

The learning cycle is the adversary's method. It is sequential, cumulative, confidence-driven, and — against a consistent operation — reliable. Conventional security sees its final stage and calls that visibility. The alternative is to treat the cycle itself as the object of measurement and disruption: to detect the probing, track the model building, and invalidate the model before it is tested. The adversary's greatest asset is the intelligence they accumulate about an operation. The defender's greatest opportunity is that this asset can be destroyed without a single confrontation — by ensuring that what was learned is no longer true.

How to cite this paper
Parthenius Air, The Adversary Learning Cycle, Parthenius Air Research, PAR-006, 2026.
parthenius-air.com/the-adversary-learning-cycle