Current as of December 18, 2025
MISSION
The Air Force Cyberspace Defense (ACD) weapon system is designed to prevent, detect, respond to, and provide forensic analysis of intrusions into unclassified and classified networks. This weapon system supports the Air Force Information Network Security Operations Center in fulfilling its responsibilities. ACD is operated by the 33rd Cyberspace Operations Squadron (COS) and the 426th Network Warfare Squadron (Air Force Reserve) at Joint Base San Antonio-Lackland, Texas, and various operating locations.
BACKGROUND
ACD evolved from the Air Force Computer Emergency Response Team. The team's primary responsibility was the coordination of the former Air Force Information Warfare Center's technical resources to assess, analyze, and mitigate computer security incidents and vulnerabilities. ACD was officially designated by the Chief of Staff of the Air Force in March 2013.
FEATURES
ACD provides continuous monitoring and defense of Air Force unclassified and classified networks. ACD operates in four sub-discipline areas:
- Incident Prevention: Protecting Air Force networks against new and existing malicious logic by assessing and mitigating known software and hardware vulnerabilities.
- Incident Detection: Monitoring classified/unclassified Air Force networks, identifying and researching anomalous activity to determine problems and threats to networks, and monitoring real-time alerts generated from network sensors. The system also performs in-depth, historical traffic research reported through sensors.
- Incident Response: Determining the extent of intrusions, developing courses of action required to mitigate threats, and determining and executing response actions. The operational crew interfaces with law enforcement during malicious-logic-related incidents.
- Computer Forensics: Conducting in-depth analysis to determine threats from identified incidents and suspicious activities, then assessing damage. It supports the incident response process, capturing the full impact of various exploits, and reverse-engineering code to determine the impact on the network/system.