How do gender hierarchies inform processes of strategic change? Drawing upon feminist institutionalism and security studies, we argue that gender hierarchies form the boundaries of acceptability for strategic change. We conduct a qualitative feminist analysis of cyber strategy policy documents and expert commentary around a 2018 shift in US cyber strategy. We identify two ideal-typical modes of masculinity—military and “tech”—as influential in conditioning US cyber strategy. The interaction of these masculinities facilitated the emergence of “defending forward” and “persistent engagement” as proactive, dynamic, and suitably masculine new strategic concepts. The previously preferred strategic concept, deterrence, conversely, was constructed in line with feminized tropes as weak, passive, and reactive. Strategic change is facilitated by a change in the meaning of a specific gender norm—masculinized action—while still constrained by the continuation of a broader gender hierarchy of masculinities over femininities, and the associated valorization of action over passivity and dependence.