When compared to advancements in conceptualising deterrence in other domains, cyber deterrence is still in it messy infancy. In some ways cyber deterrence practice outpaces cyber deterrence theory. Tactics, strategy, doctrine, and policy are developed and put to use even before corresponding theories are properly understood. This article analyses how American cyber deterrence has been implemented over the past two decades in order to inform ongoing debates within the academic study of deterrence, and to provide insights from practice for how cyber deterrence theory can be better conceived and refined.