Counter-Surveillance for Executives: Recognising Surveillance and Breaking It

Surveillance detection sits at the boundary between personal security and intelligence work. For most executives, the relevant question is not how to conduct a surveillance detection route (that is for their security team), but how to recognise that surveillance is occurring, what to do when they think they have seen something, and how the security operation adapts when surveillance is confirmed.

This article covers the practical dimensions of surveillance and counter-surveillance in the executive protection context.

Why surveillance matters

Most targeted threats – kidnapping, armed robbery, assault, extortion – are preceded by a surveillance phase. The adversary needs to understand the target’s schedule, their security measures, the predictability of their movements, and the opportunity to act. This information gathering takes time and leaves indicators.

The significance is that surveillance is when intervention is possible. Once the attack is underway, options narrow significantly. A security operation that can identify surveillance in progress has an opportunity to disrupt the threat before it materialises: change the route, alert local authorities, or increase protection measures. This is why surveillance detection is described in ASIS International’s Protection of Assets standard as a primary protective function, not an optional enhancement.

Control Risks’ 2025 RiskMap identifies targeting and surveillance activity as the consistent pre-incident factor across kidnapping, assassination, and complex attack cases globally.

What surveillance looks like

Surveillance can be conducted on foot, by vehicle, from a static position, or technically (cameras, tracking devices, phone intercept). For most corporate protection contexts, the concern is static and mobile human surveillance.

Foot surveillance indicators:

• The same individual appearing in multiple locations that are separated by distance and time
• An individual who appears to watch a target’s departure or arrival rather than have a purpose of their own
• Someone who mirrors a change of pace or direction
• An individual who is inappropriately dressed for the environment (dressed for cold weather in a warm location, or vice versa)

Vehicle surveillance indicators:

• The same vehicle appearing near the principal’s home, hotel, or office on multiple occasions
• A vehicle that slows near a known departure or arrival point without an apparent reason
• A vehicle parked with an occupant who appears to observe rather than wait
• A vehicle that follows at a consistent distance across a route change

These indicators are not conclusive individually. A single matching description on a single day is not surveillance. A pattern across multiple incidents, involving the same physical description or vehicle registration, is the significant trigger.

The response to a surveillance sighting

The correct response to a suspected surveillance sighting is to note it – time, location, description, any registration or other identifying detail – and report it to the security team. Not to confront the potential surveillant, not to take independent action, and not to dismiss it without logging it.

The security team’s response will depend on the threat level and the quality of the indicator. At minimum, the sighting goes into the threat log and alters route planning. In high-threat environments, a confirmed surveillance sighting triggers an immediate increase in protection posture, a route change, and potentially an alert to local authorities.

Challenging a surveillant is dangerous and counterproductive. It confirms to the surveillance team that the target is security-aware, potentially triggering an acceleration of whatever operation they are planning. It provides no protective benefit and may provoke an immediate response.

Surveillance detection routes

A surveillance detection route (SDR) is a planned movement pattern designed to surface surveillance by creating situations where a tail must make a binary choice: continue following and risk exposure, or break off.

An effective SDR uses the environment to create these decision points: a narrow corridor where anyone behind the principal is visible, a sudden direction change that requires a tail to respond in a way that is not natural for someone with an independent purpose, a re-entry into a location just exited. The SDR is observed not only by the principal but by counter-surveillance team members positioned ahead of and behind the principal who can watch for the surveillance response from outside the immediate picture.

SDRs are a trained skill. An SDR run by an untrained individual without a supporting surveillance detection team is likely to be recognisable as deliberate route disruption rather than natural movement. Competent surveillance teams will note this and adapt. SDRs are appropriate for specific threat scenarios managed by trained operators – they are not a general executive awareness tool.

Pattern reduction: the practical step

The most practical counter-surveillance measure available to an executive who does not have a dedicated surveillance detection team is route and routine variation.

Predictability is what surveillance exploits. A principal who departs at the same time every morning, uses the same vehicle, travels the same route, and arrives at the same office entrance at a predictable time has reduced the cost of surveillance to almost nothing. An adversary needs only to observe the pattern once and confirm it on subsequent days.

Varying departure times by 20-30 minutes, using different vehicles where available, entering buildings through different access points, and changing the sequence of regular visits are all low-cost measures that meaningfully increase the surveillance burden. This is not security theatre. Control Risks and Kroll security methodology both identify routine variation as a primary personal security measure for executives in elevated-risk environments.

Technical surveillance: a different problem

Human surveillance can be managed with awareness and variation. Technical surveillance – audio devices in a room, tracking devices on a vehicle, phone intercept software – requires a technical response.

If a principal or security team has reason to believe technical surveillance is occurring (behaviour suggesting advance knowledge of plans, devices found by staff, intelligence indicating targeting), the correct response is a professional TSCM sweep rather than a personal search. Personal searches are not effective against professional technical surveillance. TSCM equipment designed for this purpose detects RF emissions, carrier frequencies, and physical anomalies that a visual inspection will not find.

For more on TSCM methodology and when to commission a sweep, see our article on technical surveillance countermeasures.

For a detailed examination of how adversaries build target profiles from publicly available data – and how to reduce that exposure – see our article on OSINT and personal security for executives.

For city-specific surveillance risk contexts, see our profiles of Bogota, Lagos, and Moscow. For executive protection services that include surveillance detection capability, see our executive protection page. For government officials and public figures who face ideologically motivated surveillance as a distinct threat category, see our security for government officials and public figures guide. For the pre-surveillance phase – the hostile reconnaissance that precedes deployment of surveillance – and how to detect it before it becomes operational, see our hostile reconnaissance detection guide.