Protective Intelligence: Understanding Your Threat Before It Materialises

Security Intelligence

Protective Intelligence: Building a Threat Picture Before You Need It

Protective intelligence is the intelligence function of executive protection. This guide explains what it covers, how threat assessments are built, and when organisations need dedicated protective intelligence capability.

Executive Protection | 7 min read | 30 Apr 2026

Written by James Whitfield — Senior Security Consultant

Protective intelligence is the intelligence function of executive protection. It answers the question that precedes every security decision: who is the threat, and what are they likely to do?

Without a current, accurate threat picture, security decisions default to generic measures applied without specific intelligence. That approach protects against the average threat, not the actual one. For principals with elevated threat profiles – executives in high-conflict sectors, senior government officials, high-net-worth individuals with contentious legal exposures – a protective intelligence capability is not a luxury supplement to physical security. It is the foundation on which physical security decisions are built.

What protective intelligence covers

Protective intelligence has four primary functions:

Threat identification. Who has the intent to harm, harass, or disrupt the principal? This includes: individuals who have made direct or indirect threats, persons who have exhibited concerning approach behaviour, former employees with a grievance, activist groups targeting the principal’s organisation, and in some contexts, state or state-proximate actors with an interest in the principal.

Threat assessment. For identified threat actors, what is their capability and intent? A determined individual who has made a direct threat and has a history of violence is categorically different from an individual who has made a social media post that includes the principal’s name. Assessment methodology draws on the work of threat assessment professionals including Gavin de Becker & Associates and the Association of Threat Assessment Professionals (ATAP).

Early warning monitoring. Ongoing monitoring of the information environment for indicators of elevated threat: new threatening communications, social media activity from identified persons of concern, dark web monitoring for personal data or explicit targeting, and news monitoring for events that could affect the threat picture.

Intelligence production. Converting raw information into assessed, actionable intelligence that security decision-makers can act on. This includes regular threat assessment updates, specific alerts when indicators change, and briefings to the protection team and, where appropriate, the principal.

Persons of concern: the management framework

Protective intelligence practice draws a critical distinction between persons of concern and threat actors. A person of concern is an individual whose behaviour warrants monitoring but does not yet constitute a confirmed threat. A threat actor has demonstrated intent and some level of capability.

The management framework for persons of concern is a structured process:

  • Record and document all concerning contacts or behaviour (communications, approaches, incidents)
  • Assess the nature and severity of the concern against established criteria
  • Assign a case status (monitor, manage, or refer)
  • Set review intervals based on the assessed risk level
  • Escalate if indicators change (frequency of contact increases, threatening content appears, physical proximity is established)
  • Coordinate with law enforcement if the threshold for legal action is reached

The Fixated Threat Assessment Centre (FTAC), a joint unit of the Metropolitan Police and the National Health Service in the UK, has published research identifying the behavioural indicators most predictive of escalation from communication to physical approach or attack. This research is used by professional protective intelligence practitioners to calibrate their assessment methodology.

Open-source intelligence for protective intelligence

The majority of protective intelligence collection is open-source. OSINT does not require covert methods and operates entirely within legal parameters.

Sources include:

  • Social media monitoring: keyword alerts for the principal’s name, title, and organisation on major platforms. Tools such as Brandwatch and Mention provide automated monitoring at scale, while manual review is required for nuanced interpretation of threatening content.

  • Court records: restraining orders, criminal history, civil litigation involving persons of concern. In the US, PACER provides federal court records. UK County Court judgments and Crown Court records provide similar data.

  • Incident databases: OSAC (Overseas Security Advisory Council) incident reports, ACLED (Armed Conflict Location and Event Data), and private-sector threat intelligence feeds provide context for environmental threat levels.

  • Dark web monitoring: trade in personal data, credential leaks, and in some cases explicit targeting communications. Dark web monitoring requires specialist tools and interpretation.

  • Corporate and property records: UK Companies House, US SEC filings, and property registries provide information about business relationships and addresses that may be relevant to persons of concern.

State actor and intelligence threats

For principals in sectors that attract state intelligence interest – extractive industries, defence, financial services, critical infrastructure, and senior government roles – protective intelligence includes an assessment of state-level threat.

Documented cases of state intelligence services targeting corporate executives include: Chinese MSS operations against executives in industries subject to Chinese industrial policy (energy, semiconductors, aerospace), Russian FSB operations against executives in conflict-adjacent sectors and against journalists, and various state-proximate actors targeting specific high-profile individuals for their public positions or affiliations.

The UK National Cyber Security Centre (NCSC) and the US CISA (Cybersecurity and Infrastructure Security Agency) have both published public guidance on state-directed threats to executives. The protective intelligence response to a state-level threat is different from a grievance-based individual threat: it prioritises digital security, counterintelligence awareness, and close coordination with relevant government agencies.

Protective intelligence must operate within legal constraints that vary by jurisdiction.

In the UK, processing personal data in connection with a protective intelligence programme requires compliance with UK GDPR, including a lawful basis for processing, data minimisation, and retention limits. The Regulation of Investigatory Powers Act (RIPA) governs covert surveillance of UK subjects. Covert human intelligence sources require specific authorisation.

In the US, the Electronic Communications Privacy Act and various state surveillance statutes constrain electronic monitoring. Conducting physical surveillance of US subjects without legal authorisation creates significant liability.

Professional protective intelligence firms understand these constraints and operate within them. An organisation building an in-house protective intelligence capability should obtain legal review of its collection, retention, and processing practices before beginning operations.

  • For the specific protective intelligence and security posture adjustments required when an executive becomes the focus of public controversy – including fixated individual monitoring, schedule management, and residential security review – see our executive security during controversy guide.

  • For executive protection services that incorporate threat assessment and protective intelligence, see our executive protection page.

  • For understanding the digital component of protective intelligence, see our articles on TSCM and social media OPSEC for executives.

  • For how open source intelligence is used by adversaries to build physical targeting packages – and what individuals can do about it – see our guide to OSINT and personal security for executives.

  • For stalking and workplace harassment as a specific threat category requiring dedicated protective intelligence, see our guide to workplace stalking and harassment security.

  • For the specific protective intelligence considerations that apply to government officials and public figures – fixated individuals, ideological motivation, and state actor threat – see our security for government officials and public figures guide.

  • For hostile reconnaissance as the early-stage threat activity that protective intelligence programmes are specifically designed to detect and disrupt, see our hostile reconnaissance detection guide.

  • For public-facing speakers and keynote presenters – where lone-wolf threat assessment, NFTAC fixated individual methodology, and protective intelligence monitoring of threatening social media activity form a specific application of the broader protective intelligence discipline – see our security for conference speakers and keynote presenters guide.

Summary

Key takeaways

1. Protective intelligence is the difference between reactive and proactive security

2. Persons of concern require a structured management process

3. Protective intelligence is a legal function

FAQ

Frequently Asked Questions

Protective intelligence is the structured collection and analysis of information about threats to a specific person, organisation, or asset. It is the intelligence function of executive protection: identifying who poses a threat, what their capability and intent is, and how that threat might materialise. Protective intelligence draws on open-source research (OSINT), social media monitoring, court records, incident data, and where appropriate, human source reporting. The output is a threat assessment that drives security decisions: protection levels, travel security, physical security measures, and access management. Without a current, accurate threat assessment, security decisions are made against the wrong threat picture.

A threat assessment identifies specific actors or categories of actor who have the intent and capability to harm a specific target. It answers: who wants to harm this person or organisation, and what can they actually do? A risk assessment evaluates the likelihood and impact of adverse events in a given environment or context. Threat assessments are person-specific and actor-focused. Risk assessments can be environmental (a city risk assessment, a venue risk assessment) and do not require the identification of specific threat actors. In executive protection, both are used: the threat assessment identifies who the principal needs to be protected from, and risk assessments determine how to protect them in specific environments.

The main categories are: targeted violence (an individual or group that intends to harm the executive, ranging from a disgruntled former employee to a politically motivated actor); kidnapping and extortion (criminal or terrorist groups that target the executive for financial gain); protest and activism (individuals or groups who intend to disrupt the executive’s public activities rather than harm them physically, but whose actions can escalate or enable other threats); cyberstalking and online harassment (which can precede physical threats and indicates a motivated individual); and state actor interest (intelligence services or state-proximate actors targeting the executive for their information, connections, or the organisation they represent). These categories are not mutually exclusive.

OSINT is the primary collection method for most protective intelligence operations. It covers: social media monitoring for threatening language targeting the principal, court records for restraining orders and criminal history of identified persons of concern, news monitoring for incidents involving the principal’s organisation or sector, dark web monitoring for trade in personal data or explicit threats, and travel and property records where legally accessible. The Berla iVe and PACER court records databases in the US, OSAC incident reports, and UK Companies House records are examples of open sources used in protective intelligence work. OSINT does not require any covert collection and operates entirely within legal parameters.

A dedicated protective intelligence assessment is appropriate when: the principal has received a direct threat or there has been an approach by a person of concern; the organisation is in a high-conflict sector (extractive industries in conflict-adjacent markets, financial services with regulatory disputes, journalism investigating serious crime); the principal has significant public visibility (C-suite at a major public company, senior government official); or a specific event has changed the threat picture (a controversial acquisition, a legal dispute with a determined adversary, a public controversy involving the principal). Ongoing protective intelligence monitoring is appropriate for principals whose threat profile is inherently elevated and does not resolve after a single event.