EVENT THREAT & RISK ASSESSMENT

[EVENT TITLE / NAME - EVENT DATE - ENGAGEMENT REF]

The Event Threat & Risk Assessment is the pre-event analytic threat picture prepared before a defined event: it answers, for a specific event (public, private, corporate, diplomatic, sporting, entertainment, or other gathering) at a specific venue on specific dates, what threatens this event and its attendees, at which phase of the event, how severely, and which way it is trending - expressed as a structured, scored threat picture using an explicit Likelihood × Impact (1–5 × 1–5 = 1–25) register, segmented by event phase (pre-event buildup → attendee arrival/access → main event/program → departure/egress → post-event/teardown) and aggregated to a headline event threat rating with a proceed / proceed-with-conditions / cancel-relocate-postpone recommendation. It is a space/time/activity-anchored framework product: its threat taxonomy maps onto the PMESII-PT operating environment, its phase analysis uses the event’s own operational timeline, and its collection logic is PIR → phase/threat-category → indicator → source. It is duty-of-care and mission-assurance intelligence: it informs the client’s go/no-go, security posture, mitigation investment, emergency planning, and resource allocation for the event. It consumes the holistic environmental rating of the Country Risk Assessment and the descriptive baseline of the Regional Study for the host location, and - where commissioned - the Venue Security Survey (the physical-security assessment of the venue itself - barriers, access control, CCTV, guard force, structural vulnerabilities) and the Protective Advance Survey & Recce Report (the on-the-ground advance reconnaissance for a specific principal’s attendance - route recon, medical-evac routes, pre-positioning, site-specific detail procedures); this product does not perform those surveys but consumes their findings if available and issues RFIs (→ §23) where they are needed but absent. It does not deliver the security-operations plan, the detail deployment, the access-control procedures, the emergency-evacuation plan, or the public-order/crowd-management plan - those are operational/planning products. Where those needs surface, flag and route to the client’s security/event-operations team or to the separately scoped Venue Security Survey and Protective Advance Survey & Recce Report. The Post-Event After-Action Report is retrospective and not scoped here. This is a threat assessment; it is not legal, insurance, medical, or event-operations advice, and it is not a guarantee of event safety.


Document Control

FieldValue
Report Reference[REF-YYYY-###]
Date of Report[YYYY-MM-DD]
Baseline / As-Of Date[YYYY-MM-DD - the date through which threat conditions are assessed]
Event Window[YYYY-MM-DD → YYYY-MM-DD - first setup day through final teardown]
Event Date(s) / Core Operating Days[YYYY-MM-DD → YYYY-MM-DD - the days the public/attendees are present]
Classification / Handling[CLASSIFICATION / TLP MARKING]
Client[CLIENT NAME]
Requesting Party[CONTACT - ENGAGEMENT REF]
Event Name / Title[EVENT NAME]
Event Type & Format[e.g., public concert / corporate conference / VIP diplomatic summit / sporting fixture / trade exhibition / political rally / festival / private gala - and format e.g., indoor/outdoor/hybrid]
Venue / Location[VENUE NAME - CITY / COUNTRY - with map/diagram reference if available]
Expected Attendance / Profile[Estimated crowd size and composition - e.g., 5,000 general public + 200 VIPs + 100 staff]
Client Role / Event Ownership[Organizer / Host / Security contractor / Principal attendee / Insurer / Sponsor]
Engagement Purpose[Decision the assessment informs - e.g., go/no-go for organiser, protectee attendance posture, security investment level, insurance underwriting]
Scope / Depth[Pre-event, event-wide threat rating - see §2 scope; venue security and principal advance handled by sibling products]
Prepared By[ANALYST NAME / ID]
Reviewed By[REVIEWER NAME / ID]
Approving Officer[APPROVER NAME / ID]
Version[1.0]
Distribution[NAMED RECIPIENTS]

Handling: [Classification/TLP]. Disseminate only to the named authorized recipients. Reproduction or onward sharing prohibited without originator approval. This product contains event-specific vulnerability and security-posture information that, if compromised, could enable hostile planning against the event, the venue, and named attendees - treat the event profile, timeline, and protective-posture sections as the most sensitive elements. Store and transmit per the client data-processing agreement and applicable data-protection frameworks (GDPR, CCPA, and local equivalents); restrict to those with a security/risk-management need-to-know.

Nature of this product (READ FIRST): This is an open-source-based analytic assessment of threat to an event and its attendees, prepared to inform the client’s duty-of-care, security, and risk-management decisions. It is not legal, insurance, medical, event-operations, or crowd-management advice; not a security-operations, access-control, emergency-evacuation, or public-order plan; not a venue physical-security survey (Venue Security Survey); not a principal-centric protective advance (Protective Advance Survey & Recce Report); and not a guarantee of event safety. The threat scores are the firm’s structured analytic judgments, calibrated to the stated scales - an aid to risk prioritisation and mitigation investment, not precise measurements, actuarial probabilities, or statements of certainty. The assessment is one input; the client’s security, legal, medical, and event-operations teams, and official public-safety authorities, govern conduct on the ground.

Analytic independence & objectivity (ICD 203): Scores and judgments are the firm’s independent analytic assessment, reached on the evidence and free of any pressure to clear or to cancel the event for reasons other than the assessed threat picture. Reporting is distinguished from analyst judgment throughout; uncertainty drivers and change indicators are stated explicitly; alternative explanations are tested. Where the client’s preference is to proceed regardless, the assessment is not softened to suit it - the threat is stated as assessed and the decision left to the client.

Sourcing & legality: Findings derive from open, licensed, and lawfully accessed sources - public record, official advisories and security/threat assessments, reputable media, recognised conflict and terrorism datasets used within licence, venue-public-information and planning documentation, event publicity materials, mapping and geospatial data, social-media monitoring (public accounts and public posts only), and (where commissioned) discreet in-country human sourcing - current as of the baseline date and graded (Annex A). No classified, proprietary-without-licence, or unlawfully obtained material is used; no surveillance, tracking, interception, or access in breach of any jurisdiction’s law is conducted. Official threat assessments, state advisories, and venue-provided security information are treated as potentially self-interested and corroborated against independent sources.

Scope of protective content: Protective-posture and mitigation options in §20 are advisory and analytic - they indicate the direction and category of measure that would lower residual threat to the event and its attendees. They are not the event security-operations plan, access-control plan, detail deployment, emergency-evacuation plan, or public-order plan - those are operational documents scoped and produced by the client’s security/event-operations team or by separately commissioned sibling products (Venue Security Survey; Protective Advance Survey & Recce Report).

Perishability: This is a point-in-time assessment against a defined event window. Threat conditions move fast - an advisory, an incident, a protest call, a social-media threat, a weather warning, a VIP-attendance change, or a venue-capacity/vendor change can invalidate a phase’s rating overnight. Scores are time-sensitive - re-verify against current reporting immediately before the event window and on any material change to the event profile, venue, or attendance.

Reliance: Reliance is limited to the named client for the stated event and purpose; no third-party reliance without originator consent.

Event Threat Snapshot

FieldValue
Event[Event name, type, date(s)]
Venue / Location[Venue, city, country]
Expected Attendance[Crowd size and composition]
Overall Event Threat Rating[LOW (1–5) / MODERATE (6–10) / ELEVATED (11–15) / HIGH (16–20) / CRITICAL (21–25)] - [aggregate score]
Event Recommendation[PROCEED / PROCEED WITH CONDITIONS / CANCEL / RELOCATE / POSTPONE - see §17]
Rating Trajectory[Improving / Stable / Deteriorating / Volatile over the event window - see §17]
Highest-Threat Phase(s)[The 1–2 phases driving the rating - see §15]
Top Residual Threats[The 2–3 ranked residual threats to act on - see §16]
Principal Threat Drivers[Event-profile exposure / venue factors / attendee profile / threat-actor dynamics pushing threat up - see §6, §17]
Highest-Priority Watch Indicators[The 1–3 tripwires whose activation would most change the rating - see §19]
Conditions Attached (if any)[The protective conditions on which a PROCEED depends - see §17, §20]
Coverage Confidence[HIGH / MODERATE / LOW - access, source diversity, currency - see §25]
Overall Assessment Confidence[HIGH / MODERATE / LOW - see §25]

Table of Contents

  1. BLUF
  2. Executive Summary & Scope
  3. Key Judgments
  4. Priority Intelligence Requirements (PIRs)
  5. Threat Framing, Taxonomy & Methodology
  6. Event Profile & Target Profile
  7. Venue & Location Assessment
  8. Attendee Profile & Exposure
  9. Event Timeline & Phases
  10. Mass-Casualty / Active Threat Risk
  11. Crowd Safety, Crush & Trampling Risk
  12. Protest, Disruption & Civil-Disorder Risk
  13. Hostile Surveillance, Pre-Attack Reconnaissance & Drone Risk
  14. Cyber, Digital & Information-Environment Threat
  15. Weather, Environmental & Health Risk
  16. Phase-by-Phase Threat Profile
  17. Consolidated Threat Register & Heat Map
  18. Overall Event Threat Rating, Trajectory & Event Recommendation
  19. Red Flag / Notable Indicators
  20. Threat-Escalation & Early-Warning Indicators
  21. Protective Posture & Mitigation Options (Advisory)
  22. Analysis of Competing Hypotheses (ACH)
  23. Key Assumptions Check (KAC)
  24. Collection Gaps & RFIs
  25. Assessment & Recommendations
  26. Annex A - Sources & Methodology
  27. Annex B - Appendices

(Page numbers populate on export to Word/PDF.)


1. BLUF

2–3 sentences. Lead with the overall event threat rating, the event recommendation (proceed / proceed-with-conditions / cancel / relocate / postpone), the phase(s) driving the rating, and the single most decision-relevant implication for the event’s safety - with the recommended posture or condition. Written so the decision-maker can act on this line alone.

[BLUF]

2. Executive Summary & Scope

Triggering requirement and engagement purpose; what event, where, when, by whom, and for whom. Scope in/out stated explicitly - the event window, the phases covered, the threat categories scored, the event-specific lens applied, and what is deferred to sibling/downstream products (venue physical security to the Venue Security Survey; principal-centric advance to the Protective Advance Survey & Recce Report; retrospective analysis → Post-Event After-Action Report; operational security, access-control, evacuation, and public-order plans - out of scope; country/area environmental inputs consumed from the Country Risk Assessment / Regional Study). Narrative synthesis of the rating, the recommendation, and the principal residual threats across the phases below, to the ICD 203 floor - reporting separated from analytic judgment, uncertainty drivers named, alternatives acknowledged. State the headline rating, the recommendation, and the top residual threats here.

[EXECUTIVE SUMMARY & SCOPE]

3. Key Judgments

The analytic bottom line on threat to the event - the overall rating and event recommendation, the phases and threat categories that most determine it, and the most consequential residual threats. Each judgment carries likelihood and analytic confidence as separate columns (never combined - ICD 203) and a change-indicator stating what would shift it. Order by decision-relevance. Note: the ICD 203 likelihood term here describes the analytic judgment; the 1–5 likelihood in the threat register (§10–§14) is the scoring input - keep the two distinct and consistent (see §5 for the mapping).

#Key JudgmentLikelihoodAnalytic ConfidenceChange Indicator (what would shift it)
KJ-1[e.g., Overall event threat is assessed [BAND] across the window; recommendation [PROCEED/CONDITIONS/CANCEL], driven primarily by [phase/threat]][ICD 203 term][HIGH/MOD/LOW][ ]
KJ-2[e.g., The highest-threat phase is [phase], where [threat] is scored [residual L×I]][ ][ ][ ]
KJ-3[e.g., The event’s [profile factor / attendee factor / venue factor] materially raises targeting risk for [threat category]][ ][ ][ ]
KJ-4[e.g., The dominant escalation pathway is [event/indicator] affecting [phase]][ ][ ][ ]
KJ-5[e.g., The rating trajectory across the window is [stable/rising/volatile], pending [pivotal event or indicator]][ ][ ][ ]

4. Priority Intelligence Requirements (PIRs)

Collection-management spine for an event threat product: PIR → phase/threat-category → indicator → source. State each PIR, the answer, key evidence, and analytic confidence. Each PIR maps to one or more phases or threat categories. Summarize in the matrix.

  • PIR-1 - Event target profile & directed threat: Does the event’s nature, visibility, controversy, host/organiser profile, or attendee list attract directed threat (terrorist targeting, protest, hacktivism, doxxing, grievance actor), and from whom? [Answer / evidence / confidence]
  • PIR-2 - Venue & location threat environment: What is the current threat level at the venue and its surrounding area (crime, terrorism, unrest, conflict), and which way is it trending across the event window? [ ]
  • PIR-3 - Mass-casualty & active threat: What is the risk of a terrorist, armed-attacker, vehicle, or other mass-casualty attack targeting the event or its attendees, by phase and venue? [ ]
  • PIR-4 - Crowd safety & crush: What is the risk of crowd crush, trampling, or life-safety incident given the venue capacity, layout, ingress/egress design, and expected crowd behaviour? [ ]
  • PIR-5 - Protest, disruption & civil disorder: What is the risk of protest, disruption, political demonstration, or civil disorder affecting the event and its safe conduct? [ ]
  • PIR-6 - Hostile surveillance, pre-attack reconnaissance & drone: What is the risk of hostile reconnaissance, pre-attack preparation, or drone intrusion against the event or venue? [ ]
  • PIR-7 - Cyber, digital & information threat: What is the risk of cyber-attack on event systems, data breach of attendee/credential data, digital disruption, disinformation, or doxxing/narrative targeting affecting the event? [ ]
  • PIR-8 - Weather, environmental & health: What are the weather, seasonal, natural-hazard, and health exposures over the event window, and can the venue withstand them? [ ]
  • PIR-9 - Trajectory & inflection: Where is threat heading across the event window, and what events/indicators (pre-event or in-event) would change a phase’s rating or the recommendation? [ ]
  • [Add event-specific PIRs - e.g., a named high-profile attendee, a specific prior threat against the event, a concurrent event/anniversary/date significance, a specific vendor/supply-chain risk.]
PIRPhase / Threat CategoryAnswer (summary)ConfidenceKey Gap
PIR-1Event target profile[ ][H/M/L][ ]
PIR-2Venue & location environment[ ][H/M/L][ ]
PIR-3Mass-casualty / active threat[ ][H/M/L][ ]
PIR-4Crowd safety / crush[ ][H/M/L][ ]
PIR-5Protest / disruption / disorder[ ][H/M/L][ ]
PIR-6Hostile surveillance / drone[ ][H/M/L][ ]
PIR-7Cyber / digital / information[ ][H/M/L][ ]
PIR-8Weather / environmental / health[ ][H/M/L][ ]
PIR-9Trajectory[ ][H/M/L][ ]

5. Threat Framing, Taxonomy & Methodology

The load-bearing methodology section for a scored, phase-segmented product - state the rules before any score appears so the rating is transparent and reproducible. Define, in order:

  • Event exposure & threat lens. What is at stake (attendee life/safety, event mission, client reputation, business continuity, public confidence) and therefore the lens through which impact is scored. Threat is scored as threat TO THIS EVENT on THIS TIMELINE, not as generic venue risk - state this explicitly. Event ownership, public profile, and client role determine the impact frame.
  • Threat taxonomy. The threat categories scored (this template uses six - §10: Mass-Casualty / Active Threat; §11: Crowd Safety / Crush; §12: Protest / Disruption / Disorder; §13: Hostile Surveillance / Drone; §14: Cyber / Digital / Information; §15: Weather / Environmental / Health), mapped to PMESII-PT. Note any category de-emphasised or added for this event and why.
  • Phase segmentation. The event is decomposed into phases (pre-event buildup → attendee arrival/access → main event/program → departure/egress → post-event/teardown - §9); threat is scored per category and located to the phase(s) where it bites, then mapped onto the timeline in §16.
  • Scoring scales. Likelihood (1–5) and Impact (1–5) → inherent score (1–25); the band key; and the inherent → mitigation → residual logic. Impact is scored against the event’s exposure (life/safety / event mission / reputation / business continuity), not against a generic scenario. State how the 1–5 likelihood relates to the ICD 203 estimative bands used in the Key Judgments (the mapping table below).
  • Inherent vs. residual threat. Inherent = before protective/mitigation measures; residual = after crediting measures assessed to be in place or committed for the event (e.g., venue security, access control, steward-to-attendee ratio, medical coverage). Where no measures are yet defined, state that residual = inherent until the §20 posture is scoped.
  • Event decision frame. The rating is objective (the firm’s assessment of threat level); the client’s risk appetite and event commitment are recorded as context for interpreting it and for setting conditions, not used to adjust the scores. The recommendation (proceed / conditions / cancel / relocate / postpone) follows from the rating against the duty-of-care and mission-assurance threshold, stated here.
  • Relationship to other products. This consumes the Country Risk Assessment country rating / Regional Study baseline for the host location; consumes findings from the Venue Security Survey and Protective Advance Survey & Recce Report where commissioned; feeds the event security-operations plan and emergency planning; the sibling Post-Event After-Action Report uses this as the pre-event baseline for comparison.
  • Coverage constraints. Access to venue-specific security information, attendee list completeness, current threat-intel coverage of the venue area, advisory-data reliability, contested information environment.
Framing ElementContent
Event exposure & threat lens[Life/safety / mission / reputation / business continuity - and client role]
Event window & phases[Core event days and phase breakdown - defer to §9 for detail]
Threat categories scored (taxonomy)[Six default categories; note additions/de-emphasis and why]
Phase segmentation basis[Phase timeline scored and mapped to §16 profile]
Inherent vs. residual basis[Mitigation/security measures credited / none yet - residual = inherent]
Client risk appetite / commitment (context only)[Recorded, not used to adjust scores]
Duty-of-care / recommendation threshold[The rating band at which the firm recommends conditions / cancel / relocate / postpone]
Relationship to other products[Consumes Country Risk/Country Study / consumes Venue Security Survey & Protective Advance if available / feeds event security-operations plan / baseline for Post-Event AAR]
Coverage constraints[Venue intel access, attendee list completeness, threat-intel coverage, advisory reliability, contested info]

Likelihood (1–5) ↔ ICD 203 mapping (apply consistently):

ScoreLikelihood (1–5)Approx. ICD 203 band
1Remotealmost no chance / very unlikely (01–20%)
2Unlikelyunlikely (20–45%)
3Possibleroughly even chance (45–55%)
4Likelylikely (55–80%)
5Almost certainvery likely / almost certain (80–99%)

Impact (1–5), scored against the event: 1 Negligible · 2 Minor · 3 Moderate · 4 Major · 5 Severe/Catastrophic. Define each band concretely for this event in the source annex (e.g., what a “Major” vs. “Severe” outcome means for attendee life safety, event mission/continuity, client reputation, and business/legal consequences).

6. Event Profile & Target Profile

Why this event may attract directed threat - the profile-driven component that distinguishes it from generic location risk. Assess (do not merely list): event type, format, and public visibility; host, organiser, sponsor profile and the controversy or grievance attached to them; date/anniversary significance; attendee profile - high-value, high-controversy, or high-publicity individuals attending (VIPs, political figures, corporate leaders, media); the event’s symbolic, political, ideological, or commercial significance as a target; prior threats, incidents, or hostile attention against this event, similar events, the venue, or the organisers; social-media narrative and protest/threat chatter; and the event’s media coverage posture (high profile attracts, low profile may be OPSEC-relevant). Score the directed-threat exposure this profile creates; the environmental (undirected) threat is scored in §7 and §10–§15.

Profile FactorDetail / BasisThreat RelevanceLikelihood (1–5)Impact (1–5)Inherent (L×I)Existing MitigationResidualConfidenceSource Grade
Event type / format / visibility[ ][Terrorist targeting / protest / hacktivism / media][1–5][1–5][ ][ ][ ][H/M/L][A–F/1–6]
Host / organiser / sponsor controversy[ ][Grievance / protest / directed threat / doxxing][ ][ ][ ][ ][ ][H/M/L][ ]
Date / anniversary significance[ ][Symbolic target for anniversary or ideological date][ ][ ][ ][ ][ ][H/M/L][ ]
VIP / high-profile attendee presence[ ][Targeting / kidnap / protest / media magnet][ ][ ][ ][ ][ ][H/M/L][ ]
Symbolic / political / ideological significance[ ][Terrorist / protest / narrative targeting][ ][ ][ ][ ][ ][H/M/L][ ]
Prior threats / incidents / hostile chatter[ ][Persistence / specific actor / capability][ ][ ][ ][ ][ ][H/M/L][ ]
Social-media narrative / protest calls[ ][Spontaneous or organised disruption][ ][ ][ ][ ][ ][H/M/L][ ]
Media coverage posture[ ][High-profile attracts / low-profile as OPSEC][ ][ ][ ][ ][ ][H/M/L][ ]

Target-profile assessment: [Synthesis - whether and from whom this event faces directed (as opposed to ambient) threat, the single profile factor that most elevates risk, and the principal uncertainty. Where a specific threat-actor or campaign is in view, cross-reference §12 and §13 and RFI deep analysis.]

7. Venue & Location Assessment

The physical and environmental setting - the venue itself, its location, the surrounding area, and the local threat environment - consumed from the country/area products and venue-specific information, compressed to what bears on this event and window. Do not perform a full venue physical-security survey (barrier ratings, CCTV coverage, guard-force capability, access-control systems) - that is the Venue Security Survey; consume its findings if available and note gaps. This section covers: venue type (indoor/outdoor/stadium/conference centre/temporary structure/historic site); location setting (urban/rural/isolated); local threat environment (crime, unrest, terrorism - per destination inputs §8 from the Country Risk / Country Study products); venue capacity and layout character (single entry, multiple gates, VIP routes, backstage/service areas, evacuation assembly points, perimeter character); surrounding area (transport links, chokepoints, overlook/observation positions, public thoroughfares, parking, protest-assembly areas); and known venue vulnerabilities from open-source reporting.

FactorDetail / BasisThreat RelevanceLikelihood (1–5)Impact (1–5)Inherent (L×I)Existing MitigationResidualConfidenceSource Grade
Venue type / structure[ ][Physical vulnerability / crowd movement / target appeal][1–5][1–5][ ][ ][ ][H/M/L][A–F/1–6]
Location / setting / local threat environment[ ][Ambient risk to event - crime, unrest, terrorism][ ][ ][ ][ ][ ][H/M/L][ ]
Venue capacity / layout character[ ][Crowd concentration / ingress-egress / VIP segregation][ ][ ][ ][ ][ ][H/M/L][ ]
Surrounding area / approaches[ ][Vehicle / pedestrian approach risk / chokepoints / observation][ ][ ][ ][ ][ ][H/M/L][ ]
Known venue vulnerabilities[ ][Past incidents / structural issues / security gaps][ ][ ][ ][ ][ ][H/M/L][ ]

Venue & location assessment: [Synthesis - the venue’s principal threat-relevant characteristics, the highest-risk features of the setting, and gaps that should be addressed by a Venue Security Survey where not already commissioned. Note: deep physical-security assessment is the Venue Security Survey, not this product.]

8. Attendee Profile & Exposure

Who is attending and how that shapes threat. Assess (do not merely list): crowd size and density (planned capacity vs. likely actual attendance); crowd composition and behaviour (general public / ticketed / invite-only / mixed / family vs. high-risk demographic); VIP/high-profile attendees and their security posture; staff, contractor, and vendor access footprint (backstage passes, credentialling risk, service access); media presence and its effect on profile; and any known counter-protests, political sensitivities, or community tensions. Score the attendee-driven threat contribution.

FactorDetail / BasisThreat RelevanceLikelihood (1–5)Impact (1–5)Inherent (L×I)Existing MitigationResidualConfidenceSource Grade
Crowd size and density[ ][Crush / mass-casualty / target density][1–5][1–5][ ][ ][ ][H/M/L][A–F/1–6]
Crowd composition / demographics[ ][Behaviour / sensitivity / counter-protest / rivalry][ ][ ][ ][ ][ ][H/M/L][ ]
VIP / high-profile attendee presence[ ][Targeting / kidnapping / security burden / media][ ][ ][ ][ ][ ][H/M/L][ ]
Staff / contractor / vendor footprint[ ][Credentialling risk / insider threat / access vectors][ ][ ][ ][ ][ ][H/M/L][ ]
Media presence[ ][Profile amplification / narrative control][ ][ ][ ][ ][ ][H/M/L][ ]
Community / political sensitivity[ ][Protest / disruption / reputational][ ][ ][ ][ ][ ][H/M/L][ ]

Attendee profile assessment: [Synthesis - the principal attendee-driven threat contributions, whether any high-profile attendance creates a disproportionate threat vector, and crowd-density/crush risk character. Where attendee-list depth is insufficient, flag as a gap (→ §24).]

9. Event Timeline & Phases

The descriptive spine the threat is scored against - the actual event decomposed into operational phases so every score in §10–§15 is locatable in time and activity. Capture each phase: dates/times, activity description, locations within the venue, expected crowd density, key personnel present, and any known security/operational measures planned. Flag fixed, repeated, or published schedules as a threat factor (predictability aids targeting).

Phase #Phase NameDate / Time WindowActivity DescriptionLocation(s) / Zone(s)Expected Crowd DensityKey Personnel / Attendees PresentKnown Security MeasuresPredictability / Exposure Note
P1Pre-event buildup / setup[ ][ ][ ][ ][ ][ ][ ]
P2Attendee arrival / access / ingress[ ][ ][ ][ ][ ][ ][ ]
P3Main event / program (opening)[ ][ ][ ][ ][ ][ ][ ]
P4Main event / program (core sessions)[ ][ ][ ][ ][ ][ ][ ]
P5Main event / program (peak/featured)[ ][ ][ ][ ][ ][ ][ ]
P6Departure / egress[ ][ ][ ][ ][ ][ ][ ]
P7Post-event / teardown[ ][ ][ ][ ][ ][ ][ ]

Timeline note: [The phases of greatest exposure on activity/crowd grounds (ingress, peak attendance, egress - the classic dangerous seams), and how the event’s schedule structure itself raises or lowers threat. Flag fixed/published schedules as a targeting enabler.]

10. Mass-Casualty / Active Threat Risk

Risk to the event from an incident causing multiple casualties: terrorism - vehicle attack, armed attacker, IED/VBIED, knife/hostage at the event; active-threat incident targeting the event, venue, or crowd; indirect fire (mortar/rocket) exposure near a conflict zone; and structural/crowd-collapse falling under mass-casualty rather than crush (→ §11). Locate each to the phase(s) and venue zone(s) where it bites. This is the primary life-safety threat and typically the highest-impact category.

Sub-ThreatDriver / BasisPhase(s) / Zone(s)Likelihood (1–5)Impact (1–5)Inherent (L×I)Existing MitigationResidualTrendConfidenceSource Grade
Vehicle attack (crowd / perimeter)[ ][ ][1–5][1–5][ ][ ][ ][↑/→/↓][H/M/L][A–F/1–6]
Armed attacker / active shooter[ ][ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]
IED / VBIED / device attack[ ][ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]
Knife / edged-weapon / hostage[ ][ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]
Indirect fire / rocket / shelling (conflict zone)[ ][ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]
Structural collapse / crowd-driven mass casualty[ ][ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]

Mass-casualty risk assessment: [Synthesis - the dominant mass-casualty threat to this event, the phases/zones of greatest exposure, the most likely attack modality, and the threat-actor profile. Where a specific threat-actor, proscribed group, or conflict zone is in view, flag it.]

11. Crowd Safety, Crush & Trampling Risk

Risk to attendees from crowd dynamics: crowd crush in high-density queuing/ingress/egress zones; trampling and surge incidents; balcony/railing collapse under crowd load; stampede triggered by panic, noise, or false alarm; blocked egress and inadequate emergency exits; and the adequacy of steward-to-attendee ratio, crowd-flow management, and medical coverage for a crowd of this size and composition. This is the classic event safety risk and often the highest-likelihood threat.

Sub-ThreatDriver / BasisPhase(s) / Zone(s)Likelihood (1–5)Impact (1–5)Inherent (L×I)Existing MitigationResidualTrendConfidenceSource Grade
Crush / surge at ingress / queuing[ ][ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]
Crush / surge at main-stage / feature[ ][ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]
Crush / surge at egress / exit pinch-point[ ][ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]
Balcony / railing / temporary-structure collapse[ ][ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]
Stampede / panic-triggered incident[ ][ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]
Inadequate egress / blocked exits[ ][ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]

Crowd safety assessment: [Synthesis - the dominant crowd-safety risk, whether ingress, peak density, or egress poses the highest risk, the venue’s capacity threshold vs. expected attendance, and the adequacy of mitigations planned.]

12. Protest, Disruption & Civil-Disorder Risk

Risk to the event from political, ideological, or grievance-driven disruption: organised protest or demonstration targeting the event, venue, host, or attendees; spontaneous protest or gathering; civil unrest in the vicinity affecting event conduct; counter-protest or factional confrontation; disruption tactics (road blocking, sound interference, banner drops, sit-ins, occupation); and escalation to violence, vandalism, or assault. Score the viability and likelihood of disruption against the event profile (§6) and local context.

Sub-ThreatDriver / BasisPhase(s) / Zone(s)Likelihood (1–5)Impact (1–5)Inherent (L×I)Existing MitigationResidualTrendConfidenceSource Grade
Organised protest / demonstration[ ][ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]
Spontaneous protest / gathering[ ][ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]
Civil unrest in vicinity / spillover[ ][ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]
Counter-protest / factional confrontation[ ][ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]
Disruption tactics (blocking, noise, sit-in, banner)[ ][ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]
Escalation to violence / vandalism / assault[ ][ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]

Protest & disruption assessment: [Synthesis - the principal disruption risk, whether it is organised or spontaneous, the phase of greatest impact (typically arrival/access or main event), and the escalation pathway to violence. Where a specific protest group, call-to-action, or grievance campaign is in view, flag it.]

13. Hostile Surveillance, Pre-Attack Reconnaissance & Drone Risk

Risk to the event from hostile observation and preparation: hostile surveillance and pre-attack reconnaissance of the venue, approaches, security posture, and VIP/attendee movements; drone overflight, disruption, or weaponised-drone threat; and the risk of pre-positioning of personnel, devices, or equipment before the event. This is the enabling threat category - surveillance often precedes a mass-casualty or kidnap attempt. Score the detectability of surveillance opportunity given the venue’s openness, the OPSEC of the event, and the drone-threat environment.

Sub-ThreatDriver / BasisPhase(s) / Zone(s)Likelihood (1–5)Impact (1–5)Inherent (L×I)Existing MitigationResidualTrendConfidenceSource Grade
Hostile surveillance (physical / technical) of venue[ ][ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]
Pre-attack reconnaissance[ ][ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]
Drone overflight / surveillance[ ][ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]
Weaponised drone / drone-borne IED[ ][ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]
Pre-positioning of personnel / devices / equipment[ ][ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]

Surveillance & drone assessment: [Synthesis - the principal surveillance/drone risk, the phases of greatest vulnerability to pre-attack activity (setup/arrival offer the most opportunity), and the drone-threat capability in the environment. Where a specific adversarial collection capability is in view, flag it and route to protective-intelligence products.]

14. Cyber, Digital & Information-Environment Threat

Risk to the event from the digital and information domain: cyber-attack on event systems (ticketing, credentialling, access control, payment, IT/network infrastructure, live-stream, AV); data breach of attendee data (PII, credentials, VIP travel patterns, medical/access data); digital disruption (hacktivism, DDoS, social-media account compromise, defacement); disinformation campaigns targeting the event (false threats, protest calls, reputational attacks, panic-inducing narrative); doxxing of organisers or attendees; and the IT/cyber resilience of the venue, organisers, and key vendors. Score against the event’s digital footprint and the threat-actor profile from §6 and §12.

Sub-ThreatDriver / BasisPhase(s) / System(s)Likelihood (1–5)Impact (1–5)Inherent (L×I)Existing MitigationResidualTrendConfidenceSource Grade
Cyber-attack on ticketing / credentialling / access[ ][ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]
Data breach of attendee PII / VIP data[ ][ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]
DDoS / digital disruption of event systems[ ][ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]
Disinformation / false threat / protest call[ ][ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]
Doxxing of organisers / attendees / VIPs[ ][ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]
Venue / organiser IT-resilience exposure[ ][ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]

Cyber & digital assessment: [Synthesis - the principal digital threat, whether the event’s cyber posture is adequate for its profile and attendee data-sensitivity, and the information-environment risk that could affect event conduct or safety. Note that deep technical cyber assessment is a separate product; this is the analytic threat picture, not the cybersecurity audit.]

15. Weather, Environmental & Health Risk

Risk from the physical environment and health conditions: weather and seasonal exposure during the event window - extreme heat, cold, storm, flood, wind, lightning, air quality, wildfire smoke; venue resilience to weather (indoor/outdoor/temporary structures); natural-hazard exposure (seismic, volcanic, landslide, tsunami - location-dependent); health risks - disease outbreak, food/water safety, medical-system reachability for casualty response; and CBRN/industrial-incident exposure where relevant. This scores the threat; mitigation and contingency planning is the event-operations team’s scope (route to the emergency/evacuation plan).

Sub-ThreatDriver / BasisPhase(s) / Location(s)Likelihood (1–5)Impact (1–5)Inherent (L×I)Existing MitigationResidualTrendConfidenceSource Grade
Extreme heat / cold / weather event[ ][ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]
Storm / flood / wind / lightning[ ][ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]
Air quality / smoke / visibility[ ][ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]
Natural hazard (seismic / volcano / landslide / tsunami)[ ][ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]
Disease outbreak / food & water safety[ ][ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]
Medical-system adequacy for mass-casualty response[ ][ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]
CBRN / industrial-incident exposure[ ][ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]

Weather, environmental & health assessment: [Synthesis - the dominant environmental/health threat over the event window, the venue’s resilience to the likely weather exposures, and whether the local medical infrastructure can handle a mass-casualty event at this location. Route medical/casualty-response planning and weather contingency to the event-operations team.]

16. Phase-by-Phase Threat Profile

The signature synthesis of this product - map the category threats (§10–§15) onto the actual event timeline (§9) so the client sees, for each phase, the dominant threats, the residual rating, the exposure window, and the protective implication. This is what makes the assessment actionable for security and event operations: it converts a threat taxonomy into a phase-by-phase picture. Order chronologically.

Phase #Phase NameLocation / TimeDominant Threats (by §)Peak Residual (L×I)Phase Threat BandExposure Window / SeamProtective Implication (advisory → §21 / event security plan)
P1[ ][ ][§ refs][ ][Low/Mod/Elev/High/Crit][ ][ ]
P2[ ][ ][ ][ ][ ][ ][ ]
P3[ ][ ][ ][ ][ ][ ][ ]
P4[ ][ ][ ][ ][ ][ ][ ]
P5[ ][ ][ ][ ][ ][ ][ ]
P6[ ][ ][ ][ ][ ][ ][ ]
P7[ ][ ][ ][ ][ ][ ][ ]

Phase-profile note: [The highest-threat phase(s) and seam(s) (typically ingress/arrival and peak-egress - the classic vulnerable transitions), how threat concentrates across the timeline, the phase most driving the overall rating, and the implications for security deployment and emergency planning.]

17. Consolidated Threat Register & Heat Map

Aggregate every scored threat from §7–§8 and §10–§15 into one ranked register, ordered by residual score, so the client sees the whole threat picture and the priorities in one place. The heat map plots the distribution across the 5×5 grid. The domain/category sections build the scores; this section ranks and visualises them; §16 locates them on the timeline.

RankThreatCategory (§)Phase(s)Inherent (L×I)Existing MitigationResidual (L×I)BandTrendConfidence
1[ ][§][ ][ ][ ][ ][Low/Mod/Elev/High/Crit][↑/→/↓][H/M/L]
2[ ][§][ ][ ][ ][ ][ ][ ][H/M/L]
3[ ][§][ ][ ][ ][ ][ ][ ][H/M/L]
[ ][§][ ][ ][ ][ ][ ][ ][H/M/L]

Residual-threat heat map (plot each threat’s residual L×I; cell = count or threat IDs):

Impact ↓ / Likelihood →1 Remote2 Unlikely3 Possible4 Likely5 Almost certain
5 Severe[ ][ ][ ][ ][ ]
4 Major[ ][ ][ ][ ][ ]
3 Moderate[ ][ ][ ][ ][ ]
2 Minor[ ][ ][ ][ ][ ]
1 Negligible[ ][ ][ ][ ][ ]

Register note: [Where the residual threat clusters (which category and which phase), the count above the duty-of-care/mission-assurance threshold, and the single threat most driving the rating and recommendation.]

18. Overall Event Threat Rating, Trajectory & Event Recommendation

The headline rating, where it is heading across the event window, and the resulting event recommendation. Derive the overall rating from the phase and category residual scores (state the aggregation logic - the highest-impact residual threats and the highest-threat phase dominate; a single Critical phase can set the rating regardless of benign phases). Give the per-category and per-phase summary, the aggregate rating and band, the trajectory with likelihood and confidence stated separately, and the explicit recommendation with any conditions.

Category (§)Threat SummaryPeak Residual Sub-ThreatCategory BandTrend
Event profile / directed (§6)[ ][ ][Low/Mod/Elev/High/Crit][↑/→/↓]
Venue / location (§7)[ ][ ][ ][ ]
Attendee profile (§8)[ ][ ][ ][ ]
Mass-casualty / active threat (§10)[ ][ ][ ][ ]
Crowd safety / crush (§11)[ ][ ][ ][ ]
Protest / disruption / disorder (§12)[ ][ ][ ][ ]
Surveillance / drone (§13)[ ][ ][ ][ ]
Cyber / digital / information (§14)[ ][ ][ ][ ]
Weather / environmental / health (§15)[ ][ ][ ][ ]
Trajectory PathDescriptionLikelihoodAnalytic ConfidenceKey Watch Indicators
Most likely[ ][ICD 203 term][HIGH/MOD/LOW][ ]
Most dangerous (rating step-up)[ ][ICD 203 term][HIGH/MOD/LOW][ ]
Improving / de-escalation[ ][ICD 203 term][HIGH/MOD/LOW][ ]

Event recommendation:

FieldDetermination
Overall Event Threat Rating[LOW / MODERATE / ELEVATED / HIGH / CRITICAL - aggregate score]
Recommendation[PROCEED / PROCEED WITH CONDITIONS / CANCEL / RELOCATE / POSTPONE]
Conditions (if PROCEED WITH CONDITIONS)[The protective/security conditions on which the PROCEED depends - by category, per §21; e.g., venue security survey completed, access-control plan in place, medical coverage at level X, C-UAS countermeasures, VIP advance completed (Venue Security Survey / Protective Advance Survey)]
Decision authority[Who owns the go/no-go - client/organiser/host; the firm advises]
Reassessment triggers[The indicators/events (per §20) that require re-rating before or during the event]

Overall rating & recommendation judgment: [The aggregate rating, its band, the aggregation logic, the principal drivers, the trajectory, and the basis for the recommendation against the duty-of-care and mission-assurance threshold - the figures used in the BLUF and Snapshot. Cross-reference pivotal indicators to §20 and conditions to §21.]

19. Red Flag / Notable Indicators

Consolidated register of the load-bearing findings behind the scores, each graded by evidentiary status and confidence so the reader can see what is established vs. assessed vs. contested. Materiality flags the findings that most drive the rating and recommendation. This includes verified threat indicators, assessed concerns, and unresolved allegations affecting the event.

#FindingStatusConfidenceMateriality
1[ ][Established / Assessed / Contested / Unresolved][H/M/L][e.g., Drives overall rating / Drives P3 rating / Advisory only]
2[ ][ ][ ][ ]
3[ ][ ][ ][ ]

20. Threat-Escalation & Early-Warning Indicators

The event analog of a red-flag register: specific, observable indicators whose movement would signal a residual-threat score rising, a new threat emerging, or the recommendation needing to change - split into pre-event tripwires (would change the go/no-go - cancel/relocate/postpone) and in-event tripwires (would trigger a posture change, phase cancellation, venue evacuation, or security stand-down). Each is tied to the threat/phase it bears on, the change it would signal, a severity, and a disposition. These feed the event security-operations team’s real-time decision framework.

#Indicator (observable)PhaseThreat / Phase (§)Change SignalledSeverityCurrent StatusDisposition
1[ ][Pre-event / In-event][ ][e.g., Phase P3 residual 9→16][Crit/High/Med/Low][Not present / Emerging / Present][Watch / Notify client / Re-rate / Cancel phase / Evacuate venue / Route to security ops]

Severity definitions: Critical - would change the recommendation to CANCEL/RELOCATE/POSTPONE pre-event, or trigger event curtailment/evacuation in-event; warrants immediate client notification (e.g., specific/threat intelligence on an attack, direct threat to the event, severe weather warning, public-order collapse). High - would materially raise a phase/category score and warrants prompt notification and posture change. Medium - significant development requiring a re-rate. Low - note and monitor.

21. Protective Posture & Mitigation Options (Advisory)

Advisory, analytic options that would reduce residual threat to the event and its attendees - mapped to the ranked threats (§17) and phases (§16), by treatment category (avoid / reduce / transfer / accept). This is direction and category only, not the security plan: it states what kind of measure would lower a given residual score and roughly how much, and routes implementation to the appropriate separately scoped product or the client’s event-security team. Do not write the security-operations plan, access-control plan, crowd-management plan, detail deployment, or evacuation procedures here - those are operational documents. Route venue physical-security measures to the Venue Security Survey, principal-centric measures to the Protective Advance Survey & Recce Report.

Ranked Threat / Phase (§16–§17)Treatment CategoryAdvisory Option (direction only)Expected Residual EffectImplementation Route (separate product / the client’s event-security team)
[ ][Avoid / Reduce / Transfer / Accept][e.g., Hardened vehicle barriers at ingress / C-UAS deployment / enhanced steward density at egress / VIP advance recon / credentialling-system cyber audit][e.g., residual 16→9 if adopted][Venue Security Survey / Protective Advance Survey & Recce Report / Client event-security team / Insurance/risk-transfer / Cyber-security assessment / Counsel]

Posture note: [The highest-leverage threat reductions available for this event, the irreducible residual threat that remains after plausible protective measures (which should inform the proceed/conditions decision in §18), and the items that must be carried into the Venue Security Survey, Protective Advance Survey & Recce Report, and the client’s event security-operations plan. Reiterate that this is advisory, not the security plan.]

22. Analysis of Competing Hypotheses (ACH)

Apply to the central judgment - typically whether the event can be conducted at acceptable residual threat with planned measures (proceed-with-conditions) vs. should be cancelled/relocated, or the single most consequential and contested threat (e.g., whether a specific directed threat against the event is real and active, or whether a protest escalation pathway leads to violence or remains peaceful). State the competing hypotheses, array the diagnostic evidence for/against each, and identify the most consistent explanation and what evidence would overturn it. Use ACH to discipline the recommendation against both alarmism and against pressure to clear the event for non-security reasons; do not pad the apparatus where the evidence is one-sided - say so and close.

Evidence / IndicatorH1: [Acceptable with conditions]H2: [Cancel / relocate / threat too high]H3: [Directed threat is / isn’t active]
[ ][C/I/N][C/I/N][C/I/N]

(C = consistent · I = inconsistent · N = neutral.) Most consistent hypothesis: [ ] - [rationale + the diagnostic evidence that would overturn it].

23. Key Assumptions Check (KAC)

The assumptions underpinning the scores and the recommendation - about event stability, the reliability of security and threat intelligence, the security measures assumed to be in place, attendee behaviour and compliance, venue cooperation, weather, and the absence of an exogenous shock - each with its basis, confidence, and the impact on the rating/recommendation if it proves wrong. Linchpin assumptions (those that, if wrong, change the recommendation) are flagged.

#AssumptionBasisConfidenceImpact if WrongLinchpin?
1[e.g., The venue capacity and layout as provided are current and accurate][ ][H/M/L][ ][Y/N]
2[e.g., The security measures credited in residual scores will be in place for the event as described][ ][ ][ ][ ]
3[e.g., The attendee list and crowd estimate are reliable and not significantly understated][ ][ ][ ][ ]
4[e.g., No major exogenous shock (terrorist attack, severe weather, public-order collapse, cyber breach) intervenes during the event window][ ][ ][ ][ ]
5[e.g., The Venue Security Survey / Protective Advance Survey findings - where consumed - are current and complete][ ][ ][ ][ ]

24. Collection Gaps & RFIs

Where coverage is thin or contested, the impact on the scores/recommendation, the collection that would close the gap, and where to escalate. Event-product gaps are typically a venue lacking a current Venue Security Survey, a missing Protective Advance Survey for a VIP attendee, incomplete attendee list/intel, a known threat-actor capability question, or a late event-profile change.

GapCategory / Phase (§)Impact on Rating/RecommendationRecommended CollectionEscalation TargetPriority
[ ][ ][ ][ ][Country Risk / Country Study / Venue Security Survey / Protective Advance Survey & Recce / Event security-intel cell / In-country HUMINT / Open-source monitoring / Social-media threat monitoring][H/M/L]

25. Assessment & Recommendations

25.1 Threat Assessment

Overall assessment of threat to the event - the headline rating and band, the event recommendation and any conditions, the phases and residual threats that most drive it, the most consequential uncertainties, and the implications for the event as planned. State the figures used in the BLUF and Snapshot, and the coverage/confidence caveats that bound them. Be explicit about the irreducible residual threat that remains even after plausible protective measures.

[ASSESSMENT]

25.2 Recommendations

  • For event organisers / decision-makers: [The proceed / proceed-with-conditions / cancel / relocate / postpone recommendation and what it rests on; the conditions that must be met to proceed; the planning assumption the assessment supports; and the events under which the decision should be revisited.]
  • For the event security team: [The priority residual threats to treat, the highest-leverage measures by category (per §21) to carry into the security-operations plan, the phase-by-phase deployment implications (§16), the indicators to put under watch (§20), and the gaps to fill via the Venue Security Survey / Protective Advance Survey & Recce if not yet commissioned.]
  • For emergency / medical planning: [The threats and phases that must be reflected in the event emergency-evacuation plan and medical coverage - mass-casualty response (§10), crowd-crush (§11), weather contingency (§15), protest escalation (§12).]
  • For analysts (next intelligence steps): [Which locations, phases, threats, or threat actors warrant deeper collection (Venue Security Survey, Protective Advance, K&R, country product → Country Risk/Country Study), which watch indicators to track, and the re-verification cadence to event day.]
  • Escalations / downstream products: [Items routed to the Venue Security Survey, Protective Advance Survey & Recce Report, Country Risk / Country Study, client event-security team, event emergency planner, or cyber-security assessment.]
  • Conditions for reliance / refresh: [The perishability window and the indicators/events (per §20) that should trigger a re-assessment before or during the event.]

26. Annex A - Sources & Methodology

Collection methods and scope; the source register graded with the Admiralty two-axis code; the reference scales (below); statement of the likelihood-vs-confidence separation and the 1–5 ↔ ICD 203 mapping; the threat taxonomy and scoring methodology (inherent → mitigation → residual; impact scored against the event’s exposure - life/safety, mission, reputation, business continuity; phase segmentation and aggregation logic for the overall event rating); the frameworks applied (PMESII-PT mapping) and any tailoring; coverage and currency limitations (access to venue security information, attendee-list completeness, threat-intel coverage, advisory-data reliability, contested information environment, event-profile stability); confirmation that all collection was open-source and lawful (no surveillance, tracking, interception, or physical intrusion); and the treatment of official advisories, venue-supplied information, and state-controlled media as potentially self-interested and corroborated against independent sources.

Source reliability (Admiralty, A–F): A Completely reliable · B Usually reliable · C Fairly reliable · D Not usually reliable · E Unreliable · F Reliability cannot be judged.

Information credibility (Admiralty, 1–6): 1 Confirmed by other sources · 2 Probably true · 3 Possibly true · 4 Doubtful · 5 Improbable · 6 Truth cannot be judged. (Each sourced datum carries a two-character grade, e.g., B2.)

Estimative probability / likelihood (ICD 203): almost no chance / remote (01–05%) · very unlikely (05–20%) · unlikely (20–45%) · roughly even chance (45–55%) · likely (55–80%) · very likely (80–95%) · almost certain (95–99%).

Analytic confidence (evidence base - kept separate from likelihood): HIGH (multiple independent reliable sources, primary documentation, no significant contradiction) · MODERATE (some corroboration, gaps, minor unresolved inconsistency) · LOW (single/uncorroborated source, significant gaps, plausible alternatives open). Never combine a likelihood term and a confidence level in the same sentence.

Risk scoring (the load-bearing scale of this product): Likelihood (1–5) × Impact (1–5) = 1–25; band key: 1–5 Low · 6–10 Moderate · 11–15 Elevated · 16–20 High · 21–25 Critical. Likelihood is scored 1 Remote / 2 Unlikely / 3 Possible / 4 Likely / 5 Almost certain (mapped to ICD 203 bands in §5). Impact is scored 1 Negligible / 2 Minor / 3 Moderate / 4 Major / 5 Severe, against the event’s exposure (life/safety, event mission/continuity, client reputation, business/legal consequences - define each band concretely for this event below). Inherent score is before protective/mitigation measures; residual score credits measures assessed to be in place or committed for the event. The overall event rating is derived from the phase and category residual scores with the highest-impact threats and highest-threat phase dominating (state the aggregation rule), not a naive average - a single Critical phase can set the rating.

Coverage confidence (product-level): HIGH (strong access, diverse independent sources across venue/event context, current data, low contested-information distortion) · MODERATE (adequate coverage with gaps on some threat categories or phases, partial access to venue security information, some reliance on official/contested advisories) · LOW (significant access/currency barriers, thin or heavily contested sourcing on material categories or phases, late or unstable event profile).

Impact-band definitions (event-specific - complete for this engagement): [Define what Negligible/Minor/Moderate/Major/Severe mean concretely for each exposure type - attendee life/safety, event mission/continuity, client reputation, business/legal consequences.]

Analytic-framework note: The assessment scores threat to the named event and its attendees across a six-category taxonomy mapped to PMESII-PT, located to event phases on the operational timeline; the collection logic is PIR → phase/threat-category → indicator → source. Scores are structured analytic judgments calibrated to the stated scales, not measurements; the recommendation is independent and objective per ICD 203 and is not adjusted to clear or to cancel the event for reasons other than the assessed threat.

Searched sources (record source type, provider/title, as-of date, coverage scope, limitations, and any self-interest/reliability caveat): [TABLE]

27. Annex B - Appendices

  • Appendix A - Event Profile: the event type, visibility, controversy, host/organiser/sponsor profile, date/anniversary significance, and known prior threats that drive the directed-threat scoring (§6) - handled as sensitive event-security information.
  • Appendix B - Full Event Timeline & Phase Breakdown: the complete phase/segment table (§9) with dates, times, activity descriptions, venue zones, crowd densities, and personnel - the most operationally sensitive element of this report.
  • Appendix C - Full Scored Threat Register: the complete §7–§8 and §10–§15 register with inherent score, mitigation, residual score, phase, trend, confidence, and source grade for every sub-threat.
  • Appendix D - Threat Heat Maps: inherent and residual 5×5 distributions, and per-phase heat maps.
  • Appendix E - Phase-by-Phase Threat Profile: the §16 timeline with dominant threats, residual ratings, exposure seams, and protective implications.
  • Appendix F - Early-Warning & Escalation Matrix: the §20 pre-event and in-event indicators with current status, change signalled, severity, and monitoring/disposition notes.
  • Appendix G - Protective Posture & Mitigation Register: the §21 advisory options with treatment category, expected residual effect, and implementation route.
  • Appendix H - Scoring Methodology & Scale Definitions: the likelihood/impact scales, event-specific impact-band definitions, inherent/residual logic, and the overall-rating aggregation rule.
  • Appendix I - Environmental & Venue Reference: pointers to the Country Risk Assessment / Country Study consumed for the host location, and to the Venue Security Survey / Protective Advance Survey & Recce Report where commissioned.
  • Appendix J - Venue Diagrams, Maps & Route Graphics: venue layout, surrounding-area map, ingress/egress routes, chokepoints, protest-assembly areas, medical-evac routes (where produced and where cleared for inclusion) - handled as sensitive operational information.
  • Appendix K - Full Source Register: every source, Admiralty grade, access date, reference, and any coverage/limitation note.
  • Appendix L - Glossary & Abbreviations.
  • Appendix M - Revision History.

END OF REPORT.

Verification disclaimer: This event threat and risk assessment is a point-in-time, event-scoped analytic threat picture based on open, licensed, and lawfully accessed sources current as of the baseline date; it is not legal, insurance, medical, or event-operations advice, not a venue physical-security survey, not a principal-centric protective advance, and not a guarantee of event safety. The threat scores are the firm’s independent, objective structured analytic judgments calibrated to the stated scales - an aid to risk prioritisation and mitigation investment, not precise measurements or actuarial probabilities. Protective-posture content is advisory and is not the event security-operations plan, access-control plan, emergency-evacuation plan, or public-order plan (those are operational documents scoped and produced by the client’s event-security team or separately commissioned sibling products). Event threat is highly perishable and local - scores are time-sensitive and must be re-verified against current reporting immediately before the event window and on any material change to the event profile, venue, or attendance. All collection was open-source and lawful; no surveillance, tracking, or interception was conducted. Official threat assessments, venue-supplied information, and state-controlled sources were treated as potentially self-interested and corroborated where possible. No classified, unlawfully obtained, or out-of-licence material was used in the production of this report.

Document control footer: [REF-YYYY-### · Version · Classification/TLP · Prepared/Reviewed/Approved · Distribution].

Model wiring

Generated from cell frontmatter at publish time.