HOSTILE SURVEILLANCE VULNERABILITY ASSESSMENT
[SITE / PRINCIPAL / OPERATION UNDER ASSESSMENT]
The Hostile Surveillance Vulnerability Assessment identifies and characterizes vulnerabilities to hostile surveillance (static, mobile, technical, human) at a named site, for a named principal, or in support of a named operation. It evaluates the observable, exploitable gaps in physical/information security that an adversary could leverage to conduct surveillance - detection, monitoring, probing, or reconnaissance - against the asset. It is a physical-security / counter-surveillance analytic product, not a threat-actor investigation.
This product draws its altitude boundary against three sibling products:
- Reconnaissance (Recce) Report: The Recce product reports actual adversary reconnaissance activity (observed surveillance, probing, technical detection) against an asset. This assessment does NOT assert that hostile surveillance is occurring * - it identifies the conditions that make surveillance possible, detectable, or deniable.*
- Protective Intelligence Assessment: The PI product maps a network of hostile actors and their intent/capability toward a principal. This assessment does NOT assess actor intent or network structure * - it assumes a generic hostile surveillance capability and tests the asset against it.*
- Threat Case Assessment & Management (TAM): The TAM product manages a specific known threat actor/case with named individuals and escalation management. This assessment does NOT manage a specific threat case * - it is a pre-threat vulnerability baseline.
This product is advisory and preventive, not a prediction of attack. It informs protective-posture hardening, countersurveillance program design, and security-awareness training. It does not prescribe specific technical-security installations or replacement of existing security infrastructure - those decisions are operational planning products derived from this assessment.
Document Control
| Field | Value |
|---|---|
| Report Reference | [REF-YYYY-###] |
| Date of Report | [YYYY-MM-DD] |
| Assessment As-Of Date | [YYYY-MM-DD] |
| Asset Under Assessment | [Site name / principal name / operation designation] |
| Asset Type | [Fixed site / residence / event / principal-movement / operation] |
| Asset Location / Geography | [Address / city / region / operational area] |
| Assessment Purpose / Trigger | [Periodic review / event preparation / threat-received / insurance / due diligence] |
| Classification / Handling | [TLP-AMBER / CONFIDENTIAL / etc.] |
| Client | [CLIENT NAME] |
| Requesting Party | [REQUESTING PARTY NAME] |
| Prepared By | [ANALYST / THREAT MANAGER NAME / ID] |
| Reviewed By | [REVIEWER NAME / ID] |
| Approving Officer | [APPROVER NAME / ID] |
| Version | [X.X] |
| Distribution | [NAMED RECIPIENTS] |
Handling & Legal Caveat
Handling: [Classification/TLP]. Named recipients only. No onward dissemination without originator approval.
IMMINENT DANGER: If during the conduct of this assessment evidence of active hostile surveillance is discovered, contact the designated security officer / law enforcement immediately. This product does not substitute for emergency response.
Nature of assessment: This is a vulnerability assessment - an analytic evaluation of observable conditions that could facilitate hostile surveillance. It is NOT a finding that hostile surveillance is occurring, NOT a security-system audit or certification, NOT a compliance inspection, and NOT a threat-actor investigation. It identifies gaps; remediation is the responsibility of the asset owner/operator.
Permissible purpose: Conducted for the lawful protective purpose of [PURPOSE]. Not a “consumer report” and not prepared by a “consumer reporting agency” under the FCRA (15 U.S.C. § 1681); not for any FCRA-covered eligibility determination.
Data protection: Site/location and principal identifiability data processed under [GDPR/CCPA/applicable regime]; handle per the client DPA and retention schedule [RETENTION REF]. Privilege: [If applicable] Attorney–Client Privileged / Work Product.
Collection boundary: Collection confined to open/publicly-available information (ATP 2-22.9 1-2) and site-survey observations conducted with permission and without intrusion on private space. No surveillance of, or pretext contact with, any individual; no trespass; no unauthorized photography. Image/recording of the asset perimeter from public rights-of-way noted.
Currency: Surveillance vulnerability is dynamic - physical posture, routines, and threat environment change. This assessment reflects conditions as of the as-of date and must be reassessed on the triggers/cadence in §[REASSESSMENT SECTION].
Vulnerability Summary Card
| Field | Value |
|---|---|
| Overall Surveillance Vulnerability Level | [Minimal / Low / Moderate / High / Critical] |
| Highest-Vulnerability Domain | [Static-position / movement / technical / human-insider / digital-footprint] |
| Highest-Vulnerability Location / Segment | [Specific location / route segment / time window] |
| Critical Gaps Identified (count) | [n critical / n high / n medium / n low] |
| Remediation Priority | [Immediate / this week / next cycle / deferred] |
| Reassessment Trigger / Cadence | [Event/cadence] |
Table of Contents
Page numbers populate on export to Word/PDF.
- BLUF - Bottom Line Up Front
- Executive Summary
- Key Judgments
- Priority Intelligence Requirements (PIRs)
- Asset Characterisation & Protective Posture Baseline
- Physical / Static-Position Surveillance Vulnerability
- Movement & Route Surveillance Vulnerability
- Technical / Electronic Surveillance Vulnerability
- Human / Insider Surveillance Vulnerability
- Digital-Footprint & Information-Exposure Vulnerability
- Counter-Surveillance Capability & Readiness Assessment
- Vulnerability Register & Risk Scoring
- Verified Findings Summary
- Hostile Surveillance Indicators & Warning Matrix
- Analysis of Competing Hypotheses (ACH)
- Key Assumptions Check
- Collection Gaps & Intelligence Requirements (RFIs)
- Recommendations & Remediation Priorities
- Annex A - Sources, Methodology & Doctrinal Basis
- Annexes B+
1. BLUF - Bottom Line Up Front
2–4 sentences. State the overall surveillance vulnerability level, the highest-vulnerability domain and specific location/segment, the most critical gap(s), and the immediate recommended action (hardening, route change, countersurveillance deployment, further assessment).
- Overall vulnerability level: [Minimal / Low / Moderate / High / Critical.]
- Highest-vulnerability domain: [Domain + location/segment.]
- Most critical gap(s): [One-line basis.]
- Immediate action: [Hardening / route change / deploy countersurveillance / initiate Recce monitoring / further assessment.]
2. Executive Summary
Assessment Trigger & Purpose
What prompted this vulnerability assessment - periodic review, event preparation, threat intelligence indicating generic surveillance, insurance requirement, client request. Why now.
[Narrative.]
Asset Overview
The asset(s) under assessment: site characteristics (urban/rural, proximity to public space, perimeter type, access control), principal movement (routine patterns, predictable windows), or operation profile. Baseline protective posture in brief.
[Narrative.]
Scope & Limitations
What was assessed, assessment methods (site walk / OSINT / remote imagery / interviews), time window, constraints (no interior inspection, access limitations, cooperation level, no electronic countermeasures sweep).
[Narrative.]
Vulnerability Bottom Line
The net assessment - overall vulnerability level, the most exposed domains/locations, and the overarching recommendation.
[Narrative.]
3. Key Judgments
Analytic assessments about the asset’s vulnerability to hostile surveillance, not predictions of attack. Likelihood (of effective hostile surveillance against the asset under current posture) and analytic confidence in SEPARATE columns (never combine them in one sentence - ICD 203). Each judgment names its change indicator.
| # | Judgment | Likelihood (of effective hostile surveillance) | Analytic Confidence | Change Indicator |
|---|---|---|---|---|
| KJ-1 | [e.g., A determined hostile surveillance operator could maintain continuous observation of the principal’s residence from public space with low probability of detection under current posture] | [almost no chance … almost certain] | [HIGH/MOD/LOW] | [Deployment of uniformed patrol / addition of access-control barriers / change in adjacent land use] |
| KJ-2 | [ ] | [ ] | [ ] | [ ] |
| KJ-3 | [ ] | [ ] | [ ] | [ ] |
| KJ-4 | [ ] | [ ] | [ ] | [ ] |
4. Priority Intelligence Requirements (PIRs)
The questions this assessment must answer (PIR → Indicator → SIR → source). Answer, evidence, confidence, residual gap each.
Collection-management spine: PIR → Indicator → SIR → OSINT-first source (Army-current; EEI = Joint synonym).
PIR-1: [e.g., What are the most accessible, least observable surveillance positions from which to observe the asset?]
| Assessment | Supporting Evidence | Analytic Confidence |
|---|---|---|
| [Identified n positions / none identified / inconclusive] | [ ] | [HIGH/MOD/LOW] |
Residual gap: [Carry to §17 if open.]
PIR-2: [e.g., What are the predictable, exploitable patterns (temporal, route, behavioural) of the asset?]
| Assessment | Supporting Evidence | Analytic Confidence |
|---|---|---|
| [ ] | [ ] | [ ] |
Residual gap: [ ]
PIR-3: [e.g., What information about the asset (location, routine, security posture) is discoverable from open sources?]
| Assessment | Supporting Evidence | Analytic Confidence |
|---|---|---|
| [ ] | [ ] | [ ] |
Residual gap: [ ]
PIR-4: [e.g., What are the existing counter-surveillance measures and their effectiveness?]
| Assessment | Supporting Evidence | Analytic Confidence |
|---|---|---|
| [ ] | [ ] | [ ] |
Residual gap: [ ]
(Repeat - tailor PIRs to asset type and assessment depth: typically 4–6 PIRs covering static, movement, technical, human, digital, counter-surveillance readiness.)
PIR Summary Matrix
| PIR | Question (brief) | Answer | Analytic Confidence |
|---|---|---|---|
| PIR-1 | [ ] | [ ] | [H/M/L] |
| PIR-2 | [ ] | [ ] | [H/M/L] |
| PIR-3 | [ ] | [ ] | [H/M/L] |
| PIR-4 | [ ] | [ ] | [H/M/L] |
5. Asset Characterisation & Protective Posture Baseline
Describe the asset and its current protective posture. Establish the baseline against which vulnerabilities are assessed. For a site: perimeter type and integrity, access control, lighting, sightlines from surrounding public space, guard force or technical surveillance. For a principal: residence type, movement profile, security detail, household/staff access. For an operation: footprint, schedule, security protocols.
Asset Characterisation
| Attribute | Finding | Source Grade |
|---|---|---|
| Asset name / designation | [ ] | [A–F / 1–8] |
| Asset type | [Fixed site / residence / principal-movement / event / operation] | [ ] |
| Location / geography | [Address / coordinates / area / route corridor] | [ ] |
| Surrounding environment | [Urban density (high/medium/low) / residential / commercial / industrial / remote / mixed] | [ ] |
| Public-access proximity | [Distance from nearest public right-of-way / public space / transport node / vantage point] | [ ] |
| Property / operational footprint | [Dimensions / area / building configuration / floor plan (unclassified)] | [ ] |
| Hours of operation / occupancy | [24/7 / business hours / intermittent / period(s) of vulnerability] | [ ] |
Protective Posture Baseline
| Domain | Current Measure / Capability | Source Grade |
|---|---|---|
| Perimeter security (physical barriers) | [Fence / wall / bollards / natural barriers / none identified] | [A–F / 1–8] |
| Access control (entry points) | [Gate / guard / electronic / key-card / biometric / none identified] | [ ] |
| Surveillance detection (technical) | [CCTV coverage / analytics / radar / LPR / none identified] | [ ] |
| Surveillance detection (human) | [Guard force / CP / countersurveillance team / none identified] | [ ] |
| Lighting & environmental | [Perimeter lighting / motion-activated / IR / blind spots identified] | [ ] |
| Communications security | [COMSEC / OPSEC posture / information-sec measures identified] | [ ] |
| Personnel security / insider controls | [Vetting / access logging / separation-of-duties / none identified] | [ ] |
| Digital footprint management | [Online OPSEC / address opacity / social-media discipline / none identified] | [ ] |
Known Historical Surveillance / Reconnaissance Incidents
Any prior incidents of observed surveillance, probing, suspicious activity, or security breaches at the asset. If none, state explicitly.
| Date | Incident Description | Relation to Current Assessment | Source Grade |
|---|---|---|---|
| [ ] | [ ] | [ ] | [ ] |
6. Physical / Static-Position Surveillance Vulnerability
Assess the asset’s vulnerability to static, fixed-position surveillance - a hostile observer maintaining sustained observation of the asset from a fixed location (public vantage point, adjacent property, parked vehicle, natural cover). Evaluate each potential observation position for: field of view, concealment, duration feasibility, access/egress, and deniability.
Observation-Position Survey Matrix
| Position ID | Location / Description | Distance to Asset | Field of View (asset coverage %) | Concealment (natural / structural / vehicular) | Duration Feasibility (unattended / short / sustained) | Access & Egress (risk of detection) | Overall Vulnerability (Low / Med / High) | Source Grade |
|---|---|---|---|---|---|---|---|---|
| OP-1 | [ ] | [meters] | [%] | [ ] | [ ] | [ ] | [ ] | [ ] |
| OP-2 | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
Observation-Position Analysis
For each identified observation position - what it provides (approach surveillance, entry monitoring, principal visual confirmation, pattern-of-life capture), the time-of-day / seasonal factors, and any mitigations that reduce the position’s effectiveness.
[Narrative per OP - guidance: describe the surveillance utility of each position, not the asset details.]
Covert Positioning & Dump Sites
Potential locations for unattended surveillance devices (hidden cameras, trackers, data skimmers, unattended ground sensors) on or near the asset - access points, concealment opportunities, duration-factors.
| Position ID | Location | Concealment Quality | Access Difficulty | Device Types Suitable | Detection Risk | Source Grade |
|---|---|---|---|---|---|---|
| [ ] | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
Static-Position Vulnerability Assessment
Summary judgment: under current posture, could a determined hostile surveillance operator maintain sustained static observation of the asset with low probability of detection? Factors combining to raise or lower that judgment.
[Narrative. Likelihood + confidence stated separately.]
7. Movement & Route Surveillance Vulnerability
Assess the vulnerability of mobile assets (principal movements, convoys, patrols, predictable route patterns) to hostile surveillance - mobile surveillance (foot / vehicle / drone / co-opted third-party), staged observation at predictable points, tracking devices, and route profiling. Analyse each routine route segment.
Route / Movement Inventory
Catalog the predictable movements of the asset: residence → work, regular appointments, planned travel, habitual routes, timing predictability.
| Route ID | Origin → Destination | Frequency | Typical Duration | Timing Predictability | Mode(s) of Transport | Choke Points / Predictable Segments | Source Grade |
|---|---|---|---|---|---|---|---|
| R-1 | [ ] | [ ] | [ ] | [High / Med / Low] | [Vehicle / foot / air / mixed] | [ ] | [ ] |
| R-2 | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
Route-Segment Vulnerability Analysis (Per Route)
For each route, segment the route into phases and assess the surveillance vulnerability of each segment: departure point, transit segments, arrival points, choke points (bridges, tunnels, single-lane, restricted-access junctions), and predictable slowdown points.
| Route ID | Segment | Vulnerability (Low/Med/High) | Observable from Public Space? | Observation Positions (static/mobile) | Concealment Opportunity for Mobile Surveillance | Counter-Surveillance Difficulty | Source Grade |
|---|---|---|---|---|---|---|---|
| R-1 | Departure / residence | [ ] | [Y/N] | [ ] | [ ] | [ ] | [ ] |
| R-1 | Transit segment A | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
| R-1 | Transit segment B | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
| R-1 | Arrival / destination | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
Mobile-Surveillance Detection Environment
Assess the ease or difficulty of detecting mobile surveillance against the asset - traffic density, road network complexity, availability of turns / counter-surveillance routes, ability to identify parallels.
| Factor | Finding | Implication for Surveillance Difficulty |
|---|---|---|
| Traffic density on route | [Heavy / moderate / light / variable] | [Easier to blend / harder to detect] |
| Route-complexity (alternates available) | [ ] | [ ] |
| Ability to conduct dry-cleaning / SDR | [ ] | [ ] |
| Typical vehicle mix (anonymity) | [ ] | [ ] |
| Aerial / drone surveillance risk | [ ] | [ ] |
Movement-Pattern Vulnerability Assessment
Summary judgment: under current movement predictability and countersurveillance posture, could a determined hostile surveillance operator build a reliable pattern-of-life profile and execute mobile surveillance on a given movement?
[Narrative. Likelihood + confidence stated separately.]
8. Technical / Electronic Surveillance Vulnerability
Assess vulnerability to technical or electronic surveillance methods against the asset - communications intercept (RF / cellular / Wi-Fi / Bluetooth), video/audio surveillance, tracking (GPS / cellular / Bluetooth beacons), data exfiltration from connected systems, and drone-based surveillance.
RF / Communications Intercept Surface
| Signal Type | Presence on Asset | Detectability from Public Space | Encryption / Protection | Intercept Difficulty (Low/Med/High) | Source Grade |
|---|---|---|---|---|---|
| Cellular (GSM/LTE/5G) | [ ] | [ ] | [ ] | [ ] | [ ] |
| Wi-Fi (2.4/5/6 GHz) | [ ] | [ ] | [ ] | [ ] | [ ] |
| Bluetooth / BLE | [ ] | [ ] | [ ] | [ ] | [ ] |
| SATCOM / VSAT | [ ] | [ ] | [ ] | [ ] | [ ] |
| Radio / trunked systems | [ ] | [ ] | [ ] | [ ] | [ ] |
| Other wireless peripherals | [ ] | [ ] | [ ] | [ ] | [ ] |
GPS / Location Tracking Vulnerability
Assess vulnerability to GPS-spoofing / jamming / physical-tracker placement on vehicles, personal items, or shipments. Potential placement points and detection difficulty.
| Target | Tracker-Placement Points | Accessibility | Detection Difficulty (vehicle / personal search posture) | Source Grade |
|---|---|---|---|---|
| [Primary vehicle] | [Exterior / undercarriage / interior / OBD port / fuel cap] | [ ] | [ ] | [ ] |
| [Secondary vehicle] | [ ] | [ ] | [ ] | [ ] |
| [Personal effects / baggage / shipments] | [ ] | [ ] | [ ] | [ ] |
Drone / Aerial Surveillance Vulnerability
Assess vulnerability to drone-based observation - altitude / range of public vantage, no-fly-zone / airspace restrictions, detect-and-avoid capability, typical drone traffic in area (anonymity).
| Factor | Finding | Implication |
|---|---|---|
| Airspace restrictions / no-fly zones | [None / restricted / prohibited] | [ ] |
| Drone detection / C-UAS capability | [None / passive / active / contractual] | [ ] |
| Typical civilian drone traffic | [None / low / moderate / high] | [ ] |
| Asset exposure from vertical aspect | [Open / partially covered / fully covered] | [ ] |
Technical Surveillance Vulnerability Assessment
Summary judgment: the overall vulnerability to technical/electronic surveillance, factoring the intercept surface, tracking vulnerability, drone risk, and the asset’s technical-security posture.
[Narrative. Likelihood + confidence stated separately.]
9. Human / Insider Surveillance Vulnerability
Assess vulnerability to surveillance facilitated by a human source with legitimate access to the asset - household staff, security personnel, vendors, building management, co-workers, neighbours, or family members. Insider threat as a surveillance vector.
Access Population Inventory
| Access Type | Individuals / Roles with Access | Access Level (Escorted / Unescorted / 24/7) | Vetting / Screening | Risk Leverage Points (financial / coercion / ideology / intimacy) | Source Grade |
|---|---|---|---|---|---|
| Household / domestic staff | [ ] | [ ] | [ ] | [ ] | [ ] |
| Security personnel (contracted) | [ ] | [ ] | [ ] | [ ] | [ ] |
| Building / property management | [ ] | [ ] | [ ] | [ ] | [ ] |
| Regular vendors / services | [ ] | [ ] | [ ] | [ ] | [ ] |
| IT / technical support | [ ] | [ ] | [ ] | [ ] | [ ] |
| Neighbours / co-tenants | [ ] | [ ] | [ ] | [ ] | [ ] |
| Family / associates with access | [ ] | [ ] | [ ] | [ ] | [ ] |
Insider Surveillance Vector Assessment
For each access category, assess the vulnerability that a hostile actor could recruit / co-opt / coerce an insider to: report on routines, provide interior access, place devices, photograph documents, observe/signal.
| Vector / Scenario | Plausibility (Low/Med/High) | Required Insider Access Level | Indicators of Co-Opting | Mitigation / Deterrent | Source Grade |
|---|---|---|---|---|---|
| [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
Human Surveillance Vulnerability Assessment
Summary judgment: vulnerability to surveillance through the human / insider vector, factoring access breadth, vetting gaps, and compensation/dependence structures.
[Narrative. Likelihood + confidence stated separately.]
10. Digital-Footprint & Information-Exposure Vulnerability
Assess vulnerability through digital footprint - what a hostile surveillance operator could learn about the asset from open sources without physical presence. Do not re-perform a full OSINT footprint; assess what information is available and of surveillance value.
Information Exposure Matrix
| Information Category | Discoverable from OSINT? (Y/N/Partial) | Surveillance Value to Hostile Operator | Mitigation in Place | Source Grade |
|---|---|---|---|---|
| Address / location (principal / site) | [ ] | [Direct targeting / pattern-of-life baseline] | [ ] | [ ] |
| Residence interior / layout imagery | [ ] | [ ] | [ ] | [ ] |
| Routine / schedule / calendar | [ ] | [ ] | [ ] | [ ] |
| Travel / itinerary | [ ] | [ ] | [ ] | [ ] |
| Principal / family photographs | [ ] | [ ] | [ ] | [ ] |
| Vehicle(s) / registration / plates | [ ] | [ ] | [ ] | [ ] |
| Security posture (visible measures) | [ ] | [ ] | [ ] | [ ] |
| Staff / household personnel | [ ] | [ ] | [ ] | [ ] |
| Business / professional associations | [ ] | [ ] | [ ] | [ ] |
| Real estate / property records | [ ] | [ ] | [ ] | [ ] |
Digital-Footprint Surveillance Vulnerability Assessment
Summary judgment: whether available digital information significantly lowers the collection burden for a hostile surveillance operator - does the operator need to develop information from physical surveillance that the internet already provides?
[Narrative. Likelihood + confidence stated separately.]
11. Counter-Surveillance Capability & Readiness Assessment
Assess the asset’s current capability to detect, deter, and respond to hostile surveillance. This is an analytic evaluation of readiness, not an audit or operational plan.
Counter-Surveillance Capacity Table
| Capability | Currently Present (Y/N/Partial) | Description | Effectiveness Assessment (Low/Med/High) | Gap Identified | Priority (H/M/L) |
|---|---|---|---|---|---|
| Dedicated countersurveillance team / function | [ ] | [ ] | [ ] | [ ] | [ ] |
| CCTV / analytics coverage (purpose: surveillance detection) | [ ] | [ ] | [ ] | [ ] | [ ] |
| Guard-force surveillance-detection training | [ ] | [ ] | [ ] | [ ] | [ ] |
| Route / movement countersurveillance protocols | [ ] | [ ] | [ ] | [ ] | [ ] |
| Technical surveillance countermeasures (TSCM) programme | [ ] | [ ] | [ ] | [ ] | [ ] |
| Insider-threat detection / reporting mechanisms | [ ] | [ ] | [ ] | [ ] | [ ] |
| Drone detection / C-UAS | [ ] | [ ] | [ ] | [ ] | [ ] |
| Digital-footprint / OPSEC management | [ ] | [ ] | [ ] | [ ] | [ ] |
| Incident reporting / suspicious-activity protocol | [ ] | [ ] | [ ] | [ ] | [ ] |
| Periodic vulnerability reassessment | [ ] | [ ] | [ ] | [ ] | [ ] |
Readiness Summary
Net judgment: does the asset have the capacity to detect an attempt at hostile surveillance before the surveillance phase is complete? What are the most critical capability gaps?
[Narrative.]
12. Vulnerability Register & Risk Scoring
Per-domain and consolidated risk scoring. Likelihood (1–5: how easily a hostile surveillance operator could exploit this vulnerability) × Impact (1–5: consequence of successful exploitation for the asset) = 1–25. Keys: 1–5 Low · 6–10 Moderate · 11–15 Elevated · 16–20 High · 21–25 Critical.
Per-Domain Risk Register
| Domain | Vulnerability Description | Likelihood (1–5) | Impact (1–5) | Score | Band | Priority |
|---|---|---|---|---|---|---|
| Static-position surveillance | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
| Movement / route surveillance | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
| Technical / electronic surveillance | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
| Human / insider surveillance | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
| Digital-footprint / information exposure | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
Consolidated Vulnerability Heat Map
Cross-domain summary to identify highest-risk exposure. Guidance: rank-order domains by score and note any critical individual findings that drive the consolidated level.
| Consolidated Level | Basis | Trigger(s) for Escalation |
|---|---|---|
| [Minimal / Low / Moderate / High / Critical] | [ ] | [ ] |
13. Verified Findings Summary
| # | Finding | Status | Analytic Confidence | Materiality |
|---|---|---|---|---|
| F-1 | [ ] | [Verified / Unverified / Contradicted] | [H/M/L] | [Material / Minor] |
| F-2 | [ ] | [ ] | [ ] | [ ] |
14. Hostile Surveillance Indicators & Warning Matrix
Observable indicators that a hostile surveillance operation may be underway or being prepared against the asset. Organised by domain - static, mobile, technical, human, digital. For each indicator: what to look for, where to look, how to verify.
Indicator Matrix
| Domain | Indicator (observable behaviour / condition) | Detection Method | Potential False-Flag / Misattribution | Action if Confirmed | Source Grade |
|---|---|---|---|---|---|
| Static | [Unknown/infrequent vehicle parked at observation position with line of sight to asset for extended period] | [ ] | [ ] | [ ] | [ ] |
| Static | [ ] | [ ] | [ ] | [ ] | [ ] |
| Mobile | [ ] | [ ] | [ ] | [ ] | [ ] |
| Mobile | [ ] | [ ] | [ ] | [ ] | [ ] |
| Technical | [ ] | [ ] | [ ] | [ ] | [ ] |
| Technical | [ ] | [ ] | [ ] | [ ] | [ ] |
| Human | [ ] | [ ] | [ ] | [ ] | [ ] |
| Digital | [ ] | [ ] | [ ] | [ ] | [ ] |
Indicator Escalation Logic
Guidance on how to read clusters of indicators - a single indicator is ambiguous; multiple concurrent indicators across domains increase concern.
[Narrative.]
15. Analysis of Competing Hypotheses (ACH)
Test the alternative explanations for the observed vulnerability pattern. A vulnerability assessment does not assume hostile intent - the hypotheses test whether the vulnerability conditions are exploitable by an adversary, benign, or a mischaracterisation.
Hypothesis 1: [The asset’s vulnerability profile would permit effective hostile surveillance by a determined operator]
- Evidence for / against: [ ] / [ ]
- Assessment: [ ]
Hypothesis 2: [The asset’s vulnerability profile is benign - routine urban/public exposure that does not materially enable surveillance]
- Evidence for / against: [ ] / [ ]
- Assessment: [ ]
Hypothesis 3: [The vulnerability profile is overestimated - assumptions about operator capability, resources, or persistence are too pessimistic]
- Evidence for / against: [ ] / [ ]
- Assessment: [ ]
Hypothesis 4: [The vulnerability profile is underestimated - the assessment missed collection vectors or assumed adversary limitations that do not apply]
- Evidence for / against: [ ] / [ ]
- Assessment: [ ]
Most consistent hypothesis: [Which, and the discriminating evidence.]
16. Key Assumptions Check
| # | Assumption | Basis | Analytic Confidence | Impact if Wrong |
|---|---|---|---|---|
| A-1 | [Hostile surveillance operator is assumed to have generic surveillance tradecraft (static + mobile + technical) and motivation to invest collection time] | [ ] | [H/M/L] | [ ] |
| A-2 | [Asset’s current protective posture is static - no imminent upgrades or degradation] | [ ] | [ ] | [ ] |
| A-3 | [ ] | [ ] | [ ] | [ ] |
| A-4 | [ ] | [ ] | [ ] | [ ] |
17. Collection Gaps & Intelligence Requirements (RFIs)
| Gap / RFI | Impact on Assessment | Recommended Collection / Routed Product | Priority |
|---|---|---|---|
| [ ] | [ ] | [Method / e.g., ”→ site survey / aerial imagery analysis / staff interviews”] | [HIGH/MED/LOW] |
| [ ] | [ ] | [ ] | [ ] |
18. Recommendations & Remediation Priorities
Assessment without management is incomplete. Provide concrete, prioritised recommendations to reduce surveillance vulnerability. Organise by domain and by stakeholder (asset owner, security team, principal, legal/compliance). Distinguish between immediate/low-cost measures and longer-term investment. Include actions to AVOID that could be counterproductive.
Remediation Priority Matrix (Per Finding from §12–§13)
| Finding / Gap | Recommended Remediation | Lawful Basis / Authority | Owner | Priority (Critical/High/Med/Low) | Estimated Effort | Timeline |
|---|---|---|---|---|---|---|
| [ ] | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
| [ ] | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
Stakeholder-Specific Recommendations
For the Asset Owner / Principal
Highest-level actions - posture adjustments, resource commitment decisions, principal behaviour changes.
[Narrative.]
For the Security Team
Operational-level actions - surveillance-detection patrols, countersurveillance protocols, technology upgrades, staff training, incident-response plan.
[Narrative.]
For Legal / Compliance
Any actions requiring legal review - trespass enforcement, access-control policies, data-protection implications of countersurveillance measures, privacy notice updates.
[Narrative.]
Actions to AVOID (counterproductive measures)
Steps that could degrade security, create legal exposure, or provoke escalation - e.g., aggressive confrontation of suspicious persons without evidence, public exposure of countermeasures, unauthorised technical intercept, self-surveillance of neighbours.
[Narrative.]
Reassessment Triggers & Cadence
When this assessment must be revisited and the routine review interval. Name the program owner.
[Narrative. Program owner: [NAME]. Review cadence: [quarterly / bi-annual / annual / event-triggered].]
19. Annex A - Sources, Methodology & Doctrinal Basis
Methodology by Phase (ATP 2-22.9 intelligence process, para 1-9)
Plan (requirements / scope definition / asset brief) → Prepare (site-survey permissions / remote-imagery procurement / managed-attribution setup) → Collect (site walk / open-source research / imagery analysis / staff interviews) → Produce (evaluate / process / report). State what was done in each phase.
Collection Methods
List collection methods used in this assessment (site survey from public rights-of-way, remote-satellite/drone imagery analysis, OSINT search, questionnaire/interviews with asset security personnel, review of existing security documentation).
- [Method 1]: [Brief description]
- [Method 2]: [ ]
- [Method 3]: [ ]
Doctrinal Basis & Method
Governing authority and imported constructs, with FULL/PARTIAL/GAP transparency.
- Governing authority (GAP band): No single military doctrine governs vulnerability-to-hostile-surveillance assessment. This product draws method from physical-security / counter-surveillance / protective-intelligence practitioner frameworks, layered over the analytic floor.
- Analytic overlay (method, not authority): The structured-observation-position survey method; route-segment vulnerability analysis; domain decomposition of surveillance vectors (static / mobile / technical / human / digital).
- Counter-surveillance readiness evaluation: Adapted from protective-intelligence program-assessment frameworks.
- Analytic floor: ICD 203 (likelihood/confidence separated), ICD 206 (sourcing), NATO Admiralty A–F reliability.
- Authority boundary: collection confined to lawful open/publicly-available sources (ATP 2-22.9 1-2) and site surveys conducted from public rights-of-way with no trespass, no surveillance of individuals, and no unattended sensing.
Source Register
| Ref | Source | Source Role (Primary/Secondary/Authoritative/Non-auth.) | Type | Reliability (A–F) | Credibility (1–6) | Date |
|---|---|---|---|---|---|---|
| S-1 | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
| S-2 | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
Source Evaluation Worksheet (ATP 2-22.9 4-13)
| Source | Identity | Authority | Motive | Access | Timeliness | Consistency | → Reliability/Credibility |
|---|---|---|---|---|---|---|---|
| [ ] | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
Source Reliability Scale (Admiralty, A–F)
| Grade | Meaning |
|---|---|
| A | Completely reliable |
| B | Usually reliable |
| C | Fairly reliable |
| D | Not usually reliable |
| E | Unreliable |
| F | Reliability cannot be judged |
Grades run A Completely reliable through F Reliability cannot be judged; new sources default to F.
Information Credibility Scale (Admiralty, 1–6)
| Grade | Meaning |
|---|---|
| 1 | Confirmed by other sources |
| 2 | Probably true |
| 3 | Possibly true |
| 4 | Doubtful |
| 5 | Improbable |
| 6 | Truth cannot be judged |
Each sourced datum receives a two-character grade (e.g., B2). New sources default to F6.
Estimative Probability (Likelihood) Lexicon - ICD 203
| Term | Range |
|---|---|
| Almost no chance / remote | 01–05% |
| Very unlikely / highly improbable | 05–20% |
| Unlikely / improbable | 20–45% |
| Roughly even chance | 45–55% |
| Likely / probable | 55–80% |
| Very likely / highly probable | 80–95% |
| Almost certain / nearly certain | 95–99% |
The estimative scale runs from almost no chance / remote (01–05%) to almost certain / nearly certain (95–99%). Likelihood (event) and analytic confidence (evidence) are distinct axes - never combine them in one sentence (ICD 203).
Analytic Confidence Scale (evidence base)
| Level | Criteria |
|---|---|
| HIGH | Multiple independent, reliable sources; corroborated; no significant contradiction. |
| MODERATE | Partial corroboration; some gaps; minor unresolved inconsistencies. |
| LOW | Single/uncorroborated source; significant gaps; plausible alternatives open. |
Risk-Scoring Key
| Score | Band |
|---|---|
| 1–5 | Low |
| 6–10 | Moderate |
| 11–15 | Elevated |
| 16–20 | High |
| 21–25 | Critical |
Likelihood (1–5) × Impact (1–5) = 1–25. Risk is scored per domain in §12; the overall vulnerability level in the Summary Card is a structured professional judgment, not a sum.
Collection OPSEC / Non-Attribution
Managed-attribution posture used (non-.gov egress, no login pivots into private space, footprint minimization - ATP 2-22.9 App B: research “could unintentionally reveal CCIRs”). Site survey conducted from public rights-of-way only; no photography of individuals; no unattended devices deployed.
Methodological note: This is a vulnerability assessment, not a threat-assessment, not a finding that hostile surveillance is occurring, and not a security-system audit. Likelihood (event) and analytic confidence (evidence) are stated separately (ICD 203). Practitioner methods (countersurveillance tradecraft frameworks) are cited as method, never as governing authority; no live tool names appear in this skeleton. All site observations were conducted lawfully from public space.
20. Annexes B+
- Annex B - Site Diagram / Observation-Position Map: [Sketch/map annotating observation positions, sightlines, choke points, coverage gaps.]
- Annex C - Route Diagram (per route): [Map segmenting the route with vulnerability annotations per segment.]
- Annex D - Digital-Footprint Discovery Record: [Open-source search results - publicly available information found about the asset.]
- Annex E - Source Index: [Citations / archived records, capture timestamps.]
- Annex F - Security-Questionnaire Responses (if applicable): [Anonymised summary of security-team interviews.]
- Annex G - Glossary & Abbreviations.
- Annex H - Revision History.
END OF REPORT
This Hostile Surveillance Vulnerability Assessment is an analytic evaluation of observable conditions that could facilitate hostile surveillance against the named asset. It is NOT a finding that hostile surveillance is occurring, NOT a threat-actor investigation, NOT a security-system audit or certification, NOT a compliance inspection, and NOT an operational security plan. It identifies gaps; remediation is the responsibility of the asset owner/operator. All collection was conducted lawfully from public space or with permission. The vulnerability profile is dynamic and must be reassessed on the stated triggers. If evidence of active hostile surveillance is discovered, contact the designated security officer / law enforcement immediately.
| Field | Value |
|---|---|
| Prepared By | [ANALYST / THREAT MANAGER NAME] |
| Reviewed By | [REVIEWER NAME] |
| Approving Officer | [APPROVER NAME] |
| Date | [YYYY-MM-DD] |
| Version | [X.X] |
Model wiring
Generated from cell frontmatter at publish time.