PROTECTIVE INTELLIGENCE ASSESSMENT
[PRINCIPAL / PROTECTEE] - Threat-Network Picture
The Protective Intelligence Assessment maps and characterizes the network of actors who may pose a threat to a named principal, and renders lawful engagement options per actor. It elevates the single-subject Subject Threat Assessment to network/program altitude: multiple hostile actors, their facilitation/support relationships, the nexus to the principal (including insider-threat bridges), and a Support / Influence / Neutralize-rendered-lawful engagement matrix. It is a behavioral, structured-professional-judgment product framed by USSS/ATAP/WAVR-21/TRAP-18, with the network-engagement spine as the analytic overlay. It is not a clinical/psychological diagnosis, not an actuarial prediction, not a single-subject dossier, and not a protective-operations plan. If indicators of imminent danger are present, escalate to law enforcement immediately.
Document Control
| Field | Value |
|---|---|
| Report Reference | [REF-YYYY-###] |
| Date of Report | [YYYY-MM-DD] |
| Assessment As-Of Date | [YYYY-MM-DD] |
| Principal / Protectee at Risk | [Named individual / family / principal at risk] |
| Threat-Network Scope (actors in scope) | [Named/numbered actors and entities assessed in this picture] |
| Triggering Event / Referral | [Communication / incident / pattern that prompted assessment] |
| Assessment Models Applied | [Pathway to violence · Warning behaviors/TRAP-18 · WAVR-21 domains · Hunter/Howler · NE spine] |
| Qualified Evaluator (if instrument coded) | [Name / credential - formal WAVR-21/TRAP-18 coding requires a trained rater] |
| Program Owner | [Who owns the protective-intelligence program / case going forward] |
| Client | [CLIENT NAME] |
| Prepared By | [ANALYST / THREAT MANAGER NAME / ID] |
| Reviewed By | [REVIEWER NAME / ID] |
| Approving Officer | [APPROVER NAME / ID] |
| Version | [1.0] |
| Distribution | [NAMED RECIPIENTS] |
Handling & Legal Caveat
Handling: [Classification/TLP]. Named recipients only. No onward dissemination without originator approval.
IMMINENT DANGER: If this assessment surfaces an imminent risk of harm, contact law enforcement / 911 immediately. This product does not substitute for emergency response.
Nature of assessment: This is a behavioral structured-professional-judgment assessment of whether the actors in scope pose a targeted-violence threat to the principal. It is NOT a clinical, psychological, psychiatric, or fitness-for-duty diagnosis, and NOT an actuarial prediction of future violence. It assigns concern and prioritizes management; it does not claim to predict who will or will not act.
Duty to warn / report: Where findings implicate a duty to warn an identifiable potential victim (e.g., Tarasoff-type obligations) or a mandatory-reporting duty, those obligations are triggered independently of this report and must be actioned per counsel and jurisdiction.
Permissible purpose: Conducted for the lawful protective purpose of [PURPOSE]. Not a “consumer report” and not prepared by a “consumer reporting agency” under the FCRA (15 U.S.C. § 1681); not for any FCRA-covered eligibility determination.
Data protection: Personal and behavioral data processed under [GDPR/CCPA/applicable regime]; handle per the client DPA and retention schedule [RETENTION REF]. Privilege: [If applicable] Attorney–Client Privileged / Work Product.
Collection boundary: Collection confined to open/publicly-available information (ATP 2-22.9 1-2); no surveillance of, or pretext contact with, any subject; lawful-open-source only.
Currency: Threat is dynamic. This assessment reflects information as of the as-of date and must be reassessed on the triggers/cadence in §20.
Network Threat Summary
| Field | Value |
|---|---|
| Highest-Concern Actor | [Node ID / name] |
| Network Threat Level | [Minimal / Low / Moderate / High / Imminent] |
| # Threat Nodes / # Nexus Nodes | [n threat / n nexus] |
| Primary Grievance Vector | [Nature / shared driver across the threat network] |
| Insider-Threat Nexus (Y/N) | [Y/N - household/staff or trusted node bridging to a threat actor] |
| Recommended Protective Posture | [One line] |
| Reassessment Trigger | [Event/cadence] |
Table of Contents
Page numbers populate on export to Word/PDF.
- BLUF - Bottom Line Up Front
- Executive Summary
- Key Judgments
- Priority Intelligence Requirements (PIRs)
- Threat-Network Frame & Composition
- Link Analysis & Association Matrix
- SNA / Key-Node Ranking
- Critical & Nexus Nodes
- Per-Actor Threat Characterization
- Critical Factors Analysis (CFA)
- Protectee Exposure Surface & Nexus Layer
- Requirements & Indicators / Collection Plan
- Engagement-Option Matrix (Support / Influence / Neutralize-rendered-lawful)
- Threat-Network Risk Register
- Verified Findings Summary
- Escalation Indicators & Tripwires
- Analysis of Competing Hypotheses (ACH)
- Key Assumptions Check
- Collection Gaps & Intelligence Requirements (RFIs)
- Protective-Intelligence Program Recommendations
- Annex A - Sources, Methodology & Doctrinal Basis
- Annexes B+
1. BLUF - Bottom Line Up Front
2–4 sentences. State the network threat level, the highest-concern actor(s), whether any actor poses (vs. merely makes) a threat to the principal, and the immediate required action (including any law-enforcement referral).
- Network threat level: [Minimal / Low / Moderate / High / Imminent.]
- Highest-concern actor(s): [Node ID(s) + one-line basis.]
- Poses vs. makes a threat: [Which actor(s) pose vs. merely make a threat + one-line basis.]
- Immediate action: [Protective action / law-enforcement referral / monitoring posture.]
2. Executive Summary
Referral & Triggering Event
What prompted this assessment - the communication, incident, or pattern, and when.
[Narrative.]
Network Overview
The shape of the threat network: how many actors, their relationships and facilitation/support links, and the nexus to the principal. Detailed in §5–§8.
[Narrative.]
Scope & Limitations
What was assessed, sources available, time window, and constraints (no clinical evaluation, no direct subject interview, open-source-only collection, data limitations).
[Narrative.]
Network Threat Bottom Line
The net assessment in narrative form - consistent with §13–§14.
[Narrative.]
3. Key Judgments
Analytic assessments. Likelihood (of approach/escalation/targeted violence by the network or a node) and analytic confidence in SEPARATE columns (never combine them in one sentence - ICD 203). Each judgment names its change indicator.
| # | Judgment | Likelihood | Analytic Confidence | Change Indicator |
|---|---|---|---|---|
| KJ-1 | [e.g., likelihood of attempted approach to the principal by Node N-x] | [almost no chance … almost certain] | [HIGH/MOD/LOW] | [ ] |
| KJ-2 | [ ] | [ ] | [ ] | [ ] |
| KJ-3 | [ ] | [ ] | [ ] | [ ] |
| KJ-4 | [ ] | [ ] | [ ] | [ ] |
4. Priority Intelligence Requirements (PIRs)
The questions this assessment must answer (PIR → Indicator → SIR → source). Answer, evidence, confidence, residual gap each.
Collection-management spine: PIR → Indicator → SIR → OSINT-first source (Army-current; EEI = Joint synonym).
PIR-1: [e.g., Does any actor in the network have the intent to harm the principal?]
| Assessment | Supporting Evidence | Analytic Confidence |
|---|---|---|
| [YES / NO / LIKELY / UNRESOLVED] | [ ] | [HIGH/MOD/LOW] |
Residual gap: [Carry to §19 if open.]
PIR-2: [e.g., Does any actor have the capability and access to act against the principal?]
| Assessment | Supporting Evidence | Analytic Confidence |
|---|---|---|
| [ ] | [ ] | [ ] |
Residual gap: [ ]
(Repeat - typically: intent · capability · access/opportunity · network coordination/facilitation · insider-threat nexus · pathway progression.)
PIR Summary Matrix
| PIR | Question (brief) | Answer | Analytic Confidence |
|---|---|---|---|
| PIR-1 | Intent (any node) | [ ] | [H/M/L] |
| PIR-2 | Capability | [ ] | [H/M/L] |
| PIR-3 | Access / opportunity | [ ] | [H/M/L] |
| PIR-4 | Network coordination / insider nexus | [ ] | [H/M/L] |
5. Threat-Network Frame & Composition
Block 1 of the network-engagement spine. Inventory every actor as a node; categorize each by position toward the principal, not by structure - friendly / neutral / threat / unknown (ATP 5-0.6 2-2). Never default unknown to neutral (2-8). Allegiance is perishable (2-7).
| Node ID | Actor / Entity | Node Type (person/org/place/event/resource) | Category (friendly/neutral/threat/unknown) | Role in Network | Source Grade |
|---|---|---|---|---|---|
| N-1 | [ ] | [ ] | [ ] | [ ] | [A–F / 1–8] |
| N-2 | [ ] | [ ] | [ ] | [ ] | [ ] |
Structure & density characterization: [Hierarchical / nonhierarchical / blended; cell structure; density. One line.]
6. Link Analysis & Association Matrix
Block 2. “who is doing what to (or for) whom” (ATP 5-0.6 3-29). Multi-mode rule: never link person→person directly - capture the connecting event/place/resource node (3-30). Known = solid, suspected = dashed.
| Node A | Relationship / Activity | Node B (or connecting event/place/resource) | Strength (known/suspected) | Source Grade |
|---|---|---|---|---|
| [ ] | [ ] | [ ] | [Known/Suspected] | [ ] |
Relationship diagram: [draw.io / link-chart reference - solid = known, dashed = suspected. Annex B.]
7. SNA / Key-Node Ranking
Block 3. Quantitative centrality over the link diagram to rank structural importance (JP 3-25 App G: degree / closeness / betweenness / eigenvector). Orders which nodes the engagement lanes target first.
| Node ID | Degree | Closeness | Betweenness | Eigenvector | Designation (hub/broker/peripheral/key) |
|---|---|---|---|---|---|
| N-1 | [ ] | [ ] | [ ] | [ ] | [ ] |
Key-node read: [Which nodes are hubs vs brokers vs peripheral; what the ranking implies for prioritization.]
8. Critical & Nexus Nodes
Block 4. Spanners bridging ≥2 networks - “nexus nodes… whose position and linkages provide them the potential to have a significant influence upon at least two of the three basic networks” (ATP 5-0.6, note after Fig 3-10). The household-staff member tied to a threat actor is the insider-threat bridge.
| Node ID | Networks Bridged | Nature (insider-threat risk / influence conduit) | Implication for the Protection Plan | Source Grade |
|---|---|---|---|---|
| [ ] | [friendly↔threat / neutral↔threat] | [ ] | [ ] | [ ] |
9. Per-Actor Threat Characterization
For each threat node from §5, run the structured-professional-judgment characterization below (USSS/ATAP/WAVR-21/TRAP-18). These are behaviors, not inferences about thoughts; coding of WAVR-21/TRAP-18 requires a trained rater. Repeat the full block per threat actor.
Actor [N-x]: [Name / designation]
Actor–Principal Nexus
The relationship between this actor and the principal and the grievance that drives the threat. Targeted violence is grievance-driven and target-specific - establish the “why this target.”
| Element | Finding | Source Grade |
|---|---|---|
| Relationship to principal | [Former employee / intimate / litigant / stranger-fixated / ideological] | [A–F/1–8] |
| Grievance (nature & origin) | [ ] | [ ] |
| Fixation / preoccupation | [Intensity, duration, escalation] | [ ] |
| Identification (warrior mentality, role models, prior attackers) | [ ] | [ ] |
| Contact / communication history with principal | [Frequency, tone, escalation] | [ ] |
| Prior protective/legal actions (TRO, trespass, prior reports) | [ ] | [ ] |
Nexus assessment: [Why this actor is focused on the principal; trajectory of the focus.]
Behavioral Warning Indicators
Coded against the eight proximal warning behaviors (Meloy / TRAP-18). For each: present / absent / unknown, with observed evidence and source grade. These are behaviors, not inferences about thoughts.
| Warning Behavior | Status | Observed Evidence | Source Grade |
|---|---|---|---|
| Pathway (research, planning, preparation, attack-related behavior) | [Present/Absent/Unknown] | [ ] | [A–F/1–8] |
| Fixation (increasing preoccupation with person/cause) | [ ] | [ ] | [ ] |
| Identification (warrior/pseudo-commando, weapons affinity, prior-attacker emulation) | [ ] | [ ] | [ ] |
| Novel aggression (unrelated act of violence to test capacity) | [ ] | [ ] | [ ] |
| Energy burst (increase in activity related to the target) | [ ] | [ ] | [ ] |
| Leakage (communication to a third party of intent to harm) | [ ] | [ ] | [ ] |
| Last resort (violent action/time imperative; “no other option”) | [ ] | [ ] | [ ] |
| Directly communicated threat | [ ] | [ ] | [ ] |
Warning-behavior summary: [Which are present, clustering, recency, and acceleration.]
Pathway-to-Violence
Locate the actor on the pathway. Targeted violence is typically the culmination of a progression, not an impulsive reaction. Identify the furthest stage with behavioral evidence and the direction/velocity of movement.
| Stage | Behavioral Evidence | Observed? | Source Grade |
|---|---|---|---|
| 1. Grievance | [ ] | [Y/N/Unk] | [ ] |
| 2. Ideation (violence as a solution) | [ ] | [ ] | [ ] |
| 3. Research / planning (target, methods, surveillance) | [ ] | [ ] | [ ] |
| 4. Preparation (acquisition, rehearsal, logistics) | [ ] | [ ] | [ ] |
| 5. Breach / probing (approach, security testing) | [ ] | [ ] | [ ] |
| 6. Attack | [ ] | [ ] | [ ] |
Pathway assessment: [Furthest stage evidenced; movement direction and velocity; any stage-skipping.]
Capability, Access & Opportunity
Means, skills, and the access/opportunity to reach the principal. Intent without capability/access is a different problem than intent with both.
| Factor | Finding | Analytic Confidence |
|---|---|---|
| Weapons access / acquisition | [ ] | [H/M/L] |
| Relevant skills / training (military, tactical) | [ ] | [ ] |
| Physical proximity / access to principal | [ ] | [ ] |
| Knowledge of principal patterns/locations | [ ] | [ ] |
| Opportunity (upcoming events, exposure windows) | [ ] | [ ] |
Intent, Motivation & Grievance
Characterize intent and motivation. Distinguish instrumental (goal-directed) from expressive (emotional venting) intent - central to the hunter/howler determination.
| Element | Finding | Analytic Confidence |
|---|---|---|
| Stated intent (explicit/implicit) | [ ] | [H/M/L] |
| Instrumental vs. expressive | [ ] | [ ] |
| Motivation / driver (revenge, ideology, intimacy, notoriety, despair) | [ ] | [ ] |
| Last-resort / desperation indicators | [ ] | [ ] |
| Suicidality / murder-suicide indicators | [ ] | [ ] |
Threat Classification & Level Determination
Render the structured-professional-judgment determination for this actor: poses vs. makes a threat; hunter vs. howler; and the assigned threat level - with explicit rationale tying back to warning behaviors, pathway stage, capability/access, intent, and stabilizers. This is a judgment, not a number.
| Determination | Finding | Basis |
|---|---|---|
| Poses vs. makes a threat | [ ] | [ ] |
| Hunter / Howler | [ ] | [ ] |
| Threat level | [Minimal / Low / Moderate / High / Imminent] | [ ] |
Determination rationale: [Narrative SPJ argument. Reference the discriminating indicators. State likelihood and analytic confidence separately.]
(Repeat §9 per threat node identified in §5.)
10. Critical Factors Analysis (CFA)
Block 6 - the engagement-point engine. Per threat node, decompose the actor’s objective into Critical Capabilities → Critical Requirements → Specific Activities → Critical Vulnerabilities → recommended (lawful) action. “The critical factors are the CCs, critical requirements (CRs), and CVs.” (JP 3-25 Ch IV.) The CV column is where lawful engagement attaches.
| Node | Objective | Critical Capability (CC) | Critical Requirement (CR) | Specific Activity | Critical Vulnerability (CV) | Recommended Lawful Action (→ §13) |
|---|---|---|---|---|---|---|
| [ ] | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
11. Protectee Exposure Surface & Nexus Layer
Ties the threat network to the principal. Inventory the principal’s exposure (residence, routine, travel, digital footprint, household/staff access) and the nexus nodes (§8) that bridge the threat network to that exposure - especially the insider-threat bridge.
| Exposure Surface | Description | Linked Threat Node(s) | Nexus Node (if any) | Residual Exposure |
|---|---|---|---|---|
| [Residence / routine / travel / digital / staff-access] | [ ] | [ ] | [ ] | [ ] |
Environment lens - OAKOC of the fixed-exposure points
The environment_framework: [oakoc] lens applied to the principal’s predictable, fixed-location exposure (residence, regular venues, habitual routes) - the terrain a threat node would exploit to observe, approach, or act. Open-source terrain analysis only; no surveillance of the principal. (OAKOC: observation and fields of fire, avenues of approach, key terrain, obstacles, cover and concealment - ATP 2-01.3 3-17; legacy synonym OCOKA.)
| Fixed-exposure point | Observation & fields of fire | Avenue(s) of approach | Key terrain / chokepoint | Obstacles | Cover & concealment | Linked threat node(s) |
|---|---|---|---|---|---|---|
| [Residence / venue / habitual route] | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
12. Requirements & Indicators / Collection Plan
Block 7. Each CR/CV from §10 decomposes to observable indicators → PIR → Indicator → SIR → OSINT-first source. “open source information provides most of what is known about friendly and neutral networks” (ATP 5-0.6 2-6). The collection sub-matrix follows the ATP 2-22.9 4-step sequence (3-3); only open/publicly-available techniques are used - technical/human/clandestine acquisition is not assigned to OSINT (3-3).
Indicator derivation (off the CFA CR/CV rows):
| CR / CV (from §10) | Observable Indicator | PIR | SIR (specific information requirement) | Open Source / Discipline |
|---|---|---|---|---|
| [ ] | [ ] | [ ] | [ ] | [ ] |
Collection Plan (ATP 2-22.9 3-3):
| Requirement (PIR) | Requirement Type | Open Source Identified | Collection Technique | Status |
|---|---|---|---|---|
| [ ] | [ ] | [ ] | [open/publicly-available only] | [ ] |
Standing caveat: collection confined to open/publicly-available techniques (ATP 2-22.9 1-2/3-3). No technical, human-source, or clandestine acquisition. A Chatham-House-Rule invocation reclassifies an open source to confidential - stop collection.
13. Engagement-Option Matrix (Support / Influence / Neutralize-rendered-lawful)
Block 8 - the Action Framework (ATP 5-0.6 1-5). Per actor, select the lane: Support (friendly nodes), Influence (any category, short of confrontation), or Neutralize (lawful) - which is mandatorily rendered through the lawful-effects translation below and never appears as an action verb. Each lawful effect carries a named legal authority and an owner. Doctrine prefers the judicial over the kinetic effect (ATP 5-0.6 3-49).
Lawful-Effects Translation (the “Neutralize-rendered-lawful” lane resolves to ≥1 of these)
| Lawful effect | What it is | Doctrinal hook |
|---|---|---|
| Deterrence / target-hardening | Visible posture, route/venue hardening, access control | ”isolate the threat networks from the population” (ATP 5-0.6 1-18) |
| Legal process | Civil injunction, restraining/protective order, TRO, cease-and-desist | judicial-apparatus preference (3-49) |
| Law-enforcement referral | Package evidence (link diagram + activity timeline) to police/FBI/prosecutor | reduce threat-leadership influence via state apparatus (3-49) |
| Relationship management / lawful co-opting | Engagement of neutral/threat nodes short of confrontation | ”develop means to co-opt” (3-11) |
| Threat de-escalation | Behavioral-threat-management intervention | influence to “change… behavior” (1-13) |
| Isolation | Sever the threat node’s access to the principal | ”severing the links between networks and its smaller cells” (2-16) |
Per-Actor Engagement Plan
| Node | Category | Lane (Support / Influence / Neutralize-rendered-lawful) | Selected Lawful Effect(s) | Named Legal Authority | Owner | Desired Effect / Measure |
|---|---|---|---|---|---|---|
| [ ] | [ ] | [ ] | [from the table above] | [statute / order / referral basis] | [ ] | [ ] |
Rule: the word “neutralize” is the lane name only; every Neutralize selection is rendered to ≥1 lawful effect above (the translation) with a named authority and owner. Support and Influence are already lawful.
14. Threat-Network Risk Register
Per-node risk to the principal, scored Likelihood (1–5) × Impact (1–5) = 1–25. Keys: 1–5 Low · 6–10 Moderate · 11–15 Elevated · 16–20 High · 21–25 Critical. (Distinct from the SPJ threat level in §9 - this orders nodes for the protection plan, matching the network risk-score table.)
| Node | Threat Scenario | Likelihood (1–5) | Impact (1–5) | Score | Band | Priority |
|---|---|---|---|---|---|---|
| [ ] | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
15. Verified Findings Summary
| # | Finding | Status | Analytic Confidence | Materiality |
|---|---|---|---|---|
| F-1 | [ ] | [Verified / Unverified / Contradicted] | [H/M/L] | [Material / Minor] |
16. Escalation Indicators & Tripwires
The specific, observable behaviors that would indicate escalation and trigger re-assessment or protective action. Pre-defining tripwires is core to threat management.
| Tripwire (observable) | Indicates | Required Response |
|---|---|---|
| [e.g., acquisition of a weapon by a threat node] | [Capability escalation] | [Immediate reassessment / LE referral] |
| [e.g., approach to principal location] | [Breach/probing] | [ ] |
17. Analysis of Competing Hypotheses (ACH)
Test the alternatives at network altitude - a genuine coordinated threat network, several unconnected individuals each making (not posing) a threat, or a misattributed/wrong actor. The favored judgment is the one with the least disconfirming evidence.
Hypothesis 1: [A genuine, coordinated threat network targets the principal]
- Evidence for / against: [ ] / [ ]
- Assessment: [ ]
Hypothesis 2: [Unconnected individuals, expressive/howler, low coordination and low approach risk]
- Evidence for / against: [ ] / [ ]
- Assessment: [ ]
Hypothesis 3: [Misattribution / wrong actor / over-linked network]
- Evidence for / against: [ ] / [ ]
- Assessment: [ ]
Most consistent hypothesis: [Which, and the discriminating evidence.]
18. Key Assumptions Check
| # | Assumption | Basis | Analytic Confidence | Impact if Wrong |
|---|---|---|---|---|
| A-1 | [ ] | [ ] | [H/M/L] | [ ] |
| A-2 | [ ] | [ ] | [ ] | [ ] |
19. Collection Gaps & Intelligence Requirements (RFIs)
| Gap / RFI | Impact on Assessment | Recommended Collection / Routed Product | Priority |
|---|---|---|---|
| [ ] | [ ] | [Method / e.g., ”→ continuous monitoring”] | [HIGH/MED/LOW] |
20. Protective-Intelligence Program Recommendations
Assessment without management is incomplete. Provide concrete management options per node, protective measures tied to §13, legal/LE options, and - critically - actions to AVOID that could escalate. Define reassessment triggers and cadence and name the program owner.
Recommended Management Strategy
Overall posture across the network: monitor / actively manage / disrupt / refer. Rationale.
[Narrative.]
Protective & Mitigation Measures (per node - tie to §13)
| Node | Measure | Lawful Effect (→ §13) | Owner | Priority |
|---|---|---|---|---|
| [ ] | [Protective-detail adjustment / access control / route change] | [ ] | [ ] | [H/M/L] |
| [ ] | [Monitoring of node indicators] | [ ] | [ ] | [ ] |
| [ ] | [Legal action - TRO / trespass / cease-contact] | [ ] | [ ] | [ ] |
| [ ] | [Law-enforcement referral / coordination] | [ ] | [ ] | [ ] |
Actions to AVOID (de-escalation discipline)
Steps that could provoke, accelerate, or validate any node (e.g., aggressive confrontation, public exposure, abrupt cutoff in intimacy cases). Threat management can make things worse if mishandled.
[Narrative.]
Reassessment Triggers & Cadence
When this assessment must be revisited (tripwires from §16) and the routine review interval. Name the program owner.
[Narrative. Program owner: [NAME].]
21. Annex A - Sources, Methodology & Doctrinal Basis
Methodology by Phase (ATP 2-22.9 intelligence process, para 1-9)
Plan (requirements) → Prepare (managed-attribution setup / compliance) → Collect (open-source media + technique) → Produce (evaluate / process / report). State what was done in each phase.
Doctrinal Basis & Method
Governing authority and imported constructs, with FULL/PARTIAL/GAP transparency. Anchors resolve through docs/reference/doctrine/INDEX.md.
- Governing authority (PARTIAL band): USSS Fein-Vossekuil / ATAP / WAVR-21 / TRAP-18 behavioral threat assessment - the behavioral core (pathway-to-violence, fixation, leakage) that military doctrine does not govern.
- Analytic overlay (method, not authority): the network-engagement spine - Network Frame (ATP 5-0.6 2-13), Link Analysis (3-29), SNA (JP 3-25 App G), Nexus nodes (3-50), CFA (JP 3-25 Ch IV), Action Framework (1-5) rendered through the lawful-effects translation.
- Analytic floor: ICD 203 (likelihood/confidence separated), ICD 206 (sourcing), NATO Admiralty A–F reliability.
- Authority boundary: collection confined to lawful open/publicly-available sources (ATP 2-22.9 1-2); military collection authorities do not transfer.
Source Register
| Ref | Source | Source Role (Primary/Secondary/Authoritative/Non-auth.) | Type | Reliability (A–F) | Credibility (1–8) | Date |
|---|---|---|---|---|---|---|
| S-1 | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
Source Evaluation Worksheet (ATP 2-22.9 4-13)
| Source | Identity | Authority | Motive | Access | Timeliness | Consistency | → Reliability/Credibility |
|---|---|---|---|---|---|---|---|
| [ ] | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
Source Reliability Scale (Admiralty, A–F)
| Grade | Meaning |
|---|---|
| A | Completely reliable |
| B | Usually reliable |
| C | Fairly reliable |
| D | Not usually reliable |
| E | Unreliable |
| F | Reliability cannot be judged |
Grades run A Completely reliable through F Reliability cannot be judged; new sources default to F.
Information Credibility Scale - OSINT 8-band (ATP 2-22.9, Table 2-2)
| Grade | Meaning |
|---|---|
| 1 | Confirmed by other sources |
| 2 | Probably true |
| 3 | Possibly true |
| 4 | Doubtful |
| 5 | Improbable |
| 6 | Misinformation (unintentionally false) |
| 7 | Deception (deliberately false) |
| 8 | Credibility cannot be judged |
New sources default to F/8. Bands 1–5 carry the Admiralty wording; 6–8 are the ATP 2-22.9 additions grading mis-/dis-information distinctly.
Estimative Probability (Likelihood) Lexicon - ICD 203
| Term | Range |
|---|---|
| Almost no chance / remote | 01–05% |
| Very unlikely / highly improbable | 05–20% |
| Unlikely / improbable | 20–45% |
| Roughly even chance | 45–55% |
| Likely / probable | 55–80% |
| Very likely / highly probable | 80–95% |
| Almost certain / nearly certain | 95–99% |
The estimative scale runs from almost no chance / remote (01–05%) to almost certain / nearly certain (95–99%). Likelihood (event) and analytic confidence (evidence) are distinct axes - never combine them in one sentence (ICD 203).
Analytic Confidence Scale (evidence base)
| Level | Criteria |
|---|---|
| HIGH | Multiple independent, reliable sources; corroborated; no significant contradiction. |
| MODERATE | Partial corroboration; some gaps; minor unresolved inconsistencies. |
| LOW | Single/uncorroborated source; significant gaps; plausible alternatives open. |
Risk-Scoring Key
Likelihood (1–5) × Impact (1–5) = 1–25; 1–5 Low · 6–10 Moderate · 11–15 Elevated · 16–20 High · 21–25 Critical.
Collection OPSEC / Non-Attribution
Managed-attribution posture used (non-.gov egress, no login pivots into private space, footprint minimization - ATP 2-22.9 App B: research “could unintentionally reveal CCIRs”).
Methodological note: Threat level is a structured professional judgment, not a numeric/actuarial product, and is not a prediction. Likelihood (event) and analytic confidence (evidence) are stated separately (ICD 203). Behavioral observations are non-clinical. Practitioner methods (Bazzell) are cited as method, never as governing authority; no live tool names appear in this skeleton.
22. Annexes B+
- Annex B - Network Link Chart: [draw.io relationship diagram; solid = known, dashed = suspected.]
- Annex C - Behavioral Timeline (per actor): [Chronology of grievance, communications, warning behaviors, dated/graded.]
- Annex D - Identifier & Entity Index.
- Annex E - Source Index: [Citations / archived records, capture timestamps.]
- Annex F - Evidence Archive & Chain of Custody: [Preserved records, hashes, timestamps/URLs.]
- Annex G - Glossary & Abbreviations (warning behaviors, pathway stages, NE block terms, model references).
- Annex H - Revision History.
END OF REPORT
This Protective Intelligence Assessment is a behavioral, structured-professional-judgment product prepared from available records, communications, and open sources as of the stated as-of date. It is not a clinical or psychological diagnosis, not an actuarial prediction, not a consumer report (FCRA), and not legal advice. The network-engagement spine is an analytic overlay, not a grant of authority; engagement options are advisory and any “neutralize”-lane action is rendered to a lawful effect with named authority and owner. Threat is dynamic and this assessment must be reassessed on the stated triggers. If imminent danger is indicated, contact law enforcement immediately.
| Field | Value |
|---|---|
| Prepared By | [ANALYST / THREAT MANAGER NAME] |
| Reviewed By | [REVIEWER NAME] |
| Approving Officer | [APPROVER NAME] |
| Date | [YYYY-MM-DD] |
| Version | [X.X] |
Model wiring
Generated from cell frontmatter at publish time.