PROTECTIVE INTELLIGENCE ASSESSMENT

[PRINCIPAL / PROTECTEE] - Threat-Network Picture

The Protective Intelligence Assessment maps and characterizes the network of actors who may pose a threat to a named principal, and renders lawful engagement options per actor. It elevates the single-subject Subject Threat Assessment to network/program altitude: multiple hostile actors, their facilitation/support relationships, the nexus to the principal (including insider-threat bridges), and a Support / Influence / Neutralize-rendered-lawful engagement matrix. It is a behavioral, structured-professional-judgment product framed by USSS/ATAP/WAVR-21/TRAP-18, with the network-engagement spine as the analytic overlay. It is not a clinical/psychological diagnosis, not an actuarial prediction, not a single-subject dossier, and not a protective-operations plan. If indicators of imminent danger are present, escalate to law enforcement immediately.


Document Control

FieldValue
Report Reference[REF-YYYY-###]
Date of Report[YYYY-MM-DD]
Assessment As-Of Date[YYYY-MM-DD]
Principal / Protectee at Risk[Named individual / family / principal at risk]
Threat-Network Scope (actors in scope)[Named/numbered actors and entities assessed in this picture]
Triggering Event / Referral[Communication / incident / pattern that prompted assessment]
Assessment Models Applied[Pathway to violence · Warning behaviors/TRAP-18 · WAVR-21 domains · Hunter/Howler · NE spine]
Qualified Evaluator (if instrument coded)[Name / credential - formal WAVR-21/TRAP-18 coding requires a trained rater]
Program Owner[Who owns the protective-intelligence program / case going forward]
Client[CLIENT NAME]
Prepared By[ANALYST / THREAT MANAGER NAME / ID]
Reviewed By[REVIEWER NAME / ID]
Approving Officer[APPROVER NAME / ID]
Version[1.0]
Distribution[NAMED RECIPIENTS]

Handling: [Classification/TLP]. Named recipients only. No onward dissemination without originator approval.

IMMINENT DANGER: If this assessment surfaces an imminent risk of harm, contact law enforcement / 911 immediately. This product does not substitute for emergency response.

Nature of assessment: This is a behavioral structured-professional-judgment assessment of whether the actors in scope pose a targeted-violence threat to the principal. It is NOT a clinical, psychological, psychiatric, or fitness-for-duty diagnosis, and NOT an actuarial prediction of future violence. It assigns concern and prioritizes management; it does not claim to predict who will or will not act.

Duty to warn / report: Where findings implicate a duty to warn an identifiable potential victim (e.g., Tarasoff-type obligations) or a mandatory-reporting duty, those obligations are triggered independently of this report and must be actioned per counsel and jurisdiction.

Permissible purpose: Conducted for the lawful protective purpose of [PURPOSE]. Not a “consumer report” and not prepared by a “consumer reporting agency” under the FCRA (15 U.S.C. § 1681); not for any FCRA-covered eligibility determination.

Data protection: Personal and behavioral data processed under [GDPR/CCPA/applicable regime]; handle per the client DPA and retention schedule [RETENTION REF]. Privilege: [If applicable] Attorney–Client Privileged / Work Product.

Collection boundary: Collection confined to open/publicly-available information (ATP 2-22.9 1-2); no surveillance of, or pretext contact with, any subject; lawful-open-source only.

Currency: Threat is dynamic. This assessment reflects information as of the as-of date and must be reassessed on the triggers/cadence in §20.

Network Threat Summary

FieldValue
Highest-Concern Actor[Node ID / name]
Network Threat Level[Minimal / Low / Moderate / High / Imminent]
# Threat Nodes / # Nexus Nodes[n threat / n nexus]
Primary Grievance Vector[Nature / shared driver across the threat network]
Insider-Threat Nexus (Y/N)[Y/N - household/staff or trusted node bridging to a threat actor]
Recommended Protective Posture[One line]
Reassessment Trigger[Event/cadence]

Table of Contents

Page numbers populate on export to Word/PDF.

  1. BLUF - Bottom Line Up Front
  2. Executive Summary
  3. Key Judgments
  4. Priority Intelligence Requirements (PIRs)
  5. Threat-Network Frame & Composition
  6. Link Analysis & Association Matrix
  7. SNA / Key-Node Ranking
  8. Critical & Nexus Nodes
  9. Per-Actor Threat Characterization
  10. Critical Factors Analysis (CFA)
  11. Protectee Exposure Surface & Nexus Layer
  12. Requirements & Indicators / Collection Plan
  13. Engagement-Option Matrix (Support / Influence / Neutralize-rendered-lawful)
  14. Threat-Network Risk Register
  15. Verified Findings Summary
  16. Escalation Indicators & Tripwires
  17. Analysis of Competing Hypotheses (ACH)
  18. Key Assumptions Check
  19. Collection Gaps & Intelligence Requirements (RFIs)
  20. Protective-Intelligence Program Recommendations
  21. Annex A - Sources, Methodology & Doctrinal Basis
  22. Annexes B+

1. BLUF - Bottom Line Up Front

2–4 sentences. State the network threat level, the highest-concern actor(s), whether any actor poses (vs. merely makes) a threat to the principal, and the immediate required action (including any law-enforcement referral).

  • Network threat level: [Minimal / Low / Moderate / High / Imminent.]
  • Highest-concern actor(s): [Node ID(s) + one-line basis.]
  • Poses vs. makes a threat: [Which actor(s) pose vs. merely make a threat + one-line basis.]
  • Immediate action: [Protective action / law-enforcement referral / monitoring posture.]

2. Executive Summary

Referral & Triggering Event

What prompted this assessment - the communication, incident, or pattern, and when.

[Narrative.]

Network Overview

The shape of the threat network: how many actors, their relationships and facilitation/support links, and the nexus to the principal. Detailed in §5–§8.

[Narrative.]

Scope & Limitations

What was assessed, sources available, time window, and constraints (no clinical evaluation, no direct subject interview, open-source-only collection, data limitations).

[Narrative.]

Network Threat Bottom Line

The net assessment in narrative form - consistent with §13–§14.

[Narrative.]

3. Key Judgments

Analytic assessments. Likelihood (of approach/escalation/targeted violence by the network or a node) and analytic confidence in SEPARATE columns (never combine them in one sentence - ICD 203). Each judgment names its change indicator.

#JudgmentLikelihoodAnalytic ConfidenceChange Indicator
KJ-1[e.g., likelihood of attempted approach to the principal by Node N-x][almost no chance … almost certain][HIGH/MOD/LOW][ ]
KJ-2[ ][ ][ ][ ]
KJ-3[ ][ ][ ][ ]
KJ-4[ ][ ][ ][ ]

4. Priority Intelligence Requirements (PIRs)

The questions this assessment must answer (PIR → Indicator → SIR → source). Answer, evidence, confidence, residual gap each.

Collection-management spine: PIR → Indicator → SIR → OSINT-first source (Army-current; EEI = Joint synonym).

PIR-1: [e.g., Does any actor in the network have the intent to harm the principal?]

AssessmentSupporting EvidenceAnalytic Confidence
[YES / NO / LIKELY / UNRESOLVED][ ][HIGH/MOD/LOW]

Residual gap: [Carry to §19 if open.]

PIR-2: [e.g., Does any actor have the capability and access to act against the principal?]

AssessmentSupporting EvidenceAnalytic Confidence
[ ][ ][ ]

Residual gap: [ ]

(Repeat - typically: intent · capability · access/opportunity · network coordination/facilitation · insider-threat nexus · pathway progression.)

PIR Summary Matrix

PIRQuestion (brief)AnswerAnalytic Confidence
PIR-1Intent (any node)[ ][H/M/L]
PIR-2Capability[ ][H/M/L]
PIR-3Access / opportunity[ ][H/M/L]
PIR-4Network coordination / insider nexus[ ][H/M/L]

5. Threat-Network Frame & Composition

Block 1 of the network-engagement spine. Inventory every actor as a node; categorize each by position toward the principal, not by structure - friendly / neutral / threat / unknown (ATP 5-0.6 2-2). Never default unknown to neutral (2-8). Allegiance is perishable (2-7).

Node IDActor / EntityNode Type (person/org/place/event/resource)Category (friendly/neutral/threat/unknown)Role in NetworkSource Grade
N-1[ ][ ][ ][ ][A–F / 1–8]
N-2[ ][ ][ ][ ][ ]

Structure & density characterization: [Hierarchical / nonhierarchical / blended; cell structure; density. One line.]

Block 2. “who is doing what to (or for) whom” (ATP 5-0.6 3-29). Multi-mode rule: never link person→person directly - capture the connecting event/place/resource node (3-30). Known = solid, suspected = dashed.

Node ARelationship / ActivityNode B (or connecting event/place/resource)Strength (known/suspected)Source Grade
[ ][ ][ ][Known/Suspected][ ]

Relationship diagram: [draw.io / link-chart reference - solid = known, dashed = suspected. Annex B.]

7. SNA / Key-Node Ranking

Block 3. Quantitative centrality over the link diagram to rank structural importance (JP 3-25 App G: degree / closeness / betweenness / eigenvector). Orders which nodes the engagement lanes target first.

Node IDDegreeClosenessBetweennessEigenvectorDesignation (hub/broker/peripheral/key)
N-1[ ][ ][ ][ ][ ]

Key-node read: [Which nodes are hubs vs brokers vs peripheral; what the ranking implies for prioritization.]

8. Critical & Nexus Nodes

Block 4. Spanners bridging ≥2 networks - “nexus nodes… whose position and linkages provide them the potential to have a significant influence upon at least two of the three basic networks” (ATP 5-0.6, note after Fig 3-10). The household-staff member tied to a threat actor is the insider-threat bridge.

Node IDNetworks BridgedNature (insider-threat risk / influence conduit)Implication for the Protection PlanSource Grade
[ ][friendly↔threat / neutral↔threat][ ][ ][ ]

9. Per-Actor Threat Characterization

For each threat node from §5, run the structured-professional-judgment characterization below (USSS/ATAP/WAVR-21/TRAP-18). These are behaviors, not inferences about thoughts; coding of WAVR-21/TRAP-18 requires a trained rater. Repeat the full block per threat actor.

Actor [N-x]: [Name / designation]

Actor–Principal Nexus

The relationship between this actor and the principal and the grievance that drives the threat. Targeted violence is grievance-driven and target-specific - establish the “why this target.”

ElementFindingSource Grade
Relationship to principal[Former employee / intimate / litigant / stranger-fixated / ideological][A–F/1–8]
Grievance (nature & origin)[ ][ ]
Fixation / preoccupation[Intensity, duration, escalation][ ]
Identification (warrior mentality, role models, prior attackers)[ ][ ]
Contact / communication history with principal[Frequency, tone, escalation][ ]
Prior protective/legal actions (TRO, trespass, prior reports)[ ][ ]

Nexus assessment: [Why this actor is focused on the principal; trajectory of the focus.]

Behavioral Warning Indicators

Coded against the eight proximal warning behaviors (Meloy / TRAP-18). For each: present / absent / unknown, with observed evidence and source grade. These are behaviors, not inferences about thoughts.

Warning BehaviorStatusObserved EvidenceSource Grade
Pathway (research, planning, preparation, attack-related behavior)[Present/Absent/Unknown][ ][A–F/1–8]
Fixation (increasing preoccupation with person/cause)[ ][ ][ ]
Identification (warrior/pseudo-commando, weapons affinity, prior-attacker emulation)[ ][ ][ ]
Novel aggression (unrelated act of violence to test capacity)[ ][ ][ ]
Energy burst (increase in activity related to the target)[ ][ ][ ]
Leakage (communication to a third party of intent to harm)[ ][ ][ ]
Last resort (violent action/time imperative; “no other option”)[ ][ ][ ]
Directly communicated threat[ ][ ][ ]

Warning-behavior summary: [Which are present, clustering, recency, and acceleration.]

Pathway-to-Violence

Locate the actor on the pathway. Targeted violence is typically the culmination of a progression, not an impulsive reaction. Identify the furthest stage with behavioral evidence and the direction/velocity of movement.

StageBehavioral EvidenceObserved?Source Grade
1. Grievance[ ][Y/N/Unk][ ]
2. Ideation (violence as a solution)[ ][ ][ ]
3. Research / planning (target, methods, surveillance)[ ][ ][ ]
4. Preparation (acquisition, rehearsal, logistics)[ ][ ][ ]
5. Breach / probing (approach, security testing)[ ][ ][ ]
6. Attack[ ][ ][ ]

Pathway assessment: [Furthest stage evidenced; movement direction and velocity; any stage-skipping.]

Capability, Access & Opportunity

Means, skills, and the access/opportunity to reach the principal. Intent without capability/access is a different problem than intent with both.

FactorFindingAnalytic Confidence
Weapons access / acquisition[ ][H/M/L]
Relevant skills / training (military, tactical)[ ][ ]
Physical proximity / access to principal[ ][ ]
Knowledge of principal patterns/locations[ ][ ]
Opportunity (upcoming events, exposure windows)[ ][ ]

Intent, Motivation & Grievance

Characterize intent and motivation. Distinguish instrumental (goal-directed) from expressive (emotional venting) intent - central to the hunter/howler determination.

ElementFindingAnalytic Confidence
Stated intent (explicit/implicit)[ ][H/M/L]
Instrumental vs. expressive[ ][ ]
Motivation / driver (revenge, ideology, intimacy, notoriety, despair)[ ][ ]
Last-resort / desperation indicators[ ][ ]
Suicidality / murder-suicide indicators[ ][ ]

Threat Classification & Level Determination

Render the structured-professional-judgment determination for this actor: poses vs. makes a threat; hunter vs. howler; and the assigned threat level - with explicit rationale tying back to warning behaviors, pathway stage, capability/access, intent, and stabilizers. This is a judgment, not a number.

DeterminationFindingBasis
Poses vs. makes a threat[ ][ ]
Hunter / Howler[ ][ ]
Threat level[Minimal / Low / Moderate / High / Imminent][ ]

Determination rationale: [Narrative SPJ argument. Reference the discriminating indicators. State likelihood and analytic confidence separately.]

(Repeat §9 per threat node identified in §5.)

10. Critical Factors Analysis (CFA)

Block 6 - the engagement-point engine. Per threat node, decompose the actor’s objective into Critical Capabilities → Critical Requirements → Specific Activities → Critical Vulnerabilities → recommended (lawful) action. “The critical factors are the CCs, critical requirements (CRs), and CVs.” (JP 3-25 Ch IV.) The CV column is where lawful engagement attaches.

NodeObjectiveCritical Capability (CC)Critical Requirement (CR)Specific ActivityCritical Vulnerability (CV)Recommended Lawful Action (→ §13)
[ ][ ][ ][ ][ ][ ][ ]

11. Protectee Exposure Surface & Nexus Layer

Ties the threat network to the principal. Inventory the principal’s exposure (residence, routine, travel, digital footprint, household/staff access) and the nexus nodes (§8) that bridge the threat network to that exposure - especially the insider-threat bridge.

Exposure SurfaceDescriptionLinked Threat Node(s)Nexus Node (if any)Residual Exposure
[Residence / routine / travel / digital / staff-access][ ][ ][ ][ ]

Environment lens - OAKOC of the fixed-exposure points

The environment_framework: [oakoc] lens applied to the principal’s predictable, fixed-location exposure (residence, regular venues, habitual routes) - the terrain a threat node would exploit to observe, approach, or act. Open-source terrain analysis only; no surveillance of the principal. (OAKOC: observation and fields of fire, avenues of approach, key terrain, obstacles, cover and concealment - ATP 2-01.3 3-17; legacy synonym OCOKA.)

Fixed-exposure pointObservation & fields of fireAvenue(s) of approachKey terrain / chokepointObstaclesCover & concealmentLinked threat node(s)
[Residence / venue / habitual route][ ][ ][ ][ ][ ][ ]

12. Requirements & Indicators / Collection Plan

Block 7. Each CR/CV from §10 decomposes to observable indicators → PIR → Indicator → SIR → OSINT-first source. “open source information provides most of what is known about friendly and neutral networks” (ATP 5-0.6 2-6). The collection sub-matrix follows the ATP 2-22.9 4-step sequence (3-3); only open/publicly-available techniques are used - technical/human/clandestine acquisition is not assigned to OSINT (3-3).

Indicator derivation (off the CFA CR/CV rows):

CR / CV (from §10)Observable IndicatorPIRSIR (specific information requirement)Open Source / Discipline
[ ][ ][ ][ ][ ]

Collection Plan (ATP 2-22.9 3-3):

Requirement (PIR)Requirement TypeOpen Source IdentifiedCollection TechniqueStatus
[ ][ ][ ][open/publicly-available only][ ]

Standing caveat: collection confined to open/publicly-available techniques (ATP 2-22.9 1-2/3-3). No technical, human-source, or clandestine acquisition. A Chatham-House-Rule invocation reclassifies an open source to confidential - stop collection.

13. Engagement-Option Matrix (Support / Influence / Neutralize-rendered-lawful)

Block 8 - the Action Framework (ATP 5-0.6 1-5). Per actor, select the lane: Support (friendly nodes), Influence (any category, short of confrontation), or Neutralize (lawful) - which is mandatorily rendered through the lawful-effects translation below and never appears as an action verb. Each lawful effect carries a named legal authority and an owner. Doctrine prefers the judicial over the kinetic effect (ATP 5-0.6 3-49).

Lawful-Effects Translation (the “Neutralize-rendered-lawful” lane resolves to ≥1 of these)

Lawful effectWhat it isDoctrinal hook
Deterrence / target-hardeningVisible posture, route/venue hardening, access control”isolate the threat networks from the population” (ATP 5-0.6 1-18)
Legal processCivil injunction, restraining/protective order, TRO, cease-and-desistjudicial-apparatus preference (3-49)
Law-enforcement referralPackage evidence (link diagram + activity timeline) to police/FBI/prosecutorreduce threat-leadership influence via state apparatus (3-49)
Relationship management / lawful co-optingEngagement of neutral/threat nodes short of confrontation”develop means to co-opt” (3-11)
Threat de-escalationBehavioral-threat-management interventioninfluence to “change… behavior” (1-13)
IsolationSever the threat node’s access to the principal”severing the links between networks and its smaller cells” (2-16)

Per-Actor Engagement Plan

NodeCategoryLane (Support / Influence / Neutralize-rendered-lawful)Selected Lawful Effect(s)Named Legal AuthorityOwnerDesired Effect / Measure
[ ][ ][ ][from the table above][statute / order / referral basis][ ][ ]

Rule: the word “neutralize” is the lane name only; every Neutralize selection is rendered to ≥1 lawful effect above (the translation) with a named authority and owner. Support and Influence are already lawful.

14. Threat-Network Risk Register

Per-node risk to the principal, scored Likelihood (1–5) × Impact (1–5) = 1–25. Keys: 1–5 Low · 6–10 Moderate · 11–15 Elevated · 16–20 High · 21–25 Critical. (Distinct from the SPJ threat level in §9 - this orders nodes for the protection plan, matching the network risk-score table.)

NodeThreat ScenarioLikelihood (1–5)Impact (1–5)ScoreBandPriority
[ ][ ][ ][ ][ ][ ][ ]

15. Verified Findings Summary

#FindingStatusAnalytic ConfidenceMateriality
F-1[ ][Verified / Unverified / Contradicted][H/M/L][Material / Minor]

16. Escalation Indicators & Tripwires

The specific, observable behaviors that would indicate escalation and trigger re-assessment or protective action. Pre-defining tripwires is core to threat management.

Tripwire (observable)IndicatesRequired Response
[e.g., acquisition of a weapon by a threat node][Capability escalation][Immediate reassessment / LE referral]
[e.g., approach to principal location][Breach/probing][ ]

17. Analysis of Competing Hypotheses (ACH)

Test the alternatives at network altitude - a genuine coordinated threat network, several unconnected individuals each making (not posing) a threat, or a misattributed/wrong actor. The favored judgment is the one with the least disconfirming evidence.

Hypothesis 1: [A genuine, coordinated threat network targets the principal]

  • Evidence for / against: [ ] / [ ]
  • Assessment: [ ]

Hypothesis 2: [Unconnected individuals, expressive/howler, low coordination and low approach risk]

  • Evidence for / against: [ ] / [ ]
  • Assessment: [ ]

Hypothesis 3: [Misattribution / wrong actor / over-linked network]

  • Evidence for / against: [ ] / [ ]
  • Assessment: [ ]

Most consistent hypothesis: [Which, and the discriminating evidence.]

18. Key Assumptions Check

#AssumptionBasisAnalytic ConfidenceImpact if Wrong
A-1[ ][ ][H/M/L][ ]
A-2[ ][ ][ ][ ]

19. Collection Gaps & Intelligence Requirements (RFIs)

Gap / RFIImpact on AssessmentRecommended Collection / Routed ProductPriority
[ ][ ][Method / e.g., ”→ continuous monitoring”][HIGH/MED/LOW]

20. Protective-Intelligence Program Recommendations

Assessment without management is incomplete. Provide concrete management options per node, protective measures tied to §13, legal/LE options, and - critically - actions to AVOID that could escalate. Define reassessment triggers and cadence and name the program owner.

Overall posture across the network: monitor / actively manage / disrupt / refer. Rationale.

[Narrative.]

Protective & Mitigation Measures (per node - tie to §13)

NodeMeasureLawful Effect (→ §13)OwnerPriority
[ ][Protective-detail adjustment / access control / route change][ ][ ][H/M/L]
[ ][Monitoring of node indicators][ ][ ][ ]
[ ][Legal action - TRO / trespass / cease-contact][ ][ ][ ]
[ ][Law-enforcement referral / coordination][ ][ ][ ]

Actions to AVOID (de-escalation discipline)

Steps that could provoke, accelerate, or validate any node (e.g., aggressive confrontation, public exposure, abrupt cutoff in intimacy cases). Threat management can make things worse if mishandled.

[Narrative.]

Reassessment Triggers & Cadence

When this assessment must be revisited (tripwires from §16) and the routine review interval. Name the program owner.

[Narrative. Program owner: [NAME].]

21. Annex A - Sources, Methodology & Doctrinal Basis

Methodology by Phase (ATP 2-22.9 intelligence process, para 1-9)

Plan (requirements) → Prepare (managed-attribution setup / compliance) → Collect (open-source media + technique) → Produce (evaluate / process / report). State what was done in each phase.

Doctrinal Basis & Method

Governing authority and imported constructs, with FULL/PARTIAL/GAP transparency. Anchors resolve through docs/reference/doctrine/INDEX.md.

  • Governing authority (PARTIAL band): USSS Fein-Vossekuil / ATAP / WAVR-21 / TRAP-18 behavioral threat assessment - the behavioral core (pathway-to-violence, fixation, leakage) that military doctrine does not govern.
  • Analytic overlay (method, not authority): the network-engagement spine - Network Frame (ATP 5-0.6 2-13), Link Analysis (3-29), SNA (JP 3-25 App G), Nexus nodes (3-50), CFA (JP 3-25 Ch IV), Action Framework (1-5) rendered through the lawful-effects translation.
  • Analytic floor: ICD 203 (likelihood/confidence separated), ICD 206 (sourcing), NATO Admiralty A–F reliability.
  • Authority boundary: collection confined to lawful open/publicly-available sources (ATP 2-22.9 1-2); military collection authorities do not transfer.

Source Register

RefSourceSource Role (Primary/Secondary/Authoritative/Non-auth.)TypeReliability (A–F)Credibility (1–8)Date
S-1[ ][ ][ ][ ][ ][ ]

Source Evaluation Worksheet (ATP 2-22.9 4-13)

SourceIdentityAuthorityMotiveAccessTimelinessConsistency→ Reliability/Credibility
[ ][ ][ ][ ][ ][ ][ ][ ]

Source Reliability Scale (Admiralty, A–F)

GradeMeaning
ACompletely reliable
BUsually reliable
CFairly reliable
DNot usually reliable
EUnreliable
FReliability cannot be judged

Grades run A Completely reliable through F Reliability cannot be judged; new sources default to F.

Information Credibility Scale - OSINT 8-band (ATP 2-22.9, Table 2-2)

GradeMeaning
1Confirmed by other sources
2Probably true
3Possibly true
4Doubtful
5Improbable
6Misinformation (unintentionally false)
7Deception (deliberately false)
8Credibility cannot be judged

New sources default to F/8. Bands 1–5 carry the Admiralty wording; 6–8 are the ATP 2-22.9 additions grading mis-/dis-information distinctly.

Estimative Probability (Likelihood) Lexicon - ICD 203

TermRange
Almost no chance / remote01–05%
Very unlikely / highly improbable05–20%
Unlikely / improbable20–45%
Roughly even chance45–55%
Likely / probable55–80%
Very likely / highly probable80–95%
Almost certain / nearly certain95–99%

The estimative scale runs from almost no chance / remote (01–05%) to almost certain / nearly certain (95–99%). Likelihood (event) and analytic confidence (evidence) are distinct axes - never combine them in one sentence (ICD 203).

Analytic Confidence Scale (evidence base)

LevelCriteria
HIGHMultiple independent, reliable sources; corroborated; no significant contradiction.
MODERATEPartial corroboration; some gaps; minor unresolved inconsistencies.
LOWSingle/uncorroborated source; significant gaps; plausible alternatives open.

Risk-Scoring Key

Likelihood (1–5) × Impact (1–5) = 1–25; 1–5 Low · 6–10 Moderate · 11–15 Elevated · 16–20 High · 21–25 Critical.

Collection OPSEC / Non-Attribution

Managed-attribution posture used (non-.gov egress, no login pivots into private space, footprint minimization - ATP 2-22.9 App B: research “could unintentionally reveal CCIRs”).

Methodological note: Threat level is a structured professional judgment, not a numeric/actuarial product, and is not a prediction. Likelihood (event) and analytic confidence (evidence) are stated separately (ICD 203). Behavioral observations are non-clinical. Practitioner methods (Bazzell) are cited as method, never as governing authority; no live tool names appear in this skeleton.

22. Annexes B+

  • Annex B - Network Link Chart: [draw.io relationship diagram; solid = known, dashed = suspected.]
  • Annex C - Behavioral Timeline (per actor): [Chronology of grievance, communications, warning behaviors, dated/graded.]
  • Annex D - Identifier & Entity Index.
  • Annex E - Source Index: [Citations / archived records, capture timestamps.]
  • Annex F - Evidence Archive & Chain of Custody: [Preserved records, hashes, timestamps/URLs.]
  • Annex G - Glossary & Abbreviations (warning behaviors, pathway stages, NE block terms, model references).
  • Annex H - Revision History.

END OF REPORT

This Protective Intelligence Assessment is a behavioral, structured-professional-judgment product prepared from available records, communications, and open sources as of the stated as-of date. It is not a clinical or psychological diagnosis, not an actuarial prediction, not a consumer report (FCRA), and not legal advice. The network-engagement spine is an analytic overlay, not a grant of authority; engagement options are advisory and any “neutralize”-lane action is rendered to a lawful effect with named authority and owner. Threat is dynamic and this assessment must be reassessed on the stated triggers. If imminent danger is indicated, contact law enforcement immediately.

FieldValue
Prepared By[ANALYST / THREAT MANAGER NAME]
Reviewed By[REVIEWER NAME]
Approving Officer[APPROVER NAME]
Date[YYYY-MM-DD]
Version[X.X]

Model wiring

Generated from cell frontmatter at publish time.