THREAT CASE ASSESSMENT & MANAGEMENT (TAM)

[CASE REFERENCE / PRINCIPAL] - Ongoing Threat-Management Case File

The Threat Case Assessment & Management (TAM) product is the living case-management framework for an ongoing threat situation involving a named principal. It consolidates all threat-actor intelligence, management actions, risk evolution, stakeholder coordination, and forward planning into a single authoritative case file. It is the operational-management layer that consumes and acts upon the Protective Intelligence Assessment (PIA - the deep-dive threat-network characterization) and the Hostile Surveillance Vulnerability Assessment (HSVA - the physical-venue/route vulnerability picture).

This product does NOT:

  • Re-perform the initial threat-network characterization (Protective Intelligence Assessment, the behavioral SPJ network product).
  • Assess physical-surveillance vulnerabilities at specific venues, routes, or residences (Hostile Surveillance Vulnerability Assessment).
  • Conduct a single-subject threat assessment on an individual actor in isolation (Subject Threat Assessment).
  • Provide clinical/psychological diagnosis, actuarial prediction, or legal advice.
  • Substitute for an emergency response - if indicators of imminent danger are present, escalate to law enforcement immediately.

The TAM is a dynamic document updated on a defined cadence and on trigger events. It is the program owner’s primary tool for tracking case status, management effectiveness, and risk evolution over time.


Document Control

FieldValue
Report Reference[REF-YYYY-###]
Date of Current Version[YYYY-MM-DD]
Case Opened[YYYY-MM-DD]
Principal / Protectee[Named individual / family / principal]
Case Owner / Threat Manager[Name / role]
Case Status[Active / Monitoring / Closed - with date of status]
Governing Assessment(s) Consumed[PIA ref / HSVA ref / other assessments informing this case]
Client[CLIENT NAME]
Prepared By[ANALYST / THREAT MANAGER NAME / ID]
Reviewed By[REVIEWER NAME / ID]
Approving Officer[APPROVER NAME / ID]
Version[X.X]
Next Scheduled Review[YYYY-MM-DD]
Distribution[NAMED RECIPIENTS]

Handling: [Classification/TLP]. Named recipients only. No onward dissemination without originator approval.

IMMINENT DANGER: If this case file surfaces an imminent risk of harm, contact law enforcement / 911 immediately. This product does not substitute for emergency response.

Nature of this product: This is a case-management framework for an ongoing threat situation. It consolidates intelligence, management actions, and risk assessments into a single living document. It is not a clinical, psychological, psychiatric, or fitness-for-duty diagnosis, and not an actuarial prediction of future violence. It assigns concern, prioritizes management, and tracks risk evolution; it does not claim to predict who will or will not act.

Duty to warn / report: Where findings implicate a duty to warn an identifiable potential victim (e.g., Tarasoff-type obligations) or a mandatory-reporting duty, those obligations are triggered independently of this report and must be actioned per counsel and jurisdiction.

Permissible purpose: Conducted for the lawful protective purpose of [PURPOSE]. Not a “consumer report” and not prepared by a “consumer reporting agency” under the FCRA (15 U.S.C. § 1681); not for any FCRA-covered eligibility determination.

Data protection: Personal and behavioral data processed under [GDPR/CCPA/applicable regime]; handle per the client DPA and retention schedule [RETENTION REF]. Privilege: [If applicable] Attorney–Client Privileged / Work Product.

Collection boundary: Collection confined to open/publicly-available information (ATP 2-22.9 1-2); no surveillance of, or pretext contact with, any subject; lawful-open-source only.

Currency: Threat is dynamic. This case file reflects information as of the current-version date and must be reassessed on the triggers/cadence defined in §16.

Case Snapshot

FieldValue
Case Status[Active / Monitoring / Closed]
Current Case Risk Level[Minimal / Low / Moderate / High / Imminent]
# Active Threat Nodes[n]
# Nodes in Active Management[n]
Primary Grievance Vector[Nature / shared driver across the threat network]
Insider-Threat Nexus (Y/N)[Y/N]
Days Since Last Significant Event[n]
Next Scheduled Review[YYYY-MM-DD]

Table of Contents

Page numbers populate on export to Word/PDF.

  1. BLUF - Bottom Line Up Front
  2. Executive Summary
  3. Key Judgments
  4. Priority Intelligence Requirements (PIRs)
  5. Case Overview & Chronology
  6. Threat-Actor Register (Active & Monitored Nodes)
  7. Management-Action Log
  8. Management-Effectiveness Assessment
  9. Dynamic Risk Register
  10. Escalation / De-Escalation Criteria & Tripwires
  11. Stakeholder Coordination & Communication Plan
  12. Resource Requirements & LOE
  13. Verified Findings Summary
  14. Analysis of Competing Hypotheses (ACH)
  15. Key Assumptions Check
  16. Collection Gaps & Intelligence Requirements (RFIs)
  17. Case-Forward Plan & Recommendations
  18. Annex A - Sources, Methodology & Doctrinal Basis
  19. Annexes B+

1. BLUF - Bottom Line Up Front

2–4 sentences. State the current case risk level, the highest-concern actor(s), the most significant change since the last version, and the immediate required action (including any law-enforcement referral or protective-measure adjustment).

  • Current case risk level: [Minimal / Low / Moderate / High / Imminent.]
  • Highest-concern actor(s): [Node ID(s) + one-line basis.]
  • Most significant change since last version: [New actor / escalation / management-action outcome / tripwire triggered.]
  • Immediate action: [Protective action / law-enforcement referral / management-action adjustment / monitoring posture.]

2. Executive Summary

Case Origin & Triggering Event

What prompted the case to be opened - the communication, incident, or pattern, and when. Detail field observations arrive as EP-027 field contact / suspicious activity reports (the ART-field-contact-report seam); cite the originating report reference(s) and the intake disposition (new case / merged / watchlisted). Reference the governing Protective Intelligence Assessment if one exists.

[Narrative.]

Current Case Status

The shape of the case at this version: how many active threat nodes, management posture, risk trajectory (stable / escalating / de-escalating), and any significant events since the last version.

[Narrative.]

Scope & Limitations

What this version covers, sources available, time window, and constraints (no clinical evaluation, no direct subject interview, open-source-only collection, data limitations).

[Narrative.]

Case Risk Bottom Line

The net assessment in narrative form - consistent with §9.

[Narrative.]

3. Key Judgments

Analytic assessments about the case trajectory, actor behavior, and management effectiveness. Likelihood (of escalation/approach/targeted violence) and analytic confidence in SEPARATE columns (never combine them in one sentence - ICD 203). Each judgment names its change indicator.

#JudgmentLikelihoodAnalytic ConfidenceChange Indicator
KJ-1[e.g., likelihood of escalation by Node N-x within the next 90 days][almost no chance … almost certain][HIGH/MOD/LOW][ ]
KJ-2[e.g., effectiveness of current management actions in reducing approach risk][ ][ ][ ]
KJ-3[ ][ ][ ][ ]
KJ-4[ ][ ][ ][ ]

4. Priority Intelligence Requirements (PIRs)

The questions this case must answer to drive management decisions (PIR → Indicator → SIR → source). Answer, evidence, confidence, residual gap each. PIRs evolve as the case progresses.

Collection-management spine: PIR → Indicator → SIR → OSINT-first source (Army-current; EEI = Joint synonym).

PIR-1: [e.g., Has any threat node escalated along the pathway to violence since the last assessment?]

AssessmentSupporting EvidenceAnalytic Confidence
[YES / NO / LIKELY / UNRESOLVED][ ][HIGH/MOD/LOW]

Residual gap: [Carry to §16 if open.]

PIR-2: [e.g., Are current management actions having a measurable effect on any node’s behavior?]

AssessmentSupporting EvidenceAnalytic Confidence
[ ][ ][ ]

Residual gap: [ ]

PIR-3: [e.g., Has any new actor entered the threat network or has any existing node changed its relationship to the principal?]

AssessmentSupporting EvidenceAnalytic Confidence
[ ][ ][ ]

Residual gap: [ ]

(Repeat as needed - typically: escalation indicators · management effectiveness · network change · insider-threat evolution · opportunity/access windows.)

PIR Summary Matrix

PIRQuestion (brief)AnswerAnalytic Confidence
PIR-1[ ][ ][H/M/L]
PIR-2[ ][ ][H/M/L]
PIR-3[ ][ ][H/M/L]
PIR-4[ ][ ][H/M/L]

5. Case Overview & Chronology

Case Origin

How and when the case was opened. Referral source, triggering event, initial risk level.

[Narrative.]

Significant Events Timeline

All significant events in the case - threat-actor communications, approaches, management actions, legal steps, law-enforcement contacts, protective-measure changes. Dated and graded by source.

DateEvent TypeDescriptionActor(s) InvolvedManagement ResponseSource Grade
[YYYY-MM-DD][Communication / approach / legal action / LE contact / protective measure change / reassessment][ ][Node ID(s)][ ][A–F / 1–8]
[ ][ ][ ][ ][ ][ ]

Case Status History

Track the case risk level over time to show trajectory.

PeriodCase Risk LevelKey DriverManagement Posture
[YYYY-MM-DD – YYYY-MM-DD][Minimal / Low / Moderate / High / Imminent][ ][Monitor / Active management / Disruption / LE referral]
[ ][ ][ ][ ]

6. Threat-Actor Register (Active & Monitored Nodes)

Inventory every actor in the case, categorized by current management status. Drawn from the governing Protective Intelligence Assessment and updated with new intelligence. Each node’s characterization is maintained as a living entry.

Active Management Nodes (nodes under active management/intervention)

Node IDActor / EntityRelationship to PrincipalGrievance / DriverCurrent Pathway StageCurrent Threat LevelManagement Lane (§7)Last Updated
N-1[ ][ ][ ][ ][Minimal/Low/Moderate/High/Imminent][ ][YYYY-MM-DD]
N-2[ ][ ][ ][ ][ ][ ][ ]

Monitored Nodes (nodes under observation, no active intervention)

Node IDActor / EntityRelationship to PrincipalGrievance / DriverCurrent Pathway StageCurrent Threat LevelMonitoring CadenceLast Updated
N-3[ ][ ][ ][ ][Minimal/Low/Moderate/High/Imminent][ ][YYYY-MM-DD]
N-4[ ][ ][ ][ ][ ][ ][ ]

Inactive / Closed Nodes (nodes no longer assessed as posing a threat)

Node IDActor / EntityReason for ClosureDate ClosedReopening Criteria
N-5[ ][ ][YYYY-MM-DD][ ]

7. Management-Action Log

Complete record of every management action taken in the case, with dates, rationale, legal authority, and outcome. This is the case’s institutional memory.

Action IDDateNode(s) TargetedAction TypeLawful Effect (→ §13 of governing PIA)Legal AuthorityOwnerOutcome / EffectivenessNext Step
A-1[YYYY-MM-DD][N-x][Protective-detail adjustment / access control / route change / legal process / LE referral / relationship management / threat de-escalation / isolation / monitoring escalation][Deterrence/hardening / legal process / LE referral / relationship management / de-escalation / isolation][Statute / order / referral basis][ ][Effective / partially effective / ineffective / pending / escalated][ ]
A-2[ ][ ][ ][ ][ ][ ][ ][ ]

Pending Actions

Action IDPlanned ActionNode(s) TargetedTarget DateOwnerStatus
A-3[ ][ ][YYYY-MM-DD][ ][Not started / in progress / delayed]

8. Management-Effectiveness Assessment

Assess whether the current management strategy is working. Per node and overall. This is the case’s feedback loop - if actions are not reducing risk, the strategy must change.

Per-Node Effectiveness

Node IDCurrent Management LaneActions Taken (Action IDs)Observed Behavioral ChangeEffectiveness RatingBasis for Rating
[N-x][ ][A-1, A-2][De-escalation / no change / escalation / unknown][Effective / Partially effective / Ineffective / Cannot assess][ ]
[ ][ ][ ][ ][ ][ ]

Overall Case-Management Effectiveness

Net assessment: is the overall management strategy reducing risk to the principal? What is working, what is not, and what needs to change?

[Narrative.]

9. Dynamic Risk Register

Per-node risk to the principal at the current version, scored Likelihood (1–5) × Impact (1–5) = 1–25. Keys: 1–5 Low · 6–10 Moderate · 11–15 Elevated · 16–20 High · 21–25 Critical. Track risk score changes across versions to show trajectory.

Node IDThreat ScenarioLikelihood (1–5)Impact (1–5)ScoreBandPrevious ScoreTrendPriority
[N-x][ ][ ][ ][ ][ ][ ][Stable / Escalating / De-escalating / New][H/M/L]
[ ][ ][ ][ ][ ][ ][ ][ ][ ]

Risk Heat Map (Consolidated)

Aggregate view of all node risks. Narrative summary of the risk landscape.

[Narrative.]

10. Escalation / De-Escalation Criteria & Tripwires

The specific, observable behaviors or events that would trigger escalation of management posture, de-escalation, or case closure. Pre-defining these is core to disciplined case management.

Escalation Tripwires (trigger increased management posture)

Tripwire (observable)IndicatesRequired ResponseResponsible Party
[e.g., acquisition of a weapon by a threat node][Capability escalation][Immediate reassessment / LE referral / protective-measure escalation][ ]
[e.g., approach to principal location][Breach/probing][ ][ ]
[e.g., new communication with violent content][Intent escalation][ ][ ]
[e.g., threat node’s pathway stage advances][Progression toward attack][ ][ ]

De-Escalation Criteria (trigger reduced management posture)

Criterion (observable)IndicatesRequired ResponseResponsible Party
[e.g., sustained period of no threat-related activity by node][Risk reduction][Reassess threat level; consider downgrade to monitoring][ ]
[e.g., successful legal remedy (TRO/restraining order in effect)][Legal barrier in place][ ][ ]
[e.g., node’s stated grievance resolved or withdrawn][Driver removed][ ][ ]

Case-Closure Criteria

Conditions under which the case may be closed. Closure is a deliberate decision, not a default.

CriterionMet? (Y/N/Partial)Evidence
[All threat nodes assessed as no longer posing a threat][ ][ ]
[No threat-related activity for [n] months][ ][ ]
[Principal no longer at risk (e.g., relocation, role change)][ ][ ]
[Client has accepted residual risk in writing][ ][ ]

11. Stakeholder Coordination & Communication Plan

Who needs to know what, when, and how. Defines the communication architecture for the case.

Stakeholder Register

StakeholderRole in CaseInformation NeedCommunication CadencePoint of Contact
[Client / principal][Decision-maker / protectee][Case status, risk level, significant events][Immediate for escalation; weekly summary; full report per version][ ]
[Protective detail / security team][Physical protection][Threat-actor descriptions, indicators, management actions][ ][ ]
[Law enforcement liaison][Legal/LE response][Criminal activity, TRO violations, imminent threats][ ][ ]
[Legal counsel][Legal advice, privilege][Legal actions, duty-to-warn obligations][ ][ ]
[Household / staff (if applicable)][Insider-threat awareness][Relevant indicators, security protocols][ ][ ]

Communication Protocols

ScenarioCommunication ChannelRecipientsTimeliness
[Imminent threat / emergency][Phone / secure messaging / in-person][ ][Immediate]
[Tripwire triggered][ ][ ][Within [n] hours]
[Routine status update][ ][ ][Per cadence]
[New version of this case file][ ][ ][Per version]

12. Resource Requirements & LOE

What resources are required to manage this case at the current posture. Updated per version.

Resource CategoryCurrent AllocationRequired AllocationGapPriority
[Analyst / threat-manager hours per week][n hrs/wk][n hrs/wk][ ][H/M/L]
[Open-source monitoring / collection][ ][ ][ ][ ]
[Legal / LE coordination][ ][ ][ ][ ]
[Protective-detail augmentation][ ][ ][ ][ ]
[Technical surveillance / security upgrades][ ][ ][ ][ ]
[External specialist consultation][ ][ ][ ][ ]

13. Verified Findings Summary

#FindingStatusAnalytic ConfidenceMateriality
F-1[ ][Verified / Unverified / Contradicted][H/M/L][Material / Minor]
F-2[ ][ ][ ][ ]

14. Analysis of Competing Hypotheses (ACH)

Test the alternatives at case altitude - whether the current management strategy is appropriate, whether the threat is being over- or under-estimated, and whether a different case theory would change management posture. The favored judgment is the one with the least disconfirming evidence.

Hypothesis 1: [Current case theory and management strategy are correct - the identified nodes pose the assessed threat and the management actions are appropriate]

  • Evidence for / against: [ ] / [ ]
  • Assessment: [ ]

Hypothesis 2: [The threat is being over-estimated - some or all nodes are howlers/expressive only, and the current management posture is disproportionate to the actual risk]

  • Evidence for / against: [ ] / [ ]
  • Assessment: [ ]

Hypothesis 3: [The threat is being under-estimated - there are unidentified nodes, or the assessed nodes are further along the pathway than current intelligence indicates]

  • Evidence for / against: [ ] / [ ]
  • Assessment: [ ]

Hypothesis 4: [The current management actions are counterproductive - they are escalating rather than de-escalating one or more nodes]

  • Evidence for / against: [ ] / [ ]
  • Assessment: [ ]

Most consistent hypothesis: [Which, and the discriminating evidence. If the favored hypothesis has changed since the last version, state the shift and why.]

15. Key Assumptions Check

#AssumptionBasisAnalytic ConfidenceImpact if Wrong
A-1[ ][ ][H/M/L][ ]
A-2[ ][ ][ ][ ]
A-3[ ][ ][ ][ ]

16. Collection Gaps & Intelligence Requirements (RFIs)

Gap / RFIImpact on Case ManagementRecommended Collection / Routed ProductPriority
[ ][ ][Method / e.g., ”→ continuous monitoring”][HIGH/MED/LOW]
[ ][ ][ ][ ]

17. Case-Forward Plan & Recommendations

Assessment without management is incomplete. Provide the forward plan for the case: management actions to take, actions to avoid, reassessment triggers and cadence, and case-closure pathway if applicable.

Overall posture for the coming period: maintain current posture / escalate management / de-escalate / prepare for closure. Rationale.

[Narrative.]

Specific Management Actions (Next Period)

Action IDPlanned ActionNode(s) TargetedLawful EffectOwnerTarget DatePriority
[ ][ ][ ][ ][ ][YYYY-MM-DD][H/M/L]
[ ][ ][ ][ ][ ][ ][ ]

Actions to AVOID (de-escalation discipline)

Steps that could provoke, accelerate, or validate any node (e.g., aggressive confrontation, public exposure, abrupt cutoff in intimacy cases). Threat management can make things worse if mishandled.

[Narrative.]

Reassessment Triggers & Cadence

When this case file must be updated (tripwires from §10) and the routine review interval. Name the case owner.

Trigger / CadenceActionResponsible Party
[Routine review][Full case-file update][Case owner]
[Tripwire triggered (§10)][Immediate reassessment and case-file update][Case owner]
[New intelligence on any node][Update node entry and risk score][Analyst]
[Management action outcome known][Update management-action log and effectiveness assessment][Case owner]

Case-Closure Pathway (if applicable)

If the case is approaching closure, define the remaining steps, criteria, and timeline.

[Narrative. Case owner: [NAME].]


18. Annex A - Sources, Methodology & Doctrinal Basis

Methodology by Phase (ATP 2-22.9 intelligence process, para 1-9)

Plan (requirements) → Prepare (managed-attribution setup / compliance) → Collect (open-source media + technique) → Produce (evaluate / process / report). State what was done in each phase.

Doctrinal Basis & Method

Governing authority and imported constructs, with FULL/PARTIAL/GAP transparency. Anchors resolve through docs/reference/doctrine/INDEX.md.

  • Governing authority (PARTIAL band): USSS Fein-Vossekuil / ATAP / WAVR-21 / TRAP-18 behavioral threat assessment - the behavioral core (pathway-to-violence, fixation, leakage) that military doctrine does not govern.
  • Case-management framework: Derived from protective-intelligence program management standards (ATAP / ASIS PI.1 / OSAC best practices) for ongoing threat-case documentation, risk tracking, and management-action accountability.
  • Analytic overlay (method, not authority): the network-engagement spine - Network Frame (ATP 5-0.6 2-13), Link Analysis (3-29), SNA (JP 3-25 App G), Nexus nodes (3-50), CFA (JP 3-25 Ch IV), Action Framework (1-5) rendered through the lawful-effects translation.
  • Analytic floor: ICD 203 (likelihood/confidence separated), ICD 206 (sourcing), NATO Admiralty A–F reliability.
  • Authority boundary: collection confined to lawful open/publicly-available sources (ATP 2-22.9 1-2); military collection authorities do not transfer.

Source Register

RefSourceSource Role (Primary/Secondary/Authoritative/Non-auth.)TypeReliability (A–F)Credibility (1–8)Date
S-1[ ][ ][ ][ ][ ][ ]

Source Evaluation Worksheet (ATP 2-22.9 4-13)

SourceIdentityAuthorityMotiveAccessTimelinessConsistency→ Reliability/Credibility
[ ][ ][ ][ ][ ][ ][ ][ ]

Source Reliability Scale (Admiralty, A–F)

GradeMeaning
ACompletely reliable
BUsually reliable
CFairly reliable
DNot usually reliable
EUnreliable
FReliability cannot be judged

Grades run A Completely reliable through F Reliability cannot be judged; new sources default to F.

Information Credibility Scale - OSINT 8-band (ATP 2-22.9, Table 2-2)

GradeMeaning
1Confirmed by other sources
2Probably true
3Possibly true
4Doubtful
5Improbable
6Misinformation (unintentionally false)
7Deception (deliberately false)
8Credibility cannot be judged

New sources default to F/8. Bands 1–5 carry the Admiralty wording; 6–8 are the ATP 2-22.9 additions grading mis-/dis-information distinctly.

Estimative Probability (Likelihood) Lexicon - ICD 203

TermRange
Almost no chance / remote01–05%
Very unlikely / highly improbable05–20%
Unlikely / improbable20–45%
Roughly even chance45–55%
Likely / probable55–80%
Very likely / highly probable80–95%
Almost certain / nearly certain95–99%

The estimative scale runs from almost no chance / remote (01–05%) to almost certain / nearly certain (95–99%). Likelihood (event) and analytic confidence (evidence) are distinct axes - never combine them in one sentence (ICD 203).

Analytic Confidence Scale (evidence base)

LevelCriteria
HIGHMultiple independent, reliable sources; corroborated; no significant contradiction.
MODERATEPartial corroboration; some gaps; minor unresolved inconsistencies.
LOWSingle/uncorroborated source; significant gaps; plausible alternatives open.

Risk-Scoring Key

Likelihood (1–5) × Impact (1–5) = 1–25; 1–5 Low · 6–10 Moderate · 11–15 Elevated · 16–20 High · 21–25 Critical.

Collection OPSEC / Non-Attribution

Managed-attribution posture used (non-.gov egress, no login pivots into private space, footprint minimization - ATP 2-22.9 App B: research “could unintentionally reveal CCIRs”).

Methodological note: This is a case-management framework, not a clinical/actuarial product. Threat levels are structured professional judgments, not predictions. Likelihood (event) and analytic confidence (evidence) are stated separately (ICD 203). Behavioral observations are non-clinical. Practitioner methods (Bazzell) are cited as method, never as governing authority; no live tool names appear in this skeleton.

19. Annexes B+

  • Annex B - Network Link Chart (Current): [draw.io relationship diagram; solid = known, dashed = suspected; annotated with management status per node.]
  • Annex C - Behavioral Timeline (per active node): [Chronology of grievance, communications, warning behaviors, management actions, dated/graded.]
  • Annex D - Identifier & Entity Index.
  • Annex E - Source Index: [Citations / archived records, capture timestamps.]
  • Annex F - Evidence Archive & Chain of Custody: [Preserved records, hashes, timestamps/URLs.]
  • Annex G - Glossary & Abbreviations (warning behaviors, pathway stages, NE block terms, model references, case-management terms).
  • Annex H - Version History & Change Log: [Date, version, author, summary of changes from previous version.]

END OF REPORT

This Threat Case Assessment & Management (TAM) product is a living case-management framework prepared from available records, communications, and open sources as of the stated current-version date. It is not a clinical or psychological diagnosis, not an actuarial prediction, not a consumer report (FCRA), and not legal advice. It consumes and acts upon the Protective Intelligence Assessment and Hostile Surveillance Vulnerability Assessment; it does not re-perform those assessments. Threat is dynamic and this case file must be reassessed on the stated triggers and cadence. If imminent danger is indicated, contact law enforcement immediately.

FieldValue
Prepared By[ANALYST / THREAT MANAGER NAME]
Reviewed By[REVIEWER NAME]
Approving Officer[APPROVER NAME]
Date[YYYY-MM-DD]
Version[X.X]

Model wiring

Generated from cell frontmatter at publish time.