THREAT CASE ASSESSMENT & MANAGEMENT (TAM)
[CASE REFERENCE / PRINCIPAL] - Ongoing Threat-Management Case File
The Threat Case Assessment & Management (TAM) product is the living case-management framework for an ongoing threat situation involving a named principal. It consolidates all threat-actor intelligence, management actions, risk evolution, stakeholder coordination, and forward planning into a single authoritative case file. It is the operational-management layer that consumes and acts upon the Protective Intelligence Assessment (PIA - the deep-dive threat-network characterization) and the Hostile Surveillance Vulnerability Assessment (HSVA - the physical-venue/route vulnerability picture).
This product does NOT:
- Re-perform the initial threat-network characterization (Protective Intelligence Assessment, the behavioral SPJ network product).
- Assess physical-surveillance vulnerabilities at specific venues, routes, or residences (Hostile Surveillance Vulnerability Assessment).
- Conduct a single-subject threat assessment on an individual actor in isolation (Subject Threat Assessment).
- Provide clinical/psychological diagnosis, actuarial prediction, or legal advice.
- Substitute for an emergency response - if indicators of imminent danger are present, escalate to law enforcement immediately.
The TAM is a dynamic document updated on a defined cadence and on trigger events. It is the program owner’s primary tool for tracking case status, management effectiveness, and risk evolution over time.
Document Control
| Field | Value |
|---|---|
| Report Reference | [REF-YYYY-###] |
| Date of Current Version | [YYYY-MM-DD] |
| Case Opened | [YYYY-MM-DD] |
| Principal / Protectee | [Named individual / family / principal] |
| Case Owner / Threat Manager | [Name / role] |
| Case Status | [Active / Monitoring / Closed - with date of status] |
| Governing Assessment(s) Consumed | [PIA ref / HSVA ref / other assessments informing this case] |
| Client | [CLIENT NAME] |
| Prepared By | [ANALYST / THREAT MANAGER NAME / ID] |
| Reviewed By | [REVIEWER NAME / ID] |
| Approving Officer | [APPROVER NAME / ID] |
| Version | [X.X] |
| Next Scheduled Review | [YYYY-MM-DD] |
| Distribution | [NAMED RECIPIENTS] |
Handling & Legal Caveat
Handling: [Classification/TLP]. Named recipients only. No onward dissemination without originator approval.
IMMINENT DANGER: If this case file surfaces an imminent risk of harm, contact law enforcement / 911 immediately. This product does not substitute for emergency response.
Nature of this product: This is a case-management framework for an ongoing threat situation. It consolidates intelligence, management actions, and risk assessments into a single living document. It is not a clinical, psychological, psychiatric, or fitness-for-duty diagnosis, and not an actuarial prediction of future violence. It assigns concern, prioritizes management, and tracks risk evolution; it does not claim to predict who will or will not act.
Duty to warn / report: Where findings implicate a duty to warn an identifiable potential victim (e.g., Tarasoff-type obligations) or a mandatory-reporting duty, those obligations are triggered independently of this report and must be actioned per counsel and jurisdiction.
Permissible purpose: Conducted for the lawful protective purpose of [PURPOSE]. Not a “consumer report” and not prepared by a “consumer reporting agency” under the FCRA (15 U.S.C. § 1681); not for any FCRA-covered eligibility determination.
Data protection: Personal and behavioral data processed under [GDPR/CCPA/applicable regime]; handle per the client DPA and retention schedule [RETENTION REF]. Privilege: [If applicable] Attorney–Client Privileged / Work Product.
Collection boundary: Collection confined to open/publicly-available information (ATP 2-22.9 1-2); no surveillance of, or pretext contact with, any subject; lawful-open-source only.
Currency: Threat is dynamic. This case file reflects information as of the current-version date and must be reassessed on the triggers/cadence defined in §16.
Case Snapshot
| Field | Value |
|---|---|
| Case Status | [Active / Monitoring / Closed] |
| Current Case Risk Level | [Minimal / Low / Moderate / High / Imminent] |
| # Active Threat Nodes | [n] |
| # Nodes in Active Management | [n] |
| Primary Grievance Vector | [Nature / shared driver across the threat network] |
| Insider-Threat Nexus (Y/N) | [Y/N] |
| Days Since Last Significant Event | [n] |
| Next Scheduled Review | [YYYY-MM-DD] |
Table of Contents
Page numbers populate on export to Word/PDF.
- BLUF - Bottom Line Up Front
- Executive Summary
- Key Judgments
- Priority Intelligence Requirements (PIRs)
- Case Overview & Chronology
- Threat-Actor Register (Active & Monitored Nodes)
- Management-Action Log
- Management-Effectiveness Assessment
- Dynamic Risk Register
- Escalation / De-Escalation Criteria & Tripwires
- Stakeholder Coordination & Communication Plan
- Resource Requirements & LOE
- Verified Findings Summary
- Analysis of Competing Hypotheses (ACH)
- Key Assumptions Check
- Collection Gaps & Intelligence Requirements (RFIs)
- Case-Forward Plan & Recommendations
- Annex A - Sources, Methodology & Doctrinal Basis
- Annexes B+
1. BLUF - Bottom Line Up Front
2–4 sentences. State the current case risk level, the highest-concern actor(s), the most significant change since the last version, and the immediate required action (including any law-enforcement referral or protective-measure adjustment).
- Current case risk level: [Minimal / Low / Moderate / High / Imminent.]
- Highest-concern actor(s): [Node ID(s) + one-line basis.]
- Most significant change since last version: [New actor / escalation / management-action outcome / tripwire triggered.]
- Immediate action: [Protective action / law-enforcement referral / management-action adjustment / monitoring posture.]
2. Executive Summary
Case Origin & Triggering Event
What prompted the case to be opened - the communication, incident, or pattern, and when. Detail field observations arrive as EP-027 field contact / suspicious activity reports (the ART-field-contact-report seam); cite the originating report reference(s) and the intake disposition (new case / merged / watchlisted). Reference the governing Protective Intelligence Assessment if one exists.
[Narrative.]
Current Case Status
The shape of the case at this version: how many active threat nodes, management posture, risk trajectory (stable / escalating / de-escalating), and any significant events since the last version.
[Narrative.]
Scope & Limitations
What this version covers, sources available, time window, and constraints (no clinical evaluation, no direct subject interview, open-source-only collection, data limitations).
[Narrative.]
Case Risk Bottom Line
The net assessment in narrative form - consistent with §9.
[Narrative.]
3. Key Judgments
Analytic assessments about the case trajectory, actor behavior, and management effectiveness. Likelihood (of escalation/approach/targeted violence) and analytic confidence in SEPARATE columns (never combine them in one sentence - ICD 203). Each judgment names its change indicator.
| # | Judgment | Likelihood | Analytic Confidence | Change Indicator |
|---|---|---|---|---|
| KJ-1 | [e.g., likelihood of escalation by Node N-x within the next 90 days] | [almost no chance … almost certain] | [HIGH/MOD/LOW] | [ ] |
| KJ-2 | [e.g., effectiveness of current management actions in reducing approach risk] | [ ] | [ ] | [ ] |
| KJ-3 | [ ] | [ ] | [ ] | [ ] |
| KJ-4 | [ ] | [ ] | [ ] | [ ] |
4. Priority Intelligence Requirements (PIRs)
The questions this case must answer to drive management decisions (PIR → Indicator → SIR → source). Answer, evidence, confidence, residual gap each. PIRs evolve as the case progresses.
Collection-management spine: PIR → Indicator → SIR → OSINT-first source (Army-current; EEI = Joint synonym).
PIR-1: [e.g., Has any threat node escalated along the pathway to violence since the last assessment?]
| Assessment | Supporting Evidence | Analytic Confidence |
|---|---|---|
| [YES / NO / LIKELY / UNRESOLVED] | [ ] | [HIGH/MOD/LOW] |
Residual gap: [Carry to §16 if open.]
PIR-2: [e.g., Are current management actions having a measurable effect on any node’s behavior?]
| Assessment | Supporting Evidence | Analytic Confidence |
|---|---|---|
| [ ] | [ ] | [ ] |
Residual gap: [ ]
PIR-3: [e.g., Has any new actor entered the threat network or has any existing node changed its relationship to the principal?]
| Assessment | Supporting Evidence | Analytic Confidence |
|---|---|---|
| [ ] | [ ] | [ ] |
Residual gap: [ ]
(Repeat as needed - typically: escalation indicators · management effectiveness · network change · insider-threat evolution · opportunity/access windows.)
PIR Summary Matrix
| PIR | Question (brief) | Answer | Analytic Confidence |
|---|---|---|---|
| PIR-1 | [ ] | [ ] | [H/M/L] |
| PIR-2 | [ ] | [ ] | [H/M/L] |
| PIR-3 | [ ] | [ ] | [H/M/L] |
| PIR-4 | [ ] | [ ] | [H/M/L] |
5. Case Overview & Chronology
Case Origin
How and when the case was opened. Referral source, triggering event, initial risk level.
[Narrative.]
Significant Events Timeline
All significant events in the case - threat-actor communications, approaches, management actions, legal steps, law-enforcement contacts, protective-measure changes. Dated and graded by source.
| Date | Event Type | Description | Actor(s) Involved | Management Response | Source Grade |
|---|---|---|---|---|---|
| [YYYY-MM-DD] | [Communication / approach / legal action / LE contact / protective measure change / reassessment] | [ ] | [Node ID(s)] | [ ] | [A–F / 1–8] |
| [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
Case Status History
Track the case risk level over time to show trajectory.
| Period | Case Risk Level | Key Driver | Management Posture |
|---|---|---|---|
| [YYYY-MM-DD – YYYY-MM-DD] | [Minimal / Low / Moderate / High / Imminent] | [ ] | [Monitor / Active management / Disruption / LE referral] |
| [ ] | [ ] | [ ] | [ ] |
6. Threat-Actor Register (Active & Monitored Nodes)
Inventory every actor in the case, categorized by current management status. Drawn from the governing Protective Intelligence Assessment and updated with new intelligence. Each node’s characterization is maintained as a living entry.
Active Management Nodes (nodes under active management/intervention)
| Node ID | Actor / Entity | Relationship to Principal | Grievance / Driver | Current Pathway Stage | Current Threat Level | Management Lane (§7) | Last Updated |
|---|---|---|---|---|---|---|---|
| N-1 | [ ] | [ ] | [ ] | [ ] | [Minimal/Low/Moderate/High/Imminent] | [ ] | [YYYY-MM-DD] |
| N-2 | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
Monitored Nodes (nodes under observation, no active intervention)
| Node ID | Actor / Entity | Relationship to Principal | Grievance / Driver | Current Pathway Stage | Current Threat Level | Monitoring Cadence | Last Updated |
|---|---|---|---|---|---|---|---|
| N-3 | [ ] | [ ] | [ ] | [ ] | [Minimal/Low/Moderate/High/Imminent] | [ ] | [YYYY-MM-DD] |
| N-4 | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
Inactive / Closed Nodes (nodes no longer assessed as posing a threat)
| Node ID | Actor / Entity | Reason for Closure | Date Closed | Reopening Criteria |
|---|---|---|---|---|
| N-5 | [ ] | [ ] | [YYYY-MM-DD] | [ ] |
7. Management-Action Log
Complete record of every management action taken in the case, with dates, rationale, legal authority, and outcome. This is the case’s institutional memory.
| Action ID | Date | Node(s) Targeted | Action Type | Lawful Effect (→ §13 of governing PIA) | Legal Authority | Owner | Outcome / Effectiveness | Next Step |
|---|---|---|---|---|---|---|---|---|
| A-1 | [YYYY-MM-DD] | [N-x] | [Protective-detail adjustment / access control / route change / legal process / LE referral / relationship management / threat de-escalation / isolation / monitoring escalation] | [Deterrence/hardening / legal process / LE referral / relationship management / de-escalation / isolation] | [Statute / order / referral basis] | [ ] | [Effective / partially effective / ineffective / pending / escalated] | [ ] |
| A-2 | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
Pending Actions
| Action ID | Planned Action | Node(s) Targeted | Target Date | Owner | Status |
|---|---|---|---|---|---|
| A-3 | [ ] | [ ] | [YYYY-MM-DD] | [ ] | [Not started / in progress / delayed] |
8. Management-Effectiveness Assessment
Assess whether the current management strategy is working. Per node and overall. This is the case’s feedback loop - if actions are not reducing risk, the strategy must change.
Per-Node Effectiveness
| Node ID | Current Management Lane | Actions Taken (Action IDs) | Observed Behavioral Change | Effectiveness Rating | Basis for Rating |
|---|---|---|---|---|---|
| [N-x] | [ ] | [A-1, A-2] | [De-escalation / no change / escalation / unknown] | [Effective / Partially effective / Ineffective / Cannot assess] | [ ] |
| [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
Overall Case-Management Effectiveness
Net assessment: is the overall management strategy reducing risk to the principal? What is working, what is not, and what needs to change?
[Narrative.]
9. Dynamic Risk Register
Per-node risk to the principal at the current version, scored Likelihood (1–5) × Impact (1–5) = 1–25. Keys: 1–5 Low · 6–10 Moderate · 11–15 Elevated · 16–20 High · 21–25 Critical. Track risk score changes across versions to show trajectory.
| Node ID | Threat Scenario | Likelihood (1–5) | Impact (1–5) | Score | Band | Previous Score | Trend | Priority |
|---|---|---|---|---|---|---|---|---|
| [N-x] | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] | [Stable / Escalating / De-escalating / New] | [H/M/L] |
| [ ] | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
Risk Heat Map (Consolidated)
Aggregate view of all node risks. Narrative summary of the risk landscape.
[Narrative.]
10. Escalation / De-Escalation Criteria & Tripwires
The specific, observable behaviors or events that would trigger escalation of management posture, de-escalation, or case closure. Pre-defining these is core to disciplined case management.
Escalation Tripwires (trigger increased management posture)
| Tripwire (observable) | Indicates | Required Response | Responsible Party |
|---|---|---|---|
| [e.g., acquisition of a weapon by a threat node] | [Capability escalation] | [Immediate reassessment / LE referral / protective-measure escalation] | [ ] |
| [e.g., approach to principal location] | [Breach/probing] | [ ] | [ ] |
| [e.g., new communication with violent content] | [Intent escalation] | [ ] | [ ] |
| [e.g., threat node’s pathway stage advances] | [Progression toward attack] | [ ] | [ ] |
De-Escalation Criteria (trigger reduced management posture)
| Criterion (observable) | Indicates | Required Response | Responsible Party |
|---|---|---|---|
| [e.g., sustained period of no threat-related activity by node] | [Risk reduction] | [Reassess threat level; consider downgrade to monitoring] | [ ] |
| [e.g., successful legal remedy (TRO/restraining order in effect)] | [Legal barrier in place] | [ ] | [ ] |
| [e.g., node’s stated grievance resolved or withdrawn] | [Driver removed] | [ ] | [ ] |
Case-Closure Criteria
Conditions under which the case may be closed. Closure is a deliberate decision, not a default.
| Criterion | Met? (Y/N/Partial) | Evidence |
|---|---|---|
| [All threat nodes assessed as no longer posing a threat] | [ ] | [ ] |
| [No threat-related activity for [n] months] | [ ] | [ ] |
| [Principal no longer at risk (e.g., relocation, role change)] | [ ] | [ ] |
| [Client has accepted residual risk in writing] | [ ] | [ ] |
11. Stakeholder Coordination & Communication Plan
Who needs to know what, when, and how. Defines the communication architecture for the case.
Stakeholder Register
| Stakeholder | Role in Case | Information Need | Communication Cadence | Point of Contact |
|---|---|---|---|---|
| [Client / principal] | [Decision-maker / protectee] | [Case status, risk level, significant events] | [Immediate for escalation; weekly summary; full report per version] | [ ] |
| [Protective detail / security team] | [Physical protection] | [Threat-actor descriptions, indicators, management actions] | [ ] | [ ] |
| [Law enforcement liaison] | [Legal/LE response] | [Criminal activity, TRO violations, imminent threats] | [ ] | [ ] |
| [Legal counsel] | [Legal advice, privilege] | [Legal actions, duty-to-warn obligations] | [ ] | [ ] |
| [Household / staff (if applicable)] | [Insider-threat awareness] | [Relevant indicators, security protocols] | [ ] | [ ] |
Communication Protocols
| Scenario | Communication Channel | Recipients | Timeliness |
|---|---|---|---|
| [Imminent threat / emergency] | [Phone / secure messaging / in-person] | [ ] | [Immediate] |
| [Tripwire triggered] | [ ] | [ ] | [Within [n] hours] |
| [Routine status update] | [ ] | [ ] | [Per cadence] |
| [New version of this case file] | [ ] | [ ] | [Per version] |
12. Resource Requirements & LOE
What resources are required to manage this case at the current posture. Updated per version.
| Resource Category | Current Allocation | Required Allocation | Gap | Priority |
|---|---|---|---|---|
| [Analyst / threat-manager hours per week] | [n hrs/wk] | [n hrs/wk] | [ ] | [H/M/L] |
| [Open-source monitoring / collection] | [ ] | [ ] | [ ] | [ ] |
| [Legal / LE coordination] | [ ] | [ ] | [ ] | [ ] |
| [Protective-detail augmentation] | [ ] | [ ] | [ ] | [ ] |
| [Technical surveillance / security upgrades] | [ ] | [ ] | [ ] | [ ] |
| [External specialist consultation] | [ ] | [ ] | [ ] | [ ] |
13. Verified Findings Summary
| # | Finding | Status | Analytic Confidence | Materiality |
|---|---|---|---|---|
| F-1 | [ ] | [Verified / Unverified / Contradicted] | [H/M/L] | [Material / Minor] |
| F-2 | [ ] | [ ] | [ ] | [ ] |
14. Analysis of Competing Hypotheses (ACH)
Test the alternatives at case altitude - whether the current management strategy is appropriate, whether the threat is being over- or under-estimated, and whether a different case theory would change management posture. The favored judgment is the one with the least disconfirming evidence.
Hypothesis 1: [Current case theory and management strategy are correct - the identified nodes pose the assessed threat and the management actions are appropriate]
- Evidence for / against: [ ] / [ ]
- Assessment: [ ]
Hypothesis 2: [The threat is being over-estimated - some or all nodes are howlers/expressive only, and the current management posture is disproportionate to the actual risk]
- Evidence for / against: [ ] / [ ]
- Assessment: [ ]
Hypothesis 3: [The threat is being under-estimated - there are unidentified nodes, or the assessed nodes are further along the pathway than current intelligence indicates]
- Evidence for / against: [ ] / [ ]
- Assessment: [ ]
Hypothesis 4: [The current management actions are counterproductive - they are escalating rather than de-escalating one or more nodes]
- Evidence for / against: [ ] / [ ]
- Assessment: [ ]
Most consistent hypothesis: [Which, and the discriminating evidence. If the favored hypothesis has changed since the last version, state the shift and why.]
15. Key Assumptions Check
| # | Assumption | Basis | Analytic Confidence | Impact if Wrong |
|---|---|---|---|---|
| A-1 | [ ] | [ ] | [H/M/L] | [ ] |
| A-2 | [ ] | [ ] | [ ] | [ ] |
| A-3 | [ ] | [ ] | [ ] | [ ] |
16. Collection Gaps & Intelligence Requirements (RFIs)
| Gap / RFI | Impact on Case Management | Recommended Collection / Routed Product | Priority |
|---|---|---|---|
| [ ] | [ ] | [Method / e.g., ”→ continuous monitoring”] | [HIGH/MED/LOW] |
| [ ] | [ ] | [ ] | [ ] |
17. Case-Forward Plan & Recommendations
Assessment without management is incomplete. Provide the forward plan for the case: management actions to take, actions to avoid, reassessment triggers and cadence, and case-closure pathway if applicable.
Recommended Management Strategy (Next Period)
Overall posture for the coming period: maintain current posture / escalate management / de-escalate / prepare for closure. Rationale.
[Narrative.]
Specific Management Actions (Next Period)
| Action ID | Planned Action | Node(s) Targeted | Lawful Effect | Owner | Target Date | Priority |
|---|---|---|---|---|---|---|
| [ ] | [ ] | [ ] | [ ] | [ ] | [YYYY-MM-DD] | [H/M/L] |
| [ ] | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
Actions to AVOID (de-escalation discipline)
Steps that could provoke, accelerate, or validate any node (e.g., aggressive confrontation, public exposure, abrupt cutoff in intimacy cases). Threat management can make things worse if mishandled.
[Narrative.]
Reassessment Triggers & Cadence
When this case file must be updated (tripwires from §10) and the routine review interval. Name the case owner.
| Trigger / Cadence | Action | Responsible Party |
|---|---|---|
| [Routine review] | [Full case-file update] | [Case owner] |
| [Tripwire triggered (§10)] | [Immediate reassessment and case-file update] | [Case owner] |
| [New intelligence on any node] | [Update node entry and risk score] | [Analyst] |
| [Management action outcome known] | [Update management-action log and effectiveness assessment] | [Case owner] |
Case-Closure Pathway (if applicable)
If the case is approaching closure, define the remaining steps, criteria, and timeline.
[Narrative. Case owner: [NAME].]
18. Annex A - Sources, Methodology & Doctrinal Basis
Methodology by Phase (ATP 2-22.9 intelligence process, para 1-9)
Plan (requirements) → Prepare (managed-attribution setup / compliance) → Collect (open-source media + technique) → Produce (evaluate / process / report). State what was done in each phase.
Doctrinal Basis & Method
Governing authority and imported constructs, with FULL/PARTIAL/GAP transparency. Anchors resolve through docs/reference/doctrine/INDEX.md.
- Governing authority (PARTIAL band): USSS Fein-Vossekuil / ATAP / WAVR-21 / TRAP-18 behavioral threat assessment - the behavioral core (pathway-to-violence, fixation, leakage) that military doctrine does not govern.
- Case-management framework: Derived from protective-intelligence program management standards (ATAP / ASIS PI.1 / OSAC best practices) for ongoing threat-case documentation, risk tracking, and management-action accountability.
- Analytic overlay (method, not authority): the network-engagement spine - Network Frame (ATP 5-0.6 2-13), Link Analysis (3-29), SNA (JP 3-25 App G), Nexus nodes (3-50), CFA (JP 3-25 Ch IV), Action Framework (1-5) rendered through the lawful-effects translation.
- Analytic floor: ICD 203 (likelihood/confidence separated), ICD 206 (sourcing), NATO Admiralty A–F reliability.
- Authority boundary: collection confined to lawful open/publicly-available sources (ATP 2-22.9 1-2); military collection authorities do not transfer.
Source Register
| Ref | Source | Source Role (Primary/Secondary/Authoritative/Non-auth.) | Type | Reliability (A–F) | Credibility (1–8) | Date |
|---|---|---|---|---|---|---|
| S-1 | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
Source Evaluation Worksheet (ATP 2-22.9 4-13)
| Source | Identity | Authority | Motive | Access | Timeliness | Consistency | → Reliability/Credibility |
|---|---|---|---|---|---|---|---|
| [ ] | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
Source Reliability Scale (Admiralty, A–F)
| Grade | Meaning |
|---|---|
| A | Completely reliable |
| B | Usually reliable |
| C | Fairly reliable |
| D | Not usually reliable |
| E | Unreliable |
| F | Reliability cannot be judged |
Grades run A Completely reliable through F Reliability cannot be judged; new sources default to F.
Information Credibility Scale - OSINT 8-band (ATP 2-22.9, Table 2-2)
| Grade | Meaning |
|---|---|
| 1 | Confirmed by other sources |
| 2 | Probably true |
| 3 | Possibly true |
| 4 | Doubtful |
| 5 | Improbable |
| 6 | Misinformation (unintentionally false) |
| 7 | Deception (deliberately false) |
| 8 | Credibility cannot be judged |
New sources default to F/8. Bands 1–5 carry the Admiralty wording; 6–8 are the ATP 2-22.9 additions grading mis-/dis-information distinctly.
Estimative Probability (Likelihood) Lexicon - ICD 203
| Term | Range |
|---|---|
| Almost no chance / remote | 01–05% |
| Very unlikely / highly improbable | 05–20% |
| Unlikely / improbable | 20–45% |
| Roughly even chance | 45–55% |
| Likely / probable | 55–80% |
| Very likely / highly probable | 80–95% |
| Almost certain / nearly certain | 95–99% |
The estimative scale runs from almost no chance / remote (01–05%) to almost certain / nearly certain (95–99%). Likelihood (event) and analytic confidence (evidence) are distinct axes - never combine them in one sentence (ICD 203).
Analytic Confidence Scale (evidence base)
| Level | Criteria |
|---|---|
| HIGH | Multiple independent, reliable sources; corroborated; no significant contradiction. |
| MODERATE | Partial corroboration; some gaps; minor unresolved inconsistencies. |
| LOW | Single/uncorroborated source; significant gaps; plausible alternatives open. |
Risk-Scoring Key
Likelihood (1–5) × Impact (1–5) = 1–25; 1–5 Low · 6–10 Moderate · 11–15 Elevated · 16–20 High · 21–25 Critical.
Collection OPSEC / Non-Attribution
Managed-attribution posture used (non-.gov egress, no login pivots into private space, footprint minimization - ATP 2-22.9 App B: research “could unintentionally reveal CCIRs”).
Methodological note: This is a case-management framework, not a clinical/actuarial product. Threat levels are structured professional judgments, not predictions. Likelihood (event) and analytic confidence (evidence) are stated separately (ICD 203). Behavioral observations are non-clinical. Practitioner methods (Bazzell) are cited as method, never as governing authority; no live tool names appear in this skeleton.
19. Annexes B+
- Annex B - Network Link Chart (Current): [draw.io relationship diagram; solid = known, dashed = suspected; annotated with management status per node.]
- Annex C - Behavioral Timeline (per active node): [Chronology of grievance, communications, warning behaviors, management actions, dated/graded.]
- Annex D - Identifier & Entity Index.
- Annex E - Source Index: [Citations / archived records, capture timestamps.]
- Annex F - Evidence Archive & Chain of Custody: [Preserved records, hashes, timestamps/URLs.]
- Annex G - Glossary & Abbreviations (warning behaviors, pathway stages, NE block terms, model references, case-management terms).
- Annex H - Version History & Change Log: [Date, version, author, summary of changes from previous version.]
END OF REPORT
This Threat Case Assessment & Management (TAM) product is a living case-management framework prepared from available records, communications, and open sources as of the stated current-version date. It is not a clinical or psychological diagnosis, not an actuarial prediction, not a consumer report (FCRA), and not legal advice. It consumes and acts upon the Protective Intelligence Assessment and Hostile Surveillance Vulnerability Assessment; it does not re-perform those assessments. Threat is dynamic and this case file must be reassessed on the stated triggers and cadence. If imminent danger is indicated, contact law enforcement immediately.
| Field | Value |
|---|---|
| Prepared By | [ANALYST / THREAT MANAGER NAME] |
| Reviewed By | [REVIEWER NAME] |
| Approving Officer | [APPROVER NAME] |
| Date | [YYYY-MM-DD] |
| Version | [X.X] |
Model wiring
Generated from cell frontmatter at publish time.