What Protective Intelligence Is, and Why It Starts With Your Profile

Protective intelligence understands a person the way an adversary would, in order to defend them. Why it begins with your own profile, and not with the threat.

Most security work begins with the attacker. Who are they, what do they want, what are they capable of. Protective intelligence begins at the other end. It starts with the person being protected and asks what an adversary would find if they went looking. That inversion is the whole discipline, and it has a reason behind it worth setting out plainly.

What protective intelligence is

Protective intelligence is the practice of understanding a person the way an adversary would, in order to defend them. It sits between two established fields and belongs to neither.

Physical executive protection models the principal as a body to be moved through space safely: routes, venues, vehicles, proximity. Corporate cybersecurity models the same person as a user with accounts, devices and passwords to be secured. Both are necessary. Neither describes what an open-source adversary actually works with, which is a public name attached to a home address, a family, a routine, an old leaked password, and a set of handles that connect all of it.

Protective intelligence is the layer that reads that picture. It is an intelligence discipline before it is a security service. The recognised intelligence collection disciplines are usually named by their source: human, signals, imagery, geospatial and open-source intelligence, with social media intelligence the most recent addition to the family. Protective intelligence draws mainly on the open-source and social ones and turns them inward, applying the adversary’s own reconnaissance methods to the person being protected, so that what an attacker could assemble is known to the defender first.

The clearest proof that this is a working method and not a theory is that the evidence base for the field was built with it. The most comprehensive open-source study of attacks on senior executives to date, a January 2026 dataset assembled by a Fortune 500 protective-intelligence team with Mercyhurst University, catalogues 424 incidents between 2003 and 2025. It was produced by structured open-source collection: more than fifty variables per incident, organised around the characteristics of the target, the assailant, and the circumstances of the attack. The same open-source lens that maps a threat can map an exposure. Its authors are careful to call the dataset a representative snapshot rather than a complete record, since open-source reporting misses what is never reported. It describes a pattern, not a precise count.

Why the profile comes before the threat

Security has a durable shorthand for risk. Risk is a function of three things: the threat, the vulnerability, and the consequence. A threat is an actor with intent and capability. A vulnerability is the opening that lets the threat reach its target. The consequence is what happens if it does.

The reason protective intelligence begins with the profile falls straight out of that equation. You do not control the threat. You cannot decide who develops a grievance, which activist network fixes on your employer, or which fraud crew buys a breach corpus this month. Threat is exogenous; it arrives on its own schedule.

You do control the other two terms. Your vulnerability is what is findable and usable about you: the address in a registry, the home in a tagged photograph, the password reused since 2014. Your consequence is what that exposure enables once someone holds it. Both are properties of you and your footprint, not of any particular attacker. They are the part of the risk equation that is yours to move.

| Factor | Can you control it? | What protective intelligence does |
|---|---|---|
| Threat: who targets you, and why | No. It is exogenous. | Anticipates plausible actors; does not pretend it can remove intent |
| Vulnerability: what is findable and usable | Yes | Maps it the way an adversary would, then reduces it |
| Consequence: what an exposure enables | Largely yes | Identifies what a given exposure unlocks; closes the highest-impact paths first |

Chasing the threat means waiting for an actor to declare themselves and reacting once they have. Starting with the profile means working on the two variables you can actually change, before anyone declares anything. Mapping the profile first is therefore not thoroughness for its own sake. It is the only work available on the side of the risk equation you own.

How a profile is actually mapped

Mapping a profile is not a matter of searching a name and reading what comes back. It is a structured exercise. The structure is borrowed from threat modelling, the engineering discipline that asks what could go wrong with a system before it does.

Reviews of threat-modelling approaches converge on a first step that is always the same: before you reason about attackers, you enumerate what you have and what is exposed. Whether the method is STRIDE, PASTA or an attack tree, it opens by identifying assets and entry points. You cannot model a threat to an asset you have not listed. Identification precedes analysis.

Protective intelligence applies the same order to a person. The assets are the elements of a life that an adversary can use: identity documents and numbers, locations, financial signals, relationships, credentials, and the behavioural pattern that ties them together. The exposure is which of those an outsider can reach without authentication. Surfacing each is an investigation rather than a lookup: mapping a person’s discoverable footprint and tracing the credentials already circulating about them are disciplines in their own right. Only once that inventory exists does it make sense to ask who might act on it and how. A profile mapped this way is examinable: each item has a source, and each source can be checked, reduced, or left in place as a deliberate decision rather than an oversight.

This is also where protective intelligence parts company with a generic “remove yourself from the internet” pitch. Erasing everything is neither possible nor the goal. The work is to know precisely what is reachable, rank it by what it enables, and act on the items that carry the most weight.

The profile is bigger than the person

A profile that stops at the individual is incomplete, because attackers do not stop there. Work on the security of interdependent assets makes the point formally: when several assets are connected, a rational attacker does not strike the strongest one. They strike the weakest link whose compromise still reaches the target. Defence, in that model, is a question of where to invest, given that the adversary will look for the cheapest path in.

For a person, the connected assets are rarely their own well-secured accounts. They are the secondary ones: a driver, an assistant, a family member’s open social profile, a recurring calendar entry, a home network, a second-home address in another country’s registry. Each sits one step from the principal and is usually softer. A teenager’s public post naming a parent’s employer, or a partner’s check-in at a family address, can be worth more to an adversary than anything the principal published themselves. Much of it is an attack surface you do not directly own.

Protective intelligence maps that extended surface deliberately, because the weakest link defines the real exposure. Reducing only the principal’s own footprint while the connected ones stay open leaves the path in untouched. The work has to follow the relationships outward, to the point where hardening stops being worth the cost.
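
The weakest-link argument can be made concrete with a small model. The following is an added example, not part of the original briefing and not the game-theoretic model of the cited work: it treats a constructed set of connected assets as a weighted graph, finds the least-effort path to the principal, and ranks which single link is worth hardening. All node names and effort costs are illustrative assumptions.

```python
import heapq

# Constructed exposure graph. An edge a -> b with cost c means "once a is
# held, b is reachable for c units of effort". Names and costs are assumptions.
EXPOSURE = {
    "outsider": {"principal_accounts": 9, "assistant_calendar": 3,
                 "family_social_profile": 1, "second_home_registry": 2},
    "principal_accounts": {"home_address": 1, "routine": 1},
    "family_social_profile": {"home_address": 1},
    "second_home_registry": {"home_address": 4},
    "assistant_calendar": {"routine": 1},
    "home_address": {"principal": 1},
    "routine": {"principal": 2},
}

def cheapest_path(graph, src="outsider", dst="principal"):
    """Dijkstra: return (total_cost, path) of the least-effort route, or (inf, [])."""
    queue, seen = [(0, src, [src])], set()
    while queue:
        cost, node, path = heapq.heappop(queue)
        if node == dst:
            return cost, path
        if node in seen:
            continue
        seen.add(node)
        for nxt, step in graph.get(node, {}).items():
            if nxt not in seen:
                heapq.heappush(queue, (cost + step, nxt, path + [nxt]))
    return float("inf"), []

def harden(graph, a, b, extra):
    """Return a copy of the graph with the a -> b link made `extra` units costlier."""
    copy = {n: dict(out) for n, out in graph.items()}
    copy[a][b] += extra
    return copy

def rank_investments(graph, extra=10):
    """For each link, how far does hardening it raise the cheapest path's cost?"""
    base, _ = cheapest_path(graph)
    gains = {(a, b): cheapest_path(harden(graph, a, b, extra))[0] - base
             for a, out in graph.items() for b in out}
    return sorted(gains.items(), key=lambda kv: -kv[1])

if __name__ == "__main__":
    print("baseline:", cheapest_path(EXPOSURE))
    own = harden(EXPOSURE, "outsider", "principal_accounts", 10)
    print("after hardening own accounts:", cheapest_path(own))
    for (a, b), gain in rank_investments(EXPOSURE):
        print(f"{a} -> {b}: +{gain}")
```

In this constructed graph, hardening the principal's own accounts leaves the cheapest path unchanged, while hardening the family member's open profile shifts it to the next-softest connected asset.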

Patterns of life, and reducing predictability

Static facts (an address, a number, a password) are one half of a profile. The other half is the pattern: where someone is, when, with whom, and how reliably. Executive-protection practice has long treated patterns of life as a core exposure, because a predictable routine is what converts a list of facts into an opportunity with a time and a place attached.

Most of that pattern is now published voluntarily and continuously. Posts, check-ins, tagged photographs and replies disclose routine, locations and relationships without anyone being asked. Reading that stream over a period of weeks, the way a watcher would and with the subject’s consent, is itself a protective measure, because it shows the person what their own movements broadcast.

The protective response has two parts. The first is reduction: removing or locking down what discloses routine and location. The second is reducing predictability, varying what remains visible so it is worth less to anyone trying to anticipate you. This is counter-reconnaissance in a narrow, defensive sense, raising the cost and lowering the confidence of anyone building a model of your movements. It is a discipline applied to your own behaviour and your own information, and it stops well short of seeding false records into systems that have to stay accurate. Financial, identity, medical and official records are off limits. That boundary is not a soft one.

Where the digital layer meets the physical one

The reason any of this matters beyond inconvenience is that the digital profile is the route to the physical one. The exposure that lets a fraud crew impersonate someone is the same exposure that lets a fixated individual find their front door.

The executive-targeting dataset records that convergence directly. Of its 424 catalogued incidents, the large majority were physical rather than cyber, a third resulted in death or injury, and around half occurred in the target’s home city, the place a routine is most legible. Its authors flag, as the clearest emerging pattern, the way online exposure and compromised personal information now enable real-world targeting, alongside the growing use of AI tools to support reconnaissance and to lower the cost of convincing impersonation. Whether the concern is a fraud attempt or a fixated visitor, the input is the same body of findable information.

This is the cross-domain point that physical protection and cybersecurity each see only half of. Why elevated exposure raises the odds of being targeted, and when protective services are worth their cost, is taken up separately. The conclusion that matters here is narrower: because the physical risk runs through the digital footprint, the footprint is where protective intelligence has to begin.

Where this leaves you

Protective intelligence starts with the profile because the profile is the half of the risk you can actually change. You cannot legislate away the people who might target you. You can know what they would find, decide what to leave and what to remove, and make the rest harder to read. A discipline that began by naming threats would be reacting to other people’s decisions. One that begins with the profile is acting on its own.

Seeing your own exposure the way an outsider would is the first move, and it is one anyone can begin. The Executive Exposure Checklist is a self-diagnostic version of that step, the items worth auditing before someone maps them for you. Where the picture warrants a full analyst-led assessment, the Shield maps the complete surface, the connected assets and the pattern, and turns it into a ranked plan for reducing what can be reduced.

Sources

  • Risk as a function of threat, vulnerability and consequence: standard risk formulation used in homeland-security and infrastructure risk analysis (US DHS / RAND).
  • Tatam, M. et al. (2021). A review of threat modelling approaches for APT-style attacks. Heliyon. On asset and entry-point identification as the first step of threat modelling (STRIDE, PASTA, attack trees).
  • Hota, A. R. et al. (2016). Optimal and game-theoretic deployment of security investments in interdependent assets. GameSec / LNCS. On the weakest link in interdependent assets and where a defender should invest.
  • Security Executive Council & Mercyhurst University (January 2026). Executive Targeting Report: Analysis of Attacks on Corporate Executives, 2003–2025 (public release). Open-source dataset of 424 incidents; described by its authors as a representative snapshot, not a complete record.
  • Weissmann, M. et al. (2025). Future threat landscapes: the impact on intelligence and security services. Security & Defence Quarterly. On the intelligence-collection disciplines, including open-source and social media intelligence.
