Your Shield Against Targeted Violence

Why This Matters to You Right Now

If you’re reading this, something’s made you feel exposed. Maybe you’ve received worrying messages, noticed someone taking too much interest, or want to understand how real threats develop. Here’s the thing—attackers follow predictable patterns. Once you understand these patterns, you get your control back.
The Attack Cycle isn’t some academic theory. It’s your early warning system. Many successful attacks have followed these phases. More importantly, many attacks that have been prevented were stopped because someone spotted and acted on the warning signs.

The Reality Check

Most security advice tells you what to do after threats emerge. That’s backwards. When a threat is identified, you’re already playing catch-up. Real protection starts with understanding how attackers think and move, long before they reach your door. The Attack Cycle framework has been used by law enforcement and security professionals for over two decades, developed initially by the FBI and later adopted by the Department of Homeland Security and Secret Service to understand how criminals, terrorists, and assassins.

How Attackers Operate: The Eight-Phase Cycle

The Attack Cycle breaks down into eight distinct phases. Each one gives you different opportunities to detect and stop them. Think of it as a roadmap showing where your defences must be strongest.

Phase 1: Target Selection (General) – Why They Consider Multiple Targets

Attackers don’t just randomly choose targets. During this initial phase, they’re considering multiple potential targets who represent something to them—success they don’t have, values they oppose, or simply the visibility they crave. The targeting isn’t emotional; it’s calculated.

They research several potential targets simultaneously, looking at public profiles, business activities, family situations, and visible routines. They ask themselves: “Who could give me what I want? Who represents what I’m fighting against? Who would generate the impact I’m seeking?”

This is also known as ‘target dispersal’ and has been seen in several attacks on UK politicians. In these attacks, attackers initially considered multiple public figures before settling on their final choice.

What this means for you: Even if you’re not their final target, you may be considered during this phase. Your public exposure and visible patterns matter, as they influence whether you remain on their list or are discarded in favour of someone more accessible.

Phase 2: Initial Surveillance – Basic Information Gathering

During this phase, they’re conducting broad surveillance across their potential targets to understand who offers the best opportunity. This isn’t yet focused, detailed surveillance—its comparative intelligence gathering.

Surveillance in this context isn’t just someone following you with binoculars—its comprehensive information gathering through multiple methods. These include technical surveillance (monitoring your digital footprint), social engineering (manipulating people around you for information), open-source research (mining public records and social media), and sometimes physical observation.

They’re looking for basic patterns, security arrangements, and accessibility across multiple targets. The quality of their surveillance varies—some operations have sophisticated capabilities, while fixated individuals may leave obvious digital footprints or leak behavioural indicators that raise red flags.

What this means for you: Train everyone around you to recognise inappropriate questions or unusual interest in your routines. Your household staff, business colleagues, and family must understand what normal curiosity looks like versus concerning information gathering.

Phase 3: Final Target Selection – The Decision Point

This is where they narrow down their focus and make their final choice. The answer may come down to two critical factors: accessibility and predictability.

Accessibility means: Can they reach you when you’re vulnerable? Do you have security gaps they can exploit? Are there moments when your defences are down?

Predictability means: Can they forecast where you’ll be and when? Do you follow routines that can be mapped? Are your movements foreseeable enough to plan around?

Attackers aren’t necessarily looking for the most prominent target—they’re looking for the most accessible one with predictable patterns they can exploit. A billionaire with unpredictable movements and layered security is less attractive than a local businessperson who walks the same route to lunch every Tuesday.

The reality is stark: you don’t need to be the most famous person to become a target—you just need to be the most reachable one on their list. This decision point often comes down to a simple assessment: Which target represents their desired symbolic value while offering the clearest path to success?

What this means for you: Understanding why you might be selected helps predict what they’ll do next. Your threat assessment must identify what makes you attractive as a target—particularly how accessible and predictable you are—and then design countermeasures to address those specific vulnerabilities.

Phase 4: Pre-Attack Surveillance – Detailed Intelligence Gathering

Now they’re focused solely on you. This is comprehensive, detailed surveillance to map your exact routines, security measures, and vulnerabilities. They’re building a complete picture of your accessibility and predictability patterns.

All surveillance focuses on answering two critical questions: “When is this person most accessible?” and “What patterns can I rely on?” They’re looking for the moments when you’re predictably vulnerable—the regular coffee shop visits, the weekly family dinners, the consistent travel routes. These are fundamental targeting criteria that any serious threat will systematically evaluate.

Modern information gathering includes social media analysis, property record searches, business filing reviews, family member research, staff investigation, and monitoring your public appearances or statements. They’re building a comprehensive picture of your life, looking for exploitable patterns and security gaps.

Some surveillance activity may be to establish how effective your security is. Are they switched on and acting professionally, or are they lethargic, lazy, and ignoring red flags?

What this means for you: This is your best opportunity for detection. Train everyone around you to recognise inappropriate questions or unusual interest in your routines and how to respond when they identify such activities. They need to build a detailed picture of your patterns and feel they understand your vulnerabilities.

Phase 5: Planning – Working Out the Details

This phase is where attackers may become most vulnerable to detection. They acquire materials, develop detailed plans, and may struggle to contain their intentions. They’re now working out precisely how to exploit the accessibility and predictability they’ve identified.

They may confide in family members, boast online, document their intentions, or test their capabilities through seemingly unrelated actions. Equally, the most sophisticated may not leave and traces of their intentions.

This is also when they acquire whatever they need for their attack—physical tools, access credentials, or simply working out logistics.

Here’s the uncomfortable truth: If attackers spend weeks or months planning to exploit your vulnerabilities, but your protection team only meets quarterly or hasn’t rehearsed scenarios in years, they’re already ahead of you. The most sophisticated security hardware means nothing if your team doesn’t know how to coordinate under pressure.

What this means for you: Your threat monitoring must extend beyond direct communications, which are extremely poor indicators of an escalating threat. Monitor for concerning posts about you in online communities and ensure your security team understands the signs of hostile reconnaissance.

More critically, your executive protection team must regularly plan and train together. They need to know instinctively how each member will react during different scenarios—medical emergencies, physical threats, evacuation procedures, or communication breakdowns. The planning phase isn’t just about detecting their preparation—it’s about ensuring your preparation is superior to theirs.

Phase 6: Rehearsals – Testing Their Plan

Many attackers conduct rehearsals or test runs before executing their attack. This might involve timing routes, testing equipment, conducting practice surveillance, or even “novel aggression”—testing their ability to commit harmful acts through unrelated incidents.

Rehearsals often involve timing routes, testing equipment, and conducting what we call ‘novel aggression’—testing one’s ability to commit harmful acts through more minor, seemingly unrelated incidents. Someone planning reputational damage might start with minor acts of malicious exposure. Someone considering physical harm might begin with property damage or threats.

Professional groups conduct full rehearsals of vehicle assaults, determining who blocks escape routes, who approaches the target, and how they’ll coordinate their timing. In the UK, this phase often involves perfectly legal activities that only appear concerning in context—purchasing surveillance equipment, researching security systems, or acquiring items that could be misused.

What this means for you: Your team should regularly run their scenarios: What happens if your primary route is blocked? How do team members communicate if mobile networks fail? Who takes command if the team leader is incapacitated? Your security assessment should include monitoring activities that could support an attack against you. The rehearsal phase reveals their intended methodology and confirms they’ve identified a viable window of accessibility combined with predictable patterns they can exploit.

Phase 7: Execution – When Prevention Has Failed

They’re now moving to execute their plan, positioning themselves to exploit the accessibility and predictability they’ve mapped. Once they begin their attack, prevention has failed, and you’re now in crisis response mode.

Modern attacks aren’t always physical. Coordinated reputation attacks, privacy violations, or systematic harassment campaigns can be equally damaging and require different response strategies.

Some attackers will abort during the early stages of execution. Something goes wrong, they lose their nerve, or circumstances change. Your visible security presence can deter action, particularly if it disrupts their assumptions about your accessibility.

What this means for you: Your immediate security protocols—access controls, surveillance systems, alert procedures—must function perfectly. Emergency procedures should be practised regularly, covering multiple scenarios—physical threats, digital attacks, and reputation crises. Your team should be trained to identify and act on concerning behaviour immediately, not wait to “see what develops.”

Phase 8: Escape and Exploitation – The Aftermath

Attackers plan their aftermath differently. Some intend to escape and continue their campaign, others plan to be caught to gain attention, and some are prepared to harm themselves rather than face the consequences. Understanding their likely exit strategy helps predict their behaviour during the execution phase.

Even failed attacks serve their purpose if they generate publicity or inspire copycat behaviour. This phase focuses on claiming responsibility, justifying actions, and potentially recruiting others to continue their cause.

Successful prevention often goes unnoticed, which is precisely how it should be. Public knowledge of prevented attacks can inspire others.

What this means for you: Post-incident analysis should strengthen defences while avoiding publicity that might encourage similar attempts. Your media strategy should be carefully coordinated with security considerations. Your crisis response should be coordinated with professional security services and legal representation.

Your Strategic Advantages

Early Detection Saves Lives and Reputations

The Attack Cycle provides multiple intervention points before violence occurs. Each phase offers opportunities to identify, assess, and neutralise threats while they’re still manageable.

Consider the 2017 case in which I identified a planned parliamentary attack using six lines of intelligence. The attacker had leaked his intentions (Phase 5), allowing intervention before execution. Without understanding the Attack Cycle, those six lines might have seemed insignificant.

Cost-Effective Protection

Stopping threats early costs significantly less than responding to completed attacks. Prevention during the surveillance phase might require modest security adjustments. Response after an attack can cost millions in direct expenses, reputation management, and long-term security enhancements.

Reduced Anxiety Through Understanding

Fear of the unknown is often worse than known risks. Understanding how attacks develop transforms vague anxiety into actionable intelligence. You’re no longer wondering “if” something might happen—you’re systematically monitoring for specific indicators and taking measured responses.

Professional Credibility

Your security team becomes more effective when they understand what they’re protecting against. Training staff in Attack Cycle recognition creates multiple early warning systems across your organisation.

Practical Implementation for Your Situation

Immediate Actions

Audit Your Exposure: What information about you is publicly available? How accessible are you during routine activities? What predictable patterns in your life could someone exploit? Where are your surveillance blind spots?

Train Your Team: Staff should recognise concerning behaviour and know how to report it. This includes household staff, business colleagues, and family members.

Establish Monitoring: This includes digital monitoring for online threats and physical awareness of suspicious activity around your properties or routine locations.

Medium-Term Measures

Professional Threat Assessment: Regularly evaluate your threat environment, including analysis of any concerning communications or behaviour.

Reduce Predictability: Vary your routines where possible. Change departure times, alternate routes, and avoid fixed patterns that can be mapped and exploited.

Control Accessibility: Implement layered security that makes it progressively more challenging for someone to reach you during vulnerable moments.

Integrated Security Planning: Your physical security, digital privacy, and crisis response should work together, not as separate systems.

Relationship Management: Build trusted relationships with law enforcement, private security professionals, and crisis management specialists before you need them.

Team Coordination: Your executive protection team must train together regularly, not just assume competence. You cannot afford to discover during an incident that your team members have different tactical training or response procedures. Regular scenario-based exercises should cover medical emergencies, communication failures, route blockages, and team leader incapacitation. The question isn’t whether your team looks professional—it’s whether they can coordinate instinctively under pressure.

 Long-Term Strategy

Adaptive Protection: Your security posture should evolve with your public profile, business activities, and threat environment.

Family Integration: Ensure family members understand their role in collective security without living in fear. This includes helping them reduce their predictability and accessibility.

Crisis Preparedness: Plans and procedures for various scenarios, regularly tested and updated.

Environmental Considerations

The UK’s threat environment includes everything from fixated individuals targeting public figures to organised crime groups conducting reconnaissance for high-value robberies. Brexit tensions, economic pressures, and social media have created new dynamics in how threats develop and manifest.

Instead of focusing primarily on firearm threats, your team must assess vehicle access points, crowd control measures, and maintain sufficient distance to counter potential knife attacks. When conducting walkabouts in city centres, your advance team should specifically assess vehicle barriers—are there bollards protecting pedestrian areas? Can hostile vehicles access your route?

The key is adapting your defensive thinking to the most likely attack methods. Your team needs immediate action drills for engine sounds that signal vehicle attacks, clear procedures for moving you quickly into adjacent buildings, and understanding that knife threats require different spacing and response tactics than firearm threats.

The UK Context

The UK’s threat environment includes everything from fixated individuals targeting public figures to organised crime groups conducting reconnaissance for high-value robberies. Brexit tensions, economic pressures, and social media have created new dynamics in how threats develop and manifest.

Recent cases demonstrate the importance of early intervention. The Manchester Arena bombing, the Westminster Bridge attack, and various plots against public figures all followed recognisable patterns. In several cases, opportunities existed to disrupt these attacks during earlier phases of the cycle.

The challenge for UK-based individuals is that our legal system requires a higher threshold for police intervention than some jurisdictions. This places greater responsibility on private security measures and professional threat assessment.

Your Next Steps

Understanding the Attack Cycle is only valuable if you act on it. Consider these questions:

Assessment: When did you last conduct a comprehensive threat and vulnerability assessment examining your accessibility and predictability?

Monitoring: What systems do you have in place to detect concerning behaviour during its early phases?

Response: What would you do if your security team identified someone mapping your routines in Phase 4 (pre-attack surveillance)?

The Attack Cycle isn’t about creating paranoia—it’s about creating confidence through preparation. When you understand how threats develop, you can build defences that work while maintaining the life you want to live.

The Bottom Line

Every attack prevented succeeded because someone recognised the warning signs and acted appropriately. Many attacks failed to be stopped because those warning signs were either missed or misunderstood.

You don’t need to become a security expert, but you need security experts who understand these principles. The Attack Cycle should inform every aspect of your protective programme, from digital privacy to crisis response.

The goal isn’t perfect security—that’s impossible and would be unbearable. The goal is intelligent security that addresses real threats while preserving your freedom and peace of mind. This starts with understanding and controlling the two factors attackers depend on most: your accessibility and predictability.

Your safety isn’t about luck. It’s about understanding, preparation, and expertise when you need it.

Three Critical Questions to Consider:

1. How quickly could your current security team recognise and respond to someone conducting surveillance on your property or routine to map your accessibility and predictability?
2. What systems do you have to monitor for “leakage”—people discussing plans to target you in their personal networks or online communities?
3. If someone began progressing through the Attack Cycle against you tomorrow, at which phase would they most likely be detected, and what would trigger that detection?

Professional Training in Threat Recognition

Understanding the Attack Cycle is only the first step. Effective threat management requires specialised skills that go beyond traditional security training.

Our CPD-accredited ‘Behavioural Threat Management, Countering Fixated & Lone Actor Threats’ programme teaches advanced skills in identifying and managing potential threats before they escalate. Participants develop expertise in distinguishing between threats, recognising warning behaviours, and implementing appropriate risk management strategies.

These courses bridge the gap between academic understanding and practical application, giving your security team—and you—the tools to spot concerning behaviour during the critical early phases of the Attack Cycle when intervention is most effective.

To learn more about our training programmes or to discuss your specific security requirements, contact Defuse Global.