When a major attack occurs, the analysis begins.
News organizations publish timelines. Think tanks produce assessments. Governments commission reviews. Policy committees convene to ask how it happened and what should be done differently.
This process has genuine value. But all of it is fundamentally backward-looking. And in the counter-terrorism context, backward-looking analysis has almost no operational value.
Because by the time the analysis begins, the decisions that could have changed the outcome were made months or years ago. The attack is not a beginning. It’s an ending. It’s the last data point in a sequence that started long before.
The Anatomy of an Intelligence Lifecycle
Ideological framing and justification. Before operational planning begins, the ideological justification gets developed and propagated. Leadership statements shift. Propaganda materials emphasize specific enemies and grievances.
Recruitment and organizational preparation. Recruitment communications evolve — becoming more specific about operational requirements, more urgent in their calls to action.
Financial resourcing. Operations require money. This leaves signals in the financial communications — escalating fundraising urgency, changing geographic focus of financial appeals.
Communication security adaptation. Groups shift communications from public channels to encrypted platforms. The absence of communications that were previously present is a signal.
Geographic and targeting specification. Broad rhetorical enemies give way to more specific references as operational planning advances.
Final preparation. Often marked by a reduction in public-facing communications and a corresponding increase in encrypted channel activity.
Each of these phases is observable with meaningful analytical confidence when the monitoring infrastructure is in place.
The 6–18 Month Window
The intelligence lifecycle that precedes a major attack typically spans six to eighteen months from the first observable preparatory signals to the event itself.
This is a significant window. Six months is enough time to substantially adjust organizational exposure, brief decision-makers with actionable lead time, and modify security postures.
It’s also, for most organizations whose threat awareness is based on news monitoring, an entirely invisible window — because nothing newsworthy happens during it.
Conditions-Based Analysis: A Different Starting Point
Event-based analysis asks: “What happened?”
Conditions-based analysis asks: “What conditions, if present, increase the probability that something will happen — and are those conditions currently present?”
The conditions that increase the probability of operational activity include:
- Organizational capacity indicators: Is the group growing, fracturing, or stable?
- Ideological trajectory indicators: Is the rhetoric escalating or moderating?
- Operational security posture indicators: Are communications migrating to encrypted channels?
- Financial health indicators: Are fundraising appeals increasing in urgency?
- Political trigger environment indicators: What developments might accelerate the timeline?
The Forward-Looking Assessment
The practical output of conditions-based intelligence is the forward-looking assessment — not “here’s what happened” but “here’s what the current conditions suggest about the trajectory of this threat over the next 30–90 days.”
This communicates:
- What conditions are currently present and how they compare to historical pre-operational patterns
- What the trajectory of key indicators suggests about the probability of significant action
- What would cause the assessment to change
- What the implications are for the specific organization receiving the assessment
The attack is the last data point.
Start earlier.