

Guest Author: Ami Toben of Protection Circle

(Bio Below)



In the first installment of this two-part, joined article, I described a large political fundraiser back in 2008. Prior to the event, our open source intelligence resource had discovered that a specific individual (belonging to a student organization that vehemently opposed our client) intended to get himself into the event. The details we got included the name and even the photo of this individual.



Travis then took us through the fundamental steps of an OSINT investigation, in an attempt to determine the probability of this individual taking offensive or disruptive action during the event, or otherwise engaging in some form of hostile planning.



In this installment, I’ll explain where things go after the OSINT investigation, and how remote intelligence, field intelligence and physical protection can work in conjunction and produce high-level security results. I’ll close out by letting you in on how things ended up at the event, but first, let’s take a closer look at field intelligence.



In the world of protective intelligence, I’ve long discovered that in addition to the crucial role that OSINT plays, there’s often also a need for information that’s collected from the field. It’s not that remote intelligence isn’t important—on the contrary—that’s where you want to start. But this first resort shouldn’t always be your last and only one. Hostile entities also use open sourced intelligence in their Hostile Planning Process, but they don’t stop there—they follow it up with field intelligence, i.e. surveillance. So if hostile entities rely on more than just open sourced intelligence, why wouldn’t we want to do at least as much ourselves?

Intelligence can be described as filtered information that’s contextualized for your needs. And one of the core principles of intelligence assessment is to diversify your sources of information—to try not to solely depend on a single source. With this in mind, there are some very important questions that should be asked:

When it comes to physical assets, a very important source of information is the actual situation in the field. We might have a good idea of what’s been happening online, but how do we find out what’s actually been going on in the field, in and around our physical assets?

“The proof of the pudding is in the eating”. Open sources can be very important, but until they are put to the test—until you have actual evidence from the field—they essentially provide you with unproven theories. If you never see how OSINT physically manifests itself in the field (if you never test your theories), how will you know if it’s good, verifiable intelligence?

Utilizing intelligence for protective operations ultimately comes down to what questions you want answered. If you want to find out what people are saying about your client, or who’s been using online tools for researching, coordinating, communicating or even planning things in regards to your client, then cyber or open-sourced avenues might be all you need. You can then go on to answer subsequent questions regarding people’s profiles and the probability that they’ll take offensive action.

But if you also want to find out whether anyone has been physically surveilling your client; their corporate headquarters, their residences, their routes to and from work, their special events, or any other important asset (remote databases, employee transportation vehicles, etc.), then you’re going to need another—more physical—avenue to answer these types of questions. And this is where field intelligence comes into play.

So going back to the questions raised above, the field component of your protective intelligence effort can provide you with the answers:

It can collect accurate information about what’s been going on in the field, and do so in conjunction with a professional analysis of what it means within the larger context (oftentimes on the spot). No open or remote source can currently provide this.

It can verify the accuracy of your previously collected OSINT by means of physical observation—in real time (the “eating of the pudding”).

So now let’s get back to our political event, and see how OSINT, field intelligence and physical protection all work in conjunction in a real-life case.



As you remember, OSINT had indicated that a member of an opposing organization was going to enter the venue. We knew what he looked like, by which means he was going to enter, and we were told that there was a low-medium probability that he would take physical action during the event. But what we also wanted to find out is whether he was going to engage in a hostile collection of information (external or internal), and, once inside the venue, whether he was going to open up an unsanctioned access point, like one of the emergency egress doors, in order to allow some of his cohorts (who were protesting outside the convention center) to penetrate and disrupt the event.



For these reasons (and a few others), we deployed both external and internal covert field elements. Covertness in this case was important both for collecting the necessary intelligence and also for maintaining appearances that would suit the organization’s public relations needs.

The individual was first picked up by a covert operator outside the convention center. He didn’t engage in any external surveillance activities, and simply made his way to the entrance. This information was quickly relayed to our access control team, who were ready for him when he arrived, and who checked him very thoroughly through the metal detector gates (they even made him take his shoes off).



The individual was then let into the venue where, unbeknownst to him, our covert internal element (which included me) kept a close eye on him during the entire event; which thankfully ended without incident. The low-medium probability that he was going to take physical action was verified, more intelligence was collected on the individual and his organization, and the security and integrity of our assets were maintained.



OSINT, field intelligence and physical protection in cases like this, have a circular relay race-type relationship. First out of the gate is the OSINT resource which passes the intelligence to the field Intel’ assets for verification and further collection of information. The field intelligence is then passed to the physical protection team, which uses it to take action. Finally, at the end of the event, all the combined information goes back to the OSINT resource for further analysis.



Over the years, I’ve successfully applied this model many times to support protective operations for a variety of different clients: from various other political organizations to energy companies, Silicon Valley corporations, pharmaceutical companies, foundations, nonprofit organizations, and wealthy individuals. It works across the board, and is a time-tested method for collecting and assessing intelligence, and for ultimately providing clients with a higher level of safety, security and productivity.

Author Bio

Ami Toben is the owner of Protection Circle, and the director of consulting, training and special operations for HighCom Security Services. He specializes in terrorist activity prevention, surveillance detection, and covert protective operations. Born and raised in Israel, Ami has over 15 years of military (IDF) and private sector security experience. Currently based in the San Francisco Bay Area, Ami has been providing high-end protective services to Fortune 500 corporations, foreign governments, foundations, nonprofit organizations and wealthy individuals.