PROTECTION OPERATIONS: COUNTERMEASURES AND SURVEILLANCE DETECTION
At the conclusion of this training, the student will be able to:
1. Define what protective intelligence is and how it is used to predict and prevent an attack.
2. Identify the protective intelligence functionary.
3. Identify information needs as related to protective intelligence.
4. Define the roles and responsibilities of the protective intelligence team member.
5. Define: surveillance, surveillance detection, counter-surveillance, and anti-surveillance.
6. Identify the objective of adversarial surveillance.
7. Identify the methods of adversarial surveillance.
8. Discuss unpredictability and its application to protective operations.
9. Define a route survey and explain how it is applied to protective operations.
10. Explain what a surveillance detection route is and how it is used in protective operations.
11. Define sweep vehicle and its uses in protective operations.
12. Identify common mistakes in adversarial surveillance.
13. Define “Coopers Colors” and its application to protective operations.
Protective operations are mission-specific efforts to prevent and respond to threats to personnel. By leveraging
lessons learned and capitalizing on successes, the goal of providing protection can, and will, be realized.
The goal of protective operations is to detect pre-attack planning, prevent the attack from occurring,
and make the attack difficult to effectuate.
Proactive tactics and operations are almost always better than reactive measures: preventing the attack
by detecting it in the early (pre-operational) stages, or deterring it by presenting a robust and hardened
target. It is in the early stages of the attack cycle that an adversary will formulate an initial target list,
conduct initial/low-level surveillance, move to final target selection and ultimately onto the attack
By maintaining an alert posture and applying effective counter-surveillance measures, it is possible that
the adversary will defer to an easier target. This concept is not limited to personnel protection; it applies to
the entire system of proactive protection doctrine.
The graphic to the left illustrates the phases in the attack cycle. It
begins with a broad target list; moves to initial target surveillance;
progresses to a refined target list; focuses target surveillance on
the short-list; onto planning/reversal; and finally to the attack
When the detail presents a hardened target, as noted, an adversary may
move on to less difficult selections.
I. Goals of Protective Intelligence
A. Develop current knowledge of specific threats against the principal.
Conduct in-depth research to learn about the principal's inherent threats and vulnerabilities.
B. Establish and maintain daily contact with local, state, national (host-national) law enforcement and
Early on, establish primary and secondary points of contact. Network and establish contacts.
C. Analyze, assess, and apprise the protection team of potential threats based on available intelligence.
D. Recognition of pre-attack indicators:
1. Group Specific (Intelligence)
2. Threat Specific (Surveillance)
3. Incident Specific (Recognition)
IA. Protective Intelligence Officer
A. The Protective Intelligence Officer (sometimes referred to as the PIO) is the primary coordinator.
B. Establishes liaison with and manages the intake of threat intelligence.
C. Maintains required systems to manage, analyze and control threat intelligence.
II. The Intelligence Process
A. Intelligence is collected from law enforcement, intelligence sources (informants/agents) and open
B. Upon receipt, intelligence is sorted by pre-defined intelligence needs and action requirements.
C. Intelligence gaps are closed through liaison and source engagement.
D. Regular assessments are provided to the protection team and partners as information needs dictate.
E. The process of threat intelligence is a constant. Additional capabilities and information needs may
dictate changes in daily operations based on threat reporting or changes in operating environments.
III. Information Needs
A. At a minimum, the following intelligence needs should be satisfied:
1. Threat Assessment of Principal (Perpetual Process)
2. Open Source Information related to Principal (Perpetual Process)
3. Dynamic Threats (Perpetual Process)
4. Historical Threats to Principal (Archival)
5. Changes in Principal Status (Situational)
6. Daily Principal Assessment (Daily)
B. Dependent upon the particular mission or tasking, the following informational needs may develop:
1. Location Threat Assessment (Pre-arrival and daily)
1a. Local Threat Groups (LTG)
1b. Local Health Concerns (LHC)
1c. Local Political Dynamics (LPG)
1d. Historical Threat Review (HTR)
2. Travel Threat Assessment (Pre-departure and daily)
2a. Mode Inherent Threats (MIH)
2b. Mode Historical Threat Review (HTR)
2c. Dynamic Threats (Situational)
IV. Functions of Protective Intelligence Officers (PIO)
A. Establish contact and daily liaison with all potential sources of information required to provide for the
Sources can include household staff, venue specific employees and related.
B. Ensure information flows both ways. If, in the process of collecting threat intelligence, information of
interest to partner agencies is developed, ensure it reaches the right party (in compliance with any
C. While addressing all information needs to provide for the full picture, ensure priority information
needs are addressed with a critical drive.
D. Provide regular updates to protective operations team as information is developed. Solicit feedback
and identify changing information needs.
As part of the seven-step Attack Cycle, surveillance occurs at least twice. That frequency provides the
opportunity to detect and potentially disrupt an adversary's operation. By knowing why an adversary
conducts surveillance and how to detect it, you may influence their decision as to target selection.
In most cases, the person conducting pre-operational surveillance will be loosely connected to the
operational cell of a group; this provides a break between operators and the person conducting the
surveillance. Frequently untrained, their sole purpose is to document and report, frequently through an
intermediary or via a dead-drop.
Surveillance is conducted to:
A. Develop initial target lists.
B. Refine target lists.
C. Formulate plan and method of attack.
D. Identify escape and evasion routes (if not a suicide attack).
E. Identify members of protection team, support personnel and related.
By recognizing how surveillance is conducted and why, the members of the detail can reverse that
knowledge and engage in counter-surveillance and anti-surveillance measures. These can include
engaging in fixed site reverses, shielding aspects, misdirection and subterfuge operations.
Remember, surveillance is a critical part of the Attack Cycle. Disrupt surveillance and you may disrupt an
attack. It may not be you or the principal under protection that is the target of surveillance; depending
on the circumstances, the location or another close principal is the target.
VI. Methods of Surveillance
Each type and method of surveillance has its advantages and disadvantages. Depending on the
circumstances, some methods are easier to detect than others. For example, the presence of fixed
surveillance at the principal's residence may be easier to note than moving surveillance where the adversary
employs multiple vehicles.
Fixed: the surveillant(s) remain at a fixed location to conduct observation. Presence may be dictated by
principal activities. Examples include: adjacent bus stops, taxi stands, street vendors, overwatch
buildings, adjoining offices and the like.
Moving: any application of movement; foot, automobile, motorcycle, aircraft, etc.
Technical: similar to those techniques used in investigative operations; bugs, concealed cameras, wire
taps and intercepts.
Combination: any combination of methods.
Progressive: segmented, overlapping and long-term.
Due to the nature of protective operations and the principal's schedule, it can be a challenge to build
unpredictability into the routine. The advantage of unpredictability is that it widens the adversary's gap
of exposure and increases the chance of detection. When possible:
A. Alternate Routes.
Identify alternate routes and junctures along each route where an alternate route can be taken. This will
ensure escape options remain a constant and evasive measures are available, if needed.
B. Varied Departure and Arrival Times.
C. Vehicle Changes
D. Double back
E. Destination Secrecy
F. Dummy Motorcades
G. Alternate Destinations
VIII. Route Security
Whenever possible, the designated route should be pre-traveled well in advance of the primary
transport and immediately prior to the actual transit. This provides a defined picture of the roadway
condition, potential choke-points, area concerns and alternate/escape routes.
When conducting the pre-drive, documentation is always advisable. This will provide the primary driver
and support drivers an early look at the roadway, its particular features and any nuances therein. While
the use of applications such as Google Maps and Street View have found their way into protective
operations, they should be used with the caveat that some images are quite dated and features are
subject to frequent change.
A. Route Analysis and Survey.
1a. From the adversary's perspective, identify likely attack points.
2a. Identify likely concealment points.
3a. Identify likely escape routes.
4a. Identify refuge/safe locations.
B. Identify Choke Points and Bottlenecks.
C. Locate safe havens, places of refuge, hospitals and law enforcement facilities. Highlight these
locations on the pre-travel route map and travel itinerary.
D. When possible, obtain overheads that illustrate the entire route. Highlight items identified in C.
X. Surveillance Detection Routes (SDR)
A. As a means to detect surveillance, an SDR is used as part of the proactive process of
identifying potential surveillance and presenting a robust target.
B. SDR Design.
1b. Identify chokepoints.
2b. Normal travel actions and behavior.
3b. Site/location compatible.
4b. Backup/trailing eyes.
XI. Sweep Vehicle
The Sweep or Advance Vehicle is used to detect trailing or advance route surveillance. Members
engaged in sweep activity must remain nondescript and be subtle in their activity.
A. Sweep follows detail to identify possible fixed, mobile or progressive surveillance.
B. Direct engagement is not advised.
C. Communication with primary and intelligence is critical.
XII. Common Adversary Surveillance Mistakes
Even given that most surveillance is conducted by loosely affiliated members, the conduct of such
provides for the opportunity to detect and disrupt. Even professionally conducted surveillance presents
some common indicators:
A. Coordinated Movements.
C. Communication Equipment.
D. Observation/Documentation Equipment.
E. Note Taking.
F. Unusual interest in protection personnel rather than the principal.
G. Acquisition of, or attempts to access, overwatch positions.
H. Possession of principal or detail information (photos, bios, etc.).
XII. Keys to Detection
Paying close attention to people can provide for detection. While those conducting surveillance may
change clothing, apply disguises or change vehicles, there may be an opportunity to detect unusual or
A. Replace casual observation with a close attention to detail.
B. Establish standards of reference: color, make, model, direction and time.
C. Define standard observation, notation and reporting protocol:
a. Year, make and model
b. type, size and color
d. unique characteristics
f. unique characteristics
D. Establish a standard format to document and analyze reporting. Through effective analysis, patterns
and trends may be detected.
XIII. Cooper Color System
Jeff Cooper developed a system tied to set colors to denote the condition of alert. Similar to the current
system of color-coded alerts used by DHS, these colors reflect threat and operating conditions.
Unaware of surroundings.
State of action/engaged.
Notes: The presence, notation or reference to any copyrighted, trademarked or protected name, title or
product is neither an endorsement nor reflection as to any involvement by the respective owners. Any
name, title or reference is solely for reference purposes.
This product was prepared independently as part of professional development and is not reflective of
agency policy, procedure or official opinion. Please direct feedback, questions, or suggestions to
Jonathan Greenstein email: email@example.com