Protective Intelligence: What It Is and Why Mid-Market Companies Are Building It Now
Executive targeting incidents doubled in 2025, capping a 313% increase since 2023. Eighty-five percent of those incidents were physical — assaults, kidnappings, stalking, protest action — and the spread of targets is no longer confined to Big Tech. Financial services and manufacturing now share the top three with technology.
Most mid-market companies still do not have a protective intelligence function. The ones that do often built it by accident: someone in IT bought a cyber threat intelligence tool, mounted it on a screen in the security office, and called the result a program. That is not protective intelligence.
Protective intelligence is investigative and analytical work that proactively identifies, assesses, and mitigates physical threats to executives, employees, and operations. It is its own discipline, with its own methodology, its own deliverables, and its own legal boundaries. This article defines what protective intelligence actually is, where it lives in an organization, what it costs to build, and how to evaluate a vendor or hire without overspending.
What Protective Intelligence Actually Is (and What It Is Not)
Protective intelligence is the process of identifying, assessing, and mitigating threats to people before those threats reach physical proximity. Fred Burton and Scott Stewart — former Stratfor analysts whose definition is widely cited in the industry — describe it as the discipline that combines countersurveillance, investigations, and analysis to prevent attacks rather than respond to them. The U.S. Secret Service National Threat Assessment Center uses the same three-stage logic across its public guidance: identify, assess, manage.
What protective intelligence is not is the part that confuses buyers. It is not cyber threat intelligence. It is not executive protection staffing. It is not surveillance.
Cyber threat intelligence (CTI) tracks digital threats to networks and systems — malware indicators, threat-actor TTPs, domain reputation. Protective intelligence (PI) tracks physical threats to people — targeting behavior, escalation indicators, exposure points. The two functions feed each other and should share signal pipelines, but they are different teams with different tools and different decisions.
| Protective Intelligence | Cyber Threat Intelligence | |
|---|---|---|
| Primary focus | Physical threats to people | Digital threats to networks |
| Threat actors | Stalkers, fixated individuals, organized groups, insiders | Cybercriminals, nation-states, hacktivists |
| Primary signals | OSINT, behavioral indicators, internal reports, public records | Malware, IOCs, dark-web chatter, phishing |
| Deliverable | Threat assessment, person-of-interest dossier, intel brief | IOC feeds, threat reports, vulnerability advisories |
| Owner | Corporate security / GSOC | Information security / SOC |
Protective intelligence is also distinct from executive protection consulting. EP consulting designs the protection program; PI is the upstream function that tells the EP team what to actually be ready for. A capable program treats PI as a sibling of EP, not a feature of it.
Tip: If your current “PI” tool is dashboarding malware indicators or domain reputation, you bought CTI — not protective intelligence.
Why Protective Intelligence Matters in 2026: The Threat Picture
The case for protective intelligence in 2026 is not theoretical — it is the incident data. The Security Executive Council tracked a 313% increase in executive targeting incidents between 2023 and 2025. Volume doubled in 2025 alone. Eighty-five percent of those incidents were physical: assault, attempted kidnapping, stalking, protest-related confrontation. Fourteen percent were cyber-physical hybrids: death threats, swatting, account compromise that supported a real-world action.
In May 2025, two coordinated sites — one mirrored on the other — published full names, business emails, mobile numbers, compensation data, and LinkedIn profiles for hundreds of Fortune 500 executives. The impact reached well beyond the named principals. Their families, executive assistants, drivers, and personal residences became locatable inside an afternoon. Protective intelligence teams across multiple companies spent the following weeks running takedowns, data-broker scrubs, and digital-footprint resets.
The targeting pattern has also broadened. Financial services and technology each accounted for 17% of 2025 incidents, with manufacturing and industrial at 12%. Healthcare and pharmaceutical executives are now appearing in incident logs that used to be tech-only. Companies whose leadership previously assumed they were not visible enough to be targeted are running into the inverse problem: targeting is increasingly opportunistic, and visibility is a function of the internet, not industry.
The corporate spending data tracks the threat data. Executive security spending across the S&P 500 rose 118.9% between 2021 and 2024. Median CEO security benefits stood at $94,276 in 2024 and $76,000 in 2025 across the broader S&P 500 plus Russell 3000 sample — meaning the spend is broadening down-market, not just deepening at the top.
Note: Targeting now extends well past tech. Financial services and manufacturing share the top spots with technology in 2025 incident data.
How a Protective Intelligence Program Works in Practice
Protective intelligence runs as a continuous loop, not a project. The three-stage model — identify, assess, mitigate — repeats daily. The depth of each stage scales with the program’s maturity.
Identify. Analysts pull signals from open-source intelligence (social media, surface and deep web, public records), internal reporting (security desk observations, HR concerns, employee tips), executive office context (travel schedules, public appearances, media coverage), and partner channels (law enforcement liaison, peer-company intelligence sharing). The output is a stream of items worth a closer look — not a list of threats. Most signals are noise. The job is finding the few that are not.
Assess. This is where the discipline earns its keep. The U.S. Secret Service NTAC pathway-to-violence model is the most useful framework in the field. It describes how subjects move from grievance, to ideation, to planning, to preparation, to implementation. Many people have fleeting violent thoughts; very few progress along the pathway. The analyst’s job is detecting movement, not reacting to ideation alone. Behavioral indicators include fixation, identification with prior attackers, novel aggression, and what the field calls an “energy burst” — a preattack increase in the frequency, duration, or variety of warning behaviors that often signals imminent action.
The deliverable from the assessment stage is a written threat assessment with a clear recommendation. Recommendations typically fall into one of five categories: continue monitoring only, conduct a behavioral interview or welfare check, change protective posture, engage law enforcement liaison, or close the case.
Mitigate. The protective response depends on the assessment. It might mean adding advance work to a planned travel leg, raising residential security technology, briefing the principal’s executive assistant on a person of interest, requesting a law enforcement civil order, or coordinating with HR on an employee separation. Mitigation is rarely dramatic. Most of it is small adjustments made early enough that the principal never knows the threat existed.
The standard outputs from a working program look familiar across organizations: a daily intelligence brief covering significant signals from the prior 24 hours, person-of-interest dossiers updated as new information arrives, pre-trip threat overviews tied to the executive’s calendar, and post-incident retrospectives that update the program’s threat baseline. The frameworks behind these outputs — USSS NTAC, the ASIS WVPI AA-2020 standard, the ATAP body of practice — have decades of validation behind them.
Most of protective intelligence is documented, repeatable analytical work. The dramatic moments are rare; the disciplined ones are not.
Tip: The pathway-to-violence framework is the single most useful concept in protective intelligence. Most attackers leak warning signs over weeks or months. The question is whether anyone is listening.
Building a Protective Intelligence Program: The Three Maturity Stages
Most mid-market companies stall because they try to skip from no program to a Fortune 500 program in one budget cycle. That fails. Programs mature in stages, and the right starting stage depends on the company’s size, exposure profile, and existing security posture.
| Stage | Scope | Headcount | Tooling | Annual cost (approx.) |
|---|---|---|---|---|
| 1. Foundation | One or two principals; threat baseline; written escalation protocol; OSINT monitoring at sustainable cadence | 0.25-0.5 FTE analyst (often contracted or fractional) | Free OSINT tools plus one paid platform or a managed service subscription | $50K-$120K |
| 2. Operational | Full C-suite plus board members; integration with EP, HR, and legal; daily intel brief; active person-of-interest tracking | 1-2 FTE analysts | Mid-tier platform (Ontic-class) plus OSINT subscription; some managed-service surge capacity | $200K-$400K |
| 3. Integrated | Multi-region monitoring; GSOC integration; coverage of travel, events, insider risk, and digital exposure; formal threat assessment team | 3-6 FTE plus on-call coverage | Multiple platforms, named managed-service partners, behavioral threat assessment vendor relationship | $750K and up |
A Stage 1 program — one part-time analyst plus one platform — runs roughly $100,000 a year fully loaded. That is the floor for a defensible program. GSOC intelligence analyst salaries in the U.S. average around $138,000 according to current market data; protective intelligence analyst roles average about $103,000 with a typical range of $66,000 to $132,500. A Stage 2 program looks more like a small department.
The mistake we see most often is the jump from Stage 1 to Stage 3, usually after an incident. The company spends three to four times what it needs to, hires faster than it can supervise, and stands up coverage for risks it has not yet assessed. A staged maturity path — and the right physical security consulting engagement to scope it — is what prevents that pattern.
Warning: Skipping from Stage 1 to Stage 3 is the fastest way to overspend. Stage 2 is where most mid-market companies should land for the long term.
Build, Buy, or Hybrid: How to Resource Protective Intelligence
There are three real ways to resource a protective intelligence function — not five marketing categories. Each has tradeoffs that mid-market leadership teams should hear up front.
In-house analyst. Hire a former intelligence, law enforcement, or military intelligence analyst directly. The strengths are real: institutional context, durable cross-functional relationships, full ownership of methodology and tooling. The weaknesses are also real. A single analyst is a single point of failure for vacation, illness, and attrition. The role requires supervision from someone who understands the work. And it takes 6 to 12 months for any new hire to develop the business-specific context that makes the function effective.
Managed service. Vendors like Nisos, Pinkerton, and Control Risks run protective intelligence as a managed offering. The strengths: 24/7 coverage from day one, trained analysts who do not need to learn the discipline, surge capacity for incidents. The weaknesses: less context on your specific business, the analyst is not your employee and turns over on the vendor’s schedule, quality varies by account team in ways the contract often does not capture.
Hybrid. A consultant or fractional protective intelligence lead architects the program, retains a managed service for monitoring volume, and trains an internal analyst as the function matures. This is the model that works for most mid-market companies in our experience. The architect provides methodology and standards alignment; the managed service provides scale; the internal analyst grows into the institutional anchor.
The pattern we see most clearly, having built protective intelligence functions inside large corporate programs and audited them across mid-market clients, is this: tools generate alerts; analysts produce decisions. A platform without a person ends up as a noise machine. A person without a platform burns out trying to do manual OSINT at scale. The hybrid model exists because most companies need both, and most companies cannot justify both as full-time hires on day one.
This is the kind of problem we solve. Start a conversation.
Tip: Tools generate alerts. Analysts produce decisions. A platform without a person ends up as a noise machine.
Where Protective Intelligence Lives in the Organization
A protective intelligence function can sit in three places, and the choice has real downstream effects. The most common placement is under corporate security or the chief security officer. The second most common is under a GSOC director, where it shares infrastructure and analysts with global security operations. The third — rarer but seen in financial services and pharma — is under the chief risk officer or general counsel, particularly where regulatory or reputational risk dominates the business.
The reporting line matters less than the cross-functional interfaces, which are non-negotiable in any mature program:
- HR for insider concerns, behavioral threat referrals, and employee separations involving threats
- Legal for monitoring policy review, retention rules, and escalation paths to law enforcement
- Communications for response to public-facing incidents, doxxing events, and media inquiries
- Information security and cyber threat intelligence for account-compromise signals and digital exposure
- Executive office and chief of staff for travel logistics, public-appearance calendars, and principal-level context
Protective intelligence fails when it sits in a silo. It succeeds when the cross-functional workflow is documented, legal review is built into the cadence, and the analyst has standing meetings with HR and communications. The most natural cross-functional partner is workplace violence prevention — the same behavioral threat assessment methodology underpins both, and the same internal reports often surface on both desks.
Where protective intelligence sits inside the building matters less than how its workflow connects to HR, legal, and the executive office.
Legal and Privacy Boundaries Every Program Has to Respect
Protective intelligence programs that skip legal review get sued or get the general counsel’s pen put through them. Both outcomes are expensive. The discipline involves monitoring people — some of them current or former employees — and the legal landscape on workplace monitoring has tightened materially in the last 24 months.
The NLRB General Counsel has signaled that broad electronic monitoring practices that, viewed as a whole, would tend to interfere with employees’ Section 7 rights are presumptively unlawful absent a special-circumstances showing. State laws compound the federal picture: Illinois BIPA on biometric data, California CCPA on personal information, and a growing list of monitoring-disclosure rules in New York, Connecticut, and Texas.
Practical implications for a protective intelligence program:
- Maintain a written monitoring policy with a documented business need
- Disclose to employees the technologies in use and how data is retained
- Enforce retention windows on collected data; do not stockpile indefinitely
- Distinguish clearly between voluntary OSINT (open public sources) and active surveillance of employees, which generally requires a different legal basis
- Run an annual review with employment counsel and document the review
A legally defensible program is the entire point of having an architect involved early. Programs built without that input tend to discover the problem during litigation or a regulator inquiry, which is the worst time to learn it.
Warning: If your monitoring program has not been reviewed by employment counsel in the last 12 months, assume it is out of date.
How to Evaluate a Protective Intelligence Vendor or Hire
The difference between a real protective intelligence capability and a sales pitch is in the documentation. Six criteria separate the two.
1. Methodology. Can the vendor or candidate walk you through their threat assessment process step by step, in plain language? The methodology should be repeatable and adapt to your context, not improvised per case.
2. Standards alignment. Are they working from established frameworks — the U.S. Secret Service NTAC pathway-to-violence model, the ASIS WVPI AA-2020 standard, ATAP best practices? Standards alignment is evidence that they are operating inside a discipline rather than freelancing.
3. Deliverables. Ask to see a sanitized example of an intelligence brief, a person-of-interest assessment, or a pre-trip threat overview. If they cannot produce one, they do not have a methodology — they have a brochure.
4. Tooling philosophy. Do they recommend a platform without explaining the analyst function behind it? A vendor who leads with the tool is selling software. A vendor who leads with the analyst and uses the tool to support the work is selling intelligence.
5. Legal sophistication. Do they ask about your monitoring policy, your general counsel relationship, and your retention rules in the first conversation? If not, they will run your program past the legal line and you will own the consequences.
6. Independence. Do they sell tools, services, or both? Either is fine; the conflict needs to be transparent. Ask explicitly: “When does your recommendation send work to your team, and when does it not?”
Red flags worth walking away from: leading with agent counts before scoping the threat picture, inability to articulate what monitoring is and is not legally allowed, recommending a single-vendor solution without a build-vs-buy conversation, and treating protective intelligence as a feature of an executive protection staffing package rather than its own discipline.
Tip: Ask any vendor for a sanitized example assessment. If they cannot produce one, they do not have a methodology — they have a brochure.
Frequently Asked Questions
What is protective intelligence in corporate security?
Protective intelligence is investigative and analytical work that identifies, assesses, and mitigates physical threats to executives, employees, and operations before those threats reach physical proximity. It draws on open-source intelligence, internal reporting, and behavioral threat assessment. The output is decisions — adjusted protective posture, monitored persons of interest, recommended interventions — not raw data.
How is protective intelligence different from cyber threat intelligence?
Protective intelligence focuses on physical threats to people. Cyber threat intelligence focuses on digital threats to networks and systems. They are different teams with different tools and different deliverables. They should share a signal pipeline — targeting often appears online before it appears physically — but the disciplines are not interchangeable.
How much does a protective intelligence program cost?
A baseline Stage 1 program — one part-time analyst plus one platform — runs roughly $50,000 to $120,000 per year. A Stage 2 operational program with full C-suite coverage runs $200,000 to $400,000. Fully integrated Stage 3 programs at multinational scale run $750,000 and up. Most mid-market programs operate in the Stage 1 to early Stage 2 range.
Do we need a full-time analyst, or can software do it?
Software produces alerts; an analyst produces decisions. Tool-only deployments tend to generate noise, false positives, and missed signals. A part-time analyst — internal or contracted — is usually the minimum viable role. The analyst-to-tool ratio matters more than the tool itself.
Where does protective intelligence sit organizationally?
Most often inside corporate security or under a GSOC director. Less commonly under the chief risk officer or general counsel, particularly in financial services and pharma. The reporting line matters less than the cross-functional interfaces with HR, legal, communications, cyber, and the executive office. See the section on organizational placement above.
What is the pathway to violence?
The pathway to violence is a behavioral progression — grievance, ideation, planning, preparation, implementation — developed by the U.S. Secret Service NTAC and adopted across corporate threat assessment. Movement along the pathway, not the presence of a violent thought, is the actionable signal. It is the central framework most working analysts use.
What credentials should a protective intelligence analyst have?
Look for a background in intelligence analysis, law enforcement, or military intelligence, plus formal training in behavioral threat assessment and OSINT tradecraft. Useful certifications include ATAP credentials and ASIS PSP. Familiarity with the legal limits on employee monitoring is non-negotiable for corporate roles.
Ready to turn ad hoc threat monitoring into a real protective intelligence program? Let’s talk about where you are.