Threat Awareness
See It. Assess It. Report It.
Why Threat Awareness Matters
Threat awareness is the ability to identify, assess, and respond to potential dangers before they escalate into incidents. It is a core competency for anyone responsible for safety and security.
- Pre-attack behaviors are observable in the vast majority of targeted violence incidents
- Bystanders often notice warning signs but don't report them
- Early reporting is the #1 factor in preventing planned attacks
- Social engineering attacks exploit human trust to bypass physical security
- Most security breaches begin with someone who didn't look like they belonged
Learning Objectives:
- Identify the major types of threats (verbal, written, behavioral, environmental)
- Recognize behavioral indicators associated with pre-attack planning
- Apply situational awareness models, including the Cooper Color Code
- Assess and report threats properly using established protocols
Types of Threats
Recognizing how threats manifest
Threats come in many forms. Understanding the categories helps you spot them faster and respond appropriately.
Direct: "I'm going to hurt you."
Indirect: "Someone should teach this place a lesson."
Conditional: "If they fire me, they'll regret it."
All verbal threats must be taken seriously, even those framed as jokes. Context, tone, and pattern matter. Report every instance.
Notes or letters: Left on desks, in mailboxes, or posted publicly.
Emails and texts: Threatening language sent digitally.
Social media: Public posts, comments, or direct messages containing threats.
Written threats provide documentation. Preserve the original, do not alter or delete it, and report immediately.
Surveillance: Watching, photographing, or mapping a location.
Rehearsal: Practicing or dry-running an attack plan.
Acquisition: Obtaining weapons, materials, or access credentials.
Behavioral indicators are often the most reliable warning signs because they show commitment beyond words.
Unsecured areas: Unlocked doors, open perimeter gaps.
Poor lighting: Dark zones that conceal movement.
Access control gaps: Broken badges, tailgating, unmonitored entrances.
Environmental threats don't come from people directly but create the conditions that allow other threats to succeed.
Behavioral Indicators
Pre-attack behaviors based on FBI/DHS research
Research into targeted violence consistently shows that attackers exhibit observable warning behaviors before acting. Recognizing these patterns is critical to prevention.
Grievance → Ideation → Research & Planning → Preparation → Breach → Attack
At every stage, the individual makes observable decisions and takes observable actions. The earlier we identify someone on this pathway, the more opportunities exist for intervention. Most people who start down this path never reach the end if they receive help or are disrupted in time.
Situational Awareness: The Cooper Color Code
A mental readiness framework for security professionals
Developed by Lt. Col. Jeff Cooper, this color code system describes four levels of mental alertness. It helps you calibrate your awareness to match your environment.
AVOID THIS STATE on duty. In Condition White, you can be surprised and overwhelmed before you can react.
This is your baseline on duty. Example: Walking through the facility, making eye contact, noticing who belongs and who doesn't.
Example: An unfamiliar person loitering near a restricted entrance, watching employee badge-in patterns.
Example: The loiterer from Condition Orange is now trying to force open the restricted door. You activate your radio and initiate lockdown.
• When you enter a room, identify exits and scan for anything unusual
• In a parking lot, look up from your phone and observe who is around you
• On patrol, note vehicles, people, and objects that don't fit the pattern
• Shift to Orange the moment something triggers your attention
• Have a mental "what if" plan so you can move to Red without freezing
Awareness is not anxiety. Condition Yellow is relaxed and sustainable. It simply means your eyes are open and your mind is engaged.
Site Security Assessment
Evaluating your environment for vulnerabilities
A security-aware professional knows their environment inside and out. Use this checklist-based approach to assess any site, informed by Crime Prevention Through Environmental Design (CPTED) principles.
Site Assessment Checklist
- Are all entry points monitored (cameras, guards, or electronic access)?
- Can doors be locked down quickly in an emergency?
- Are emergency exits clearly marked and unobstructed?
- Are loading docks and service entrances secured when not in active use?
- Are parking lots, walkways, and building perimeters well-lit?
- Are there dark zones or blind spots where someone could hide?
- Do interior spaces have clear sight lines (no hidden alcoves or blind corners)?
- Are burned-out lights reported and replaced promptly?
- Do cameras cover all critical areas (entrances, stairwells, parking, perimeter)?
- Are there known blind spots in camera coverage?
- Is the badge/key card system functioning properly? Are lost badges deactivated?
- Are visitor sign-in procedures followed consistently?
- Can employees see approaching visitors from their workstations?
- Are hedges, walls, and fences designed to prevent concealment?
- Are high-value areas (server rooms, cash handling) in interior, controlled locations?
- Is landscaping maintained to preserve sight lines?
Identifying Suspicious Activity
Knowing what to look for
Suspicious activity is any observed behavior that could indicate a person is planning or committing a crime or attack. It is based on what someone is doing, not on how they look.
Never dismiss your gut feeling. Report what you see and let trained professionals determine whether it warrants further investigation. A false alarm costs nothing. A missed warning can cost everything.
Social Engineering & Manipulation
How threats exploit human trust
Social engineering bypasses physical security by manipulating people. Attackers exploit natural human tendencies like helpfulness, obedience to authority, and the desire to avoid conflict.
Pretexting (Fake Stories)
Creating a fabricated scenario to gain trust or access. Examples: "I'm the new IT technician." "I left my badge inside." "I'm here to meet John in accounting." Always verify the story through an independent channel before granting access.
Tailgating / Piggybacking
Following an authorized person through a secured door. They may carry large boxes so you hold the door, or simply walk closely behind you. Never hold doors for unauthorized individuals, even if it feels rude. Direct them to the front desk.
Authority Impersonation
Wearing fake uniforms, badges, or claiming to be inspectors, executives, or law enforcement. People tend to comply with perceived authority figures without questioning. Always verify credentials through official channels.
Distraction Techniques
One person creates a commotion or draws attention while an accomplice slips past security. Staged arguments, medical emergencies, or loud disruptions can all be cover for unauthorized entry. Maintain security posture even during distractions.
Phishing for Information
Casually asking employees about schedules, security protocols, building layouts, or personnel details. It may feel like friendly conversation, but the information can be used for reconnaissance. Be mindful of what you share and with whom.
• "Can I help you find who you're looking for?"
• "I'll need to verify that with our office. One moment, please."
• "Let me escort you to the front desk so they can get you set up."
• "Can I see your badge? It's our policy for everyone in this area."
Being politely firm is professional, not rude. Legitimate visitors will understand. Those with bad intentions will often leave rather than face verification.
Threat Assessment Process
A structured approach to evaluating threats
When you observe something concerning, use this five-step process to organize your thinking before reporting. You are not expected to make the final call on threat level, but clear observations help those who do.
Identify: What Exactly Was Said or Done?
Record the specific words, actions, or behaviors you observed. Be factual and precise. "He said he would 'make everyone pay'" is more useful than "He was being weird." Stick to observable facts, not assumptions.
Evaluate Credibility: Can They Carry It Out?
Does the person have the physical ability, resources, or access to follow through? A threat from someone with known access to weapons or restricted areas is more credible than a vague statement from a stranger passing by.
Assess Intent: Do They Mean It?
Consider context and history. Is this an isolated outburst or part of an escalating pattern? Have they made similar statements before? Are they taking steps that align with their words (acquiring materials, conducting surveillance)?
Determine Capability: Do They Have the Means?
Capability includes physical means (weapons, tools), knowledge (training, expertise), and opportunity (access to the target). Someone who has all three represents a significantly higher risk than someone with only one.
Report: Always Report, Let Professionals Assess
Even if you are unsure about steps 2-4, report what you observed. Trained threat assessment professionals have tools, databases, and context you don't. Your observation could be the missing piece that completes a larger picture.
Communication & Reporting
How to report effectively
A well-communicated report can be the difference between a prevented incident and a missed opportunity. Reporting is the most important action you can take.
• Immediate supervisor or shift lead for initial reports
• Security department or operations center for active concerns
• HR department for employee-related behavioral concerns
• Local law enforcement (911) for imminent threats
• DHS tip line (1-866-347-2423) for suspicious activity related to terrorism
• Anonymous reporting systems (if your organization has one)
• Who: Physical description, name if known, clothing, distinguishing features
• What: Exactly what was said or done (use direct quotes when possible)
• When: Date and time of the observation
• Where: Specific location (building, floor, room, parking area)
• Direction of travel: Which way did they go? Vehicle description and plate if applicable
• Witnesses: Who else was present?
Common reasons people hesitate to report:
• "I might be wrong." (Better to be wrong than silent.)
• "Someone else probably reported it." (They probably didn't.)
• "I don't want to cause trouble." (You're preventing trouble.)
• "It's probably nothing." (Let the professionals decide that.)
There is no penalty for a good-faith report that turns out to be nothing. There can be devastating consequences for a real threat that goes unreported.
Personal Safety Planning
Practical steps to keep yourself safe
Awareness without a plan is incomplete. Personal safety planning ensures you can act quickly and decisively when it matters most.
• Identify at least two exits
• Note where you could take cover or concealment
• Observe who is already there and what they're doing
• Locate the nearest phone, alarm, or panic button
• Position yourself where you can see entrances
• Vary your arrival and departure times and routes when possible
• Park in well-lit areas near building entrances
• Have keys or badge ready before you reach your vehicle or door
• Avoid isolated areas, especially during low-traffic hours
• Establish check-in procedures with your team or supervisor
• Know the radio codes or duress signals used by your organization
• Use the buddy system when working in or moving through high-risk areas
• Let someone know where you're going and when to expect you back
• Sit or stand where you can see exits and entrances
• Keep a clear path between yourself and the nearest exit
• When interviewing or meeting unfamiliar people, keep a desk or table between you
• Avoid turning your back to doors or open hallways
• Trust your instincts. If a situation feels unsafe, create distance first and assess second
Key Takeaways
Your quick reference summary
Core principles of threat awareness:
- Four types of threats: Verbal, written, behavioral, and environmental. Recognize each form and understand that they often overlap.
- Behavioral indicators are key: Surveillance, security testing, weapons acquisition, concerning statements, grievance collection, and last resort thinking are all observable pre-attack behaviors.
- Cooper Color Code: Stay in Condition Yellow (relaxed alert) as your default. Shift to Orange when something catches your attention, and Red when action is required.
- Assess your environment: Use CPTED principles to evaluate entry/exit points, lighting, camera coverage, access control, and natural surveillance.
- Identify suspicious activity: Look for people who don't belong, unusual vehicles or packages, photography of security features, probing questions, and abandoned items.
- Defend against social engineering: Verify identities, never hold secured doors for strangers, challenge politely but firmly, and be mindful of what information you share.
- Use the 5-step threat assessment: Identify, evaluate credibility, assess intent, determine capability, and report.
- Report early and often: Clear, factual, specific reports save lives. When in doubt, report. You are never expected to investigate on your own.
- Plan for your safety: Know your exits, vary your routes, use check-in procedures, practice protective positioning, and trust your instincts.
Knowledge Check
Knowledge Check
Knowledge Check
Quiz Complete
Calculating your results...