When the Digital World Turns Physical:

The Expanding Role of Threat Intelligence in Executive Protection

Key Takeaways

  • Cyber and physical risks are converging. Online exposure now translates into real-world danger as doxxing, deepfakes, and business email compromise blur the boundary between the virtual and physical worlds.
  • Executives are prime targets. Their digital footprints, public visibility, and access to sensitive assets make them especially attractive to adversaries.
  • Threat intelligence can bridge the gap. Organizations are using social media monitoring, geopolitical analysis, and risk scoring to identify early indicators of harm against executives and employees.
  • Recorded Future enables proactive protection. By unifying physical and digital intelligence, security teams can detect threats earlier, contextualize risk, and safeguard leadership.

The New Risk Equation: When Cyber Becomes Physical

The boundary between cyber and physical threats has blurred in ways that would have been difficult to imagine even a decade ago. According to the 2025 State of Threat Intelligence report, organizations are now expanding the scope of intelligence programs beyond traditional network defenses to include human and operational risk.

Digital exposures are no longer confined to online spaces. They are increasingly spilling into the physical world as stalking, extortion, and targeted violence. In many incidents, the real-world threat begins with digital reconnaissance: adversaries scraping travel plans, property records, or family details before acting offline.

AI-driven impersonation and deepfake scams amplify this exposure by exploiting trust at scale, targeting executives through fake meetings, spoofed emails, and cloned websites designed to manipulate behavior in both digital and physical environments.

These shifts align directly with the long-standing “converged security” model, which unifies cyber and physical functions, aligning both personnel and strategy under a single risk framework. While security convergence has gained limited traction in the private sector through the past decade, the rise of AI-enabled impersonation, synthetic media, and identity fraud gives the model renewed urgency. Like military and intelligence organizations, modern attackers now blend digital and physical tradecraft with unprecedented speed, making siloed security functions increasingly ineffective.

In this environment, organizations that combine cyber, human, and geopolitical data in their security and risk management are better positioned to detect early warning signals.

The Executive Threat Landscape Is Escalating

Executives’ online and offline lives are now intertwined across platforms, conferences, and global travel, and adversaries are increasingly exploiting that overlap.

One of the clearest indicators of this shift is the rise in doxxing and swatting, which exposes personal data, home addresses, and family details of executives. These incidents, once associated mainly with public figures and teenagers in chat rooms, have expanded into the corporate realm.

At the same time, deepfake-enabled impersonation and business email compromise (BEC) schemes are surging. The FBI’s latest IC3 report lists BEC among the highest-loss categories in cybercrime and notes that fraudsters increasingly augment these attacks with AI-generated audio and video. In early 2024, for example, fraudsters created a deepfaked video conference call to mimic corporate leadership and deceive a Hong Kong finance employee into wiring $25 million. While this is the single most public incident, we have seen multiple audio deepfakes used in identity and wire fraud cases since then.

For years, cybercriminals have timed their attacks to coincide with periods when security teams are least likely to be available and average employees are under pressure. A few years ago, this simply meant Friday afternoon phishing and malware launched over the holiday breaks.

These risks are further amplified by post-pandemic executive work patterns. Leaders are traveling more frequently and working across time zones, creating predictable periods when they are offline or unable to validate communications. Cybercriminals will time their attacks to align with flights, hotel check-ins, and international events: moments when verification is hardest and urgency can be most easily manufactured.
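The timing pattern described above can be turned into a triage rule. The following is an added example, not code from the original article or from Recorded Future: it correlates inbound requests made in an executive's name with that executive's itinerary and holds pressure-laden ones that arrive while the executive is unreachable. The executive name, itinerary, messages, grace period, and term list are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
GRACE = timedelta(minutes=30)  # assumed buffer around each itinerary window
PRESSURE_TERMS = ("urgent", "wire", "immediately", "confidential", "before end of day")

# Constructed itinerary: periods when the executive cannot easily confirm a request.
ITINERARY = {
    "Dana Reyes": [
        ("flight", datetime(2025, 3, 10, 8, 0, tzinfo=UTC), datetime(2025, 3, 10, 19, 30, tzinfo=UTC)),
        ("hotel check-in", datetime(2025, 3, 10, 20, 15, tzinfo=UTC), datetime(2025, 3, 10, 21, 0, tzinfo=UTC)),
    ],
}

# Constructed inbound messages; each timestamp carries its own UTC offset.
MESSAGES = [
    {"id": "m1", "claimed_sender": "Dana Reyes", "received": "2025-03-10T11:05:00+01:00",
     "subject": "Urgent: wire needed before end of day"},
    {"id": "m2", "claimed_sender": "Dana Reyes", "received": "2025-03-12T09:00:00+00:00",
     "subject": "Urgent: wire for vendor invoice"},
    {"id": "m3", "claimed_sender": "Dana Reyes", "received": "2025-03-10T14:00:00+00:00",
     "subject": "Slides for Thursday"},
]

def unreachable_window(executive, when):
    """Return the label of the first itinerary window covering `when`, or None."""
    for label, start, end in ITINERARY.get(executive, []):
        if start - GRACE <= when <= end + GRACE:
            return label
    return None

def pressure_hits(subject):
    """List the pressure terms present in the subject line."""
    text = subject.lower()
    return [term for term in PRESSURE_TERMS if term in text]

def triage(msg):
    """Hold pressure-laden requests that arrive while the named executive is unreachable."""
    # Normalize to UTC so local-time timestamps compare correctly with the itinerary.
    when = datetime.fromisoformat(msg["received"]).astimezone(UTC)
    window = unreachable_window(msg["claimed_sender"], when)
    hits = pressure_hits(msg["subject"])
    if window and hits:
        action = "hold_for_callback"  # confirm over a known-good channel first
    elif hits:
        action = "verify_normally"
    else:
        action = "deliver"
    return {"id": msg["id"], "action": action, "window": window, "terms": hits}
```

Normalizing every timestamp to UTC before the comparison matters here, because the itinerary and the mail gateway rarely share a time zone when the executive is traveling.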

Extending Threat Intelligence into Executive Protection

Threat intelligence now monitors not just cyber-risk, but human and operational risk as well.

Social Media and Open-Source Monitoring

Threat intelligence includes continuous monitoring of social networks, forums, and dark-web chatter for early signs of hostility toward executives or events. These signals offer some of the earliest indicators that an executive or organization may be targeted. Threat intelligence also enables detection of impersonation accounts, fraudulent social profiles, and phishing domains designed to mimic executives or brands. By correlating external data with internal telemetry, intelligence teams can separate background noise from credible intent.

Geopolitical and Event Intelligence

Integrating threat intelligence with geopolitical data and executive travel itineraries allows security teams to forecast unrest, monitor protest chatter, and tailor protection measures based on regional risk.

Yet a measurable gap remains. According to ASIS International’s Executive Protection Standard and 2025 Executive Threat Environment report, roughly 26% of organizations rarely or never brief executives before travel, leaving leadership exposed to threats in volatile regions. Threat intelligence can close this gap by correlating data from open sources, social media, and dark-web forums with location data, event schedules, and geopolitical analysis.

Integrated Risk Analysis

Advanced executive protection programs can now produce composite risk scores for executives. These models combine digital indicators, adversary intent, and physical proximity into a single view of converged risk that evolves as conditions change. When security teams can see cyber indicators, human behavior, and geopolitical context in the same frame, they gain the ability to prioritize threats by likelihood and align physical security with cyber response.

From Reactive to Predictive Protection

The 2025 State of Threat Intelligence report reveals that organizations are merging threat intelligence with adjacent functions such as security operations, crisis response and, increasingly, physical security.

This shift is already measurable. Thirteen percent of organizations now integrate physical security into their intelligence programs. Nearly half (47%) also link intelligence with risk management, creating a more consistent view of organizational exposure. Another quarter plan to expand intelligence into identity, fraud, and GRC workflows within the next two years.

The report also finds that 58% of organizations use threat intelligence to inform business risk assessments, and 43% apply it to strategic planning. These trends reveal that intelligence is not just a technical input but a foundation for enterprise-wide decision-making.

Breaking Down Barriers and Embedding Human-Centric Intelligence

Despite growing momentum toward converged, intelligence-led security, most organizations still face significant operational and cultural barriers that limit full integration across cyber, physical, and human domains.

The 2025 State of Threat Intelligence report highlights three friction points that consistently hold programs back: poor integration with existing tools (48%), information overload (46%), and a lack of contextual relevance (46%). These challenges create fragmentation in how intelligence is collected, shared, and acted upon, making it difficult for teams to translate raw data into meaningful protection for people. When combined with leadership silos that still exist in many organizations, modernization requires active transition.

Operationalize Threat Intelligence for Executive Protection

Recorded Future’s threat intelligence platform can provide the visibility, context, and automation needed to bridge digital and physical protection.

With access to the world’s largest intelligence repository, Recorded Future continuously ingests data from technical telemetry, open-source intelligence, dark-web forums, and geopolitical feeds. This enables security teams to detect and correlate early warning signals across multiple domains, including:

Because Recorded Future integrates intelligence into real-time risk scoring and automated alerting workflows, executive protection and corporate security teams can identify and respond to emerging threats before they escalate.

Ultimately, Recorded Future can extend the power of threat intelligence beyond systems and data to the people who represent the organization itself.

Frequently Asked Questions

What is executive protection in cybersecurity?

Executive protection in cybersecurity integrates digital threat intelligence with physical security to safeguard leaders against converging risks like doxxing, deepfakes, and physical targeting.

What types of digital threats affect executives most?

Business email compromise, impersonation, deepfake scams, and personal data exposure on social media and the dark web are the most common.

How does threat intelligence improve executive safety?

It enables continuous monitoring of digital chatter and data leaks to identify credible threats early, providing actionable context for security teams and executive protection specialists.

What’s the first step to building a converged protection program?

Begin by aligning cyber and physical security teams, conducting a combined digital-and-physical risk assessment, and integrating real-time threat intelligence feeds into protection workflows.