How to Protect Your People and Assets from Targeted Threats
Threats against public and private sector personnel and facilities are on the rise. To help organizations keep their people and assets safe, Recorded Future recently hosted a webinar to explain how the violent extremist landscape is evolving, share tactics aimed at identifying key sources of online risk exposure, and offer mitigations that can help reduce physical security concerns.
Read on for a recap of the highlights, and be sure to watch the recording for complete details and recommendations.
How to protect your people and assets from targeted threats
Watch our on-demand virtual briefing led by Recorded Future experts and practitioners to better understand recent shifts in tactics, techniques, and procedures (TTPs) deployed by violent extremists so you can protect your people and assets.
The violent extremist threat landscape is changing
Recorded Future threat intelligence analyst Paul S. shared that the domestic violent extremist (DVE) threat landscape in the US has shifted over the past year. According to Recorded Future’s assessments, the DVEs that represent the greatest risk of conducting violent attacks against organizations in the US (i.e., neo-Nazis and white supremacists, anti-government and anti-authority actors, and anarchists) are increasingly considering targeted physical attacks against individuals rather than mass casualty attacks.
(For more information on domestic violent extremism, check out this report from Recorded Future’s Insikt Group®: US Violent Extremists Likely Shifting Focus to Targeted Physical Threats in 2025.)
Paul S. noted that violent extremists have “celebrated, promoted, or encouraged” events like the 2024 assassination attempts against then- presidential candidate Donald Trump, the December 2024 assassination of UnitedHealthcare CEO Brian Thompson, and the June 2025 assassination plots against lawmakers in Minnesota. Their aims, he said, are to threaten public figures and boost their own recruitment efforts by playing on public sympathies for some of the attacks, perpetrators, or ideologies.
As a result, high-profile figures in the US including C-suite executives and senior government officials are at heightened risk from physical threat activities. “DVEs and other threat actors are leveraging sources of digital exposure and identifying soft spots in operational security to target personnel,” he said.
He also said that, while the specific violent extremist groups that pose a threat in Europe are different from those in the US, they fall into similar ideological buckets. And it seems that European groups are taking cues from the US threat landscape as they shape their operations.
Recorded Future threat intelligence analyst Mary P. said that. “Data breaches happen everywhere, exposing information. Regardless of jurisdiction, social media can be a major source of exposure.”
TTPs remain the same, with some enhancements
Paul S. noted that violent extremists’ tactics, techniques, and procedures (TTPs) seem likely to remain the same, with physical threats including online targeted threats, stalking, harassment, physical approaches, sabotage, surveillance, disruptive protests and demonstrations, doxxing, swatting, and more. Recorded Future has also seen increased use of drones and unmanned vehicles, generative AI, 3D-printed firearms, cryptocurrency, and end-to-end encrypted communication applications.
“We've also seen some efforts by violent extremists—especially those focused on online threats—to improve their in-house, open-source intelligence capabilities by leveraging online information on their targets,” he said.
In Europe, where access to firearms is limited, there's been more experimentation with 3D-printed firearms and other types of weaponry.
Executives face multiple sources of digital exposure and online risk
Mary P. explained that the availability of personally identifiable information (PII) on the Internet leaves private and public sector executives increasingly vulnerable to physical and cyber threats.
“Not only can threat actors take advantage of individual sources of online exposure,” she said, “but they can also combine multiple sources of exposure, using one source to pivot to another to improve overall targeting.”
Brian Solecki, Recorded Future’s Director of Security and Safety, said that these sources of digital exposure enable threat actors to develop information on home and work locations, patterns of life, modes of travel, and other information that affords them the opportunity to develop and implement plans for physical attacks.
Modern executive protection begins with intelligence
Solecki described threat intelligence as the foundation of any comprehensive security strategy. “It affords organizations the opportunity to allocate the appropriate resources toward the physical security procedures and cybersecurity measures they need to mitigate identified threats.”
He also discussed the importance of setting up priority intelligence requirements (PIRs), critical pieces of information to help security teams anticipate, prevent, and manage threats against their executives. A key PIR involves monitoring online activity and social media for suspicious activity or threats.
“This can help you to determine the viability or the level of threat posed by individuals or groups that could target your executives,” he said. “It also allows you to assess the protocols and plans you already have in place to make sure they're sufficient to the threat landscape.”
When asked what security teams can do to protect executives in a time when it’s impossible to lock down someone’s online presence, the panelists provided several recommendations, including:
- Don’t make schedules or family information public.
- Limit posting controversial statements on social media.
- Remove PII from the Internet wherever possible.
- Use the strongest possible privacy settings.
- Educate family members about digital risks.
How Recorded Future solutions help organizations protect their people and assets
Mary P. shared a number of ways customers can use Recorded Future to protect their people and assets. For example, they can monitor the dark web and underground forum sources, track negative sentiment toward their organizations online, detect compromised executive credentials, and monitor for data breaches. They can also use the Recorded Future Analyst On Demand service to commission executive security assessments.
Paul S. noted that Recorded Future’s threat intelligence sourcing makes all the difference. The company is constantly identifying new sources and adding them to the Recorded Future Platform so customers can use them to build queries and identify instances of exposures, targeting, and threats.
Take a deeper dive on executive and asset protection
The webinar included an audience Q&A session, which covered top platforms and forums for threatening content, correlations between threats and negative sentiment campaigns, and more. Watch it on demand, and then schedule a demo to see how Recorded Future solutions can help address your organization’s unique security needs.
Below are select questions from the audience during the webinar, some were answered during the session and others have been answered in this blog post.
Audience Questions Answered
Could you share your thoughts on a related issue - deepfake videos
Threat actors can use generative AI technology to produce audio and video deepfakes to facilitate convincing spear phishing attacks against executives and their family members, friends, colleagues, and subordinates. Threat actors can also use this technology to produce deepfake pornography or other similar embarrassing content to harass, intimidate, and blackmail executives and individuals associated with executives. Additionally, threat actors can use generative AI to produce deepfakes of executives that depict executives making controversial statements or engaging in controversial behavior with the intention of driving negative sentiment toward executives and damaging the brands of their companies.
How might you broach these topics with an executive who has a more elevated risk?
The best approach is through an honest and candid conversation that concisely lays out the potential threats. Highlight the security measures that are already in place and then provide recommendations for the most appropriate course of action moving forward. You need to be prepared to articulate (and in some cases defend) what you are proposing, the allocation of resources required to do what you are proposing and the possible implications of what may occur if the proposed actions are not implemented.
Do you have any insights on how we can distinguish between normal online chatter that threatens an exec and online sentiments that should be taken more seriously?
The more specific chatter is, in terms of demonstrating knowledge about where/when an individual will be making an appearance, or references to family members and/or associates, is definitely a key threat indicator for those responsible for the protection of their company’s executives, and could require increased security measures to include variations of movement routes, additional close protection and law enforcement notifications and coordination.
Context is critical, which can be determined by leveraging threat intelligence to conduct an investigation. In a heightened threat environment, any “chatter” threatening an executive online likely warrants further research. In turn, investigations can determine the nature and seriousness of the threat by ascertaining the context behind the post.
For instance:
- Who posted the threat? What other information can be discerned from their online activity?
- What is included in the threat? Does it contain evidence of the poster’s capabilities or credibility to carry out the threat?
- When was the post published? Was it published following notable instances of physical violence against executives, notable geopolitical or domestic political developments that may implicate the executive’s company, or amidst a broader online negative sentiment campaign targeting the company?
- Where is the individual that posted the threat? Are there means of determining their location or degree of access to the executive?
- Why did the individual post the threat? Do they reference a motivation for targeting the executive, or indicate adherence to violent extremist ideologies?
With public support for threat actors like Luigi Mangione being more widespread today, how seriously should we be taking comments mentioning him or sharing images of him as memes?
In most cases, memes or comments glorifying Mangione or his alleged actions likely do not constitute actionable threats to executives. However, when Mangione or other recent accused perpetrators of targeted violent attacks are mentioned in relation to a specific executive or company (e.g., “I hope Executive A is Luigi’ed next”), or by known domestic violent extremist threat actors, or by individuals who have posted other information indicating they are actively targeting particular figures, the threats should be taken very seriously and almost certainly warrant further investigation.