Hostile Reconnaissance: Detection and Response

Most serious attacks are not impulsive. They are planned. And the planning phase – the period in which an attacker gathers the information they need to select an opportunity, identify the approach, understand the security measures, and reduce their own risk – is the window in which the attack can be detected and disrupted.

That window is hostile reconnaissance.

The CPNI (now NPSA, National Protective Security Authority) has published extensive guidance on the attack planning cycle. Its framework – intelligence, planning, preparation, execution – places reconnaissance firmly in the planning phase, which typically precedes the attack by days to weeks in opportunistic criminal cases and by weeks to months in organised or ideologically motivated cases.

Understanding hostile reconnaissance – what it looks like, how to detect it, and what to do when you spot it – is one of the highest-value security skills for any individual or organisation operating in an elevated-threat environment.

The Attack Planning Cycle

The NPSA’s “Stay Safe” framework and the related ACT (Action Counters Terrorism) guidance describe the pre-attack planning cycle consistently:

Intelligence gathering. The attacker identifies a target and begins researching them. In modern practice, this almost always starts online: social media, business registration records, LinkedIn, press archives, property records, company websites, and any publicly available scheduling information. This phase can be conducted entirely without physical contact with the target.

Surveillance. Once the target has been identified and basic intelligence gathered, physical surveillance establishes what cannot be determined remotely: the target’s actual movement patterns, the physical security measures at their home and workplace, the timings of specific routines, and the opportunities those patterns create. This is the phase that close protection and physical security programmes are designed to detect.

Planning and preparation. Based on the intelligence and surveillance product, the attacker selects the method, the opportunity, and the approach. For organised criminal groups, this phase may involve logistics, equipment acquisition, and rehearsal.

Execution. The attack.

Every intervention before execution is worth more than the response after it. Detecting reconnaissance disrupts the planning before it reaches the execution phase.

What Hostile Reconnaissance Looks Like

Hostile reconnaissance is not always obvious. Trained surveillance operatives – whether working for criminal organisations, hostile states, or in some commercial espionage contexts – are specifically trained to avoid the behaviours that trigger observation. What you are looking for is anomaly against baseline, not a person in a trenchcoat with a camera.

People

An individual who does not fit the normal profile of the environment and who is displaying behaviour inconsistent with a legitimate reason for being there. Specific indicators:

Loitering without obvious purpose. An individual who has been stationary in an area for an extended period without a plausible reason – not waiting for a bus, not using their phone for a call, not engaged in any activity that explains their presence.

Unusual interest in security infrastructure. An individual who appears to be studying entry points, CCTV locations, security personnel positions, or routes into and out of a building. Most people, even curious ones, do not systematically scan security infrastructure.

Photography or filming directed at security rather than the obvious subject. Tourist photography in an urban area is normal. Photography specifically directed at a building’s entry controls, at a particular vehicle, or at specific personnel is not.

Repeat sightings in unlikely combinations. The same individual appearing at three different locations in a target’s routine within a fortnight is the clearest possible indicator of surveillance. The locations should not be places that would naturally lead to multiple random encounters.

Vehicles

Extended parking with an unusual line of sight. A vehicle parked for multiple hours in a position that provides a clear view of a building’s entrance, a residence, or a movement route, when that position has no obvious legitimate use.

Repeat sightings on movement routes. The same vehicle appearing on multiple routes used by a principal on different days. A surveillance team working a target on the road will typically use several vehicles to reduce the risk of this pattern being noticed.

Vehicles with occupants who do not exit. An occupied vehicle parked for extended periods, where the occupants remain in the vehicle without an obvious reason.

Registration number anomalies. Plates that do not match the vehicle, plates covered or partially obscured, or vehicles with trade plates being used for extended personal occupation.

Digital indicators

Before any physical surveillance, a serious attacker will have conducted online reconnaissance. The indicators that your digital profile is being researched are subtler:

Unusual access to your LinkedIn profile from individuals you do not recognise in unfamiliar organisations or from specific geographic locations of concern.

Attempts to connect via professional platforms or direct messages from individuals whose profile does not match the apparent relationship or context.

Requests for scheduling information under a pretext – a journalist asking for confirmation of a speaking engagement, a service provider asking about your regular appointments.

Social media posts by family members that reveal routine location information or scheduling – a common and underappreciated source of reconnaissance intelligence.

Surveillance Detection Routes (SDRs)

A surveillance detection route is a pre-planned movement route specifically designed to expose surveillance teams. The route uses a series of choke points, direction changes, and environments where a surveillance team following the subject would be forced to reveal themselves by appearing in multiple locations that cannot be explained by coincidence.

An effective SDR has several characteristics:

Choke points. Sections of the route where surveillance must commit to following or risk losing the subject, such as a narrow alleyway, a single escalator, or a specific turn that has no obvious onward route.

Natural stop points. Moments in the route where the subject stops for a plausible reason – to look in a shop window, to take a photograph, to check a phone – that allow a backwards view of the environment without revealing counter-surveillance intent.

Direction changes. Multiple changes of direction that a coincidental follower cannot easily explain and that a surveillance team on foot must manage.

Static support. An SDR is most effective when a member of the close protection team is positioned statically at a point on the route and can observe the route behind the subject for following individuals or vehicles.

SDRs require training and practice to conduct effectively. An untrained individual attempting an improvised SDR is likely to either miss genuine surveillance or to draw attention through obvious counter-surveillance behaviour.

Surveillance Detection Around Premises

Hostile reconnaissance of a premises – a residence, office, or venue the principal regularly attends – can be detected through:

Regular external surveys. Periodic checks of the external environment around the premises, looking for vehicles that have been present for extended periods, individuals who are loitering, or changes to the environment that suggest surveillance positions have been established.

CCTV review. Post-event review of CCTV footage from premises cameras for repeat appearances of the same individual or vehicle is a standard intelligence product of the physical security function.

Pattern analysis. Logging unusual observations over time enables the identification of patterns that single observations would not reveal. A simple log maintained by a residential security team or a close protection team tracking external sightings is a practical intelligence tool.

What to Do When Surveillance Is Detected

Do not confront. Confronting a suspected surveillant reveals your detection capability, identifies the specific individual who has been observed, potentially accelerates the attack timeline, and puts you in physical proximity to an individual who may be dangerous. None of these outcomes is good.

Disengage. Change your route, destination, or plans in a way that does not obviously indicate you have identified the surveillance. For a close protection team, this means executing an anti-surveillance drill: a route change or destination change that is plausibly explained by normal behaviour.

Record. Note as much detail as possible: the individual’s description, the vehicle description and plate, the time, the location, and exactly what was observed. The quality of this record determines the intelligence value.

Report and assess. The observation should be reported to the close protection team or security lead immediately, logged, and assessed alongside any other indicators in the threat picture. A single observation is a note. The same observation type recurring is an intelligence indicator that should inform the threat assessment and the security posture.

Increase surveillance detection activity. A single confirmed or suspected surveillance sighting should trigger a period of heightened surveillance detection activity – more frequent external surveys, SDRs on movement routes, and increased CCTV monitoring.

For the broader counter-surveillance methodology and how it integrates into a close protection programme, see our counter-surveillance for executives guide. For how protective intelligence uses patterns of concerning contact and observation to assess and manage specific threat actors, see our protective intelligence guide. For security managers planning hostile reconnaissance detection in open-access environments such as places of worship – where greeters and congregation members are the primary observation layer – see our security planning for religious institutions guide. For understanding the CBRN threat category that reconnaissance activity may precede – including chemical, biological, radiological, and nuclear threat profiles, corporate facility response protocols, and suspicious substance handling – see our CBRN and bioterrorism awareness guide. For judicial and legal proceedings environments – where hostile reconnaissance may precede attempts to intimidate witnesses, threaten judges, or disrupt court proceedings in high-risk markets such as Lagos, Bogota, and Manila – see our security for judges, courts, and legal proceedings guide.

Source: NPSA (National Protective Security Authority, formerly CPNI): Attack Planning Cycle and Pre-Attack Indicators guidance (2024). NPSA: Stay Safe – ACT (Action Counters Terrorism) framework. CPNI: Hostile Vehicle Mitigation and Surveillance Detection training materials (2023). Gavin de Becker: The Gift of Fear (1997) – pre-attack indicator methodology. OSAC: Surveillance Detection for Corporate Environments 2024. Control Risks: Pre-Attack Reconnaissance – Corporate Threat Indicators Report 2024.