Tackling Online Radicalization and Extremism with Modern Threat Assessment Strategies
Traditional models of workplace violence prevention and executive protection are being tested by a rapidly changing threat landscape. Today, many threats originate and evolve online. They take shape in loosely connected digital communities before culminating in real-world violence, often far removed from a conventional workplace setting.
In this new environment, the earliest signs of violence often begin not with a confrontation but with fixation. Individuals may develop an obsessive interest in a person, organization, or industry for weeks, months, or even years before taking action, frequently without ever making a direct threat. Instead, the person remains in the digital periphery, frequenting fringe forums, consuming extremist content, and glorifying previous attacks and attackers. This behavioral arc is increasingly familiar to those studying violent incidents ranging from school shootings to targeted violence against public figures and executives.
For corporate security professionals, this environment creates a significant yet essential challenge to solve: detecting the earliest behavioral cues of potential violence before they escalate. While threat assessment has long been used to identify and prevent violence, today’s pre-incident behaviors originating online demand a more proactive, nuanced approach. By leveraging established behavioral frameworks alongside modern threat assessment strategies, organizations can begin to identify and mitigate these unique types of threats, no matter how subtle or unconventional they may appear.
Online ecosystems provide ideological frameworks that give personal grievances global meaning.
The Rise of Step Zero: Ambiguous Behavior as a Precursor
The concept of the pathway to violence remains foundational to threat assessment. Recognizing the behavioral steps a person often follows before carrying out an act can provide an opportunity for protective measures and intervention. However, opportunity also lies in recognizing those ambiguous earlier behaviors, what we’re calling “step zero,” that can be difficult to discern as potentially threatening.
Step zero behaviors may include:
- Unusual interest or fixation on an individual, office, or position
- Expressions of admiration, love, or the belief of having a special relationship with an individual
- Expressions of despondency or hopelessness, such as remarks about feeling trapped, powerless, or desperate for a resolution
- Fixation on issues or situations, accompanied by comments or behaviors that indicate escalating frustration
- Sudden withdrawal from family or colleagues, erratic communication, increased absence or decline in work product, unkempt appearance, or subtle changes in demeanor
These behaviors aren’t crimes. They seldom involve direct threats or require law enforcement intervention. But if not recognized or addressed, the behaviors can mark the beginning of a progression toward violence.
Consider the 2023 attempted attack on Supreme Court Justice Brett Kavanaugh. The would-be assailant had no prior criminal record but exhibited classic pre-attack indicators: fixation on the justice, consumption of political content that framed the target as dangerous, and travel with the intent to kill.
Similarly, Luigi Mangione, who is accused of fatally shooting UnitedHealthcare CEO Brian Thompson on his way to a board meeting, had no serious criminal history (only a misdemeanor charge for trespassing); wrote online about his own health struggles, including back pain, spinal surgery, and depression; and expressed his discontent with the U.S. healthcare industry.
In each case, the subject’s behavior was visible before violence occurred, but his or her signals were fragmented, scattered across platforms and timelines; therefore, the intent of violence was difficult to discern. At step zero, neither of these cases had enough evidence to warrant law enforcement action, but they did provide critical clues as to the subject’s interest and motivation.
Fixation and Ideology in the Digital Age
What’s different now isn’t just the fixation—it’s what amplifies and validates it. Online ecosystems provide ideological frameworks that give personal grievances global meaning. Mangione, for example, is now an international celebrity with social media fan accounts and a cult following of supporters. Individuals with employment-based or reputational frustrations may find community and even encouragement within extremist spaces that promote violence against executives, government officials, healthcare leaders, and journalists.
This shift demands a recalibration of how we approach preventing violence and protecting prominent people. We are no longer dealing simply with disgruntled insiders or ex-employees in an office setting. We are increasingly assessing ideologically motivated outsiders whose pretext for violence is digital, symbolic, and deeply emotional. This further blurs the lines between what we would consider a true workplace violence incident and, subsequently, what tactics to use to prevent it.
Rethinking Threat Assessment in a Decentralized World
Modern threat assessment programs and the security professionals that implement them must evolve to capture and contextualize signals of targeted interest long before a weapon is procured or a confrontation occurs. A few key strategies to take action include:
Recognize signs and encourage reporting. Once people understand what to report, they should feel confident reporting concerning behaviors without fear or retribution. Create an environment where individuals feel supported and encouraged to report, even if they think the behavior may be insignificant. Develop clear guidelines on what to look for, such as erratic online communication or a change in mood. Additionally, develop clear reporting mechanisms, such as an intake form, and use accessible language customized to your organization’s culture.
Centralize information. Effective threat assessment starts with breaking down silos. Centralizing information across teams allows organizations to identify patterns of ideation and concerning behavior more quickly and accurately. For insider threats, consolidating data from HR, security, IT, and legal can reveal a more complete picture of an individual’s behavior. For external actors, leveraging security technologies that integrate multiple data sources—both public and proprietary—can provide valuable insights. By aggregating online activity, prior incidents, and behavioral indicators, organizations are better equipped to detect emerging threats, recognize repeat patterns, and prepare an appropriate response strategy.
Adjust operational procedures if the behavior is coming from someone not affiliated with the company. Even with limited information, physical security and executive protection teams need to be aware of what you know so that they can adjust operational procedures accordingly. This might include monitoring the individual and situation more closely or revising existing security protocols.
Notify law enforcement and intended targets (if any) for immediate intervention. If an individual’s activities indicate clear planning or preparation for an attack (like purchasing weapons or rehearsing), involve law enforcement immediately. At this stage, extreme security measures may be required to prevent escalation.
Develop a post-incident management plan. Once the situation is contained, create a management plan to ensure the threat remains neutralized. Conduct a thorough after-action review to analyze what went right and what went wrong, and how your team can improve its processes for future incidents.
Closing the Gap
Organizations must accept that the threat perimeter has expanded. Preventing violence in the workplace and against executives today means identifying digital fixation, interpreting behavioral cues, and intervening early with modern threat assessment strategies. At its core, assessing threats is about recognizing human behavior. As threats evolve and relocate to digital ecosystems, security leaders must adopt a posture that prioritizes the early detection, recognition, and intervention of unusual behavior or direction of interest instead of late-stage reactivity to obvious threatening behavior.
If we want to prevent the next attack, we must reframe our thinking from “Did they make a threat?” and instead start asking, “Are they showing signs of fixation, unusual interest, or targeting behavior?” This mindset shift—from reactive to proactive using proven methodologies, from direct threats to directional interest—is one of the keys to prevention.
In a world where someone can plot an attack without ever setting foot in an office or issuing a warning, step zero in the pathway to violence may be the only we get, and security professionals can’t afford to miss this critical step.
Cynthia Marble serves as senior director, threat assessment and management at Ontic, where she acts as a strategic advisor, providing specialized insights in these areas to private and public sector executive protection, security, and threat assessment teams. She previously served for more than 26 years with the U.S. Secret Service, most recently as the Special Agent in Charge for the U.S. Secret Service Houston Field Office, where she managed the Secret Service offices in Houston and Austin, Texas, as well as Mexico City. Marble is a nationally recognized leader in the fields of threat assessment and threat management, executive protection, protective intelligence investigations, national security, and global security operations.
