The Hostile Planning Process

Hostile Planning Process - dark figureThe hostile planning process is the progressive and logical series, phases, and steps that take place while planning a terrorist attack. The steps that are going to be detailed in this two-part article do not come out of strictly theoretical research on terrorism, but rather from the study of actual case studies, including interviews with captured members of terrorist organisations who have disclosed the mechanics of their hostile planning.

It must be mentioned that not all hostile attacks follow a comprehensive textbook version of the hostile planning process. But these non-textbook cases are only non-textbook to the extent that some of the steps in them might have gotten shortened and/or omitted, but the general order of the phases and steps, and most importantly the rationale behind them, remains consistent. This consistency does not suggest that there is some secret connection between all terrorists, but rather that rational and logical individuals who are balancing various risk/benefit analyses during the planning of a pivotal event, will almost always follow certain patterns of thinking and behaviour.

The main phases of the process are:

  1. Initial collection of information.
  2. Analysis, planning and training.
  3. Execution.
  4. Escape and exploitation.

As you can clearly see, these phases are simple, logical and quite self explanatory. They display one of the most basic processes that, as mentioned earlier, is used by almost every criminal, whether he/she is a terrorist or not. These are the exact phases and steps one would follow when planning a bank robbery, a theft, or a kidnapping. In fact, anyone who has spent any time in the military might also recognise these phases and steps, as these are also the exact same ones that are used for military operations. These somewhat surprising similarities appear because logical individuals and groups (regardless of their agendas) tend to follow the same human nature oriented patterns when faced with a challenge. This is precisely why understanding this process is so important. Only after we have abolished the mysteries behind hostile planning, will we be able to effectively eliminate most of the guesswork behind its prevention.

One question that remains is in how detailed a manner will the phases of the hostile planning process be ‘filled in’ with the operational steps. In some cases, there will be a limited number of steps. While in others, many lengthy steps will punctuate the gaps between the phases. The determining factors for this are usually the size and difficulty of the attack, in addition to the available resources and know-how of the hostile entity.

The following is one example of a highly detailed hostile planning process – a textbook case. Bear in mind that there are many different variations on the hostile planning process, and that this is simply one of many. The idea behind understanding a textbook planning process (even though most hostile attacks follow less than textbook planning processes) is to understand the rule before considering the many exceptions to it.

Initial collection of information:

  •   Selection of potential targets
  •   Open source information collection
  •    Initial surveillance.

Analysis, planning, and training:

  •    Final target selection
  •    Operational surveillance
  •    Operational planning
  •    Training and rehearsal
  •    Advanced surveillance.


  •     Last-minute surveillance
  •     Execution.

Escape and exploitation

The following is a detailed breakdown of the various phases and steps of the hostile planning process:

Initial collection of information

The main objective of this stage is to collect enough information in order to:

A) Gain a base-level understanding about the potential targets.

B) Select the best target for an attack.

  • Selection of potential targets

The first step in the hostile planning process happens to be one of the least understood yet most important points in the process. Notice that the word “targets” appears in its plural form. It is important to stress this point in order to show that the planning of a potential attack begins with a number of potential targets. No terrorist attack hinges solely on one ‘do or die’ target. Terrorism, as mentioned before, has a political goal, and in order to meet this goal one of any number of potential targets may be selected. Though terrorist attacks are usually named after the location where they take place, the location is only a tool – not the goal. For this reason, it is logical to begin with a number of potential targets, collect enough information on each one and then select the best target.

  • Open source information collection

Open sources of information are all forms of unclassified information that one can obtain remotely. This includes any and all forms of media, public records, advertising, public notices, etc. In this day and age, almost all said categories of information can be found on the internet.

The logic of starting the information collection process with open sources is that this is not only easy, and usually free, but gives access to an enormous amount of information, which is also very safe to collect. A hostile planner can do this from anywhere in the world, as is often the case. The type of information that is collected usually includes detailed maps (including Google street view, when available), photographs, schedules, information about operations and special events, information about key figures, and so on.

A number of attacks in recent history were conceived of after an article in a media outlet had effectively highlighted the potential target. However, in the majority of cases, these attacks would most likely have occurred anyway as hostile entities will simply make use of the plethora of relevant information that is readily available on the internet at any given time.

  • Initial surveillance

Initial surveillance is the first time that the hostile entity will go out to the field and physically observe the potential targets (remember, a final target selection has not yet taken place, so various potential targets are still being considered).

The main objectives of this step are:

A)    To confirm the validity of the information that had been collected from open sources.

B)    To continue collecting additional information that cannot be collected from open sources.

C)    To narrow down the list of potential targets in order to select the best target.

Although large files can be compiled on any given location from open sources, there is no substitute for actual eyes in the field. Only through actual observation can it be conclusively confirmed that the information that had been collected from the open sources is valid and dependable. In addition, only through direct observation can the hostile entity collect many more vital pieces of information that cannot usually be found in open sources. One such important piece is security, which most properties do not exactly advertise or detail on their websites. There are, of course, many more pieces of information that also factor into this step.

Analysis, Planning, and Training

After a sufficient amount of information is collected on the potential targets, the analysis stage begins with comparing and contrasting the various potential targets in order to select the one most suitable for attack. This is then followed with more collection of detailed information about the selected target, which leads to operational planning, training and rehearsal, and advanced surveillance.

  • Final target selection

Selecting the most suitable target for attack is one of the most crucial decision-making junctures in the hostile planning process. The ideal target for terrorism is one that combines a high level of public exposure (a famous location) with a high level of ease. However, this ideal situation will not usually be found because, in most cases, the higher the exposure is (the more famous and important a place is), the lower the ease factor becomes, and vice versa.

In almost every single case that has been documented, it is the easiest target that is selected for attack. This finding should not be very surprising when considering the risk/benefit ratio that the hostile entity has to calculate. The simple fact of the matter is that a rational hostile entity will choose the target that can give them the highest chance of success and the lowest risk of failure. In this respect, ease will always take precedence over exposure. Bear in mind that if a location’s level of exposure was so low that nobody had ever heard of it, it would probably not make it into the initial selection of potential targets step in the first place. Moreover, the attack itself, if successful, will probably elevate the target’s level of exposure even more (Oklahoma City).

It is important to keep in mind that there are three different and compounding types of ease that are considered. The first is the ease of executing the actual physical attack – the ease of, say, entering a building with a weapon, or parking a car-bomb outside the main entrance, etc. The second, and slightly less obvious type, is the ease in which operational information about the target can be gathered – how easy it is to figure out the target’s vulnerabilities, security measures, etc. The third, even less obvious than the second, is the ease in which operational information can be collected, while still remaining covert. Terrorist organisations (indeed, most criminal entities) rely very heavily on the element of surprise, and are very sensitive to the difficulties of remaining covert while collecting the large amount of information that is needed for an attack. A potential target that the hostile entity can more easily collect information on, and more easily remain covert while doing so, will be much more attractive.

  • Operational surveillance

After the initial collection of information is complete, and a target has been selected, it becomes necessary to collect detailed information on the selected target in order to put together a detailed plan of attack. The main goal here is to collect as much data as possible. I purposely used the word data here because the idea is to record as much non-directional information as possible. This information is non-directional because operational planning has not yet provided an exact direction. Operational planning will subsequently put a plan around an identified vulnerability but at this stage, the hostile entity might have not yet established which vulnerabilities exist, and which vulnerability is the best one to build a plan around. In order to do this, the hostile entity will need to collect a very large amount of information, and for this reason, operational surveillance can be quite a lengthy step, especially in the west, where it can take weeks or even months to conduct.

It is not uncommon for hostile entities to also employ a bit of ‘subcontracting’, so to speak, when attempting to collect information. In many cases, this takes the form of children who are being used for collecting information on targets. A child might be sent to ask employees, or even security personnel, questions regarding the target and its security procedures. The reason children are used so commonly is because they appear less suspicious when asking for detailed information. It is often the case that these ‘subcontractors’ do not even realise they have been conscripted for the purpose of gathering operational intelligence, and might either falsely believe that there is another reason behind it, or simply do it for money.

  • Operational planning

After a sufficient amount of information had been collected and analysed, the hostile entity will formulate a plan of attack. Operational planning tends to be most dependent on the capabilities and resources of the hostile entity, the structure of the target and the ease factors that were mentioned above.

This step will not be discussed at length because of the wide range of variation that exists among attack plans, and because of the relatively little amount of influence that private security personnel can physically exert on it – considering the fact that this step might very well be taking place in a different country. Therefore, it is advisable to not delve too deeply into the specifics of it, and to simply remain open minded about all the logical possibilities.

  •  Training and rehearsal

After the plan of attack has been formulated, the next step is to make sure that the attack can be carried out according to this plan.

Training and rehearsal are, in fact, two different things. Training refers to physically carrying out the attack and operating the weapons that will be involved. For example, if an attack involves a single shooter with a firearm, then the attacker needs to be trained on firearm usage. If improvised explosives are involved, then training in the manufacturing of the explosives is necessary, along with training on, and testing of, the delivery system and detonation device. Training activities involving firearms and explosives usually take place far away from the intended target, and often even happen in a different country. Careful attention to this step can very well make the difference between a successful attack, where, for example, improvised explosives are tested beforehand – as Timothy McVeigh did – and failed attacks where the explosives and detonation devices were not tested beforehand – as was the case with Richard Reid, Umar Farouk Abdulmutallab and Faisal Shahzad.

Rehearsal, unlike training, refers to conducting dry runs on the actual intended target. This means that no firearms or explosives are used, or even carried in most cases, but that an actual physical dry run of the attack takes place on the actual target. Dry runs can take place in many different ways and are dependent on operational planning. There have been documented cases of would-be attackers entering and exiting an intended target, cases where an empty bag is placed where a bomb is intended to be placed later, cases where prospective hijackers board the same flights they intend to hijack in the future, and so on.

As rehearsals take place on the actual selected target, and as covert collection of information (surveillance) is an intrinsic part of any rehearsal, this step is strongly connected to the advanced surveillance step.

  •  Advanced surveillance

The best way to begin explaining advanced surveillance is by pointing out its differences from operational surveillance. As mentioned above, operational surveillance is a wide angled collection of a large amount of raw – non-directional – information. Conversely, advanced surveillance occurs after a plan has been formulated, and gives the hostile entity the opportunity to observe the target in a precise and directional way – with the plan in mind.

As for the connection between advanced surveillance and rehearsals, any action that takes place during a dry run also supplies the hostile entity with additional information that needs to be covertly collected. For example, in cases where a dry run calls for a backpack to be placed at a strategic location (in order to test if a bomb can be placed there later), the act of observing how people react to this will be a part of advanced surveillance. Advanced surveillance gives the hostile entity the best chance to put all the pieces of the plan together and judge if the plan is ready for its execution stage. However, if certain problems are discovered, the judgment might be to go back to the training and rehearsal stage and conduct additional training and/or rehearsals. If the problem is bigger still, the decision might be to go even further back, to the operational planning stage and change the plan. An even bigger problem might make the hostile entity decide to go all the way back to the final target selection stage and choose a different target. And an even bigger problem still, might convince the hostile entity to abandon its plan altogether. But if all the pieces of the plan seem to fit, the decision will be to proceed towards the execution phase.


Execution, as you can see, is both a phase and a step. The step of execution is the actual physical attack, but the phase of execution covers the time frame of the attack. Both last minute surveillance and execution happen within this single time frame, whether it is a few minutes or a few hours.

  • Last minute surveillance

Last minute surveillance happens right before the physical execution (the actual attack), and is most often conducted by the actual attacker/s. In its simplest form, it is comprised of a single attacker who observes his/her target immediately before attacking it, and is the last chance to decide if the imminent execution will take place or not. The length of this step can vary quite widely from case-to-case. From the perspective of the hostile entity, the desire would be to shorten the length of last minute surveillance as much as possible. The reason for this is that the attacker, who is under considerable stress, might get exposed, or even change his/her mind, the longer they are observing the target. However, in order for this step to be short (no longer than a few minutes at most), the preceding steps of the hostile planning cycle must be conducted properly. Only if enough information is collected on the target beforehand, and enough analysis, planning and training have taken place, can last minute surveillance be short and direct. If, on the other hand, steps had been omitted or shortened, then important parts of the work would need to be plugged into the last minute surveillance step; extending its length and increasing the chances of the attacker being detected. One of the hallmarks of less prepared and/or less capable attackers is a lengthy and sloppy last minute surveillance step, where a nervous and suspicious looking individual is seen lurking around before an attack. Conversely, some better prepared attackers (9-11, Mumbai, Oklahoma City) waste very little time in this step, and jump into action very quickly, knowing precisely how, when and where to attack.

  • Execution

As with operational planning, this step will not be discussed at length due to the wide range of variation between different attacks. The most important point that needs to be made regarding execution is, again, like with operational planning, its position within the hostile planning cycle – most notably, how late it actually appears, and how many steps preceded it.

Escape and exploitation

Although this phase comes after the execution, and therefore falls in the preview of counter terrorism, it is still important to mention it for a number of reasons. First, in the same way that a terrorist attack is preceded by much planning, it is also followed by a considerable amount of work. It is at this point that we should be reminded again that the ultimate goal of terrorism is of a political nature; going far beyond the simple creation of destruction and terror. In order to reap the political benefits that the attack is meant to produce, careful escape from, and exploitation of, the attack is necessary.

When considering a suicide attack, many people believe that no escape takes place. But this comes out of the misconception that terrorist attacks only involve the attacker. In many cases there is an entire cell or terrorist network that needs to escape before exploiting the attack. An attacker, in this respect, can be analogised to a projectile – a guided missile – that has been launched by an organisation. These organisers – the ones who launch suicide attackers – are the ones who will need to escape afterwards. But it should be our goal not only to prevent them from escaping, but to proactively prevent them from launching their deadly projectiles in the first place.


Ami Toben
Ami Toben is Director of Consulting and Training at HighCom Security Services based in San Francisco, USA. A former Tank Commander in the Israeli Defence Force, Ami also specialises and lectures in the areas of terrorist activity prevention; surveillance detection; 
penetration testing 
and event & facility security management.