The Hostile Planning Process

The hostile planning process is the logical series of phases and steps that take place while planning a hostile attack. The steps that are going to be detailed in this article do not come out of strictly theoretical research, but rather from the study of actual case studies, including interviews with captured members of terrorist organizations, who have disclosed the mechanics of their hostile planning.

It must be mentioned that not all hostile attacks follow a comprehensive textbook version of the hostile planning process. These non textbook cases are only non textbook to the extent that some of the steps in them might have gotten shortened and/or omitted, but the general order of the phases and steps, and most importantly, the rationale behind them, remains consistent. This consistency does not suggest that there is some secret connection between all criminals and terrorists, but rather that rational and logical individuals who are balancing various risk/benefit analyses during the planning of a pivotal event will almost always follow certain patterns of thinking and behavior.

The main phases of the process are:

  1. Initial collection of information.

  2. Analysis, planning and training.

  3. Execution.

  4. Escape and exploitation.

As you can clearly see, these phases are simple, logical and all but self explanatory. They form a very basic process that’s used by almost every criminal, whether he/she is a terrorist or not. These are the exact phases and steps one would follow when planning a bank robbery, a theft, or a kidnapping. In fact, anyone who has spent any time in the military might also recognize these phases and steps, as these are the exact same ones that are used for military operations as well. These somewhat surprising similarities appear because logical individuals and groups (regardless of their agendas) tend to follow the same human nature oriented patterns when faced with a challenge. This is precisely why understanding this process is so important. Only after we have abolished the mysteries behind hostile planning, will we be able to effectively eliminate most of the guesswork behind its prevention.

The following is one example of a highly detailed hostile planning process – a textbook case. Bear in mind that there are many different variations on the hostile planning process, and that this is simply one of many. The idea behind understanding a textbook planning process (even though most hostile plans are less thorough) is to understand the rule before considering the many exceptions to it:

Initial collection of information

  •  Selection of potential targets.
  •  Open source information collection.
  •  Initial surveillance.

Analysis, planning, and training

  •   Final target selection.
  •   Operational surveillance.
  •   Operational planning.
  •   Training and rehearsal.
  •   Advanced surveillance.


  •   Last minute surveillance.
  •   Execution.

Escape and exploitation

The following is a detailed breakdown of the various phases and steps of the hostile planning process:

Initial collection of information

The main objective of this stage is to collect enough information in order to:

A. Gain a base level understanding about the potential targets.

B. Select the best target for an attack.

  • Selection of potential targets

The first step in the hostile planning process happens to be one of the least understood yet most important points in the process. Notice that the word targets appears in its plural form. It is important to stress this point in order to show that the planning of a potential attack begins with a number of potential targets. No consequential attack hinges solely on one ‘do-or-die’ target or location. Terrorism, for example (as mentioned before), has a political goal, and in order to meet this goal one of any number of potential targets may be selected. Though terrorist attacks are usually named after the location where they take place, the location is only a tool – not the goal. For this reason, it is logical to begin with a number of potential targets, collect enough information on each one and then select the best target.

  • Open source information collection

Open sources of information are all forms of unclassified information that one can obtain remotely. This includes any and all forms of media, public records, advertising, public notices, etc. In this day and age, almost all said categories of information can be found on the internet.

The logic of starting the information collection process with open sources is that this is not only easy, and usually free, but gives one access to an enormous amount of information, which is also very safe to collect. A hostile planner can do this from anywhere in the world, as is often the case. The type of information that is collected usually includes detailed maps (including Google street view, when available), Photographs, schedules, information about operations and special events, information about key figures, and so on.

Although there were a number of attacks in recent history that were conceived of after an article in a media outlet had effectively plugged the potential target into this step, in the majority of cases, hostile entities will simply make use of the plethora of relevant information that is readily available on the internet at any given time.

  • Initial surveillance

Initial surveillance is the first time that the hostile entity will go out to the field and physically observe the potential targets (remember, a final target selection has not yet taken place, so various potential targets are still being considered).

The main objectives of this step are:

A.    To confirm the validity of the information that had been collected from open sources.

B.    To continue collecting additional information that cannot be collected from open sources.

C.    To narrow down the list of potential targets in order to select the best target.

Although large files can be compiled on any given location from open sources, there is no substitute for actual eyes in the field. Only through actual observation can it be conclusively confirmed that the information that had been collected from the open sources is valid and dependable. In addition, only through direct observation can the hostile entity collect many more vital pieces of information that cannot usually be found in open sources. One such important piece is security, which most properties don’t exactly advertise or detail on their websites. There are, of course, many more pieces of information that also factor into this step. Much more details will be given regarding surveillance in future articles.

Analysis, Planning, and Training

After a sufficient amount of information is collected on the potential targets, the analysis stage begins with comparing and contrasting the various potential targets in order to select the one most suitable for attack. This is then followed with more collection of detailed information about the selected target, which leads to operational planning, training and rehearsal, and advanced surveillance.

  • Final target selection

Selecting the most suitable target for attack is one of the most crucial decision making junctures in the hostile planning process. The ideal target for terrorism is one that combines a high level of public exposure (a famous location) with a high level of ease. This ideal situation will not usually be found, however, because in most cases, the higher the exposure is (the more famous and important a place is), the lower the ease factor becomes, and vice versa.

 In almost every single case that has been documented, it is the easiest target that is selected for attack. This finding should not be very surprising when considering the risk/benefit ratio that the hostile entity has to calculate. The simple fact of the matter is that a rational hostile entity will choose the target that can give them the highest chance of success and the lowest risk of failure. In this respect, ease will always take precedence over exposure. Bear in mind that if a location’s level of exposure was so low that nobody ever heard of it, it would probably not make it into the initial selection of potential targets step in the first place. Moreover, the attack itself, if successful, will probably elevate the target’s level of exposure even more (Oklahoma City).

It is important to keep in mind that there are three different and compounding types of ease that are considered. The first is the ease of executing the actual physical attack – the ease of, say, entering a building with a weapon, or parking a car-bomb outside the main entrance, etc. The second, and slightly less obvious type, is the ease in which operational information about the target can be gathered – how easy it is to figure out the target’s vulnerabilities, security measures, etc. The third, even less obvious than the second, is the ease in which operational information can be collected, while still remaining covert. Terrorist organizations (indeed, most criminal entities) rely very heavily on the element of surprise, and are very sensitive to the difficulties of remaining covert while collecting the large amount of information that is needed for an attack. A potential target that the hostile entity can more easily collect information on, and more easily remain covert while doing so, will be much more attractive.

  • Operational surveillance

After the initial collection of information is complete and a target has been selected, it becomes necessary to collect detailed information on the selected target in order to put together a detailed plan of attack. The main goal here is to collect as much data as possible. I purposely used the word data here because the idea is to record as much non directional information as possible. This information is non directional because operational planning has not yet provided an exact direction. Operational planning will subsequently put a plan around an identified vulnerability, but at this stage, the hostile entity might have not yet established which vulnerabilities exist, and which vulnerability is the best one to build a plan around. In order to do this, the hostile entity will need to collect a very large amount of information, and for this reason, operational surveillance can be quite a lengthy step, especially in the west, where it can take weeks or even months to conduct.

It is not uncommon for hostile entities to also employ a bit of “subcontracting”, so to speak, when attempting to collect information. In many cases, this takes the form of children who are being used for collecting information on targets. A child might be sent to ask employees, or even security personnel, questions regarding the target and its security procedures. The reason children are used so commonly is because they appear less suspicious when asking about detailed information. It is often the case that these “subcontractors” do not even realized they have been conscripted for the purpose of gathering operational intelligence, and might either falsely believe that there is another reason behind it, or simply do it for money.

I will not go into detail about hostile surveillance operations here, and will dedicate an entire article (or more) to the subject in the near future.

  • Operational planning

After a sufficient amount of information had been collected and analyzed, the hostile entity will formulate a plan of attack. Operational planning tends to be most dependent on the capabilities and resources of the hostile entity, the structure of the target and the ease factors that were mentioned above.

This step will not be discussed at length because of the wide range of variation that exists among attack plans, and because of the relatively little amount of influence that private security personnel can physically exert on it – considering the fact that this step might very well be taking place in a different country. It is therefore advisable to not delve too deeply into the specifics of it, and to simply remain open minded about all the logical possibilities.

  •  Training and rehearsal

After the plan of attack has been formulated, the next step is to make sure that the attack can be carried out according to this plan.

Training and rehearsal are, in fact, two different things. Training refers to physically carrying out the attack, and operating the weapons that will be involved. If an attack involves a single shooter with a firearm, for example, then the attacker needs to be trained on firearm usage. If improvised explosives are involved, then training in the manufacturing of the explosives is necessary, along with training on, and testing of, the delivery system and detonation device. Training activities involving firearms and explosives usually take place far away from the intended target, and often even happen in a different country. Careful attention to this step can very well make the difference between a successful attack, where, for example, improvised explosives are tested beforehand – as Timothy McVeigh did, and failed attacks where the explosives and detonation devices were not tested beforehand – as was the case with Richard Reid, Umar Farouk Abdulmutallab and Faisal Shahad.

Rehearsal, unlike training, refers to conducting dry runs on the actual intended target. This means that no firearms or explosives are used, or even carried in most cases, but that an actual physical dry run of the attack takes place on the actual target. Dry runs can take place in many different ways and are dependent on operational planning. There have been documented cases of would be attackers entering and exiting an intended target, cases where an empty bag is placed where a bomb is intended to be placed later, cases where prospective hijackers board the same flights they intend to hijack in the future, and so on.

As rehearsals take place on the actual selected target, and as covert collection of information (surveillance) is an intrinsic part of any rehearsal, this step is strongly connected to the advanced surveillance step.

  •  Advanced surveillance.

The best way to begin explaining advanced surveillance is by pointing out its differences from operational surveillance. As mentioned above, operational surveillance is a wide angled collection of a large amount of raw – non directional – information. Conversely, advanced surveillance occurs after a plan has been formulated, and gives the hostile entity the opportunity to observe the target in a precise and directional way – with the plan in mind.

As for the connection between advanced surveillance and rehearsals, any action that takes place during a dry run also supplies the hostile entity with additional information that needs to be covertly collected. In cases where a dry run calls for a backpack, for example, to be placed at a strategic location (in order to test if a bomb can be placed there later), the act of observing how people react to this will be a part of advanced surveillance. Advanced surveillance gives the hostile entity the best chance to put all the pieces of the plan together and judge if the plan is ready for its execution stage. If certain problems are discovered however, the judgment might be to go back to the training and rehearsal stage and conduct additional training and/or rehearsals. If the problem is bigger still, the decision might be to go even further back, to the operational planning stage and change the plan. An even bigger problem might make the hostile entity decide to go all the way back to the final target selection stage and choose a different target. And an even bigger problem still, might convince the hostile entity to abandon its plan altogether. But if all the pieces of the plan seem to fit, the decision will be to proceed towards the execution phase.


Execution, as you can see, is both a phase and a step. The step of execution is the actual physical attack, but the phase of execution covers the time frame of the attack. Both last minute surveillance and execution happen within this single time frame, whether it is a few minutes or a few hours.

  • Last minute surveillance

Last minute surveillance happens right before the physical execution (the actual attack), and is most often conducted by the actual attacker(s) him/herself. In its simplest form, it is comprised of a single attacker who observes his/her target immediately before attacking it, and is the last chance to decide if the immanent execution will take place or not. The length of this step can vary quite widely from case to case. From the perspective of the hostile entity, the desire would be to shorten the length of last minute surveillance as much as possible. The reason for this is that the attacker, who is under considerable stress, might get exposed, or even change his/her mind, the longer he/she is observing the target. However, in order for this step to be short (no longer than a few minutes at most), the preceding steps of the hostile planning cycle must be conducted properly. Only if enough information is collected on the target beforehand, and enough analysis, planning and training have taken place, can last minute surveillance be short and direct. If, on the other hand, steps had been omitted or shortened, then important parts of the work would need to be plugged into the last minute surveillance step; extending its length and increasing the chances of the attacker being detected. One of the hallmarks of less prepared and/or less capable attackers is a lengthy and sloppy last minute surveillance step, where a nervous and suspicious looking individual is seen lurking around before an attack. Conversely, some better prepared attackers (9-11, Mumbai, Oklahoma City) waste very little time in this step, and jump into action very quickly, knowing precisely how, when and where to attack.

  • Execution

As with operational planning, this step will not be discussed at length due to the wide range of variation between different attacks. The most important point that needs to be made regarding execution is, again, like with operational planning, its position within the hostile planning cycle – most notably, how late it actually appears, and how many steps preceded it.

Escape and exploitation

Although this phase comes after the execution, and therefore falls in the preview of counter terrorism, it is still important to mention it for a number of reasons. First, in the same way that a terrorist attack is preceded by much planning, it is also followed by a considerable amount of work. It is at this point that we should be reminded again that the ultimate goal of terrorism is of a political nature; going far beyond the simple creation of destruction and terror. In order to reap the political benefits that the attack is meant to produce, careful escape from, and exploitation of, the attack is necessary.

When considering a suicide attack, many people believe that no escape takes place. But this comes out of the misconception that  terrorist attacks only involve the attacker. In many cases there is an entire cell or terrorist network that needs to escape before exploiting the attack. An attacker, in this respect, can be analogized to a projectile – a guided missile – that has been launched by an organization. These organizers – the ones who launch suicide attackers – are the ones who will need to escape afterwards. But it should be our goal not only to prevent them them from escaping, but to proactively prevent them from launching their deadly projectiles in the first place.

In the next article, I will detail specific case studies and show exactly how the hostile planning process was applied in each case.

Protection Circle_avater_due i Ikon

Learn more about this subject—and many others—in my master class on Hostile Activity Prevention. Utilizing Israeli know-how and delivered by me, Ami Toben, this online course teaches actionable, time-tested methods of prevention, detection and disruption of hostile attacks.

23 thoughts on “The Hostile Planning Process

    1. Hi Phil.
      Thank you for your readership.
      These theories and statements are based on many years of unfortunate Israeli experience in this field. My next article will include some of the case studies on which this is based on. I hope it will make things a bit more clear before I continue on towards the methods that can disrupt and prevent hostile planning.

  1. I would certainly wait for the case studies in your next article. I hope the case studies will include lone wolves.

  2. […] Though the term surveillance can be generally applied to various types of activities and electronic measures, this article is dedicated to the HUMINT type of physical surveillance, which can be defined as: The covert observation of a target for the purpose of collecting information. This short sentence is loaded with the three key ingredients of surveillance. The first two ingredients are covertness and physical observation – take one of these factors out, and you no longer have what we consider surveillance. If physical observation is done overtly, willingly allowing the target to see it, then this would simply be physical observation rather than surveillance. Conversely, if an operative is conducting him/herself in such a covert manner that he/she cannot really observe the target, then this would simply be hiding undercover rather than conducting surveillance. The fact that physical surveillance necessarily combines observation and covertness is one of the main reasons why surveillance is such a challenging undertaking. Finally, the third ingredient of surveillance is collection information. After all, such challenging and risky activities aren’t simply performed for the fun of it. The goal of hostile surveillance – the entire reason for doing it in the first place – is to collect crucial information that is necessary for planning an attack. […]

  3. I have seen first hand the hostile planning process in action. As you state, in some cases not all steps will be employed or will be abbreviated. Terrorist organisations in Northern Ireland used this process to good effect for nearly 40 years (the republican groupings especially).

  4. I have glanced through the writeup. It seems that the process has been based on the writer’s experience with terrorism cases related to Hamas/Hezbollah. The threat which Al-Qaeda or Taliban pose is quite different as per my personal experience. First the planning process is very detailed and extensive to exploit the inherent weaknesses of the ground and weather and second and very important that most of their missions are self destructive i.e. no coming back. Training and level of motivation of the participants are the two very important deciding factors. To stop them training freely the Drones have created an umbrella in the sky but there is no answer to the achieving any drop in the level of motivation. I will appreciate if you can highlight this aspect and suggest some measures in your future writeups. A very good effort. Keep it up

    1. Thank you for your comment, Tariq.
      As for the points you raised, let me assure you that this hostile planning process has a much wider base in case studies than just the attacks by Hammas and Hezbollah. In fact, I would challenge you to come up with a single attack, from any organization, that did not tightly or loosely follow this same process. Keep in mind, as I have mentioned in the article itself, that not every case is a textbook case – but even non textbook cases still follow the steps, in the same order, but with some abridgments.
      As for suicide attacks, this is far from any exception to this rule. For one thing, there is nothing about a suicide mission that prevents a person from doing his/her best to achieve their goal. Secondly, we should not only focus on suicide attackers, since in many cases they are just the projectiles that are sent out from a larger organization – and it is the organization (people who do not commit suicide) that is responsible for most of the planning.
      Please take some more time to read this articles, and the following articles that were written afterwards, in order to understand my arguments a bit better.
      Thank you again.

  5. Thank you for attack deterrence as this teaches me to review my protection strategies and also the hostile planing pro cess which awakens u s to counter the process to weaken their strategies.

  6. very interesting article, well written insightful and informative. I will carry on with the series , thanks for sharing this.

  7. […] than react to attacks. For this reason, it becomes more important than ever to understand the hostile planning process of an attack. Only once we understand this type of hostile planning, locate its weaknesses, and […]

  8. […] take risks for no good reason. The way an adversary most often works is by following some form of hostile planning. Even if this process is short and not very professional, at the very least, it’ll be based on […]

  9. […] at the entrance appeared to get ready to make his move. It looked to me like this might be a last-minute surveillance before an attack. I was working solo and couldn’t leave my post but simply had to do […]

Leave a Reply to Terrorism – Tools and GoalsCancel reply