Counter-Ambush Tactics for Security Professionals

(This is the second article on Counter Ambush Tactics from ISDA Member Thomas Pecora; the first article can be read here.)

As security personnel working in a protective operations role, we are tasked to do everything we can to keep our protectees safe.  By far the best method to accomplish this goal is to adopt a predictive, preventative strategy for protecting clients based on the tenets of Detect, Deter, and Defend.  To effectively employ these tenets, we need some very specific soft and hard skills. In the protective operations world, the “soft” skills are sometimes referred to as Protective Intelligence (PI) while in other security disciplines they are referred to as situational and tactical awareness skills.  If we are unable to prevent or avoid an attack, we need to have expertise in specific “hard” skills such as the use of firearms and security driving so that we can survive an ambush. (The Proactive Tool of Protective Intelligence )

Terrorist Attack Cycle

There have been significant studies done to understand how assailants plan and then conduct their attacks.  The result of this research is a basic blueprint for how most attacks are conducted.  This blueprint is called the Terrorist Attack Cycle.  Over time, it has proven to be very effective in helping us understand and counter the steps commonly used by terrorists and criminals when they plan and execute an attack (read kidnapping, assault, assassination, etc.) against an individual or individuals.   Examining each step of the attack cycle is a useful way to identify and examine the tactics and tradecraft required to complete each step.

Threat Environment and Security Plan Analysis

Before specifically addressing the Terrorist “Attack Cycle,” we need to conduct two critically important assessments. The first assessment is a thorough review of the current threat environment for the protectee; specifically, to determine who the adversaries are and then learn the Tactics, Techniques, and Procedures (TTPs) they employ. We call this area of study Assailant Methodology, and only by acquiring this information can we realistically plan and prepare to detect and avoid or defend against possible ambushes. For example, some assailants specialize in kidnappings while others are known to be very adept at assassinations.

Once we understand who is most likely to attack our protectee and the tactics they would employ, we need to assess how our protectee’s security stacks up against the likely attack methodology. Specifically, we are looking for vulnerabilities in our security plans with respect to the common tactics/tradecraft used by our most likely attackers.

The Attack Cycle

Using the data collected during our two assessments, we are now ready to effectively address the “Attack Cycle.” The attack cycle is often described as having 6 to 8 steps depending on the sophistication of the attackers. We will be using a 7-step attack cycle as this allows us to focus on specific aspects most useful for protective operations. The seven steps include Initial Target Selection, Surveillance, Attack Planning, Additional Surveillance/Rehearsal, Pre-Attack Deployment, Attack, and Escape.

At the beginning of the attack cycle, the assailant must decide on a target (Initial Target Selection). In many cases, they have multiple potential targets, so they need to gather data about these targets (Surveillance), plan the attack based on information gathered during the surveillance phase (Attack Planning), assemble the team and conduct additional surveillance and possibly a rehearsal (Surveillance/Attack Rehearsal), assemble at the attack site (Pre-Attack Deployment), conduct the Attack, then Escape. 

It is very important that we do not interpret the concept of the attack cycle too literally.  Every threat element is different, and their training, skills, and resources affect the way they approach the planning and execution of an attack.  Also, different types of attacks require different degrees of planning and preparation.

Protective Intelligence and Hard Skills

There are a variety of activities, strategies, and skills that security personnel can use to exploit the weaknesses in the assailant’s attack cycle. These include Route Planning and Analysis, Surveillance Detection and Counter-Surveillance, Attack Recognition, and Countering the Surprise Factor. The last element, Evasive Action, will require the use of hard skills (firearms, tactical security driving, etc.) by security personnel to be effective.

Route Analysis is the tactical examination of our environment from the point of view of an attacker looking for potential attack sites, chokepoints, or any hazards which may cause our protectee harm or impact our ability to move the protectee from one location to another securely. Potential attack sites provide the enemy with the ability to control our movements, provide them with cover and concealment, and leave them with potential escape routes. The actual location where we feel the attacker would stage or initiate the attack (where the most firepower would be used) is called the “X.”

One critical aspect that security personnel should focus on is “Chokepoints.” These are areas that we are required to travel through when moving from one location to the other. Chokepoints can be the result of geographic features (bridges over rivers, parks), traffic patterns (only road between two points), or architectural features (buildings and structures) which restrict our movements. At a minimum, all movements have a chokepoint at the beginning of the movement (departure point) and the end of the movement (arrival point).

Time and Place Unpredictability is the practice of varying routes and times to avoid providing the attackers with a predictable pattern that they can capitalize on to stage an attack. This forces the attackers to spend more time and effort to find an attack site and reduces the number of probable attack sites that the Protective Detail must focus on. This tactic has been shown to be a critical element in protective operations. Historical studies of assassinations and ambushes have shown that if the victims vary their routes and times (are time and place unpredictable), the attack will most likely occur in one of the chokepoints. Route analysis, done correctly, will show us where we are vulnerable (ambush sites and chokepoints) and help us determine the most likely attack sites (i.e., the “X”). We can then pay more attention to these areas.

Protective Operations Surveillance Detection

To target our protectee, an attacker must know where we are, when we depart, and when we will arrive at a location.  At a minimum, they must be aware of our presence early enough to prepare to act. While more sophisticated attackers can gather this data electronically, at some point all attackers must employ “eyes on” the target.  Surveillance Detection (SD) in the protective operations world involves specific activities that help us determine if someone has us under surveillance.  Specifically, SD is done to determine if a hostile element is surveilling our protectee (or our security personnel) to collect information that will later be used to plan and execute an attack, assault, assassination, or kidnapping against our protectee.  SD, as a skill set, is considered a critical defensive capability for modern protective teams. Within the Attack Cycle, there are usually three surveillance steps (Initial Target Selection, Post Target Selection, and Pre-attack Surveillance) that provide us with the best opportunities to detect hostile surveillance. 

Thinking like the attacker, we need to find the most likely Surveillance Points near our protectee’s work, residence, along routes, near chokepoints and around all potentially viable ambush sites. We need to analyze potential surveillance points looking for the likely places where the Surveillants will be located and the possible methods they may use to blend into their environments. For example, a local park across from the protectee’s residence may provide ample cover for a surveillant.

Once we have located likely surveillance points, we begin to look for correlation (i.e., movement by people or vehicles which corresponds to or is concurrent with our movements).  Additionally, we need to look for some common mistakes made by the surveillants (unnatural movements or activities, staring, note-taking, photography, etc.).  Upon discovery of some correlation or unusual activity, we need to immediately investigate. We can investigate using in-house capabilities covertly or overtly (using law enforcement to conduct interviews, arrests, site inspections, etc.).

Strategically, anytime we observe people in likely surveillance points, we must do a hard focus on them using our surveillance detection skills. Just being in the critical location should raise our suspicions about these people, so we need to look for signs of surveillance (correlation of movement, mistakes, and other surveillance behavior). If we observe any specific suspicious activity in these critical areas, we need to respond (change our routes and times, post obvious security in the chokepoints, contact law enforcement, etc.).

Surveillance Detection (SD) is very effective against the initial surveillance step in an attack as untrained personnel are frequently used, and this surveillance takes place over a long period.  With sophisticated terrorist/criminal elements, SD is less effective against the final surveillance step (Post Target Selection) as they will most likely use trained/experienced personnel and this surveillance takes less time.  We need to employ SD during every movement especially near chokepoints and potential ambush sites.

Suggested Reading – The Science of Surveillance Detection and Security Driving

Counter-Surveillance vs. Surveillance Detection

In the 90’s, several elements within the US government began to deploy specialized units to specifically augment the SD activities performed by the protective details.  These units were called Counter Surveillance (CS) Teams.  There are some subtle differences between SD and CS as well as some differences in how some organizations define CS and SD.  In the intelligence community, SD is a tactic conducted by the target of the surveillance while CS is done by other elements that are not part of the protectee’s security package.  Additionally, CS may be used to actively investigate the surveillance activity.

While most protective teams do not have the luxury of having a dedicated CS team, there are low-budget methods which provide a similar effect. One method is to assign one or more protective personnel to conduct targeted sweeps through the neighborhood where the protectee lives, through likely ambush sites, and near all established chokepoints. These activities are done separately from any of the protectee’s movements. When we do these types of sweeps before the protectee’s movements, we call them “Advances” and any surveillance detection done under these circumstances falls under the SD category. Advances are especially useful for detecting deployed attack teams.

When conducting both SD and CS type sweeps, we are looking for signs of surveillance which are part of the attack cycle. By homing in on specific areas where surveillance is likely to be conducted, we can reduce the number of areas we need to cover, thereby allowing us to increase our accuracy. When we observe any specific suspicious activity in these critical areas, we need to investigate using in-house capabilities as well as any law enforcement liaison.

Of course, the CS team members and advance elements preceding the protectee’s motorcade also need to be looking for potential deployed attack teams in all likely ambush and chokepoint locations. These two elements give us the best chance to avoid an ambush that has moved to the final stages of the attack cycle.

Attack Recognition

We need to use the same skills we use when we are performing surveillance detection when we are looking for signs of a possible attack.  We must be aware of our environment, looking ahead, “anticipating” problems or threats, and mentally preparing for a potential threat by playing the “What If” game (i.e., mentally asking ourselves what we will do if we see a situation developing).  We also need to be ready to increase our awareness level if we notice anything unusual. This is especially critical in chokepoints and potential ambush sites.  Specifically, we are looking for unusual interest in our movements (on foot or in a vehicle), anything which slows or stops our movement, any unusual activities by pedestrians or vehicles, and of course, we are looking for any visibly deployed attack elements and vehicles. In a nutshell, we are looking for anything which causes us to feel that “something is wrong.”  If anything unusual is observed, we must immediately raise our awareness level, find the problem, and mentally prepare to react to the environment by thinking of possible options.

Countering the Surprise Factor

The assailants do everything they can to capitalize on the element of surprise as this factor directly contributes to their ability to execute their attack with maximum effect.  If we did not/could not avoid the attack by recognizing the pre-attack surveillance/ambush team deployment phase, we must try to avoid the “surprise factor” (attack recognition) and implement our pre-planned evasive action.

If we “anticipate” and mentally prepare we will not be surprised, and therefore we will not go into “SHOCK” if an attack occurs.  Shock is a condition when the body reacts to great stress, releasing chemicals into the muscles at such a rate that the muscles are overloaded, interfering with their normal functioning, to include possibly freezing up.  This reaction can last three seconds or more.  Shock can dramatically affect our ability to think and to act in an emergency, when three seconds may be all the time we have to act and save ourselves.

Avoiding being surprised directly affects the lethality of the attack and increases the survivability of the target. Some statistics cited say that the assailant has a 91% chance of success if the target (and the security elements) are caught by surprise. This percentage is dramatically reduced if the target/security element recognizes the attack any time before the moment that the target reaches the planned attack site – the “X.” If victims have had less than a 10 percent chance of survival when caught by surprise on the “X,” then the key element in our defense is to avoid being “Surprised” by recognizing the attack before it happens. This pre-attack recognition factor cannot be over-emphasized.

Evasive Action and Immediate Action Drills

In an ambush situation, the attacker has the following advantages: the element of “surprise,” knowledge of the area/terrain, greater speed and mobility, and the potential to establish total command and control of the ambush site. Security elements must understand the potential TTPs of the assailants, predict the likely attack sites, and develop attack reaction tactics, both evasive and defensive. Historically, 85% of assassination-type attacks occur near the residence and in or near the vehicle. If we can anticipate an attack, even for a few seconds, we have a much better chance to execute specific pre-planned maneuvers to defeat an ambush.

Immediate Action Drills:  For security professionals, the immediate action drills we do in training prepare us to react to a potential attack when we are caught near or on the “X.”   Security teams should have planned and rehearsed these procedures until they can be done without hesitation. This includes observation and initiation (“Contact Right” or “Gun Left”) and then the appropriate tactical response by the security elements (especially the driver if the situation involves an ambush on the motorcade). 

Depending upon the terrain, the type of ambush, the vehicles being used, etc., the specific immediate actions may differ but, in general, the best reaction to a threat is to move (preferably away from the attackers). Any effort which results in our movement off of, and away from, the “X” is better than sitting still. By moving we gain options and increase our survivability. Almost every study on ambushes has shown that any actions that get the targets off the “X” (the attack site) increase the target’s chances for survival. We also need to ensure our actions/responses to an attack do not lead us into a secondary ambush.

As security professionals, we spend a lot of time with our protectees in or near our vehicles and, as noted, a significant number of attacks on protectees occur around the vehicle. We stand a much better chance of survival if we take any action during an attack. While there are a wide variety of actions we can take during an ambush, we can still be highly effective if we remember one key concept – “MOVE”!

As security professionals, we must use all the tools available to protect our clients.  We need to understand and counter the assailant’s attack cycle.  “Protective Intelligence” activities and strategies (route planning and analysis, surveillance detection and counter-surveillance) will help us to recognize hostile surveillance and potential danger areas.  Additionally, we must prepare for the worst-case scenario – an ambush.  By using pre-attack recognition skills, we avoid being caught by surprise, so we can use our hard skills (firearms and security driving) and implement our Immediate Action tactics (“MOVE”).  Preparation is critical.  The US Secret Service lives by the mantra that the overall protective capability of a protection detail never exceeds the level of preparation conducted by the security elements.  In other words, if you fail to prepare, prepare to fail.
