What early warning systems actually detect

Most organizations think an early warning system is software. A dashboard. A threshold alert that pings the security team when something gets flagged. That's monitoring. It's not warning.

A warning is what someone qualified does with the data after the dashboard pings. It's the interpretation. It's the structured judgment that says: "These signals, in this combination, mean this person is moving toward something we need to address now."

The software is the easy part. The hard part is the detection logic, the behavioral framework, and the trained team that knows what they're looking at. Early warning systems work when those three things are connected. They fail when organizations buy the dashboard and assume the rest will follow.

Here's what these systems actually detect when they're built correctly, and where they break down when they're not.

Early warning systems detect behavioral signals, not events

The misconception is that early warning systems predict violence. They don't. Prediction implies certainty about a future event. That's not how this works.

What these systems detect is the convergence of behavioral signals that, in combination, suggest someone is on a pathway toward harmful action. The signals are observable. The pathway is documented. The judgment about where someone is on that pathway is structured. None of it is a crystal ball.

The FBI's Behavioral Threat Assessment Center and the Secret Service's National Threat Assessment Center have published the underlying research for two decades. The findings are consistent across attacker populations. In the FBI's quantitative analysis of active shooters, 100% had evidence of a grievance against a specific target, 90% showed evidence of violent ideation, and 62% engaged in observable pathway behaviors, research, planning, preparation, breach. These behaviors weren't only visible in hindsight. They were observable in the months and weeks before each attack.

Someone could have seen them.

The signals an early warning system is designed to detect include:

• Direct or veiled threats - including statements of intent on social media, in emails, or to peers.

• Fixation on a specific target - repeated references, surveillance behavior, attempts at unwanted contact.

• Behavioral leakage - disclosures to friends, family, or co-workers about violent intentions, often disguised as venting.

• Acquisition behavior - research into weapons, tactical equipment, or prior attacks.

• Identification behavior - references to past attackers as role models, purchase of similar clothing or gear, mimicking language.

• Personal stressors - recent termination, divorce, financial collapse, legal proceedings, loss of housing.

• Capability indicators - access to weapons, training, or insider knowledge of a target's environment.

No single signal is enough to conclude someone will act. That's the part most internal teams get wrong. They wait for the one obvious red flag. By the time that shows up, the person is already at the breach stage, and lead time has collapsed to hours.

What an early warning system detects is the combination. Three or four signals, individually unremarkable, that together describe a pathway.

Behavioral analysis is the foundation

This is where the field separates from generic security software.

Behavioral analysis isn't profiling. There is no demographic, psychological, or socioeconomic profile that predicts violence. Decades of research from the Secret Service, FBI, and academic threat assessment programs converge on the same point: profiles don't work. What works is the analysis of behavior over time, in context, against a structured framework.

The FBI's Pathway to Intended Violence model is one such framework. It identifies six observable stages, grievance, ideation, research and planning, preparation, breach, and attack, that recur across cases of targeted violence. The model isn't strictly sequential. People skip stages. They loop back. Some signals stay hidden because attackers actively conceal them. But across enough cases, the same shape keeps showing up.

Behavioral analysis applies this framework to a specific subject. Not "does this person fit a type?", that question has no answer.

The actual questions are:

• What grievances does this person hold, and against whom?

• Are they engaging in research or planning behavior?

• Have they leaked intent to anyone? Do they have access to means?

• What stressors have converged on them recently?

• Are protective factors, family support, mental health treatment, employment, present or eroding?

The output isn't a probability score. It's a structured judgment, made by a trained team, about where a subject is on the pathway and what intervention is appropriate at that stage.

This is what separates predictive threat intelligence from threat monitoring software. Monitoring tells you what happened. Behavioral analysis tells you what it means.

Risk scoring is a structured framework

When organizations ask about "risk scoring" in the threat assessment context, they usually expect a number from one to ten. A traffic light. Green, yellow, red. Something they can put in a report.

That's not how risk scoring works in this domain, and the structured tools used by professionals make this explicit.

The WAVR-21, Workplace Assessment of Violence Risk, used by Fortune 500 companies, federal agencies, and university threat assessment teams, is a 21-item structured professional judgment guide. It does not generate a quantitative score. It guides a trained assessor through 19 violence risk factors, one protective factor, and one organizational impact factor. The assessor codes each factor as present, partially present, or absent, and arrives at a structured judgment about overall concern level.

The five "critical items", the red-flag indicators, assess violent motives, ideation, intent, weapons skill, and pre-attack planning. These five carry more weight than the others. But the tool does not let the assessor mechanically add them up. The point is to force a structured analysis that documents the reasoning, not to generate a number that can be misread out of context.

That structure is what makes risk scoring defensible. If the case ever goes to litigation, wrongful termination, negligent retention, failure to warn, the documented assessment is what a court evaluates. A traffic-light score is indefensible. A structured professional judgment with documented reasoning is what holds up.

The same logic applies to risk scoring in behavioral threat assessment more broadly. The score isn't the answer. The score is a label attached to the analysis. The analysis is what matters.

The "warning" part comes after detection

Detection identifies the signals. Warning is what the organization does with them.

Most early warning systems break here. The dashboard works. The signals are flagged. And then they sit in a queue because nobody knows whose job it is to interpret them, and nobody has the authority to act if interpretation suggests action is needed.

A functioning early warning capability requires three things connected to the detection layer:

A multidisciplinary threat assessment team with standing authority to investigate, interview, and recommend protective action. This team typically includes representatives from security, HR, legal, and depending on the organization, mental health, IT, and executive leadership. The team meets on a recurring schedule and convenes on demand for active cases.

A reporting infrastructure that people actually use. Most organizations have an anonymous hotline that nobody trusts. The Secret Service's NTAC research shows that bystanders observe concerning behavior in the majority of cases, but reporting rates are low when the system feels punitive, performative, or disconnected from outcomes. Reporting infrastructure works when employees and community members see it produce intervention, not punishment.

An intervention pathway with options. Detection without options is theater. The team needs the ability to recommend everything from welfare checks and EAP referrals to security adjustments, restraining orders, separation of employment, and law enforcement notification. Without that range of options, the team is reduced to writing memos.

This is what separates an early warning system that prevents incidents from one that produces post-incident reports about who saw what and didn't act.

Where these systems fail

The uncomfortable part of this field is that early warning systems often fail in ways that don't show up until after an incident.

The most common failure is fragmentation. HR knows about the performance plan. Legal knows about the lawsuit. Security knows about the parking-lot incident. IT knows about the unusual file access. Nobody connects them, because no one person sees all four data streams. The signals only look like a pattern when they're integrated. Without an assessment team that has access to all of it, the pattern stays invisible until it's too late.

The second failure is signal volume. When organizations expand monitoring without expanding analytical capacity, they generate more flags than the team can review. The result is alert fatigue. The most concerning cases get triaged into the same backlog as the noise. The Insider Threat Matrix research from 2025 found that organizations with mature behavioral analytics programs reduced incident time-to-resolution by 43%, but only when staffing scaled with detection coverage. Buying more sensors without more analysts makes the problem worse.

The third failure is downstream. Detection works. Analysis works. But there's no one with the authority to act on the recommendation, or the political support to act when acting is uncomfortable. The most common version of this is when a senior employee or executive is the subject. The team identifies concerning behavior. The recommendation is uncomfortable. Nobody wants to be the one to escalate it. The case stalls.

These failures are organizational, not technical. The technology side of early warning has matured. The institutional commitment side hasn't. That's where most organizations actually live.

What an operational early warning capability looks like

The systems that work share some characteristics, even across very different organizations.

Detection pulls from multiple data sources at once. Physical security incidents. HR events. Communications metadata, where it can be lawfully collected. Public-source intelligence. Financial-stress indicators where relevant. Bystander reports. No single source is sufficient, and most of the value comes from integration. A single signal in HR is a personnel issue. The same signal alongside three others, surfaced over four months, is a case.

Analysis applies a structured framework to active cases, typically the Pathway to Intended Violence model alongside a structured professional judgment tool like WAVR-21. Trained analysts produce documented assessments, not gut calls. The documentation matters as much as the assessment itself.

Action connects the assessment to a real range of intervention options, welfare checks, EAP referrals, security adjustments, separation of employment, restraining orders, law enforcement notification. Cases that escalate are handed off with context, not panic-dialed in.

Governance reviews case outcomes, calibrates the system over time, and reports to leadership on metrics that actually mean something, case volume, time to assessment, intervention outcomes, repeat incidents. Not alert counts. Alert counts can go up while the system gets worse.

This is what predictive threat intelligence looks like as an operational capability, not a product category. The technology supports the work. It doesn't do the work.

The organizations that get this right don't treat early warning as a software purchase. They treat it as a capability they build, staff, train, and review. The ones that get it wrong end up in the post-incident debrief, going through their own logs, finding all the signals that were there, and explaining why nobody put them together.

The signals are almost always there. The question is whether the system was built to see them.

Frequently asked questions

What is an early warning system in threat assessment?

An early warning system in threat assessment is a structured capability that detects, analyzes, and acts on behavioral signals indicating someone may be moving toward harmful action. It combines integrated monitoring, behavioral analysis, structured risk scoring, and a multidisciplinary response team. The goal is lead time, identifying concerning patterns early enough to intervene before an incident occurs.

How is an early warning system different from monitoring software?

Monitoring software detects events and flags them against a threshold. An early warning system uses that data as input, but the warning comes from trained analysts interpreting the signals against a behavioral framework. Monitoring tells you what happened. An early warning system tells you what the pattern means and what the organization should do about it.

What signals do early warning systems look for?

Early warning systems look for behavioral signals associated with the pathway to violence: grievances against specific targets, fixation, behavioral leakage of intent, research and planning behavior, weapons acquisition, identification with prior attackers, and personal stressors that converge with concerning behavior. No single signal is conclusive. The system detects combinations and trajectories over time.

What is risk scoring in threat assessment?

Risk scoring in threat assessment is a structured framework for documenting an analyst's judgment about a subject's level of concern. Tools like the WAVR-21 guide assessors through specific risk factors, but the output is a structured professional judgment with documented reasoning, not a single number. The score labels the analysis. The analysis is what matters in practice and in any subsequent legal review.

What is behavioral analysis in this context?

Behavioral analysis in threat assessment is the structured evaluation of an individual's observable behavior over time, against a documented framework like the Pathway to Intended Violence model. It does not use demographic or psychological profiles, which decades of research show do not predict targeted violence. It evaluates grievances, intent indicators, capability, and protective factors specific to the subject and their context.

Can early warning systems prevent violence?

Early warning systems can identify concerning patterns early enough to enable intervention, which has prevented incidents in documented cases. The Secret Service's NTAC research on averted attacks shows that the majority involved someone reporting concerning behavior to authorities. Prevention isn't certainty. It's lead time, properly used. Systems that detect signals but lack the response capability to act on them don't prevent anything.

Sources

Federal Bureau of Investigation. (2024). Pathway to Intended Violence Model - Quick Reference Guide. FBI Behavioral Threat Assessment Center.

Federal Bureau of Investigation. (2017). Making Prevention a Reality: Identifying, Assessing, and Managing the Threat of Targeted Attacks. FBI Behavioral Analysis Unit.

National Threat Assessment Center. (2024). Behavioral Threat Assessment Units: A Guide for State and Local Law Enforcement to Prevent Targeted Violence. U.S. Secret Service.

National Threat Assessment Center. (2021). Averting Targeted School Violence: A U.S. Secret Service Analysis of Plots Against Schools.

White, S., & Meloy, J. R. (2016). WAVR-21 V3: Workplace Assessment of Violence Risk (3rd ed.). Specialized Training Services.

Jones, N. T., Williams, M. M., Cilke, T. R. R., Gibson, K. A., O'Shea, C. L., & Gray, A. E. (2024). Are all pathway behaviors observable? A quantitative analysis of the pathway to intended violence model. Journal of Threat Assessment and Management.

Calhoun, F. S., & Weston, S. W. (2003). Contemporary Threat Management: A Practical Guide for Identifying, Assessing, and Managing Individuals of Violent Intent. Specialized Training Services.

Insider Risk Index. (2025). Insider Threat Matrix: Behavioral Analytics 2025.

Ponemon Institute. (2025). Cost of Insider Threats Global Report.