What is a threat assessment and why most organizations get it wrong

Most organizations hear "threat assessment" and think of a checklist someone fills out after an incident. A form that gets filed. A box that gets checked. That is not a threat assessment. That is paperwork masquerading as prevention.

A threat assessment is a behavior-based inquiry process designed to identify, evaluate, and manage individuals who may be moving toward violence or targeted harm. It looks at what someone is doing, not what category they fit into. It watches for escalation, not just explosion. And when it works, nobody hears about it, because nothing happens.

The problem is that most organizations don't have one. Or they have something they call a threat assessment process, but it amounts to a policy document that sits in a shared drive until someone gets hurt.

The gap between policy and prevention

The U.S. Secret Service's National Threat Assessment Center has been publishing research on targeted violence for over 25 years. Their data is consistent and clear: people who carry out mass attacks display observable warning behaviors beforehand. In their analysis of 173 mass attacks between 2016 and 2020, NTAC found that 65% of attackers exhibited behaviors that concerned the people around them before the attack occurred. In 57% of those cases, the concerning behavior made observers fear for their safety or the safety of others.

Those are not small numbers. That means in the majority of cases, someone saw something. Someone noticed a change. And in most of those cases, the information either went nowhere or landed with someone who didn't know what to do with it.

That is the gap a functioning threat assessment process is supposed to close.

What a threat assessment actually looks like

A threat assessment is not a prediction tool. The FBI, the Secret Service, and every credible practitioner in the field will tell you the same thing: the goal is not to predict who will become violent. The goal is to identify concerning behavior, gather context around it, evaluate the risk, and intervene before harm occurs.

The U.S. Secret Service released a six-step framework in October 2024 specifically for state and local law enforcement agencies to build behavioral threat assessment units. That framework applies beyond law enforcement. The core logic is the same whether you're running a corporate security program, managing a school campus, or overseeing executive protection:

Establish a multidisciplinary team. Threat assessment is not a one-person job. It requires perspectives from security, human resources, legal, behavioral health, and operational leadership. Each discipline sees different pieces of the picture. None of them sees the whole thing alone.

Define reporting pathways. People need to know where to bring concerns and feel safe doing it. If reporting means going through three layers of management or risking retaliation, people will stay quiet. The Secret Service's own research shows that bystander reporting is one of the most effective tools for early identification. It only works when the reporting infrastructure actually exists.

Gather and centralize information. A threat assessment inquiry collects behavioral data from multiple sources: direct observations, personnel records, digital communications, law enforcement databases, prior incident reports. Isolated data points are often meaningless on their own. Assembled together, they form a pattern.

Assess the totality of the situation. This is where structured professional judgment tools like the WAVR-21 come in. Developed by clinical and forensic psychologists, these instruments provide a consistent framework for evaluating risk factors across 21 dimensions. They account for things like fixation on a target, grievance development, weapons access, behavioral leakage, and recent destabilizing events. They don't produce a score that says "this person will be violent." They organize the information in a way that supports better decision-making.

Develop a management strategy. The assessment itself is only useful if it leads to action. Management strategies range from monitoring and continued information gathering at the low end to intervention referrals, access restrictions, protective measures, and law enforcement engagement at the high end. The strategy has to match the risk, and it has to be reassessed as circumstances change.

Reassess continuously. This is the part that most organizations miss entirely. Threat assessment is not a point-in-time exercise. As the FBI Law Enforcement Bulletin has noted, a person's risk profile can shift overnight based on a single life event. A stable individual becomes volatile after a job loss, a divorce, a restraining order. Assessment captures a window. Management is ongoing.

Why behavioral analysis is the foundation

There is a temptation to treat threat assessment as a technical problem. Install cameras. Monitor email. Deploy access control. Those measures have value, but they address the environment, not the person. A camera records someone walking through a door. It does not tell you why they came back to the building after being terminated last week.

Behavioral analysis in the context of threat assessment means tracking observable changes in a person's conduct, communication, and affect over time. It means paying attention when someone who has been managing conflict shifts to fixation. When grievance language appears in writing. When someone begins researching weapons or prior incidents. When isolation increases and coping mechanisms degrade.

The concept of "behavioral leakage" matters here more than most organizations realize. First described in the threat assessment literature by researchers like J. Reid Meloy, leakage refers to the intentional or unintentional communication of violent intent. It shows up in social media posts, conversations with coworkers, letters, journal entries. In the NTAC data, 65% of mass attackers engaged in prior threatening or concerning communications. 43% had directly threatened someone. These were not silent, invisible threats. They were signaled.

The question is whether anyone was trained to recognize the signals and whether there was a system in place to act on them.

Early warning systems and why they matter before escalation

A functioning threat assessment program is an early warning system. It catches behavior at the stage where intervention can actually change the outcome.

This is the part that organizations chronically underinvest in. They spend on incident response, active shooter training, physical hardening. All of that happens after something has already gone wrong, or prepares for the moment when it does. Early warning operates upstream, at the point where someone is developing a grievance, not acting on it. Where behavioral changes are visible but haven't escalated to a direct threat.

California's SB 553, which went into effect in 2024, requires most employers to maintain a written workplace violence prevention plan. That includes hazard assessment, training, and incident documentation. It is the first state-level mandate of its kind to cover general industry. Other states are following. The regulatory direction is clear: organizations will be expected to demonstrate that they have prevention programs, not just response plans.

But compliance alone is not prevention. A written plan that nobody reads, a training session that nobody remembers, a reporting hotline that nobody trusts are compliance artifacts. They satisfy a regulator. They don't stop a threat.

Early warning systems work when they are embedded in organizational culture. Supervisors need training to recognize escalation pathways, not just obvious threats. HR needs to track behavioral patterns across interactions rather than treating each complaint as isolated. And security teams need behavioral training, because access control procedures alone don't tell you anything about intent.

How risk scoring helps prioritize threats

Not every concerning behavior warrants the same response. An employee who makes a single frustrated comment about a policy change is not in the same category as someone who has been fixating on a specific colleague, making veiled references to violence, and recently lost a custody dispute.

Risk scoring provides a structured way to differentiate. In a well-built threat assessment process, incoming reports are triaged based on severity, immediacy, and context. Structured tools assign weight to factors like weapons access, history of violence, substance use, social isolation, and the nature of the threat. The output is not a binary "dangerous" or "safe" designation. It's a calibrated picture that determines the speed and intensity of the response.

This matters operationally because resources are limited. Most organizations handle more concerning behavior reports than they have capacity to investigate deeply. Risk scoring prevents the team from spending equal time on low-level reports while a high-risk case sits in queue. It also provides documentation that supports legal and organizational decisions if intervention becomes necessary.

The corporate context most people ignore

Much of the public conversation about threat assessment focuses on schools and mass attacks. That makes sense given the scale of those events and their visibility. But the corporate environment presents its own set of challenges that are often overlooked.

The Security Executive Council's 2025 analysis of executive targeting found that incidents involving threats against senior corporate leaders doubled between 2024 and 2025. The study documented 424 incidents worldwide, with 95 occurring in the first ten months of 2025 alone. CEOs represented 64% of targets, but targeting of non-CEO leadership roles increased by 225% since 2023. 18% of assailants had a workplace connection, such as being a current or former employee.

Those numbers reflect something specific: grievance-driven targeting in a corporate context often follows a detectable trajectory. A terminated employee doesn't go from zero to violence overnight. There are usually warning signs: escalating communications, return visits, social media posts, contact attempts with former colleagues. A threat assessment team trained in behavioral analysis and connected to HR, legal, and security can identify that trajectory and intervene before it reaches a critical point.

The same logic applies to insider threats, fraud investigations, and workplace disputes that have the potential to escalate. Corporate investigations frequently surface behavioral indicators that, in isolation, look like personnel problems. In context, they look like early-stage threats. The difference between the two interpretations is whether anyone is looking at the full picture.

What warning signs should trigger a threat assessment

Threat assessment professionals focus on patterns, not profiles. There is no demographic or psychological profile that predicts violence. What predicts risk is a convergence of behaviors and circumstances that, taken together, suggest someone is moving along a pathway toward harmful action.

The signs that should initiate a formal inquiry are well-documented. Direct or veiled threats. Fixation on a specific person or grievance. Increasing isolation from peers. Research into prior attacks or weapons acquisition. Statements suggesting there is no other way out. Sudden behavioral shifts after a personal loss. Escalating aggression in communications.

That last one shows up more than people expect. It rarely starts with an explicit threat. It starts with tone changes in emails, complaints that get more specific and more personal, a shift from frustration to blame.

None of these signs, on their own, is sufficient to conclude that someone will act. All of them, especially in combination with recent stressors, justify a structured inquiry. The NTAC research consistently finds that attackers experience multiple stressors in the years and months before an event. In the 2016-2020 dataset, 87% of attackers had experienced at least one major stressor within five years of the attack, and 81% had experienced one within the year.

The question is never "is this person a threat?" The question is: "Is this person on a pathway that could lead to harm, and what can we do to redirect it?"

How predictive threat intelligence improves response planning

Traditional threat assessment is reactive in the sense that it begins when someone reports a concern. Predictive threat intelligence pushes the timeline further upstream by analyzing behavioral patterns, communication metadata, and environmental factors to identify individuals who may pose a risk before a formal report is ever filed.

This is where threat monitoring, risk modeling, and data analysis converge. Instead of waiting for someone to report that a former employee has been showing up in the parking lot, a predictive approach continuously monitors the signals that precede that behavior. Changes in communication patterns. Financial stress indicators. Legal proceedings. Social media escalation.

This doesn't mean mass surveillance. It means applying intelligence tradecraft to the specific problem of targeted violence prevention. The same analytical methods used to assess geopolitical risk or track financial fraud apply to individual threat cases when adapted to the appropriate legal and ethical framework.

The operational value is lead time. Every day of advance warning is a day that can be used to implement protective measures, engage intervention resources, or de-escalate a situation before it reaches a point of no return. Organizations that invest in early warning and threat detection capabilities move from reactive response to informed prevention.

Threat assessment vs. threat and risk assessment

The terms get conflated constantly, and the confusion matters because it changes what organizations actually build.

A threat assessment focuses on individuals: identifying and evaluating people who may pose a risk based on their behavior, intent, and capacity. It answers the question: "Is this person moving toward violence?"

A threat and risk assessment is broader. It evaluates threats, vulnerabilities, and consequences across an entire environment. It answers questions like: "What threats does this facility face? Where are our vulnerabilities? What is the potential impact of different attack scenarios?" This is the framework typically used in physical security planning, emergency management, and regulatory compliance.

Both are necessary. Neither replaces the other. A threat and risk assessment might identify that an organization's executive team is exposed during public events. It won't tell you that a specific individual has been fixating on the CEO for three months. A behavioral threat assessment might identify that individual, but it has nothing to say about whether the building's access control can actually prevent entry.

Most organizations do one and assume they've covered the other. They haven't.

How to build a threat assessment process that supports early action

Building a threat assessment capability that actually works requires more than policy. Policy is where most organizations stop. What it actually requires is a team with authority, training that reaches beyond the security department, reporting infrastructure that people will use, and leadership willing to fund something that, when it works, is invisible.

Start with the team. A multidisciplinary threat assessment team should include, at minimum, representation from security, HR, legal, and behavioral health. In larger organizations, operational leadership and communications should also have a seat. The team needs defined roles, a regular meeting cadence, and authority to act on findings.

Train broadly. The team itself needs specialized training in behavioral threat assessment methodology, but awareness training should extend to every level of the organization. Frontline employees, supervisors, and managers need to know what to look for and how to report it. The FBI, Secret Service, and organizations like the Association of Threat Assessment Professionals (ATAP) all offer training resources, and in 2024 alone, NTAC delivered more than 300 trainings and briefings to over 40,000 participants.

Build the reporting infrastructure. Anonymous and non-anonymous reporting channels, clear escalation procedures, response timelines, and feedback mechanisms for reporters. If someone files a concern and never hears anything back, they won't file the next one.

Use structured assessment tools. WAVR-21 for workplace and campus settings, MOSAIC for general threat assessment, and other structured professional judgment instruments give the team a consistent analytical framework. These tools don't replace judgment. They discipline it.

Document everything. Threat assessments generate records that may later be relevant to legal proceedings, insurance claims, or regulatory inquiries. The documentation protocol should be established before the first case, not figured out during it.

Connect to external resources. Workplace investigations often intersect with threat assessment when behavioral concerns arise during an inquiry into harassment, discrimination, or policy violations. Similarly, digital forensics capabilities become relevant when concerning communications need to be preserved, authenticated, or analyzed. The threat assessment team should have clear pathways to engage external specialists when cases exceed internal capacity.

The question organizations need to answer

Forty-eight percent of workplace violence incidents go unreported. Think about what that number actually means. Half the time someone gets threatened, harassed, or assaulted at work, it never makes it into a report. The organization never finds out. The behavior continues, escalates, or resolves on its own — and nobody in a position of authority ever knew it happened.

Most organizations don't know whether their employees feel safe reporting concerns. Most don't know whether their supervisors could recognize a behavioral escalation pattern if it were happening in front of them. Most don't know whether their security team has ever conducted a structured threat inquiry.

The question is not whether something will happen. The question is whether the organization would see it coming if it did.

Threat assessment is not a product you buy or a training event you schedule once a year. It is a capability that requires people, process, institutional commitment, and the willingness to look at uncomfortable information and act on it. The organizations that build that capability are the ones that don't end up in the post-incident debrief trying to explain why nobody noticed.

Frequently asked questions

What is a threat assessment?

A threat assessment is a systematic, behavior-based process used to identify, evaluate, and manage individuals who may be moving toward violence or targeted harm. It focuses on observable behaviors, contextual factors, and environmental stressors rather than demographic profiles. The goal is early identification and intervention, not prediction.

How does threat assessment support early intervention?

Threat assessment creates structured pathways for receiving, triaging, and acting on behavioral concerns before they escalate. By training personnel to recognize warning signs like fixation, grievance development, and behavioral leakage, organizations can intervene during the early stages of a threat trajectory rather than responding after harm occurs.

What role does behavioral analysis play in threat assessment?

Behavioral analysis provides the analytical foundation for threat assessment. It involves tracking observable changes in an individual's conduct, communication, and emotional state over time. Structured tools like the WAVR-21 help practitioners evaluate risk factors consistently and make informed decisions about intervention strategies.

How do early warning systems help prevent escalation?

Early warning systems identify concerning behavior at the stage where intervention is still possible. They combine reporting infrastructure, behavioral training, and structured assessment protocols to catch threats upstream, before they develop into direct actions. Effective systems require organizational commitment, trained personnel, and a culture where reporting is expected and protected.

Why is risk scoring important in threat assessment?

Risk scoring provides a structured method for differentiating between levels of concern and allocating resources accordingly. It weighs factors like threat specificity, weapons access, recent stressors, and history of violence to produce a calibrated risk picture that guides the speed and intensity of response. Without risk scoring, teams risk either over-responding to low-level concerns or under-responding to high-risk cases.

What are common signs that a threat assessment is needed?

Warning signs include direct or veiled threats, fixation on a specific person or grievance, increased isolation, research into prior attacks, sudden behavioral changes after personal loss, escalating aggression in communications, and expressions of hopelessness. These indicators, especially when they appear in combination with recent life stressors, justify a formal threat assessment inquiry.

References

Association of Threat Assessment Professionals (ATAP). Professional standards and certification for threat assessment practitioners. Retrieved from https://www.atapworldwide.org

Bureau of Labor Statistics. (2024). National Census of Fatal Occupational Injuries in 2023. U.S. Department of Labor. Retrieved from https://www.bls.gov/iif/

Federal Bureau of Investigation. (2017). Making Prevention a Reality: Identifying, Assessing, and Managing the Threat of Targeted Attacks. Behavioral Analysis Unit, National Center for the Analysis of Violent Crime. Retrieved from https://www.fbi.gov/file-repository/making-prevention-a-reality.pdf

Meloy, J.R., & White, S.G. (2016). Threat Assessment and Management Strategies: Identifying the Howlers and Hunters. FBI Law Enforcement Bulletin.

National Threat Assessment Center. (2023). Mass Attacks in Public Spaces: 2016-2020. U.S. Secret Service, Department of Homeland Security. Retrieved from https://www.secretservice.gov/protection/ntac

National Threat Assessment Center. (2024). Behavioral Threat Assessment Units: A Guide for State and Local Law Enforcement to Prevent Targeted Violence. U.S. Secret Service, Department of Homeland Security.

National Threat Assessment Center. (2025). First Baptist Church of Sutherland Springs: A Case Study on the Link Between Domestic Violence and Mass Attacks. U.S. Secret Service.

Security Executive Council. (2025). Executive Targeting Report: Analysis of Attacks on Corporate Executives from 2003-2025. In collaboration with Mercyhurst University Business Intelligence and Innovation Lab.

White, S.G., & Meloy, J.R. (2007). The WAVR-21: A Structured Professional Judgment Guide for the Workplace Assessment of Violence Risk. Specialized Training Services.