
INT-01-02
Building the Matrix
Steps 1 through 4: from question to a matrix that is ready to be read
The first four steps of ACH produce a matrix that is ready to be analyzed. Step 1 frames the question and generates the hypothesis set. Step 2 compiles the evidence. Step 3 builds the grid and populates every cell. Step 4 refines the matrix by removing evidence that cannot discriminate between hypotheses. Each step has specific failure modes that are more common than the steps themselves suggest. This lesson covers what each step actually requires, what good and poor execution looks like, and what errors at each step cost you in the analysis that follows.
Step 1: Frame the Question and Identify the Hypotheses
The Foundation
ACH begins with a question, and the question matters more than most analysts realize. A poorly framed question constrains the hypothesis set before it is even generated. The question “Is this candidate trustworthy?” invites a yes-or-no answer and implicitly frames the analysis around a single variable. The question “What best explains this candidate’s behavior pattern across these specific observations?” invites competing explanations. Frame the question to invite competition, not to confirm a prior direction.
Once the question is framed, generate the hypothesis set. Heuer recommends three to six hypotheses as a practical working range. Fewer than three usually means explanations are being conflated or the deception and null hypotheses have been omitted. More than six usually means the hypotheses are not meaningfully distinct from one another, or the scope of the question is too broad. Three to six is not a rule — it is a signal. If you are outside that range, examine why before proceeding.
Apply the Lesson 1 checks to the hypothesis set before moving to Step 2. Is the set collectively exhaustive — does it include every realistic explanation, including the deception hypothesis and the null hypothesis? Are the hypotheses meaningfully distinct from one another — does each describe a genuinely different situation, not minor variations on the same explanation? Could the correct explanation be one that is not in this set?
That last question is the most important one. Spend a deliberate moment trying to think of an explanation that your hypothesis set does not contain. If you find one, it belongs in the set. If you cannot find one, that is a reasonable stopping point — but the search has to be active, not passive.
Framing a question around a conclusion already in view is a common opening error that is invisible from inside the analysis. “Why is this person acting suspiciously?” presupposes suspicious behavior and sets up a hypothesis set of explanations for suspicious behavior rather than explanations for the observed behavior. Reframe: “What explains the specific observations we have documented about this person’s behavior?” Now the hypothesis set can include the explanation that the behavior is not suspicious at all.
Step 2: List the Evidence
Compile Without Filtering
Step 2 requires assembling everything that is relevant to the question: direct observations, reported information, historical patterns, behavioral baselines, the absence of expected things, and the assumptions you are relying on without direct evidence. This last category — assumptions — is the one most frequently omitted.
Every analysis rests on assumptions that have not been directly verified. In a vetting context, you might be assuming that the referral contact has no reason to mislead you, that the candidate’s background story is internally consistent, that the observations you have made are a representative sample of the candidate’s behavior rather than a curated performance. These assumptions belong in the matrix as evidence items. They can be marked for their evidential weight and tested in Step 6. If they are never written down, they never get tested.
Evidence items must be specific. Vague entries produce ambiguous cell markings that cannot be read reliably. “Candidate seems evasive” is not an evidence item — it is an interpretation masquerading as an observation. “Candidate declined to answer three specific direct questions about previous group affiliations at two separate events” is an evidence item. It describes observable behavior that can be evaluated against each hypothesis with some precision. Every time you write an evidence item, ask: could two independent observers, given this description, reach the same conclusion about whether it is consistent or inconsistent with each hypothesis? If not, the item needs to be more specific.
Also note the absence of expected evidence. If a hypothesis predicts that something should be observable, and that thing is not observable, that absence is itself evidence. In a vetting context: if a candidate claims significant prior community involvement but produces no verifiable connections to that community when those connections should be easy to produce, the absence of those connections is an evidence item. Write it down as such.
Step 3: Build the Matrix and Mark Every Cell
The Grid
Build a grid with hypotheses across the top and evidence items down the left side. In each cell, assess the relationship between that evidence item and that hypothesis using three categories:
Consistent (C): The evidence is what you would expect to observe if this hypothesis were true. Consistent does not mean confirming — it means not contradicting. Evidence can be consistent with a hypothesis and still be equally consistent with competing hypotheses.
Inconsistent (I): The evidence is difficult or impossible to explain if this hypothesis were true. This is the analytically decisive marking. Before marking a cell I, ask the harder version of the question: is it truly the case that this evidence cannot plausibly coexist with this hypothesis? Or is there a strained but possible explanation that makes them compatible? Be rigorous here. A weak inconsistency that can be explained away under pressure will not hold up in the sensitivity testing step.
Not Applicable (N/A): The evidence has no logical relationship to this hypothesis either way. Use this marking carefully — it is the easiest one to apply incorrectly. Evidence that you cannot immediately connect to a hypothesis is not necessarily N/A. It may mean the connection requires more thought. N/A means the evidence is genuinely irrelevant to whether this hypothesis is true or false.
Work across the rows. Take one evidence item at a time and assess it against every hypothesis before moving to the next item. Do not mark an entire column before moving to the next column. If you find yourself doing that, you have returned to column-reading and you need to stop and reorient.
Evaluating a candidate: four hypotheses, four evidence items
Suppose your MAG is evaluating a candidate who was referred by a trusted member, has attended three events, asks detailed questions about group logistics, and whose claimed prior community affiliation cannot be verified. The four hypotheses: H1 = genuine community member integrating normally; H2 = genuine community member but with poor information security judgment; H3 = directed external collector; H4 = independent opportunist mapping community resources.
Evidence item E1: Candidate asks specific questions about supply cache locations at second event. Across the row: H1 (C — a new member wanting to understand group capabilities); H2 (C — poor judgment about what questions are appropriate); H3 (C — consistent with collection behavior); H4 (C — consistent with opportunistic mapping). E1 is consistent with all four hypotheses. It is non-diagnostic. It will be removed or deprioritized in Step 4.
Evidence item E2: Claimed prior affiliation with regional preparedness group cannot be verified by any mutual contact despite six weeks and multiple outreach attempts. Across the row: H1 (I — a genuine community member would typically have verifiable connections); H2 (I — same reason); H3 (C — a directed collector would construct a backstory that is hard to verify); H4 (C — an opportunist may have fabricated prior community involvement to gain access). E2 is diagnostic. It is inconsistent with H1 and H2 and consistent with H3 and H4. This is the type of evidence that does real work in the matrix.
Step 4: Refine the Matrix
Remove What Cannot Discriminate
After the matrix is populated, read through the evidence column on the left side and identify any evidence item that is marked Consistent or N/A for every hypothesis. These items are non-diagnostic. They cannot help you distinguish between explanations. Leaving them in the matrix does not strengthen the analysis — it dilutes it by burying the diagnostic evidence in a larger set that makes the matrix look thorough without being thorough.
Non-diagnostic evidence should be either removed or explicitly flagged as non-diagnostic. The purpose is to leave the matrix focused on the items that actually discriminate. Before removing an item, briefly reconsider whether the markings are correct. Sometimes evidence that appears consistent across all hypotheses was marked that way because the analyst was not probing hard enough. Ask again, for each hypothesis: is there truly no way this evidence item is inconsistent with this hypothesis if that hypothesis were true?
Step 4 is also the moment to review the quality of each evidence item. Are any items vague enough that two analysts would mark the same cell differently? If so, return to Step 2 and sharpen the item before proceeding. An inconsistency that rests on a vague evidence item is not a reliable inconsistency.
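The Step 3 and Step 4 checks can also be run mechanically over a matrix once it is written down. The following is an added example, not part of the original lesson: rows E1 and E2 carry the markings from the candidate example above, while row E3 and all function names are constructed here for illustration.

```python
# Added example: ACH Step 3 (every cell marked) and Step 4 (flag
# non-diagnostic rows) applied to the lesson's candidate matrix.
MARKS = {"C", "I", "N/A"}
HYPOTHESES = ["H1", "H2", "H3", "H4"]

# E1: asks about supply cache locations at second event (from the lesson).
# E2: claimed prior affiliation cannot be verified (from the lesson).
# E3: constructed row, deliberately left half-marked to show the check.
MATRIX = {
    "E1": {"H1": "C", "H2": "C", "H3": "C", "H4": "C"},
    "E2": {"H1": "I", "H2": "I", "H3": "C", "H4": "C"},
    "E3": {"H1": "C", "H2": "N/A"},
}

def unmarked_cells(matrix, hypotheses):
    """Step 3: return (evidence, hypothesis) pairs lacking a valid mark."""
    return [
        (item, h)
        for item, row in matrix.items()
        for h in hypotheses
        if row.get(h) not in MARKS
    ]

def refine(matrix, hypotheses):
    """Step 4: split fully marked rows into (diagnostic, non_diagnostic).

    Uses the lesson's definition: a row is non-diagnostic when it is
    Consistent or N/A for every hypothesis, i.e. it contains no "I".
    Incomplete rows are skipped; they go back to Step 3 first.
    """
    diagnostic, non_diagnostic = [], []
    for item, row in matrix.items():
        marks = [row.get(h) for h in hypotheses]
        if any(m not in MARKS for m in marks):
            continue
        (diagnostic if "I" in marks else non_diagnostic).append(item)
    return diagnostic, non_diagnostic

if __name__ == "__main__":
    for item, h in unmarked_cells(MATRIX, HYPOTHESES):
        print(f"Step 3: {item} has no marking against {h}")
    diag, non_diag = refine(MATRIX, HYPOTHESES)
    print("Diagnostic:", diag)
    print("Re-examine, then remove or flag:", non_diag)
```

A row the code reports as non-diagnostic is a candidate for removal, not a decision: the markings still need the second look described above before the item is dropped.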
Choose a current or recent community security question. Work through the first four steps on paper: frame the question, write out the hypothesis set and check it against the Lesson 1 criteria, list all evidence items with specific descriptions (including assumptions and absences), build the matrix and mark every cell by reading across the rows, then identify and flag the non-diagnostic items.
You now have a matrix that is ready to be read. Lesson 3 covers Steps 5 through 8: drawing conclusions, stress-testing them, reporting, and setting up monitoring for what comes next.
Frame the question to invite competing explanations, not to confirm a direction — embed no interpretations in the question itself
Generate 3 to 6 hypotheses; fewer usually means the deception or null hypothesis is missing, more usually means hypotheses are not meaningfully distinct
Evidence items must be specific enough that independent observers could agree on cell markings — interpretations embedded in evidence items produce unreliable matrices
Include assumptions in the evidence list and flag them for sensitivity testing — unwritten assumptions are untested assumptions
Include the absence of expected evidence as explicit evidence items when a hypothesis predicts something that is not present
Mark every cell by reading across the row — Consistent, Inconsistent, or Not Applicable — for every evidence item against every hypothesis
In Step 4, identify non-diagnostic evidence (Consistent or N/A across all hypotheses), re-examine the markings, then remove or deprioritize items that cannot discriminate