
INT-01-04
Applied Scenario and Common Pitfalls
All eight steps worked through a community security scenario, and the six errors that most often turn a structured process into a structured rationalization
Understanding ACH procedurally is not the same as being able to apply it under the conditions where you actually need it — time pressure, social dynamics, pre-existing opinions, and incomplete information. This lesson works through a complete eight-step analysis on a realistic community security scenario and then addresses the six failure modes that most commonly corrupt the process without the analyst noticing. Completing this lesson means you can run a defensible ACH analysis independently.
The Scenario
Applied Analysis
Your MAG has been meeting monthly for two years. Four months ago, a member named Darryl introduced a new acquaintance, “Keith,” at a regional preparedness expo. Keith has since attended three MAG events as a guest. The following observations have been documented by multiple members independently.
- At the first event, Keith demonstrated strong baseline knowledge of food storage and communications — approximately the level expected from someone with two to three years of active preparedness practice.
- At the second event, Keith asked two different members, on separate occasions and without apparent awareness that both were members, approximately how much fuel storage the group maintained and whether the group had a primary and alternate rally point.
- At the third event, Keith arrived early and engaged in extended conversation with the MAG leader before other members arrived. Two members who arrived during this conversation noted that Keith appeared to be asking detailed questions about the group’s decision-making structure — specifically, who besides the leader had operational authority.
- Keith’s claimed prior membership in a regional preparedness network in another state cannot be confirmed. Darryl’s attempts to reach a mutual contact who was supposed to know Keith from that network have not produced a response after three weeks.
- Keith has not asked for MAG membership explicitly and has not indicated he is evaluating the group for any purpose.
- Keith’s professional background, as described by Keith, is consistent with his apparent skill level.
Step 1: Frame the Question and Generate Hypotheses
The Question
Question: What best explains Keith’s behavior pattern across four months and three documented events?
The hypothesis set, applying the Lesson 1 criteria:
- H1 — Genuine community member integrating normally. Keith is exactly who he appears to be. The questions are what a well-informed person asks when evaluating whether to join a group. The unconfirmed background is an artifact of a contact who has gone dark, not a fabricated backstory.
- H2 — Genuine member with poor information security judgment. Keith is sincere but does not understand that asking specific operational questions of multiple members separately at guest events is a red flag behavior pattern. He asks because he is curious, not because he is collecting.
- H3 — Independent opportunist mapping MAG resources. Keith has no directed external sponsor but is gathering operational information for personal purposes — perhaps to identify communities with resource caches he could access in an emergency without the commitment of membership.
- H4 — Directed external collector. Keith is operating with a specific intelligence requirement from an external party, and the behavior pattern reflects a collection plan rather than natural social integration.
- H5 — Deception scenario. The entire pattern, including Darryl’s introduction, is constructed to produce a specific conclusion about Keith that serves an external objective. The unverifiable background may be deliberate misdirection, and Darryl’s contact may be unreachable by design.
Note that H5 is uncomfortable because it implicates Darryl, a trusted long-term member. That discomfort is exactly why it belongs in the matrix. ACH does not ask whether a hypothesis is comfortable — it asks whether it is plausible given the capabilities and motivations of the actors involved.
Steps 2 and 3: Evidence List and Matrix
Building the Grid
The evidence items, derived from the scenario documentation:
- E1: Keith demonstrates strong baseline preparedness knowledge at first event (consistent with 2-3 years active practice)
- E2: Keith asked two separate members about fuel storage quantities and rally point structure at second event, apparently unaware both were members
- E3: At third event, Keith engaged in extended pre-meeting conversation with the leader focused on decision-making structure and operational authority
- E4: Claimed prior network membership cannot be confirmed after six weeks and multiple outreach attempts
- E5: The mutual contact who was supposed to know Keith from that network is unreachable after three weeks of attempts by Darryl
- E6: Keith has not requested MAG membership
- E6 note: Assumption embedded here — we are assuming that a genuine candidate would signal membership interest by this point. That assumption is not verified.
- E7: Keith’s described professional background is consistent with his demonstrated skill level
- E8 (absence): No organic social behavior observed — Keith’s interactions have been predominantly question-oriented rather than relationship-building
Reading across the rows for the diagnostic items:
E2 (targeted operational questions to multiple members): H1 (I — a genuinely integrating member would typically not ask sensitive operational questions of multiple members separately at guest status); H2 (C — poor judgment could explain asking, but not the pattern of asking the same category of question separately); H3 (C — consistent with resource mapping); H4 (C — consistent with directed collection); H5 (C — consistent with a constructed approach). E2 is diagnostic: it is inconsistent with H1 and only partially consistent with H2.
E3 (pre-meeting interrogation of decision-making structure): H1 (I — this is not normal integration behavior at guest status); H2 (I — even poor judgment would not typically extend to probing operational authority at a pre-meeting one-on-one); H3 (C — a resource mapper would want to know who controls access decisions); H4 (C — understanding leadership structure is a standard collection objective); H5 (C — consistent). E3 carries serious inconsistencies against H1 and H2.
E4 (unconfirmable backstory): H1 (I — a genuine member with this background would expect it to be verifiable and would typically help resolve the gap); H2 (C — a genuine member with poor judgment might not anticipate that the background check would fail); H3 (C — an opportunist might fabricate or embellish background to gain access); H4 (C — a directed collector would have a backstory designed to resist easy verification); H5 (C — the unverifiable element could be deliberate). E4 is diagnostic.
E8 (absence of organic relationship-building): H1 (I — genuine integration typically involves social behavior alongside information-seeking); H2 (C — social awkwardness could explain this); H3 (C — an opportunist may not invest in relationships they do not intend to maintain); H4 (C — a directed collector may be trained to keep social investment low to maintain deniability); H5 (C — consistent). E8 is weakly diagnostic against H1.
Steps 4 and 5: Refine and Draw Conclusions
Reading the Inconsistencies
After refinement: E1 (consistent across all hypotheses) and E7 (consistent across all hypotheses) are non-diagnostic and deprioritized. E6 carries an embedded assumption and is flagged for sensitivity testing rather than counted as a clean inconsistency against H1.
Remaining diagnostic evidence and inconsistency counts:
- H1 (genuine integrating member): Inconsistent with E2, E3, E4, E8 — four inconsistencies, three of them serious
- H2 (genuine member, poor judgment): Inconsistent with E3, partially inconsistent with E2 — one to two inconsistencies depending on weight assigned
- H3 (independent opportunist): Zero inconsistencies
- H4 (directed collector): Zero inconsistencies
- H5 (deception scenario): Zero inconsistencies
Tentative conclusion: H1 is substantially weakened. H2 is weakened but not eliminated — the inconsistency against E3 is the key question. H3, H4, and H5 all survive without contradiction. The analysis cannot distinguish between H3, H4, and H5 with the current evidence set. That is itself an important finding: the evidence is consistent with all three adversarial explanations and cannot resolve between them at this stage.
Steps 6, 7, and 8: Test, Report, Monitor
Completing the Cycle
Sensitivity testing: The assumption embedded in E6 (that a genuine candidate would signal membership interest by now) is tested first. If this assumption is wrong — if genuine candidates in this community typically take longer before signaling interest — E6 does not support a conclusion against H1, and H1 becomes slightly less weakened. The assumption needs verification before E6 carries analytical weight. More importantly, E2 and E3 together are the primary drivers of the conclusion. If both were explained as innocent — poor judgment plus unusual social behavior — H2 would be the leading hypothesis. The sensitivity test shows that the conclusion’s direction is robust but H2’s viability is the key uncertainty.
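The refinement, inconsistency count and sensitivity test described above, as a short script (an added example, not part of the original lesson). Cell markings are transcribed from the row readings; E5 and E6 are left out because the lesson gives no clean markings for them, and the "P" mark with its 0.5 weight for H2 against E2 is an assumption standing in for the lesson's "partially inconsistent".

```python
# Cell markings transcribed from the lesson's row readings, one character
# per hypothesis in the order H1..H5.
# "C" = consistent, "I" = inconsistent, "P" = partially inconsistent
# ("P" and its 0.5 weight are assumptions of this example).
HYPOTHESES = ["H1", "H2", "H3", "H4", "H5"]
MATRIX = {
    "E1": "CCCCC",  # baseline knowledge: consistent with everything
    "E2": "IPCCC",  # operational questions put to two members separately
    "E3": "IICCC",  # pre-meeting questions about decision-making authority
    "E4": "ICCCC",  # unconfirmable backstory
    "E7": "CCCCC",  # professional background fits skill level
    "E8": "ICCCC",  # absence of organic relationship-building
}
WEIGHT = {"C": 0.0, "P": 0.5, "I": 1.0}


def diagnostic_items(matrix):
    """Step 4: keep only rows whose marking differs across hypotheses."""
    return {e: row for e, row in matrix.items() if len(set(row)) > 1}


def inconsistency_scores(matrix):
    """Step 5: read each row across all hypotheses and total the
    inconsistencies per hypothesis. Lower means fewer contradictions;
    ACH works by refuting hypotheses, not by confirming one."""
    scores = dict.fromkeys(HYPOTHESES, 0.0)
    for row in diagnostic_items(matrix).values():
        for hyp, mark in zip(HYPOTHESES, row):
            scores[hyp] += WEIGHT[mark]
    return scores


def survivors(matrix):
    """Hypotheses tied for the fewest inconsistencies."""
    scores = inconsistency_scores(matrix)
    best = min(scores.values())
    return [h for h in HYPOTHESES if scores[h] == best]


def sensitivity(matrix, dropped):
    """Step 6: re-score with some items set aside (for example, explained
    as innocent) to see which items the conclusion actually rests on."""
    reduced = {e: row for e, row in matrix.items() if e not in dropped}
    return inconsistency_scores(reduced), survivors(reduced)


if __name__ == "__main__":
    print(inconsistency_scores(MATRIX), survivors(MATRIX))
    for drop in (["E2", "E3"], ["E4"], ["E8"]):
        print(drop, *sensitivity(MATRIX, drop))
```

Setting E2 and E3 aside drops H2 to zero inconsistencies alongside H3, H4 and H5, while H1 still carries E4 and E8.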
Reported conclusion: With moderate confidence, Keith’s behavior pattern is inconsistent with normal guest integration (H1 substantially weakened). H2 (poor judgment, genuine member) remains viable but is inconsistent with the pre-meeting leadership interrogation at E3, which is difficult to explain as poor judgment alone. H3, H4, and H5 all remain credible and the current evidence cannot distinguish between them. The analysis does not support a conclusion of confirmed hostile intent, but it does support elevated monitoring and the decision not to advance Keith toward membership consideration pending further observation. Confidence is moderate. The conclusion rests significantly on the interpretation of E3, which carries an embedded assumption about normal behavior at guest status.
Indicators for the monitoring period:
- H3/H4/H5 indicators: Keith approaches additional members with operationally specific questions in contexts where he would not expect group members to compare notes; Keith is observed in contact with unknown third parties in proximity to MAG events; Darryl’s unreachable contact resurfaces and provides information that was implausibly convenient in direction.
- H2 indicators: Keith responds positively and without defensiveness to direct guidance about appropriate questions for guest status; Keith’s subsequent behavior shows reduced operational questioning; Keith’s unconfirmable background contact eventually responds through normal delays.
- H1 indicator: unreachable contact resurfaces with a plausible innocent explanation after an independently verifiable delay (illness, travel, network disruption).
The Six Common Pitfalls
Where the Process Fails
Pitfall 1: Too few hypotheses. The most damaging error is omitting the correct explanation before the analysis begins. In the Keith scenario, omitting H5 (deception scenario) because it implicates Darryl would leave a live possibility untested. The hypothesis set must be generated before social discomfort shapes it.
Pitfall 2: Vague or bundled evidence items. Items that describe interpretations rather than observations (“Keith seems evasive”) cannot be reliably marked across the row. When two analysts mark the same cell differently, the item is too vague. Sharpen before building the matrix.
Pitfall 3: Column-reading returning under pressure. It returns most often when time is short or when a team member is confident about the conclusion. The tell is that the team is asking “does this support H4?” rather than “how does this item fit H1 through H5?” If you hear the column-reading question, stop and reorient.
Pitfall 4: Treating ACH as a verdict. The scenario above ends with a moderate-confidence conclusion and a set of competing viable hypotheses. That is a correct ACH output. Using the output to justify a consequential irreversible action — removing Darryl from the MAG, confronting Keith publicly — would be misusing the method. ACH structures judgment and reduces bias. It does not produce certainty, and it should not be used to justify actions that require certainty as a threshold.
Pitfall 5: Skipping the sensitivity test. Analysts who complete Steps 1 through 5 and go directly to reporting produce a conclusion that cannot describe how fragile it is. The sensitivity test is the step that converts a conclusion into a defensible judgment. Without it, the report cannot answer the question “what would change your mind?” — and a conclusion that cannot answer that question is not an analytical product, it is an opinion with a matrix attached.
Pitfall 6: Amending instead of re-running. When new evidence arrives, the prior conclusion functions as an anchor. Amending the matrix means new evidence is evaluated against the old conclusion rather than freshly. The discipline of re-running the full process is also the discipline of remaining open to a conclusion reversal — which is the hardest outcome to accept and the one ACH exists to make possible.
Return to the Keith scenario and add one new piece of evidence: at the most recent event, a member spotted Keith photographing the property layout on his phone. Run the full ACH process again from Step 1. Do not amend the prior analysis. Does the new evidence change the conclusion? Does it change the relative likelihood of H3, H4, and H5 in relation to one another? What new indicators does it generate?
That exercise is what ACH looks like in operational practice: iterative, evidence-driven, and willing to revise a prior conclusion when the evidence requires it.
- ACH works through eight steps: hypothesis generation, evidence compilation, matrix construction, refinement, tentative conclusions, sensitivity testing, reporting, and indicator definition
- The hypothesis set must include the deception hypothesis and the null hypothesis before the analysis begins
- Evidence items must describe observable behavior, not interpretations — vague items produce unreliable cell markings
- Row-reading is the rule; column-reading is the confirmation bias the process is designed to prevent
- A conclusion that multiple hypotheses cannot be distinguished is a valid analytical output — do not force a single leading hypothesis when the evidence does not support one
- Sensitivity testing is not optional — it converts a conclusion into a defensible judgment by identifying what would change it
- Report all surviving hypotheses with stated confidence and stated conditions for revision, not only the leading hypothesis
- When significant new evidence arrives, re-run the full process; do not amend the prior conclusion
- ACH informs decisions — it does not make them; the decision-maker retains responsibility for the action threshold