
SEC-02-05
Indicators and Vulnerabilities
What you are showing, and who can see it
An indicator is any observable action, object, or pattern that can be collected and used to infer your critical information. A vulnerability is an indicator that your specific adversary has the capability and access to collect. These are not the same thing. Mapping this distinction is the analytical core of OPSEC — it tells you exactly where you are exposed and exactly where you are not.
What Indicators Are
The Observable Layer
Every activity you conduct produces observable traces. You cannot operate without generating indicators — the goal is not to eliminate them but to manage which ones are accessible to which adversaries. Indicators fall into several natural categories.
Signatures are the persistent, characteristic patterns associated with you or your group — the vehicles always parked in the same configuration, the lights that go on at the same times, the order cadence at the same suppliers. Signatures are particularly dangerous because they build up over time and require no active collection: a patient observer simply waits.
Associations are the indicators generated by who you know and interact with. Your network reveals information about your capabilities, affiliations, and intentions. A member who is publicly identified as a licensed EMT reveals something about your group’s medical capability. A truck in your driveway bearing a vendor’s logo reveals something about your supply chain.
Profiles are the aggregated pictures built from multiple individual indicators. No single indicator may be revealing in isolation; the combination produces critical information. Your vehicle type, your neighborhood, your purchase patterns, your online affiliations, and your meeting schedule may each be innocuous individually — combined, they tell a detailed story about your preparedness posture.
From Indicator to Vulnerability
The Intersection Test
An indicator becomes a vulnerability only when two conditions are simultaneously true: your identified adversary has the collection capability to observe or obtain it, and that indicator allows the adversary to infer a specific item on your Critical Information List (CIL). If either condition is absent, the indicator may still be worth noting, but it is not an active vulnerability requiring countermeasures today.
The vulnerability analysis matrix is a useful tool here. Take each CIL entry, list the indicators your activities produce that could reveal it, and then cross-reference with your threat analysis to determine which adversaries can actually collect those indicators. The intersections are your vulnerabilities. The blank cells are indicators that exist but do not require immediate action.
This matrix approach prevents both under-protection (missing critical vulnerabilities) and over-protection (expending resources on indicators that your actual adversary cannot reach).
Separating indicators from vulnerabilities
A group’s CIL includes the location of their primary meeting site. The meeting generates multiple indicators: tire tracks at the access road, light visible from a distance at night, vehicles clustered at unusual hours, and radio traffic on certain frequencies.
Their threat analysis identified two adversaries: an activist group with OSINT capability only, and a former member with local physical access. The vulnerability analysis produces different results for each. Against the activist group, none of the physical indicators are vulnerabilities — the activists have no physical collection capability and cannot reach the property. Against the former member, the physical indicators are all potential vulnerabilities because the former member has local access and knowledge of the area.
Without the vulnerability analysis step, a group might spend significant effort on digital concealment while leaving their physical signatures completely unmanaged — because they conflated indicators with vulnerabilities and did not run the intersection test.
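The matrix and intersection test described above, worked for the meeting-site scenario as an added Python example (not part of the original lesson). The capability labels, the function names, and the vendor-logo row are assumptions made for illustration; all four scenario indicators are assumed to need local physical presence to collect.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Indicator:
    name: str
    reveals: str      # the information an observer could infer from it
    collection: str   # capability needed to collect it (assumed label)

# Constructed sample data modelled on the meeting-site scenario above.
CIL = {"primary meeting site location"}
INDICATORS = [
    Indicator("tire tracks at access road", "primary meeting site location", "physical"),
    Indicator("light visible at night", "primary meeting site location", "physical"),
    Indicator("vehicles clustered at odd hours", "primary meeting site location", "physical"),
    Indicator("radio traffic", "primary meeting site location", "physical"),
    # Assumed extra row: observable, but what it reveals is not on this CIL.
    Indicator("vendor logo on delivery truck", "supply chain", "physical"),
]
ADVERSARIES = {
    "activist group": {"osint"},
    "former member": {"physical"},
}

def is_vulnerability(ind, capabilities, cil):
    """Intersection test: adversary can collect it AND it reveals a CIL item."""
    return ind.collection in capabilities and ind.reveals in cil

def build_matrix(indicators, adversaries, cil):
    """Rows are indicators, columns are adversaries, cells are True/False."""
    return {
        ind.name: {adv: is_vulnerability(ind, caps, cil)
                   for adv, caps in adversaries.items()}
        for ind in indicators
    }

def vulnerabilities(matrix):
    """Filled cells: (indicator, adversary) pairs needing countermeasures."""
    return [(i, a) for i, row in matrix.items() for a, hit in row.items() if hit]

def blank_rows(matrix):
    """Indicators that exist but no identified adversary can exploit today."""
    return [i for i, row in matrix.items() if not any(row.values())]

if __name__ == "__main__":
    matrix = build_matrix(INDICATORS, ADVERSARIES, CIL)
    for name, row in matrix.items():
        cells = "  ".join(f"{adv}: {'X' if hit else '-'}" for adv, hit in row.items())
        print(f"{name:34} {cells}")
    print("blank rows:", blank_rows(matrix))
```

Re-running the matrix after the threat analysis changes (a new adversary, or a new capability for an existing one) shows which blank cells have become vulnerabilities.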
Pick the three highest-priority entries from your CIL. For each one, list every indicator your current activities produce that could reveal that information to an observer. Then apply the intersection test: which of those indicators are within collection range of your identified adversaries? Circle those — they are your vulnerabilities.
The uncircled indicators still exist but do not require priority countermeasure effort against your current threat environment.
Your group generates radio traffic that reveals operational timing. Your primary adversary monitors the relevant frequencies. Your secondary adversary has no radio collection capability. Which statement is accurate?
I can define the three categories of indicators: signatures, associations, and profiles.
I understand the difference between an indicator and a vulnerability.
I can apply the intersection test to determine which of my indicators are actual vulnerabilities.
I have identified at least three active vulnerabilities in my personal or group OPSEC posture.