Disrupting the Attack Cycle: How Modern Adversaries Move from Belief to Targeting in a Data-Rich World

This guest article was contributed by Chuck Randolph, Chief Strategy Officer at 360 Privacy

Enterprise security models have long assumed that attacks begin when an adversary starts collecting information about a target. That assumption made sense in an era when surveillance, casing, and reconnaissance were visible early indicators of hostile intent. Today, the earliest stages of many attacks occur long before any operational behavior is detectable. They begin when an individual adopts a grievance or ideological narrative and then turns to widely available personal and organizational data to find someone who represents that grievance.

Information about executives, employees, facilities, families, and routines is easier to obtain than at any point in history. Data brokers legally buy, assemble, and sell detailed personal records that include addresses, contact information, inferred characteristics, and relational connections. The Federal Trade Commission has documented how extensive these datasets are and how openly they circulate. Social platforms, breached data, and public records add even more layers of exposure. For an attacker, this creates an environment where target discovery requires little effort and very little skill.

When this level of exposure intersects with online grievance narratives, the barrier to initiating an attack drops significantly.

Where Traditional Models Fall Short

Frameworks such as the intrusion kill chain and MITRE ATT&CK remain essential for describing how adversaries conduct operations inside digital environments. Physical security models that describe pre attack surveillance, planning, and execution are also still useful. These models provide structure for identifying observable behaviors once an attacker begins preparing to act.

What these models do not fully capture is how attackers arrive at target selection in the first place. Research from the National Consortium for the Study of Terrorism and Responses to Terrorism shows that lone actors often begin with an emotional or ideological grievance before they identify any specific victim or organization. In many cases, grievance serves as the starting point. The attacker then seeks a target that symbolizes the perceived injustice.

The sequence therefore does not begin with reconnaissance. It begins with meaning making. Only once a grievance takes hold does the search for a target begin, and in the modern information environment the target is easy to find.

How Narratives Accelerate Modern Targeting

Online ecosystems have accelerated the spread of narratives that frame organizations, industries, or leaders as adversaries. Conversations in niche forums, amplified posts, targeted content feeds, and commentary cycles can collectively elevate grievance until it feels personal to an individual already primed for hostility.

At the same time, digital exposure supplies attackers with exactly the type of data they need to identify potential targets. Automated OSINT tools can correlate identities, map social networks, identify home and work locations, and highlight personal connections in minutes. Advances in generative AI have made this process even faster by helping users summarize and connect those datasets.

The intersection of grievance and exposure dramatically shortens the time between an individual adopting an adversarial narrative and selecting a symbolic target.

Symbolic Targeting in a Digital World

Terrorism research has long emphasized that attacks often serve a communicative purpose. Bruce Hoffman’s work highlights that targets are frequently chosen for their symbolic meaning rather than their tactical vulnerability. This dynamic now extends to private sector leaders and organizations.

A technology executive may be viewed as the embodiment of artificial intelligence policies. A healthcare leader may represent frustrations about insurance systems. A financial firm may symbolize anger about economic inequality. These associations may have little connection to the individual, but narratives do not require accuracy to be influential. Once grievance is established, attackers simply look for someone or something that represents it. Digital exposure does the rest.

A Modern Hybrid Attack Cycle

To account for these early drivers of targeting, enterprise security programs can adopt a hybrid model that includes both narrative and exposure phases. A simplified version looks like this.

Entry Conditions

• Grievance or ideological activation

• Exposure to narratives that assign blame to industries, institutions, or leaders

• Digital footprints that reveal individuals who could serve as symbolic targets

  
  

Attack Development

• Target fixation based on symbolic relevance

• Digital analysis of exposed data combined with selective physical observation

• Testing of access, communication channels, or response patterns

  
  

Operational Phase

• Execution of the attack

• Attempts to create symbolic or communicative impact

  
  

Post Incident Phase

• Online amplification of the event

• Integration of the attack into broader narrative ecosystems

• Exfiltration

  
  

This model reflects how attackers move from meaning to action and shows that the earliest opportunities for disruption occur far earlier than traditional reconnaissance.

Where Enterprise Security Can Disrupt the Cycle

Enterprise security programs frequently focus on facility protection, surveillance detection, threat investigations, and protective intelligence. These capabilities remain essential but typically operate in the later stages of the attack cycle. To disrupt earlier, organizations should focus on three upstream areas:

Reduce Exposure

Many attacks become possible because unnecessary personal information is easily accessible. Exposure reduction programs that minimize executive and corporate digital footprints can significantly increase the effort required for attackers to identify and select targets.

Monitor Emerging Narratives

Security teams should track narratives that assign blame, hostility, or symbolic meaning to their industry or executives. These narratives often rise well before any individual exhibits concerning behavior. Monitoring them provides an early signal of potential targeting.

Integrate Cyber and Protective Intelligence

Cyber threat intelligence teams already monitor online environments where grievances, misinformation, and identity correlation occur. Structured workflows that connect cyber threat intelligence with protective intelligence and physical security teams can reveal targeting behavior before it escalates.

Updating the Security Model

Traditional attack cycle models remain valuable for understanding how adversaries operate. The challenge is that modern threats increasingly originate upstream from those models. Digital exposure, grievance formation, online narratives, and automated reconnaissance all contribute to earlier stages of the threat pathway. In many cases, the process that leads to violence begins not with surveillance, but with belief.

Organizations that expand detection and disruption efforts into the narrative and exposure phases will gain critical time and situational awareness. In a threat environment where personal data is abundant and narratives spread rapidly, understanding how individuals become targets is now as important as understanding how attacks are carried out.