Sixty Thousand People, Five Radio Channels, Zero Shared Picture
Live events are the hardest security environment in the civilian world because everything about them works against the way security tools are designed to operate. The venue configuration changes between events. The threat profile changes between events. The staffing, the law enforcement liaison, the command structure, and the radio plan all change between events. A security architecture that requires weeks of sensor calibration, integration engineering, and vendor professional services is not a security architecture for live events. It is a security architecture for buildings that happen to host them.
The NFL has logged over 2,000 drone incursions per season across its venues. FIFA World Cup 2026 venues are deploying counter-UAS systems for the first time. Political conventions, inaugurations, and major sporting events are now designated as National Special Security Events (NSSEs) or Special Event Assessment Rating (SEAR) events specifically because the threat surface extends across air, ground, electromagnetic, cyber, and information domains simultaneously.
The security challenge is not that any one of these threats is new. The challenge is that they converge on the same location at the same time, and the teams responsible for each domain do not share a common picture.
The event security manager sees cameras and access control. The law enforcement liaison sees their CAD system and radio traffic. The counter-UAS operator - if one exists - sees their sensor feed. The social media analyst - if one exists - sees their dashboard. The incident commander in the mobile command post is supposed to synthesize all of this into a coherent picture and call the "game" under time pressure, but what they actually have is P25 or DMR radio channels, a whiteboard, and the ability to ask each team what they are seeing one at a time.
The Deployment Problem Nobody Talks About
Counter-UAS vendors demonstrate their fixed-site systems in controlled environments with weeks of setup time and permanent infrastructure. Then they ask you to protect a three-day music festival with the same architecture. The event security manager knows this doesn't work, but the alternatives - no UAS detection at all, or a handheld RF scanner carried by a guard who may not know what they're looking at - are worse.
Empyrean is designed for the deployment reality that live events actually impose. The platform runs on portable hardware - deployable from transit cases to a mobile command post, a venue back office, or a trailer outside the perimeter. Stand-up time is measured in hours, not weeks. Configuration for a new venue uses geospatial boundaries, sensor registration, and policy templates that the security team controls without vendor intervention. Teardown is the reverse of stand-up. The system moves to the next venue with the team.
This is not a simplified version of a fixed-site product. It is the same platform, the same fusion engine, the same policy layer, the same audit trail - packaged for an operational model where the venue changes every weekend and the team cannot afford a vendor engagement between events.
Drones: Detection, Classification, and the Authority Gap
The drone problem at live events is not a detection problem. It is an authority problem wrapped in a detection problem. Venue security has no legal authority to jam, spoof, or kinetically interdict an unauthorized UAS in most jurisdictions. The Safer Skies Act, if enacted, would extend limited counter-UAS authorities to certain designated facilities and events - but even under the most permissive interpretation, the interdiction authority rests with law enforcement or federal agencies, not with venue security staff.
This means the event security manager's drone response is fundamentally a coordination exercise. Detect the drone. Classify it - is this a hobbyist who wandered into the TFR, an unauthorized commercial operator, or a deliberate threat? Look up the cooperative ID against Remote ID broadcasts and LAANC authorizations. Document the track history. Alert the law enforcement liaison with enough information for them to act. Preserve the evidence for post-incident investigation.
Empyrean supports this entire workflow as a policy-driven chain that routes differently depending on what the detection reveals. A drone with a valid Remote ID broadcasting inside a LAANC authorization window gets logged and monitored. A drone without Remote ID operating inside a TFR triggers an alert to the law enforcement liaison with the track, the RF signature, the estimated launch point, and the relevant camera sector - automatically, without the GSOC analyst assembling the package manually. The venue security team's job is to detect and document. The law enforcement partner's job is to assess and act. Empyrean makes sure both sides have the same picture when it matters.
All of this is coordinated across the Empyrean data mesh, the mechanism in which your own C-UAS and other security tool investments are normalized and idempotently tracked. Where you are not getting a temporary icon on your ATAK EUD that disappears after 5 minutes, but that your team can run analytics against and maintain full chain-of-custody of the normalized underlying data and anything done with it.
Narrative Intelligence Before Doors Open
The social media threat that matters is not the one that arrives during the event. It is the one that builds in the days and weeks before. Coordinated agitation campaigns, targeted threats against performers or attendees, protest organization with potential for escalation, and inauthentic behavior designed to provoke or distract - all of these are visible in open sources before the event if anyone is looking for them with the right tools and the right lens.
Most event security teams are not looking, because the social media monitoring tool belongs to the marketing department, the public relations team, or a crisis communications consultant who produces sentiment reports, not security assessments. The gap between "people are angry online" and "this specific threat against this specific event has geographic and temporal indicators consistent with operational preparation" is the gap between a marketing metric and a security decision.
Empyrean's narrative intelligence feeds directly into the security operations workflow. Threats are scored for severity and credibility based on behavioral indicators - not just keyword matching - and correlated with the event calendar, the venue, and any associated physical or cyber indicators. The event security manager sees a threat assessment that says "coordinated social media campaign targeting Saturday's event, originating from accounts with geographic proximity to the venue, escalating in volume over the past 72 hours" - not a word cloud and a sentiment graph.
Multi-Agency Coordination When It Counts
The phone bridge collapses in the first sixty seconds of an active incident because it was never designed for what it's being asked to do. Five agencies - venue security, local PD, state police, EMS, fire - each have their own communication system, their own incident command structure, and their own understanding of the situation based on whatever radio traffic they can hear on their own channel. The incident commander in the mobile command post is supposed to have a common operational picture but actually has a phone with five lines and a whiteboard.
Empyrean replaces this with federated multi-agency coordination where every partner in the response sees the same operational picture - scoped to their role, updated in real time. Venue security sees the full internal picture: cameras, access control, drone tracks, RF alerts, narrative intelligence. Local PD sees the perimeter, the incident location, the drone track, and the responding units. EMS sees the casualty collection point, the ingress/egress routes, and the nearest staging area. Fire sees the building layout, the fire suppression status, and the hazmat inventory. Each agency sees what they need. None of them see what belongs to another lane.
This works through TAK integration - the same Cursor-on-Target protocol that military, law enforcement, and emergency management agencies already use - or through Empyrean's native federation pipeline for partners who don't run TAK. The integration is pre-configured at the template level. When the event security team deploys to a new venue, the federation with law enforcement and emergency services is part of the deployment, not an afterthought.
The Evidence Chain That Survives the Aftermath
Every significant security incident at a live event generates three downstream requirements: a law enforcement investigation, an insurance claim, and an organizational after-action review. Each of these requires documentation of what was detected, when it was detected, what decisions were made, who authorized them, and what actions were taken. If the documentation is assembled after the fact from radio logs, guard reports, camera pull requests, and human memory, the resulting package has gaps that lawyers, adjusters, and investigators will find.
Empyrean produces this documentation continuously and automatically. Every detection, every correlation, every alert, every operator action, and every policy execution is logged with timestamp, operator identity, source system, and disposition. The evidence chain is not a report that someone writes after the event. It is a byproduct of operating the platform during the event. When the investigation begins, the evidence is already assembled, time-stamped, and traceable to source - because it was being recorded while the incident was still happening.
This is not a convenience feature. For the event security manager, it is the difference between "we detected the drone at 7:47pm EST, classified it as non-cooperative at 7:48pm EST, alerted law enforcement at 7:49pm EST, and here is the track history and the RF signature data" and "we think someone saw a drone but we're not sure exactly when and the camera footage has already been overwritten."