Introduction
The sea has become the cheapest place on earth to do expensive damage and deny you did it.
A tanker approaches a port at night, riding a deep draft and a clean profile. Its Automatic Identification System (AIS) reports on a position, a course, and an identity, and every one of those three fields can be false. The satellite fix feeding its navigation display has been pulled sideways by a jammer ashore, so the officer of the watch is steering against a chart that no longer matches the water under the keel. Somewhere along the approach the anchor is riding lower than it should, a few meters above a bundle of fiber and a high-voltage cable that carry a nation’s data and a chunk of its power.
The company that owns the hull sits behind three shells in two jurisdictions, the crew was rotated through a port that keeps no records worth the name, and a maintenance laptop wired into the bridge has been reaching a support server that nobody aboard can identify. One hull, five domains, one night, and none of them is legible on a screen that renders vessels as dots.
I am not a mariner. The closest I get to blue water is a charter boat and a cooler in the Long Island Sound. I build sensor fusion software, and I spend my days on what happens when data from a dozen unreliable sources must be reconciled into one honest picture.
This is a guide to maritime security written from that seat, because the maritime problem in 2026 is a data and decision problem before it is a seamanship problem. The physics of the ocean, and its threats, has not changed much. What has changed is that the sea has become the cheapest place on earth to do expensive damage and deny you did it, and most of the tools pointed at the water were built for a calmer era.
The argument of this guide is simple. The ship is the least of it. Maritime domain awareness is the effective understanding of anything on, under, or connected to the sea that could affect security, safety, the economy, or the environment, and for a critical-infrastructure operator that definition has expanded to include the seabed, the spectrum, the ownership chain, the crew manifest, and the operational technology inside the terminal.
This piece walks the threat from deep water inward: how the domain got this complicated, what it costs to ignore, and then domain by domain, from the vessel that lies about itself, to the money behind it, to the people aboard, to the contested spectrum it moves through, to the environment around it, to the cables beneath it, and finally to the computerized terminal it is steaming toward. It closes on the actors who run these campaigns and on why the only tool that sees the whole thing is one that fuses across every domain at once.
How Maritime Security Developed as a Domain
The doctrine has caught up to the reality that the maritime threat now arrives simultaneously through spectrum, network, ownership, crew, and seabed, and that the old physical layer is only the part you can see.
Maritime security became a multi-domain problem in stages; each layer added without removing the one beneath it. For most of recorded history, the maritime threat was physical and visible: navies, privateers, piracy, blockade, and the contest over freedom of navigation that shaped centuries of law and war. The seamanship answers to those threats were also physical, resolved with hulls, guns, escorts, and treaties.
That world never went away. Piracy still kills, blockades still bite, and the freedom-of-navigation argument is being relitigated in the Strait of Hormuz and in the South China Sea right now. What changed is that new layers of threat were bolted onto the old ones faster than doctrine could absorb them.
The first new layer was safety instrumentation. The Automatic Identification System (AIS) was born under the International Convention for the Safety of Life at Sea (SOLAS),-1974.aspx) to keep ships from running into each other, broadcasting a vessel’s identity, position, course, and speed over an open very-high-frequency radio channel so that nearby ships and shore stations could see one another.
AIS did its job well, and precisely because it was designed for cooperation and collision avoidance rather than security, it carries no authentication, no encryption, and no assumption that anyone would lie on it. The September 2025 United States Naval Institute Proceedings essay “Move Beyond AIS for Maritime Domain Awareness” makes the point in a credentialed venue that practitioners have known for years: a system built for traffic management was drafted into a security role it was never engineered to fill, and its data must now be fused with a wider surveillance framework because manipulation of it has become routine.
The second layer was securitization. After the attacks of September 11, 2001, the United States treated the maritime domain as a homeland-security surface for the first time at scale. National Security Presidential Directive 41 (also designated as Homeland Security Presidential Directive 13), signed in December 2004, ordered a national strategy for maritime security, and the resulting 2005 National Strategy for Maritime Security and its National Plan to Achieve Maritime Domain Awareness codified AIS as a security tool and directed the government to collect information on all ships, cargo, and people and fuse it into a common operating picture.
The International Ship and Port Facility Security Code, added to SOLAS in the same period, pushed the same logic onto ports and facilities worldwide. The instinct was correct, but the plumbing lagged, and much of the resulting picture was still a map of the vessels that chose to be seen.
The third layer was commercial and allied awareness. Satellite AIS, commercial radar and optical imagery, and space-based maritime tracking put a persistent picture of global shipping within reach of anyone with a subscription, and the Quad’s Indo-Pacific Partnership for Maritime Domain Awareness, launched in 2022 and channeled through the American SeaVision platform, extended that picture to partners across a vast ocean. The United States Department of State reported in September 2025 that it had contributed more than 120 million dollars of MDA support through that partnership and related mechanisms.
The National Maritime Domain Awareness Plan was reissued in August 2025, restating the core purpose of MDA as timely, accurate, informed decision-making rather than mere data collection. Awareness is increasingly becoming cheaper; understanding however is not. In joint doctrine terms for Joint All-Domain Command & Control (JADC2) we can cheaply “Sense” in the maritime domain, but “Make Sense” and “Act” are much more difficult.
The layer of complexity being added now is hybrid warfare and gray-zone conflict, and it is the reason this guide exists. The 2025 United States National Security Strategy reframes the maritime domain as a primary arena of competition and pulls a wide spectrum of illicit and gray-zone activity under the national-security umbrella. NATO published a new Alliance Maritime Strategy on October 29, 2025, emphasizing persistent awareness in the space and cyber domains and the protection of critical maritime infrastructure. India unveiled its Maritime Doctrine 2025 on December 2, 2025, formalizing a “No War, No Peace” operational category built explicitly around multi-domain operations.
The doctrine has caught up to the reality that the maritime threat now arrives simultaneously through spectrum, network, ownership, crew, and seabed, and that the old physical layer is only the part you can see. While doctrine, regulations, and essays are a great start, they do not exactly blunt the threats. When you factor in the usage of economic warfare by controlling chokepoints, threats on Unmanned Surface Vessels (USVs), and the aging shipbuilding infrastructure within the United States and abroad, we are close to a boiling point.
The Cost of Doing Nothing About Maritime Security
The cost of doing nothing is not a single incident. It is the normalization of deniable attrition against the infrastructure the economy sits on.
The reason to care is scale, because the sea carries the physical economy and a cheap attack against it produces losses out of all proportion to its cost. By most estimates roughly 80 to 90 percent of world trade by volume moves by sea, and the cables lying on the seabed alongside the shipping lanes carry a widely cited 99 percent of intercontinental data traffic along with the financial settlement that rides on top of it. A handful of chokepoints gate the whole system. The Strait of Hormuz carries around a fifth of the world’s seaborne oil, and the Bab-el-Mandeb, the Strait of Malacca, the Suez Canal, and the Panama Canal each concentrate a share of global commerce into a lane a few miles wide. Concentration is efficient in peacetime and catastrophic under pressure, because a threat that reaches one of those lanes reaches a disproportionate slice of the global economy at once.
I have already brought some of the most recent conflicts just in the last 3 years into frame and will continue to do so. Asymmetric forces such as the Houthis were able to cripple global traffic through the Bab-el-Mandeb using old-generation anti-ship cruise missiles, drones, and very crude USVs. During the most recent conflict with Iran, the IRGC incurred grievous damage to their surface warfare fleet. However, taking advantage of the rough terrain on the Iranian side of the Strait, the IRGC was able to continuously rain anti-ship cruise missiles, loitering munitions, Fast Attack Craft (FACs), One-Way Attack (OWA) drones, and naval mines onto civilian vessels.
Ukraine and its Western backers were able to rapidly develop, employ, and streamline targeting and strike infrastructure against the Russian Black Fleet and continue to harass Russian port infrastructure in Novorossiysk, the Crimean Peninsula, and even as far afield as the Mediterranean and Bering Sea with co-developed USVs and Unmanned Subsurface Vehicles (USSVs). These unmanned systems are used to destroy everything from ferries, coastal patrol vessels, Russian frigates, shadow fleet tankers, and everything in between.
Not to be undone, the Russians also employ a variety of USVs, OWAs, and high precision standoff munitions such as the Zircon hypersonic anti-ship missile against Odessa and could theoretically cripple most Eastern European ports if this proxy war develops into a proper large scale combat operation. While the conflict has not reached a tipping point in that direction, neutral parties have had their own shipping vessels destroyed in the line of fire from constant Geran-2 and Geran-3 salvos upon Odessa.
While these various threats and tradecraft represent different allegiances, doing nothing about them will continue to cripple global trade or even intra-regional trade. The downstream effects hamper military logistics, healthcare, create famine conditions, fuel shortages, civil unrest, and several other compounding secondary and tertiary effects.
Now put the anchor back in the water. A single poorly crewed hull drags its anchor across the seabed, severs a nation’s power interconnector or a data cable, and the outage runs for a median of roughly 40 days by the estimate the Atlas Institute drew from the Bulletin of the Atomic Scientists in 2025, while the courts struggle to prove the drag was deliberate. The attack costs the price of fuel and the length of the chain. The damage is measured in a nation’s connectivity, its energy prices, and the confidence of everyone who depends on the link. That asymmetry, cheap and deniable against expensive and exposed, is the entire threat model in one image, and it is why the maritime gray zone is attractive to any actor that wants to impose cost without crossing a threshold that would invite a military response.
Advanced USSVs such as the Russian Harpiscord, purportedly a research vessel, can reach awe-inpsiring depths in Arctic subsurface environments. It has long been reported that Russian submarines, Anti-Submarine Warfare (AWS), and USSVs have been used to probe undersea cables and even disrupt them at times, especially in the Baltic region. While the Houthis and IRGC can pull this off, a global superpower like the Russian armed forces have far more devious technological means to achieve disruption in the maritime domain.
The cost of doing nothing is not a single incident. It is the normalization of deniable attrition against the infrastructure the economy sits on. When a cable is cut and no one is charged, the next cut is cheaper: politically and operationally. When a tanker spoofs its position to load sanctioned oil and faces no consequence, the practice spreads to the next hundred hulls. When a port’s operational technology is probed and the probe is written off as a glitch, the intruder learns the map for free.
The Red Sea makes the aggregate cost visible: the Houthi campaign against shipping pushed a large share of Europe-Asia traffic around the Cape of Good Hope, and by the estimate reported in maritime coverage in early 2026 the throughput of container ships through the Suez Canal had fallen from roughly 80 per week before the crisis to about 26 per week in mid-January 2026. A campaign where individual operators treated it as someone else’s problem reshaped global logistics and every insurance book attached to it.
For a critical-infrastructure operator specifically, the exposure is not abstract. Ports, terminals, cable landing stations, offshore energy, and the coastal grid are the landward end of every one of these threads, and they are where the deniable maritime campaign comes ashore. The vessel that lies about its position, the owner that hides behind a shell, the crew that photographs the wrong pier, the jammer that blinds the approach, and the anchor that finds the cable all converge on fixed, expensive, hard-to-relocate assets that someone has to defend with a fixed budget. Doing nothing does not hold the line at the current cost. It cedes the initiative to the cheapest actor in the water.
As I am sure you picked up by now, this is a multi-domain threat environment with a mix of State, State-aligned, and non-State actors competing for theological goals, dominance in their spheres of influence, or just in it for the sake of causing irreparable harm to their respective peer and near-peer threats. This cuts not only across actor archetypes and domains, but also different styles of warfare whether we want to admit it in the civilian sector or not; and because of the residual risks and second- and third-order effects: we’re all a target.
Maritime Awareness is Not Maritime Intelligence
MDA is the understanding built on that maritime situational awareness, the effective comprehension of anything associated with the maritime domain that could affect security, safety, the economy, or the environment, including who owns what, what it is doing, what it is likely to do next, and whether any of it deserves a response.
Maritime domain awareness, maritime situational awareness, and multi-domain operations are three different things, and treating them as synonyms is the first mistake. This split is much like space situational awareness (SSA) and space domain awareness (SDA) - which we have written about in the past - one helps your Sense and the other helps you Make Sense and eventually Act.
Maritime situational awareness is the picture: the gathering of static and dynamic data to represent what is happening in an area of interest right now, the vessels, their tracks, and the environment around them. This includes every raw signal that is used across port security, maritime operations, shipping & logistics, compliance intelligence, business intelligence, route planning, insurers & underwriters, militaries, law enforcement, and more. For instance, everything from port RF data, AIS positions, IMO numbers, inspection & detention data, lading data, flag registeries, the size of the boats, as well as wave heights, subsurface temperatures, oil spills, sea ice, algae blooms, fisheries reports, and more.
In a vacuum, this data is NOT intelligence. It is data that can be formed into information that may be useful for crafting an intelligence product depending on the end goal. Maritime signals intelligence is going to need a baseline of maritime situational awareness data as well as specific data sources; counter threat finance and financial intelligence specialists will need another set of data for detecting Trade-Based Money Laundering (TBML) or resolving a beneficial owner at the end of a chain of shell and holding corporations. The doctrine that bridges the gap between furnished intelligence products and law enforcement or military action is Maritime Domain Awareness (MDA).
MDA is the understanding built on that maritime situational awareness, the effective comprehension of anything associated with the maritime domain that could affect security, safety, the economy, or the environment, including who owns what, what it is doing, what it is likely to do next, and whether any of it deserves a response. On its own, registry details can be important for identification but until you tie it together with patterns-of-life, lading data, persistent surveillance, and the beneficial owner, you cannot Act.
MDA is carried out using dedicated maritime intelligence fusion platforms, whether maritime specific or not. Following the money is only one piece, you will not enter into a counter threat of finance or sanctions enforcement operation without the rest of the pieces. You will still need persistent maritime surveillance mechanisms to detect and interdict the crew. Surveillance tells you who is on the vessel and if they’re packing heat beyond a few FALs. The weather lets you know what cutter, corvette, frigate, or guided missile destroyer or helicopter airframe can be used. That does not get into the non-maritime intelligence thjt must be fused to carry out a Vessel Boarding, Searching & Seizure (VBSS) or other interdiction and/or detention missions, that leads us to Multi-Domain Operations (MDO).
MDO is the doctrine for acting across land, sea, air, space, and cyberspace as one integrated effort. I have written about this, in part, in my first blog entry: Why JADC2 Needs Sensor Fusion at the Edge. Whether you know it as MDO, JADC2, Joint All-Domain Operations (JADO), or some other synonym, the outcome is the same. It is Sensing and Making Sense of the various data points across all the domains that impact your job, mission, and/or operation and using them to create actionable intelligence that will lead to said action.
Within the maritime domain specifically, just about everyone’s job is multi-domain by default whether they know it or not. Solar storms and ionospheric disruption can endanger crews just the same as directed jamming attacks against AIS transceivers and shore-based receivers. That same space weather or atmospheric conditions can impact the satellites that provide a backup to ship tracking. The financial intelligence function and business intelligence is what lets us find out registry data, lading data, trade data, inspections, and compliance. Cyber is what protects the systems ashore and on the waves and also ensures that communications can continue to flow. Maritime domain awareness has and will always be a multi-domain effort.
The cleanest way to hold the distinction is the operating logic that runs through joint doctrine: Sense, Make Sense, Act. Sensing is collection, e.g. the radar returns, the AIS broadcasts, the satellite passes, the buoy reports. Making sense is fusion and characterization, the work of turning a catalog of contacts into an assessed understanding of identity, ownership, behavior, and intent. Acting is the decision and the response, gated by authority and law. Most maritime tools stop at the first step and dress it up as the third. They render a great many dots on a chart; each dot is simply a cooperative broadcast taken at face value, and they call the resulting display awareness. It is inventory, __and inventory is not intelligence__.
The gap between the pretty picture and the understanding of the ground truth is exactly where every threat in this guide lives. A dot on a chart cannot tell you that the vessel’s broadcast identity was cloned from a scrapped ship, that its registered owner dissolved last quarter, that its crew was swapped in a port under sanctions pressure, that its reported position is a spoofed fiction while its true track loiters over a cable, or that the maintenance laptop on its bridge is beaconing to an address in a country the vessel has never visited.
None of those facts are answerable with astrophysics and a few database joins. Each of them requires correlating signals from different domains that arrive in different formats at different times with different reliability, and then holding the contradictions long enough to resolve them. That correlation is the discipline of intelligence fusion, and it is the subject of a separate technical reference; here it is enough to say that awareness without it is a comfortable illusion.
Maritime Intelligence & Security Beyond AIS
Regardless of the technical and regulatory implementation, AIS is not sufficient to protect our ports, vessels, or crews from harm; whether it comes from a threat actor, the environment, fatigue, or otherwise.
The single most trusted signal in maritime security, the AIS broadcast, is also the easiest to falsify. AIS is mandatory for vessels over 300 gross tons on international voyages and for most commercial vessels in United States waters, it is cheap, and it is widely available through commercial and government feeds, which is exactly what makes it dangerous when it is treated as ground truth.
The system transmits identity, position, course, and speed over an open VHF channel with no authentication, so any of those fields can be set to any value the transmitter chooses. Spoofing, the deliberate broadcast of false position, course, or identity, is documented and recurring in contested waterways and around sanctioned vessel operations. Dark activity, operating with the transponder switched off to avoid tracking, is a standard technique for sanctions evasion, smuggling, and pre-operational surveillance. And a large and growing share of the maritime threat - the small craft, the go-fast boats, and the uncrewed surface vessels - sits entirely below the AIS carriage requirement and almost never appears on the cooperative picture at all.
The practical consequence is that a facility security officer watching an AIS display sees the vessels that want to be seen, in the positions they want to report, and nothing else. That is a security posture built on the honesty of the adversary. The correction is to stop treating the transponder as the truth and start treating it as one claim among several to be checked.
AIS positions can be correlated against independent radar returns, so that a vessel claiming to be at position A while radar holds a contact at position B surfaces as an alert rather than an unnoticed contradiction. It is our opinion that every ship should be a sensor. The superstructure of VLCCs and Panamax ships and even smaller coastal vessels can mount commercially available radars to provide standoff. If not, shore-based installations of S, X, or K-Band radars can also be used on masts to provide similar corroboration on high-risk approaches.
Synthetic aperture radar from satellites can detect vessels that broadcast nothing in nearly every terrestrial weather condition. Electro-optical and infrared cameras in shore-based sensor networks, and radio-frequency direction finding all add ways to see the non-cooperative contact. A cooperative broadcast must be reconciled against non-cooperative sensing before it earns any trust. The more sensor modalities, the more accurate the sensor fusion ground truth becomes.
Aviation is one regulatory generation ahead of maritime on exactly this problem, and its solution is worth borrowing. The United States Federal Aviation Administration’s proposed Part 108 rule, the beyond-visual-line-of-sight framework published as a notice of proposed rulemaking in August 2025 under RIN 2120-AL82, would require drones to carry detect-and-avoid capability and to yield to crewed aircraft broadcasting their position by ADS-B or, in the FAA’s own language, “other electronic conspicuity equipment.”
The premise is that cooperative broadcast is welcome but insufficient, and that an operator must independently sense the traffic that is not cooperating. The companion proposal, Part 146, would establish Automated Data Service Providers, certified entities that supply strategic deconfliction, conformance monitoring, and traffic awareness through standardized, interoperable interfaces, so that many operators share one deconflicted picture instead of a scatter of proprietary silos. Both rules remain as proposals, not law, and their final form is unsettled, but the architecture is the relevant part.
Map that architecture onto the water, and the maritime gaps become obvious. AIS is the electronic conspicuity of the maritime domain, and it is the incomplete, unauthenticated version of it. Maritime has no mandated detect-and-avoid equivalent that forces an operator to sense the dark vessel, and it has no equivalent of a certified, interoperable data-service layer that would let a port authority, a coast guard, and a terminal operator work from the same reconciled picture rather than three partial ones.
The hardest part of the gap is the part no cooperative system solves. Even satellite AIS, which extends the cooperative picture far offshore, only sees the vessels that choose to broadcast, and it is blind by definition to the small craft, the fishing vessels, and the uncrewed surface vessels that carry no transponder and represent the fastest-growing threat vector in the maritime approaches.
As mentioned earlier, closing that gap requires independent, multi-sensor detection of non-cooperative contacts. Ships as sensors, upgraded shore-based sensing equipment, interoperability sensor fusion architectures and software, as well as remotely operating sensors (buoys, USV patrols, improved space-based payloads) will all be needed to do this. This will require the same governance that the FAA lays out, and whether that lives within Homeland Security, the Department of Transportation, or a joint interagency framework that promotes private-public teaming like JIATF-401 for Counter UAS is up for debate.
Regardless of the technical and regulatory implementation, AIS is not sufficient to protect our ports, vessels, or crews from harm; whether it comes from a threat actor, the environment, fatigue, or otherwise.
Beyond the Hull: Beneficial Ownership & Sanctions Compliance
While I do not expect every port to throw together a counter threat finance cell, this goes back to the improvement of collaboration we need for AIS and vessel detection.
A vessel’s real risk profile lives in its ownership chain, not in its hull, and that chain is engineered to resist inspection. The clearest live example is the so-called shadow fleet, sometimes called the dark fleet, the loose network of aging tankers that moves sanctioned oil outside the Western insurance and finance system.
Estimates of its size vary because the thing is built to be hard to count, but the Geopolitics and Security Studies Center assessed in April 2026 that the broader shadow fleet runs to roughly 600 to 800 tankers, on the order of 10 to 15 percent of the global crude and product tanker fleet. The maritime-analytics firm Windward, whose figures are a vendor estimate rather than an official count, identified more than 1,900 vessels engaged in dark-fleet practices as of the third quarter of 2025 and reported that the beneficial ownership of roughly 60 percent of them remained unknown. The attribution gap is not incidental. It is the product.
The tradecraft is layered and mundane. Vessels rename, reflag, and switch registries to shed sanctioned identities; they broadcast false positions, and/or they run under flags they were never actually granted. The International Maritime Organization’s own ship database listed 367 tankers as falsely flagged as of early April 2026, flying the colors of states that never registered them, and permissive registries from Gabon to Comoros to Gambia have churned sanctioned tonnage on and off their books under pressure.
When Western interdictions accelerated, Windward tracked a structural shift in which stateless vessels reflagged to Russia itself, often the only registry willing to take them, because a flag restores a legal protection that a stateless hull loses. The Geopolitics and Security Studies Center noted that as of early 2026, 623 tankers had been designated by at least one sanctions regime, yet 111 of them continued loading Russian oil, which is a blunt measure of how little a vessel-by-vessel designation accomplishes against a network that treats identity as disposable.
For the operator ashore, the lesson is that the entity, not the vessel, is the unit of risk. A hull is a temporary costume worn by a company, and the company is worn by another company, and somewhere at the end of the chain is a beneficial owner and a purpose. Screening a vessel against a sanctions list at the moment it requests a berth catches the costume, not the actor, and the actor has a wardrobe. Resolving the true entity behind a vessel, connecting a hull to its manager, its manager to its owner, its owner to a network of related tonnage, and that network to a pattern of sanctioned trade, is the discipline of entity resolution and counter-threat finance, and it is where a great deal of the real maritime risk assessment happens.
That is its own deep subject and its own cluster of tradecraft that is out of scope for this blog. The point to carry into port operations is that the vessel’s paperwork is the least reliable document in the file, and the ownership graph behind it is where the risk is written. While I do not expect every port to throw together a counter threat finance cell, this goes back to the improvement of collaboration we need for AIS and vessel detection. There needs to be an ability to centralize and share data instead of relying on a small handful of specialized intelligence, military, and private firms who comb the dozens of data sources needed to just start down this path.
There is a physical edge to this financial story that operators forget at their peril. The shadow fleet is structurally old, with the Geopolitics and Security Studies Center noting that the great majority of these crude and product tankers are more than fifteen years old, running outside the maintenance, classification, and insurance regime that keeps a normal hull seaworthy.
That produces groundings, collisions, fires, and engine failures at a rising rate, and it produces a specific hazard for the coastal state, because a stateless, uninsured, badly maintained tanker in a chokepoint is an environmental and safety incident waiting for a heavy-weather night. However, simply relying on Ukrainian SBU units based in other countries to drive Sea Baby USVs into them is not the right call. Setting hulks alight so they listlessly wander around the Mediterranean, the Caspian, or the Arctic Sea does not improve the environmental hazards. If anything, it makes it worse. We have enough issue stopping oil well leaks, let alone a Russian shadow tanker that sinks and destroys pipelines and undersea internet infrastructure.
The June 2025 collision between two tankers off the United Arab Emirates, which occurred against a backdrop of heavy navigation-signal interference, is a preview of what happens when opaque ownership, deferred maintenance, and a contested electromagnetic environment intersect in a crowded strait. While this is well out of the hands of everyone except for international law enforcement, intelligence agencies, and militaries, we can all do our part increasing our maritime domain awareness to catch up these sanctions evaders and capture the ships whole, with crews intact.
Likewise, continual pressure on other countries with looser registries continues to bear fruit. On July 3rd, 2026, as reported by Business Insider Africa, Cameroon has removed 39 vessels tied to the shadow fleet. The ocean is vast, but if you follow the money long enough, we will catch them all out.
Vessels and Crews are a Signature
There is a further, quieter dimension, which is that the crew and the vessel together emit a signature that an adversary can collect.
The people aboard a vessel are a signature and a risk surface, and both are routinely overlooked. Crew vetting is the front edge of it. A vessel’s manifest is a claim about who is aboard, and in some cases is no less opaque than the beneficial ownership, which is to say: not clear at all.
Crews are rotated through ports that can keep poor records, identities are thin, and the same networks that launder a vessel’s ownership can launder the people on it. For a facility that is about to allow a hull alongside a critical pier, the question of who is actually on that hull, and whether any of them have a reason to be interested in the pier rather than the cargo, is a security question that a berth-scheduling system does not ask. That doesn’t even get into the point if the co-travelers on that vessel have been there before, when they’re not supposed to be, or additional human cargo.
The insider and access problem is sharper than most landside operators assume, because a crew has legitimate reasons to be exactly where you least want a stranger. Recent reporting on the shadow fleet has documented a harder version of this. An investigation by SourceMaterial covering roughly 140 dark-fleet voyages between May 2025 and April 2026 found 83 Russian security personnel aboard, at least two dozen of them former mercenaries including sixteen who had fought for the Wagner Group, placed on the ships to keep non-Russian captains from cooperating with European enforcement.
European security officers quoted in that reporting acknowledged that the mere possibility of armed personnel aboard was deterring them from boarding, which is the point of the tactic. When the crew is a hard target that resists inspection, the ordinary tools of maritime enforcement degrade, and the vessel gains freedom of action it should not have.
This tradecraft (and subsequent deterrence) unlock even more capabilities in the form of standoff ISR assets launched from these vessels. In a story that has broken by The Guardian during the time of writing this blog is that Russian assets are launching drones around European critical infrastructure for the last 18 months, across 144 tracked incidents. It is much harder to deduce if this is strategic ISR or simply brinkmanship, it is not as if the Russian Aerospace Forces do not control several dozen mixed-used and military space-based platforms. However, it extends the deterrence of VBSS, drones that can carry sophisticated IMINT and SIGINT sensors can also carry explosives. There is not a Navy or Coast Guard in the West that wants to risk having helicopters carrying SOF or Marines blown up coming in for a fast rope.
That said, this cuts two ways. Drones have their own signatures that can and will be captured, especially given the tens of billions of dollars going to fund Counter UAS companies and government purchases of Counter UAS technology. We have written an extensive guide on carrying out Counter UAS within a multi-domain operational context, but vessels carrying military drones that are not already known to be friendly are a signature unto itself.
There is a further, quieter dimension, which is that the crew and the vessel together emit a signature that an adversary can collect. The pattern of crew communications, the devices they carry, the ports they favor, the routines they keep, and the electronic emissions of the vessel itself all form a profile that can be tracked, correlated, and exploited over time. This is the maritime face of a broader problem, sometimes called ubiquitous technical surveillance, in which the sheer density of collectable signals makes it hard for any actor to move without leaving a trail.
For a defender that trail is an opportunity, because a vessel and crew that behave anomalously against their own established pattern are surfacing intent. For the same defender’s own personnel and facilities, the trail is a vulnerability, and reducing one’s own signature is a discipline in its own right. The care here is to treat this as awareness rather than instruction; the value for a critical-infrastructure operator is recognizing that the human layer of a vessel is neither neutral nor invisible, and that behavior over time is often the most honest signal a hull emits.
Seafarer welfare closes the loop, and it is not a soft aside. The dark fleet runs on crews who are frequently underpaid, poorly protected, and legally exposed, sometimes abandoned in foreign ports when a shell company folds, and a person in that position is a person who can be pressured, recruited, or coerced to extract intelligence value.
The same conditions that make the shadow fleet cheap make its crews a vector, whether as unwitting participants, as coerced ones, or occasionally as willing ones. A maritime security posture that treats the crew purely as a manifest line and never as a population with its own risks and its own intelligence value is missing a domain that adversaries are already working.
For shipping and logistics companies this is inverted, but there is a lot of legal and even ethical consequences utilizing ubiquitous technical surveillance against their own crews. However, it is my opinion that there should not be an expectation of privacy aboard vessels. If a ship is already using Starlink or some other internet SATCOM, there is a precedent for using Data Loss Prevention (DLP), proxies, next-gen firewalls (NGFW), and other security tools in-line to detect malicious or suspicious behavior. Crews are a vector for foreign intelligence as well and can willingly or unwittingly become vectors for targeting data.
Digital Force Protection (DFP) is the mechanism in which we counteract ubiquitous technical surveillance. You must collect a baseline and continuously collect data to measure digital exposure and behavioral patterns. Understanding that shows you exactly what an adversary can (and likely already does) capture. It also helps you understand if the easily geolocated selfie was taken on purpose or accidentally.
Space-based Impacts on the Maritime Domain
For a port or coastal operator, the practical exposure is twofold...
When the satellite signal lies, every system that trusts it lies with it. Global navigation satellite signals arrive at the earth’s surface extremely weak, on the order of a hundred-billionth of a watt, which makes it easy to overpower. Jamming floods the receiver’s frequencies with noise and denies a position outright, and it announces itself, because the receiver knows it has lost lock.
Spoofing is the more dangerous technique, because it broadcasts counterfeit satellite signals that the receiver accepts as real, and the receiver computes a confident, precise, and entirely false position without any indication that anything is wrong. The reason this is a maritime security problem rather than a navigation footnote is that the falsified position does not stay in the receiver. It propagates into the Electronic Chart Display and Information System and into the AIS broadcast, both of which treat the satellite-derived coordinate as authoritative, so a spoofed fix becomes a false chart position, a false AIS report, a false compliance record, and an impaired collision-avoidance picture all at once.
The scale of the problem has grown from a regional nuisance into a structural condition of several major waterways. Interference is now described as endemic near conflict zones, including the Baltic, where an academic study of AIS anomalies from late 2025 into early 2026 found concentrated false-position events around Kaliningrad and Saint Petersburg, and the Black Sea and Eastern Mediterranean, where in April 2024 falsified signals placed 117 ships simultaneously at Beirut airport by the account carried in Lloyd’s List.
The most dramatic escalations have been in the Gulf. The maritime analytics firm Windward, whose counts are vendor estimates, reported more than 3,000 vessels disrupted in the Persian Gulf and Strait of Hormuz inside two weeks in June 2025, and compilations of the same period put more than 10,000 vessels affected across the second quarter of 2025, an eightfold jump from the quarter before. After the military strikes of late February 2026, transits through the Strait of Hormuz fell to near zero, with only a handful of crossings recorded on some days.
The safety consequences are already concrete. In June 2025, navigation-signal interference was assessed as a factor in a collision between two oil tankers off the United Arab Emirates, and in January 2026 the Royal Institute of Navigation published a study, drawing on more than a hundred experts and three hundred vessel captains, on the impact of navigation interference on maritime safety.
For a port or coastal operator, the practical exposure is twofold. Vessels approaching under a spoofed position may believe themselves to be somewhere they are not, degrading traffic management in exactly the congested water where errors are least survivable, and a facility’s own timing and positioning systems, which quietly depend on the same satellite signals, can be degraded along with the ships.
This is also where the maritime and space domains meet, because the signal in question is space infrastructure and the interference is a spectrum event. Space situational awareness, the tracking and characterization of what is happening overhead, is not a separate hobby from maritime security; it is part of the same picture, since the health of the constellation, the space-weather environment that affects it, and the ground-based emitters that attack it all bear directly on whether the ships below can trust their own position.
The resilience answers exist, and they are worth naming even where they are not yet standard: multi-constellation and multi-frequency receivers, terrestrial timing backups, and positioning derived from signals of opportunity such as cellular and other terrestrial transmitters that are harder to jam or spoof than a faint satellite signal. The strategic point for the defender is that navigation is a trust assumption, and any assumption an adversary can cheaply break has to be independently verified rather than believed.
An emerging problem set in this threat environment is counterspace activity. Whether it is “nesting doll” satellites that can disable, damage, or change the orbital behavior of positional and surveillance satellites or (even worse) kinetic actions. This has been an area of deep investment and worry; I have also written about these types of threats in detail in the past. Activities in one domain will often spill to others, and in the maritime domain the cost of counterspace activity degrading vessel navigation can and will be devastating. While we cannot do much to counteract it, having the space domain awareness as part of your multi-domain maritime awareness can at least help mitigate this second-order effects.
Maritime Environment & Weather as a Variable
A defender who knows the sea state knows how far to trust the maritime radar picture that hour, and a defender who can predict the drift of a spilled cargo or a disabled hull knows where the next problem is heading.
The ocean environment is an active input to every maritime engagement and treating it as a static backdrop hides risk. Sea state, currents, sea-surface temperature, wave height, wind, sea ice, and reduced visibility all shape what sensors can see, what small craft can operate, and how a response can be mounted, and they change hour to hour.
Radar performance degrades in high sea states as clutter rises, electro-optical and infrared sensors lose range in fog and rain, and a search-and-rescue or interdiction response that ignores the drift of wind and current will look in the wrong place. Environmental awareness is not a weather widget bolted to the side of the security picture. It is a set of variables that continuously modify the reliability of every other signal and the feasibility of every response. Oh yeah, that is something I have also written about in this past, albeit aligned to the air domain and not maritime - but the same principles apply.
The data to model this is public, mature, and underused in security contexts. The United States National Data Buoy Center operates a network of well over a thousand moored buoys, coastal stations, and reporting ships, national weather services publish gridded ocean wave model output with significant wave height, peak period, and swell direction on regular forecast steps, and satellite products detect sea-surface temperature, sea-ice extent, harmful algal blooms, and oil slicks. The demand signal for exactly this is visible in the search behavior of maritime operators, who look for maritime weather as a first-class concern, and the reason is operational rather than academic. A defender who knows the sea state knows how far to trust the maritime radar picture that hour, and a defender who can predict the drift of a spilled cargo or a disabled hull knows where the next problem is heading.
There is a security-specific edge to the environmental layer that goes beyond seamanship. A spilled or deliberately released cargo, whether from an aging shadow-fleet tanker breaking up in a strait or from a targeted incident, becomes a drifting hazard whose future position is governed by wind and current and can be predicted with physics rather than guessed. Detecting oil spills is an area of science that takes advantage of space-based sensors that are also used to detect fires such as NASA FIRMS which uses MODIS, VIIRS, and NOAA constellations. However, it is a different scientific domain to detect the propagation of these spills. I would be loathe not to mention that the Empyrean Defense Decision Dominance Engine does both today.
Sea ice reshapes the accessible approaches in the high north and opens new lanes and new vulnerabilities as it retreats, a change that NATO’s 2025 maritime strategy calls out explicitly as a threat multiplier in the Arctic. And the environment interacts with every other domain in this guide, because the same heavy weather that makes a radar picture unreliable is the cover a dark vessel prefers, and the same fog that blinds a camera is the window an intruder chooses. Folding the environment into the security picture is what turns a set of separate alarms into an assessment.
The Subsurface Threat Environment
The seabed is where the cheapest deniable attack in the maritime domain meets the hardest attribution problem and closing that gap is a fusion problem before it is a policing one.
The most consequential maritime attacks of the past two years did not target ships at all, because they targeted the cables and pipelines lying on the seabed beneath the shipping lanes. The Baltic Sea has been the proving ground.
- In October 2023 the Balticconnector gas pipeline and nearby telecommunications cables between Finland and Estonia were damaged, with suspicion falling on a vessel dragging its anchor.
- In November 2024 two telecommunications cables, the C-Lion1 between Finland and Germany and the BCS East-West Interlink between Sweden and Lithuania, were severed, and investigators tied the damage to a bulk carrier that had dragged its anchor across a long stretch of seabed.
- On Christmas Day 2024 the Estlink 2 power cable and several telecommunications lines connecting Finland and Estonia were cut, and Finnish authorities boarded and detained the tanker Eagle S, which they assessed had dragged its anchor for a distance measured in tens of miles. The pattern continued into the seizure of a cargo vessel, the Fitburg, on the last day of 2025.
By early 2025, defense reporting counted at least eleven Baltic cables damaged since October 2023. This is not an exhaustive list at all, there have been other attacks against gas pipeline infrastructure such as the Nordstream II by Ukrainian-aligned actors, and countless of other attempts. Not to mention unattributable attacks from deep-sea USSVs which can be used for offense as often as inspection.
The modus operandi is consistent and cheap. A commercial vessel operating in international waters drags its anchor across the seabed, damage results, and attribution is difficult because a dragged anchor is deniable as an accident and the law of the sea grants ships broad rights of passage. Naval assessments have repeatedly noted that some of these anchors were dragged for distances far exceeding anything a genuine accident would produce, in some cases hundreds of kilometers, which a competent crew would notice.
The response has been substantial. NATO launched the Baltic Sentry mission on January 14, 2025, committing frigates, maritime patrol aircraft, and naval drones to the region, and a parallel Joint Expeditionary Force effort applied AI-assisted tracking of suspect vessels. On February 5, 2026, the European Commission announced a 347 million euro subsea infrastructure package with a Cable Security Toolbox, including a pilot to pre-position modular repair equipment, an acknowledgment that the median repair time for a submarine cable fault runs to roughly 40 days and that pre-positioning is the only way to shorten it.
The hard part is not detection. It is attribution and consequence, and that is where the seabed threat exposes the limits of single-domain thinking. In October 2025 a Finnish court dismissed the case against the Eagle S crew, ruling that prosecutors had failed to prove intent and that any negligence was a matter for the vessel’s flag state, and the ship and its owner walked. That outcome is the whole problem in miniature.
Proving that an anchor drag was deliberate requires more than the fact of a cut cable. It requires correlating the vessel’s precise track against the cable’s mapped position, the vessel’s speed and heading changes at the moment of the drag, the anchor’s behavior, the vessel’s ownership and its links to a hostile interest, and the pattern of similar incidents across the region, and holding all of it to a legal standard. No AIS display and no single sensor produce that case.
The seabed is where the cheapest deniable attack in the maritime domain meets the hardest attribution problem and closing that gap is a fusion problem before it is a policing one. The good thing is that the problem's surface is not exhaustive. There are several geotechnical products available that map out the undersea infrastructure. Locating tracks loitering near the infrastructure is a simplistic geometry equation. When you combine that with readily available bathymetry, organizations can (and already do) map out the vulnerable ends of the cables. These are simple geofences and intelligence fusion activities that law enforcement, naval units, and coast guard units can utilize to perform ad-hoc inspections.
However, that does not account for actual subsurface detection. There are mechanisms for detection, mostly in the hands of intelligence agencies and militaries, not something researchers and founders like me have access to. Anti-submarine warfare (ASW) hydrophones, hydrostatic sensors, and a myriad of other subsurface MASINT sensors can be used against the USSV threat, which will only increase. Don’t wrinkle your nose to it, in 2015 ISIS was flying DJI drones to drop grenades on allied forces, 10 years later we have stealth UCAVs and swarming technology. USVs and USSVs are already in use by militaries today, and the technology will only become more proliferated.
We are already in a collective deficit, and this is another area that requires industry partnerships and regulatory planning to build more undersea infrastructure to deter and/or detect undersea infrastructure attacks. Expecting everyone to rely on the handful of public data sources from seismic sensors and satellite feeds to attempt to Sense this environment is a losing proposal.
Cybersecurity Impacts on Maritime Security
Daily losses of an attack on a major port can exceed $2B a day; multi-vector attacks widen the damage even more.
A modern port and a modern ship are both computers, and the regulations now treat them that way. A single vessel’s bridge is a small operational-technology environment in which the Electronic Chart Display, the AIS, the Global Maritime Distress and Safety System, the satellite communications terminal, the voyage data recorder, and the engine and ballast controls all run on networked equipment exposed to chart updates, satellite links, vendor remote access, and the occasional crew USB drive.
A port adds another layer entirely: the operational technology that runs cranes, fuel systems, and cargo handling, the electronic data interchange that governs load planning and container weights, the credentialing and access-control systems, and the IT that ties it together. This is the landward computer that every threatening hull is steaming toward, and it is the critical-infrastructure operator’s home ground.
The regulatory environment caught up to this reality in a compressed window that operators need to understand as a hard deadline rather than a guideline. The International Maritime Organization’s Resolution MSC.428(98), adopted in 2017.pdf), made cyber risk management a mandatory element of every shipping company’s Safety Management System under the International Safety Management Code, and the associated guidelines, most recently revised in 2025, describe how to do it.
In the United States, the Coast Guard’s final rule on cybersecurity in the marine transportation system, published in January 2025 and effective in July 2025, requires United States-flagged vessels and facilities regulated under the Maritime Transportation Security Act to develop and implement approved cybersecurity plans. On the newbuild side, the International Association of Classification Societies unified requirements E26 and E27 apply cyber-resilience obligations to vessels contracted from July 1, 2024, mandating network segmentation, secure update mechanisms, and equipment-level security at the design stage. The practical effect is that an operator now must be able to prove, not merely assert, that it governs vendor's remote access and segments its operational technology.
The attack surface is specific, and it rewards understanding the mechanics. The most realistic path to compromising an Electronic Chart Display is not a Hollywood chart edit but corrupted input, a manipulated satellite feed or a malicious update arriving without integrity verification, which is another reason the navigation-spoofing problem and the cyber problem are the same problem seen from two angles. AIS, being unauthenticated over RF, can be spoofed to inject ghost vessels or launder a sanctioned ship’s identity.
Voyage data recorders can be tampered with to destroy the evidence of an incident. On tankers, the emergency shutdown and cargo-management systems carry manufacturer remote-access tunnels that must be strictly controlled, because a support connection left open is an intrusion path into a system that moves hazardous cargo. For a port, the crane and fuel and cargo systems are the equivalent exposure, and the convergence of cyber access with physical consequence is exactly the point where a deniable maritime campaign produces a kinetic effect ashore.
The reason this section closes the walk from deep water to the pier is that the terminal is where every prior thread lands. The vessel that lied about its identity, the owner that hid behind a shell, the crew that carried the signature, the spoofed navigation, and the anchor that found the cable all converge on a fixed, computerized asset that an operator has to defend under a fixed budget and a new set of legal obligations.
Cyber-physical convergence is not a separate discipline to be handled by a separate team. It is the landward face of the maritime threat, and it correlates directly with the RF, the ownership, and the behavioral signals arriving from the water. The threat environment is much larger than just the maritime-specific pieces of it. Think about all the AI chatbots, Software-as-a-Service applications handling everything from payments to HR to logistics management, and other apps we need. An attacker just needs to get a foothold in one of these systems. A few misconfigurations later they’re jumping onto the OT backbone from the IT backbone.
This has been happening for two decades already. Everything from intrusion, corporate espionage, cyber warfare, ransomware, and good old fashioned Distributed Denial of Service (DDOS) are all well within the attacker’s tool bag. The outcome is largely driven by how closely the threat of actor is to a state actor, but the outcome is the same. Daily losses of an attack on a major port can exceed $2B a day; multi-vector attacks widen the damage even more.
Is this something your team is capable of protecting against? A DDOS against a cloud-based logistics or planning tool, a concerted effort within the IT or OT environment, and then if you add subsequent electromagnetic and physical threats, that would be a doomsday scenario that is coming closer to reality. While we may never see an IRBM launched against the Port of Galveston or New York and New Jersey, it is not beyond the realm of possibility for smaller cells to wreak havoc with cyber-physical convergent attacks.
Is your maritime security posture ready for hybrid warfare?
Maritime Threat Intelligence: Actors and Influence
This is what gray-zone conflict means in the maritime domain, and it is why a defender who can only see one domain at a time is structurally disadvantaged.
While there is a myriad of maritime threat actors, three actors in particular define the current maritime threat picture, and all three share one design principle, which is deniability.
The first is the shadow-fleet ecosystem, the network of opaque owners, permissive registries, and aging tankers that moves sanctioned oil and, increasingly, does double duty in the gray zone. These vessels look commercial, they carry commercial paperwork, and they enable state objectives while preserving the state’s ability to deny involvement, which is why the same hulls implicated in sanctions evasion keep appearing in the anchor-drag incidents over cables.
The addition of armed security personnel aboard some of these ships, documented in reporting on roughly 140 voyages between May 2025 and April 2026, hardens them against boarding and pushes them further from ordinary commercial behavior toward an arm of state policy wearing a merchant’s flag. Likewise, as mentioned in an earlier section, some of these vessels are even carrying drones which can further deter seizure and provide standoff engagement capabilities in open oceans.
It is easy to point to Russia as the monolithic actor in this space, but there are more than a handful of State and non-State actors who take advantage of this. Pirates along the Horn of Africa and Western Africa, Yemeni tribes, Southeastern Asian countries, and further afield can also take advantage of this. Iran, Russia, and in certain cases specifically sanctioned companies and beneficial owners likewise rely on the global shadow fleet registry in various capacities.
Likewise this same infrastructure, whether overtly shadow fleet or state-sponsored, has secondary benefits to foreign terrorist organizations, drug cartels, and human trafficking organizations. Munitions, trafficking victims, drug precursors, and other sanctioned technology often makes it way across waterways instead of via airborne assets. This is how cartels can receive precursors to make fentanyl, how the Houthis can secure modern ballistic missiles and electronics, and how trafficking victims are moved across hemispheres.
The second actor is the Houthi movement, and the important reframing for an operator is that this is a campaign with an on-off switch, not a closed chapter. Since seizing the car carrier Galaxy Leader in November 2023, the group has conducted more than a hundred attacks on merchant shipping, sinking four vessels and killing seafarers, with reported death tolls varying across sources and at least eight confirmed. While technically reactivated in support of the IRGC against the IDF, the attacks on shipping have greatly diminished as they continue their ground-based fights against Saudi Arabian proxy and advisory forces in the east of the Country.
The Houthi tactics use a diverse set of anti-surface warfare techniques as the group has access to Anti-Ship Ballistic Missiles (ASBMs), Anti-Ship Cruise Missiles (AShCM), One-Way Attack (OWA) drones, and a diverse set of USVs such as the Toufan-series and other retrofitted skiffs and dhows with remote pilot capabilities. Additionally, earlier in the campaigns against global shipping, the Houthis used rotary aircraft such as Soviet era Mi-8 helicopters to conduct their own fast-rope insertions for their VBSS activities.
Additionally, they possess their own surface and air defense sensor suites, SAMs, conventional Short-Ranged Ballistic Missiles (SRBMs), and Medium-Range Ballistic Missiles (MRBMs), cruise missiles, and loitering munitions. The Houthis have proved resilient against multi-axis, multi-domain US and coalition attempts to thwart them, taking great advantage of their terrain and foreign sponsors of tactics and munitions to continue the advanced persistent threat in the region.
The Houthi posture is one of conditional deterrence, calibrated to regional politics, which means the threat to a shipping lane can switch from dormant to active on a political trigger rather than a military one.
Because maritime insurance carriers operate on risk assessment rather than actual hull damage, the Houthis can weaponize the information domain; the mere threat of reactivation sends insurance premiums and carrier rates spiraling without a single shot being fired. This forces commercial shipping to bypass the Suez Canal entirely, passing the burden of increased fuel costs and transit delays directly to global companies and average citizens.
Ultimately, the multi-theater campaigns waged against the Houthis since 2011 have proven structurally ineffective because they ignore a brutal reality of cost asymmetry. Western coalitions are trapped in a losing economic loop, expending multi-million-dollar air-defense missiles to intercept ten-thousand-dollar Houthi loitering munitions. Furthermore, the threat defies traditional military destruction: whether it is the UAE-backed Southern Transitional Council (STC) utilizing ground-based proxy forces, NAVCENT conducting targeted air strikes against mobile launchers, or SOF-centric counter-terrorism campaigns led by SOCCENT and JSOC (supported by Horn of Africa assets like SOCCE-HOA), the coalition has only ever blunted, never ceased, Houthi operational capacity. Until Yemen achieves baseline internal stability or the Houthis' attention is permanently diverted, military force alone cannot erase an adversary that leverages low-cost tech to impose high-cost global economic paralysis.
The third actor is China’s maritime forces, and specifically the People’s Armed Forces Maritime Militia (PAFMM) operating alongside the People’s Liberation Army Navy (PLAN) and the China Coast Guard (CCG) as a coordinated three-part structure. This triumvirate of naval deterrence is coming into focus increasingly given the United States' “Pacific Pivot” to counter PRC influence in the South China Sea and around Taiwan. This represents a pure peer threat in comparison to shadow vessels, Houthis, and even the IRGC (whose conventional Navy was all but destroyed in Spring 2026).
The militia is a government-directed fleet of ostensibly civilian fishing vessels used to assert territorial claims through presence, harassment, and interference, and its value to Beijing is precisely its legal ambiguity, because a modified fishing boat is hard to categorize as a use of force under international law and hard to attribute to the state. A dataset published in early 2026 documented 270 open-source incidents of harassment, assault, or interference against Filipino and Vietnamese fishing crews between 2012 and 2025, with nearly half occurring jointly with the China Coast Guard, and the blockade of Philippine resupply missions to the grounded Sierra Madre at Second Thomas Shoal is the emblematic case. A 2016 international arbitral ruling rejected the expansive nine-dash-line claim these operations advance, and the operations continued regardless.
The tactics and strategy employed by the PAFMM will only continue to evolve as the temperature of the coming conflict within INDOPACOM increases. It is not hard to imagine these vessels being part of the overall People’s Liberation Army Rocket Forces (PLARF) kill-web, providing low-visibility and persistent ISR all along the First Island Chain and beyond. Likewise, SOF units can be stashed on these various fishing vessels and trawlers and used to deploy advanced passive ELINT sensors, OWA drones, ISR drones, and even be used to lay mines, launch USSVs, and otherwise skirmish with shallow water coast guards from other states.
The common thread across all three of the actors is that the attribution problem is the strategy, not a byproduct of it. The shadow-fleet tanker, the deniable anchor drags, the fishing boat that rams a rival, and the missile fired by a non-state proxy are all engineered to impose cost while staying below the threshold that would justify a clear response.
This is what gray-zone conflict means in the maritime domain, and it is why a defender who can only see one domain at a time is structurally disadvantaged. The adversary is choosing tactics specifically because they are hard to see whole. The counter is to see them whole, anyway. While I do not foresee conventional munitions aboard global shipping infrastructure, I do believe we need to likewise use the fleet as sensors in their own rights. Is it really too much for a shipping company carrying 100s of millions of dollars' worth of minerals or POLs to purchase some radars to provide situational awareness against USVs or drones? Is it so hard to envision drones onboard commercial shipping ships providing a longer range of detection and deterrence? Or having security specialists using fusion and intelligence software on the boats themselves?
We are preparing for this and are working with a few partners to make it a reality.
Maritime Intelligence Fusion is non-negotiable
Giving crews and vessel owners the ability to detect their vessels far from shore and detect threats several kilometers away can be the difference between life or death, and second order effects on the rest of us.
Every threat in this guide is invisible to a tool that watches one domain, because none of these campaigns confine themselves to one domain. Return to the hull from the opening. A radar shows the contact but not its ownership. A sanctions screen shows the owner but not the spoofed position. A navigation-integrity monitor shows the jamming but not the anchor drifting toward the cable. A cyber sensor shows the beaconing laptop but not the crew that carried it aboard.
Each of these tools is correct within its own domain and blind to the campaign that spans all of them, and the adversary is counting on this fragmentation. The vessel that is merely anomalous on any single axis becomes unambiguous the moment its spoofed position, its dissolved owner, its swapped crew, its loiter over a cable, and its probing of a terminal network are held in one view.
The discipline that produces that single view is intelligence fusion, the correlation of signals across domains and sources into an assessed understanding of identity, ownership, behavior, and intent, and it is the maritime application of multi-domain operations doctrine. In practice it means wrapping every vessel in its full context automatically: reconciling its cooperative broadcast against non-cooperative radar and satellite detection, attaching its regulatory and ownership history, overlaying the environmental conditions and the navigation-integrity picture around it, checking its behavior against the seabed assets it is passing, and correlating any cyber indicators from the terminal it is approaching.
The organizational form of this is a maritime fusion center or a maritime common operating picture, a place where the vessel picture, the ownership graph, the spectrum picture, the seabed geometry, and the terminal telemetry are held together and assessed against pattern of life rather than viewed on five separate screens by five separate teams.
This is the seat I am writing from. Empyrean Defense builds this kind of cross-domain fusion as software that runs at the edge, wrapping each vessel in its environmental, regulatory, and threat context the moment an operator selects it, and correlating the maritime picture with the space, spectrum, cyber, and other domains on the same platform rather than in separate tools. The value is not any single feed. It is the reconciliation, the ability to surface the contradiction between a claimed AIS position and a radar return, or between a vessel’s stated business and its ownership network, as an assessed alert rather than a fact buried in one of a dozen systems nobody had time to cross-check.
If as an industry we can continue to deepen our deployments (not just Empyrean Defense alone) on vessels, ports, maritime infrastructure, and otherwise with increasingly sophisticated sensors and fusion software, I know we can improve the safety of mariners and vessels. Giving crews and vessel owners the ability to detect their vessels far from shore and detect threats several kilometers away can be the difference between life or death, and second order effects on the rest of us.
Improving Maritime Domain Awareness & Intelligence
In conclusion, the maritime problem for a critical-infrastructure operator is not a shortage of data, but rather the absence of a reconciled picture.
The signals already exist in abundance: AIS and radar and satellite imagery, ownership registries and sanctions lists, navigation-integrity feeds, seabed asset maps, operational-technology telemetry, and mature environmental products. What is missing is the fabric that pulls them into one honest view at the point and moment of decision, and the discipline to stop trusting any single cooperative signal on its own. The gap is not sensing. It is sense-making.
Four recommendations follow everything above, and they are ordered from most immediate to most ambitious.
- First, stop treating cooperative broadcast as truth, and reconcile every AIS report against independent non-cooperative sensing before it earns trust.
- Second, resolve the entity rather than the hull, because the vessel’s paperwork is disposable, and the ownership network behind it is where the risk is written.
- Third, treat the seabed and the spectrum as part of the perimeter, because the cable under the approach and the navigation signal over it are as much a part of the defended asset as the fence line.
- Fourth, build or buy the shared, reconciled data fabric that aviation is now standardizing through its detect-and-avoid and data-service-provider rulemaking, so that the port authority, the coast guard, and the terminal operator work from one picture rather than three partial ones.
The frontier, and the honest limit of every cooperative system, is the vessel that never broadcasts at all. Even satellite AIS sees only the ships that choose to be seen, and the small craft, the fishing vessels, and the uncrewed surface vessels that carry no transponder are the fastest-growing threat in the approaches and the least visible on any cooperative picture.
Closing that gap requires independent, multi-sensor detection of the non-cooperative contact fused into the same reconciled view as everything else, and it is a large enough subject to deserve its own treatment, which we will take up separately. For now, the takeaway is the one the whole guide has been building toward. The sea has become the cheapest place on earth to do expensive, deniable damage, and the defender who can see across every domain at once is the one who makes that damage expensive again.
Ready to see how Empyrean Defense can help implement this strategy? Reach out to us to setup an exploratory call or a demo now. The threats do not wait, why will you?
Stay Dangerous.