What is Narrative Intelligence?

Narrative Intelligence (NARINT) explained: detecting and countering influence operations, DISARM framework, CIB, and OSINT.

Narrative Intelligence is the discipline of detecting, tracking, analyzing, and countering narratives across the information environment. It sits at the intersection of Open-Source Intelligence (OSINT), Social Media Intelligence (SOCMINT), Information Operations (IO), and computational linguistics. Where traditional intelligence disciplines focus on physical observables (signals, imagery, human sources), Narrative Intelligence focuses on what people are saying, who is saying it, how it spreads, whether it is coordinated, and what operational effect it is designed to achieve.

The term is relatively new. The problem is not. Propaganda, influence, deception, and strategic communication have been instruments of statecraft and warfare for as long as states and wars have existed. What changed is the speed, scale, and accessibility of the information environment. A narrative that once required a printing press, a radio tower, or a television studio can now be seeded from a phone, amplified by bots, and reach millions of people in hours. The defense and intelligence communities have been adapting doctrine and terminology to this reality for the past two decades, and the private sector is catching up fast.

For the operational capability that implements these concepts, see the Narrative Intelligence capability page. For how narrative signals integrate with the broader multi-domain operational picture, see Would the Real COP Please Stand Up.

The Information Environment

Everything in Narrative Intelligence starts with the Information Environment (IE). Joint Publication 3-13 (Information Operations) defines the information environment as the aggregate of individuals, organizations, and systems that collect, process, disseminate, or act on information. It is not a single domain like air, land, sea, space, or cyber. It permeates all of them.

JP 3-13 describes three dimensions of the information environment: the physical dimension (the infrastructure and hardware that carries information), the informational dimension (the content itself, its format, flow, and the logic of how it moves), and the cognitive dimension (the minds of the people who consume, interpret, and act on information). Narrative Intelligence operates primarily in the informational and cognitive dimensions, but it relies on physical infrastructure for collection and dissemination.

The practical takeaway is that the information environment is not confined to social media. It includes broadcast media, messaging platforms, forums, academic publications, government statements, leaked documents, press conferences, graffiti, and word of mouth. Any platform where humans exchange ideas is part of the information environment. Social media is the most accessible and most instrumentalized, which is why most Narrative Intelligence tooling starts there, but the discipline extends well beyond it.

Information Operations

Information Operations (IO) is the joint function that integrates the information-related capabilities of a military force to influence, disrupt, corrupt, or usurp the decision-making of adversaries and potential adversaries while protecting our own. That definition comes from JP 3-13 and it is worth reading twice, because it encompasses both offensive and defensive activity.

IO is not a single activity. It is an integrating function that coordinates several related capabilities, which historically include Military Deception (MILDEC), Operations Security (OPSEC), Military Information Support Operations (MISO, formerly PSYOP), Electronic Warfare (EW), and Cyber Operations. More recently, Civil Affairs, Public Affairs, and combat camera have been recognized as information-related capabilities that IO must coordinate.

The important distinction is that IO is the coordination function, not the execution function. An IO officer does not run the MISO campaign or the EW jammer. They synchronize those activities to achieve an information effect that supports the commander's objectives. Narrative Intelligence supports IO by providing the situational awareness of the information environment that the IO officer needs to plan, synchronize, and assess information-related activities.

Outside of military contexts, the concept maps to what the private sector calls brand protection, corporate communications, crisis management, and reputation defense. The mechanics are the same: understand the information environment, detect threats, coordinate a response, and measure the effect.

Military Information Support Operations and PSYOP

Military Information Support Operations (MISO) is the current doctrinal term for what was historically called Psychological Operations (PSYOP). The rename happened in 2010 and the community still uses both terms interchangeably, though MISO is the official designation in Joint doctrine. MISO is defined in JP 3-13.2 as planned operations to convey selected information and indicators to foreign audiences to influence their emotions, motives, objective reasoning, and ultimately the behavior of foreign governments, organizations, groups, and individuals in a manner favorable to the originator's objectives.

MISO units plan and execute influence campaigns. They produce content (leaflets, radio broadcasts, social media posts, video, audio) designed to achieve a specific behavioral effect on a target audience. The targeting process involves understanding the target audience's information consumption habits, cultural context, existing beliefs, and susceptibility to specific message types.

Narrative Intelligence is the sensing layer for MISO. Before you can influence a narrative, you need to understand the existing narrative landscape: what stories are circulating, who is amplifying them, which narratives are gaining traction, and which audiences are most receptive. After you execute a MISO campaign, Narrative Intelligence provides the assessment layer: did the target narrative shift, did the target audience's behavior change, did the adversary adapt their messaging in response?

The relationship is bidirectional. MISO creates narratives. Narrative Intelligence monitors them. Both are subordinate to the IO integrating function.

Influence Operations

Influence Operations is a broader term that encompasses both military and non-military attempts to shape the perceptions, attitudes, and behavior of target audiences. Where MISO is a military-specific discipline with legal authorities, oversight, and doctrinal constraints, Influence Operations describes the full spectrum of state and non-state activity in the information environment.

Russian information warfare doctrine, for example, does not draw the same distinctions between military and civilian information activity that Western doctrine does. The concept of "information confrontation" (informatsionnoye protivoborstvo) treats the information environment as a continuous battlespace where military, intelligence, diplomatic, economic, and civilian instruments are all employed simultaneously. Chinese "Three Warfares" doctrine (public opinion warfare, psychological warfare, legal warfare) similarly integrates information activity across military and civilian lines.

For Narrative Intelligence practitioners, this means the threat landscape is not limited to military adversaries conducting military operations. It includes state-sponsored troll farms, commercial disinformation-for-hire services, extremist organizations, and domestic actors with political or ideological motivations. The technical requirements for detection and analysis are the same regardless of the actor's organizational affiliation.

The DISARM Framework

The DISARM Framework is the information environment's answer to MITRE ATT&CK. Where ATT&CK catalogs adversary Tactics, Techniques, and Procedures (TTPs) in the cyber domain, DISARM catalogs adversary TTPs in the information domain. It was originally developed by the DISARM Foundation (formerly known as the Misinfosec Working Group, which grew out of the Credibility Coalition) and has been adopted by organizations including the EU's European Digital Media Observatory, the World Health Organization, and NATO's Strategic Communications Centre of Excellence.

DISARM uses the same kill-chain structure as ATT&CK: Phases (Plan, Prepare, Execute, Assess) broken into Tactics (the adversary's objective at each phase) and Techniques (the specific methods used to achieve that objective). For example, under the "Prepare" phase, the "Develop Content" tactic includes techniques like "Create Memes," "Create Fake Research," "Create Inauthentic News Sites," and "Develop AI-Generated Content."

The framework serves two purposes for Narrative Intelligence. First, it provides a structured vocabulary for classifying observed influence operations. Instead of describing an influence campaign in ad hoc narrative prose, analysts can map observed activity to specific DISARM techniques, which enables comparison across campaigns, actors, and time periods. Second, it enables defensive TTP mapping: for each offensive technique, DISARM catalogs known countermeasures and mitigations.

The DISARM Red Framework covers offensive TTPs (what the adversary does). The DISARM Blue Framework covers defensive responses (what you do about it). Operational Narrative Intelligence software should support both, allowing analysts to classify observed activity against the Red Framework and recommend responses from the Blue Framework. Empyrean's Narrative Intelligence module seeds the full DISARM Red Framework and supports analyst-driven TTP classification against observed campaigns.

Coordinated Inauthentic Behavior

Coordinated Inauthentic Behavior (CIB) is a term popularized by Meta's threat intelligence team to describe networks of accounts that coordinate to deceive people about who they are and what they are doing. The "inauthentic" part is critical: it is not about the content of the messages (which may be factually true) but about the deceptive coordination behind them.

CIB indicators include: accounts created in temporal clusters, synchronized posting patterns (many accounts posting the same or similar content within a narrow time window), coordinated engagement (accounts liking, sharing, or replying to each other's content in patterns that are statistically unlikely to be organic), shared infrastructure (accounts using the same VPN, the same profile photo sources, or the same URL shorteners), and behavioral anomalies (posting at hours inconsistent with the account's claimed timezone, posting at inhuman speeds, or following identical sequences of accounts).

Detecting CIB requires computational analysis at scale. No human analyst can review thousands of accounts and identify coordination patterns across posting times, content similarity, network topology, and behavioral signals simultaneously. This is fundamentally a machine learning and graph analysis problem, which is why CIB detection is a core requirement for operational Narrative Intelligence platforms.

Counter-Narrative Operations

Counter-narrative operations are the defensive response to adversary narrative campaigns. The term covers a spectrum of activities from passive monitoring (understanding what the adversary is saying) to active response (injecting competing narratives, amplifying authentic voices, or exposing the mechanics of the adversary's campaign).

The doctrinal debate around counter-narrative operations is ongoing. The "counter-narrative" approach (directly contradicting the adversary's message) has been criticized for inadvertently amplifying the original narrative by drawing attention to it. The "alternative narrative" approach (promoting a competing positive message without directly referencing the adversary's content) avoids the amplification problem but is harder to target and measure. The "strategic silence" approach (deliberately not responding) is sometimes appropriate when engagement would give the adversary the reaction they seek.

Narrative Intelligence provides the assessment capability that makes counter-narrative operations possible. Without continuous monitoring, you cannot determine whether your counter-narrative is working, whether the adversary has adapted their messaging, or whether your response inadvertently amplified the threat narrative. The feedback loop between narrative monitoring and narrative response is what separates deliberate counter-narrative operations from ad hoc public affairs responses.

Social Media Intelligence and Open-Source Intelligence

Social Media Intelligence (SOCMINT) and Open-Source Intelligence (OSINT) are the collection disciplines that feed Narrative Intelligence with raw data.

OSINT is the broader category: intelligence derived from publicly available information. This includes news media, academic publications, government records, commercial data, geospatial imagery, and social media. SOCMINT is the subset of OSINT specifically derived from social media platforms: X (Twitter), Telegram, Facebook, Instagram, Reddit, forums, messaging apps, and any other platform where users generate content.

The distinction matters for legal and policy reasons. OSINT collection from news sources and government publications raises few legal concerns. SOCMINT collection from social media raises questions around privacy, consent, Terms of Service compliance, and (in some jurisdictions) surveillance law. Military and intelligence organizations operate under specific legal authorities (such as Executive Order 12333 and DoD Directive 3115.18 in the United States) that govern the collection, retention, and dissemination of SOCMINT involving U.S. persons.

For Narrative Intelligence practitioners, the practical consideration is that the collection infrastructure must be designed with legal compliance in mind from the start. Evidence integrity (cryptographic hashing at ingest, immutable audit trails, chain of custody documentation) is not a nice-to-have feature. It is a requirement for any deployment that may produce intelligence used in legal proceedings, targeting decisions, or congressional oversight.

The Private Sector Problem

Narrative Intelligence is not exclusively a military or intelligence community concern. The same dynamics that make the information environment a battlespace for nation-states make it a threat vector for corporations, executives, critical infrastructure operators, and law enforcement agencies.

Corporate threat intelligence teams monitor social media for brand threats, product boycott campaigns, executive targeting, insider threats, and coordinated attacks on stock price or public perception. Protective intelligence teams responsible for executive safety monitor the information environment for threats against high-value individuals, tracking escalation patterns from online rhetoric to physical indicators. Critical infrastructure operators face coordinated disinformation campaigns designed to incite public opposition to facilities, generate protest activity, or provide cover for physical sabotage. Law enforcement intelligence units monitor extremist forums, encrypted messaging channels, and social media for pre-attack indicators, radicalization trajectories, and mobilization signals.

In each of these contexts, the requirement is the same: continuous monitoring of the information environment, automated enrichment and classification of content, detection of coordination and amplification patterns, and structured analysis that supports decision-making. The doctrinal terminology differs (the private sector says "threat intelligence" where the military says "information operations") but the technical stack is identical.

What Narrative Intelligence Software Actually Requires

Doctrine and frameworks describe the problem. Software solves it. Based on the doctrinal landscape above, an operational Narrative Intelligence capability requires several things that most commercial tools do not provide.

Multi-platform collection is the foundation. The information environment is not one platform. An influence campaign might seed content on Telegram, amplify it on X, repackage it for Bluesky, and syndicate it through RSS-fed news aggregators. Single-platform monitoring produces a fragmented picture. The collection layer must ingest from multiple platforms simultaneously and normalize the data into a common schema that enables cross-platform analysis.

Automated multilingual processing is not optional. Influence operations routinely cross language boundaries. A narrative seeded in Russian on Telegram will be translated (often poorly, which is itself a detection signal) into English, Arabic, Spanish, and other languages for regional amplification. The platform must detect language automatically, translate content for monolingual analysts, and preserve the original text for linguistic analysis.

Enrichment beyond keyword matching is what separates monitoring from intelligence. Keyword alerts tell you that someone mentioned a topic. They do not tell you whether the mention is persuasive, emotional, factual, coordinated, or part of a broader campaign. Entity extraction, geocoding, persuasion classification, emotion detection, stance analysis, and topic clustering transform raw posts into structured intelligence that analysts can act on.

Graph analysis and network visualization are essential for detecting coordination. Influence operations are conducted by networks, not individuals. Identifying the network requires graph analysis: who is connected to whom, who amplifies whom, which accounts exhibit synchronized behavior, and which clusters of accounts share infrastructure or operational patterns. Interactive graph visualization gives analysts the ability to explore these networks and identify the nodes that matter.

Structured TTP classification using frameworks like DISARM enables cumulative institutional knowledge. When every campaign is analyzed as a one-off, the organization learns nothing from one incident to the next. When campaigns are classified against a structured framework, patterns emerge across time, actors, and regions. This is the same logic that makes ATT&CK valuable in cyber threat intelligence.

Sovereign deployment is the hardest requirement and the one most commercial tools fail. Defense and intelligence customers cannot send their collection targets, watch lists, or analytic conclusions to a third-party cloud. The data is classified, sensitive, or operationally significant even when the source material is publicly available. The platform must run entirely on customer-controlled infrastructure, which means all ML models, all processing, all storage, and all analysis must execute on-premises or at the tactical edge. This is not a feature toggle. It is an architecture decision that must be made at the foundation of the platform, not bolted on after the fact. Empyrean's Narrative Intelligence module runs entirely on a single NVIDIA DGX Spark - no cloud dependency, no data exfiltration risk, no internet required after initial deployment.

Evidence integrity and chain of custody are requirements for any deployment where the intelligence product may be used in legal proceedings, targeting decisions, oversight, or audit. Every collected artifact should be cryptographically hashed at the moment of ingest. Every enrichment, classification, and analyst annotation should be logged in an immutable audit trail. The platform must be able to produce an evidence packet that documents what was collected, when, from where, what processing was applied, and what conclusions were drawn, with cryptographic proof that the source material was not altered.

The Doctrinal Trajectory

The information environment is not getting simpler. Generative AI has collapsed the cost of producing convincing synthetic text, audio, imagery, and video to near zero. Deepfake technology makes attribution harder. Adversary use of encrypted and ephemeral messaging platforms makes collection harder. The proliferation of platforms (each with different APIs, data formats, and access policies) makes comprehensive monitoring harder.

Doctrine is evolving to match. The 2022 National Defense Strategy explicitly identifies the information environment as a domain of strategic competition. The 2023 National Cybersecurity Strategy recognizes the convergence of cyber and information threats. NATO's Strategic Communications Centre of Excellence has published extensively on the operational integration of STRATCOM, IO, and PSYOP capabilities.

The direction is clear: the information environment is a first-class operational domain, and the organizations that treat it as such (with dedicated sensing, analysis, and response capabilities) will have a significant advantage over those that still treat social media monitoring as a public affairs afterthought. The convergence of narrative threats with electromagnetic spectrum operations, counter-UAS, and cyber-physical threats means that Narrative Intelligence cannot remain siloed from the broader operational picture. It must be integrated into the same Common Operational Picture and sensor fusion architecture that handles every other domain.

Glossary of Related Terms

CIB - Coordinated Inauthentic Behavior. Networks of accounts coordinating deceptively.

DISARM - Disinformation Analysis and Risk Management. TTP framework for influence operations, analogous to MITRE ATT&CK for cyber.

IE - Information Environment. The aggregate of individuals, organizations, and systems that collect, process, disseminate, or act on information.

IO - Information Operations. The joint integrating function for information-related capabilities.

MILDEC - Military Deception. Planned actions to mislead adversary decision makers.

MISO - Military Information Support Operations. The current doctrinal term for PSYOP.

NARINT - Narrative Intelligence. Detection, tracking, analysis, and countering of narratives across the information environment.

OPSEC - Operations Security. Protecting critical information from adversary exploitation.

OSINT - Open-Source Intelligence. Intelligence derived from publicly available information.

PSYOP - Psychological Operations. Legacy term for MISO. Still widely used.

SOCMINT - Social Media Intelligence. OSINT subset derived from social media platforms.

STRATCOM - Strategic Communications. Coordinated messaging to advance national objectives.

TTP - Tactics, Techniques, and Procedures. Structured classification of adversary methods.

Related topics

Empyrean Defense

Want to see this in action?

Request a demo or explore the platform capabilities.