
What is OPSEC?

A technical reference on Operations Security (OPSEC), Ubiquitous Technical Surveillance (UTS), and Digital Force Protection: the OPSEC doctrine and five-step process, the five UTS threat vectors that broke the traditional model, signature reduction as the modern response, and why managing your signature is a fusion problem for military and dual-use operators.

OPSEC, Operations Security, is the discipline of protecting critical information about your own activities from an adversary who is trying to collect it. The classic definition is narrow and precise: identify what information would hurt you if an adversary got it, figure out how they could observe it, and deny them that observation. What has changed is the adversary. Ubiquitous Technical Surveillance has made the old model of guarding a few secrets insufficient, and Digital Force Protection and signature reduction are the disciplines that grew up to answer it. This page covers all three and how they fit together.

The one-line version: OPSEC protects specific critical information, signature reduction shapes observable behavior across every domain to manage attribution, and OPSEC is best understood as a subset of that broader discipline. Ubiquitous Technical Surveillance is the threat that forced the shift.


OPSEC: the doctrine and the process

OPSEC is a formal discipline with a doctrinal lineage. The national program was established by NSDD 298 (National Security Decision Directive 298) in 1988, and it is now overseen at the national level through the NCSC (National Counterintelligence and Security Center). Inside the Department of Defense it runs on DoDD 5205.02E and its manual DoDM 5205.02, with joint doctrine in JP 3-13.3 (Operations Security) and the Navy and Marine Corps tactics publication NTTP 3-13.3M / MCTP 3-32B.

At its core OPSEC is a five-step process, and the steps are worth knowing because they are the same loop whether you are protecting a battalion or a board meeting:

  1. Identify critical information. Determine the specific facts about your intentions, capabilities, and activities that an adversary needs and that would do you harm if obtained. This is the CI (Critical Information) list, sometimes framed as essential elements of friendly information.
  2. Analyze the threat. Identify who is trying to collect on you and what they are capable of: their collection disciplines, their intent, their tactics.
  3. Analyze vulnerabilities. Find the indicators, the observable, detectable activities that an adversary could piece together to derive your critical information.
  4. Assess risk. Weigh the likelihood and impact of each vulnerability being exploited, and decide which risks are unacceptable.
  5. Apply countermeasures. Select and execute OPSEC measures that eliminate the risk or reduce it to an acceptable level, balanced against the cost to the mission.

One distinction that matters and gets confused constantly: OPSEC denies information without misrepresenting it. That separates it from cover and from military deception, which actively misrepresent. OPSEC makes you quiet; deception makes you lie. They are complementary, but they are not the same.

The reason OPSEC is universal is that the process has nothing intrinsically military about it. A merger team protecting deal terms, a protective detail guarding a principal's schedule, and a pipeline operator concealing the location of a critical valve are all running the same five steps under different names.


What changed: Ubiquitous Technical Surveillance

For most of OPSEC's history, the model assumed an adversary who had to task collection against you: point a sensor, run a source, intercept a signal. Protect the few discrete things that mattered and you were largely safe. Ubiquitous Technical Surveillance (UTS) broke that assumption.

UTS is the condition in which the digital and physical traces left behind by ordinary activity are so pervasive, persistent, and cheaply fused that an adversary can reconstruct who you are, where you have been, and what you are doing without tasking anything special at you. It is commonly organized into five threat vectors:

  • Online. Your internet and data exhaust: accounts, app telemetry, commercial location data sold by brokers, social media, and the metadata around all of it.
  • Electronic. The emissions of the devices you carry: cellular, Wi-Fi, and Bluetooth beacons, device identifiers, and the patterns they paint.
  • Visual-physical. The dense fabric of cameras, CCTV, and automated license plate readers, increasingly paired with facial recognition and other biometrics.
  • Financial. The trail of transactions, cards, and accounts that ties identity to movement and association.
  • Travel. Ticketing, border biometrics, loyalty programs, and the records that document every crossing.

Overlay any combination of those vectors and you get a vivid pattern of life: the routine that lets an adversary spot the anomaly, the operation, the meeting, the thing you were trying to keep quiet. And because the data persists, UTS is retrospective: events can be reconstructed long after they happen, the way investigators have unwound clandestine operations years later from camera, card, and travel records.

This is not a fringe concern. The CIA and its partners have characterized UTS as an "existential threat" that is persistent, pervasive, and increasingly automated across all domains. A 2025 FBI report documented a criminal organization exploiting UTS (cameras, phone data, and more) to identify and kill a federal informant. The threat is real, it is here, and artificial intelligence is an accelerant: the analytics that fuse these vectors keep getting cheaper and faster.


Why UTS breaks traditional OPSEC

The shift is not just "more surveillance." It is a change in kind that defeats the classic protect-the-secret model in four specific ways.

It is passive and untasked. The adversary does not have to decide to watch you. The data is already being collected (for commerce, for convenience, for compliance) and is available to be fused after the fact.

It is cumulative. No single data point is sensitive. The damage comes from aggregation, the death by a thousand cuts where dozens of individually harmless exposures combine into a complete picture. Classic OPSEC, focused on discrete critical information, does not naturally catch this.

It is commercial. Much of what an adversary needs is for sale. Commercially available data and fused analytics can reveal indicators that once required dedicated intelligence collection, which means the barrier to entry has collapsed.

It makes "going dark" obsolete. Suddenly producing no signal is itself an anomaly in a world where everyone produces signal. The absence of a pattern is a pattern. You cannot simply switch off; you have to manage what you emit.


Digital Force Protection and signature reduction: the response

If UTS is the threat, signature reduction is the doctrine that answers it, and Digital Force Protection (DFP) is force protection extended into the digital, electronic, and signature domain. The vocabulary varies across the field (signature management, signature reduction, digital signature management, managed attribution, cyber privacy), but the core idea is consistent.

The central concept is signature: the totality of your observable behavior across the physical and digital domains. Not one secret, but everything an adversary can see. Signature reduction is the deliberate shaping of that totality to manage attribution, controlling what can be observed, what can be linked to you, and what can be inferred. In this framing, OPSEC is a valuable subset of signature reduction: OPSEC protects specific critical information, while signature reduction governs the whole observable footprint that surrounds it.

Three things distinguish the modern discipline from a checklist:

  • It is behavioral, not just technical. Encryption and burner devices help, but the load-bearing element is disciplined behavior across domains, sustained over time. Tools without discipline leak.
  • It is cross-domain. Online, electronic, visual, financial, and travel signatures have to be managed together, because the adversary fuses them together. Hardening one vector while leaking another defeats the purpose.
  • It is human-centered. The doctrine emphasizes human judgment, awareness, and decision over any single technology, and connects to the broader irregular-warfare framing in policy such as DoDI 3000.07.

For practitioners, the practical work is understanding your own signature the way a fused adversary would, then reducing and shaping it deliberately. That is the bridge to the next point.


Managing your signature is a fusion problem

Here is the part that is easy to miss: UTS works because the adversary fuses. Online, electronic, visual, financial, and travel data are individually weak and collectively decisive precisely because they are correlated against one identity and one pattern of life. The adversary's UTS capability is, structurally, a multi-INT fusion problem solved against you.

That has a direct consequence for defense. You cannot reduce a signature you cannot see, and you cannot see your own signature one vector at a time, because the exposure lives in the correlation, not the individual feeds. Effective Digital Force Protection requires the same fused, cross-domain view of your own footprint that the adversary is building of it. Defending against fusion requires understanding fusion. This is why signature work and intelligence fusion are two sides of one coin.
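
As an added illustration (not Empyrean's code and not part of the original page), the following Python example audits a constructed inventory of your own exposure records: each record sits in a single vector, yet linking records through shared selectors produces one cluster that spans all five. The record layout, the sample selectors, and the `fuse`, `widest`, and `linkers` helpers are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample: a team's own exposure inventory, one record per observation.
# "vector" is one of the five UTS vectors; "ids" are the selectors seen in that record.
RECORDS = [
    {"vector": "online",          "ids": {"email:alias@example.org", "device:handset-A"}},
    {"vector": "electronic",      "ids": {"device:handset-A", "bt:AA:BB:CC:00:11:22"}},
    {"vector": "financial",       "ids": {"card:ending-4242", "email:alias@example.org"}},
    {"vector": "travel",          "ids": {"loyalty:FF-0001", "card:ending-4242"}},
    {"vector": "visual-physical", "ids": {"plate:SAMPLE-1"}},
    {"vector": "travel",          "ids": {"plate:SAMPLE-1", "loyalty:FF-0001"}},
    {"vector": "online",          "ids": {"email:separate@example.org"}},
]

def fuse(records, ignore=frozenset()):
    """Union-find: records sharing any selector (outside `ignore`) join one cluster."""
    parent = list(range(len(records)))
    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]   # path halving
            i = parent[i]
        return i
    first_seen = {}
    for i, rec in enumerate(records):
        for sel in rec["ids"] - ignore:
            if sel in first_seen:
                parent[find(i)] = find(first_seen[sel])
            else:
                first_seen[sel] = i
    groups = defaultdict(list)
    for i in range(len(records)):
        groups[find(i)].append(i)
    return list(groups.values())

def widest(records, ignore=frozenset()):
    """Number of distinct vectors covered by the broadest fused cluster."""
    return max(len({records[i]["vector"] for i in g}) for g in fuse(records, ignore))

def linkers(records):
    """Selectors whose separation would narrow the widest cluster, biggest effect first."""
    base = widest(records)
    sels = set().union(*(r["ids"] for r in records))
    gain = {s: base - widest(records, frozenset({s})) for s in sels}
    return sorted((s for s in gain if gain[s] > 0), key=lambda s: (-gain[s], s))

if __name__ == "__main__":
    print("vectors in widest fused cluster:", widest(RECORDS))
    print("selectors to compartment first:", linkers(RECORDS))
```

The ranked output of `linkers` is the countermeasure worklist: the selectors reused across vectors (here the payment card and the email alias) are what turn five weak feeds into one picture.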


Not only a special operations problem

The doctrine matured in the special operations and intelligence community, where the stakes are obvious, but the threat is dual-use and the exposed population is enormous.

An executive protection detail manages a principal's UTS signature the same way a mission unit manages an operator's. A journalist or NGO worker in a hostile environment faces the same pattern-of-life reconstruction. A corporation running a sensitive acquisition leaks deal indicators through travel and financial signatures. A critical-infrastructure operator exposes maintenance patterns that map its vulnerabilities. A law-enforcement undercover effort faces exactly the threat that killed the informant in the FBI case. The underlying problem, an exposed signature in a world of pervasive, fused collection, is the same for all of them, which is what makes signature reduction a broadly applicable discipline rather than a niche one.


Where Empyrean fits

Empyrean's Digital Force Protection capability is built on the premise above: that managing a signature against ubiquitous technical surveillance requires seeing your own footprint the way a fused adversary would, across domains, on one picture. We treat it as an application of the same fusion and policy architecture that runs the rest of the platform, deployable on your own infrastructure rather than someone else's cloud. For the capability detail, see Digital Force Protection.


Empyrean Defense
