The Terrorist Attack Cycle Remains Unbroken

While our team and many protective intelligence professionals across the industry like to speak to the benefits of new technologies and new methods for protecting assets, we acknowledge that everything we do has a foundation in the tried and true methods that our colleagues in public sector security have developed over the decades. Specifically, it is important to understand how fundamental concepts such as the terrorist attack cycle inform the work that we do on a daily basis. For that reason, we would like to share an article with you from our colleagues at Stratfor. In this article, Scott Stewart (VP of Tactical Analysis) gives us his perspective on the importance of maintaining a flexible mental model for applying the terrorist attack cycle to the challenges we face everyday in protecting clients’ assets.

Last week while attending a conference where I was a speaker, I had the opportunity to listen to a U.S. government representative give a presentation on terrorism. One of the topics he discussed was the trend in recent years toward what he called “homegrown violent extremists” — individuals we at Stratfor refer to as grassroots jihadists.

The official noted how the vast majority of jihadist terrorist attacks in the United States in the post-9/11 era — and indeed all successful attacks — have been conducted by grassroots jihadists. As he discussed the challenges for authorities that grassroots jihadists operating under the leaderless resistance operational model present, the speaker showed a slide depicting the terrorist attack cycle on which, as he clicked, most of the steps in the cycle were marked off by red X’s indicating that they didn’t apply in cases involving grassroots jihadists conducting simple attacks.

As red X’s filled the slide, I thought to myself, “Has the terrorist attack cycle really become obsolete?” I have pondered this question over the past week, and I believe the answer is more a matter of the attack cycle being misunderstood when applied in a leaderless resistance context than it is a matter of the cycle itself no longer being a useful frame of reference for examining terrorist attacks.

The Terrorist Attack Cycle

On the drive back to Austin after the conference I discussed this topic with one of my colleagues, who asked, “Who invented the terrorist attack cycle?” That’s a good question. I told him I didn’t know, but that the concept was something I had always been taught. My first exposure to it came during the terrorism block of instruction at my U.S. Army Military Intelligence Officer Basic Course. The concept was repeated when I took the Federal Law Enforcement Training Center’s Criminal Investigator Training Program and the Diplomatic Security Service’s Basic Special Agent Course.

Later, after I transferred to the Diplomatic Security Service’s counterterrorism investigation office, the terrorist attack cycle proved a useful guide when investigating attacks, especially since we weren’t tasked just with finding the perpetrator, but were expected to conduct a more holistic investigation that provided guidance on how lessons learned from an attack could be used to prevent or thwart future attacks. To do this we needed to look at both the security of the target as well as the way terrorists applied their tradecraft to attack the target. Breaking the attack into the steps of the attack cycle was a useful way to identify and examine the tactics and tradecraft required to complete each step.

This is an approach Fred Burton and I brought to Stratfor in 2004. We have found that the attack cycle continues to be a useful reference for examining terrorist attacks. Indeed, we even have seen parallels to other types of crime and have borrowed the concept to create a frame of reference for examining the criminal planning cycle.

An Elastic Guideline

One of the lessons I’ve learned over the past 30 years of investigating and analyzing terrorist attacks is that it is important not to interpret the concept of the attack cycle too rigidly. It is a guideline, and an elastic one at that. For one, each terrorist is different, and the level of tradecraft a terrorist possesses affects the manner in which that terrorist approaches planning and executing an attack. For another, different types of attacks require different degrees of planning and preparation. Some complex attacks, such as the August 1998 U.S. Embassy bombings in Tanzania and Kenya or the November 2008 attacks in Mumbai, India, take years to plan and carry out. On the other end of the scale, a simple attack against a large, static target, such as the December 1989 rifle grenade attack against the U.S. Embassy Seafront Compound in Manila, the Philippines, may have taken only hours to plan and execute if the attackers already had the rifles and grenades in hand.

In a long, deliberate attack cycle, the target identification and selection stage can be quite complex. The attack planner may compile a list of potential targets and then conduct surveillance on each of them to determine their vulnerability. In a simple attack, the target identification may consist of an attacker deciding to conduct a vehicular assault against pedestrians where the attacker knows they congregate. While this step of the attack cycle is condensed, it is nonetheless necessary to select a target for attack, even if the attack is a simple one.

Likewise, the planning and preparation phase of the cycle can vary considerably in its complexity. The 9/11 attacks required significant transnational travel and coordination as well as the transfer of funds. They required the hijacker pilots to attend flight school while the muscle hijackers received intensive training in hand-to-hand combat. Even in terms of weapons acquisition during the planning phase, there can be a great deal of difference depending on the attack being planned. It takes far more time and effort to acquire and prepare the materials for a vehicle bombing that it does a simple pipe bomb attack.

Nevertheless, in all the grassroots attacks we’ve seen, there is still a planning stage, even if it is much shorter than the planning required for a more complex attack. Omar Mateen conducted several rounds of surveillance while planning the Pulse nightclub attack in Orlando, Florida; Syed Rizwan Farook and Tashfeen Malik purchased guns, tactical gear and assembled bombs while planning their attack in San Bernardino, California. Even Esteban Santiago’s seemingly random attack in the baggage claim area of the Fort Lauderdale-Hollywood International Airport in Florida was the result of a planning process that required several steps.

The escape step in the attack cycle can be disregarded when it comes to the operatives in suicide attacks, such as 9/11 or the November 2015 Paris attacks, but it can be applied to planners of the attacks — figures such as Khalid Sheikh Mohammed or Abdelhamid Abaaoud — who hope to survive to equip and deploy future suicide operatives. And we’ve seen several non-suicide attacks by grassroots jihadists, such as the 2013 Boston Marathon bombing, the San Bernardino shooting, and the June 2009 shooting of an armed forces recruitment center in Little Rock, Arkansas.

Although grassroots operatives who conduct suicide operations are not in a position to conduct the exploitation phase of the attack cycle, the larger jihadist movement is. Internet and social media applications have made it easy for the media wings of jihadist groups to receive video wills or statements from attackers before they conduct their attack. Preparing and transferring such recordings to jihadist group media wings before an attack is a distinguishable action that grassroots jihadists frequently take during the planning phase of the attack cycle.

There have been times when jihadists have reacted with violence when approached by police seeking to arrest them. For example, when police and agents tried to arrest Usaamah Rahim on a Boston street in June 2015, he lunged at them with a knife and was shot dead. But incidents that occur as a result of police-initiated action need to be distinguished from an intentional attack launched by a grassroots jihadist. At the very least, such incidents should not be used to support the idea that the terrorist attack cycle is no longer a relevant framework for understanding attacks.

When we view the terrorist attack cycle as elastic rather than static, it becomes clear that even grassroots jihadists operating as lone attackers or in small cells are still bound to follow the steps in the cycle, no matter how abbreviated the steps are. Any attacker wishing to conduct an attack must select a target, plan the attack, acquire the weapon(s) to be used, conduct some degree of surveillance, and then deploy to conduct their attack. Indeed, in many ways, lone attackers are even more vulnerable to the constraints of the attack cycle because they must conduct each step by themselves. In this manner, they expose themselves to detection at more points throughout the cycle than does a group that can assign different tasks to different individuals.

The concept of the attack cycle is alive and well. It continues to give investigators, analysts, and citizens a framework for understanding how terrorist attacks are executed so plots can be spotted and stopped.

The Terrorist Attack Cycle Remains Unbroken” is republished with the permission of Stratfor, a leading global geopolitical intelligence and advisory firm. Learn more about Stratfor Worldview and Stratfor Threat Lens, their protective intelligence solution, at

Explore Now

Take a look at more resources from The Center for Connected Intelligence