Back to Dossier
Adversary Analysis

Adversary analysis is not threat assessment. It is structured thinking about how another actor sees the world - and what that means for your investigation.

Most investigators begin with a subject. They build a file, run their checks, collect what the record will give them, and organize what they find into a report. This is competent work. It is also incomplete work - because a subject is not static. A subject is a thinking actor who has already made decisions about what to show you and what to hide.

Adversary analysis is the discipline of understanding those decisions before they affect your operation. It shifts the investigator's frame from documentation to prediction. Not what did this person do, but what are they likely to do next, and why.

The term comes out of intelligence tradecraft, where understanding an opponent's doctrine, capabilities, and intent was the difference between effective collection and wasted resources. The principles transfer directly to investigative practice. A claimant managing a soft-tissue injury, a corporate insider moving sensitive data, a subject conducting counter-surveillance during a field deployment - each of them has a logic. Your job is to reconstruct it.

The subject already knows the investigation may be coming. The question is what they have done about it.

Intent, capability, and opportunity

Adversary analysis is built on three pillars: intent, capability, and opportunity. Strip away the investigative context and you are really asking three questions. What does this person want? What can they actually do? And what has the situation given them room to do?

Intent is the hardest to establish directly. You cannot read a subject's mind, and stated explanations are unreliable by definition - if the subject knew you were evaluating their intent, they would manage what they said. Instead, intent is inferred from pattern. Behavioral history, associational networks, financial decisions, and the timing of actions relative to external events all carry signal. A claimant who escalates medical appointments immediately after receiving a denial letter is telling you something about intent without saying a word.

Capability is more observable. Does the subject have the knowledge, the resources, and the access to do what you suspect? In fraud matters, this often means looking at professional background, financial sophistication, and whether the mechanics of the alleged scheme required inside knowledge. A person who claims to have had no awareness of a complex billing irregularity but who spent a decade in a billing-adjacent role is carrying a contradiction the record may help you resolve.

Opportunity is situational. What did the environment give them? A workplace with poor oversight, a medical system that does not cross-reference claims, a surveillance route with reliable cover - opportunity is what transforms intent and capability into action. When you find yourself reconstructing opportunity, you are also building your case theory. Because the same conditions that made the act possible are the conditions your evidence must account for.

ADVERSARY ANALYSIS — CORE FRAMEWORK

01 Intent What does this actor want? Inferred from behavior, not from statement.

02 Capability What can they actually do? Skills, access, resources, and networks.

03 Opportunity What did the environment allow? Situational conditions that enabled action.

04 Adaptation How is the actor adjusting in response to pressure or surveillance awareness?

The actor who knows they are watched

Standard surveillance training prepares investigators for subjects who are unaware. The subject goes about their day. The investigator follows, documents, and builds a record of what the subject does when they believe no one is watching. This is valid methodology. It is also the easiest version of the problem.

Adversary analysis takes on the harder version. What do you do when the subject is surveillance-aware? When your subject has been through the system before, has spoken to counsel, or has any operational familiarity with how investigations work? They have already adjusted. They know approximately what you are looking for and they have shaped their behavior accordingly.

This is not paranoia - it is rational actor behavior. And it requires a response that goes beyond standard field protocol. You need to understand their adjustment strategy before you deploy. Are they creating artificial limitations? Are they selectively performing difficulty? Are they maintaining a consistent behavioral baseline or showing variance at key points? Each of these patterns is information, but you can only read it as information if you went into the field with a prior analysis of what to expect.

Counter-surveillance awareness in a subject also tells you something important about capability and planning. A subject who is conducting their own threat assessment is not an unsophisticated actor. They have resources, they have motivation, and they have done some version of the same analysis you are doing. Understanding that dynamic changes how you structure your approach, your deployment window, and what you decide to document.

Mapping the network, not just the subject

Adversary analysis rarely stops at the individual. In most cases of meaningful complexity, the subject is embedded in a network - family, professional, social, financial - and that network is part of the operation. People who assist a claimant in maintaining a false presentation, colleagues who cover for a corporate insider, associates who serve as surveillance countermeasures - they all become relevant to the analysis.

Network mapping asks not only who the subject knows, but what those relationships enable. A subject with limited direct capability may have access through association. The claimant who could not have executed a sophisticated billing scheme on their own may have had a billing contact. The employee who stole data may have had a planned exit point already arranged. When you map the network, you are mapping the full capability picture, not just the individual's.

This also affects how you build your field approach. If key associates are serving an operational function - active surveillance, communication relaying, logistics support - your subject-centric deployment is already partially compromised before you begin. Adversary analysis at the network level tells you where your exposure is and where you need to adjust.

You are not investigating a subject. You are investigating a system. The subject is the center of it.

Analytical integrity under pressure

Adversary analysis is structured thinking, which means it is vulnerable to the same analytical failures that undermine all intelligence work. Confirmation bias is the primary hazard. When you build a preliminary theory about what a subject is doing and why, that theory shapes what you look for. Information that confirms the theory is absorbed easily. Information that contradicts it tends to be explained away.

The discipline is to hold your analysis accountable to evidence, not to protect it from evidence. If your adversary model predicts the subject will avoid specific activities and your field work shows them engaged in those activities, the model is wrong. The question is why - whether you misread intent, capability, or opportunity, or whether the situation changed. Any of those possibilities is more useful than deciding the evidence is anomalous.

Red-teaming your own analysis is one of the most productive things you can do before a deployment. Assign the contrary position. Make the strongest possible case that your subject is exactly what they present to be. If that case falls apart under scrutiny, your adversary model is on solid ground. If it holds up better than you expected, you have something to think about before you commit resources to the field.

Where this fits in the investigative cycle

Adversary analysis is not a standalone product. It is an analytical layer that sits underneath the investigative plan and informs it throughout. Before a deployment, it shapes your approach, your timing, and your documentation priorities. During a deployment, it gives you the interpretive frame you need to read behavioral anomalies in real time. After a deployment, it helps you identify gaps - things the subject did that your model did not predict and that your report needs to account for honestly.

For litigation-support work, adversary analysis has a specific additional function. It helps you anticipate the counter-narrative. If you understand why the subject behaved the way they did - their intent, their capability, the opportunity available to them - you also understand the strongest arguments available to them on the other side of the file. That understanding makes your evidence more precise, your documentation more defensible, and your final product more useful to the people relying on it.

The investigator who only documents what a subject does is producing a record. The investigator who understands why the subject made those choices, and can demonstrate that understanding in their analysis, is producing intelligence.

THE BRIEF

Adversary analysis is structured thinking about a thinking actor. It asks not only what a subject has done, but what they want, what they are capable of, and what the environment has allowed them to do. In complex investigations, it extends from the individual to the network, and from the current state to anticipated adaptation.

The discipline separates documentation from interpretation. A strong investigator can produce the record. A strong analytical practitioner can explain the record - and build an approach that accounts for what comes next.