Lessons From Recent Global Incidents: How Threat Actors Keep Changing the Game
By Ashley Heimerl, Senior Intelligence Analyst
Allied Universal® Enhanced Protection Services
Over the past several decades, violent extremists and hostile actors have adjusted tactics and tradecraft to evade detection and maximize the impact of incidents. In today’s evolving threat landscape, organizations must rethink their approach with proactive preparation in mind. The challenge is not only deciding whether security is needed; it is building a plan that still holds when attack methods shift.
The ‘How’ Keeps Expanding
The history of counterterror research illustrates how quickly the tactics and tradecraft of threat actors can evolve and spread. This type of copycat behavior is referred to as contagion or diffusion. Once a tactic is proven to be effective, low-cost, hard to stop, and highly visible, the unfortunate reality is that it tends to spread rapidly across ideologies, geographies, and targets. Groups that otherwise have nothing in common may adopt tactics that appear effective to achieve their own ends. For security leaders, this makes it vital to stay up to date on threat trends, quickly identifying and implementing preventive strategies that reduce specific areas of risk and exposure. Let us consider a few recent examples.
Transit Attacks
The 1995 Tokyo subway sarin attack, leading to 13 deaths and 5,800 injuries, was a key flashpoint in the evolution of terrorist tactics. Japanese cult Aum Shinrikyō released the highly toxic nerve agent on multiple train lines converging in central Tokyo. Law enforcement was caught off-guard by these incidents, which demonstrated a civilian capacity to develop and deploy military-grade weapons along with the successful exploitation of crowded, soft-target environments. Threat actors across ideologies have since targeted commuter transit systems in attempts to inflict catastrophic damage. The Madrid train attacks in 2004 left 191 dead and 1,800 injured, and the London transit attacks in 2005 resulted in 52 casualties and 770 injuries. These tactics have continued to challenge law enforcement and security systems in more recent years, as shown in the 2016 Brussels airport and metro bombings, the 2017 St. Petersburg Metro attacks, and beyond. Security leaders have been working diligently to increase security efforts across transit systems to combat this ongoing threat.
Complex Coordinated Attacks
The 2008 Mumbai attacks have been studied as one of the first examples of a complex coordinated terrorist attack. Threat actors used a mix of firearms and explosives to conduct a series of coordinated attacks against soft targets throughout the city. They remained active, coordinated, and mobile, causing chaos and confusion for law enforcement and first responders. These tactics were later observed in the 2013 Nairobi Westgate Mall attacks, which lasted four days, the 2015 Paris attacks, and other plots that have been successfully preempted. These shocking events indicate that smaller businesses and soft targets are just as vulnerable to exploitation as prominent, symbolic targets. Security at these sites cannot be overlooked.
IoT & AI-Enabled Threats
A newer example of evolving tactics involves vulnerabilities introduced by the Internet of Things (IoT) and Artificial Intelligence (AI). In a recent non-violent incident, a French software developer discovered a significant vulnerability while attempting to connect his vacuum to a PS5 remote using Claude Code AI. In doing so, he found he was able to remotely access 7,000 robot vacuums across 24 countries, with the ability to control the devices, view camera feeds, listen to onboard microphones, and generate floor plans of homes thousands of miles away. He alerted the manufacturer to the security flaw, and it has since been addressed, but the incident highlights potential vulnerabilities malign actors could exploit, not just at home, but in public spaces as well. Experts believe hostile actors are already evaluating how to leverage AI technology to inflict catastrophic physical harm. The Department of Homeland Security has pointed to the use of AI for targeted radicalization efforts, surveillance, training, and even attack planning.
Drone-Related Threats
Drones are increasingly being leveraged to cause damage. Thus far, this has mainly been limited to overseas warfare, such as in the Ukrainian-Russian conflict, but the potential for contagion into civilian spaces is beginning to emerge. Drones can be used to deliver weapons into secure areas such as sports stadiums, for reconnaissance and surveillance of potential targets, and for other harmful purposes. In November 2024, an individual in Tennessee was arrested and charged with attempting to use a drone laden with explosives to attack an energy facility. His goal was to shut down substantial portions of the power grid, leaving critical infrastructure, such as hospitals, without power. Security leaders must pay close attention to this emerging threat vector and to how their security programs can be modified to mitigate new vulnerabilities.
The Takeaway
For business and organizational leaders, the takeaway is not to fixate on any single threat; it is to recognize the pattern and anticipate the evolution. Threat actors move quickly, and tactics can be copied, tweaked, and repeated in new places. The practical challenge for organizations is the diversity of threats. A security plan built around one scenario is likely to fall short. When considering the broad spectrum of concerns across the threat landscape, it becomes clear: preparedness works best when it focuses on behaviors and impacts rather than trying to predict a single type of event.
Where Intelligence Fits in the Plan
When discussing security measures, most people picture access control, cameras, personnel, and procedures. But intelligence is what helps those measures stay current, enabling a shift to a proactive security stance, rather than a reactive one. Intelligence empowers security leaders with answers to key questions such as:
- What is happening around us right now? Local events, protests, and crime patterns that can affect risk.
- What is being said online that could affect us? Threatening social media posts or direct messages are red flags, but negative information or even misinformation about an organization can also drive unwanted attention.
- What could impact our security posture? Holidays, religious occasions, or high-profile incidents can influence copycat behavior and timing.
This is not about predicting the future. It is about reducing blind spots so organizations can make informed, measured decisions at critical moments: tightening an entry policy, adjusting staffing, updating security protocols, or coordinating earlier with law enforcement when a threat appears credible.
Threat tactics will keep evolving—sometimes in predictable ways, sometimes not. Organizations do not need to forecast every event to improve preparedness. They benefit from a flexible plan, facilitated by timely intelligence, and grounded in practical operational practices. This holistic approach helps teams respond with clarity as the threat landscape continues to evolve.
About Ashley Heimerl:
Ashley is a Senior Intelligence Analyst with Allied Universal® Enhanced Protection Services, where she supports executive protection operations through strategic intelligence analysis and threat monitoring. She has eight years of private-sector intelligence experience supporting clients across multiple industries. Ashley holds a Master of Arts in International Security with High Honors from the University of Arizona, where she focused her research on counterterrorism dynamics in Africa and the Middle East. Her work centers on analyzing complex threat environments, assessing emerging security trends, and providing strategic insights to support informed decision making. Ashley brings a deep understanding of geopolitical drivers, extremist networks, and regional instability, leveraging her expertise to support mission critical intelligence and security initiatives.