Using OSINT to Anticipate Social Unrest Around Major Events

Liferaft | January 16, 2026

Large crowd exiting a major nighttime event, illustrating the scale and security risks associated with mass gatherings.

May 15, 2024

Demonstration Hypervigilance begins with help from OSINT

May 14, 2023

Corporate Threat Intelligence for Oil & Gas Security

May 16, 2025

Importance of Digital Threat Intelligence in Event Security

Using open-source intelligence (OSINT) to anticipate social unrest and activism around major events is now a core part of digital security planning. With civil unrest activity rising and coordination increasingly digital, security teams that ignore OSINT are simply planning blind.

Why Social Unrest Is A Planning Assumption

Social unrest has become a pervasive, constant, global, and local phenomenon. For any organization responsible for hosting, sponsoring, or providing security for a major public event, such as corporate annual meetings, international summits, or large-scale sporting and entertainment spectacles, adopting an anticipatory, threat-informed stance is the most essential strategic approach.

The volume and geographical spread of organized unrest and demonstrations have reached unprecedented levels, confirming their permanent status in the risk matrix. Data compiled by the Crowd Counting Consortium’s U.S. unrest dataset illustrates the scale of contemporary mobilization vividly. Covering activity since the beginning of 2017, the dataset had swelled to nearly 190,000 recorded social unrest events, or “event days,” by mid‑2024. This activity is not confined to major metropolitan areas. It spans thousands of distinct cities and towns across all 50 states and several U.S. territories, demonstrating a deeply decentralized and widespread capacity for mobilization.

While the vast majority of social unrest remains peaceful and orderly, the environment surrounding them has demonstrably hardened. Analysis from the Armed Conflict Location & Event Data Project (ACLED) indicates that counter‑demonstrations (events organized specifically to oppose the initial demonstration) have increased by an average of approximately 33 percent. This rise in oppositional gatherings significantly raises the risk profile of any environment, making physical confrontations, escalations, and disruptions far more likely, and demanding a higher level of preparation from security personnel.

This phenomenon is not unique to democratic states, proving its global pervasiveness. The Carnegie Endowment’s Global Protest Tracker routinely monitors and lists dozens of significant, active movements operating at any given time. Crucially, this includes robust movements in countries explicitly categorized as “not free,” where the risk of state intervention and violent repression adds another layer of complexity for international organizations and traveling personnel.

These compelling statistics mandate a fundamental shift in planning philosophy for corporate security and risk management leaders. Security protocols, resource allocation, intelligence gathering, and operational planning must proceed from the assumption that activist activity will occur. This shift requires integrating Open-Source Intelligence (OSINT) methodologies specifically designed to anticipate mobilization into the core of pre-event security assessments to ensure organizational safety, business continuity, and brand reputation protection.

Civil Unrest Awareness: A Comprehensive Guide on Leveraging OSINT for Monitoring Civil Unrest

How OSINT Spots Social Unrest Early

Modern organizing happens in the open on social platforms, event pages, encrypted apps with public channels, and niche forums, and OSINT turns that digital exhaust into early warning.

Key OSINT techniques that help anticipate activist activity include:

Monitoring social media posts, hashtags, and event pages for emerging campaigns, locations, and timelines.
Tracking media narratives and political flashpoints likely to “attach” to your event, such as elections, conflict, environmental issues, or labor disputes.
Mapping activist groups, influencers, and networks to understand who is driving mobilization and what tactics they favor.
Analyzing past events with the same themes or in the same city to identify likely demonstration sites, choke points, and escalation patterns.

“We’re in unprecedented times at this moment, and business owners really need to look at what they have in place if they are affected. This type of plan should detail how the business will respond to a variety of situations and emergencies, including civil unrest.”

Mick Fenton, Risk and Safety Consultant at Emplicity

OSINT adds value across the full event lifecycle, from early planning through to post‑event debrief. Weeks or even months before an event, teams can review past incidents and current online ecosystems to identify likely activist themes, key groups, and potential gathering points, then integrate those insights into security design and stakeholder briefings.

During the event, live monitoring of social channels, open messaging groups, and local news helps reveal changes in crowd size, route shifts, or calls for escalation in near real time, enabling dynamic adjustments to staffing, perimeter control, and VIP movements. Afterward, post‑event OSINT supports a structured review of what worked, what was missed, and how narratives about the event are evolving, which is especially critical when reputational risk is tied to how displays of civil unrest were managed.

Ethical, Compliant, and Proportionate Use

The deployment of Open Source Intelligence (OSINT) techniques for monitoring potential social unrest and activism associated with major events presents a complex challenge at the nexus of corporate or public safety, individual privacy, and fundamental civil liberties. Mishandling this intelligence can lead to catastrophic reputational damage, eroding public and employee trust far more quickly and completely than the occurrence of a physical security incident itself. Therefore, a rigorous commitment to ethical, compliant, and proportionate use is paramount.

Practical Guardrails for Responsible OSINT Use

Focus on Publicly Available Data and Strict Adherence to Platform Terms of Service (ToS):

Intelligence gathering must be strictly limited to data that is genuinely public-facing and openly accessible, meaning it is available without circumventing security measures, requiring login credentials (unless the organization is the account holder), or violating explicit privacy settings.
Investigators must have a deep understanding of, and strictly comply with, the ToS, acceptable use policies, and community guidelines of every social media platform, forum, and data source utilized. Violating these terms, particularly through automated scraping or bulk collection where prohibited, is unethical and can lead to legal action against the organization, account bans, and a loss of the intelligence source.

Targeting Behaviors and Credible Threats, Not Political Opinions or Protected Characteristics:

The primary objective of OSINT should be the identification of observable, actionable behaviors that indicate a credible, imminent, and specific threat of violence, illegal activity, property damage, or severe disruption to operations.
Monitoring efforts must scrupulously avoid targeting individuals or groups solely based on their political affiliations, protected characteristics (such as race, religion, sexual orientation, or disability), or their mere expression of dissenting political opinions. The distinction between lawful protest and illegal threat must be clear and absolute.
Intelligence collection must be driven by established, objective threat criteria, such as explicit calls for violence, sharing of plans to breach security, or detailed instructions on manufacturing illegal devices, rather than subjective ideological profiling.

Ensuring Transparent Governance, Robust Audit Trails, and Clear Boundaries:

Governance and Oversight: A formal, documented governance framework must dictate who can conduct OSINT, what they can search for, how the data is processed, and when monitoring must cease. This framework should be subject to regular, independent review.
Audit Trails: Every intelligence search, collection, analysis, and dissemination action must be logged with a comprehensive audit trail. This log must record the date, time, personnel involved, the justification for the search, the source data, and the outcome. This ensures accountability and allows for retrospective scrutiny of compliance.
Clear Boundaries with Law Enforcement: There must be explicit, documented protocols defining the boundary between organizational security monitoring and engagement with law enforcement. Decisions to share intelligence must be made at a senior level, adhering to strict legal counsel and privacy standards. Personnel must be trained to understand that security monitoring is not a substitute for (nor should it be used to improperly facilitate) covert or intrusive government surveillance, respecting constitutional and legal protections for free speech and assembly.

As Harry Kemsley, OBE, President of National Security and Government at Janes, once explained, the intelligence community must effectively harness open-source information to maintain relevance, but it must do so in ways that uphold democratic norms, not erode them. For private organizations, the same principle applies to using insight, and not surveillance, as the goal with OSINT.

A 10 Point OSINT Program Checklist For Event Security

Here’s a quick OSINT program checklist to get you going. It covers the core building blocks needed to turn open‑source signals into practical, event-ready intelligence for your team. The focus is on capturing the right data, interpreting it in context, and pushing only the most relevant insights to decision‑makers.

Think of it as a minimum viable framework you can adapt to your organization’s risk profile, tooling, and maturity level.

Quick OSINT Program Checklist For Event Security:

Cover surface, deep, and dark web sources relevant to the event and location.
Track issue‑specific and location‑specific keywords, hashtags, and influencers.
Apply identity resolution to distinguish authentic actors from bots and inauthentic activity.
Flag foreign influence or coordinated amplification around unrest narratives.
Produce structured assessments of unrest likelihood, timing, location, and likely size.
Assess sentiment and potential for escalation or counter‑demonstrations.
Map key groups, leaders, and typical tactics associated with each movement.
Integrate alerting and reporting into the security team’s existing workflows and tools.
Tie every finding to concrete recommendations for routes, perimeters, staffing, and comms.
Log sources, assumptions, and confidence levels for auditability and post‑event review.