What is Operational Security?

The practice of protecting sensitive information by thinking like an adversary to identify vulnerabilities in your own behavior and communications. OPSEC goes beyond technical tools to address human factors that could expose you.

Also known as: OPSEC, Operations Security

The best encryption in the world won't help if you post selfies from your "secret" location. OPSEC is about identifying and plugging the human holes in your security.

The OPSEC Process

1. Identify Critical Information

  • What do you need to protect?
  • What would harm you if exposed?
  • What are you trying to hide?

2. Analyze Threats

  • Who wants this information?
  • What are their capabilities?
  • How motivated are they?

3. Analyze Vulnerabilities

  • How could information leak?
  • What behaviors expose you?
  • Where are the weak points?

4. Assess Risk

  • Likelihood × Impact
  • Which vulnerabilities matter most?
  • Prioritize countermeasures

5. Apply Countermeasures

  • Technical solutions
  • Behavioral changes
  • Procedural safeguards

Common OPSEC Failures

Social Media

  • Location metadata in photos
  • Check-ins revealing patterns
  • Friends/followers revealing network

Communication

  • Using real name with pseudonym
  • Reusing usernames across platforms
  • Consistent writing style

Behavioral

  • Predictable schedules
  • Distinctive habits
  • Bragging about security measures

Technical

  • Same device for different identities
  • Browser fingerprint uniqueness
  • Network correlation

OPSEC by Threat Level

Casual Privacy

  • Separate work/personal accounts
  • Don't overshare on social media
  • Use basic privacy tools

Moderate Threats

  • Separate devices/profiles
  • Careful metadata handling
  • Compartmentalization

High-Risk Situations

  • Air-gapped operations
  • Strict information diet
  • Professional tradecraft

Key OPSEC Principles

Compartmentalization

  • Separate identities completely
  • Different tools for different purposes
  • Share information on a need-to-know basis

Consistency

  • All-or-nothing approach
  • One mistake can undo everything
  • Maintain discipline always

Paranoia (Appropriate)

  • Assume you're being watched
  • Assume networks are compromised
  • Assume adversaries are capable
