The Attack Cycle Remains Relevant

The Attack Cycle Remains Relevant
April 18, 2023 SDC Development 2
Attack Cycle Remains Relevant - TorchStone Global

The Attack Cycle Remains Relevant

By TorchStone VP, Scott Stewart

Analytical frameworks are very helpful in understanding and contextualizing threats.

One of the frameworks that I have used to aid my investigations and analysis for many years now is The Attack Cycle.

The Attack Cycle - TorchStone Global

Last month while attending the Ontic Summit, I had a conversation with someone who believed the concept of the attack cycle was a relic of the past and no longer relevant in the current era of terrorism.

I understand their position, especially given that in places like the United States and Europe, organized terrorist groups are struggling to operate and the threat now stems largely from lone actors and small cells operating under the leaderless resistance operational model.

However, the concept of the attack cycle remains relevant today as long as it is properly understood and applied.

The Attack Cycle

The Attack Cycle was developed in response to the wave of terrorism that erupted in the 1960s and 1970s—the era David Rapoport labeled as “the third wave” of modern terrorism.

That wave of terrorism was characterized by hierarchical terrorist organizations such as the Palestinian Liberation Organization and the Italian Red Brigades.

Many of these organizations sent personnel to terrorist training camps in places like Jordan, Iraq, Libya, and Yemen where they received formal instruction from their state sponsors in terrorist tradecraft skills such as bomb-making, surveillance, covert communications, and attack planning.

This training resulted in groups that were not only well-funded and highly proficient but were also able to operate in hostile environments.

For example, the Provisional Irish Republican Army (PIRA) operated using a highly compartmentalized cellular structure with distinct planning cells, finance and logistics cells, surveillance cells, bomb-making cells, propaganda cells, etc.

In this era, it was easy to visualize how an organized, hierarchical terrorist group such as the PIRA would progress methodically through the steps of the attack cycle, often using different cells to complete the cycle, and the attack cycle model became widely used as a frame of reference for understanding how attacks were planned and conducted.

The concept of the attack cycle featured prominently in the training I received in the 1980s as an Army intelligence officer and as a Diplomatic Security Service special agent.

Elastic Framework

Since that training, I’ve had the opportunity to investigate many terrorist attacks and analyze countless others.

One lesson I learned over the past decades working in this field is that it is important not to interpret the concept of the attack cycle too rigidly.

The concept is intended to be a guideline or framework for understanding attacks and should be applied in an elastic manner rather than viewed as a cookie cutter.

All models are imperfect to some extent and no model can ever fully represent every possible sequence of events in the real world.

However, the more rigidly you attempt to apply the model to a real-life incident, the more quickly it will fail.

The attack cycle model should be used in an elastic manner for two reasons.

First, attacks can be conducted by a wide variety of actors and those actors can possess different levels of terrorist tradecraft.

This tradecraft can impact the amount of time and effort they devote to planning their attack.

A sophisticated actor planning a complex attack is likely to be more diligent and methodical in their planning than a poorly trained actor planning a simple attack.

Second, there are many different types of attacks, and these attacks can be conducted against a variety of targets.

The type of attack being planned, and the target of the attack will also influence how the attack cycle is manifested.

The attack cycle for a complex attack such as 9/11 can take years to execute, while a simple attack against a soft target like the Nov. 2019 Fishmonger’s Hall knife attack in London may be completed in only days or even hours.

Applying the Framework

The target identification and selection stage for a complex attack can be quite lengthy.

The attack planner may compile a list of potential targets and then conduct extensive surveillance on each of them to determine their vulnerability and suitability for the type of attack envisioned.

They may even conduct multiple rounds of surveillance against potential targets during this phase.

In contrast, for someone planning a simple attack, the target identification and selection phase may consist of an attacker deciding to conduct a vehicular assault against pedestrians in a location the attacker knows people congregate.

While this step of the attack cycle can be condensed for a simple attack, it is nonetheless necessary to identify and select a target.

The planning and preparation phase can also vary considerably in its complexity.

The 9/11 attacks required significant international travel and coordination as well as repeated transnational transfers of funds.

The attack plan also meant that the hijacker pilots needed to attend flight school while the muscle hijackers received intensive hand-to-hand combat training.

For an assailant planning an armed assault, planning and preparation may be much shorter and consist of figuring out how they will travel to the attack site, how they intend to launch the attack, and spending some time at the shooting range.

Nevertheless, in all the simple attacks I’ve seen, there is still a planning and preparation stage, even if it is much shorter than that required for a more complex attack.

The weapons acquisition phase will also vary greatly depending on the attack being planned.

It obviously takes far more time and effort to acquire and prepare the materials for a truck bomb than it does for a pressure cooker bomb.

In some cases, this step may even be skipped if, for example, the plan is for an armed assault and the attacker already owns a firearm and has adequate ammunition to conduct the attack.

Deployment of the attacker(s) to the attack site can be as simple as driving across town, or as complex as sending an attack team across the Arabian Sea in a hijacked fishing boat and then entering the port of the targeted city in rubber dinghies like in the 2008 Mumbai attacks.

Depending on the concept of the operation, escape may or may not be part of the plan.

It can obviously be disregarded when it comes to the operatives in suicide attacks, but it can be applied to planners of those attacks who hope to survive to plan and execute future attacks.

There has also been a trend in the white supremacist movement wherein attackers seek to be captured alive and then use their trials and subsequent appeals as opportunities to promote their ideology—exploitation.

In attacks in which the assailant commits suicide or is killed by police, they are clearly not in a position to conduct the exploitation phase of the attack cycle, but the larger extremist movement the attackers are connected to will often take up that role.

This is why we’ve seen jihadist suicide attackers record video statements prior to their attacks and why other extremists compile extensive manifestos.

There has also been a trend whereby extremists livestream their attacks on social media, or attempt to do so, to accomplish the exploitation phase of their attacks.

As in cases like the March 2019 Christchurch Mosque attacks, those videos can be very difficult to take down once they’ve been spread on social media.


By going through the attack cycle phases like this, I demonstrate that when the attack cycle is used as an elastic rather than a static framework, it is still useful as a guide to the planning process no matter what type of attack is being planned by what type of actor.

Simply put, any assailant wishing to conduct an attack must select a target, plan the attack, acquire the weapon to be used, conduct some degree of surveillance, and then deploy to the attack site to conduct the attack.

Once the attack is conducted, whether the attacker(s) dies, survives, or escapes, the movement they are connected with will seek to exploit the attack.

When it comes to lone assailants operating under the leaderless resistance operational model, they are even more vulnerable to the constraints and vulnerabilities created by the attack cycle because they must conduct each step by themselves.

This requires them to expose themselves to detection at more points throughout the cycle than does a group that can assign different tasks to different individuals or cells.