Contextualizing Hybrid Threats

September 2, 2025 sdcpm
Contextualizing Hybrid Threats - TorchStone Global


By TorchStone VP, Scott Stewart

As conversations around security evolve, one theme increasingly dominates social media platforms like LinkedIn and X: the rise of “hybrid threats.” Typically, the term describes threats that cross multiple domains—most often combining cyber and physical elements.

This heightened awareness is valuable. It highlights the importance of breaking down information silos and adopting a holistic approach to security. Yet, it is equally important to recognize that hybrid threats are not a new phenomenon. They have been present for decades, and security professionals already have proven strategies for countering them.

Confluence of Technology and Threats

History shows a persistent connection between emerging technologies and the tactics employed by threat actors. As author Michael Burleigh documented in his outstanding cultural history of terrorism, Blood & Rage, there was a distinct connection between the emergence of Fenian terrorism in Ireland in the late 1860s and the 1867 invention of dynamite by Alfred Nobel.

From the earliest days of terrorism, attackers have embraced new technologies with remarkable speed. In response, law enforcement and security services have had to continually adapt, often in a reactive posture. For example, once authorities developed countermeasures to Anarchist bombers in the Victorian era, terrorists shifted to mail bombs. In 1919, a large-scale campaign targeted U.S. government officials and business leaders, including J.P. Morgan, Jr., and John D. Rockefeller.

As targets, mail inspectors, and security teams began to institute measures to mitigate the threat posed by mail bombs, anarchists again pivoted, launching the first terrorist vehicle-borne improvised explosive device (VBIED) attack when they detonated a massive dynamite bomb concealed in a horse-drawn wagon on Wall Street in New York in September of 1920.

This cycle—threat actors innovating first, followed by security teams racing to adapt—continues today. The pace, however, has accelerated dramatically. Technology is now advancing at a mind-bending rate, and internet-enabled smartphones and other devices give threat actors access to an almost incomprehensible amount of information, bridging the cyber and physical realms. When combined with social media and messaging apps, these tools connect people globally in ways never before possible.

The interconnectedness of digital and physical domains, combined with instant access to data, has dramatically expanded the attack surface for individuals and organizations. Cyber attackers from Nigeria can now target a person sitting in a sidewalk café in New York as readily as a snatch-and-run street criminal might in person.

Potential targets now face not only cyber and physical attacks but also cyber-enabled physical attacks. Most attackers cannot yet use cyber tools to directly cause physical damage on the scale of the Stuxnet attack on Iran’s nuclear program in the 2000s, but that day is drawing closer.

Adding Context to the Conversation

All that said, hybrid threats did not suddenly materialize in 2025. The June 14 attacks against state lawmakers in Minnesota—where adversaries used data aggregators to collect pre-operational intelligence—serve as a reminder that such risks have existed for years.

In The Protective Intelligence Advantage, a forthcoming book co-authored with friend and former colleague Fred Burton, one of the protective intelligence case studies we feature is the 2003 kidnapping of hedge fund manager Eddie Lampert. This case is a textbook example of the hybrid threat now so widely discussed.

After police identified and arrested three members of the group that abducted Lampert, they searched the ringleader’s residence. He had fled abroad but was later arrested in Canada, extradited, tried, and convicted. Court records revealed that the ringleader used internet searches to compile a list of high-net-worth individuals residing in Connecticut. He also relied on stolen credit card numbers to purchase information reports from internet data aggregator websites on some of the potential targets and then applied those reports to select Mr Lampert as his primary target.

While this kidnapping lacked the full digital/physical integration we now see in attacks associated with the social media threat continuum, it was clearly enabled by information obtained from the digital realm and, therefore, should be considered a hybrid attack.

Mitigating Hybrid Threats

Because hybrid threats are not new, tested methods already exist to reduce their risks.

  1. Reduce the Digital Footprint

The first step is limiting the amount of personal information available online. Information removal companies, such as our partners at 360 Privacy, excel at removing personal data from aggregator sites and search results.

However, if a person posts carelessly or ignores privacy settings, they create “digital breadcrumbs” that attackers can piece together to enable an attack. When an individual “self-doxes,” companies like 360 Privacy cannot help. Public figures, in particular—executives, athletes, entertainers, and influencers—must strike a careful balance. Promoting their work online is essential, but doing so requires a strict separation of professional, public information from private details that could be exploited.

The consequences of failing to maintain that boundary can be severe. In October 2016, Kim Kardashian was robbed of $10 million in jewelry in Paris after posting images of her location and valuables on Instagram. More recently, in February 2025, a 22-year-old man from Texas traveled to Ft Lauderdale, Florida, and was arrested after breaking into a house that had been rented by a group of popular female OnlyFans content creators. One of the women had posted a video on TikTok showing the exterior of the house several days before the incident, allowing the obsessed fan from Texas to geolocate the house.

  2. Implement a Protective Intelligence-Led Security Program

There are limits to the information threat actors can obtain online, and even in a best-case scenario for them, they are unlikely to be able to conduct an attack without first conducting physical surveillance of their target. A protective intelligence-led program limits threat actors’ ability to surveil without being detected.

Not all principals face the same degree or type of threat or have the same risk appetite, and it is critical to “right-size” the security program to the principal’s needs and preferences.

A protective intelligence team can provide assessments of the threat facing the principal, identify risks to the principal’s public profile, assess the security program currently in place, monitor social media for threats, and assess threats or potential threats that are identified. These assessments provide those responsible for security with the information they need to design a holistic security program and deploy the physical and technical security measures and personnel required to address and mitigate the threats facing the principal.

By watching for emerging threats, databasing incidents and individuals, and providing context to the observations of the security team, a protective intelligence team plays a critical and proactive role in defending against both immediate risks and evolving hybrid threats.

