Threat Convergence or Threat Confluence?
By TorchStone VP, Scott Stewart
“Threat convergence” is a buzz phrase that is being widely used across the protective intelligence and security industries. I’ve lost count of the number of times I’ve heard or seen the phrase used at conferences, in podcasts, and in articles over the past couple of years.
When I was presented with the opportunity to speak on the current threat environment at the Board of Executive Protection Professionals’ Executive Security Operations Conference this month I decided it was a good opportunity to begin to explain why I believe conceptualizing the current threat environment as a convergence is harmful.
In general, I believe it is good that people are recognizing the dynamic of threat streams becoming intertwined in terms of domain, ideology, and tactics. However, I believe that if we view this phenomenon as a convergence, we detract from our ability to fully understand the implications posed by this dynamic to the current threat environment. More importantly, I believe it detracts from our ability to identify and counter those threats because you simply can’t recognize and defend against something you don’t properly understand.
I believe that what we are watching develop in the threat environment is, in fact, more of a confluence, than a convergence. Excuse me for being a bit pedantic, but I believe there are some important distinctions between the concepts of convergence and confluence, and these differences can impact how we understand and respond to the threats emerging from this environment. Let me explain by looking at the definitions of the two terms.
A Convergence describes discrete threat streams — actors, vectors, capabilities — intersecting at a definable point in time, space, or domain. But they retain their original form and nature. For example, when a red truck and a blue car converge at an intersection, they remain a red truck and a blue car. The conjunction does not create something new.
A Confluence describes discrete threat streams — actors, vectors, capabilities — intersecting and then merging into a combined, mutually reinforcing whole. For example, when two creeks merge, the water from the first creek fully mixes and mingles with the water from the second creek and it becomes extremely difficult, if not impossible, to distinguish which molecules of water originated from which creek. In a confluence the combined factors combine to produce something that is new and complex.
The dynamics driving the current period of heightened threat activity is the confluence of technological, ideological, political, social, economic, and geopolitical factors. They are deeply intertwined, difficult to separate and a confluence can produce beliefs and behaviors that would not necessarily arise from any single factor.
• Technological: Artificial intelligence, smart phones, social media, and other emerging technologies are driving a confluence of the physical and digital worlds and it is becoming increasingly difficult to separate the physical from the digital when assessing things such as indicators related to the attack cycle or the pathway to violence.
• Ideological: Postmodernism and the “post truth” world have led to extreme skepticism, relativism, and a growing mistrust of authority. This is also leading to a confluence in which threat actors select and combine grievance narratives from different extremist movements.
• Political: There has been a rise in “us vs. them” populism in politics. It is no longer enough to disagree with someone’s politics, instead people with differing views are demonized. This leads to “in group” vs. “out group” grievance narratives that lend themselves to extremism.
• Social: Issues such as gender, race, religion, the environment, immigration, social welfare, become heavily politicized and are used to produce more “in group vs. out group” grievance narratives—and as a result more extremism.
• Economic: Economic conditions like inflation or recession, and issues such as wealth inequality, anti-corporate sentiment, and anti-elite sentiment, also drive grievance narratives.
• Geopolitical: Wars, natural resources, great power competition, and migration can all raise tensions internally and internationally.
For an example of threat confluence, consider how geopolitical rivals of the United States such as Russia, China and Iran are currently waging information operations to stir up divisions inside the U.S. (and the broader West) using technological, ideological, political, social, and economic grievance narratives.
There have also been many examples of Russian and Iranian intelligence using social media platforms to spot and recruit people to conduct physical sabotage attacks and then paying their recruits using crypto currencies. It is very difficult to disentangle the cyber from the physical in such an operation.
An example of ideological confluence was the attacker in the January 2025 school shooting at Antioch High School in Nashville, TN. He was not only radicalized and motivated by “Columbiner” school shooting ideologies, and nihilist ideology, but had also been heavily influenced by neo-Nazi racial grievances — even though he himself was African American. In this case we saw a melding of various grievances, personal crisis, ideological validation, and weapons access flowing together into a single attack.
If you closely examine the Nihilist Violent Extremist (NVE) movement, for example the 764 network, it is not difficult to recognize that their misanthropic beliefs have been shaped by a number of confluent, and at times conflicting, influences and ideologies. Unlike converging factors, in the beliefs and actions of a network like 764, we can see how these confluent drivers lose their separability; they amplify one another, and you can rarely identify any individual driver as being decisive.
Security Confluence
The most effective way to counter confluent threats is to develop a confluent security capability. There’s been a lot of discussion over the past couple decades over the need to break down silos between physical and cyber security, and rightly so. However, despite all the talk about companies and organizations adopting a modern Enterprise Security Risk Management (ESRM) approach, very few have done so in practice and operations remain siloed. Unfortunately, the result of these silos is that they produce blindness to the emergence of confluent threats because such threats don’t normally fit neatly into any one box. I strongly believe that more effort needs to be placed into true security confluence.
This means making real and viable connections between all the security and other relevant teams to include the protective intelligence team, the GSOC, the threat management team, facility security, residential security, executive protection, cyber security, legal, corporate communications, HR, and operations. This confluence doesn’t have to occur in a physical space like a fusion center, although it can. The most important part is establishing communication channels and procedures, establishing close working relationships, and ensuring regular sharing of information between the various participants. Each node that has a specialized field of knowledge, or access to unique information, can contribute to enrich the overall awareness and understanding of the group.
Achieving confluence also requires broadening the intake of threat intelligence and adopting a “see something, say something” approach to intelligence sharing. Threat information can and will come from unexpected sources and should not be discounted just because the source of that information—or the information itself—does not fit into a pre-defined threat category. For example, we have seen jihadist threats arise from Muslim converts who do not at first glance meet the stereotypical profile of a jihadist threat actor. We have also seen Iran’s Islamic Revolutionary Guard Corps attempt to recruit Mexican cartel sicarios and other criminals to conduct attacks inside the United States.
These coordination/confluence efforts should also extend beyond the organization to include appropriate law enforcement contacts at all levels, other relevant government contacts, liaison with other contacts in the sector and industry, and partners who support an organization’s security efforts.
Threat confluence poses a challenge, but that challenge can be mitigated through the resources that can be focused to obtain greater situational awareness and provide an enhanced degree of situational understanding through the power of security confluence.