What leaders need to know to stay ahead of a shifting threat landscape.
Insights from the 2025 Threat Management Conference
Threats are escalating and evolving faster than ever. At the 33rd Annual Threat Management Conference in Anaheim, California, hosted by the Association of Threat Assessment Professionals (ATAP) and the Los Angeles Police Department, our team joined leading experts to examine the dynamic threat landscape. We gained valuable insights into the newest best practices in threat assessment, effective intervention strategies, and the latest legal updates from top employment law experts. In this expanded edition of Left of Boom, we share the key insights and strategies shaping Behavioral Threat Assessment and Management (BTAM) today. We will also explore some of these topics in greater detail in future editions of Left of Boom.
The Shifting Threat Landscape
Organizations face an increasingly complex and fast-moving threat environment shaped by ideological extremism, personal and organizational grievances, and online amplification. Threat Management Teams (TMTs) sit at the front line, but too many organizations remain reactive and siloed. Insights from the conference underscore a central truth: threat management must be proactive, integrated, and adaptive. Targeted violence rarely occurs without warning; the challenge lies in identifying concerning behaviors early, engaging the right expertise, and coordinating across disciplines before grievances lead to attacks.
Incidents are escalating faster, often triggered by catalyst events where one act of violence inspires others. What were once isolated events now ripple outward, driving waves of secondary threats, harassment campaigns, and copycat actions. These catalyst-driven threat surges can overwhelm organizations with hostile communications, concerning behaviors, and heightened operational risks.
Nihilistic Violent Extremism (NVE)
Experts are sounding the alarm over a sharp rise in NVE violent actors driven by anti-social motives, or a desire for chaos and disruption, rather than traditional grievances or ideology. NVEs often embrace apocalyptic, anti-human, and anti-ideological worldviews, glorifying mass violence and destruction as ends in themselves. Many reject political or religious frameworks, promoting dehumanization, despair, and annihilation through online subcultures, digital propaganda, and, increasingly, real-world violence.
The 2025 Global Terrorism Index reports that 65% of recent attacks in Western nations lacked clear ideological or political motives.
Example:
Fertility Clinic Bombing, California (2025): A 25-year-old man detonated a device outside an IVF clinic in Palm Springs. The bomber was killed in the explosion. His online writings expressed despair and disdain for life itself, a hallmark of NVE ideology.
Insights for Threat Managers:
NVE remains an evolving category. For threat managers, the practical path forward involves adapting existing tools like Structured Professional Judgment (SPJ) instruments, digital monitoring, and cross-discipline intelligence-sharing to assess motive-ambiguous threats.
The Mangione Effect:
Corporate Leadership in the Crosshairs
The targeted killing of UnitedHealthcare CEO Brian Thompson was a shocking example of an ideologically framed attack rooted in perceived systemic injustices in the worldwide corporate structure.
This incident acted as a catalyst event across all business sectors and ignited a wave of anti-corporate outrage and dangerous expressions of solidarity with the accused killer, amplifying threats to corporate leaders nationwide. Within hours of the killing, social media was flooded with memes, hashtags like #FreeLuigi, and tens of thousands of posts vilifying health insurers and glorifying and even deifying Mangione as a “folk hero.” Mangione’s first name has become a verb, with online chatter identifying other business leaders that need to be “Luigi-ed”.
While the initial surge of hostile sympathetic activity has subsided, experts warn of a likely resurgence in anti-corporate sentiment and grievance-driven threats as the case gains renewed media attention and progresses through the legal system, potentially amplifying risks for executives and organizations.
Implications of Catalyst Events
Catalyst events are high-profile incidents, such as targeted attacks, mass shootings, or symbolic acts of extreme protest, that inspire others to act, often triggering threat surges, copycat behaviors, and secondary risks for organizations. Here are steps to take to mitigate risk posed by such events:
- Triage but don’t ignore: Develop strategies to assess and prioritize risk present in high volumes of reports quickly and accurately.
- Eliminate reporting gaps: Every customer touch point is a potential vector for threatening communications. This includes unlikely sources like marketing communications or customer satisfaction surveys.
- Separate signal from noise: Access external experts who utilize vetted Structured Professional Judgement instruments to identify credible threats amid surges.
- Monitor ideological amplification: Track narratives across digital platforms to be alert for potential threats and copycat behaviors.
High-profile incidents no longer remain isolated; they ripple outward, inspiring imitators, fueling grievances, and reshaping offender pathways. TMTs must anticipate these surges, prepare intervention strategies, and treat catalyst events as early warnings for enhanced risk.
For a more detailed exploration of contagion, copycats, and managing large-scale threat surges, see the September/October 2023 edition of Left of Boom.
Cyber Threats – New and Disturbing Trends
Organizations face a growing wave of cyber-enabled threats where online activity escalates into real-world harm. Three key trends — doxxing, swatting, and violence-as-a-service (VaaS) are increasingly intertwined, amplifying vulnerabilities and both organizational and personal risk.
Doxxing — Weaponizing Personal Information
Offenders collect and release private details, home addresses, family information, employer data, to intimidate or harass targets. These “dox packets” often circulate on dark web forums, frequently paired with coordinated harassment campaigns or impersonation efforts.
Case example: In 2024, a physician’s personal data was doxxed, triggering weeks of threatening emails and anonymous calls until law enforcement intervened.
Swatting — Manipulating Emergency Response
False emergency reports trigger an armed law enforcement response at a target’s home, office, or event. Once largely tied to online gaming disputes, swatting now targets executives, healthcare leaders, journalists, and public officials, often combined with doxxing to escalate risk.
Case example: Nearly 100 high-profile executives, public officials, and judges were targeted between December 2023 and January 2024 in a wave of incidents.
Violence-as-a-Service (VaaS) — Outsourcing Real-World Harm
On encrypted platforms and dark web marketplaces, threat actors can hire contractors to carry out physical intimidation, arson, assaults, or even targeted killings. Vendors advertise pricing menus, reviews, and “proof-of-work” packages, with cryptocurrency payments shielding identities.
Case example: In 2024, U.S. investigators disrupted a plot where an individual used a dark web platform and cryptocurrency to hire a hitman to kill a romantic rival. In Europe, authorities disrupted a network advertising violent “contracts,” including an arson attack explicitly calling for “no survivors.”
Actions to Counter Cyber-Enabled Threats
Cyber-enabled tactics increasingly blur the line between digital harassment and physical violence. Threat Management Teams (TMTs) must act decisively:
- Monitor online spaces continuously — track open-source platforms, breach forums, dark web, and encrypted channels for early warning indicators.
- Integrate digital intelligence — combine online data with behavioral assessments to create a more complete threat picture. TMTs MUST collaborate with Insider Threat and Cyber Intelligence Teams.
- Establish rapid-response protocols — have predefined plans for managing doxxing, swatting, and other cyber-enabled incidents.
- Strengthen partnerships — coordinate closely with legal, cybersecurity, and law enforcement to respond quickly and effectively.
Cyber-enabled threats move at the speed of information, making it essential for effective threat management programs to embed real-time monitoring and integrated response strategies to protect people, facilities, and reputation.
Move from Reactive to Proactive
Waiting for a direct threat is too late. Early identification of fixation, leakage, and other behaviors of concern is essential to preventing escalation. The biggest barrier to early intervention is the persistent misunderstanding of when to engage the Threat Management Team. Far too often, upon detecting behaviors of concern, organizations delay referrals to their TMT because “the person hasn’t made a threat yet.” This mindset creates significant missed opportunities for early intervention and prevention.
TMTs should be engaged at the earliest signs of behaviors of concern, well before a direct threat or explicit statement of violence occurs. These behaviors might include fixation, boundary testing, inappropriate communications, or sudden personality changes.
Engaging the TMT early does not mean first-line supervisors relinquish managerial control. Instead, the TMT acts as a consultative body of subject matter experts who:
- Provide independent analysis of the behaviors of concern.
- Suggest early, appropriate intervention strategies.
- Partner with HR and frontline managers to create measured, proportionate responses.
Industry best practices emphasize that early collaboration between supervisors, HR, and the TMT is critical. By engaging experts sooner, organizations can manage concerning situations more effectively, reduce risk exposure, and protect both employees and organizational culture.
Legal Defensibility in a Changing Environment
Evolving regulations, OSHA enforcement trends, and new workplace safety laws demand defensible policies, consistent documentation, and integrated mitigation strategies.
Evolving regulations and recent litigation are reshaping organizational duty-of-care obligations around workplace violence prevention. Laws like California’s SB 553 and proposed Workplace Psychological Safety Acts in several states raise the stakes, requiring organizations to demonstrate defensible policies, consistent documentation, and coordinated threat management practices across HR, security, and legal domains.
Key Steps to Take Now
- Clarify thresholds between performance management and threat management so supervisors know when to escalate concerns. Early intervention is a best practice.
- Benchmark policies against recognized standards such as ANSI/ASIS WVPI AA-2020 and OSHA’s General Duty Clause to strengthen defensibility.
- Refine high-risk termination protocols with security, HR, and legal to manage heightened risk events effectively.
- Implement reporting and documentation standards that align with evidentiary needs while protecting employee privacy and ensuring consistency across departments.
Defining The Threshold: Performance Vs. Threat
One of the most challenging areas for organizations involves distinguishing performance-related issues from threat-related concerns:
- Performance issues: Attendance, productivity, and conduct problems generally fall under standard HR processes and progressive discipline models.
- Threat-related matters: When behaviors escalate into fixation, intimidation, boundary testing, or potential violence, early engagement with the TMT is critical.
Best Practices for Defensibility
- Early differentiation: Establish clear policy criteria and train supervisors to recognize when behaviors shift from performance concerns to safety threats.
- Integrated workflows: HR and TMTs should collaborate seamlessly rather than operate in silos. Early consultation with the TMT when cases are ambiguous must be encouraged.
- Documentation consistency: Maintain detailed, factual records of both performance and behavior concerns. Comprehensive documentation protects the organization during litigation, regulatory audits, and claims of retaliation.
By codifying these thresholds and fostering close collaboration among HR, legal, security, and TMTs, organizations can mitigate risk, strengthen defensibility, and ensure fair, consistent treatment of employees while meeting regulatory expectations.
Case Study: Boise Towne Square Mall Shooting
OSHA findings mark a turning point, signaling increased enforcement and emphasizing the need for defensible, standards-based threat management programs.
On October 25, 2021, a gunman opened fire at Boise Towne Square Mall, killing a security officer and a shopper before killing himself when confronted by police.
Following an investigation, OSHA cited the security contractor managing mall security for failing to protect employees from a “recognized workplace violence hazard” under the General Duty Clause. OSHA proposed a fine and further directed the contractor to revise policies to conform with the ANSI National Standard for Workplace Violence Prevention (ANSI/ASIS WVPI AA-2020) as an abatement measure. The citation also faulted training and polices as inadequate.
Earlier this year the citation was vacated after a ruling that the attack was unforeseeable, making it outside OSHA’s enforcement scope. This case is still significant in that it marks the first time that OSHA proposed compliance with the ANSI National Standard as an abatement measure. It is likely that OSHA will continue to propose such compliance as an abatement measure in future cases.
Key Takeaways for TMTs
- OSHA scrutiny is increasing: This case marks the first time OSHA proposed compliance to the ANSI/ASIS WVPI AA-2020 National Standard signaling a likely trend in future enforcement actions.
- Legal defensibility depends on aligning policies with recognized standards, providing documented training, and demonstrating proportionate mitigation strategies.
- Structured threat management programs matter. Even when unforeseeable incidents occur, organizations with structured programs, documented protocols, and cross-functional coordination are far better positioned to withstand regulatory and legal scrutiny.
Closing Thoughts
The threat environment is evolving faster than most organizations can adapt, driven by ideological extremism, grievance-fueled violence, online mobilization, and increasingly sophisticated cyber-enabled tactics. High-profile Catalyst events now amplify these risks, triggering threat surges that overwhelm security teams, fuel copycat behavior, and escalate risk exposure. Lessons from the Threat Management Conference, combined with shifting regulatory and legal standards, underscore the growing pressures organizations face to protect people, assets, and reputation.
Effective threat management programs must integrate behavioral analysis, digital threat intelligence, cross-functional collaboration, and partnerships with external threat assessment professionals to identify concerning behaviors early and respond decisively. To strengthen legal defensibility and improve prevention efforts, organizations must ensure compliance with the ANSI/ASIS WVPI AA-2020 National Standard and align policies with industry best practices.
