HK Defense Solutions

The Gas Station Question

A suspicious encounter at a gas station triggered a late-night call from a concerned client. The situation ultimately proved harmless—but the response during the first 48 hours was critical. Families with a defined security response protocol can investigate ambiguous incidents quickly, preventing potential threats from developing unnoticed.

TLDR: Adaptive private security requires immediate, intelligence-driven response protocols to neutralize ambiguous threats before they escalate into targeted risks for high-net-worth families and executives. HK Defense Solutions deploys tiered investigation frameworks to eliminate uncertainty and ensure decisive action within the critical 48-hour window.

Something happened last week that I want to share.

A client called me at 11 pm. His son had just been approached at a gas station by someone asking questions about where he lived.

It might have been nothing. A confused stranger. An innocent mistake. Someone who thought they recognized the car from somewhere.

It might not have been.

We activated immediately.

Not because we were certain there was a threat. Because certainty isn’t the standard.

The First 48 Hours

Within two hours, we had eyes on the family’s properties. We’d briefed the household staff on elevated awareness. We’d adjusted the children’s transportation arrangements for the next 48 hours. We’d begun reviewing recent digital footprint activity to see if anything correlated with the incident.

Within 24 hours, we’d identified the individual.

He was a landscaper who’d recently been let go by a neighboring property. He was looking for work. He’d recognized the son’s car from jobs he’d done in the area and thought he might know the family.

Completely innocent.

No threat. No danger. Just a confusing interaction that turned out to have a mundane explanation.

Here’s why I’m telling you this.

The Response Was Everything

The outcome was nothing.

But the response was everything.

If there had been a real threat developing, if that interaction had been the beginning of surveillance or targeting, the 48 hours after that gas station encounter would have been critical.

Threats don’t announce themselves. Surveillance often starts with casual contact designed to look innocent. Someone approaches to ask a question, gauge a reaction, test what kind of security awareness exists.

The first 48 hours after initial contact are often when the adversary is most vulnerable to detection and disruption. They’re assessing. They’re planning. They haven’t committed yet.

That’s also when the target family is most likely to dismiss the incident as nothing.

The families who have response architecture execute it. They activate protocols. They gather information. They make decisions based on what they learn rather than what they assume.

The families who don’t have response architecture start scrambling. Who do they call? What do they do? Is this serious enough to warrant action? By the time they figure it out, days have passed.

And scrambling creates gaps that adversaries exploit.

The Ambiguity Problem

I think about this constantly.

Not the dramatic scenarios. Those are actually easier. When there’s an obvious threat, the response is clear. Call the police. Activate security. Move the family.

The hard scenarios are the ambiguous ones.

The moments when something feels off but you can’t be sure. The interactions that might be nothing and might be something. The observations that could be coincidence and could be surveillance.

Someone takes photos in front of your house. Probably a tourist. Maybe not.

A car drives slowly past the property multiple times. Probably lost. Maybe not.

Your assistant mentions someone called asking about your schedule. Probably a vendor. Maybe not.

A stranger at your child’s school asks which car is yours. Probably another parent. Maybe not.

Each of these incidents, in isolation, is almost certainly innocent. The vast majority of suspicious-seeming events have mundane explanations.

But surveillance and targeting often begin with these kinds of incidents. And the only way to distinguish between coincidence and threat is to investigate.

The Certainty Trap

The biggest mistake families make is waiting for certainty before responding.

“Let’s see if anything else happens.”

“It was probably nothing.”

“I don’t want to overreact.”

These are reasonable human responses. Nobody wants to feel paranoid. Nobody wants to disrupt their family’s life based on something that’s probably innocent.

But the cost of overreacting is inconvenience. A few days of elevated awareness. Some schedule adjustments. Maybe an investigation that turns up nothing.

The cost of underreacting, if the threat is real, is exposure during the critical window when the adversary is still assessing and planning.

The discipline is having a plan for the uncertain situations. The ones where you don’t know yet. The ones where the cost of overreacting is inconvenience and the cost of underreacting is exposure.

Having a plan for obvious threats is easy. Everyone knows to call 911 if someone breaks into their house.

The hard part is having a plan for the moments when you can’t be sure.

What Response Architecture Looks Like

Response architecture is the ability to move from normal to elevated to active without having to figure it out in the moment.

It’s a pre-established set of protocols that answer the questions you shouldn’t be trying to answer during a potential incident:

Who do I call first?

What information do I need to gather?

What immediate steps should be taken?

How do I assess whether this is serious?

What resources can I activate and how quickly?

At what point do we involve law enforcement?

How do we communicate with family members during the incident?

What’s the threshold for escalation?

These questions should be answered before an incident occurs. The protocols should be documented, understood by relevant parties, and practiced periodically.

When the 11 pm call comes, you shouldn’t be improvising. You should be executing.

The Three Response Tiers

We typically structure response architecture around three tiers:

Tier 1: Awareness. Something has happened that warrants attention but doesn’t indicate an immediate threat. A suspicious interaction. An unusual observation. Information that needs to be assessed.

Response: Document the incident. Notify relevant parties. Begin initial investigation. No immediate changes to family routine, but enhanced situational awareness.

Tier 2: Elevated. Investigation has revealed information suggesting possible threat development, or the incident itself was serious enough to warrant proactive measures.

Response: Adjust transportation and movement protocols. Brief household staff. Increase monitoring of properties and digital footprint. Active investigation to identify and assess the potential threat.

Tier 3: Active. A credible threat has been identified. This could be confirmed surveillance, a direct threat communication, or an incident that indicates immediate risk.

Response: Implement protective measures. Coordinate with law enforcement as appropriate. Potential relocation or sheltering. Continuous monitoring and response.

The gas station incident started at Tier 1 and was briefly elevated to Tier 2 while we investigated. Once we identified the individual and confirmed the innocent explanation, we returned to normal.

Total disruption: minimal. Information gathered: comprehensive. Confidence in the assessment: high.

That’s what response architecture provides.

Why Most Families Don’t Have This

Most families have security for the known scenarios.

Alarm systems for break-ins. Cameras for property monitoring. Background checks for new staff. Insurance for various loss scenarios.

They have nothing for the ambiguous ones.

No protocol for the suspicious interaction at the gas station. No process for investigating the car that drove by three times. No framework for assessing whether an unusual inquiry is innocent or the beginning of something else.

Why? Because ambiguous situations are uncomfortable to plan for. They require acknowledging that threats can emerge gradually, that surveillance might already be occurring, that the boundary between normal life and potential targeting isn’t always clear.

It’s easier to assume that threats will announce themselves. That you’ll know when something is wrong. That your instincts will be sufficient.

Sometimes they are. The Singapore CFO’s instincts saved $4.2 million.

But instincts aren’t a security architecture. Response protocols are.

The Investigation Capability

Response architecture isn’t just about reacting. It’s about having the capability to investigate.

When the gas station incident occurred, we could:

Review CCTV from the location to get a description and potentially a vehicle

Cross-reference the description against known threat profiles and recent suspicious activity reports

Check digital footprint activity to see if there had been any unusual online interest in the family

Brief security personnel to watch for similar individuals or vehicles near family properties

Coordinate with contacts in local law enforcement to check for any relevant intelligence

Within 24 hours, we’d identified the individual and confirmed the innocent explanation.

Most families don’t have this capability. They have a suspicious incident, they worry about it for a few days, nothing else happens, and they eventually decide it was probably nothing.

Maybe it was. Or maybe whoever was assessing them concluded they were too aware and moved on to an easier target. Or maybe they learned what they needed and are now in a planning phase.

Without investigation, you don’t know. You just hope.

Building Response Capability

If you don’t have response architecture, here’s how to start building it:

Define your tiers. What kinds of incidents warrant attention? What threshold elevates concern? What triggers active response? These definitions should be clear enough that family members and staff can categorize incidents appropriately.

Establish your contact chain. Who gets called first? Who needs to be notified at each tier? Who has authority to make decisions? This chain should be documented and accessible.

Build investigation capability. Either through internal resources or external partnerships, you need the ability to investigate suspicious incidents. This might be a security consultant, a private investigation firm, or a managed security service.

Document protocols. Write down the response procedures for each tier. What steps are taken? In what order? By whom? Documentation ensures consistency and prevents critical steps from being forgotten in the moment.

Brief relevant parties. Family members, household staff, executive assistants, and security personnel should all understand the protocols. They should know what to report, to whom, and how.

Practice periodically. Run tabletop exercises where you walk through scenarios and practice the response. Identify gaps and refine the protocols.

The Conversation About Risk

Response architecture requires a family conversation about risk that many people avoid.

It requires acknowledging that threats can emerge. That your wealth, visibility, or position might make you a target. That the world isn’t always safe.

This doesn’t mean living in fear. It doesn’t mean paranoia. It means preparedness.

The families who handle this well treat security like any other aspect of life that requires planning. They have health insurance and financial advisors and estate plans. They also have security protocols.

The families who struggle with this avoid the conversation entirely. They tell themselves it won’t happen to them. They hope their instincts will be enough.

Hope isn’t a strategy.

The Gas Station Outcome

My client’s son is fine. Nothing happened. The landscaper was just looking for work.

But for 24 hours, the family operated under the assumption that something might be developing. They had the capability to investigate that possibility thoroughly. They had protocols that guided their response. They had resources that could be activated quickly.

And when the investigation concluded that there was no threat, they could return to normal with confidence, not just hope.

That capability, that confidence, is what protection actually looks like.

Not after you’re certain. Before.

Next Steps

If your family doesn’t have response architecture for ambiguous situations, we offer a complimentary 30-minute consultation to discuss your specific situation and outline what a response framework might look like.

We also have a downloadable Incident Response Protocol Template that provides a starting point for building your own response architecture.

Reach out through our website or contact our team directly.

Because the next suspicious incident might be nothing. Or it might be the beginning of something. The question is whether you’ll have the capability to find out.

ABOUT THE AUTHOR

John Hamilton is the founder of HK Defense Solutions, a converged security firm serving ultra-high-net-worth families, family offices, and corporate executives. He spent twelve years in U.S. Air Force special operations, where he helped build combat search-and-rescue infrastructure across active war zones.
