"The principal never feels the threat. That means you did your job."
Threat Assessment and the CAP Framework
Instructor Sele: You cannot protect someone from a threat you haven't identified. Before any EP operation begins, the team must understand who wants to harm the principal, whether they can, and how likely they are to try. The CAP framework is your analytical tool for this.
Section 1 — Why Threat Assessment Comes First
Every EP operation is shaped by the threat. Without a current, accurate threat assessment, the CPO is simply reacting to events — and reaction is the least effective position in close protection.
Threat assessment tells you who is a realistic threat to the principal, what their capability to act is, how likely they are to attempt an attack, and what form an attack is likely to take. This allows the team to allocate resources intelligently, plan routes, select formations, and prioritise vulnerabilities.
Section 2 — The CAP Framework
CAP is the core threat assessment model used by SafeHaven.
C — Capability: Does the threat actor have the means to carry out an attack? Consider access to weapons (firearms, vehicles, explosives), funding and resources, number of operatives, prior history of violence or criminal activity, and technical skills (surveillance, planning, execution).
A — Access (Authority/Access): Can the threat actor get close enough to the principal to act? Consider physical proximity to the principal's home, workplace, and movement routes; access to the principal's schedule or routine information; ability to pass through security layers (social engineering, insider threat); and freedom of movement in the operating area.
P — Probability (Intent): How likely is the threat actor to actually carry out an attack? Consider expressed intent (direct threats, social media, intelligence reporting), motivation (personal, political, financial, ideological), historical pattern of behaviour, and current trigger events (business disputes, political events, personal conflict).
Section 3 — Threat Levels
Based on the CAP assessment, the team assigns a threat level that determines the EP response package.
| Level | Description | EP Response |
|---|---|---|
| Low | No credible, specific threat | Standard CP posture |
| Medium | Elevated indicators — no specific threat | Enhanced CP, advance work on all venues |
| High | Specific, credible threat identified | Full CP package, armed team, route changes |
| Critical | Imminent attack likely | Maximum security measures, restrict movement |
Section 4 — Updating the Threat Assessment
The threat assessment is a living document — it must be updated continuously. A change in the principal's business activities, a political event, a personal dispute, or intelligence about a specific threat actor can all change the threat level overnight. Brief the team before every operation with the current assessment.
- •Threat assessment must precede every EP operation — never begin without one
- •CAP: Capability (can they act?), Access (can they reach the principal?), Probability/Intent (will they act?)
- •Threat levels — Low, Medium, High, Critical — determine the EP response package
- •The threat assessment is a living document — update it continuously
- •Brief every team member on the current threat assessment before every operation
"A client once told me his threat level had 'gone down' because his business dispute was resolved. I asked him: does the other party agree it's resolved? He wasn't sure. I kept the elevated posture for another three weeks while we monitored. Two weeks in, we picked up surveillance on his residence. The dispute was not resolved in the other party's view. The threat assessment is what the threat says — not what the principal feels."
In the CAP threat assessment framework, what does each letter stand for?