OPSEC (operational security)

OPSEC stands for Operations Security. Originated in the US Vietnam-era military as the practice of identifying and protecting unclassified information that adversaries could combine to compromise an operation. Adopted civilian: by intelligence services, by privacy professionals, by journalists working with sources, by lawyers protecting client confidences, and by anyone whose threat model assumes a competent adversary watching.

What it means in practice

OPSEC is not encryption, not VPN, not Signal. OPSEC is the discipline that decides which encryption you need, which VPN you trust, when to use Signal, and (most importantly) which operations to never perform from this device, this network, this identity. The five-step OPSEC process from the US military formalizes it: identify critical information, analyze threats, analyze vulnerabilities, assess risk, apply countermeasures. The civilian version is shorter: what would hurt if it leaked, who might want to leak it, where do they look, what cuts that, what does the cut cost in convenience. The hardest part is the last column, because the cost of OPSEC is usually paid in convenience long before the threat materializes.

Where it shows up

Every Predaxia category touches OPSEC explicitly. Journalists protecting sources need a separate device, a separate identity, a separate network path. Lawyers under privilege need physically isolated client-matter compartmentation. Military families need to scrub deployment patterns from social media. NGO staff in adversarial jurisdictions need cover stories that survive a checkpoint. Divorce clients need device hygiene that does not look like spoliation. Travelers crossing borders need a clean device that does not carry the digital weight of their real life. The same five-step framework applies; the threat surface and the cost of countermeasures change.

What you can change today

Spend 30 minutes building your own one-page threat model. Write down: the three pieces of information whose disclosure would cost you the most, the two adversaries most likely to try, the four vectors they would probably use, the countermeasures you have today, the gaps that countermeasures do not cover. The output is not a permanent document. It is a snapshot you revisit every six months because the threat moves and so do you. Most operators discover that the gap is not the encryption tool, it is the recovery email, the LinkedIn profile, the Strava account, or the family member who tags them on Instagram.

Related articles