Looking for a certified security provider? View our Advisory and Intelligence service →
Advisory intelligence is not the same as open-source monitoring
Many organisations subscribe to threat-intelligence feeds — automated aggregations of news, dark-web chatter, and incident databases. That is monitoring, not intelligence. Advisory intelligence goes further: a qualified analyst assesses what the data means for the specific client, filters out noise, and produces a written assessment with a confidence rating and a recommended action.
The distinction matters in practice. A monitoring feed that flags rising political tension in a region gives a security manager a data point. An advisory intelligence assessment tells that manager whether the client's supply chain, principal movements, or site locations are actually exposed to that tension — and what to do about it before the next board meeting.
What advisory intelligence actually covers
A full advisory intelligence engagement typically covers four domains. Threat-actor profiling: identifying individuals, organised groups, or state actors with demonstrable interest or capability to target the client. Geopolitical and operating-environment analysis: assessing how macro-level shifts — election outcomes, sanctions, regulatory changes, civil unrest — create or reduce risk for the client's specific operations and geography. Target-hardening assessment: reviewing the client's visible profile, public information exposure, and operational security posture to identify exploitable gaps. Incident horizon scanning: monitoring for early indicators of events that may affect the client — before those events are in the news.
Advisory intelligence is often delivered as a recurring brief — monthly, quarterly, or event-triggered — rather than a one-time report. Ongoing delivery allows the analyst to build a longitudinal picture and flag trend changes rather than reporting snapshots in isolation.
Who needs advisory intelligence services?
Three buyer profiles make up the majority of advisory intelligence mandates. First: multinational corporations with operations in elevated-risk regions or regulatory environments — particularly energy, infrastructure, technology, and pharmaceutical sectors where intellectual-property theft, supply-chain interference, or sanctions exposure are live concerns. Second: governmental bodies, embassies, and diplomatic missions that require independent analysis outside their own intelligence channels — particularly for host-country risk assessments and traveller-security briefs. Third: high-net-worth individuals and family offices where a principal's public profile, business interests, or personal circumstances create a specific and documented threat picture.
In each case, the common factor is a decision-making gap. The buyer has neither the internal analyst capacity nor the cleared-source access to produce the required assessment in-house. Advisory intelligence fills that gap without requiring the client to build a permanent intelligence function.
When to commission an advisory intelligence engagement
Four triggers dominate commissioning decisions. Market entry or expansion: before establishing operations in a new country or region, an assessed risk picture prevents site selection, staffing, and partner decisions made on incomplete information. Principal exposure events: when a C-suite executive, board member, or family principal's profile is elevated by a transaction, legal proceeding, or media exposure, a focused threat assessment establishes the actual level of personal risk. Merger and acquisition due diligence: target company assessments increasingly include a reputational and threat-actor analysis — who has reason to oppose the deal, and what capability do they have to act on it? Post-incident review: after a security incident, advisory intelligence reconstructs the threat picture that was missed and identifies residual exposure the incident may have created.
A recurring advisory intelligence retainer is appropriate where the client's operating environment is permanently elevated — multinational operations, diplomatic exposure, or a known threat actor with ongoing capability and motivation. A project-based engagement suits discrete events: a market entry, a transaction, a specific threat to a named principal.
How to evaluate an advisory intelligence provider
Five criteria separate credible advisory intelligence providers from consultancies that rebrand open-source monitoring. Source discipline: does the provider explicitly distinguish between open-source, human-source, and signals-derived information, and does each assessed product carry a confidence rating? Analyst credentials: are analysts former government, law enforcement, or military intelligence personnel with demonstrated access to the relevant operating environment? Jurisdictional coverage: does the provider have genuine in-country reach for the regions you operate in, or does their 'global' offering mask thin coverage outside Western Europe and North America? Client compartmentalisation: is your intelligence kept strictly separate from other client work — no cross-contamination of assessments, no shared platforms? Reporting clarity: is the output a decision-ready brief, or a volume of data that still requires internal interpretation?
The last point is decisive. Advisory intelligence has one purpose: enabling a specific decision. If the output requires the client to interpret it, the provider has delivered monitoring with a premium label.
Frequently asked
Is advisory intelligence the same as a threat assessment?
A threat assessment is typically a one-time, point-in-time evaluation of risk to a specific person, site, or asset. Advisory intelligence is broader and ongoing — it tracks evolving threat actors, provides horizon scanning, and delivers recurring analysis. Many engagements begin with a threat assessment as the baseline, then move to an ongoing advisory retainer.
How is advisory intelligence different from corporate investigations?
Corporate investigations are retrospective — they establish what happened, who did it, and what evidence exists. Advisory intelligence is prospective — it assesses what is likely to happen, who has the means and motivation to cause it, and how the client can reduce exposure before an incident occurs. Some engagements blend both, particularly in the aftermath of a security incident that leaves residual exposure.
Can advisory intelligence be commissioned for a single event?
Yes. Project-based mandates are common for market-entry risk assessments, principal threat assessments ahead of high-profile travel, and pre-transaction due diligence. A recurring retainer is more appropriate where the operating environment is permanently elevated or where the client requires continuous horizon scanning.
What does an advisory intelligence brief look like?
A properly structured advisory intelligence brief leads with a two to three sentence executive summary — the assessed conclusion and recommended action. It then provides the supporting analysis, source characterisation, and confidence rating. Appendices carry raw data and source notes. A brief that cannot be read and acted on in five minutes by a non-specialist decision-maker is not a brief — it is a research dump.