Counter-surveillance and security awareness training for dog owners, extreme or a necessary service?

Dog guards the house concept with door keyhole and portrait of looking Jack Rusell dog.  Pet dog stay at home and watch. Copy space.

One of the reactions of the pandemic is the uptake in pet ownership, with more time to enjoy country walks and a desire for companionship many people have added a new dog or puppy to their family. The negative impact of this is a surge in pet theft by organised criminals who target dogs which they breed for profit, use for illegal fighting and even ransom back to their owners.


More than 60 dogs are stolen in the UK per week and less than 5% of these cases lead to a conviction. In October Tom Hunt MP called for pet theft to become a specific offence, this would result in tougher sentencing for pet theft. Currently most cases are heard in the magistrates court where convictions typically only incur a £250 fine, the same punishment as the theft of an inanimate object. For more information see


The stories that unfolded in 2020 tell heartbreaking tales of support dogs, working dogs and children’s pets being stolen often in blatant and planned attacks. The stereotypical example of a dog being taken from outside a shop whilst their owner popped in for a quick pint of milk has been replaced with accounts of sophisticated methods of breaking and entering property, people being placed under surveillance and followed home whilst walking their pets and even being violently attacked for their dogs.


These advanced attacks have resulted in the need for serious countermeasures. We have recently been asked to provide several of our clients and their households with security awareness and counter-surveillance training which they can subtly deploy to remain safe whilst walking their dogs. This has led to the creation of our specialist canine counter-surveillance project which 2021 will see us roll out as an online and in-person security awareness service for our clientele.


Our training programs are based on years of counter-espionage experience and include subjects such as how to raise your awareness levels, how to identify if you are under surveillance, how to deter potential criminals, what to do if you suspect that you are being followed and safety and security advice which should be adopted in everyday life.


For more information regarding any of our services including:


Physical penetration testing

Close protection



Security awareness training

Bug sweeping

OSINT and Due Diligence



Please contact us;

0203 897 22 72



Physical Penetration Testing and Security Awareness Training - the vital and often missing links in an organisations security strategy.

Physical penetration testing, sometimes known as black teaming or red teaming, is a hybrid between a security test and a security assessment focusing on the vulnerabilities which can be exploited via an attacker gaining physical access to a building. Once the vulnerabilities are identified they are tested through the methods which would be used by both opportunistic and sophisticated attackers. This is a very pragmatic service that businesses can utilise to explore known and unknown threats against their assets. Learn more about physical penetration testing

My organisation has excellent security infrastructure why would we need to worry?

Security budgets frequently prioritise physical defences, little attention is given to ensuring that staff understand the security policy and why compliance is so important. The best access control methods are useless if someone holds the door open for the person behind them or is not confident to react to a tailgate alarm.


When asset and risk registers are created a common mistake is to calculate the value of physical office assets as items such as furniture and IT hardware, the result is a fairly low value and the security provision to protect them is on par with that equation.


An organisations intellectual property and data and the risks from malware and ransomware are often assessed to be at risk purely from external attack, falling under budgets dedicated to cyber security rather than local physical prevention. Often loopholes can be exploited enabling network access to be achieved through a simple action such as inserting a USB device directly into a computer.

There is no reason for our organisation to be targeted

In the case of ransomware, hackers rarely care who they target. The threat is not coming from state sponsored actors motivated by industrial espionage or political agenda. It may be simply about holding your files or systems to ransom to make easy money.


The human factor is frequently the weakest link in the security spectrum. Recent attacks against blue chip companies have occurred through the exploitation of staff, this can be overtly or covertly. Overt methods include offering large sums of cash to entice a staff member to take an action such as the thwarted plot against Tesla in which an employee was offered $1 million to insert a device containing ransomware onto Tesla systems. Covert attacks include staff being exploited without their knowledge; this was seen in the twitter hacking scandal where the attacker impersonated a member of IT staff in order to gain employee log in credentials resulting in a hack which provided access to celebrity twitter accounts which the attacker then used to commence a $110,000 bitcoin scam. Attacks against smaller companies are a constant occurrence but don’t make the headlines in the same way as companies which float on stock markets or those who control large amounts of data.


In many cases regardless of the threat actors origin and objectives common attack methods are used, these include leaving USB devices where curious staff members may find them and plug them into unguarded systems, phishing attacks and gaining physical access under a pretext in order to plant a device which will access a companies network, steal their log in credentials or simply record sensitive conversations. Learn more about corporate surveillance

How can we improve our security strategy to mitigate these threats?

Physical penetration testers act in the same way as the attackers, they are well trained and highly experienced in the arts of persuasion, impersonation and pretexting, otherwise known as social engineering. They will gain physical access to a company through a combination of simple factors such as looking like they belong there, speaking about the right people within the organisation, knowing where they are going and having a reason to be there so as not to appear in any way suspicious.


They will operate under the parameters of the particular task and will attempt a range of exploits to assess security procedures and infrastructure at every level of the organisation from the situation of cameras, effectiveness of access control, standard of physical security personnel and levels of staff security awareness. The company is then provided with an in-depth report which will score all security risks and will provide recommendations if improvements need to be made.


Educating staff in the importance of security procedures, knowing how to identify a well disguised attacker and providing them with the confidence to alert security or office seniors of people who appear out of place is in our experience the most vital line of defence to prevent malicious attacks. It is also a relatively inexpensive option with high results.


Once we have completed a physical penetration test, we offer the company a bespoke staff security awareness training session based on our findings, this can be tailored to fit with staff schedules over multiple sites if required and is designed to be a non-judgemental session where the aim is to educate rather than point out individual failings.


For more information regarding our range of services including physical penetration testing, executive digital profiling, and surveillance awareness, or to create a bespoke employee security awareness training package for your organisation no matter how large or small please contact our training department.

Please see our other blogs dedicated to social media exploitation, surveillance and physical penetration testing.

Phone 02038972272

71-75 Shelton St, Covent Garden, London, WC2H 9JQ


Social Media as an OSINT tool

It is that time of the year again, the one that is particularly annoying for people who have lots of friends with small children.

It is the ‘back to school’ or ‘stand by the front door’ week. Many parents do this, I have been guilty of it myself and this year it will be even more prominent as due to Covid the majority of children ended the summer term without meeting the annual leaving milestone as expected, which was especially hard for those reaching the end of their primary schooling or even completing their first year in reception. This year going back to school is a bigger deal for most than ever before and this will be accurately reported on social media and with various versions of #backtoschool and #firstdayatschool

So what? you might ask. What is wrong with uploading a photo of my child looking super cute in their new school uniform?

For many people, nothing at all. I don’t aim to scaremonger with this post, many people have a Facebook or Instagram account with locked down privacy settings and they only share this sort of picture with their close friends and family.

However, in times where employees are manipulated via social engineering to give away confidential information or access such as was initially suspected in the recent twitter hacking breach, people need to be aware of what they are posting on social media and to have a good awareness of what could be compromised if they were manipulated.

Sloane Risk Group specialise in identifying and preventing vulnerability’s which enable malicious access to information security, this is both the physical security of buildings, offices and systems and the access which is obtained through hacking people, by manipulating them to give away vital information leading to data loss or physical breach.

We have worked with clients in businesses that specialise in software development, pharmaceuticals, and research all with their own reasons to be targets of malicious attackers, some of which have experienced campaigns against them including threats of direct violence towards the family members of their staff.
When we look at an organisations staff and their attitude towards security, we frequently find links between accounts such as linked-in and various social media platforms which inadvertently give away far more personal information than can be recommended from a security aspect. We find that people often take measures not to show their address but then they miss other exploitable personal identifiers. This is especially prevalent in spouses who do not realise the access to information or development that their partners may have.

If a malicious attacker is able to trace your children to a local primary school it would not take long to identify them being dropped off, your vehicle and from there your home address. This could be to place you under further surveillance, plant audio devices at your address, search through your rubbish, place tracking devices on your vehicle or even to directly threaten you.

If you are not in the category of people who could be exploited for criminal or competitor gain, the general security of your children should always be a cause for concern. In many child abduction incidents, the perpetrator has conducted some sort of research around that child first especially in kidnap for ransom cases.

What steps should I take to stay safe?

Before you or your spouse post anything with details such as school jumpers with emblems stating exactly where that school is, consider the following:

• Am I in a position where I could be bribed, blackmailed or tricked into giving away company secrets?

• Could the organisation that I work for be a target for hackers, scammers, criminals or protestors?

• Is the company information so valuable that someone could even threaten me or my family to get it?

• Am I giving away too much information about my family and our routines?

This is extreme but unfortunately not unheard of. If you feel that you should maintain the freedom to post about your family life, consider blacking out emblems or logos on uniform, think about the wording you use when you make your posts, and what other information you may be giving away in the picture such as door numbers or car number plates.

If you would like more information regarding counter espionage, a company security assessment, security audit, black team/physical penetration test, staff security awareness training or an employee security profiling test then please contact us.

Applying the Consultancy Cycle to a Black Team Assessment

Security consultancy

A UK tech company requested our services to review their current security strategy, they stipulated a focus on improving staff attitudes towards physical security.

The client was satisfied that their outward facing cyber security was very strong but they were concerned about the damage which could be achieved by insider threat or by an attacker who might gain internal physical access

Stage 1 - Entry and Primary Analysis

We visited the client at their London HQ and ascertained that their main threat was commercial espionage by competitors.

Their need was to develop long term security resilience rather than to see a quantitative regain on their investment. Our pitch focused on the fact that as a black teaming specialist we provide a unique service involving accessing the buildings using the resources of a hostile attacker. This quickly detects the grass roots vulnerabilities faced by the client and creates the starting place for an advanced security strategy to be developed.

Stage 2 – Contracting

Our proposal stated the set times we would allow for each step such as the black team deployment, use of gap analysis and how we planned to work across the spectrum of people within the business, tackling policy and procedure problems as well as identifying the staff shortcuts.

We explained how we would identify the range of security threats and vulnerabilities to the business and use existing framework to strategize ways to reduce them.

Stage 3 – Gathering Data

The first step was the specialist activity of the black team, this enabled us to rapidly ascertain the main human based problems facing the business. For instance, the staff were extremely polite and held access-controlled doors open for each other, by fumbling with a similarly looking badge or by holding multiple cups of coffee our testers found entry was easily obtained. Once inside they were accepted as people who should be there. This stage also enabled us to assess the security hardware of the buildings and the perimeter defence zones.

The next step was to create an asset register and to place a value to the things that were important to the business. We reviewed the policy and processes and interviewed staff informally to establish the security-based strengths and weaknesses throughout the organisation.

Stage 4 – Diagnostics

We identified the majority of the client’s problems during the first stage of the assessment. Our Black Team are experts at finding the holes in physical security and identifying how human nature can be exploited to gain access or to encourage staff to perform an action such as clicking on a phishing link.

We assessed that the physical security was generally to a high standard except for an RFID weakness, however due to us managing to breach the building and remain inside for prolonged periods on five separate occasions the human element needed improvement. There were also some policy and contract points which we considered to require amendment.

Stage 5 – Generate Options

For the outlay of the cost, the client expected to see the implementation of a tougher security strategy and a clear improvement in their security culture.

Our shared vision was to achieve this by investing in the organisations people, showing them why security is important and teaching them to recognise and avoid the manipulation tactics used by hostile attackers such as impersonation, phishing, pharming, vishing and smishing.

We presented the client with a range of options which addressed both the quick fixes and long-term goals needed to improve their security resilience which included;

a, doing nothing
b, developing the security strategy by investing in all business departments with business wide initiatives, improvement of the RFID issue, advice regarding contract and policy changes and using our results to deliver an informal staff security awareness session.
c, the additional option of a more in-depth training feature and ongoing staff security culture testing program with measurable results.

Stage 6. – Implement Actions

The client chose the most in-depth option which involved ongoing staff training and subsequent testing. Our consultant led the project with a team of our training consultants and an external partner organisation who implemented an RFID frequency upgrade.

Stage 7- Disengagement

The scope of the work that we conducted was clearly defined and easily measurable. The client was extremely happy with our service and asked us to re-contract to provide quarterly security spot checks and annual training for new staff members.

For black team/physical penetration testing assessments, security awareness training packages for staff and executives and for corporate surveillance investigations contact us:
0203 897 22 72

71-75 Shelton St, Covent Garden, London, WC2H 9JQ


Protecting yourself from spying, stalking and surveillance from your spouse or a former partner.

Sloane Risk Group London

Would your spouse spy on you?

Many of our clients suspect that they may be subject to stalking, surveillance and spying by a spouse or partner. We have experienced cases where our client’s email and social media accounts have been accessed, stalkerware has been installed on their phones, tracking devices placed on their vehicles, and their homes have been bugged with audio and video surveillance devices.


This article explores some of the easily obtainable software, programs, devices and equipment that can be used to invade your privacy and the basic ways in which you can prevent yourself from becoming a victim of stalking, surveillance and spying by your spouse or partner.

Stalkerware, Spouseware, Spyware

There are lots of tracking apps for mobile devices available, many are marketed as apps for tracking children but when used maliciously are known as known as stalkerware, spyware or spouseware. Their capability includes monitoring emails, messages, locations, accessing photographs, contact details, obtaining social media passwords, even remotely turning on the devices camera and gaining a view of the surroundings of the device, all whilst running undetected.


On an Android some of the current tracking programs can be seen in the form of an obvious app, they may appear as a technical settings that you are unlikely to explore such as; wifi settings, access tool or system update service, on an iPhone you may find an app called Cydia or iKeyMonitor. You may also notice that your battery life drains quicker than normal or your location arrow may be constantly visible.


One of the extra problems with stalkerware is that when data is stolen it is not necessarily secured and is then open to compromise by third party’s.  It may also leave your phone open to further attack.

How stalkerware is placed on a device

There are a range of ways to do this, but these are the most common:


1 – You could receive a Link via text or email such as something that looks like it goes to an interesting article, photograph or website, this is called a phishing attack and when clicked on will start installing the spyware onto your device. This could also be in the form of a pop-up requesting access and location permission which in a rush you may accidently accept.


2 - Access to your pin and apple ID, this could be easily obtained by your partner or former partner shoulder surfing and over time seeing what details you enter to access your device and accounts or from a note you may have written down when first setting up your phone.


3 - A gift, be wary of anything technical being given to you as a gift or anything you might conveniently find dropped outside your front door.

What to do if you think stalkerware has been installed onto your device

There are many variants of stalkerware and things evolve quickly, the recommended actions vary depending on the type of phone and the install but advice includes; (if using iOS) to log in to your ICloud account and sign out of all active sessions.  It is also advised to perform a full reset on your device, this however is not a failsafe and does not work against all attacks, if you can then consider a professional forensic examination or a new phone. There are tools to search for this type of malware however these are more available for Android than I phone and not all are simple to use. Stay up to date with software updates as they are constantly fighting threats such as this.

If you are however stuck in a situation of domestic abuse then it is advised to retain your phone and carry on as normal so as not to endanger yourself, instead try to discretely obtain a second phone for any sensitive conversations and messages.


Next change all of your passwords including your apple ID and follow the below steps to limit your personal identifiers and secure your accounts.

How to protect yourself online and prevent becoming a victim of account exploitation

Reduce your online visibility, if you would not tell everyone that you meet your full name, email address, phone number, home address and details of your partner and children, friends and family don’t do it online.

Step 1 – Use a VPN (Virtual Private Network)

Every computer has an individual IP address which can be used to trace your location.  A VPN such as PIA or Proton VPN disguises your IP address.  There are a range of both free and paid for services although paid for versions generally receive better press. Your account will enable you to use a VPN on multiple devices and you should remember to install it on your smartphone.


Step 2 – Create new passwords and usernames

You should not recycle usernames and certainly not passwords. Even if you are not a specific target it is very common for websites to be hacked and data stolen, this data is then dumped in pastebins, these are repository’s which can be accessed by anyone, and your passwords and usernames exploited. If you use the same password on multiple sites it is then very easy for you to be hacked. There are several services that allow you to check if your email password has been compromised such as or


Step 3 – Use a password manager

A password should be a mixture of numbers, letters and symbols. Instead of trying to remember complex passwords sign up for a password manager. This is a program that can run on your computer and mobile device which stores and autofill’s all of your passwords, you only have to remember one password to access it. There are many different types of password manager such as Last Pass or Bitwarden


Step 4 – 2FA, (Two Factor Authentication)

The next step is to secure accounts and your password manager with 2FA, this is often a text message that you will enter when accessing the account, but a more secure way is to use a physical token such as a yubi key. You place this like a USB into your computer or phone and simply touch it to confirm that it is you accessing the account.


Step 5 - Consider avoiding profile pictures

We all like to have a profile picture on our social media and linked-in accounts, in most cases this is totally fine, however if you are at risk from malicious activity consider not using them, this also applies to little used accounts where you might add a picture once and then forget that it is there, if someone obtains a reused user name it will be easy to view the pictures that you have used and perhaps forgotten about.


Step 6 – Privacy Settings

Set your social media account settings to maximum privacy, make sure that people you do not know cannot access your personal information. Also check your security settings, when you forget a password but someone has accessed your username or email they can use the “forgot your password” option to obtain some of the characters of your phone number or email, this can be slowly pieced together to gain your contact details.


Step 7 – Don’t use your real name

This is for people who have a genuine fear of being stalked, don’t let vanity take over, your friends know who you are and can find you if needed.


Step 8 – Be aware of what you post

It is possible for investigators to search for text in images, an innocent picture with your vehicle registration in the background could later reveal what you, your house or your children look like. Likewise, with check-in’s and geotagging, consider if you really need to publish where you are and what you are doing. Even if you show this information retrospectively you still create a dossier on the places that you visit, the things that you like and potentially annual events that you go to.


Step 9 – Change your phone access password regularly

Avoid being a victim of revenge Porn

In hindsight this is an obvious suggestion but in the moment it is not uncommon for people to engage in exchanging sexual imagery. Our advice to all parents is please have this conversation with your teenagers, blackmail regarding compromising images is very common. If you have any compromising images on your devices, erase them and don’t forget to empty the wastebin, you may also want to consider clean up software often known as file shredding.

Bugging your house or vehicle

In more extreme cases consider a bug sweep, there are many quick plant devices that are easily obtained, they might not have a long battery life but the quality is good and they can be accessed remotely. Focus on the areas of your home where you are likely to have sensitive conversations and spend a lot of time. If your spouse is likely to have placed the item themselves then conduct a logical search starting from left to right, high to low. Check everything, books, objects, behind sofa cushions. If you believe that they may have contacted someone to install a more professional device with some longevity, consider contracting a professional TSCM (technical Surveillance Counter Measures) expert.

Are you likely to be under physical Surveillance?

See our other blogs describing surveillance techniques, if you feel that you are being followed you first need to establish if that is the case, depending on your situation you may want to do this overtly or covertly. Overt methods include manoeuvres such as driving twice around a roundabout, turning on quiet stretches of road or randomly when walking to establish if you see the same person, people or vehicles more than once. Covert methods involve finding a reason to look behind you without appearing to look or to notice anything for example pausing to stroke a dog, looking back as you cross the road. To detect a professional surveillance team, we suggest employing experienced counter surveillance. If you are under surveillance your options very much depend on your situation and the level of threat against you and we advise our clients accordingly.

We hope that this blog will enable you to protect yourself from stalking, surveillance and spying by your spouse or partner.

For more information regarding our range of security risk mitigation and protective services including surveillance, close protection, TSCM bug sweeping and counter surveillance please visit our website or contact us by email

We have offices in Brighton and London and operate worldwide

Sloane Risk Group

Physical Penetration Testing

The importance of Business Security

A layered approach to security is vital for all businesses from start-ups to international corporations. Starting with perimeter security and external access control, leading to internal access controls and then secured areas and cabinets, security is the first, second and third ring of defence against corporate espionage, hostile attackers, opportunistic intruders, and a large range of threats which can cost a business time, reputation and money.

What is Physical Penetration Testing?


Businesses invest a great deal in fencing, alarms, access control and manned guarding. Physical Penetration Testing is a proactive way to identify if these security measures are working sufficiently and to assess a company’s security vulnerabilities through the eyes of a would-be attacker enabling the business to improve its weaknesses before a real attacker can exploit them potentially causing a data breech, loss of IP, theft and even physical damage and harm to employees.

How is Physical Penetration Testing Conducted?

Each deployment is bespoke to the client requiring the service, after establishing the location, nature and size of the business the client is generally offered three levels of test to choose from, some organisations especially those who have a reason to be at high risk from a hostile attack such as research facilities and Government buildings take a very forward facing approach to their security concerns and will choose a level of service that simulates the real-time that a hostile attacker would spend conducting open source intelligence (OSINT), hostile reconnaissance and surveillance of the building, its key executives and employees. Smaller businesses with a lower security budget but whom understand their responsibility towards facing security threats might opt for a shorter project but will provide some basic information about the running of the business which the testers would have found out themselves had they conducted a longer surveillance period.


The first step is OSINT, this will show the profile of the company, related media and its areas of interest. Geographical information such as mapping of the area in which it is located, the thoroughfares, staff areas, parking, travel options and other local facilities and businesses which can be utilised during the attack phase.


Most importantly it will show the security awareness of staff members. Through a range of media options OSINT can identify who works for the business, which department and position they hold, who they report to and who reports to them. If staff are not overly cautious it can show when they are on holiday, what the internal office areas look like, even what type of ID they wear and what operating systems they use.


All of this information will build a picture for the next stage of the attack.

Social Engineering

The social engineering part of the attack will start before the main deployment, vishing (voice phishing) calls will be made to identify routes via staff members into the building and to find out additional information about the daily operations and procedures. Pretexts will be established, and appointments will be set up to enable later access or to gain further information about the security procedures.

Cyber Attack

A Cyber penetration test will assess the cyber security of the organisation. How far the team are required to penetrate will depend on the appetite for a realistic result by the client versus their natural precautions surrounding very sensitive client data and the budget available.


Whilst malware can be specially created and deployed during a spear phishing attack

many clients opt for a shallower test to determine if any improvements need to be made.


The range of typical tests include:

  • Internal Infrastructure test - the type of test which will detect any vulnerabilities which could be exploited by a threat such as a disgruntled employee
  • External Infrastructure and web application penetration tests - to simulate hostile attacks over the internet or intranet
  • Wireless penetration tests - to determine the security of WIFI networks
  • Voice communications tests - these can assess if the telephone network is susceptible to attack
  • Mobile devices and application tests and assessment of their build - to ensure they are secure especially in an age of bring your own devices
  • Cloud configuration reviews - to establish if cloud systems are secure


These tests are performed against benchmarks for industry best practises.


A physical penetration test can be conducted with or without a cyber penetration test, if they are in conjunction then the physical part will involve the operators planting various devices such as key loggers and USB sticks inside the building.


Red teaming, Blue Teaming, Purple Teaming and Black Teaming


Red teaming is an objective led penetration test typically scoped to obtain data or to gain access to sensitive areas or networks. A Blue team is a team who react to the red team and try to prevent the attack. A purple team is where the two teams work together either in conjunction or by sharing information after the test.

A Black team is a phase used to describe a physical penetration test.

What happens when the testers gain access to the building?

Once the testers have identified the pattern of life of the building, business, staff and contractors the physical attack phase will commence. The testers aim is to gain entry under a pretext, SE or covertly and to blend in. They may have been tasked to access certain rooms or areas such as the data centre, to photograph unlocked workstations assessing staff security awareness, to acquire or photograph sensitive documents or in some rare instances to cause disruption inside to see how the staff and security team deal with it. The majority of clients require a soft approach and wish to see how easy it is to tailgate employees in to access controlled areas and to extract themselves with company information without being detected. On some occasions the client requires a Covert Methods of Entry (CMOE) attack which will utilise qualified lock pickers to test the physical aspects of the building’s security.

What are the benefits of this type of test?

The test is not purely to see how far the testers can penetrate, the report and recommendations provided to the client at the end of the test will examine the feasibility of a hostile attacker conducting each breach the team have identified. It will score the impact to the business against a risk matrix. A report will be provided that will make recommendations proportionate to the likelihood of attack at each stage. The end result is that your building will be more secure and less likely to receive a security breech or physical attack and as the implementor you will be able to take the credit for improving the buildings security plan and potentially adding to or improving security policy.

What is the most common vulnerability that you find?

The most consistent vulnerability that we find is the human factor, staff members who are too keen to help or provide information without being aware of the security implications of their actions. Sometimes corner cutting is an issue, and very often we find that people are not sufficiently invested in the security of the building to have the confidence to challenge people who are not supposed to be there. We can assist with this by returning with our evidence and in a friendly way explain to staff why they must take security seriously, what the consequences can be if they don’t and train them in a workshop focused on improving security procedures to be comfortable to challenge people who they do not recognise or who are not wearing the correct Identification.

For more information about Physical Penetration Tests please contact us:



A Day in the Life of a Commercial Surveillance Operation


Part 2 The Follow


Our former blog post A Day in the Life of a Commercial Surveillance Operation Part 1 talks about some of the things that we take in to account before commencing a Surveillance Operation. This post focuses on some of our techniques and dilemmas during the actual follow, things that can go wrong and some of our operating procedures that can attribute to a successful follow.


One of the main principles of covert surveillance is flexibility, even after all of the necessary due diligence, preparation and OSINT has taken place we never presume the subject will do what we are expecting, and we are prepared for anything to happen.


For the purposes of simplifying this blog post I am describing details of a fictitious corporate surveillance operation, the operational objectives are; see who the subject meets when out of his home and office environments and to identify any financial transactions that he makes.


At 0800 hrs the subject exits his home address, he boards a chauffeur driven private vehicle which has been positioned outside his address for the last 30 minutes. The driver takes a logical route to the subject’s office address in Knightsbridge. The subject (S1) enters the office address.  Later at 1240 hrs S1 exits the address on foot, he walks a 5-minute route East to Hyde Park Corner where he boards an eastbound Piccadilly line underground train and exits at Green Park, he then walks for 5 minutes and arrives at a well-known restaurant in Mayfair at 1300 hrs.  He enters alone and joins a male already sat at a table inside. The two men eat a two-course lunch and are in conversation throughout. At the end of the meal S1 and the male exit together and S1 hails a taxi from the street outside the restaurant, the male then walks away to the East. S1 travels directly back to his office where he is seen entering, he remains there until 1800 hrs when he exits he boards the mornings chauffeur driven vehicle and returns directly to his address.


In this instance the operation would begin before the subject is expected to leave home in the morning. Operators would ideally be positioned with a view of the building exits or if that is not possible on the areas around them. What is common is that there will be a period of waiting around followed by a period of intense activity.


When the subject emerges, it may be a dynamic decision whether to follow by car or by foot, depending on what the subject does. Operators will be preparing to move, obtaining imagery, checking radio connectivity, and getting in to positions to allow them the correct time and distance behind the subject.


For the purposes of this fictitious operation we have 3 vehicles and an additional 2 people on foot. One dilemma in the world of commercial surveillance is that generally operators will be in their own vehicles, this means that when they are crewed with another person unless they want to trust that person to drive their vehicle and they have the correct insurance the team is limited with the amount of people free for the foot parts of a follow this is especially relevant in central London where parking is restricted.  Depending on the client’s budget, and for overseas work hire cars may be used which allows a lot more flexibility, team members can rotate between driving and foot work therefore limiting the consecutive period of time on foot directly behind the subject and reducing the chance of exposure.  On smaller operations there may only be 1-2 people who can follow the subject on foot, many operations are at least 12-hour days and changes of appearance are frequently adopted.


Changes of appearance might include use of wigs, hats and even whole outfit changes right down to shoes. Props can be vital, it is important for operators to look like they belong in the area of operation, some of the cover identities that we have used include bringing prams, dogs, acting as homeless people, joggers, workmen, posing as researchers with clipboards. Even something as simple as wearing a fictitious name badge can give an operator validity for sitting on a bench as if they are on a lunchbreak. The important thing is to blend in and not stand out in any way, this includes interacting with the surroundings, for example if an operator is following a subject around a shop they will put things in a basket. They have to act like they normally would as a member of the public.


It is important to remember that it is fine to be seen by the subject of surveillance but not to be noticed. In everyday life whilst walking around a town centre it would not be unusual to see the same person more than once, however when moving from one area to another is when a change in appearance becomes necessary, if an operator is noticed in two totally different locations that is when a compromise could occur.


In this fictitious operation we will assume our subject was driven to work by a regularly used driver, many drivers come from a former police or military background and it is worth considering that they may have good awareness levels and may have even received anti or counter surveillance awareness training.  We would try and gauge how aware the driver is, assessing if they check their mirrors regularly and what are they doing when they are parked up outside the client’s address.


As we would probably know the subjects work location the first part of the follow would not be too difficult, a temporary loss due to traffic would be easily regained if the first vehicle had an idea of what the subject’s logical route would be. If team numbers allow we would generally send one member ahead to the venue that we expect the subject to travel to.


When the subject reaches the work venue the operators would be trying to confirm visual identification of him entering the location, this may be possible from vehicles or some operators may have to transition to foot to establish the subject has entered the expected building. At this stage the team will revert back to their earlier positions and apply them to the new venue.


At lunchtime when the subject re-emerges, the 5-minute walk to the tube station is covered mostly by foot operators but with support from the vehicles when they are able to get ahead to salient points. The vehicle drivers are unlikely to be able to park close enough to join the tube follow it will generally be the foot operators who will follow the subject on the tube and they will hopefully be able to communicate their progress with the vehicles if they can access wifi at stations along their route. A future post will describe how to follow a subject of surveillance on the underground.


In this instance we have a very simple follow and our subject only boards one tube without multiple line changes, he exits at Green Park and walks to a restaurant in Mayfair.


In this scenario we did not have any intelligence to indicate that our subject was going to this particular restaurant and his pattern of life did not show it to be a regular spot therefore we were unable to get any operators inside before his arrival, as our objective is to see whom the subject comes in to contact with sending operators inside is imperative. A common dilemma is whether to send one or two people in to a restaurant, two especially a man and a woman is very natural and unlikely to threaten the subject however one well-placed operator can sit naturally on their own without the need to talk to anyone and therefore is more likely to gain intelligence regarding any conversations that they are close enough to overhear.


In this case we would initially send one operator inside to secure a table, that will give us the flexibility of sending another to join them or if they have been unable to obtain a table close enough it is possible that a second operator or even a small group might manage to acquire a better position. Quite frequently especially if imagery is required operatives will have to orchestrate a way to get a table close to the subject without raising suspicion. If covering a meeting is the main objective it would not be uncommon to send most of the team into the restaurant until someone manages to get located in the spot that they need to be in.


Once inside again it is important to blend in, many corporate cases will result in being in very good and popular restaurants, hotels and locations. If it is not their normal habitat operators need to become comfortable with being in these establishments. If a recce can be carried out beforehand it is always beneficial but quite often operators will walk blindly into a venue and have to look and act like they belong there. When we conduct training exercises, we familiarise ourselves with the best hotels and restaurants which make belonging at a later date much easier.


In this instance our operator is able to identify whom the subject meets and gain imagery of the meeting without any collateral intrusion of other diners. She is able to send a photo to our ops room who then contact the client to gauge the importance of the contact. A question we would be asking the client at this point is if they believe the contact is relevant to the operation, if for example in corporate espionage cases we suspect material may have been handed over the operation could switch to the new subject.  In this instance the new contact is known to the client and we remain with our initial subject.  Our operator feels secure and the subject has not taken any notice of her so she remains for the duration and holds her position until the meeting is over and the subject has left the restaurant. She will be paying attention to things such as who is leading the conversation, who makes the payment and how they pay and the body language between the two men.


There are no set rules when covering meetings, as with Close Protection it is always a good idea to be a course ahead, this means that if necessary operators can linger over coffee or leave ahead if they are part of a particularly small team and will be required to then change their appearance, get back in a vehicle and join the follow away from the meeting venue. This of course has to be weighed up against missing something vital at the end of the meeting or walking out of the restaurant too closely behind the subject and raising suspicion, especially if it is a case where counter surveillance could be in play.  One of the main mitigators of risk here and standard operating procedure is to maintain coverage outside the restaurant/meeting place by another team member who will be communicating with the inside team, they will be positioned to follow the subject immediately away from the venue and will be able to let the inside team know that it is clear to exit. Clear commentary and location information is then required to enable the following operators to catch up with the ensuing foot or vehicle move.


In our scenario the subject hails a cab outside the restaurant, our vehicles now come in to play. As we have successfully fulfilled our main objective and only have 3 vehicles we are not going to take any risks and want to remain with our new vehicle (the taxi) as we do not know where it will go. We do not want a vehicle to delay in following and become unable to catch up, nor do we want to risk our subject seeing our restaurant operator boarding our vehicles so in this instance we would leave our operator to exit from the restaurant once we have cleared the area, she would then catch when possible.


There will always be factors that cause problems during a surveillance follow, a common one especially in central London is traffic, one set of red lights can result in half of the team being completely unable to remain with the follow unless the subject makes a stop, this is where knowing the Pattern of Life (POL) of the subject may help as the team will have an idea of what sort of places are worth searching as a priority.


It is not uncommon to lose a subject especially if operating in a particularly busy area or just down to sheer bad luck, assuming anti surveillance is not being used good methodology when dealing with a loss is to think of how far in a logical route from where you last saw them can your subject possibly have gone. Travel to that point first and work your way backwards. This works particularly well if on foot but can also be used in some mobile instances especially if in a reasonably well contained area.


Communications can cause problems, we would always plan to send a team out with radios using our own frequency but every now and again a fast ball operation will require the team to travel immediately to a job and they will rely on an phone based radio app to communicate until the radios can be delivered. Even the best radios have problems such as black spots, and picking up unwanted frequencies on the underground and busses can cause difficulties. In the commercial world live locations are often used to keep track of where team members are.


Compromises are extremely rare but operators should always have a cover story ready to deploy to explain why they have been in the same area for a sustained period. It is also vital that operators are honest with their other team members if they suspect they have attracted any third-party interest, this might result in the team leader altering the team positions or covering the main egress points in a slightly different way.


For the sake of our blog this has turned out to be a simple day, our subject is picked up by his regular driver and returned to his home address. Generally, the team will be booked for either a set 10 or 12-hour day and our team leader will contact the client to ask if they would like us to remain in position for any evening movement or to cease at the agreed time.


A later blog A day in the life of a Commercial Surveillance Operation Part 3 will cover vital equipment that our operators need, and what considerations operators need to be aware of at the end of an operation.


If you would like any further information regarding corporate surveillance, matrimonial surveillance, protective surveillance, anti and counter surveillance, physical penetration testing or black teaming, TSCM bug sweeps, close protection or staff security awareness training please contact us:


Email -

Web –

Phone - 0203 897 22 72












Surveillance Canary Wharf


Part One – The Start


Operating in the commercial world where the subject of surveillance is often related to matters such as civil litigation, problematic business deals, or a corporate investigation is very different from operating as part of a government, police or military team where the aim is likely to be related to counter terrorism or serious crime and the resources and team sizes considerably larger.


Although over the last few years Sloane Risk Group have been involved in some very in-depth and lengthy operations crossing more than one continent, the majority of our corporate investigations last from a matter of days to a few weeks.


Many clients come to us with corporate fraud problems where they are trying to trace a business debtor or someone who has cheated them financially. Sometimes the amount at stake is big enough to justify a large surveillance team however more often than not the client’s budget is a considerable restraint to the hours that can be spent on the surveillance part of an operation and dictates the size of the team.


A Surveillance team in these situations will often be formed of 4-6 operators. We have a duty of care to our operators as well as an aim to achieve results for our clients, we are therefore very unlikely to send out a single operator, firstly for their own health and safety and secondly because it severely limits what can be achieved. If one person is in a car and the subject exits a location and boards the underground the operator has a dilemma of being able to park for the necessary time period and still keep visual contact with the subject, if the operator is on foot it is just as likely that the person will move by car or taxi. If two operators are in one vehicle there is one that can jump out quickly and follow a subject in to shops, restaurants and on public transport therefore reducing the chances of a loss.


Before we agree to undertake an operation, we will determine if we have ground for surveillance, we will complete a data protection impact assessment (DPIA) and ensure that all information we collect complies with GDPR. We will ensure that all, of our operators are up to date with their Information Commissioners Office (ICO) registrations and their necessary insurances and qualifications are in date. We will also only undertake an operation if we are satisfied that the client has a legitimate interest and both parties are happy with the set objectives.


We always try to determine the subjects pattern of life (POL) before an investigation takes place, this will enable us to identify when the subject is active, how they move around, the type of vehicle they drive or are driven in, where it is parked and if their immediate route from their home or office takes them through multiple traffic light controlled junctions.  We can then choose the hours of operation and the composition of our team carefully, for instance deciding how many operators we need to cover the exits that the subject may take, what sort of vehicles we need to use, if we need to use motorbikes, if more men or women on the team will be beneficial, and how they should dress to blend in to the subjects surroundings. Quite often this pre-planning will include in-depth Open Source Intelligence (OSINT) techniques, the most basic searches being related to mapping of the subject’s address, information from their social media interactions, their interests and the people and places that they visit.


On the day that surveillance commences we have to take in to account where we will be positioned to gain visual identification of our subject and then to follow them, we have to consider restrictions such as red routes and areas where traffic will build up causing large vehicles to block the view that we need. Our Operators could be in the same spot for many hours and they need to fit in to that location, to build a cover story, to be aware of attracting any 3rd party interest around them and to rotate the position between the team if necessary. This part of the job is for some the hardest, the operators need to remain alert and not become distracted whilst being ready to respond quickly at a moments notice.


When the subject is sighted the operator needs to remain calm, even the most experienced officers still get an adrenaline spike when a long awaited subject appears, it is vital for operators to control their actions, relay clear and concise information via the radio to the rest of the team, gain imagery of the subject and retain as much detail as possible, in a small team it may also be necessary to take notes for the operational log.


Once the subject starts to move the operators need to maintain excellent judgement and timing. If operating in Central London the team will need to remain very close to the subject as if they are held at one set of red lights they could suffer a loss and that could be the end of the follow. At the same time, they cannot be too close as they will risk compromising themselves especially if the subject is surveillance aware. It is very important that our clients are honest with us if they know the subject has been under surveillance before as this may have an impact on the subject’s awareness levels and may require a larger team and more frequent rotations.


We will consider using tracking devices to support an operation, our lead investigators are members of the Association of British Investigators (ABI) who strive to maintain high standards in an unregulated industry, they approve of tracking devices being used in support of an operation which we agree with as it makes the follow much safer for the operators who will not be tempted to violate traffic regulations or risk themselves to maintain control of the subject. Tracking devices are however only an aid, operators still need to have an excellent knowledge of the area in which they are operating, if the tracking device is slow to relay the location which is common the operators need to be able to respond to commentary from a callsign who will gain control of the subject, this commentary will state information such as where exactly where the subject is, what they are doing, how far from traffic lights, what lane they are in, what general direction they are heading in and any other information that will help the rest of the team maintain suitable timing and distance from the subject. If an operator knows the road names and the area, they are far more likely to be able to take alternative routes, get ahead if required and maintain the correct place in the follow.  In an ideal world operators would be two up in a vehicle, this enables the passenger to direct the driver and someone is always ready for the foot moves however with a small team this is not always possible and it is quite normal for operators to have to navigate themselves, know where the subject is, give commentary and drive safely. This sort of ability takes years of training and experience and knowing the area of operations is a massive advantage. We frequently run training exercises to enable our operators to keep their skills up to date, test new equipment and to help integrate newer team members.


Further blogs will cover part 2 of a Surveillance operation “The follow” and part 3 “The end of the operation”


If you would like any further information regarding corporate surveillance, matrimonial surveillance, protective surveillance, anti and counter surveillance, physical penetration testing or black teaming, TSCM bug sweeps, close protection or staff security awareness training please contact us:


Email -

Web –

Phone - 0203 897 22 72



A member of our team was recently involved in recovering two children who were kidnapped by their father and taken to the ISIS front line in Syria. The amazing mission to reunite them with their mother was organised by Clive Stafford Smith, legal director of Reprieve and funded by Roger Waters of Pink Floyd.


Read the Telegraph article