Stages of an Attack (Preparation → Execution → Aftermath)
Why Understand the Stages of an Attack?
Security Control Room (SCR) Operators are often the first to detect suspicious behaviour and the last to manage the consequences of an incident. Understanding how attacks typically unfold, from the early preparation stage through execution and into the aftermath, gives you the insight to spot risks early, respond effectively, and protect both people and assets.
Compliance with SIA licencing requirements, ACS best practices, and BSI/NSI operational standards ensures that your decisions are legally sound and professionally delivered. But beyond compliance, it is your awareness and vigilance that make the difference between prevention and reaction.
Stage 1: Preparation
Most attacks, whether they are criminal, violent, or terror-related, begin with planning. Offenders may carry out reconnaissance, test security responses, or exploit weaknesses in systems.
What this looks like in practice:
Individuals loitering near entrances or CCTV blind spots.
Repeated visits at unusual times, often with no clear purpose.
Attempting to tailgate through secure access points.
Unauthorised photography of entrances, exits, or CCTV cameras.
Real-world example: In the run-up to the 2017 London Bridge attack, suspects were seen conducting hostile reconnaissance, driving around the area and assessing possible targets.
Tips for SCR Operators:
Take all suspicious behaviour seriously, even if it seems minor.
Log unusual activity with times, dates, and CCTV evidence.
Share intelligence with supervisors or law enforcement when necessary.
Use BS 7499 and BS 7958 guidance for guarding and CCTV monitoring as best practice references.
Stage 2: Execution
This is when the attack takes place. It may be sudden and violent, or it may start quietly, such as theft or insider threats. During this stage, your calm, accurate, and timely response can save lives and reduce damage.
What this looks like in practice:
Alarms triggering, either from forced entry or fire.
Aggressive or violent behaviour in public or workplace spaces.
Suspicious packages or vehicles left unattended.
Real-time incidents unfolding on CCTV.
Real-world example: During the Manchester Arena bombing in 2017, CCTV and control room staff played a vital role in piecing together events, assisting first responders, and guiding evacuations.
Tips for SCR Operators:
Stay calm and communicate clearly, using recognised emergency protocols.
Prioritise safety first, call emergency services, then escalate internally.
Use plain language, avoiding jargon, to prevent confusion.
Maintain situational awareness, do not fixate on one aspect of the incident.
Compliance reminder: The SIA standards require operators to act proportionately and within the law. Unlawful actions, even during a crisis, can lead to suspension of licences or legal action.
Stage 3: Aftermath
Once an attack has been stopped or subsided, the control room’s role is not over. The aftermath is just as important, involving evidence collection, incident reporting, and supporting recovery.
What this looks like in practice:
Coordinating emergency services access and site lockdowns.
Providing time-stamped CCTV footage as admissible evidence.
Ensuring accurate logs are handed to investigators.
Supporting debriefs and post-incident reviews.
Real-world example: After the 7/7 London bombings, CCTV evidence from buses and train stations became central to investigations. Control room logs and footage provided the timeline that helped identify perpetrators.
Tips for SCR Operators:
Secure all evidence, following NSI codes of practice for chain of custody.
Avoid speculation in reports, keep records factual and detailed.
Take part in post-incident reviews to identify improvements.
Support staff welfare, as aftermath periods can be stressful.
The Role of Intelligence Sharing
Security does not happen in isolation. Control rooms are most effective when they share intelligence with other sites, law enforcement, and stakeholders.
Why it matters:
Many attackers carry out reconnaissance across multiple locations.
Information from one site can help protect another.
Collaborative working supports both compliance and prevention.
Example: Before several UK plots were disrupted, control room staff reported repeated suspicious activity to police. These reports, combined with other intelligence, allowed early intervention.
Tip for Operators: Always escalate suspicious behaviour and follow the chain of communication set out in your site’s procedures. Even minor details may become crucial when combined with other intelligence.
The Importance of Drills and Training
The best way to prepare for real-world incidents is through drills and structured training. The SIA and ACS expect licensed officers to maintain competence through ongoing professional development.
Why drills matter:
They test both people and systems under pressure.
They reveal weaknesses before a real attack occurs.
They build confidence, so actions during an incident are instinctive.
Example: A London-based corporate site ran regular evacuation and lockdown drills. When a genuine fire occurred, operators and staff responded quickly, with clear communication and safe evacuation.
Tip for Operators: Treat every drill as the real thing. The habits you build in training are the ones you will rely on in a crisis.
Consequences of Getting it Wrong
Legal risk: mishandled evidence can be rejected in court.
Professional risk: failure to follow procedures may result in loss of your SIA licence.
Safety risk: poor communication during execution or aftermath can cost lives.
Reputation risk: organisations that mishandle incidents may lose contracts or public trust.
Reflection Scenario
You are monitoring the control room when you notice a person pacing repeatedly outside the building, often stopping to check their phone and glance at the CCTV cameras. Hours later, the fire alarm goes off, and crowds begin to exit.
Would you have logged the suspicious behaviour earlier?
How would you balance the alarm response with monitoring for possible hostile intent?
After the incident, what steps would you take to secure evidence?
Did You Know?
Research shows that most terror attacks involve reconnaissance lasting weeks or months before the execution stage. Vigilant control room staff can often be the first line of defence.
According to the Home Office, more than 90% of major crime investigations in the UK involve CCTV evidence. This highlights why your logging and evidence handling are critical.
Final Reflection: Your Role in Each Stage
Attacks rarely happen out of nowhere, they usually follow the stages of preparation, execution, and aftermath. By recognising early warning signs, responding calmly and lawfully during the event, and securing evidence afterwards, SCR Operators become a critical line of defence. Intelligence sharing and regular training drills make your responses sharper, while following UK compliance standards ensures you remain professional, effective, and trusted at every stage.
