Operational security (OPSEC) is the process of identifying what information about one’s own capabilities, intentions, and activities could be useful to an adversary, and then taking measures to deny that information. It is the defensive counterpart to intelligence collection: where collection seeks to obtain the adversary’s critical information, OPSEC seeks to protect one’s own. The discipline emerged formally from a Vietnam War–era study codenamed PURPLE DRAGON, which investigated how North Vietnamese forces consistently anticipated U.S. operations despite communications security measures. The study found that the problem was not encrypted communications being broken but unencrypted indicators — logistics patterns, leave cancellations, ammunition movements — that collectively revealed operational intentions to anyone watching.
OPSEC follows a five-step process: identification of critical information (what, if known by the adversary, would compromise the operation), analysis of threats (who is collecting and what are their capabilities), analysis of vulnerabilities (what observable activities or information expose critical information to collection), assessment of risk (which vulnerabilities pose unacceptable risk given the threat), and application of countermeasures (actions to eliminate or reduce vulnerabilities). The process is analytical rather than procedural — it requires thinking like the adversary’s intelligence analyst and asking what picture one’s own activities present to hostile collection disciplines.
OPSEC failures are rarely dramatic. They are cumulative: a unit’s social media posts reveal its location, a procurement pattern reveals its capabilities, a training schedule reveals its readiness. Each piece is individually innocuous; together they constitute a detailed order-of-battle assessment delivered free to the adversary’s analysts. The discipline’s core insight is that information security is not a technical problem solvable by encryption alone but an analytical problem requiring continuous assessment of what one’s own observable behavior reveals. In this sense OPSEC is intelligence analysis turned inward — the same skills used to construct assessments of adversary activity applied reflexively to one’s own.
The concept extends naturally beyond military operations. Any organization with adversaries — which is to say any organization operating in a competitive or contested environment — faces the OPSEC problem of controlling what its observable behavior reveals about its intentions and capabilities. The term has accordingly migrated into corporate security, activist tradecraft, and personal digital security, though the analytical framework remains the one PURPLE DRAGON established: identify what matters, identify who’s watching, identify what they can see, and control the exposure.
Related terms
- Counterintelligence — the broader discipline within which OPSEC operates
- Denial and deception — the offensive complement to OPSEC’s defensive posture
- Indicator — an observable event of the kind OPSEC seeks to suppress
- Collection disciplines — the adversary capabilities OPSEC defends against