AsymmetricIntelligence A public intelligence commons
Monitors European Strategic Autonomy Methodology

Methodology -- European Geopolitical & Hybrid Threat Monitor

Source hierarchy, four-actor framework, attribution confidence standards, and analytical dimensions for the European Geopolitical & Hybrid Threat Monitor (EGHTM).

Last updated: View live dashboard →

Methodology

Source hierarchy, four-actor framework, attribution confidence standards, and analytical dimensions. Coverage period: Q1 2026. Updated weekly, Wednesday 20:00 Gibraltar time.

01 · Editorial Standards

Editor & Publisher

Peter Howitt · asym-intel.info · Gibraltar

Peter Howitt is the editor of the European Geopolitical & Hybrid Threat Monitor — Asymmetric Intelligence, published at asym-intel.info. He writes and advises on geopolitical strategy, hybrid warfare, intelligence operations, and European strategic autonomy. Based in Gibraltar.

Inclusion Standard

An item is included in any analytical dimension if and only if: (1) it is new within the 7-day window or materially updates a tracked trend; (2) a senior policymaker, intelligence professional, or strategic analyst in the target audience would need to know about it; (3) it carries a primary or Tier 1–3 source link; and (4) it is not duplicated by another item in the same reporting period. There are no arbitrary item caps. If a threat dimension yields six signal-quality incidents in a week, all six are documented.

Separation of Fact and Assessment

Factual reporting (what was observed, documented, or officially attributed) is always distinguished from analytical assessment (what the pattern implies, what the risk trajectory suggests). Attribution confidence labels — Possible, Probable, Confirmed — are applied to every claim involving actor attribution. Assessment language is explicit: phrases such as “assessed as,” “probable indication of,” or “consistent with documented doctrine” flag the analytical layer. Claims lacking a source chain are not published.

02 · Source Hierarchy

Five-Tier Intelligence Source Standard

Each tier represents a distinct analytical lens

The EGHTM operates a five-tier source hierarchy. Cross-referencing across tiers is standard practice: it exposes attribution gaps where institutional findings diverge from investigative ground truth. Where such gaps exist — for example, when investigative outlets name a perpetrator months before institutional bodies issue formal attribution — the gap itself is documented and analysed.

TierCategoryNamed SourcesRule
T1Institutional & DiplomaticEEAS 4th FIMI Threat Report; NATO StratCom CoE Attribution Framework (IIAF); ENISA Threat Landscape; EU Hybrid Fusion Cell; European Commission policy documents; official national security assessmentsAlways use. Link directly to primary institutional source. Never cite press coverage of a document when the document itself is available.
T2Real-Time Threat DataACLED Conflict Index; GDELT Analysis Service; EEAS FIMI Explorer (interactive incident dashboard); Ukrainian General Staff daily loss data; OSC/FBIS monitoring servicesUse when no Tier 1 document covers the specific incident or metric. Cross-reference against T1 where possible.
T3Investigative & ForensicVsquare; Lighthouse Reports; Bellingcat; Politico (EU edition); Byline Times; IJ4EU; Mediapart; EUvsDisinfo; DFRLab; OCCRPPrimary use for incident attribution ahead of institutional acknowledgement. Attribution lag between T3 findings and T1 formal attribution is itself tracked as a methodological signal.
T4Infrastructure & TechnicalNetBlocks Europe (internet disruption); MarineTraffic Baltic Sea monitoring; Mandiant M-Trends; CrowdStrike Global Threat Report; Shodan; national CERTsUse for cyber, infrastructure sabotage, and technical attribution. Combined with T3 for full incident picture.
T5Strategic Defence ResearchHybrid CoE (Helsinki); RUSI; DGAP; ECFR; IISS; Chatham House; Carnegie Europe; CIDOB (Barcelona); SWP; RAND EuropeUsed for strategic framing, trend interpretation, and doctrine analysis. Named as T5 in citations. Not used as primary attribution for specific incidents.

Attribution lag as a signal: Where Tier 3 investigative outlets have identified incidents or named perpetrators that Tier 1 institutional bodies have not yet formally acknowledged, the gap is documented explicitly. This pattern — illustrated by the GRU Parcel Bomb Network (Vsquare named GRU in September 2025; Eurojust confirmed publicly March 2026, approximately 18 months after the incidents) — reveals the political and evidentiary thresholds that delay official attribution. Both the investigative finding and the institutional silence are part of the analytical record.

03 · Four-Actor Framework

Methodological Differentiator

Expanding beyond the EEAS two-actor ceiling

The EEAS Foreign Information Manipulation and Interference (FIMI) framework — as operationalised in successive annual threat reports and the FIMI Explorer incident database — formally tracks Russia and China only. This constraint is institutional and political, not analytical. It reflects the diplomatic parameters under which the EEAS operates, not the actual threat landscape facing European democratic institutions.

The EGHTM explicitly monitors FIMI and hybrid operations across four state actors. CIDOB (Barcelona Centre for International Affairs) has formally identified the EU’s two-actor limitation as a critical analytical gap in published research. This monitor operationalises the correction.

RU · Russia

Russian Federation Primary FIMI actor. GRU, FSB, SVR active operations. Active kinetic and hybrid war in Ukraine. 540 EEAS-documented incidents (4th Annual Report, Q1 2026). Full T1 institutional coverage.

CN · China

People’s Republic of China EEAS-tracked. CRI network amplification, influencer laundering, state media penetration. ECFR “Borrowed Mouths” report documents five core techniques. Growing European infrastructure investment leverage.

US · United States

United States of America Not tracked by EEAS. US NSS contains explicit interference doctrine. 2025–26 conduct includes: tariff coercion tied to regulatory compliance, Vance threats to NATO support over DSA enforcement, Big Tech allied with far-right MEPs, 66 multilateral withdrawals. Documented from Carnegie, ECFR, CIDOB, and national intelligence.

IL · Israel

State of Israel Not tracked by EEAS. Hasbara operations documented at $725M annual budget. Black Cube election interference operations documented. ELNET institutional lobbying network in EU. Operations documented from IJ4EU, Mediapart, DW Fact Check, and OCCRP investigations.

Scope Boundary

This monitor covers European-theatre operations by these four actors: interference in EU member state democratic processes, hybrid attacks on EU/NATO infrastructure, legislative and regulatory capture, economic coercion affecting European strategic autonomy, and narrative operations targeting European public opinion. For global FIMI campaign attribution across all six actors (including Iran and Gulf states), actor doctrine, commercial cognitive warfare operators, and cross-jurisdictional platform responses, see the Global FIMI & Cognitive Warfare Monitor — the dedicated hub monitor for FIMI intelligence across the asym-intel.info suite.

04 · Analytical Dimensions

Dashboard Sections & Analytical Scope

What this monitor tracks

  • S.01 Ukraine War Situation Front-line status, Russian military losses (Ukrainian General Staff primary source, cross-referenced ACLED), ceasefire framework tracking, NATO posture, nuclear doctrine signals. The Trump-Witkoff settlement framework is tracked as a European strategic risk event.

  • S.02 FIMI Incident Tracking Cross-referenced to the EEAS 540-incident framework but expanded to cover all four actors. Each incident carries attribution confidence label and source tier. Incidents where T3 attribution precedes T1 formal acknowledgement are explicitly flagged.

  • S.03 Election Threat Assessment Per-country risk ratings for EU member states with scheduled elections. Vectors assessed: FIMI operations, infrastructure attacks, financial flows to political actors, algorithmic amplification, and disinformation narrative seeding. Rating: Critical / High / Elevated / Monitored.

  • S.04 State Capture Risk Tracked for six member states at elevated risk: HU (Hungary), GE (Georgia), SK (Slovakia), RS (Serbia), AT (Austria), CY (Cyprus). Dimensions: executive capture, judicial independence erosion, media control, foreign financial dependency, and veto leverage within EU institutions. Scoring model details are not published.

  • S.05 Democratic Health Scoring 1–10 composite score per tracked member state. Drawn from V-Dem, Freedom House, Reporters Without Borders, and Hybrid CoE data, supplemented by original analysis. Scores are directional indicators, not precision measurements.

  • S.06 Network & Infrastructure Analysis Hybrid attack networks: sabotage incidents, arson, subsea cable interference, cyberattacks on critical infrastructure. Baltic Sea monitoring (MarineTraffic). NetBlocks data for internet disruption events. CCD tracker: 151+ Russian-linked hybrid attacks across Europe since February 2022.

  • S.07 EU Legislation Impact Impact scoring of major EU legislation (DSA, DMA, AI Act, NIS2, CER Directive, AI Liability Directive) across all four tracked actors. Assessed: compliance pressure, regulatory capture attempts, lobbying expenditure, and legal challenge vectors.

  • S.08 Lagrange Point Framework Measures European strategic autonomy progress across five policy vectors: defence industrial base, energy independence, digital sovereignty, financial instruments, and diplomatic capability. Progress scored against threshold levels. Detailed weighting methodology is not published.

  • S.09 Weekly Intelligence Brief Top 10 items selected by strategic significance across all dimensions. Ranking is editorial, not algorithmic. Each item carries source tier, attribution confidence (where applicable), and a one-sentence strategic significance statement. Published Sunday 20:00 Gibraltar time.

  • S.10 Strategic Response Tracking EU institutional responses: European Defence Fund allocations, PESCO developments, ReArm Europe mechanism, FIMI Deterrence Playbook implementation, counter-hybrid operations. NATO posture and Article 5 trigger thresholds. Member state defence spending trajectories.

05 · Attribution Confidence

Three-Level Confidence Standard Applied to all actor attribution claims

Every claim involving attribution of an operation, incident, or influence activity to a specific state actor carries an explicit confidence label. Labels reflect the evidentiary basis, not political sensitivity. An operation formally attributed by institutional sources may carry lower confidence than one with strong multi-source forensic documentation if the institutional attribution is itself contested or politically motivated.

POSSIBLE Circumstantial indicators consistent with the actor’s known doctrine, capability, and historical patterns. No direct forensic link. One or more plausible alternative attributions exist. Reported as: “consistent with documented [actor] doctrine” or “assessed as possible [actor] operation.”

PROBABLE Multiple independent indicators converge. T3 forensic investigation and/or T4 technical analysis point to the actor. No formal T1 institutional attribution yet, or formal attribution is pending. Reported as: “probable [actor] attribution” or “assessed as probable.”

CONFIRMED Formal T1 institutional attribution (EEAS, member state intelligence service, court proceeding, official sanctions listing) and/or independently corroborated forensic evidence. Reported as: “confirmed [actor] attribution” or citing the specific institutional finding by name and date.

Attribution labels are reviewed when new evidence emerges. Where a label is upgraded — for example, from Possible to Confirmed following a formal EEAS or Eurojust statement — the original assessment and the upgrading evidence are both retained in the record.

06 · Coverage & Limitations

Coverage Scope

Geographic scope: European Union member states and candidate countries; NATO European members; European Economic Area. Operations by tracked actors that originate externally but target European populations, institutions, or infrastructure.

Temporal scope: Current coverage period is Q1 2026, with contextual references to earlier events where required for pattern analysis. The Ukraine war is tracked from February 2022 as the baseline strategic event. Update cadence is weekly; substantive breaking events trigger immediate annotation.

Actor scope: Russia (RU), China (CN), United States (US), Israel (IL). These four actors are tracked for European-theatre operations. Other actors (Iran, Gulf states, domestic far-right networks) are referenced where they intersect with tracked actors or EU institutions, but are not primary tracking subjects of this monitor. See the Global FIMI & Cognitive Warfare Monitor for full multi-actor coverage.

Stated Limitations

Open-source ceiling: This monitor uses exclusively open-source intelligence. Classified assessments from EU, NATO, or member state intelligence services are not available. Where classified products are referenced in published T1 sources (for example, the EU Hybrid Fusion Cell), the public summary is used.

US and IL attribution gap: Because neither the United States nor Israel is formally tracked by EEAS or equivalent EU bodies, attribution for their operations relies predominantly on T3 investigative journalism and T5 strategic research, rather than T1 institutional sources. This asymmetry is disclosed where it affects confidence levels.

Real-time data latency: The dashboard reflects the state of open-source data as of the most recent Sunday update cycle. Rapidly developing events (breaking military actions, major cyberattacks, election night interference incidents) may not be fully integrated until the following weekly update.

Scoring model opacity: The Democratic Health Score (1–10), Lagrange Point Progress assessments, and State Capture risk ratings are composite editorial judgements drawing on the sources listed. The detailed weighting models are not published in order to prevent gaming. Direction and magnitude of change are more reliable than absolute scores.

What This Monitor Is Not

This is an open-source intelligence synthesis product, not a classified intelligence assessment, academic research output, or legal document. It does not carry the authority of an institutional attribution. Nothing in this monitor should be read as a finding of fact for legal or regulatory purposes. Users seeking institutional-grade attribution should consult the primary T1 sources cited.

09 · Weekly Research Process

The following seven-step sequence is the canonical weekly cycle for the EGHTM. It is documented here so that the monitor is fully reproducible and the analytical chain from raw source to published output is transparent.

Step 1 — Load Baseline Read data/persistent-state.json. Load all current KPI values, active actor campaign states, election risk ratings, state capture scores, and the Lagrange Point progress reading. Every value carries forward unchanged unless new primary-source evidence contradicts it this week. Do not re-derive what is already established.

Step 2 — Actor Scan (RU, CN, US, IL) Run dedicated searches per actor covering: new FIMI incidents, legislative or regulatory interference, hybrid operations, and economic coercion.

Mandatory weekly search strings per actor:

  • RU: EEAS FIMI Explorer, EUvsDisinfo daily digest, Bellingcat, NATO StratCom CoE
  • CN: ECFR China analytical framework, DFRLab, EU–China tracker, Xinhua monitoring
  • US: Carnegie Europe, ECFR, POLITICO Brussels, Eurointelligence
  • IL: IJ4EU, Mediapart, OCCRP, DW Fact Check

Attribution lag check per actor: identify any T3/T4 finding not yet formally acknowledged at T1. Document the gap — the lag itself is an analytical signal tracked in §05 Attribution Confidence.

Step 3 — Dimension Scan Structured search across the ten analytical dimensions in §04:

  • Ukraine war status (ISW, Ukrainian General Staff, ACLED)
  • Elections per country (OSCE/ODIHR, national electoral commissions)
  • State capture (HU, GE, SK, RS, AT, CY) using §04 S.04 named sources
  • EU legislation impact — DSA, DMA, AI Act, NIS2, CER, AILD
  • Network and infrastructure (Baltic Sea MarineTraffic, NetBlocks, CCD tracker)
  • Lagrange Point indicators across five policy vectors

Step 4 — Source Verification and Tier Assignment Each new item is assigned a source tier (T1–T5) per §02 and cross-checked against at least one independent source from a different tier. Attribution confidence labels (Possible/Probable/Confirmed) are applied to every actor attribution claim per §05.

Critical Friction Note triggered where T1 official claims are directly contradicted by T3 or T4 evidence. The gap is documented, not suppressed.

Step 5 — Scoring Update Update KPI values where primary-source evidence justifies change. Run Lagrange Point scoring across all five policy vectors. Update Democratic Health scores only where V-Dem, Freedom House, or equivalent primary-source data justifies revision — scores do not drift on the basis of commentary. State capture scores reviewed for HU, GE, SK, RS, AT, CY.

Step 6 — Weekly Intelligence Brief Select up to 10 items by strategic significance. Each item carries: source tier, attribution confidence where applicable, and a one-sentence strategic significance statement. Named reports hyperlinked to primary sources. Items ranked editorially, not algorithmically.

Step 7 — Publication Dashboard updated via git clone/push to static/monitors/european-strategic-autonomy/dashboard.html. Brief published to content/monitors/european-strategic-autonomy/YYYY-MM-DD-weekly-brief.md. JSON pipeline updated: report-latest.json, dated archive copy, archive.json (append), persistent-state.json (carry forward + update). All four JSON files committed in the same git push as the dashboard.

08 · Companion Monitors

Asymmetric Intelligence Monitor Suite Cross-linked analytical coverage

The EGHTM is one of four monitors published under the Asymmetric Intelligence brand at asym-intel.info. Each monitor covers a distinct analytical domain; they cross-link where coverage intersects.

Hub Monitor Global FIMI & Cognitive Warfare Monitor Full actor attribution, campaign tracking, platform regulatory responses, and doctrinal frameworks — covering Russia, China, Iran, Gulf states, United States, and Israel globally. The dedicated hub for FIMI intelligence across the suite. This monitor’s FIMI material cross-links here for depth. AI Governance Monitor AI Frontier Monitor AI regulation, model frontier, military AI, investment, and governance — global weekly intelligence synthesis. Covers EU AI Act implementation, US–China AI competition, and AI in FIMI operations. Three-tier source standard. Democratic Integrity Monitor World Democracy Monitor Democratic backsliding, rule of law trajectories, and institutional resilience globally. Provides the comparative democratic health baseline against which EGHTM state capture risk assessments are calibrated. Macro Monitor Geopolitical Macro Monitor Economic coercion instruments, sanctions architecture, trade dependencies, and financial warfare. Provides the economic sovereignty dimension that complements EGHTM’s Lagrange Point strategic autonomy tracking.

10 · Persistent Data

The dashboard maintains the following state week-to-week:

  • KPI values — threat actor counts, FIMI incident totals, states at capture risk, elections under threat, and EU legislation targeted carry forward and are updated only when primary-source evidence supports revision.
  • Timeline events — cumulative. New entries are appended; historical entries are not revised retrospectively except for source corrections.
  • Actor profiles — RU, CN, US, IL — persist with rolling updates. Attribution confidence labels are revised upward only when corroborating Tier 1–2 sources emerge.
  • Weekly Brief — published to asym-intel.info/monitors/european-strategic-autonomy/ each Wednesday. Full archive of all published briefs available at that URL.
  • Dashboard version — sidebar footer version string (OSINT v1.x) is incremented only on structural methodology changes, not weekly content updates.