Security operations
Why modern security operations need an operating model that carries context from anticipation through response
An alert rarely answers the first question leadership asks.
For a security analyst, the first notification immediately creates a new set of questions: Is it credible? Does it affect our organization? Who or what may be exposed? How quickly is the situation changing? What should we tell leadership?
That work often happens across separate systems, teams, and communication channels. Finding those answers means moving between alerts, maps, internal records, public sources, messaging platforms, and response procedures to build a usable picture. Every handoff takes time, creates another opportunity for context to be lost, and delays the moment the organization can make a confident decision.
This is the decision gap between awareness and action. It’s the period between knowing something may be happening and understanding enough to make a defensible decision, also known as the messy middle of disruption.
The ADAR framework gives security teams a practical structure for closing that gap: Anticipate. Detect. Analyze. Resolve.
Each stage answers a different operational question:
Anticipate: What could affect us?
Detect: What is happening?
Analyze: What does it mean for our organization?
Resolve: What should we do next?
Together, these stages create a continuous decision cycle that connects early awareness to coordinated action.
The challenge with legacy alerting systems
Cisco’s 2025 Global State of Security report found that 59% of security teams receive too many alerts, 55% deal with too many false positives, and 57% lose valuable investigation time to data management gaps.
Those findings reinforce a familiar reality for most security and safety teams: awareness is rarely the bottleneck. The harder problem is determining which signals matter, understanding how they affect the organization, and turning that understanding into a coordinated response.
These are some of the hidden gaps in traditional security alerting. An alert may tell an analyst that an incident has been reported. It rarely answers the questions that follow:
Is the report credible?
Does it affect our people, facilities, routes, or operations?
Is the situation escalating?
Who needs to know?
What decision is required?
What options are available?
ADAR organizes the workflow around those questions. Information gathered during one stage carries into the next, preserving context and reducing repeated investigation work.
Anticipate: Create options before pressure builds
Anticipation begins before a specific incident requires action.
Security teams need to understand baseline conditions: not only what is emerging, but what is typical for the places they protect.
Is demonstration activity common around this office? Does this transit corridor regularly experience disruption? Are there recurring crime or weather patterns that should influence planning?
Historical context helps teams distinguish expected conditions from unusual ones before pressure begins to build. Relevant conditions may include severe weather, planned demonstrations, geopolitical developments, major public events, public health concerns, or transit or infrastructure issues.
The purpose is to identify relevant exposure and prepare while the organization still has options.
That can involve:
Monitoring emerging and known risks
Producing recurring or event-specific risk briefs
Reviewing exposed people, sites, routes, suppliers, and operations
Establishing thresholds for escalation
Confirming responsibilities and communication channels
Preparing potential response actions in advance
The earliest indications of disruption rarely arrive as a complete incident report. They appear as scattered local reports, policy changes, forecasts, unusual activity, public posts, or operational anomalies.
Anticipation also benefits from understanding what has happened before. Historical risk patterns can reveal recurring demonstration locations, seasonal weather impacts, crime trends, or operational hotspots that help teams prepare before new signals emerge. By combining historical context with emerging activity, organizations begin an incident with a stronger operating picture rather than building one from scratch.
Teams that can connect those signals before they become headlines gain time to review plans, brief stakeholders, confirm dependencies, and reduce exposure.
Consider a planned demonstration near a corporate office. Before the event begins, the security team can assess the location, expected attendance, transportation routes, nearby facilities, employee schedules, and previous activity. It can also establish clear thresholds for advising employees, changing access arrangements, or escalating to leadership.
The team may never need to activate those plans. The preparation still reduces the amount of work required if conditions change.
The Anticipation stage of ADAR creates decision space before urgency starts narrowing it.
Detect: Find the signals worth investigating
Detection begins when a potential risk becomes observable.
The first indication may come from a local social post, an emergency service update, a government warning, a media report, or a cluster of activity across several sources. At this stage, the information may be incomplete, duplicated, contradictory, or wrong.
The information environment is also becoming harder to assess. The World Economic Forum’s Global Risks Report 2026 places misinformation and disinformation among the leading short-term global risks.
For security teams, the challenge lies in deciding when information is credible enough to act on. Waiting for a complete picture can consume the available response window. Escalating weak or misleading information can create unnecessary disruption.
AI-powered risk detection can process large volumes of information, identify patterns, group related reports, remove duplication, and surface anomalies. Then, human verification can add source judgment, situational context, and an appropriate threshold of confidence.
The goal is a credible starting point for analysis, rather than another ambiguous alert notification in the queue.
Analyze: Translate the alert into organizational impact
Analysis connects the external event to the organization’s real-world footprint. This stage should answer questions such as:
Which employees, travellers, facilities, routes, assets, or suppliers are nearby?
How close is the incident, and is it moving?
What has been confirmed?
What remains uncertain?
Which operations could be disrupted?
How much time is available to act?
Who owns the next decision?
Which thresholds have been crossed?
Location is an important part of that assessment. Plotting an incident against facilities, employee locations, traveller itineraries, delivery routes, or critical infrastructure gives teams a faster way to establish exposure.
Analysis also has to continue as the event develops. Early assumptions may become outdated within minutes. New reports can change the assessed severity, direction, timing, or operational impact.
Resolve: Move the decision into the workflow
Resolution is where shared understanding becomes coordinated action.
By this stage, the question is no longer “What is happening?” but “How do we respond consistently and confidently?”
Depending on the incident, that may involve:
Contacting affected employees or travellers
Rerouting people, vehicles, or deliveries
Changing building access
Pausing activity in an exposed area
Escalating to leadership or crisis management
Coordinating with local teams
Sharing instructions through established communication channels
Recording decisions and actions
Monitoring the incident until the risk has passed
A decision loses value if it remains inside a monitoring platform.
Once the appropriate action is clear, the challenge shifts from understanding the incident to coordinating a response. The context built during anticipation, detection, and analysis needs to move with the decision so the right people can act quickly and consistently.
Rather than recreating the incident across emails, chat messages, and leadership updates, connected workflows allow verified information, leadership briefs, and incident updates to flow into the operational tools teams already use.
For example:
“A road closure affecting an executive route can notify the executive protection team in Slack.”
“A severe incident affecting a traveller can automatically escalate to the travel risk team.”
By preserving context throughout the workflow, security teams spend less time repeating the same investigation and more time supporting operational decisions.
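As an added illustration of the Analyze and Resolve stages described above (example code, not samdesk's platform or any customer's configuration), the following Python sketch checks a corroborated, verified incident against asset locations, applies per-asset exposure thresholds of the kind set during the Anticipate stage, and hands one task list per owning team forward with the incident context attached. All asset names, coordinates, team names and thresholds are constructed.

```python
from collections import namedtuple
from math import asin, cos, radians, sin, sqrt
# All names, coordinates and thresholds below are constructed for illustration.
Asset = namedtuple("Asset", "name kind lat lon owner")  # owner: team that owns the next decision
Incident = namedtuple("Incident", "incident_id category lat lon sources verified")
# Escalation thresholds agreed in the Anticipate stage: exposure radius per asset kind (km),
# and the minimum number of independent, de-duplicated reports before a signal is credible.
EXPOSURE_RADIUS_KM = {"facility": 1.0, "traveller": 2.0, "route": 0.5}
MIN_SOURCES = 2

def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle distance (haversine) in kilometres, mean Earth radius 6371 km."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def is_credible(incident):
    """Detect: act only on reports that are corroborated and human-verified."""
    return incident.verified and incident.sources >= MIN_SOURCES

def exposed_assets(incident, assets):
    """Analyze: assets within the exposure radius for their kind, with distance in km."""
    hits = []
    for asset in assets:
        d = distance_km(incident.lat, incident.lon, asset.lat, asset.lon)
        if d <= EXPOSURE_RADIUS_KM[asset.kind]:
            hits.append((asset, round(d, 2)))
    return hits

def route_decisions(incident, assets):
    """Resolve: one task list per owning team, carrying the incident context with it."""
    if not is_credible(incident):
        return {}  # below threshold: keep monitoring, do not escalate
    tasks = {}
    for asset, d in exposed_assets(incident, assets):
        tasks.setdefault(asset.owner, []).append(
            f"{incident.incident_id}: {incident.category} {d} km from {asset.kind} '{asset.name}'")
    return tasks

ASSETS = [
    Asset("HQ", "facility", 51.5000, -0.1100, "facilities-security"),
    Asset("Exec route A", "route", 51.5020, -0.1200, "executive-protection"),
    Asset("J. Doe", "traveller", 51.5300, -0.1200, "travel-risk"),
]
ROAD_CLOSURE = Incident("INC-001", "road closure", 51.5000, -0.1200, 3, True)
UNCONFIRMED = Incident("INC-002", "road closure", 51.5000, -0.1200, 1, False)

if __name__ == "__main__":
    for team, tasks in route_decisions(ROAD_CLOSURE, ASSETS).items():
        print(team, tasks)
```

The traveller 3.3 km away falls outside the 2 km threshold and generates no task, while the single-source, unverified report produces nothing at all, so the two escalation rules are visible in the output.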
Organizations such as Nutrien and DoorDash have used this type of virtual GSOC model to connect verified incidents with mapping, communication, and operational workflows.
From event monitoring to decision support
Modern security operations extend beyond monitoring external events. Teams are expected to determine what is credible, understand how it intersects with the organization, brief stakeholders, and coordinate action while the situation is still developing. The quality of the operation depends on how well those activities connect.
ADAR provides a practical framework for that work.
It helps teams prepare for relevant risks, detect emerging incidents, assess organizational impact, and move decisions into action through one continuous workflow.
The samdesk decision platform supports that operating model by connecting anticipation, detection, analysis, and response into a continuous workflow. Rather than rebuilding context at each stage, teams carry a shared understanding from the first credible signal through to coordinated action.
The result is a shorter path from the first credible signal to the action that protects people and operations. Because awareness doesn’t reduce risk. Better decisions do.