The detection window is 90 seconds. Most systems aren't designed around that constraint.
If you're building or running a security operation, the scenario worth war-gaming is this: a person realizes they're being followed. They have roughly 90 seconds of high-signal behavioral data before the situation either de-escalates or hardens into something that requires a physical response. Your system — whether that's dispatch software, a guard deployment workflow, or a close-protection protocol — either has a response path for that window or it doesn't.
Most don't. This post is about what that response path should look like, what the detection logic actually is, and where professional escalation fits in the decision tree.
The 4 S's: a simple pattern-match model
The surveillance detection framework that close-protection professionals use reduces to four signals. Practitioners call them the 4 S's: same face, same direction, shortened gap, sudden stop.
The threshold is deliberately low:
- Same person at 2 locations within 3–4 blocks = coincidence
- Same person at 3 locations = pattern, behavior change warranted
Secondary signals that strengthen the pattern:
- Pedestrian slows when subject slows, with no natural cause
- Phone-check behavior with no actual screen interaction
- Street-crossing that mirrors the subject's crossing simultaneously
- A vehicle that re-parks progressively closer over multiple passes
The key design principle here: you don't need certainty to trigger a response. Suspicion is a valid input state. If you're building escalation logic into an ops workflow, that matters — a confidence threshold set too high means the window closes before anything fires.
The decision tree for the first 90 seconds
Once the pattern registers, the response protocol has four branches that run roughly in parallel:
1. Direction change test
The subject reverses direction. A random pedestrian barely reacts. A tail has to make an observable adjustment or abort. This is essentially a cheap false-positive filter — it costs the subject 10 seconds and generates high-quality signal.
2. Enter a lit, staffed space
A 24-hour pharmacy, hotel lobby, or staffed petrol station creates witnesses and forces a binary decision for the tail: enter and expose, or break off. The anti-pattern here is important: alleys, empty car parks, stairwells. Any space that reduces witness density is the wrong move.
3. Announce location out loud on a live call
"I'm at Fifth and Oak heading toward the Marriott on 6th." This is deterrent communication, not just contact. The subject's location is now in a third party's memory and audibly known to anyone within earshot. For operators: this is the manual version of what a real-time location-sharing handshake does automatically in a well-designed mobile safety app.
4. Activate emergency resources
Emergency SOS or a direct services call. In most jurisdictions, calling while believing you are being stalked is the correct and expected use of emergency lines. The failure mode is hesitation, not false alarm.
Pro tip: The question that kills response time in this moment is "Will I feel embarrassed if this turns out to be nothing?" Build that out of your protocols explicitly. Preparation for a non-event costs nothing. A missed escalation window is not recoverable.
Escalation thresholds: single incident vs. pattern
Escalate to emergency services immediately if:
- The tail closes the gap and a public space is not reachable
- Physical contact or verbal threat occurs
- A vehicle blocks egress
Escalate to professional close-protection if:
- Two or more incidents within a 30-day window
- The subject is a targeted individual — high-profile profession, active restraining order, documented dispute with a known actor
- The subject moves alone on predictable late-night routes regularly
One incident doesn't automatically require a standing detail. Two incidents inside a month warrants a formal threat assessment. That's the threshold. Build it into your intake logic.
What advance work actually looks like as a system
Close-protection isn't a large person walking behind someone. A trained officer runs advance route analysis before any movement happens. That means:
- Identifying chokepoints and camera blind spots on every regular route
- Logging emergency exit options and staffed spaces at 2-minute intervals along the route
- Flagging vehicle intercept risk points
- Verifying transport providers in the operating city
On the night of an incident, that analysis is already complete and queryable. The officer knows the side street between the subject's office and their car park has 47 meters of no-camera coverage. They know the hotel on the corner has two exits. That is not available to someone who booked a guard an hour before departure — it requires advance planning and route intelligence gathered before the threat window opens.
For operators building dispatch or assignment systems: the advance file is the artifact that makes a close-protection deployment meaningful. A guard without it is reacting. A guard with it is operating.
The practical artifact: pre-mapped safe spaces
The lowest-overhead thing any person can do — and the simplest thing you can build into an onboarding flow for end users — is this:
Map 3 regular late-night routes. For each one, identify the nearest lit, staffed space reachable within 2 minutes. A pharmacy, hotel lobby, staffed petrol station. Write it down or store it.
Most nights that map isn't needed. On the night it is, the decision is pre-made. That's the systems principle: move decisions upstream of the threat window, not into it.
Where XGuard fits in this stack
XGuard operates as a real-time marketplace and dispatch system connecting operators, guards, and close-protection professionals — the infrastructure layer for people who are actually building or running security deployments, not just consuming them. If you're an operator managing guard assignments, building response workflows, or thinking about how advance-route logic integrates with real-time dispatch, XGuard is worth looking at as a platform.
Check out XGuard to see how the marketplace and dispatch layer works for operators in this space.
Originally published at marketplace.xguard.app. This version was adapted for this platform's audience; the canonical original lives at the link above.
Top comments (0)