The Prologue

Over the past several days, multiple violent incidents reported in the United States have attracted public attention. At first glance, they may seem connected. In some cases, witnesses reported statements referencing religion or ideology. In others, the targets themselves expressed concerns about identity-based violence. However, when analyzed through an investigative and behavioral perspective, these incidents reveal an important insight.

Violence does not develop through a single pathway.

Recent events in San Jose, West Bloomfield, New York, Norfolk, and Austin reveal several distinct patterns that investigators and threat-assessment professionals are increasingly identifying. Understanding these differences is crucial because the indicators that precede violence vary by case.

The San Jose Incident: Escalation in the Moment

Police in San Jose, California, are investigating an assault that took place in the Santana Row shopping district.

According to authorities, three suspects approached two men, and an altercation became physical. The suspects escaped before police arrived, and the victims received treatment at the scene for minor injuries.

The victims reported that antisemitic language was used during the confrontation, which is why investigators are considering the incident a possible hate crime.

At this point, there is no public evidence that the suspects arrived with a premeditated plan to commit violence.

Based on current information, the incident seems to have escalated from a confrontation.

Events like this tend to happen quickly: a verbal exchange turns hostile, group dynamics develop, and physical violence ensues.

The West Bloomfield Incident: Targeted Identity Violence

A very different situation happened at Temple Israel in West Bloomfield, Michigan.

Authorities said that an attacker drove a vehicle into the synagogue and was armed with a gun. Security personnel confronted the suspect, and the incident ended before anyone inside was hurt.

The location itself is important.

When a religious place linked to a specific identity group becomes the target of violence, investigators often look at ideological or identity-based reasons.

Right now, authorities are focusing on the attacker’s target choices and actions, while the broader motivations behind the attack are still being investigated.

Targeted attacks on religious places often come from grievances related to geopolitical conflicts or ideological hatred.
But confirming those reasons needs more investigation.

The New York Incident: Ideological Preparation

In New York City, federal prosecutors state that two Pennsylvania men tried to deploy improvised explosive devices during protests outside Gracie Mansion.

According to the Department of Justice, investigators allege the suspects:

  • obtained materials used to make explosive devices
  • assembled improvised explosives
  • tried to ignite and deploy those devices during a protest

Investigators also reported that the suspects expressed support for ISIS.

This case represents a different kind of threat. It involves planning, gathering materials, and attempting to deploy explosive devices in a crowded area. These elements elevate the incident from a confrontation to a planned violent attack.

The Norfolk, Virginia Incident: Resurfacing Ideological Violence

Another incident occurred on Thursday at Old Dominion University, where a gunman opened fire inside a classroom connected to the university’s ROTC program. Authorities identified the shooter as Mohamed Bailor Jalloh, a former Army National Guard member who had previously been convicted in federal court for attempting to support ISIS militarily. Jalloh had served several years in prison before being released in 2024 under supervised conditions.

According to investigators, Jalloh entered the classroom and opened fire, killing an ROTC instructor and injuring two others before students subdued him on the scene. The FBI stated the incident is being investigated as an act of terrorism.

This event introduces another scenario that investigators must consider.

Unlike attacks that happen suddenly or by individuals who radicalize quickly online, this case involves a person with a documented history of ideological extremism and previous criminal charges related to terrorism.

Events like this pose an additional challenge for investigators and threat-assessment experts: they must determine whether individuals who have previously engaged in extremist acts have truly disengaged from those beliefs or are still vulnerable to radicalization.

Cases involving individuals with a history of radicalization show that the path to violence can take years. Even after incarceration or monitoring, the core grievances or ideological commitments may still endure.

This event adds another scenario that investigators need to consider.

Unlike attacks that happen suddenly or by individuals who radicalize quickly online, this case involves a person with a documented history of ideological extremism and previous criminal charges related to terrorism.
Events like this create an additional challenge for investigators and threat-assessment experts: they must determine whether individuals who have previously engaged in extremist acts have truly disengaged from those beliefs or are still vulnerable to radicalization.

Cases involving individuals with a history of radicalization show that the path to violence can take years. Even after incarceration or monitoring, the core grievances or ideological commitments may still remain.

The Austin Incident: Mass Casualty Environment

Another incident took place on West Sixth Street in Austin, Texas, where a gunman opened fire in a busy nightlife area. Investigators reported that the attacker used firearms in a crowded entertainment district, leading to multiple casualties. Authorities are still investigating the motivations behind the attack. Mass-casualty shootings often happen in environments with large crowds, which increases the potential impact of the attack regardless of the motive.

What These Incidents Have in Common

Although the pathways vary, these incidents share several similarities.

Public Environments

All happened in places meant for open access:

  • shopping districts
  • religious institutions
  • protests
  • entertainment districts

These settings let large crowds gather freely, which, unfortunately, also opens the door for violence.

Small Number of Attackers

None of the incidents involved large, organized networks.

Instead, they involved:

  • individuals
  • lone actors
  • small self-directed groups

This reflects a broader shift in the modern threat environment toward individual or small-cell actors.

Statements Referencing Religion or Ideology

In several incidents, witnesses reported that attackers shouted phrases referencing religion or ideology during the attack.

However, statements made during an incident alone are not enough to establish a link to terrorist groups.

Investigators must verify those statements and determine whether they genuinely reflect ideological motivation or were made in the heat of the moment.

What Must Be Shown to Confirm Radicalization or Terrorism

When investigators assess whether an attack is related to radicalization or a terrorist organization, several key elements must be confirmed.

What Must Be Established to Confirm Radicalization or Terrorism

When investigators determine if an attack is linked to radicalization or a terrorist group, several elements must be confirmed.

These typically include:

Ideological Alignment

Evidence that the suspect embraced extremist ideology through:

  • writings
  • online communications
  • social media activity
  • statements of allegiance

Operational Preparation

Evidence of preparation activity, such as:

  • acquisition of weapons or explosives
  • research into targets
  • surveillance of locations
  • construction of devices

Communication With Extremist Networks

Investigators look for contact with:

  • known extremist groups
  • online radicalization communities
  • individuals encouraging or facilitating violence

Target Selection

The choice of target can also reveal motivation. Attacks on religious institutions, government officials, or symbolic sites may indicate ideological grievance narratives. However, target selection alone is rarely enough to confirm terrorism without additional evidence.

Predictable Patterns

What these incidents ultimately show is that violence and disruption rarely follow a single, predictable pattern.

Some events stem from spontaneous confrontations and quick escalation. Others involve ideological grievances, preparation activities, and deliberate attempts to carry out attacks. In some cases, individuals or small groups also try to create disruption through cyber-enabled actions targeting infrastructure or public systems.

For investigators, security professionals, and threat-assessment teams, the key task is to identify the signs associated with each pathway before an incident occurs.

The following assessment examines how these dynamics apply to the current threat environment, with a special focus on conditions in New York State and the types of physical and cyber risks that organizations and communities should be prepared to address.

Applying the Threat Environment to Real-World Regions

Although the incidents mentioned earlier occurred in different parts of the country, they reveal patterns that investigators and security professionals are increasingly recognizing across many regions of the United States. The risk environment varies by location. Population density, infrastructure, political prominence, and public gathering habits all shape how threats develop in a specific area. New York State exemplifies this complexity clearly. The state includes one of the world’s largest metropolitan areas, essential transportation and financial infrastructure, and densely populated urban regions. At the same time, many parts of the state are made up of smaller cities, rural communities, and critical infrastructure systems that support regional services. Because of these differences, studying New York demonstrates how physical and cyber risks can present themselves differently across urban, suburban, and rural areas.

From Incident Analysis to Risk Assessment

The incidents discussed above illustrate how violence and disruption can arise through various behavioral pathways. Recognizing these patterns is only the initial step.

Security professionals and investigators must also consider how these same pathways might manifest within specific regions, infrastructure systems, and public environments.

The following assessment explores these dynamics using New York State as an example, showing how physical and cyber risks can appear differently in urban, suburban, and rural settings.

New York State – Physical and Cyber Risk Considerations

Recent violent incidents in the United States reveal an evolving threat landscape where attacks can occur through various pathways. Some incidents stem from confrontation and escalation, while others involve ideological grievances, preparation activities, or operational planning.

At the same time, cyber-enabled disruption is increasingly serving as an additional threat vector with real-world consequences, even when executed by small groups or individual actors.

For investigators, security professionals, and threat-assessment teams, understanding how these pathways develop is crucial for identifying opportunities for early intervention.

PGI Protective Intelligence Brief

Pathways to Violence and Disruption
Physical and Cyber Indicators in the Modern Threat Environment

This brief expands on the behavioral framework discussed in this article and outlines indicators associated with physical and cyber threat escalation.

Read the Brief

New York State – Physical and Cyber Risk Considerations

The incidents described above reflect the range of behaviors investigators increasingly encounter across the United States. While the motivations and methods differ, they illustrate how violence can emerge from several distinct pathways rather than a single cause.

In New York State, protective planning must account for both physical security risks and the growing role of cyber-enabled disruption. These threats do not always originate from large organizations or coordinated networks. Increasingly, they involve individuals or small groups acting independently, often influenced by online narratives, geopolitical grievances, or ideological belief systems.

Understanding how these actors move from grievance or belief toward preparation activity remains central to early detection and prevention.

Current Threat Environment

Federal threat assessments continue to emphasize that the United States remains in a heightened threat environment. Recently, there has been an increase in incidents involving individual actors or small groups motivated by extremist beliefs, geopolitical grievances, or online radicalization.

These actors are often autonomous rather than centrally coordinated, and they frequently carry out attacks with little warning.

Recent incidents across multiple states reveal various forms of violence, including:

  • escalation driven by confrontations in public settings
  • targeting based on religious identity
  • attempted attacks motivated by ideology using explosive devices
  • -mass casualty shootings in busy public areas
  • Each pathway shows different indicators and therefore needs different prevention strategies.

Each type shows distinct signs and therefore requires different prevention strategies.

Regional Defensive Priorities in New York

Instead of identifying specific cities as potential targets, defensive planning should focus on regional characteristics and environmental factors that have historically attracted violence or disruption.

New York City Metropolitan Area

The New York City metropolitan region remains the top priority environment for protective awareness because of:

  • high population density
  • international tourism
  • iconic government sites
  • major transportation hubs
  • frequent demonstrations and protests
  • large and visible religious communities

The concentration of symbolic sites and large public gatherings creates environments where attackers might attempt to carry out acts aimed at gaining high visibility or causing mass casualties.

Downstate Suburban Region

The counties surrounding New York City also warrant elevated awareness.

These regions include:

  • large residential populations
  • houses of worship and religious schools
  • public gathering spaces
  • transportation corridors connecting directly to New York City

While these environments may seem less prominent than Manhattan, they contain many similar types of vulnerable public spaces.

Major Upstate Population and Institutional Centers

Upstate cities serving as regional hubs also need attention.

These locations often include:

  • universities and college campuses
  • hospitals and medical institutions
  • government facilities
  • entertainment districts
  • religious communities

These environments regularly host public events and large gatherings, which increases the potential impact of an attack or disruption.

Soft Target Categories Requiring Elevated Awareness

Throughout New York State, certain location types frequently emerge in threat assessments.

Houses of Worship

Religious establishments continue to be among the most common targets in identity-based attacks.

These sites are especially at risk because they are intended to serve as open community spaces.

Protective considerations include:

  • controlled access during services
  • trained safety teams
  • collaboration with local law enforcement
  • clear emergency communication plans

Public Demonstrations and Protests

Public demonstrations draw large crowds in emotionally charged settings.

These gatherings may involve individuals driven by ideological concerns, political messages, or symbolic displays.

Protective planning should account for:

  • crowd density
  • opposition groups
  • symbolic locations
  • limited participant screening

Entertainment and Nightlife Districts

Nightlife areas have unique vulnerability profiles. Open movement, large crowds, and limited access control create environments that can attract attackers aiming for mass-casualty impact.

These environments often include:

  • bars and restaurants
  • music venues
  • pedestrian corridors
  • late-night crowds

College Campuses

Universities combine several risk factors:

  • large gatherings of students
  • protests and demonstrations
  • open campus environments
  • frequent public events

Being aware of behavioral warning signs and escalation cues is especially important in these settings.

Cyber Infrastructure Risk Environment

Beyond physical attacks, the current threat landscape shows an increasing concern about cyber-enabled disruptions. Federal reports indicate that nation-state adversaries and ideologically aligned actors continue to target U.S. networks and critical infrastructure.

Meanwhile, many recent cyber incidents demonstrate that advanced state control isn’t always necessary to cause disruption. State-sponsored campaigns often produce publicly visible tools, methods, or tactics that can later be adopted by sympathizers, loosely connected hacktivist groups, or individual actors. Therefore, cyber-enabled disruption should be viewed as part of the broader threat environment.

Critical Infrastructure Sectors Requiring Attention

Several infrastructure sectors have appeared repeatedly in federal cyber threat reports.

Water and Wastewater Systems

Operational technology in water systems has been targeted through exploiting programmable logic controllers and exposed remote access systems.

These systems are especially vulnerable when remote administration tools are exposed to the internet.

Energy and Utilities

Energy systems remain attractive targets because disruptions can cause cascading effects across communities.

Even minor interference with control systems can lead to noticeable service disruptions.

Food and Agriculture

Food distribution and agricultural infrastructure are also vulnerable due to their importance to regional supply chains.

Disruptions to these systems can result in significant economic and public confidence impacts.

Transportation and Public Infrastructure

Transportation systems, ports, and municipal infrastructure can be attractive targets for actors seeking symbolic disruption or visibility.

Local Government Systems

Municipal governments often operate essential services with smaller cybersecurity budgets and fewer technical resources. Public-facing systems and service portals can serve as entry points for disruptive activities.

Connecting Cyber Activity to Radicalization or Terrorism

When we determine if a cyber incident is linked to extremist ideology or terrorist influence, several elements must typically be confirmed.

Ideological Alignment

Evidence may include:

  • online statements supporting extremist causes
  • writings or manifestos
  • social media communications expressing allegiance

Isolated phrases or symbols alone are rarely sufficient evidence.

Operational Preparation

Preparation activity may include:

  • reconnaissance of networks or infrastructure
  • credential harvesting
  • acquisition of cyber tools
  • staging malware or access pathways

Technical Linkage

We assess whether the actor’s infrastructure or methods are connected to known threat actor groups or extremist networks.

Intent

Determining whether the actor intended to:

  • coerce or intimidate a population
  • advance ideological objectives
  • disrupt essential services
  • create psychological or symbolic impact

helps distinguish terrorism-related activity from cybercrime.

Network Coordination

Evidence of communication with extremist networks, facilitators, or ideological communities may also establish a connection to organized movements.

Behavioral Indicators Relevant to Cyber Threat Activity

The pathway-to-violence framework used in physical threat assessment can also apply to cyber-enabled threats.

Indicators may include:

  • ideological hardening combined with grievance narratives
  • fixation on specific infrastructure or institutions
  • interest in control systems without a legitimate reason
  • collection or sharing of attack instructions
  • movement from rhetoric to technical capability-seeking behavior

The key transition occurs when individuals move from belief to preparation activity.

Recommended Protective Measures

Organizations responsible for critical infrastructure should implement several practical defensive measures.

Technical Hardening

  • reduce exposed remote access services
  • segment operational technology from enterprise networks
  • inventory control systems and unmanaged devices
  • apply current vendor security guidance

Monitoring and Detection

  • monitor unusual access attempts to operational technology
  • flag remote administrative anomalies
  • review third-party access pathways
  • monitor open-source references to infrastructure systems

Intelligence Integration

Cyber indicators should be assessed alongside behavioral and physical signs, rather than viewed as isolated technical incidents.

Crisis Preparedness

Organizations should develop response plans that address potential service disruptions, including communication protocols and continuity-of-operations planning.

Key Operational Insight

Violence and disruption in public spaces are often seen as a single type of threat. However, the causes behind these incidents can vary greatly. Some stem from personal conflicts and quick escalation. Others arise from ideological grievances, radicalization, or intentional operational plans. Increasingly, online-enabled activities also need to be viewed as part of the broader threat environment.

Recognizing these differences helps investigators, security experts, and threat-assessment teams spot warning signs earlier. Detecting these signals sooner allows for more opportunities to intervene before the situation escalates to violence.