Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.

Global Accelerated Learning • Est. 1999
Glossary Term Surveillance Detection

Training Camp • Cybersecurity Glossary

What is Surveillance Detection?

The practice of spotting whether you are being watched or reconnoitered, used in physical security and to flag the recon phase of cyberattacks.

Glossary > Threats, Malware & Attacks > Surveillance Detection

Understanding Surveillance Detection

Surveillance detection is the deliberate effort to identify whether a person, facility, or system is being observed or reconnoitered by an adversary. Drawn from physical security and counterintelligence tradecraft, it focuses on recognizing the reconnaissance phase of an attack so defenders can intervene before a breach is attempted.

In practice it combines observation of the environment with analysis of patterns. Physical surveillance detection looks for repeated presence of the same people or vehicles, individuals loitering near entrances or photographing security measures, and probing of access controls. In the cyber domain, the analogous activity is detecting reconnaissance such as port scans, vulnerability probes, OSINT collection against employees, suspicious badge-tailing, or pretext phone calls. Detection relies on cameras, access logs, network telemetry, and trained personnel who establish a baseline and flag deviations.

This matters because nearly every targeted attack begins with reconnaissance. Catching surveillance early, the first stage of frameworks like the Cyber Kill Chain, lets an organization disrupt an operation while the adversary is still gathering information and has not yet gained access. Ignoring this phase means defenders only react after exploitation, when damage is harder to contain. It is especially important for protecting executives, critical infrastructure, and high-value facilities.

For example, a corporate security team notices the same unfamiliar vehicle parked across from the data-center entrance on several consecutive mornings, with an occupant photographing the loading dock and badge readers. Cross-referencing this with a recent spike in scanning against the company's external VPN portal and a wave of LinkedIn connection requests targeting IT staff, analysts conclude an adversary is conducting combined physical and digital reconnaissance. They tighten access procedures, alert staff to phishing, and engage law enforcement before any intrusion occurs.

Learn More About Surveillance Detection:

Ready to Get Certified?

Turn knowledge into credentials with our instructor-led cybersecurity boot camps.

View All Courses →