Until recently, twenty-four-hour protective intelligence coverage for a single principal cost somewhere between half a million and several million dollars a year. A dedicated team of human analysts working in shifts. A private security operations center. Custom liaison with law enforcement. Manually pulled OSINT reports compiled into briefs that landed on a CSO’s desk the morning after the night they were written.
It worked. It was also reserved — for the handful of corporate principals whose risk profile and budget could justify it, and for the government agencies that protect heads of state. Fortune 500 disclosures bear this out: top-tier corporate security programs routinely run into the seven figures per principal per year.
Today, the intelligence layer of that program can be assembled on a single machine.
This is not an exaggeration. The combination of large language models, open-source AI agent frameworks, and around-the-clock automation has collapsed the cost of continuous protective intelligence by roughly an order of magnitude — and brought the capability within reach of executives, founders, family offices, and public figures who never had access to it before.
This is the new economics of protection. And the unit of work that made it possible is the AI agent.
The Third-Party Signal Moved Online
The need has not changed. The 1998 U.S. Secret Service Exceptional Case Study Project — the foundational study of every individual who attacked or came close to attacking a prominent American public figure across nearly fifty years — produced a finding that still defines the work: attackers rarely warn their target. They warn third parties. The signal is there; you just have to be present where it appears.
Twenty-eight years later, the third party is the internet. What an attacker once told a roommate they now publish to a username on Reddit. What once required a phone call to an angry uncle now happens on a Substack with twelve subscribers. What was once a confession over a beer is now a 4 a.m. thread on a forum the principal has never heard of.
The signal is no longer scarce. It is abundant. The constraint shifted from “can we get to the third party?” to “can we monitor every third party that matters, continuously, at scale?”
Where Threats Actually Live
Different threat-actor populations cluster on different platforms. A working map of the modern ecosystem:
X (formerly Twitter). Public conversation at scale; the mainstream news cycle. Where coordinated harassment campaigns originate, where grievance accounts surface, where the public framing of a principal is set.
Reddit. Where grievance communities organize. Specific subreddits provide the cultural conditions for fixation; the same threat actor whose name will eventually be in the news was often active across three subreddits for a year before the act.
Substack and Medium. Where ideology gets elaborated. Manifestos no longer require a printing press. A motivated actor can publish a four-thousand-word grievance essay with a subscribe button. Substack is where adherents accumulate and where future attackers source their justifications.
Instagram and YouTube. Where the principal’s life and family are visually exposed and where parasocial fixation builds.
Telegram, 4chan, niche forums. Where the more committed live — lower friction to extremism, lower expectation of moderation, higher tolerance for explicit planning language. Technically harder to monitor; disproportionately rich in signal.
A protective intelligence program does not monitor every platform with equal intensity. It monitors the platforms its specific principal is most likely to be attacked from — and it has to know which those are before the attack, not after.
Why AI Agents — Not “AI”
The arithmetic of modern coverage forces the conclusion. X now processes roughly five hundred million posts per day. Reddit publishes more than eight million comments daily. Substack hosts more than two million active publications. No human analyst — and no human team — can read enough of this to be useful.
But “use AI” is not yet a strategy. A general-purpose chatbot cannot run continuous coverage. A sentiment dashboard cannot read for ECSP-derived behavioral patterns. What protective intelligence needs is a different unit of work: a purpose-built agent that wakes on a schedule, pulls content from a specific platform, classifies it against a specific framework, escalates by a specific protocol, and goes back to sleep — twenty-four hours a day, every day, indefinitely.
Until recently, building such an agent required a substantial in-house engineering team. That changed when the agent-framework ecosystem matured.
Open-source frameworks like OpenClaw and Hermes now provide the harness for custom AI agent builds. They handle the parts of an agent that used to take a full engineering team to assemble — model routing across hundreds of LLMs, scheduled execution via built-in cron, persistent memory with full-text recall across past conversations, deployment to channels like Telegram and Discord and Slack, the spawning of subagents for parallel work, screen capture and vision for agents that need to watch what a human would watch. Hermes, from Nous Research, even includes a self-improving learning loop — the agent refines its own skills from experience. OpenClaw provides the cross-platform assistant chassis. Neither framework is the agent itself. They are the chassis on which a domain-specific agent is built.
This is the unlock. With a modern agent framework, a small protective intelligence firm can construct what previously required a corporate engineering org: a fleet of custom agents, each tuned to a specific platform, a specific risk profile, a specific behavioral framework. The framework collapsed the build cost. The build cost was the barrier. The barrier is gone.
What an Agent Actually Does
A protective intelligence agent runs in three layers, continuously.
Layer 1 — Collection. The agent pulls content from each monitored platform on a schedule. APIs where available (X, Reddit); scrapers, snapshot diffs, and headless browsers where they are not. Sweep cadence is matched to actor velocity — background grievance communities scanned daily, an active Person of Interest revisited every fifteen minutes.
Layer 2 — Prefiltering. Most posts are not about the principal. Most posts about the principal are not threatening. Lightweight classifiers — keyword sweeps, named-entity detection, context windows — discard the obvious noise before any expensive analysis runs.
Layer 3 — Classification and rating. Large language models read the survivors of prefiltering and score them against the ECSP-derived behavioral framework: motivation, fixation, threat communication, research and planning, approach and proximity, capability, destabilizers, persistence. Content earns a rating; actors earn a tier; tier movement triggers escalation.
The architecture is not “one sweep.” It is many sweeps, each tuned to a different surface and a different urgency, running in parallel, twenty-four hours a day, for the price of a modest cloud bill and a single machine.
The Economics
The historical cost of comparable intelligence coverage — a human analyst team capable of monitoring multiple platforms in shifts, with behavioral assessment, escalation protocols, and law enforcement liaison — sat as part of a security program that regularly ran in the high six figures to low seven figures per principal per year. That total cost confined deep protective intelligence to government-protected principals, top-tier corporate executives, and a small number of family offices.
Modern AI-agent architecture changes the math on the intelligence layer specifically. A single custom agent built on an open framework, monitoring multiple platforms continuously, producing classified and escalation-ready output, costs a small fraction of the historical figure to build and a smaller fraction to operate. The principal who could not justify a six-figure intelligence retainer can justify a four-figure one. The CSO who used to choose between physical coverage and digital coverage now has both.
This is not a story about AI replacing analysts. It is a story about AI making protective intelligence at all economically possible for principals who previously had to do without it.
The Human-in-the-Loop Layer
AI does the work of volume. It does not — yet — do the work of judgment.
A protective intelligence agent that escalates without human review will burn out the security team it reports to. False positives are corrosive. The first HIGH alert that turns out to be a misread joke teaches the CSO to discount the next one. By the third, the agent is being ignored. By the tenth, the program is over.
The mature architecture treats AI as a funnel, not a verdict. The agent filters millions of posts down to thousands of flagged items, thousands down to dozens of MEDIUM-or-higher rated incidents, dozens down to the handful that warrant escalation. A human analyst then reads the survivors with context the model cannot have — knowledge of the principal, prior threat history, the geopolitical moment, the gut feel that comes from a thousand previous reads.
This is the hybrid model. AI does ninety-five percent of the noise filtering. The human does the judgment that earns the client’s trust and the law enforcement referral’s credibility.
Pure AI is not protective intelligence. Pure humans cannot keep up. The architecture is both — and that combination is what the new economics has finally made affordable.
The Quiet Edge
The watcher used to be a team. Now the watcher is an agent, and the team is the small group of humans who read what the agent surfaces.
The principal does not need a feed. The principal needs the one post that matters, surfaced before it matters more.
Everything else is architecture in service of that one post.
And for the first time, that architecture is within reach of the principals who need it most.