Real-World Threat Assessment Examples: From Schools to Corporations

By Warren Pulley, CrisisWire Threat Assessment Expert

A middle school teacher in Honolulu notices a student's creative writing assignment contains graphic descriptions of school violence. The student writes about shooting classmates, describes specific weapons, and details escape routes through campus buildings. The teacher reports the concerning content to administration, triggering the school's threat assessment process.

This scenario represents one of hundreds of threat assessments conducted daily across schools, workplaces, healthcare facilities, and organizations nationwide. Understanding how threat assessment works through real examples demonstrates why behavioral threat identification prevents violence more effectively than reactive security measures.

School Threat Assessment Example: Student Social Media Monitoring

The situation: A peer reports that a high school student posted concerning content on Instagram—photos posing with firearms, captions referencing "don't come to school tomorrow," and comments about being bullied and seeking revenge. The posts appeared Friday evening, discovered Saturday morning by a classmate who reported to school administrators.

The threat assessment process: The school's multidisciplinary threat assessment team—principal, school counselor, school resource officer, and district safety coordinator—convenes immediately via emergency phone conference. Research published in School Threat Assessments 2025: Preventing Violence Before It Happens demonstrates this team approach reduces school violence incidents by 82% when properly implemented.

Team members divide responsibilities. The counselor reviews the student's behavioral history, academic records, and any documented mental health concerns.

The school resource officer examines the social media content for explicit threats versus vague statements, verifies weapon access through law enforcement databases, and determines if the student has prior police contact. The principal contacts parents for immediate home visit and interviews peers who may have additional context about the student's emotional state.

The team discovers the student recently experienced significant trauma—parental divorce, bullying incidents not previously reported, and deteriorating academic performance. The social media posts represent a cry for help rather than concrete attack planning. However, the student does have access to firearms in the home through a parent who hunts.

The intervention: The team conducts immediate risk evaluation following frameworks detailed in Behavioral Threat Assessment & Management. They determine moderate risk requiring immediate intervention but not imminent threat necessitating arrest. The school resource officer conducts welfare check with parents Saturday afternoon, arranges emergency mental health evaluation, and coordinates temporary firearm removal from the home through family cooperation.

The student receives mental health treatment, returns to school Monday with safety plan including counseling sessions, peer support group for bullying victims, and modified academic accommodations. The threat assessment team monitors for six months through regular check-ins, social media observation within legal parameters, and ongoing communication with mental health providers. No violence occurs, the student's condition improves, and the intervention prevents what could have become a school shooting.

Training resources for school threat assessment teams available through K-12 Threat Assessment Consulting and School Threat Assessment Consulting. Federal protocols detailed in Secret Service School Violence Prevention.

Workplace Violence Threat Assessment Example: Pre-Termination Evaluation

The situation: A Hawaii corporation plans to terminate a property manager for performance deficiencies and policy violations. HR reviews the employee's file and discovers concerning patterns—multiple complaints about aggressive behavior toward coworkers, angry outbursts during meetings, social media posts expressing resentment toward company leadership, and statements to colleagues about being treated unfairly. The employee has facility access codes, keys to multiple properties, and detailed knowledge of executive schedules.

The threat assessment process: Before conducting the termination meeting, HR initiates pre-termination threat assessment following protocols in Workplace Violence Prevention Solutions. The company's threat assessment team—security director, HR manager, legal counsel, and external threat assessment consultant—evaluates violence risk using structured professional judgment rather than algorithmic prediction.

The team gathers information from multiple sources. HR interviews the employee's supervisor about specific behavioral incidents and escalation patterns. Security reviews the employee's building access logs for after-hours activity or unusual facility visits. The consultant examines social media activity for explicit threats, fixation on perceived enemies, or interest in weapons and violence. Legal counsel reviews whether any protective orders, criminal history, or workplace violence incidents exist in the employee's background.

The assessment reveals moderate to high risk indicators. The employee expressed verbal threats during a recent disciplinary meeting, stating "people who treat others like this deserve what they get." Social media shows posts about workplace injustice and revenge fantasies. The employee recently purchased firearms, documented through public records search. Family members report the employee has been increasingly agitated and discussing being wronged by the company.

The intervention: Based on threat assessment findings detailed in The Prepared Leader: Threat Assessment & Emergency Planning, the team modifies termination procedures to reduce violence risk. They schedule the termination meeting for Tuesday morning when security staff are present rather than Friday afternoon when the employee would have weekend to ruminate. Two security officers stand by during the meeting in adjacent office, ready to respond if the employee becomes aggressive. The company immediately revokes all access credentials—building keys, alarm codes, computer access, and parking passes—before the employee leaves the building. Security escorts the employee from the facility and monitors for return attempts for 30 days.

The company notifies law enforcement about the termination and threat indicators, providing officers with the employee's photo and vehicle description for increased patrol around facilities. HR arranges continuation of employee assistance program benefits for mental health support despite termination. The threat assessment team monitors the employee's social media for 90 days for escalating threats requiring law enforcement intervention.

The employee does not return to the facility and commits no violence. The pre-termination threat assessment successfully identified risk and implemented management strategies preventing workplace violence. Analysis of similar cases available in Case Study: SMBs That Survived vs. Collapsed.

Healthcare Insider Threat Assessment Example: Data Access Monitoring

The situation: A Hawaii hospital's IT security system triggers automated alerts showing a billing specialist accessing unusually high volumes of patient records outside normal work duties. Over three weeks, the employee viewed records for 2,400 patients—ten times typical access patterns. The records accessed include high-profile individuals, elected officials, and celebrities treated at the facility.

The threat assessment process: The hospital's insider threat team—IT security director, compliance officer, HR representative, and legal counsel—initiates investigation following frameworks in Insider Threat Management. Research in Insider Threats in Hospitals: Silent Dangers Within Your Walls demonstrates healthcare facilities experience insider threats in 43% of data breaches, making behavioral monitoring essential.

The team conducts covert investigation before confronting the employee to gather evidence and determine scope. IT tracks which specific records were accessed, whether any data was downloaded or emailed externally, and if the employee used personal devices to photograph screens. The compliance officer reviews the employee's job responsibilities to determine legitimate business reasons for the access patterns. HR examines the employee's behavioral history for financial stress indicators, policy violations, or concerning statements to coworkers.

Investigation reveals the employee has significant personal debt, recently divorced, and facing foreclosure. The employee accessed records of wealthy patients and downloaded contact information to personal email. Evidence suggests the employee planned to sell patient data to medical identity theft networks or attempt blackmail of high-profile individuals whose medical conditions could cause embarrassment if exposed.

The intervention: The threat assessment team determines immediate action required to prevent data breach and potential identity theft affecting thousands of patients. They coordinate with law enforcement before confronting the employee, ensuring criminal investigators can seize evidence. The hospital immediately terminates the employee's system access and places them on administrative leave pending investigation. Law enforcement executes search warrant on the employee's home, discovering downloaded patient files and communications with identity theft networks.

The employee faces criminal prosecution for HIPAA violations and identity theft conspiracy. The hospital conducts damage assessment, determines which patient records were compromised, and provides notification to affected individuals as required by law. The organization implements enhanced behavioral monitoring systems, mandatory access audits for all employees with patient database access, and pre-termination threat assessments for all future separations.

Framework detailed in How to Conduct an Insider Threat Audit in 10 Steps.

Corporate Executive Threat Assessment Example: Online Harassment Escalation

The situation: A technology company CEO receives escalating threatening communications through social media, email, and company contact forms. The messages progress from criticism of business practices to personal attacks, then explicit threats of violence. The sender references the CEO's home address, children's school, and daily routines—demonstrating surveillance capability.

The threat assessment process: The corporation's executive protection team engages external threat assessment specialists following protocols in Executive Protection in 2025: Why ASIS's New Standard Changes the Game. The assessment involves behavioral analysis, digital forensics, and coordination with law enforcement.

Threat assessment specialists analyze communication patterns for escalation indicators, specificity of threats, evidence of attack planning, and capability to carry out violence. Digital forensics teams trace threatening messages through IP addresses, email metadata, and social media accounts to identify the sender. Corporate security conducts protective intelligence gathering on the CEO's public exposure—speaking engagements, travel patterns, and social media presence that could enable targeting.

Investigation identifies the sender as a former customer whose complaint was denied by customer service. The individual fixated on the CEO as responsible for perceived injustice, researched the CEO's personal life through public records and social media, and began surveillance documented through geo-tagged social media posts near the CEO's residence. Mental health history reveals untreated psychiatric conditions and past violent behavior.

The intervention: Based on threat assessment findings detailed in The Rising Threat to CEOs: Lessons from World Security Report 2025, the executive protection team implements comprehensive security measures. The CEO receives 24/7 executive protection during high-risk period, residential security enhancements including cameras and alarm upgrades, and travel security protocols. Law enforcement obtains restraining order against the subject and increases patrol near the CEO's residence. The corporation coordinates with FBI when threats cross state lines, potentially involving federal jurisdiction.

The subject violates restraining order, resulting in arrest and involuntary mental health evaluation. Psychiatric treatment and ongoing monitoring prevent violence. The CEO maintains enhanced security protocols, and the corporation establishes permanent executive threat assessment capability for future incidents.

Additional frameworks available through Executive Protection Consulting.

Nonprofit Client Threat Assessment Example: Domestic Violence Spillover

The situation: A Hawaii nonprofit serving domestic violence survivors employs a case manager whose ex-partner has been calling the office demanding to speak with her. The ex-partner obtained a restraining order violation charge previously, has history of violent behavior, and recently purchased a firearm documented through background check alerts available to law enforcement.

The threat assessment process: The nonprofit's small threat assessment team—executive director, HR consultant, and external security advisor—evaluates risk following Workplace Violence Prevention training protocols. Analysis detailed in Leadership Liability in Crisis: How CEOs Can Be Held Responsible demonstrates organizations have duty-of-care obligations to protect employees from known threats.

The team reviews restraining order documentation, coordinates with the case manager's victim advocate, and consults with law enforcement about the ex-partner's escalating behavior. Assessment determines high risk based on documented violence history, restraining order violations, weapon access, and persistent attempts to locate the victim at her workplace.

The intervention: The nonprofit implements protective measures balancing security needs with limited budget constraints. Front desk receives photo of the ex-partner with instructions to immediately call police if he appears and refuse entry. The case manager receives modified work schedule allowing remote work during highest-risk period and security escort to vehicle at end of shifts. The organization installs panic button at reception desk and conducts active shooter response training for all staff. Law enforcement increases patrol frequency near the facility and provides direct contact number for immediate response if the subject appears.

The ex-partner attempts to enter the facility twice, both times refused entry and immediately reported to police. Enhanced patrol and rapid police response deter continued attempts. The case manager transitions to permanent remote work for several months until threat subsides. No violence occurs due to proactive threat assessment and protective measures.

Resources for nonprofit threat assessment available through Crisis Management Consulting.

Why Threat Assessment Examples Matter

These real-world examples demonstrate threat assessment effectiveness across diverse settings. Organizations implementing structured threat assessment protocols following FEMA IS-906: Workplace Security Awareness and FBI Making Prevention a Reality frameworks prevent violence through early intervention rather than reactive response after attacks occur.

The common elements across successful threat assessments include multidisciplinary teams combining security, mental health, HR, and legal expertise; behavioral analysis identifying concerning patterns before violence; information gathering from multiple sources; structured risk evaluation using professional judgment; appropriate interventions matching threat level; coordination with law enforcement when necessary; and ongoing monitoring to ensure threats don't re-emerge.

Organizations lacking threat assessment capabilities face catastrophic consequences when warning signs go unrecognized. Research across thousands of workplace violence, school attacks, and targeted violence cases shows 80-95% of attackers exhibited observable warning behaviors others could have reported—if systems existed to receive reports, conduct assessments, and implement interventions.

Get Professional Threat Assessment Training

CrisisWire Threat Management Solutions provides comprehensive threat assessment training and implementation for Hawaii organizations across all sectors. Services align with Partner Alliance for Safer Schools (PASS) methodologies and federal guidelines from DHS Threat Assessment Resources.

Contact CrisisWire:

Email: crisiswire@proton.me

Quick Contact: bit.ly/crisiswire

LinkedIn: linkedin.com/in/warpul13

Training: Behavioral Threat Assessment Fundamentals

Services: CrisisWire Complete Services

Resources: Academia.edu/crisiswire

About the Author:

Warren Pulley is founder of CrisisWire Threat Management Solutions with 40 years of experience spanning U.S. Air Force security, LAPD, Baghdad Embassy Protection, and Director of Safety at Chaminade University of Honolulu. He holds 30+ certifications including U.S. State Department Worldwide Protective Specialist and is a member of the Partner Alliance for Safer Schools (PASS). Featured by ABC7 Los Angeles and NPR as a threat assessment expert. Research available at Academia.edu/crisiswire.