TrapWire Interview Series Part 2 – Seeing the world through the eyes of a surveillant: TrapWire’s Red Team

April 28, 2023

Recap of TrapWire Interview Series Part 1 – Attack Planning: Left of Boom

In our previous interview, Mike spoke about Attack Planning: Left of Boom. He discussed how a criminal attack happens in 3 stages: left of boom, boom, and right of boom. The left of boom is the planning prior to a crime, the boom is the actual crime itself, and the right of boom is the investigation that follows the crime– when evidence needed to solve the case is gathered and we learn what could have been done to prevent the attack before it happened. In today’s interview, we will learn about TrapWire’s Red Team operations – demonstrating how terrorists and criminals conduct their operations and how these Red Team exercises help clients protect their personnel and assets. This segment offers a unique opportunity to see the world through the eyes of a terrorist or criminal surveillant. 


Today we are speaking with Mike Chang, Director of Operations for TrapWire, Inc. Prior to working at TrapWire, Mike served at the Central Intelligence Agency for 14 years as a counterterrorism operations officer, security officer, and senior instructor. He conducted counterterrorism operations and implemented crime prevention training programs focused on high-threat operations, surveillance detection, and weapons and tactics. Mike also served as a special agent on the personal security detail of the Director of Central Intelligence.  

At TrapWire, Mike manages teams that help clients understand the potential threats posed to them by pre-attack and pre-criminal activity. Put simply, Mike’s team conducts surveillance and other Red Teaming activity against client sites to help them better understand their threat vulnerabilities. These exercises enable organizations to understand precisely how and why terrorists, active shooters, criminals, hostile intelligence services, and other bad actors would collect intelligence against them in preparation for a hostile act. This is a unique approach to security, and we hope to get a much better understanding of such operations today from Mike.  

Seeing the world through the eyes of a surveillant: TrapWire’s Red Team


Within TrapWire, how many pre-attack “Red Team” operations have you been a part of, and what types of locations have they been?

Mike Chang 

A very unique aspect of TrapWire’s services is the fact that we conduct what we call attack planning and surveillance Red Teams, where our operations team will deploy to our client site or sites and engage in the left of boom activity against them. The goal is to show our clients exactly how threat actors will operate against them; how they will study, test and view their sites, their security personnel, their assets.  In short, we show them what their organizations look like through the eyes of the surveillant.

We have done this type of activity against hundreds of locations across the country, including airports, military facilities, mass transit systems, financial institutions, and numerous government buildings at the federal, state and local levels. We have also surveilled critical infrastructure, like oil and gas, electrical grids, and water treatment facilities; hospitality and resort facilities across the country; and special events, including concerts, sport venues and other events involving large crowds. 


When your team goes to a client’s site, for example, because there has been information in a pattern that they have noticed from their own surveillance detection, what would your team do once you get there? For instance, at the Academy Awards, or some kind of special event, if your team is there to help with detecting surveillance of a potential attack that may be happening, what would be some of the things you look for?

Mike Chang  

We look at several different aspects., from the perspective of a terrorist threat, to plan an assassination, for example.  We also look at it from the perspective of a hostile intelligence service and even from a criminal angle. We start with a survey of those facilities: we survey the people that work at those locations, personnel who are assigned to protect those facilities, we probe the security operations, we probe the facilities themselves. We go into restricted areas, we photograph, document, assess all of these different measures used for protection of those facilities. 

As a potential threat, we’re looking at circumventing those defensive measures in order to get around them. So, how do I get around somebody’s security system? Well, I’ve got to collect information on that security system, to know exactly how it works, exactly what it protects. And then at that point, I can figure out the vulnerabilities of the system and circumvent it. 

That’s the entire goal of the red team: we collect intelligence and then we flip it, we flip it on the bad guys – we teach the security personnel and the protective personnel at those facilities what to look out for and how to report it into TrapWire. 

When we conducted these left of boom activities against you, this is what we did and why we did it. This is where we did it from. This is when we did it.” 

In our training of security personnel, we put in those people’s minds: when I’m conducting my security job, this is what I should be looking for. This is where I should be looking for it. Because we train them not only on the tactics used, how the threats do what they do; but also on the “why,” why they engage in these activities. When the personnel protecting a location understand the “why” of these operations, it is much easier for them to detect the what, or the tactics that will be used against them.  

“When we conducted these left of boom activities against you, this is what we did and why we did it. This is where we did it from. This is when we did it.”


It sounds like there are a lot of different targets that you have conducted surveillance against — from hard targets to soft sites. 

Of the hundreds of government, private sector, and critical infrastructure sites across the country that have engaged your services in this area— can you talk about what that was like and by whom your teams were detected during some of these exercises?

Mike Chang 

Well one, it’s a very risky operation. Normally when we are doing it, there are only one or two people at the facility who are cognizant that we are doing this type of activity. Of course, we carry what we call our “ Get Out of Jail Free” letters, so that if we’re detained by security or law enforcement, we explain exactly what we’re doing and they look at the letter and they can make their phone calls. 

Personally, I’ve been detained at three different facilities when conducting this type of operation. And normally, just like the threats, it’s when I become complacent in what I’m doing that I get caught. So, I become very comfortable in the environment. Because when we first approach a site, we approach that site just like any other bad actor would.  For example, we don’t have IDs to get on-site. We only have Virginia driver’s licenses or Texas driver’s licenses or North Carolina driver’s licenses. That’s all we have, just like the bad guys. And so, we have to be able to get on to the site to conduct our reconnaissance and surveillance and probing operations.  

Our first job is to get into that facility. We start with online intelligence collection. And then, using that intelligence, we combine it with our ground operation. Quite often you get more and more comfortable on a site and get this sense that nobody is seeing you or watching you, nobody cares. You become complacent as an operator. And every time I’ve fallen into that mode, I have gotten caught. And at times, I’ve been thrown against the wall at gunpoint or in a patrol car in handcuffs. That’s happened a couple of times, which is actually a good reaction, right? We want security law enforcement to be able to detect this type of operation and stop you if that does happen. 


When you’ve been caught, would you then have to go back and try and do the test a different way to see if you can get through, or perhaps have someone else on your team go since you might be recognized? Is there a plan B? 

Mike Chang 

We continue our operations. Even though we’ve been caught, we explain to them what we are doing and their reactions vary. Sometimes they say well, okay, we understand that you guys are testing us… now get out of here. Or they say okay, guys, go ahead and do your operations. 

Of course now it’s no longer “real world” because security and law enforcement there know that they’re being tested. But usually at that point, we have collected enough intelligence on the location to complete our assessment. And, what we do from that point is we take all of that information and we present it to the stakeholders. And again, this not a “gotcha” type of assessment, but rather an opportunity to show them “Hey, this is how I operated left a boom. This is how threats perceive you. And this is how they’ll run their operations against you.” 

We then take all that data and turn it into a customized training program for each client. We conduct what’s called operational training programs. Our flagship program is called Attack and Crime Prevention and Surveillance Detection. And if a client site had us do an attack planning and surveillance Red Team, we customize their training program with all of our findings so that not just your chiefs or deputy chiefs see the results of our assessment, but every single officer, every single guard, every single security officer sees the results of our assessment and sees what we saw on the ground.  Once they are aware of their vulnerabilities to these types of operations and exactly how they will be conducted, it is much more difficult for a real threat actor to conduct such activities and get away with it in the future.


How many people are on the planning team typically? I think you said it’s usually a group of people that would sub in and out, so they don’t get recognized. 

Mike Chang  

At that particular facility, we had two on the ground, and I joined the team later in the operation. So, a total of three covering that particular facility.  The number of personnel involved tends to emulate the threat we are portraying, whether terrorist, criminal, hostile intelligence organization, etc.  

In this instance, the initial team did their pre-attack planning and on-ground surveillance, and then I came in. The week that I had chosen to be on ground was during a family event at this campus, which was at a larger federal government facility.  And so the week begins with what’s called a family day, where family members come on board to the campus. They get to see where the students live. They don’t get to see the students yet, but they get to see where they live, where they train and all of that stuff. So basic ID checks are done. I just went with the flow and come in on board as a family member, without telling them my “family member’s” name. I go into all the living quarters and all the facilities with the tour groups and family groups. And I just blended into the environment. As a result, I was able to build upon what my team had collected already. And I’m also there to correct any information they may have gotten wrong or different from what I was observing.

A family event occurs on this campus in a large common area, – a very large rectangular area that is cordoned off.  All visitors must enter through a security station.

I arrived very early in the morning and parked my car just like any other family member. I’m also dressed like any other family member, and I proceed to the first security checkpoint. I am casing and collecting intelligence on all of the security aspects of checkpoint one. It’s very important because we had never attended a family event at this facility before. I’m the first person of our Red Team on the ground. I’m collecting all the intelligence we’d need to plan an attack: the number of security personnel present, the types of weapons they’re carrying, and the type of security technology they’re using. 

Then I move away, eventually to checkpoint two. I go around to checkpoint three, then checkpoint four — that takes me probably about an hour and a half. Then I make my way back to checkpoint one. So I’ve covered the entire perimeter of the event area. I’ve surveilled and cased all four checkpoints, now comes my time to go through a security checkpoint so I can go inside the perimeter. 

At this point, my bag has to go through an x-ray machine, and I have to step through a magnetometer just like at an airport. I keep my video camera active as I’m going through the security checkpoint. So it’s on the belt, it’s sitting on my camera bag, and it’s recording. The camera goes through the X-ray machine and I go through the magnetometer. I retrieve my bag, I go and buy a cup of hot chocolate because it’s really cold, and I walk around and I start looking at what we call “attack objectives,” which are specific areas that I’m going to plan to attack with my attack team. During this particular event, there were several HVTs (High Value Targets) on hand, including several important government officials sitting in the VIP area, and I’m getting good photography of them – as well as the overall crowd and choke points. I’m doing all my normal things. 

What I didn’t know was that when I moved from checkpoint one to checkpoint two, about two – hours prior, a support officer, who had been there to support the event – he wasn’t even part of the security team – observed me moving from checkpoint one to checkpoint two. And in his mind he’s thinking “that’s really strange,” because people don’t normally do that at our events. Normally, they come up to a checkpoint and are all “oohs” and “ahhs” because there are people carrying guns, which always gets attention as they snap a few pictures. But he told me later, “Nobody ever does what you did. Nobody goes from one checkpoint to another checkpoint. So I found that kind of weird. I watched you at checkpoint two, and then saw you move from there to checkpoint three, and that’s when I called it in.”  

So the entire time that I had been moving from checkpoint two all the way back to checkpoint one, roughly about an hour, they were surveilling me and I had no idea. And simply because this one support officer saw something out of the ordinary and decided to tell someone “Hey, you guys should look at that.”  

After I had taken some video and pictures of people in the crowds, I was walking to another area where crowds were gathering, when this security officer walks by me, he’s a quick reaction force and SWAT team member. He says, “Good morning.” I said, “Hey, good morning, how are you doing?” He says, “Great” and walks by me. I continue walking and about two steps later, I get a hand on my shoulder. I turn around and it’s him. He said, “Sir, good morning, again. I want to welcome you to our family event.” I say, “Great – thank you very much.” He goes, “Sir, I just want to ask you, are you here to see your son or your daughter participate in the event today? Maybe, perhaps, a niece or nephew?” And I said, “Yes, I am.” And he said “Well, sir, if you don’t mind me asking what group are they in?” I had come prepared, so I had a group number and I gave him the number. He goes, “Sir, thank you very much for answering my question. I very much appreciate it.” He takes out a program and he turns to that group number and says, “Sir, if you don’t mind, would you mind telling me your relative’s name?” And I didn’t have a name. So he said, “Sir, you’re gonna have to come with me.” He puts the program away, shoulders his rifle and he escorts me around a small building. There, an entire law enforcement detachment was waiting for me. And that’s where I ended up in handcuffs and in the back of a patrol car. 

My point in telling you this very long story is that this was all born out of a support officer who just saw something out of the ordinary and decided to report it. It was a simple action of See Something, Say Something in real life. And luckily, four months later, when I came back to do training for them, I was able to have that support officer in my class. I asked him before the class if he would stand up and tell his side of the story. And he did. 

I can tell you numerous stories of where that’s happened to us as a team, where a small act that we think will appear innocent or normal, just sticks out to the people who live, work, and play in an environment. And it can’t get more visceral than when we are casing a school. When we are casing a school, and somebody sees us, it gets nasty, which is good, right? It’s great, you know, a parent coming up to my window and banging on my window saying, “Why did you just take a picture of my kid getting off the bus?” I was actually just filming the bus and the kid happened to get off right then. But that’s the type of reaction we want from people: when you see this type of activity, do something about it!. 

It was a simple action of See Something, Say Something in real life.


What is the process for using the TrapWire Red Team? Does an organization hire you directly to test their security teams and technology? 

Mike Chang  

A client will hire us to do attack planning and ground surveillance against their assets, which could be a protected individual with a security detail, or a large campus, or even an office building. Whatever their asset is, they ask us to do our attack planning and surveillance against that facility or asset. 

We normally begin with online and open-source intelligence gathering about the location, such as blueprints, diagrams, pictures, satellite photos, anything we can find online to familiarize ourselves with the site, especially if the site isn’t local to us. 

Then we will gather as much social media content as we can regarding that site or asset. If an employee who happens to work for their security team puts a lot of information about their job online, we gather that information. When we’re ready, we deploy the first team, who will go out and conduct an initial round of surveillance and intelligence collection against that target. From that point on, it gets more and more detailed, and more and more focused. Rather than focusing on the entire facility we start looking at specific locations we are going to attack, or where we’re going to steal sensitive information from (if that’s the goal), or identify mass casualty locations…whatever the goal is for that particular operation. If the goal is to kidnap a child from a Child Development Center or school, then that’s our focus. If it’s to plan a burglary or robbery of a secure facility, we’ll develop a plan for that. So it kind of differs depending on the type of asset and the threats they are likely to face.


When you are undercover on one of these red teams, are there different behaviors that you learn or you recommend in your training to look out for? When someone is asking you a question in a high-stress situation — do you watch to see if someone stutters, or displays unusual body language? Are there specific things that you recommend looking for, as well as make sure you yourself are not doing them to stand out?

Mike Chang  

What we tell officers who are conducting a field interview of a suspect is simple: listen to the answer. That’s the key; don’t just ask the question to ask the question, listen to their answer, and play off of it. If they say they’re a student, terrific. “That’s great. Thank you for answering my question. Would you mind showing me your student ID?” And when they claim they don’t have their ID with them, they left it in their apartment. “Okay, that’s, that’s okay…so what university are you enrolled in? What field of study? What’s your major? We just need to verify everything.” Find different ways of breaking down that cover to see if that cover is valid, or to see what that person’s reaction is going to be as you start to break down that cover.


I see. So as an investigator, it’s sometimes less about what you’re seeing and more on what you’re hearing if you’re able to break down into even deeper layers to try and crack a story. 

Mike Chang  

Right. And it’s because a cover in itself is designed to blend into the environment. 

Let me an example of a certain type of federal facility that I will not define beyond that— for security reasons— these types of facilities often have ongoing construction projects.  When I’m conducting surveillance at these facilities, I’m often dressed in my construction gear. I have a hard hat, which is perfectly clean and doesn’t have a union sticker or anything like that. I have a construction vest on, which is also perfectly clean. And I wear a button down shirt and dress slacks with casual shoes – all of which are bright and clean, and I’m carrying a clipboard with some papers on it. The appearance that I’m trying to give is that either I am a supervisor, or I’m an inspector. The inspector cover is what I prefer people think, because nobody wants to talk to the inspector, and inspectors are usually left alone to go about their business. People who do their work, they don’t want to talk to the inspector. That’s the appearance that I’m trying to give off – the feeling that I want people to leave me alone. 

During training, I tell security officers that when it comes to cover, people will often work very hard on their appearance and will have a few rehearsed responses to use with you. So when they actually speak, please listen to their answers carefully. Do they sound normal, relaxed? If not, then use what they’ve said and play off of it and see where that answer takes you. Because quite often it’ll take you in all sorts of different directions.

This is the wrap up of Seeing the World through the Eyes of a Surveillant: TrapWire’s Red Team with Mike Chang. In the next interview, Mike will dive into See Something, Say Something.

Interested in learning how TrapWire Services can help you?

Check out a few of our solutions, or request a demo to learn more.

Leave a Comment

Your email address will not be published. Required fields are marked *

Contact Us



[email protected]

Monday–Friday | 9-5 pm EST


Contact Us