Deconfliction Systems for Multi-Team Intelligence Operations: When Two Units Are Working the Same Target
T. HoltTwo teams. One target. Neither knows about the other.
Photo by AMORIE SAM on Pexels.
One team has spent six weeks cultivating a persona close to the target's network. The other team, running a separate collection tasking, just pinged the same account with a direct message. Now the target is spooked, both operations are burned, and nobody inside either team did anything wrong. They just had no way to know.
This is what deconfliction failures look like in practice. Not a dramatic breach, not a mole. A system problem that masquerades as an operational problem.
What Deconfliction Actually Means
In law enforcement, deconfliction systems exist to prevent two undercover officers from buying drugs from each other. The concept maps directly to intelligence operations running parallel collection efforts against overlapping target sets.
Deconfliction has two layers: target deconfliction (are we both working the same person, organization, or infrastructure node?) and method deconfliction (even if we're working different angles, do our methods interfere with each other?). Most teams think about the first. Almost nobody builds systems for the second.
Method deconfliction matters because passive OSINT collection against a target changes the target's exposure profile. Repeated profile views, aggregated link analysis, and scraping activity leave traces. When two teams independently rack up that exposure against the same node, the cumulative signature looks like surveillance to anyone watching their own digital footprint.
The Engineering Side of the Problem
Building a deconfliction capability is fundamentally a database problem wrapped in an access control problem wrapped in a trust problem.
The database problem: you need a shared registry of active operational targets, collection activities, and methods in use. That registry needs to be queryable before any new tasking is issued, not after the operation is underway.
Here's the basic flow:
graph TD
A[New Tasking Request] --> B{Deconfliction Query}
B --> C[No Match Found]
B --> D[Partial Match Found]
B --> E[Active Conflict Detected]
C --> F[Tasking Approved]
D --> G[Route to Deconfliction Officer]
E --> H[Tasking Blocked Pending Review]
G --> F
G --> H
The query happens before tasking approval, not as a post-hoc audit. That ordering is non-negotiable. Retroactive deconfliction is just incident documentation.
The access control problem is thornier. Compartmentalization exists for good reasons. Team A may not be cleared to know that Team B is working a particular target; the existence of that operation is itself sensitive. So the deconfliction system needs to answer the question "is this target conflicted?" without necessarily revealing who has the conflict or why.
One workable approach: a hashed target identifier registry. Each team registers a one-way hash of their target identifiers (usernames, email addresses, IP ranges, organization names normalized to a canonical form) along with a conflict contact point. A query against the registry returns only a boolean and a contact identifier, not operational details. The querying team knows to call the contact before proceeding. Details get exchanged through appropriate channels with appropriate clearances.
This is sometimes called a "blind deconfliction" model, and it preserves compartmentalization while still preventing the most catastrophic collision scenarios.
What Goes Into the Registry
Target identifiers need normalization before hashing, or the system breaks immediately. "@john_doe_official" and "john_doe_official" and "johndoeoffficial" (typosquat) are potentially the same operational target. Infrastructure targets need CIDR normalization. Organization names need canonical resolution against a reference dataset.
Skip normalization and you get a registry that looks complete but misses conflicts on orthographic variants. That false sense of coverage is worse than no deconfliction system at all.
Method tags matter too. A team conducting passive observation has a different conflict profile than a team running active elicitation. Your registry schema should capture method type, intensity, and last-activity timestamp. Stale entries are their own hazard: an operation that closed eight months ago shouldn't block new tasking indefinitely.
The Operational Culture Problem
Building the system is the easy part. Getting teams to register their targets before collecting is the hard part.
Deconfliction systems fail when operators treat them as bureaucratic overhead rather than protective infrastructure. The fix isn't better tooling; it's making non-registration carry more organizational cost than registration. Mandatory pre-tasking review gates, automated conflict queries baked into collection tooling, and post-operation audits that surface unregistered activities all push in the right direction.
If your deconfliction query is a separate manual step that operators can skip under time pressure, they will skip it. Embed the query into the tasking workflow itself. Make the path of least resistance the path of correct behavior.
Two teams burning each other's operations because nobody built the plumbing is an engineering failure. Treat it like one.
Get Intel DevOps in your inbox
New posts delivered directly. No spam.
No spam. Unsubscribe anytime.