Inside the Hybrid Zone

Reading protective intelligence across overlapping domains.

The gap between the lanes is no longer a theoretical space. In the past eighteen months, the protective threat picture has rearranged itself in public view. A Russian intelligence plot to assassinate the chief executive of Rheinmetall was disrupted in 2024, reportedly through a tip from US services to their German counterparts. The chief executive of UnitedHealthcare, Brian Thompson, was shot dead on a Manhattan sidewalk in December of the same year, by a man whose ideological wind-up was visible in his own writings well before he reached for a weapon. Russian-linked incendiary devices entered the European parcel network through DHL hubs, in operations that the Dutch AIVD and other services attribute to a layered sabotage architecture recruiting young, deniable executors through Telegram (AIVD, 2025). The Mossad pager operation against Hezbollah in September 2024 reordered the assumptions of supply-chain security across an entire region. A finance officer at Arup in Hong Kong transferred approximately 25 million US dollars in early 2024 after a video conference in which the chief financial officer and other senior colleagues were synthetic media (Chen, 2024). A near-miss against Ferrari followed a few months later, defeated only because the targeted executive asked a question the deepfaked voice of the chief executive could not answer (Ryan-Mosley and Heaven, 2024). Kidnapping attempts on the families of French cryptocurrency executives drew a line under what happens when public wealth, public visibility, and family digital exposure cluster at the same address. Iranian transnational repression operations against academics, journalists and dissidents continue to move freely between cyber, intimidation, narrative pressure and proximity (AIVD, 2025).

Each of these is a different shape. Each is the same problem.

None of them sits cleanly in one lane. The Rheinmetall plot was state intelligence using criminal proxies. The Thompson case was a lone actor whose grievance had been incubated, framed, and confirmed in echo chambers before he ever acquired a weapon. The parcel campaign was state-sponsored sabotage carried out through commodified violence. The pager operation was a multi-year industrial deception. The Arup and Ferrari cases were cyber-led social engineering that produced financial and operational consequence by impersonating trust itself. The cryptocurrency kidnappings were opportunistic crime piggybacking on the digital exposure of public families. Iranian operations move between domains as a matter of doctrine. These are not separate problems. They are the working environment of high-end protection in 2026. For institutions that are themselves systemic, the same pathway applies with an additional dimension: the executive is not only the protected person, but the attack surface through which the institution itself can be reached.

The recognition that hybrid threats exist is now widespread in the trade. Buyers can name the categories, the courses are sold, the slides are confident, but what is missing is the operational reading of how the categories connect to one another in the life of a real client, a real institution, a real family, a real delegation. I refer to that coupling space as the gap. The gap is where pressure travels between domains and responsibility blurs between functions. It moves with every news cycle, every platform shift, every sanctions package, every recruitment trend, which is to say faster than any committee can convene around it. In the absence of a reading, exposure is processed in lanes, and the gap is no one's brief. Which is convenient for the threat.

A gray zone conflict, no rules, nothing is forbidden

Abbott's (2010) framing of fifth-generation warfare (5GW) is still the cleanest description of the environment in which protection now operates. 5GW is moral and cultural warfare conducted through the manipulation of perception, in which the lines between combatant and non-combatant, state and society, war and peace, have stopped meaning what they used to mean. Everybody fights everybody. When conducted properly, the targeted side may not realise it is being engaged at all. Krishnan (2022) tightened the conceptual map by comparing 5GW with hybrid warfare and gray zone conflict, and arrived at a similar place: the asymmetric actor wins by exploiting exactly the seams the defender has institutionalised. Liang and Xiangsui (1999), at the original Chinese end of this lineage, made the same observation in plainer terms. There are no rules, and nothing is forbidden.