Soft Targets, Hard Consequences: The Evolving Threat to Mass-Gathering Venues
Crowded places and mass-gathering venues continue to attract disproportionate targeting interest across the ideological spectrum. This briefing examines the indicators, venue typologies, and protective security implications for planners operating in the current threat environment.
The targeting of mass-gathering venues has remained a persistent feature of terrorist planning across ideological traditions, but the character of that interest has shifted materially over the past eighteen months. Where earlier threat cycles were dominated by vehicle-ramming and edged-weapon methodologies directed at tourist-dense urban spaces, current indicators suggest a broader and more methodical reconnaissance interest in a wider range of crowded-place typologies — including indoor entertainment venues, religious festivals, and large-scale sporting events. For protective security planners operating across the EU and Five Eyes jurisdictions, the implication is that venue-category assumptions built around post-2016 attack patterns may require revision.
Expanding the Target Set: Beyond the Obvious Chokepoints
Post-incident analysis of disrupted plots and online planning material consistently shows that attackers and aspiring attackers conduct a form of informal cost-benefit assessment when selecting venues. High-footfall locations with limited access control, predictable crowd density, and constrained egress routes score favourably in this calculus. What has changed is the range of venue types now appearing in that assessment. Stadiums and concert halls have long been recognised as high-risk environments; more recent indicators point to elevated interest in secondary-tier venues — regional exhibition centres, outdoor music festivals, and large-scale religious gatherings — where security investment has historically lagged behind threat posture.
This broadening of the target set is not uniform across ideological actors. Islamist-inspired planning material continues to emphasise symbolic density and casualty maximisation, favouring venues associated with Western cultural identity. Extreme right-wing actors, by contrast, show a more pronounced interest in venues associated with communities they regard as adversarial — religious sites, pride events, and ethnically associated cultural festivals. The distinction matters for protective security planners because it affects both the likely timing of elevated threat and the specific venue categories that warrant enhanced attention at any given period.
Reconnaissance Patterns and Pre-Attack Indicators
Across documented cases in Western Europe and North America, pre-attack reconnaissance of crowded-place targets exhibits a recognisable pattern, though the tradecraft sophistication varies considerably. Physical surveillance — repeated visits at different times, photography of entry and exit points, observation of security personnel positioning — remains the most commonly identified indicator. However, the proportion of reconnaissance activity conducted through open-source means has increased. Venue websites, ticketing platforms, social media event pages, and satellite imagery tools collectively provide a level of site familiarisation that previously required physical presence.
A secondary indicator category that warrants particular attention is logistical preparation proximate to a specific venue or event date. Acquisition of materials consistent with a particular attack methodology — vehicle hire near a pedestrianised event perimeter, purchase of cutting implements ahead of a crowded indoor event — gains significance when it is temporally and geographically correlated with a specific gathering. Analysts using Terriscope have noted that the aggregation of such signals across open and closed sources, even when each individual indicator falls below a reporting threshold, can surface coherent pre-operational patterns that would otherwise remain fragmented across jurisdictional boundaries.
Physical surveillance indicators: repeated venue visits, timing variation, photography of security infrastructure.
Open-source reconnaissance: systematic review of venue layouts, event schedules, and access-control information via public platforms.
Logistical proxies: vehicle hire, material acquisition, or accommodation bookings temporally correlated with a specific event.
Social media signalling: expressions of grievance or intent referencing a specific venue, event type, or date.
Network contact patterns: communications between individuals with prior targeting interest and those with venue access or local knowledge.
The Insider Dimension
One aspect of mass-gathering venue vulnerability that receives insufficient analytical attention is the insider threat. Large events depend on substantial temporary workforces — security contractors, catering staff, technical crews, and volunteers — whose vetting processes are frequently inconsistent and whose access to restricted areas can be considerable. The 2017 Manchester Arena attack demonstrated that perimeter security measures, however robust, are undermined when an attacker can position themselves within the controlled zone by exploiting the operational complexity of a large event. Subsequent venue security reviews across the UK and several EU member states acknowledged this gap, but implementation of enhanced insider-threat mitigation has been uneven.
The risk is compounded by the increasing use of subcontracted labour chains, which can create ambiguity about who bears responsibility for background verification. Where a venue operator contracts a security firm, which in turn engages a staffing agency, the vetting standard applied to an individual operative may reflect the lowest common denominator in that chain rather than the standard the venue operator believes is in place. Protective security planners advising venue operators should treat the mapping of staffing chains as a baseline activity, not an optional enhancement.
Jurisdictional Variation in Crowded-Place Security Standards
The regulatory landscape governing crowded-place security across the EU and Five Eyes jurisdictions remains fragmented. The United Kingdom's Protect Duty — now enacted as Martyn's Law — establishes a statutory baseline for venue security planning and staff training at qualifying premises, representing the most codified national framework currently in force among Five Eyes partners. Comparable legislative instruments are absent in most EU member states, where crowded-place security obligations are typically addressed through a combination of licensing conditions, event-specific police liaison, and voluntary guidance frameworks.
This jurisdictional variation has operational consequences. Threat actors with cross-border mobility can, in principle, conduct reconnaissance or pre-operational activity in a jurisdiction with lighter-touch venue security requirements before executing in a higher-profile target environment. Intelligence-sharing mechanisms under existing bilateral and multilateral arrangements partially mitigate this risk, but the asymmetry in baseline security standards means that the weakest link in a regional security architecture is not always where analytical attention is concentrated.
The divergence also complicates mutual learning after incidents. Post-incident reviews in one jurisdiction generate recommendations calibrated to that jurisdiction's legal and operational context, and the translation of those lessons into actionable guidance for planners elsewhere is rarely systematic. A more structured approach to cross-jurisdictional lesson transfer — particularly between UK and EU partners given the post-Brexit intelligence relationship — would strengthen the collective posture without requiring legislative harmonisation.
Implications for Protective Security Planning
The current threat picture suggests that protective security planning for mass-gathering venues should be stress-tested against a broader range of venue typologies and attack methodologies than the post-2016 consensus assumed. Secondary-tier venues, religious and cultural gatherings, and events with large temporary workforces represent categories where the gap between threat interest and security investment is most pronounced. Planners should treat pre-event reconnaissance detection — both physical and open-source — as an active intelligence-collection opportunity rather than a passive observation task, and should ensure that staffing chain mapping and insider-threat protocols are embedded in event planning cycles from the outset rather than appended as afterthoughts. The threat to crowded places has not diminished; it has diversified, and the security architecture applied to it must diversify accordingly.
Frequently asked questions
What makes mass-gathering venues attractive targets for terrorist attack planning?
Mass-gathering venues combine high footfall, predictable crowd density, constrained egress routes, and often limited access control. These characteristics maximise potential casualties while reducing the operational complexity required of an attacker. Symbolic value — cultural, religious, or national significance — can further elevate a venue's attractiveness to actors seeking to generate widespread psychological impact alongside physical harm.
What are the key pre-attack reconnaissance indicators for crowded-place venues?
The most commonly identified indicators include repeated physical visits at varying times, photography of security infrastructure and entry points, and systematic open-source research into venue layouts and event schedules. Logistical activity — vehicle hire, material acquisition, or accommodation bookings — that is temporally and geographically correlated with a specific event can also indicate pre-operational intent when assessed in aggregate.
How does the insider threat apply to large events and mass-gathering venues?
Large events rely heavily on temporary workforces — security contractors, catering staff, and volunteers — whose vetting is frequently inconsistent. Subcontracted staffing chains can create ambiguity about who is responsible for background verification, meaning individuals with access to restricted areas may not have been screened to the standard the venue operator assumes. This gap has been exploited in previous attacks and remains a significant vulnerability.
What is Martyn's Law and how does it affect venue security in the UK?
Martyn's Law, formally enacted as the Protect Duty in the United Kingdom, establishes a statutory baseline for security planning and staff training at qualifying public venues and events. It was developed following the 2017 Manchester Arena attack and represents the most codified national crowded-place security framework among Five Eyes partners. Most EU member states currently rely on licensing conditions and voluntary guidance rather than equivalent legislation.
Are secondary-tier venues at greater risk than major arenas and stadiums?
Current threat indicators suggest secondary-tier venues — regional exhibition centres, outdoor festivals, and large religious or cultural gatherings — face a growing gap between threat interest and security investment. While major arenas have invested significantly in security following high-profile incidents, smaller venues with comparable footfall often lack equivalent access control, trained personnel, or formal security planning frameworks, making them comparatively more vulnerable.
Related insights
Undersea cable systems and internet exchange points represent a class of critical digital infrastructure that is simultaneously indispensable, geographically exposed, and structurally under-protected. This briefing examines the targeting interest emerging from state-adjacent actors and ideologically motivated networks, the vulnerability characteristics that make these nodes attractive, and the implications for protective security planners across EU and Five Eyes jurisdictions.
Ready to Learn More?
Get in touch to see how Nebula and Terriscope can support your security operations.