This is the second pillar of the Defensive Hybrid Intelligence (DHI) architecture, following the structured, lawfully executed collection phase.
Fusion in DHI is defined as the systematic process through which heterogeneous data sources, intelligence feeds, forensic artifacts, operational telemetry, logs, and contextual geopolitical indicators are consolidated, reconciled, and transformed into a coherent analytic product capable of informing lawful decision making.
Collection identifies and acquires information. Fusion determines its meaning, reliability, legal implications, and strategic relevance. It is the core analytical activity that enables a regulated entity to move from raw information to actionable intelligence in a manner that satisfies supervisory expectations of due diligence and informed governance.
Fusion is not a technical correlation exercise. It is an interpretive process governed by the principles of evidentiary sufficiency, regulatory defensibility, attribution logic, and risk materiality assessment. This process reconciles contradictory indicators, it weighs competing hypotheses, and it distinguishes between coincidental anomalies and structured adversarial activity.
Hybrid operations materialize as synchronized digital intrusions, malign information flows, economic pressures, supply chain anomalies, and subtle legal or regulatory manipulations. Fusion requires the evaluation of data that originates from distinct domains, each governed by separate statutes and supervisory expectations. For example, cyber forensic indicators subject to reporting duties under operational resilience frameworks must be fused with disinformation monitoring outputs relevant to reputational risk governance, and with third country legal exposure assessments relevant to sanctions and export control compliance.
Fusion plays a central role in materiality determination, a key legal function across financial sector regulation, cybersecurity law, incident notification regimes, breach classification standards, and corporate governance responsibilities. Raw data may not independently establish whether an incident reaches the threshold of notifiability, systemic relevance, or regulatory exposure.
Fusion supplies the interpretive analysis necessary to evaluate whether a series of indicators collectively implies adversarial intent, strategic targeting, or credible harm. It provides the basis on which organizations can justify decisions regarding notifications to supervisory authorities, engagement with national security services, and access to cross border cooperation mechanisms.
Example: An enterprise experiences a minor denial of service disturbance, a small scale phishing operation directed at mid level employees, and an unremarkable supplier delivery delay. Evaluated independently, each event may appear operationally insignificant and legally immaterial. Through fusion, the organization discovers that the phishing payload has been used by a known hybrid threat actor, and that the denial of service disturbance coincides with a coordinated online disinformation surge targeting the company’s market stability.
Fusion reveals a multi vector hybrid operation, which transforms the legal interpretation of the events. What initially appeared as routine operational noise now constitutes a hybrid threat that may trigger enhanced reporting duties, engagement with supervisory authorities, invocation of contractual protective clauses, and strategic adjustments to the organization’s risk governance.
Regulators increasingly expect organizations to demonstrate that they interpret data coherently, lawfully, and in a manner proportionate to the systemic risks they face. Fusion is the mechanism through which boards, senior management, and compliance officers obtain a consolidated understanding of risk exposures. This enables them to exercise legally required oversight functions, demonstrate informed decision making, and prove that they fulfilled their fiduciary, regulatory, and governance responsibilities in the face of complex hybrid threat environments.
Fusion is the analytic heart of Defensive Hybrid Intelligence. It transforms collection into understanding, risk signals into legally defensible interpretations, and fragmented indicators into coherent threat comprehension.
Understanding fusion, the disciplined, repeatable, analytic workflow.
The term fusion is abstract until we turn it into a repeatable workflow.
Step 1. Orientation (pre question phase), and question formation. We start from the data to discover whether a question exists. Before an organization can define a precise legal or analytical question, it must perform an initial stage of orientation, sometimes called pre fusion, or orientation analysis.
In intelligence doctrine, including counterintelligence and hybrid threat analysis, this stage is unavoidable and is often the most cognitively difficult part of the entire cycle.
Raw data arrives without context. You may see unusual network telemetry, a small anomaly in supplier performance, an unexplained payment irregularity, a minor phishing wave, a misinformation spike on social media, an unexpected legal or regulatory inquiry. At this point, you have no question yet, you only have fragments.
You do a first pattern scan (not a question based scan yet). The goal is to observe what is unusual, what does not fit normal baselines, what resembles known categories of risk, and what stands out when viewed historically. This is not analysis. This is the stage where you allow the data to speak before you impose structure. You cannot define the analytical question before you understand the anomalies.
Once you see patterns, co-occurrences, or anomalies, you can start framing the proper question.
For example, you see: “These events are unrelated individually, but all involve the same geopolitical region, and all deviate slightly from normal baselines.”
Now you can define the question: “Is this the early stage of a coordinated hybrid campaign, or a coincidence?”
Typical questions include:
- Is this isolated or coordinated?
- Is this operational noise or part of a hybrid attack?
- Does this meet legal or regulatory thresholds for escalation?
- Does this align with known adversarial patterns?
- Does this require attribution, reporting, or containment?
The question must be formulated in a legally cautious manner, using language such as:
- Is there a credible possibility that ...
- Is the observed pattern consistent with ...
- Is there sufficient basis to consider that ...
This preserves legal defensibility, and avoids premature conclusions.
Example:
1A. Orientation (pre question phase).
An organization begins to notice several raw, unconnected signals:
- A normally reliable logistics partner suddenly delays a shipment without providing a clear explanation.
- A mid level employee in procurement receives a spear phishing email containing highly specific operational details.
- A foreign news outlet publishes a short, misleading article that subtly criticizes the company’s supply chain ethics.
- A server in the company’s cloud environment experiences a brief, unexplained authentication spike during an off peak hour.
At this stage, each of these signals could be noise, coincidence, random cybercrime, or routine operational fluctuation. In this stage, we notice all of this without attempting to conclude anything. The analyst may document: “There are multiple deviations from baseline, emerging across different domains of activity.”
No question has yet been defined. After observing the anomalies, the analyst begins to consider whether they form a meaningful pattern.
The signals appear to touch cyber operations (phishing, authentication anomalies), supply chain stability (logistics delays), and reputational vectors (media narrative). This cross domain emergence is typical of early hybrid activity, but nothing is proven.
The analyst formulates a cautious and legally sound question:
“Is there a credible possibility that these events, although individually minor, reflect the initial phase of a coordinated hybrid influence or disruption attempt targeting our supply chain or operational stability?”
This question now becomes the foundation for fusion. It is legally appropriate, because it avoids premature attribution. It recognizes plausibility without asserting fact. It is proportionate to the observed anomalies. It frames the analysis around regulatory thresholds (operational resilience, supply chain integrity, cybersecurity governance).
The question supports informed decision making without creating liability through overstatement.
The fusion process will now correlate these signals, evaluate hypotheses, assess legal implications, and determine whether escalation is required.
This scenario demonstrates that orientation is about noticing unusual signals, and question formation comes only after noticing anomalies and patterns to justify deeper inquiry.
Step 2: Scoping, prioritization, structuring, normalization.
Step 2A, broad scoping: After the question is formed in Step 1, the analyst gathers all potentially related inputs, across all domains:
- cyber
- supply chain
- finance
- logistics
- geopolitical
- reputational
- operational
- insider behavior
- physical security
- third-party providers
At this stage, you do NOT try to exclude anything. Everything that has even a remote connection is brought into a temporary high latitude analytical frame.
Be careful! Hybrid campaigns are deliberately designed to appear unrelated, dispersed and ambiguous. This means hybrid threat actors intentionally create noise, ambiguity, false positives, parallel distractions, cross domain irregularities, and long time gaps between signals.
If an organization excludes too much too early, it risks missing the hybrid pattern, misclassifying early stage operations, underestimating materiality, failing to notify regulators, or failing to escalate internally.
Step 2B, tiered relevance assessment.
This is the step that replaces simplistic exclusion. Instead of excluding early, analysts classify inputs into tiers of relevance:
Tier 1, directly relevant. Signals are strongly linked to the analytical question.
Tier 2, indirectly relevant. Signals might be relevant if interconnected.
Tier 3, contextually relevant. For example, macro level geopolitical, regulatory, or economic developments.
Tier 4, currently irrelevant but retained. Signals that appear irrelevant now, but must be retained, because they could become relevant later, or because hybrid operations can activate dormant signals after days or weeks. This tier is what saves analysts from missing early hybrid stages. Nothing is truly excluded yet. These signals are deprioritized, but kept.
Step 2C, structured preparation.
After the broad scoping (Step 2A) and tiered relevance assessment (Step 2B) are complete, the analyst has a large set of signals across multiple domains. It includes cyber indicators, supply chain anomalies, legal events, financial irregularities, geopolitical developments, reputational narratives, operational disruptions, and insider signals.
Before these can be fused and analyzed, they must be put into a structured, standardized, legally defensible form. This is the purpose of Step 2C, structured preparation.
It transforms raw, heterogeneous, and multi domain signals into a coherent analytical dataset that fusion can work with. It includes:
2C1. Timestamping. Analysts must assign to each signal a precise and consistent timestamp.
Hybrid campaigns rely on timing. Events appear weak in isolation but meaningful in sequence. Without uniform timestamps, correlations collapse or become legally unreliable. Time order reconstruction is essential for attribution, incident classification, breach reporting, and litigation defense.
Timestamping ensures that fusion can identify escalation patterns, synchronized events, pre attack reconnaissance phases, and cross domain timing alignment (like cyber + supply chain + media).
In legal contexts, unclear timing invalidates evidence and questions diligence.
2C2. Entity alignment. This means mapping all signals to consistent entities. It includes persons, companies, suppliers, IP addresses, domains, physical assets, functions, jurisdictions.
Hybrid threats often exploit the fragmentation of identity. They use shell companies, proxies, third-party vendors, cloud infrastructure, and fake online identities.
Entity alignment answers the core question: “Which signals belong to the same actor, asset, or vulnerability?”
2C3. Chain of custody recording. Every piece of data must be recorded in a way that preserves origin, collection method, handling steps, transformations applied, who accessed it, and when.
This is essential for regulatory audits (DORA regulation, NIS2 directive, financial regulations), litigation, forensic integrity, internal accountability, and for defending decisions before a board or supervisory authority.
If chain of custody breaks, the fusion output becomes unreliable, and our conclusions may be legally challenged. Hybrid intelligence assessments must be forensically sound.
2C4. Reliability grading. Not all data is equal. Each signal must be graded for source reliability (how trustworthy is the source?), and information credibility (is the data itself credible?). We can use any system, as long as it is consistent.
Fusion must not treat rumor and telemetry as equal. Legal defensibility requires showing that analytical conclusions weighted sources appropriately. Reliability affects hypothesis testing and attribution confidence.
A high volume stream of low reliability information is less significant than a single high credibility forensic artifact.
2C5. Legal sensitivity tagging.
Each piece of information must be tagged according to legal constraints, such as:
- contains personal data (for GDPR compliance obligations, for example).
- contains privileged information.
- contains regulated financial data.
- obtained under NDA or secrecy obligations.
- dual use or export controlled information.
- contains classified indicators.
- triggers sector specific duties (banking, energy).
Hybrid fusion must respect data protection laws, jurisdictional restrictions, privilege rules, export control, confidentiality, and contractual limits.
Legal sensitivity tagging prevents the analysis from breaking the law while conducting fusion. This is crucial for organizations operating in regulated spaces.
2C6. Source categorization. This means classifying each signal by its nature and domain: Forensic telemetry, cyber threat intelligence, supply chain intelligence, financial signals, geopolitical intelligence, open source intelligence, internal reports, insider behavior, media narratives, physical security alerts.
Categorization helps the fusion step correlate across domains and detect cross domain patterns. It also helps identify weak points, for example when all anomalies cluster around procurement, or when disruption appears in both cyber and logistics.
In Step 2C, the organization takes all the signals and imposes order, structure, and legal integrity.
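One way to apply the six parts of Step 2C to incoming records, as an added example that is not part of the original page. The field names, the alias table, the two character grade format (source A-F, information 1-6) and the SHA-256 hash chain used for custody are assumptions chosen for illustration, and the sample records are constructed.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed alias table for entity alignment (2C2): many names, one entity.
ALIASES = {
    "acme logistics gmbh": "supplier:acme-logistics",
    "acme-logistics.example": "supplier:acme-logistics",
    "198.51.100.7": "asset:cloud-auth-01",
}
# Assumed grading scheme (2C4): source reliability A-F, credibility 1-6.
SOURCE_GRADES, INFO_GRADES = "ABCDEF", "123456"

@dataclass(frozen=True)
class Signal:
    observed_at: datetime   # 2C1: timezone-aware, always UTC
    entity: str             # 2C2: canonical entity id
    category: str           # 2C6: domain of the source
    grade: str              # 2C4: for example "B2"
    legal_tags: frozenset   # 2C5: handling constraints
    custody: tuple          # 2C3: hash-chained handling log

def to_utc(raw: str) -> datetime:
    """Parse ISO 8601 and refuse timestamps without an explicit offset."""
    ts = datetime.fromisoformat(raw)
    if ts.tzinfo is None:
        raise ValueError(f"ambiguous timestamp, no UTC offset: {raw!r}")
    return ts.astimezone(timezone.utc)

def _digest(obj) -> str:
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def custody_entry(prev: str, actor: str, action: str, content) -> dict:
    """One handling step; 'prev' links it to the entry before it."""
    entry = {"prev": prev, "actor": actor, "action": action,
             "content_sha256": _digest(content)}
    entry["entry_hash"] = _digest(entry)
    return entry

def verify_custody(chain) -> bool:
    """Recompute every link; an edited or reordered entry breaks the chain."""
    prev = "0" * 64
    for entry in chain:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev"] != prev or _digest(body) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True

def normalize(raw: dict, analyst: str) -> Signal:
    """Apply 2C1-2C6 to one raw record; unknown entities are kept, not dropped."""
    g = raw["grade"]
    if len(g) != 2 or g[0] not in SOURCE_GRADES or g[1] not in INFO_GRADES:
        raise ValueError(f"unknown reliability grade: {g!r}")
    key = raw["entity"].strip().lower()
    entity = ALIASES.get(key, f"unresolved:{key}")
    when = to_utc(raw["time"])
    collected = custody_entry("0" * 64, raw["collector"], "collected", raw)
    aligned = custody_entry(collected["entry_hash"], analyst, "normalized",
                            {"entity": entity, "utc": when.isoformat()})
    return Signal(when, entity, raw["category"], g,
                  frozenset(raw.get("legal_tags", ())), (collected, aligned))

# Constructed sample inputs: same supplier, two spellings, two time zones.
RAW = [
    {"time": "2025-03-04T09:15:00+01:00", "entity": "ACME Logistics GmbH",
     "category": "supply_chain", "grade": "B2", "collector": "procurement-desk"},
    {"time": "2025-03-04T03:20:00-05:00", "entity": "acme-logistics.example",
     "category": "cyber", "grade": "A1", "legal_tags": ["personal_data"],
     "collector": "mail-gateway"},
]
SIGNALS = [normalize(r, analyst="analyst-1") for r in RAW]
```

After normalization the two records resolve to the same supplier and sit five minutes apart in UTC, a proximity their local timestamps (09:15 and 03:20) hide.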
Step 3. Preliminary analytical modelling and hypothesis construction.
Once the raw, chaotic signals have been broadly scoped (Step 2A), tiered by relevance (Step 2B), and transformed into a structured stable foundation for intelligence (Step 2C), the analyst has a coherent body of inputs. But structured data is not knowledge.
In Step 3, analysts:
1. Identify and examine emerging patterns across domains.
The analyst examines the structured signals to identify temporal patterns, geographic clusters, repeated behaviors, multi domain coincidences, escalation sequences, deviations from baselines, and relationships between entities.
This is not yet full fusion, but an initial scan for analytic significance.
Example: A phishing attempt at procurement, a supplier delay, and a foreign news disinformation narrative aligned in time suggest a potential early multi domain hybrid signature.
2. Interpret signals in light of the question formed in Step 1.
Step 1 produced a legal-analytical question. Step 3 begins to test that question conceptually.
For example, if the Step 1 question is “Is this an early hybrid disruption of our supply chain?”, then Step 3 examines whether the structured indicators could plausibly be consistent with such a pattern.
3. Generate multiple working hypotheses. This is the most important function of Step 3. It reflects best practices in counterintelligence, financial intelligence, military intelligence, and internal investigations. It prevents single track thinking, which is fatal in hybrid threat detection.
Examples of working hypotheses:
Hypothesis A, coordinated hybrid activity. The signals show early coordinated interference involving cyber, supply chain, and reputational domains.
Hypothesis B, opportunistic cybercrime. The phishing is routine criminal activity, and the other anomalies are unrelated.
Hypothesis C, operational coincidence. The delays are logistical, the spikes are misconfigurations, and the media story is irrelevant.
Hypothesis D, internal system failure, incorrectly appearing as threat activity. The cause may be internal misalignment or error.
Hypothesis E, external actor mapping vulnerabilities without executing a campaign yet. Reconnaissance phase of a future operation.
The point of this step is not to choose the true hypothesis. It is to map the plausible explanation space.
4. Assign confidence levels to each hypothesis. Each hypothesis receives a low, medium, or high plausibility score, or an analytic confidence level based on structured data.
Confidence levels reflect the supporting indicators, source reliability (from Step 2C), coherence across domains, absence or presence of contradictions, and timing patterns.
These are not final judgments. They are early assessments. This is crucial for briefing senior management, determining need for escalation, and legal defensibility.
Supervisors ask: “How did you judge plausibility?” This step provides the answer.
5. Identify analytical gaps: what is missing? Every hypothesis raises questions. What additional evidence would confirm or weaken it? What must be collected next? Which domain is underrepresented? Which supplier or system must be examined? Which legal exposure must be clarified?
This step transforms intelligence analysis into actionable direction. It feeds back into collection priorities, monitoring rules, investigative focus, requests for additional information, and engagement with third parties or regulators.
6. Identify the legal and regulatory implications of each hypothesis. The analyst asks:
- Would this require incident notification?
- Would this trigger operational resilience duties?
- Would this affect market stability?
- Would failure to escalate expose the organization to liability?
- Are there any sanctions, export controls, or legal prohibitions involved?
7. Produce an interim analytic narrative. At the end of Step 3, the analyst produces a structured summary, the competing hypotheses, the confidence levels, the gaps and next steps, and the legal exposure assessment.
This is a pre fusion analytic output, not a final intelligence product. It prepares the terrain for Step 4.
Step 4. Fusion.
Fusion integrates everything produced by Steps 1, 2, and 3, and transforms it into defensible intelligence.
Step 4 consists of three major internal components:
4A, cross domain correlation. Correlation clarifies whether events reinforce each other, sequences show escalation, domains show synchronized disruption, and anomalies cluster around specific assets or processes.
Correlation alone cannot answer whether a hybrid operation is occurring. That requires deeper analysis.
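The correlation in 4A, run over signals that Step 2C has already normalized; this is an added example, not code from the original page. The 48 hour window, the three domain threshold, the letter grades and the `focus` field (the asset or process a signal was aligned to) are assumptions, and the sample signals are constructed from the scenario in Step 1.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def utc(day, hour):
    return datetime(2025, 3, day, hour, tzinfo=timezone.utc)


# Constructed signals: UTC time, domain, aligned focus, source grade (A best).
SIGNALS = [
    # spear phishing aimed at procurement
    {"utc": utc(3, 22), "domain": "cyber", "focus": "process:supply-chain", "grade": "A"},
    # unexplained shipment delay
    {"utc": utc(4, 8), "domain": "logistics", "focus": "process:supply-chain", "grade": "B"},
    # anonymous rumor, lowest reliability
    {"utc": utc(4, 12), "domain": "geopolitical", "focus": "process:supply-chain", "grade": "F"},
    # misleading article on supply chain ethics
    {"utc": utc(4, 19), "domain": "reputational", "focus": "process:supply-chain", "grade": "C"},
    # authentication spike on a cloud server
    {"utc": utc(4, 2), "domain": "cyber", "focus": "asset:cloud-auth-01", "grade": "A"},
    # payment irregularity more than two weeks later
    {"utc": utc(20, 10), "domain": "finance", "focus": "process:supply-chain", "grade": "B"},
]


def cross_domain_clusters(signals, window=timedelta(hours=48),
                          min_domains=3, worst_grade="C"):
    """Report each focus where at least `min_domains` distinct domains, each
    backed by a signal graded `worst_grade` or better, fall inside one
    sliding time window. The result is a candidate for hypothesis testing,
    not a finding."""
    by_focus = defaultdict(list)
    for s in signals:
        by_focus[s["focus"]].append(s)
    clusters = []
    for focus, items in sorted(by_focus.items()):
        items.sort(key=lambda s: s["utc"])
        best, start = None, 0
        for end, current in enumerate(items):
            while current["utc"] - items[start]["utc"] > window:
                start += 1  # slide the left edge of the window forward
            group = items[start:end + 1]
            # Low reliability signals stay in the window but do not count
            # toward the domain threshold.
            domains = {s["domain"] for s in group if s["grade"] <= worst_grade}
            if len(domains) >= min_domains and (
                    best is None or len(domains) > len(best["domains"])):
                best = {"focus": focus, "domains": domains,
                        "first": group[0]["utc"], "last": current["utc"],
                        "signals_in_window": len(group)}
        if best:
            clusters.append(best)
    return clusters
```

On the sample data only the supply chain process is reported, with cyber, logistics and reputational signals inside 21 hours; the rumor is present in the window but does not raise the domain count, and the later payment irregularity falls outside it.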
4B, hypothesis testing.
This is where fusion becomes analytical. Using the hypotheses from Step 3, we:
- Test each hypothesis against the full set of correlated, structured data.
- Identify which hypotheses gain support.
- Identify which lose credibility.
- Identify contradictions or insufficient evidence.
This step strengthens or weakens initial interpretations and often leads to hypothesis refinement, hypothesis elimination, or the emergence of new hypotheses.
4C, adversarial interpretation and legal qualification. Hybrid threats always involve intent, strategy, and legal exposure. In this step, analysts consider adversarial interpretation. What could the adversary be attempting? Is there evidence of shaping operations? Does this pattern align with known hybrid campaigns? Is the objective disruption, espionage, coercion, destabilization, market manipulation, or supply chain control? Are the timelines or domains consistent with strategic adversarial behavior?
Legal qualification is critical for compliance and defensibility:
- Does the pattern reach regulatory materiality thresholds?
- Does it trigger sector specific reporting?
- Does it invoke operational resilience duties?
- Does it raise issues under sanctions, export control, data protection, or critical-infrastructure law?
- Are there contractual implications?
- Does the evidence support escalation to authorities?
- Would failure to act be legally risky?
Now we are ready to proceed to step 3, interpretation.
LEGAL DISCLAIMER. The information contained herein is provided for general informational, educational, and conceptual purposes only. It does not constitute, and must not be construed as, legal advice, regulatory advice, or any other form of formal advisory service. No legal, regulatory, fiduciary, or professional relationship must be created through the use, distribution, or interpretation of this material.
Laws, regulations, supervisory expectations, industry standards, and evidentiary rules vary significantly across jurisdictions and sectors. Applications of the principles, frameworks, and concepts described herein may differ depending on local legal requirements, organisational structures, regulatory mandates, contractual obligations, and sector specific compliance regimes. The material may not be appropriate, sufficient, or applicable to every jurisdiction or circumstance.
Legal entities and professionals must seek independent advice from qualified legal counsel licensed in the relevant jurisdiction before making any decisions, taking any action, or relying on any information contained in this document. No representation or warranty, express or implied, is made regarding the accuracy, completeness, reliability, or suitability of this material for any specific particular purpose, entity, or situation. We expressly disclaim any and all liability arising from reliance on the content, including but not limited to actions taken or not taken, errors or omissions, or any direct, indirect, incidental, consequential, or punitive damages.
References to regulatory concepts, legal doctrines, or governance practices are presented solely for educational discussion and do not constitute authoritative statements of law. Where examples are provided, they are illustrative in nature and do not describe actual events, individuals, or organisations. By accessing, using, or distributing this material, you acknowledge and agree that you are solely responsible for obtaining appropriate professional advice and for ensuring compliance with all applicable laws and regulations.

This website is developed and maintained by Cyber Risk GmbH as part of its professional activities in the fields of risk management and regulatory compliance.
Cyber Risk GmbH specializes in supporting organizations in understanding, navigating, and implementing complex European, U.S., and international risk related regulatory frameworks.
Content is produced and maintained under the professional responsibility of George Lekatis, General Manager of Cyber Risk GmbH, a well known expert in risk management and compliance. He also serves as General Manager of Compliance LLC, a company incorporated in Wilmington, NC, with offices in Washington, DC, providing risk and compliance training in 58 countries.