On 21 May 2025, a 31-year-old Chicago native Elias Rodriguez gunned down two Israeli Embassy employees outside Washington’s Capital Jewish Museum. Police pinned him to the pavement as he shouted, “Free, free Palestine!” — words that echoed months of online essays in which he praised “direct action” against “Zionist targets.”

Eleven days later, on a sun-soaked pedestrian mall in Boulder, Colorado, Mohamed Sabry Soliman ignited two Molotov cocktails and a backpack-mounted flamethrower, burning elderly demonstrators who had gathered to demand the release of Israeli hostages. Witnesses heard the same slogan — “Free Palestine!” — while investigators quickly uncovered a year-long YouTube binge on bomb-making tutorials and a Telegram archive filled with fantasies of setting “Zionists” alight.

These atrocities are horrifying, and there are indicators beforehand to help law enforcement and security professionals to flex resources for known events like the one in Boulder. In each case the perpetrators littered the internet with what counter-terrorism professionals call “leakage” — public signals of grievance, capability building and intent. Rodriguez’s Medium essays migrated from anti-war polemics to martyrs-in-waiting rhetoric; Soliman left a viewing record of how-to videos, bulk purchases of glass bottles, and rants on fringe chat channels. While some of this information requires compiling different forms of data and information, none of it required a warrant to access.

The pair joined a dismal roster of recent domestic terrorists who announced themselves online. In July 2024, Thomas Matthew Crooks searched Google for rally venues and posted the ominous Steam message “July 13 will be my premiere, watch as it unfolds” before firing at a campaign appearance for then-candidate Donald Trump in Butler, Pennsylvania. And on 13 April 2025, Cody Balmer scaled a fence at the Pennsylvania Governor’s residence and hurled petrol bombs while Gov. Josh Shapiro’s (D., Pa.) family slept inside — after years of social media posts featuring Molotov-cocktail embroidery and violent anti-government screeds.

Why do these digital sirens keep going unheard? Part of the answer is structural. Federal fusion centers and ISACs scour the web for foreign-directed jihadi plots, local police monitor gangs, and social-media companies focus on policy violations. No single operations center fuses disparate signals from all lifestyle apps, retail purchases and fringe forums. Keyword filters still rely on crude trigger words — “bomb,” “ISIS” — when today’s extremists cloak intent in euphemisms like “light the night” or “globalize Gaza.” Meanwhile, banks that flag suspicious bulk buys of accelerants rarely share those alerts with public-safety analysts.

Privacy concerns are real. Too many agencies treat open-source intelligence (OSINT) as a dashboard for after-action awareness rather than a feed for motive and intent. Precision — not dragnet surveillance — is what OSINT does best. It can chart a person’s, or a group’s, grievances trajectory in real time, spotlight a sudden surge in violent verbs, or correlate a spike in flamethrower tutorials with an unusual hardware purchase.

The PAI and subsequent OSINT products are not predictive policing and it takes a skilled analysts or investigators to make sense of the massive volume of data and information online today. It is an immensely underused tool in identifying key indicators of individuals and groups’ sentiment and intent. Used at the local level by state and local law enforcement with knowledge of the culture and lexicon can be a powerful tool in shifting resources to certain events and public soft targets when they arise.

What would it take to turn these raw clues into actionable warnings? First, law-enforcement and security teams should replace static watch-lists with behavioral-trajectory models that flag sentiment drift over weeks and months; a single tweet proves little, but a six-month pivot from protest memes to martyr worship is a flashing red light.

Second, cross-domain fusion must be made routine in the form of Information Sharing and Analysis Centers, or ISACs: when a user binge-watches incendiary guides and then buys thirty glass bottles, the correlation belongs in an analyst’s inbox — anonymized unless the risk score crosses a lawful threshold. The mix of financial intuitions, OSINT investigators, and law enforcement has proven successful time and time again.

Third, reverse-image search should be trained on high-value venues; a selfie from a museum rooftop hours after a political-event schedule goes live may not be innocent tourism, but surveillance — the first step in planning an operation.

Finally, guardrails matter: collect only public data, strip identifiers until necessary, log every query and publish the rules. The First Amendment protects every American with the freedom of speech, those violent actors use it frequently online and can be key indicators. While law enforcement and security professionals may not have all the pieces of the puzzle, but the more you know, the luckier you are. Measuring public sentiment through OSINT tools can tip off those who serve and protect to increase security around known events.

Congress can help by clarifying the statutory basis for preventive OSINT, much as Suspicious Activity Reports underpin financial-crime detection. Technology platforms must revive researcher-tier APIs for vetted threat analysts — even the ones with differing political view — with rate limits and audit trails, so that copy-and-paste manifestos are caught and archived before they migrate from Telegram to the town square or vice versa. Fusion-center budgets should include multilingual extremist-lexicon models tuned to domestic subcultures, not just jihadist jargon, and every new police cadet should graduate with basic digital-forensics literacy.

None of this requires mass surveillance because it can be found in PAI and refined through analysis and rapidly delivered to decision makers in the form of finished OSINT products at relatively low cost. It demands only the budgets to train and purchase necessary tools to connect open dots that killers scrawl across the internet before taking violent action. The victims in Washington, Boulder, Butler and Harrisburg paid the price. The data — and the tools — to spot their would-be successors before words turn to gunfire or flame exist today. The next move is up to us.

David Cook is a special operations veteran and OSINT expert.