Most security teams are not blind to influence operations. They see the signals, but they see them late: content already spreading, impersonation already live, narratives amplified. By then, the early-stage indicators – cloned domains, coordinated account creation, AI-generated content being tested – have been visible for weeks on platforms their security stack doesn’t collect from. The problem is structural. These early signals originate on platforms outside a standard security stack’s collection scope — social media, ad networks, open web forums. They don’t map to existing detection categories, and fall between organisational functions. This gap exists equally inside government agencies, national CERTs, critical infrastructure operators, and Fortune 500 enterprises. Drawing on three documented European cases, this session examines why early-stage signals fall through the cracks and presents a practical model for connecting them to the workflows security teams already operate.
