Field Note: The Spies Have Entered the Chat

It began like a hundred other assignments, a client preparing for an overseas trip, and a quiet request to keep things controlled.

The founder of a fast-growing tech company had been invited to speak at a government conference in Cairo. Smart cities, infrastructure, all the right buzzwords. It was the kind of event that could raise his profile and attract the kind of attention his investors wanted. The board liked the optics. His general counsel wasn’t so sure.

Someone had leaked parts of his itinerary online. A few messages appeared in the darker corners of the web, nothing overt but enough to make them uneasy. That’s when they called me.

At first it looked like a standard protective brief, movement routes, venues, local risk, embassy coordination. I built the threat picture the usual way: physical, political, cyber, and informational layers all mapped together. Cairo isn’t the kind of place where you improvise. You prepare, or you fall behind the moment the wheels touch down.

But in the middle of all that planning, I almost missed it.

Buried in a long email thread between his staff and the conference organizers was a name that didn’t belong. A single CC line. The domain was private, encrypted, like Proton, but not. No public record, no traceable host, no affiliation with the event.

It was the kind of small detail you only notice if you’ve stared at enough of them before. It didn’t fit the pattern. It felt like tradecraft.
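The check described above, an address in a thread whose domain belongs to neither the client's organisation nor the event organiser, is simple to automate so that it does not depend on someone happening to stare at the right CC line. The following is an added example and is not code from the field note or its author; the messages, addresses and domains in it are constructed for illustration, and the allowlist of expected domains is an assumption a real team would replace with its own.

```python
"""Flag unexpected participants in an email thread.

Added example, not part of the original field note. Every message,
address and domain below is constructed. The check it performs is the one
the note describes: list every From/To/Cc participant across a thread and
raise any address whose domain is outside the set of organisations that
are supposed to be in the conversation.
"""
from collections import Counter
from email import message_from_string
from email.utils import getaddresses

# Constructed sample thread: three messages between the client's staff and
# the conference organiser. The third one carries a CC that matches
# neither side.
SAMPLE_THREAD = [
"""From: chief.of.staff@client-example.com
To: programme@conference-example.org
Cc: counsel@client-example.com
Subject: Keynote logistics

Confirming arrival on the 14th.
""",
"""From: programme@conference-example.org
To: chief.of.staff@client-example.com
Cc: counsel@client-example.com
Subject: Re: Keynote logistics

Noted. Draft schedule attached.
""",
"""From: programme@conference-example.org
To: chief.of.staff@client-example.com
Cc: counsel@client-example.com, liaison@secure-relay-example.net
Subject: Re: Keynote logistics

Adding our liaison for the site visit.
""",
]

# Assumed allowlist: the only organisations that belong in this thread.
EXPECTED_DOMAINS = {"client-example.com", "conference-example.org"}


def participants(raw_message):
    """Return (header, display_name, address) for every From/To/Cc entry."""
    msg = message_from_string(raw_message)
    found = []
    for header in ("From", "To", "Cc"):
        for name, addr in getaddresses(msg.get_all(header, [])):
            if addr:
                found.append((header, name, addr.lower()))
    return found


def domain_of(addr):
    """Domain part of an address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower()


def flag_unexpected(thread, expected_domains):
    """Return one record per address whose domain is outside the allowlist.

    Each record notes which message and header the address first appeared in
    and how many messages it appeared in overall, so a reviewer can see at a
    glance whether it is a late, one-off addition to the thread.
    """
    seen = Counter()
    first_seen = {}
    for idx, raw in enumerate(thread):
        for header, _name, addr in participants(raw):
            seen[addr] += 1
            first_seen.setdefault(addr, (idx, header))
    flagged = []
    for addr, count in seen.items():
        if domain_of(addr) not in expected_domains:
            idx, header = first_seen[addr]
            flagged.append({
                "address": addr,
                "domain": domain_of(addr),
                "first_seen_message": idx,
                "header": header,
                "messages": count,
            })
    return flagged


if __name__ == "__main__":
    for hit in flag_unexpected(SAMPLE_THREAD, EXPECTED_DOMAINS):
        print(f"review: {hit['address']} ({hit['domain']}) first in message "
              f"{hit['first_seen_message']} via {hit['header']}, "
              f"present in {hit['messages']} of {len(SAMPLE_THREAD)} messages")
```

The output is a review queue, not a verdict: an unfamiliar domain may be a legitimate subcontractor, which is why the record carries where and how often the address appeared rather than a score. The same function runs over an exported mailbox once the allowlist is built from the organisations actually party to the trip.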

I reached out to a contact overseas, someone who still kept track of this sort of thing. A few hours later, the answer came back simple and quiet: that domain had appeared in previous traffic linked to a foreign intelligence service, one known to operate through commercial and academic partnerships.

It changed everything.

Up until that point, the focus was on physical risk: routes, drivers, visibility. Now it wasn’t about his safety on the ground. It was about what might be stolen from him in the air.

We restructured the plan overnight.

Nothing sensitive left the United States. No proprietary data, no drives, no removable media. His presentation was stripped of substance, still accurate, but sanitized. All his real work stayed in encrypted cloud systems, accessible only through verified channels we could control remotely.

From that point on, we treated surveillance as a certainty, not a possibility. Devices were isolated, travel communications compartmentalized, and every connection overseas filtered through intermediaries we trusted.

The conference came and went without incident. The client gave his talk, took questions, shook hands, and flew home none the wiser. To him, it was a successful trip. To us, it was something else, a close call that never had to become one.

When we returned, the board asked for a deeper look. We built what I called a whole-of-life audit, every connection, every account, every association that touched the founder or his family. It took months. The result was a security study that mapped his exposure not just online or in travel, but across his entire professional footprint.

What I remember most about that case isn’t the threat itself. It’s how close we came to overlooking it. One email in a string of dozens. A single digital footprint out of place.

It’s the kind of detail you only see if you’ve spent enough time staring into the noise, waiting for something small to move the wrong way.
