Operational Security (OPSEC)

Operational security, almost always shortened to OPSEC, is a systematic process for denying an adversary the information they would need to act against you. NIST defines it as the process by which potential adversaries can be denied information about capabilities and intentions by identifying, controlling, and protecting generally unclassified evidence of sensitive activity. The discipline was formalized by a US military team during the Vietnam War, which discovered that enemy forces were anticipating operations not from leaked secrets but from patterns assembled out of seemingly harmless details.

The five-step loop

Classic OPSEC follows five steps: identify your critical information, analyze the threats against it, analyze your vulnerabilities, assess the risk those vulnerabilities create, and apply countermeasures. The insight that makes OPSEC powerful is that individually trivial data points, your routines, purchases, online handles, and offhand comments, can be aggregated into a complete and actionable picture.

OPSEC for sovereign Bitcoiners

For someone holding Bitcoin in self-custody, critical information might include the fact that you hold significant value, where your keys live, and your physical whereabouts. Threats range from remote attackers to physical coercion. Countermeasures include not broadcasting holdings, keeping financial identity separate from social identity, and being deliberate about what metadata your devices and transactions leak. OPSEC is a continuous habit, not a one-time configuration; your threat model and your countermeasures should be revisited as your circumstances change.

OPSEC is the umbrella over more specific practices such as compartmentalization and pseudonymity. Used together, they make you a smaller, harder target.