RRetelnistRequest a briefing →
How-to Guides

How to Run a Cognitive Security Assessment for a Government Department

A step-by-step methodology for scoping, executing, and reporting a cognitive security assessment for a government department or public institution — from surface mapping to CWPI baseline establishment.

By Retelnist Operations TeamMay 26, 2026

Who This Guide Is For

This guide is written for StratCom officers, information security leads, and national resilience programme managers who need to conduct a structured cognitive security assessment of a government department, ministry, or public institution.

An assessment of this type answers three questions: What narratives are currently targeting this institution or its policy area? How effective are those narratives? What is the baseline CWPI for this environment?

Step 1: Define the Assessment Scope

Before monitoring any platform, define the scope with precision. Vague scope produces vague findings.

Key scope dimensions:

  • Policy areas: Which ministries, policy domains, or legislative issues are in scope? (e.g., energy policy, NATO membership, migration, defence budget)
  • Geographic target: Which population(s) are the potential targets of influence operations in this scope?
  • Time horizon: What is the assessment period? We recommend a minimum 90-day window for baseline establishment, with a 30-day intensive monitoring phase.
  • Platform selection: Which platforms are primary vectors for your target population? (In most EU contexts: Telegram, Facebook, X, YouTube; in Balkan contexts, add TikTok and Viber)

Document the scope in writing and get sign-off from the commissioning authority before beginning. Scope creep is the leading cause of delayed assessments.

Step 2: Establish Keyword and Entity Lists

Build three lists:

  1. Primary keywords: The institution name, minister names, policy-specific terminology, official programme titles. These are high-signal; everything in this list gets monitored.
  2. Narrative seeds: Known talking points and framing devices used by actors hostile to the institution's policy area. Sourced from previous assessment reports, open-source intelligence, or allied StratCom units.
  3. Adjacent context: Broader terms that contextualise the policy area. Lower priority, used for trend analysis rather than primary monitoring.

Lists should be reviewed weekly by a domain expert who understands the policy area. Adversaries update their vocabulary; your keyword lists must keep pace.

Step 3: Configure Platform Coverage

In Retelnist, configure monitoring channels for each platform in scope:

  • Telegram: Add public channels and groups known to carry relevant content. Include both pro-adversary channels and mainstream news channels for baseline comparison.
  • X/Twitter: Keyword and hashtag monitoring. Include account-level monitoring for known amplifiers.
  • Facebook: Public page and group monitoring where accessible via CrowdTangle or equivalent.
  • RSS/news: Add primary national news outlets and known partisan outlets across the spectrum.

Cross-platform coverage is not optional. Narratives routinely originate on one platform and migrate to another as they gain traction. A single-platform view will miss the majority of the amplification chain.

Step 4: Run the Baseline Period (30 Days)

Do not draw conclusions from the first week of data. Establish a 30-day baseline to understand what normal looks like for this environment before identifying anomalies.

During the baseline period:

  • Record daily narrative volume across all monitored channels
  • Tag any emerging narrative clusters with initial DISARM technique codes
  • Note any contextual events (elections, policy announcements, crises) that might explain volume spikes
  • Calculate rolling mean and standard deviation for V(x,t) components

At the end of 30 days, you have a statistical baseline against which all subsequent measurements are compared. Anomalies are defined as deviations greater than 2 standard deviations from baseline — this threshold can be adjusted for higher-sensitivity environments.

Step 5: DISARM Tagging and Narrative Mapping

For each identified narrative cluster, conduct DISARM Red v2 tagging. This is analyst work — not automated. Retelnist surfaces candidate clusters; analysts confirm and tag.

A fully tagged narrative cluster record includes:

  • Narrative summary (2–3 sentences describing the claim and framing)
  • First observed date and platform
  • Peak velocity date and platform
  • DISARM technique tags (typically 3–8 per cluster)
  • V(x,t) score at time of tagging with confidence interval
  • Identity coupling assessment (low / medium / high)
  • Actor attribution confidence (low / medium / high / confirmed)

Step 6: Generate the CWPI Report

After the active monitoring period, compile the Cognitive Warfare Presence Index report. This is the primary deliverable for the commissioning authority.

A CWPI report includes:

  1. Executive summary — CWPI score (0–100 normalised scale), trend direction, top 3 narratives by effect score
  2. Methodology section — scope, platform coverage, baseline period, statistical approach
  3. Narrative inventory — full tagged catalogue of detected narratives with V(x,t) scores
  4. Effect analysis — which narratives are driving actual belief-shift, with evidence
  5. Recommendations — prioritised counter-narrative and pre-bunking recommendations based on effect scores
  6. Appendix — raw data tables, confidence interval methodology, DISARM tag definitions

Step 7: Briefing and Handoff

Schedule a structured briefing with the commissioning authority. Cognitive security findings can be alarming to non-specialists; the briefing should lead with what is not a problem (low-effect narratives) before addressing what is. This prevents overreaction to noise and focuses attention on genuine threats.

Leave the commissioning authority with three things: the CWPI baseline, the top-priority counter-narrative recommendations, and a monitoring cadence recommendation for ongoing coverage.

Back to How-to Guides