Blog
Why DISARM Tagging Matters in Coordinated Influence Operations
Coordinated influence operations are rarely a single tactic executed once. They are campaigns: planned, repeated actions designed to shape beliefs or behaviors through manipulation. The DISARM Red Framework helps practitioners classify these actions consistently so teams can communicate findings, compare cases, and design mitigations.
Tagging logic is the practical skill of mapping observed behaviors (posts, accounts, assets, and activity patterns) to tactics (what is being done) and, where possible, to more specific techniques or sub-techniques (how it’s being done). The goal is not to “label everything,” but to create an accurate, defensible description of the operation that supports response decisions.
This guide walks you through a repeatable process to tag tactics in a coordinated influence operation using DISARM-style logic.
Step 1: Define the Unit of Analysis (What Exactly Are You Tagging?)
Before choosing any tactic tags, decide what your “thing” is:
- Single artifact (one post, one video, one meme)
- Actor/account (a persona, channel, or network node)
- Activity cluster (a burst of coordinated posting)
- Campaign segment (a phase with a clear objective)
For most professional workflows, you’ll tag at two levels:
- Artifact-level tags for specific content items (high precision, evidence-based)
- Campaign-level tags for aggregated behaviors across time (better for strategy and reporting)
Actionable tip: Create a simple naming convention like Campaign > Phase > Cluster > Artifact so each tag can be traced to a stable scope.
Step 2: Collect Evidence That Supports a Tactic Claim
Tactics are easiest to mis-tag when evidence is thin. Build a minimal evidence pack for each cluster:
- Content evidence: text, imagery, talking points, narrative themes
- Behavioral evidence: timing, volume, repetition, copy/paste patterns
- Network evidence: coordination signals (shared links, synchronized posting, mutual amplification)
- Operational evidence: infrastructure reuse, persona reuse, cross-platform staging
Actionable tip: For each candidate tactic, write one sentence: “We observed X, which indicates Y, because Z.” If you can’t complete that sentence without guessing intent, keep the tag tentative.
Step 3: Separate “What” (Tactic) From “Why” (Objective)
A common error is tagging based on inferred motive rather than observed behavior. DISARM-style tagging works best when you:
- Tag observable actions first
- Add hypothesized objectives later (and label them as hypotheses)
For example, “spreading conflicting claims” is an observable tactic pattern. “Undermining trust in institutions” may be the objective, but it requires stronger contextual justification.
Actionable tip: Use two fields in your notes:
- Tactic tags (evidence-based)
- Assessment notes (interpretive)
Step 4: Identify the Campaign Stage to Narrow Candidate Tactics
Influence operations tend to follow stages. While real campaigns are messy, stage-thinking helps narrow tagging options.
A practical stage lens:
- Prepare: build assets, personas, credibility, access
- Position: seed narratives, test messages, infiltrate communities
- Amplify: drive reach via networks, repetition, or paid/boosted distribution
- Exploit: trigger offline effects, mobilize, harass, suppress, or disrupt
- Adapt: evade enforcement, pivot narratives, reconstitute assets
How to use this: If you’re analyzing newly created accounts with profile backstories and slow posting, you’re likely in Prepare/Position. If you’re seeing coordinated bursts and cross-posting, you’re likely in Amplify. If you’re seeing targeted intimidation or calls to action, you’re likely in Exploit.
Step 5: Tag Tactics by Observable Signals (A Field Checklist)
Use the checklist below to map evidence to likely tactic categories. You’re not trying to force a perfect fit; you’re trying to capture the dominant behaviors.
A) Persona and Asset Development (Prepare/Position)
Look for:
- Fresh accounts with detailed biographies, consistent “life story,” and staged authenticity
- Content that builds legitimacy: personal anecdotes, community participation, non-political posts
- Reused profile photos, naming conventions, or templated bios across multiple accounts
Tag when you can show:
- A structured effort to create, mature, or disguise identities/assets
- Behavior consistent with long-term positioning rather than spontaneous posting
B) Narrative Construction and Message Engineering (Position)
Look for:
- Repeated talking points, slogans, or frames across accounts
- Emotional hooks: fear, disgust, outrage, moral condemnation
- Selective context, misleading comparisons, or reframing of events
Tag when:
- The content is crafted to shape interpretation, not just share information
C) Community Infiltration and Relationship Building (Position/Amplify)
Look for:
- Engagement targeted at specific groups, hashtags, or communities
- Attempts to become moderators, organizers, or “trusted voices”
- Mimicry of local slang, cultural references, or insider language
Tag when:
- You can show consistent effort to gain access and influence within a community
D) Amplification and Coordination (Amplify)
Look for:
- Synchronized posting windows, sudden volume spikes
- Mutual boosting: retweets/shares in a ring, coordinated replies
- Cross-platform “handoffs” where one platform seeds and another amplifies
- Reposting the same asset with minor edits (watermarks, cropped images, altered captions)
Tag when:
- There is evidence of organized distribution beyond organic spread
E) Deception, Manipulation, and Obfuscation (Across stages)
Look for:
- Impersonation of institutions or public figures
- Fabricated evidence (altered screenshots, doctored media)
- Inconsistent identity signals (language mismatches, time-zone anomalies)
- Claim laundering: reposting a falsehood as “just asking questions” or “someone said”
Tag when:
- The operation relies on misrepresentation as a functional component
F) Suppression, Harassment, and Disruption (Exploit)
Look for:
- Brigading, dogpiling, coordinated reporting, mass replies to intimidate
- Doxing threats, targeted intimidation, or efforts to silence voices
- Calls to boycott, disrupt events, or overwhelm hotlines/inboxes
Tag when:
- The goal appears to be reducing participation, chilling speech, or disrupting processes
G) Evasion and Resilience (Adapt)
Look for:
- Rapid reconstitution after takedowns, backup accounts, mirrored channels
- Language shifts, coded terms, or slight narrative pivots to avoid moderation
- Migration to new communities/platforms while retaining the same network behavior
Tag when:
- You see countermeasures designed to sustain the operation under pressure
Step 6: Resolve Ambiguity With a “Primary vs. Secondary” Tagging Method
Most clusters exhibit multiple tactics. Avoid tag sprawl by using:
- Primary tactic: the behavior driving the effect in this cluster
- Secondary tactics: supporting behaviors that enable or enhance the primary
Example:
- Primary: Coordinated amplification
- Secondary: Narrative framing, persona development, evasion
Actionable tip: Limit secondary tags to what you can defend with direct evidence. If a tactic is plausible but unproven, mark it as candidate.
Step 7: Document Tagging Decisions So Others Can Reproduce Them
Tagging is only as useful as it is explainable. For each tagged cluster, record:
- Evidence excerpt(s): representative posts or assets
- Behavior summary: what happened, when, and by whom
- Why this tactic fits: your “X indicates Y because Z” sentence
- Confidence level: low/medium/high, based on evidence quality
- Alternatives considered: what you ruled out and why
Actionable tip: Use a consistent template. Consistency reduces internal disputes and speeds up peer review.
Step 8: Validate With Peer Review and Counterfactual Checks
Before finalizing, run two quick checks:
- Peer review: Can a colleague apply your notes and arrive at the same tag?
- Counterfactual: Could the observed behavior be explained by organic activity or fandom dynamics?
If the counterfactual explanation remains strong, consider:
- Lowering confidence
- Narrowing scope (artifact-level tags only)
- Waiting for more evidence before assigning campaign-level tags
Step 9: Turn Tags Into Actionable Outputs
Tagging isn’t the end; it supports decisions. Use tags to drive:
- Detection: build queries for coordination patterns, repeated narratives, asset reuse
- Disruption: prioritize takedown targets (coordination hubs, key amplifiers, infrastructure)
- Resilience: prepare for evasion tactics (backup accounts, codeword shifts)
- Reporting: communicate clearly to stakeholders using stable, non-ambiguous labels
Actionable tip: Map each primary tactic to a response playbook. For example, amplification tactics often warrant network-level interventions, while harassment tactics require safety escalation and victim support workflows.
A Practical Tagging Workflow You Can Implement This Week
- Set scope: pick one campaign segment and define your unit(s) of analysis
- Build evidence packs: content + behavior + network notes
- Assign stage: prepare/position/amplify/exploit/adapt
- Apply primary/secondary tags: only what evidence supports
- Write defensible rationales: “X indicates Y because Z”
- Add confidence levels: and list alternatives considered
- Peer review: revise tags until reproducible
- Operationalize: convert tags into detection and response steps
When consistently applied, DISARM-style tagging logic becomes a shared language across analysts, investigators, and responders—making coordinated influence operations easier to identify, compare, and mitigate.