Part 04 — Source Evaluation Without Institutional Context


Source evaluation is where independent intelligence work most visibly diverges from institutional practice. An analyst inside a service grades a source against a stack of priors the open-domain practitioner will never see — recruitment files, polygraph history, prior reporting compared against ground truth, technical authentication of intercepts, the upstream chain that produced a piece of imagery. Strip that backstop away and the grading problem changes shape. This chapter is about working that problem honestly: what you can still know, what you can no longer claim, and how to write products that survive scrutiny when the only thing standing behind your source assessment is your own reasoning.

The thesis of the chapter is simple. The independent analyst must be more explicit about source uncertainty than the institutional analyst, not less, because the analyst is also the vetting apparatus. Confidence ceilings exist. They should be visible in your products.


1. The Institutional Advantage in Source Evaluation

What the independent practitioner is missing is not a single capability but an entire apparatus. It is worth naming the components so the deltas are explicit.

HUMINT vetting infrastructure. Inside a national service, a HUMINT source carries an identity verified through documentation review, biometric capture, background investigation, and — for sustained relationships — polygraph and ongoing motivation assessment. The case officer maintains a written record of every claim the source has made, scored retrospectively against confirmed facts and against reporting from other sources unknown to the principal. A new analyst inheriting a source file inherits years of structured ground-truth scoring. The independent analyst working off a Telegram channel, a Substack, or a leaked-document drop has none of this. Identity is typically a handle. Motivation is an inference. Prior performance is whatever you can reconstruct from the public record, which is itself filtered by the same source you are trying to grade.

SIGINT authentication. Communications intercepts inside a service arrive with a chain that includes the technical means of collection, an authentication assessment (was this a real conversation between the claimed parties, or a deception transmission?), and — for any product cleared for release — analyst notes on linguistic, contextual, and behavioral consistency with prior collection on the same target. The open-domain equivalent is a leaked transcript or a public statement. The independent analyst can sometimes authenticate via stylistic comparison, voice analysis, or platform metadata, but cannot authenticate against a multi-year collection baseline.

GEOINT exploitation chain. A national imagery product is the end of a chain that begins with classified satellite tasking, includes sensor calibration data, and ends with a trained imagery analyst applying tradecraft against a target the agency has been collecting on for years. Commercial imagery — Planet, Maxar, Sentinel, Capella — is genuinely transformative for the independent analyst, but it is not the same product. Revisit rates are lower, resolution is bounded, and the analyst typically lacks the comparison stack that lets the institutional GEOINT analyst flag “this looks normal for this site at this time of year” versus “this is anomalous.”

Counterintelligence overlay. Every institutional source assessment is filtered through a counterintelligence layer that asks, structurally, whether the source has been turned, whether the reporting is a deception channel, and whether collection is being shaped by the adversary’s awareness of the collector. The independent analyst is exposed to the same threat — adversaries actively plant material into open-domain collection — but lacks the dedicated CI function and the access to other-source ground truth that lets the institutional CI officer flag inconsistencies.

The implications for tradecraft are direct.

  • Source reliability assessments are probabilistic and structural. Reliability is a function of the source’s observable track record, the structural incentives shaping the source’s output, and the corroboration available to you — never of verified identity, vetted motivation, or authenticated access. This is not a softer claim. It is a different kind of claim, and it should be communicated as such in your products.
  • The analytical burden shifts onto explicit uncertainty. Where the institutional analyst can carry confidence on the strength of unseen vetting, the independent analyst’s confidence has to be earned visibly. A reader of your product should be able to reconstruct, from the citations and the source notes, why you rate the underlying material the way you do. If they cannot, you have not done the work of source evaluation; you have hidden it.
  • Confidence ceilings on source-dependent claims. This is the single most important operational rule in this chapter. When your best available source is a Telegram channel, a corporate filing, a single state-media report, or an unverified leak, “High confidence” on intentions claims is almost never epistemically defensible. Capability claims grounded in physical indicators — imagery of a deployed platform, a verified procurement document, a confirmed deployment via geolocation — admit higher confidence. Intent claims — what an actor means to do — require either explicit on-the-record statements at decision-making level or a convergence of behavioral indicators across independent channels.

Operational ceiling — independent OSINT. Single-source intent claims: cap at “Moderate confidence.” Multi-source intent claims with convergence: cap at “Moderate-to-High.” “High confidence” on intent should be reserved for cases with explicit decision-level on-the-record statements and corroborating behavioral indicators.


2. Admiralty Code / 5×5×5 Without Agency Priors

The Admiralty Code (formalized in NATO Allied Joint Publication AJP-2.1 / Allied Administrative Publication doctrine) and the UK 5×5×5 evaluation system remain the field standard for source grading. Both are usable by independent analysts, but the absence of institutional priors changes what the grades mean in your hands. This section gives the working adaptation.

2.1 The Admiralty Code — refresher

The Admiralty Code is a two-axis grading system: source reliability (A–F) and information credibility (1–6).

Source reliability:

| Grade | Label | Standard meaning |
|---|---|---|
| A | Completely Reliable | Source of unquestioned integrity; long history of confirmed reliable reporting |
| B | Usually Reliable | Source with prior reporting record largely confirmed |
| C | Fairly Reliable | Source with some prior reporting record, mixed |
| D | Not Usually Reliable | Source with frequent prior failures or significant doubts |
| E | Unreliable | Source with established record of unreliable reporting or motivation to deceive |
| F | Reliability Cannot be Judged | Insufficient track record to grade |

Information credibility:

| Grade | Label | Standard meaning |
|---|---|---|
| 1 | Confirmed by Other Sources | Independently corroborated by sources of demonstrated reliability |
| 2 | Probably True | Consistent with other reporting, plausible, fits known patterns |
| 3 | Possibly True | Not corroborated but plausible; not inconsistent with known facts |
| 4 | Doubtful | Not corroborated; possible but not probable |
| 5 | Improbable | Contradicts other reporting; implausible |
| 6 | Truth Cannot be Judged | Insufficient basis to assess |

2.2 The 5×5×5 expansion

The UK 5×5×5 system (used in National Intelligence Model contexts and adapted in policing intelligence) extends the Admiralty Code with a third axis — handling/dissemination — and collapses reliability and credibility to 1–5 scales. For independent practice the third axis is largely irrelevant (you are typically your own handler), but the explicit intent assessment baked into 5×5×5 reliability grading is useful and should be carried forward.

2.3 The independent-analyst adaptation

The hard truth for independent practitioners is that Grades A and B require an observable track record that almost no open source can demonstrate to the satisfaction of a careful analyst. The standard requires:

  • A sustained reporting history — operationally, 12+ months of consistent, verifiable output at a non-trivial frequency
  • Multiple instances where the source’s reporting was independently confirmed by sources whose reliability you have separately assessed
  • Demonstrated methodology transparency — the source explains how it obtains and verifies its material
  • No structural conflict of interest that would systematically bias output

Applied honestly, Grade A should be extremely rare in independent OSINT. Almost no open source — including outlets the field treats as gold-standard — fully meets the institutional bar for “completely reliable, unquestioned integrity, long history of confirmed reliable reporting.” Grade B is achievable. The default for an unknown but plausible source is C or F, not B.

2.4 Practical grading table — common open-source categories

The following is an operational starting point. Always grade individual sources, not categories — these are anchors, not assignments.

| Source category | Reliability | Credibility (per item) | Notes |
|---|---|---|---|
| State media — Western liberal democracies, official PR function (e.g., MoD press desks, State Department briefings) | B–C | 2–3 depending on corroboration | First-hand for the state’s declared position; not factual reporting of underlying events. Editorial independence varies by outlet and topic. |
| State media — authoritarian/hybrid systems (RT, CGTN, PressTV, IRNA, TASS, Xinhua) | E | 2–5 | Structural motivation to deceive. Treat as primary statement of the state’s preferred narrative; never as factual reporting; never as sole corroboration. Label [state-aligned] or [primary, state]. |
| Independent investigative consortiums (OCCRP, ICIJ, Bellingcat, Forensic Architecture, Meduza, iStories) | B–C | 1–3 | Methodology disclosure is the discriminator. Strong outlets publish their evidence trail. Grade per investigation, not per outlet. |
| Major international wire services (Reuters, AP, AFP, Bloomberg) | B | 2–3 | Fact-checking infrastructure is real; speed-vs-accuracy tension is also real. Breaking-news first reports degrade reliability. |
| National outlets of record (FT, NYT, WSJ, Le Monde, Der Spiegel, El País) | B–C | 2–3 | Strong on home-country and developed-economy coverage; weaker and slower on grey-zone and conflict-zone reporting where they rely on stringers. |
| Telegram / social media — war-zone reporting | D–E | 3–5 | Identity unverifiable, motivation unknown, no editorial oversight. Useful as raw collection; never as standalone evidence. Apply Berkeley Protocol verification before any use in product. |
| Official documents — corporate filings, court records, government releases | A–B for existence of the document; C–D for accuracy of content | 2–4 | Documents can lie. SEC filings, court pleadings, and government press releases are primary sources for what was filed/said, not for the underlying facts asserted. |
| Commercial satellite imagery (Planet, Maxar, Sentinel, Capella) | A–B for physical indicators visible in imagery | N/A for interpretation | The imagery itself is high-reliability for what it shows. The analyst’s interpretation of what it means is a separate confidence call. |
| Academic peer-reviewed research | B–C | 2–3 | Assess individual papers, not the category. Methodology, sample, peer-review quality, funding disclosure all matter. Replication record where available. |
| Think-tank reports | B–C | 2–3 | Per-organization methodology standards and funding disclosure are the discriminators. Funding source ≠ disqualifying, but undisclosed funding is. |
| Leaked-document repositories (DDoSecrets, ICIJ leaks, archived dumps) | C–F | 2–4 | Authentication of the leak is a precondition. Content authentication is per-document. Some leaks have been adversarially curated. |
| Open data / official statistics (national statistical agencies, central banks, IMF/World Bank) | A–B | 1–3 | High reliability for what the issuing body publishes; lower confidence for content from authoritarian states where statistical agencies are politically captured. |
| NGO / human-rights reporting (HRW, Amnesty, ICG, regional rights orgs) | B–C | 2–3 | Strong methodology in mature organizations; regional and country-specialist orgs vary widely. Mandate bias is structural — does not invalidate, but should be noted. |

Worked example — applying the grading.

Claim: A specific Russian Iskander-M battery deployed to the Kaliningrad oblast in March 2026.

Sources:

  • Telegram channel “Rybar” reporting the movement, with imagery. Grade: D, 3 — identity of operators is known but state-aligned; imagery requires independent verification; channel has prior corroborated reporting but also prior placed-information episodes.
  • Sentinel-2 imagery showing apparent military convoy along claimed route, timestamp consistent with Rybar claim. Grade: A, 2 — imagery is the imagery; interpretation of convoy composition is a separate call.
  • A Lithuanian MoD press release confirming “increased Russian military activity” in adjacent areas. Grade: B, 2 — state primary source, no incentive to fabricate, but vague claim does not directly confirm Iskander-M specifically.
  • A Reuters wire citing “Western officials” describing the movement. Grade: B, 2 — anonymous sourcing degrades, but consistent with other reporting.

Aggregate finding: Capability claim (Iskander-M battery presence) supportable at Moderate confidence — physical-indicator imagery converges with multi-source reporting. Intent claim (escalatory signaling vs. routine rotation) is Low-to-Moderate confidence and requires explicit caveating in any product.

This is the level of source-by-source grading work that should sit behind every product paragraph that makes a non-trivial claim. In practice, full Admiralty grading on every citation is too expensive; the working rule is to apply explicit grading to the sources that carry the load of the analytical argument, and to apply category-default grading to everything else. See Source Verification Framework for the full SOP on running this process at scale.


3. State-Aligned and State-Controlled Outlets

State-aligned and state-controlled media are the most common source-evaluation failure point in geopolitical OSINT. The failure mode is treating them as ordinary news outlets that happen to be biased, when they are in fact a different kind of source entirely — primary statements of state position dressed in the form of journalism.

This is not a binary distinction. Real-world media ecosystems exist on a spectrum from direct state control through structural capture to genuine independence, and the spectrum is itself unstable — outlets move along it as ownership, regulation, and economic conditions shift.

3.1 The spectrum

Pure state outlets. Direct government ownership and editorial control. Russia’s RT and TASS; PRC’s CGTN, Xinhua, and CCTV (and the English-language editions of People’s Daily and Global Times, which operate under Party editorial supervision); Iran’s PressTV and IRNA; North Korea’s KCNA. These outlets are not journalism in the operational sense — they are state instruments with a journalistic form factor. The correct analytical treatment:

  • Use as primary source for the state’s declared position, the preferred narrative, the line being pushed at a given moment, and — significantly — the inconsistencies between what is said for domestic audiences versus international ones.
  • Never use as factual reporting of contested events.
  • Never use as sole corroboration for any claim.
  • Label explicitly in all products: [state media], [state-aligned], [primary, state]. Never [primary, authoritative].

State-adjacent / captured outlets. Privately owned (often through opaque structures) but operating under structural pressure: ownership ties to state-aligned business interests, dependence on state advertising, legal jeopardy under broad media laws, editorial pressure short of outright dictation. Examples vary by jurisdiction and time — Hungarian outlets after the 2010s media consolidation, large segments of Turkish print and broadcast media post-2016, Russian outlets that survived the post-2022 crackdown by adapting editorial line, much of the PRC-adjacent Chinese-language press in third countries. Case-by-case assessment: who owns it, what is their relationship to state interests, what is the editorial track record on contentious topics?

Nominally independent outlets in authoritarian environments. Outlets that operate as journalism but under conditions where coverage of certain topics carries real legal or physical risk. Self-censorship here is a structural feature, not an individual failure of nerve. The analytically important point: coverage gaps are themselves data. When a credible domestic outlet in an authoritarian environment systematically does not cover a topic that one would expect it to cover, that is a signal about either the topic’s sensitivity or the outlet’s red lines. Do not read absence of coverage as absence of event.

Independent outlets-in-exile. Outlets that have relocated to escape domestic pressure — Meduza (Russian, in Latvia), the Insider, iStories, Novaya Gazeta Europe, Apple Daily’s diaspora successors, multiple Iranian outlets in London and Washington. These can be high-reliability for the geographies they cover, but operate under access constraints (no in-country reporters, reliance on diaspora and signal-intercept sources) that should be flagged.

Genuinely independent commercial media in open environments. The mainstream Western press, the major wire services, the strong national outlets of record. Subject to the standard biases of commercial media — speed pressure, ideological tilt of editorial pages, advertising and ownership relationships — but operating in environments where independent reporting is structurally possible.

3.2 The EN-vs-native-language divergence problem

For PRC and Russian state media in particular, there is a consistent and analytically significant gap between what is published in the source language and what appears in English-language translation. The English-language outputs of fmprc.gov.cn, the People’s Daily English edition, and Xinhua’s English wire are systematically moderated compared to their Chinese-language counterparts. The same holds for the Russian and English versions of kremlin.ru and of TASS. The framing delta is itself an intelligence product:

  • Domestic-language version carries the line intended for the regime’s core audience — typically more strident, more explicit on grievances, more direct on threats.
  • English-language version carries the line tailored for international audiences — typically more moderate, with more emphasis on legitimate-grievance framing, more careful on direct threats.

Operationally, this means non-native-language primary sourcing is mandatory for any serious analysis of PRC, Russian, or Iranian state communication. The framing delta — what was said for domestic audiences that did not make it into the English version, or vice versa — is a recurring analytic finding in influence-operations and signaling analysis. See the standing multi-lingual OSINT rule in the series methodology and the actor→language tier mapping in the project memory.

3.3 Operational rules for state-media handling

  1. Label every state-media citation with the explicit tag. No ambiguity.
  2. Cite what the source demonstrates — the state’s position, the preferred narrative, the line being pushed — separately from any factual claim.
  3. Source factual claims independently — never on state media alone, regardless of whether the state in question is friendly or adversarial.
  4. For any state-actor analysis of substance, read the original language where the actor’s primary language is not English. Flag framing deltas explicitly.
  5. Treat coordinated messaging as a signal: when state outlets across an actor’s ecosystem (Russia: TASS + RIA Novosti + RT + Sputnik + MFA + MoD) push synchronized framing inside a narrow window, that synchronization is itself the finding — a deliberate messaging operation. See Cognitive Warfare and Maskirovka for the doctrinal frame.
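
One way to surface the synchronization described in rule 5, as an added example that is not part of the original manual: a sliding-window check over dated items from one actor's outlets. The item list is constructed, and the framing labels, the six-hour window and the four-outlet threshold are assumptions an analyst would tune.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample items: (outlet, UTC timestamp, framing label assigned by the analyst).
ITEMS = [
    ("TASS",        "2026-03-10T06:05", "nato-provocation"),
    ("RIA Novosti", "2026-03-10T06:40", "nato-provocation"),
    ("RT",          "2026-03-10T07:15", "nato-provocation"),
    ("Sputnik",     "2026-03-10T08:00", "nato-provocation"),
    ("MFA",         "2026-03-10T09:30", "nato-provocation"),
    # Same framing spread over days: ordinary recurring coverage, not a burst.
    ("TASS",        "2026-03-01T10:00", "sanctions-backfire"),
    ("RT",          "2026-03-04T15:00", "sanctions-backfire"),
    ("Sputnik",     "2026-03-08T09:00", "sanctions-backfire"),
    ("RIA Novosti", "2026-03-12T12:00", "sanctions-backfire"),
    # One outlet repeating itself: volume without cross-outlet synchronization.
    ("TASS",        "2026-03-11T08:00", "routine-exercise"),
    ("TASS",        "2026-03-11T08:20", "routine-exercise"),
    ("TASS",        "2026-03-11T08:45", "routine-exercise"),
    ("TASS",        "2026-03-11T09:10", "routine-exercise"),
]


def synchronized_bursts(items, window_hours=6, min_outlets=4):
    """Per framing, return the widest set of distinct outlets publishing inside one window."""
    by_framing = defaultdict(list)
    for outlet, ts, framing in items:
        by_framing[framing].append((datetime.fromisoformat(ts), outlet))
    window = timedelta(hours=window_hours)
    bursts = []
    for framing, posts in by_framing.items():
        posts.sort()
        active = Counter()   # outlet -> number of its posts currently inside the window
        start = 0
        best = None
        for when, outlet in posts:
            active[outlet] += 1
            # Slide the left edge until the window spans at most window_hours.
            while when - posts[start][0] > window:
                left = posts[start][1]
                active[left] -= 1
                if active[left] == 0:
                    del active[left]
                start += 1
            # Distinct outlets matter, not post volume.
            if len(active) >= min_outlets and (
                best is None or len(active) > len(best["outlets"])
            ):
                best = {
                    "framing": framing,
                    "first": posts[start][0],
                    "last": when,
                    "outlets": sorted(active),
                }
        if best:
            bursts.append(best)
    return bursts


if __name__ == "__main__":
    for burst in synchronized_bursts(ITEMS):
        span = burst["last"] - burst["first"]
        print(burst["framing"], len(burst["outlets"]), "outlets within", span)
```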

4. The Berkeley Protocol Framework

The Berkeley Protocol on Digital Open Source Investigations, published by the UC Berkeley Human Rights Center and the UN Office of the High Commissioner for Human Rights (OHCHR) in 2020 and updated since, is the field standard for the verification and documentation of digital open-source evidence intended for legal or quasi-legal proceedings. Every independent analyst working in conflict zones, accountability investigations, or domains that may produce evidence for legal action needs to know this framework — and to know when full Berkeley Protocol compliance is required versus when lighter procedures suffice.

The detailed methodological treatment of the Protocol lives in Geolocation Methodology and the broader Source Verification Framework. This section gives the operational frame for when and why the independent analyst applies it.

4.1 Core principles

The Protocol organizes verification around three pillars:

  • Authenticity. Is this artifact what it purports to be? Has it been manipulated? Is the provenance traceable?
  • Accuracy. Does the artifact accurately represent what it claims to show? A real image can still be misrepresented — wrong date, wrong location, mislabeled actors.
  • Reliability. Is the source from which the artifact was obtained trustworthy? This is the Admiralty-Code question, applied at the artifact level.

And around three operational requirements:

  • Documentation. Chain of custody from acquisition to product, including who obtained the artifact, when, how, and any transformations applied.
  • Preservation. The artifact and its metadata must be preserved in original form. Hash the original. Store separately from any working copy.
  • Provenance. The history of the artifact prior to your acquisition — original publisher, prior re-shares, edits along the way.

4.2 When full Berkeley Protocol standards apply

Apply full Berkeley Protocol-compliant procedures — including hashed preservation, structured metadata extraction, time-stamped acquisition logs, and chain-of-custody documentation — for any investigation that may produce evidence used in:

  • International Criminal Court (ICC) proceedings or other international tribunal submissions
  • Universal jurisdiction prosecutions (Germany, Sweden, Argentina, France, others) for war crimes, crimes against humanity, or genocide
  • UN Commissions of Inquiry or Fact-Finding Missions
  • National-level war-crimes or terrorism prosecutions
  • Formal regulatory or sanctions-evidence submissions (OFAC, EU sanctions packages, national export-control bodies)
  • Corporate due-diligence reports that may enter litigation
  • Civil-society accountability work where artifacts may later be requested by prosecutors

For ordinary geopolitical analysis intended for newsletters, briefings, or strategic-assessment products, lighter verification suffices — but the structure of Berkeley Protocol thinking (authenticity / accuracy / reliability; documentation / preservation / provenance) should be habitual. You do not need to hash every image in a weekly brief. You should know how, for the ones that matter.

4.3 Independent-analyst constraints

There are points at which the Berkeley Protocol assumes resources the independent analyst may not have:

  • Long-term preservation infrastructure. The Protocol assumes durable storage with integrity verification over years. The independent analyst should at minimum maintain hashed copies of any artifact used in product, stored in a separately-versioned location (not in the working vault), with acquisition metadata logged.
  • Forensic specialist access. The Protocol acknowledges that deep manipulation analysis (Error Level Analysis, deep-fake detection, advanced metadata forensics) may require specialist tools. For independent practitioners, the working stack is: ExifTool, InVID/WeVerify, FotoForensics, Ghiro for static analysis; SunCalc and Sentinel Hub for temporal and geolocation cross-check; yt-dlp for video acquisition with metadata. Beyond this, refer out — and document the limit of your in-house verification capability.
  • Legal review. The Protocol assumes a workflow that includes legal counsel for evidence destined for proceedings. Independent investigations producing artifacts that may be used in legal contexts should engage with the receiving organization’s legal function early.
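
The hashed, separately stored copy with logged acquisition metadata described above, as an added example that is not part of the Protocol or the original manual. The JSON-lines log format, its field names and the hash chaining between entries are assumptions of this example.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Stream the file so large video artifacts do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _entry_hash(entry):
    """Hash of one log entry in canonical JSON form (sorted keys, no whitespace)."""
    blob = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def _read_log(log_path):
    if not os.path.exists(log_path):
        return []
    with open(log_path, encoding="utf-8") as fh:
        return [json.loads(line) for line in fh if line.strip()]


def preserve(original, store_dir, log_path, source_url, collector):
    """Hash the original, copy it into the store under its hash, append an acquisition record."""
    digest = sha256_file(original)
    os.makedirs(store_dir, exist_ok=True)
    stored = os.path.join(store_dir, digest + os.path.splitext(original)[1])
    if not os.path.exists(stored):
        shutil.copy2(original, stored)   # copy2 keeps filesystem timestamps
        os.chmod(stored, 0o444)          # read-only: analysis happens on a working copy
    log = _read_log(log_path)
    entry = {
        "sha256": digest,
        "stored_as": os.path.basename(stored),
        "original_name": os.path.basename(original),
        "size_bytes": os.path.getsize(stored),
        "source_url": source_url,
        "collector": collector,
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        # Chaining to the previous entry makes silent edits to the log detectable.
        "prev_entry_sha256": _entry_hash(log[-1]) if log else None,
    }
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def verify(store_dir, log_path):
    """Re-hash every preserved artifact and re-walk the log chain; return a list of problems."""
    problems = []
    prev = None
    for n, entry in enumerate(_read_log(log_path), start=1):
        if entry["prev_entry_sha256"] != prev:
            problems.append(f"entry {n}: log chain broken")
        prev = _entry_hash(entry)
        stored = os.path.join(store_dir, entry["stored_as"])
        if not os.path.exists(stored):
            problems.append(f"entry {n}: artifact missing")
        elif sha256_file(stored) != entry["sha256"]:
            problems.append(f"entry {n}: artifact hash mismatch")
    return problems


if __name__ == "__main__":
    # Constructed artifact and placeholder URL, written to a temporary directory.
    work = tempfile.mkdtemp()
    sample = os.path.join(work, "frame_0001.jpg")
    with open(sample, "wb") as fh:
        fh.write(b"constructed sample bytes")
    store = os.path.join(work, "evidence")
    log = os.path.join(work, "acquisition.jsonl")
    print(preserve(sample, store, log, "https://example.org/post/1", "analyst-1"))
    print("problems:", verify(store, log))
```

Keep the store and the log outside the working vault, and record the latest entry hash somewhere the store's owner cannot rewrite, since a chain only proves integrity relative to a trusted head.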

5. Digital Evidence Verification Methodology

The technical procedures below are the working toolkit for image, video, and document verification at the independent-analyst level. They do not replace the full Source Verification SOP — see Source Verification Framework — but they constitute the minimum competence floor.

5.1 Image verification

  1. Reverse image search, parallel-engine. Google Reverse Image, TinEye, and Yandex Images return different result sets; Yandex is often superior for Russian-language and Eastern European content and for finding earlier reposts that Google has deprioritized. Run all three. Use the earliest verifiable appearance to anchor the timeline.
  2. Metadata extraction. ExifTool (exiftool <file>) extracts embedded Exif, IPTC, XMP, and proprietary tags. Look for GPS coordinates (rare but decisive when present), creation timestamp, camera model and serial, software-edit history. Note that uploading to most major platforms strips metadata — original-file metadata typically only survives in direct shares, leaked dumps, and some messenger platforms.
  3. Manipulation detection. FotoForensics (Error Level Analysis), Ghiro (batch forensic analysis), InVID/WeVerify browser extension (combined keyframe extraction, metadata, reverse search). ELA is not a definitive test — modern manipulation evades it — but consistent ELA patterns combined with other indicators raise or lower confidence.
  4. Geolocation. Extract visible landmarks (signage, distinctive architecture, terrain features, vegetation, vehicle plates). Cross-reference against Google Maps and Bing Maps (often different satellite capture dates — useful for temporal cross-check), Sentinel Hub for free recent imagery, OpenStreetMap for street-level features. Where shadows are visible, SunCalc gives sun azimuth and elevation for any date/time/location — this is decisive for either confirming or breaking a claimed location and time.

5.2 Video verification

  1. Acquisition and keyframe extraction. yt-dlp for download and embedded metadata; InVID/WeVerify for browser-based keyframe extraction and per-frame reverse search. Preserve the original file before any analysis — hash it.
  2. Reverse search on keyframes. The same parallel-engine approach as for images, applied to each significant frame.
  3. Date verification via environmental cross-check. Weather Underground and the historical weather archives provide ground-truth weather for any location and date — a video claiming a sunny day in Mariupol on a date when the location was overcast fails this check. Sun position via SunCalc gives time-of-day verification independent of any claim.
  4. Audio analysis. Ambient sound (artillery types, vehicle signatures, broadcast IDs picked up in background) can be diagnostic. Language and dialect analysis — accent, regional vocabulary, military jargon — can confirm or refute claimed-origin assertions when handled with appropriate caveats.
  5. Continuity and editing analysis. Frame-level inspection for cuts, splices, and re-encodings. Multiple re-encodes (visible in metadata and in compression artifacts) indicate the video has passed through several hands — this is not disqualifying, but it reduces confidence in any embedded metadata claims.

5.3 Document verification

The verification approach for documents differs from images and video in one key respect: the document can be authentic and the contents still false. A genuine corporate filing can contain fraudulent statements; an authentic government press release can contain deliberate misinformation. Document verification has to address both axes.

  • Source chain. How was this document obtained? By whom? What is the chain of custody between origin and your acquisition? Documents that emerge through leak repositories (DDoSecrets, ICIJ collaboration leaks) carry a chain that is sometimes documented; documents that appear via anonymous social-media posts carry essentially no chain.
  • Content consistency. Internal dates, organizational language, official markings, formatting, signature blocks — consistent with known-authentic documents from the same organization? Reference samples are essential. Build a reference library of authentic documents from organizations you investigate repeatedly.
  • Metadata. Document properties (author, creation date, software version, edit history) accessible via ExifTool, PDF metadata viewers, or Office document inspector. A “leaked Russian MoD document” allegedly created in 2023 but with embedded metadata showing creation in Microsoft Word with a Cyrillic author field and a timestamp consistent with the claimed event is one finding; the same document with metadata showing creation in LibreOffice in 2024 with a Latin-script author field is a different finding.
  • Independent confirmation. Has another credible source independently obtained or verified this document? Multiple-channel acquisition of the same document — through different chains, with different curators — raises authenticity confidence substantially.
  • Content corroboration. Do the document’s substantive claims align with independently observable facts? A leaked procurement order can be authenticated as a document and still contain inflated figures or fabricated line items intended to deceive.
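
The metadata comparison from the bullet above, as an added example that is not from the original manual: it reads author, creation time and producing application from a .docx container with the Python standard library only, and lists where they contradict the claimed origin. Both sample documents are constructed in memory, and the function names are hypothetical.

```python
import io
import unicodedata
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
MAX_PART = 1 << 20  # metadata parts are tiny; refuse anything larger (zip-bomb guard)


def _read_part(zf, name):
    """Parse one metadata part, treating the leaked file as untrusted input."""
    try:
        info = zf.getinfo(name)
    except KeyError:
        return None
    if info.file_size > MAX_PART:
        raise ValueError(f"{name}: unexpectedly large")
    data = zf.read(info)
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise ValueError(f"{name}: DTD or entity declaration in metadata part")
    return ET.fromstring(data)


def _text(root, path):
    if root is None:
        return None
    el = root.find(path, NS)
    return el.text.strip() if el is not None and el.text else None


def scripts_in(text):
    """Unicode scripts among the letters, taken from the first word of each character name."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in text or "" if c.isalpha()}


def docx_metadata(blob):
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        core = _read_part(zf, "docProps/core.xml")
        app = _read_part(zf, "docProps/app.xml")
    return {
        "creator": _text(core, "dc:creator"),
        "last_modified_by": _text(core, "cp:lastModifiedBy"),
        "created": _text(core, "dcterms:created"),
        "modified": _text(core, "dcterms:modified"),
        "application": _text(app, "ep:Application"),
    }


def compare_to_claim(meta, claimed_year, claimed_script, claimed_app):
    """Return the points where embedded metadata contradicts the claimed origin."""
    findings = []
    created = meta["created"]
    if created is None:
        findings.append("no creation timestamp (stripped or never set)")
    elif not created.startswith(str(claimed_year)):
        findings.append(f"created {created[:4]}, claim says {claimed_year}")
    scripts = scripts_in(meta["creator"])
    if scripts and claimed_script not in scripts:
        findings.append(f"author field is {'/'.join(sorted(scripts))}, expected {claimed_script}")
    app = meta["application"] or ""
    if claimed_app.lower() not in app.lower():
        findings.append(f"produced by {app or 'unknown'}, expected {claimed_app}")
    return findings


def make_docx(creator, created, application):
    """Build a constructed .docx container holding only the two metadata parts."""
    core = (
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
        f'xmlns:dcterms="{NS["dcterms"]}"><dc:creator>{creator}</dc:creator>'
        f"<dcterms:created>{created}</dcterms:created></cp:coreProperties>"
    )
    app = f'<Properties xmlns="{NS["ep"]}"><Application>{application}</Application></Properties>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples mirroring the two cases in the text.
    doc_a = make_docx("Иванов", "2023-05-14T09:12:00Z", "Microsoft Office Word")
    doc_b = make_docx("jsmith", "2024-02-02T18:40:00Z", "LibreOffice/7.6.4.1")
    for doc in (doc_a, doc_b):
        print(compare_to_claim(docx_metadata(doc), 2023, "CYRILLIC", "Microsoft"))
```

Embedded metadata is trivially editable, so an empty findings list only means the metadata fails to contradict the claim.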

6. The Absence of Evidence Problem

Absence of evidence is one of the harder source-evaluation problems, and one where the institutional vs. independent gap is structural. Institutional analysts can often explain an absence — a classified source confirms the negative, a no-tasking period covers the window in question, a sister service’s reporting fills the gap. Independent analysts cannot. Two failure modes follow.

Failure mode 1: treating absence as proof of absence. “I found no open-source reporting of X, therefore X did not occur.” This is invalid reasoning in the open domain. Open-source coverage is uneven, geographically biased, language-biased, and topic-biased. Many things happen that produce no open-source signal.

Failure mode 2: treating absence as meaningless. Equally wrong in the opposite direction. In well-monitored environments, the absence of expected indicator evidence is itself a significant data point. If the historical record shows that events of type X reliably generate observable signal Y in this environment, and Y is absent over a sustained period, that is a finding — not a non-finding.

6.1 When absence is analytically significant

A working decision framework:

  • The monitored environment has high historical coverage density for the type of event in question. (If X had occurred, it almost certainly would have produced observable signal — the geography is covered, the relevant social-media ecosystem is well-monitored, the official-document flow is observable.)
  • The absence is sustained, not a reporting-gap artifact. Single-day gaps are noise. Sustained gaps over weeks or months are signal.
  • Multiple independent collection channels all show the same absence. If your Telegram monitoring, your satellite imagery, your local-press monitoring, and your wire-service monitoring all return null on a topic that one would expect to generate signal in at least one of those channels, the convergent null is the finding.
  • The absence is anomalous against historical baseline. Events of this type in this environment have historically produced signal at frequency Z; the current observed frequency is materially lower.

6.2 How to write absence findings

Label absence-of-evidence reasoning explicitly. Do not let an absent-X claim live as an implicit assumption in your product. A working template:

No open-source reporting corroborates [claim X] over the period [date range]. Assessment is based on the historical coverage density of [source environment Y], which makes false negatives [unlikely / possible / likely]. The absence is therefore [moderate / weak / not significant] evidence against X. Confidence: [Low / Moderate].

This is not a verbose tic. It is the load-bearing structure that distinguishes a defensible negative finding from an indefensible one. A reader of your product should be able to evaluate, from the explicit framing, whether your absence reasoning is sound.
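The four tests in 6.1 and the template fields in 6.2 can be made mechanical. The sketch below is an added example, not part of the original manual. It assumes signal arrives as a Poisson process at the historical weekly rate and that channels are independent; the channel names, counts, and the `min_weeks` and `alpha` thresholds are constructed for illustration.

```python
import math

# Constructed sample data: weekly counts of signal for events of type X per
# collection channel (historical baseline), then the window under review.
BASELINE = {
    "telegram":    [4, 6, 5, 3, 7, 5, 4, 6],
    "local_press": [2, 1, 3, 2, 2, 1, 3, 2],
    "wire":        [1, 0, 1, 2, 1, 1, 0, 2],
    "imagery":     [0, 0, 1, 0, 0, 0, 1, 0],
}
QUIET_MONTH = {ch: [0, 0, 0, 0] for ch in BASELINE}

def p_chance_silence(history, weeks):
    """P(zero signal for `weeks`) if the baseline rate still held (Poisson assumption)."""
    rate = sum(history) / len(history)
    return math.exp(-rate * weeks)

def assess_absence(baseline, window, min_weeks=3, alpha=0.05):
    """Apply the four tests from 6.1; min_weeks and alpha are illustrative thresholds."""
    weeks = min(len(v) for v in window.values())
    silent = [ch for ch, v in window.items() if sum(v) == 0]
    # Coverage density and anomaly against baseline: keep only channels whose
    # silence would rarely happen by chance at their historical rate.
    informative = [ch for ch in silent
                   if p_chance_silence(baseline[ch], weeks) < alpha]
    sustained = weeks >= min_weeks            # not a single-day or single-week gap
    convergent = len(silent) == len(window)   # every channel returns null
    if not (sustained and convergent) or not informative:
        false_neg, weight = "likely", "not significant"
    elif len(informative) >= 2:
        false_neg, weight = "unlikely", "moderate"
    else:
        false_neg, weight = "possible", "weak"
    return {"weeks": weeks, "informative": sorted(informative),
            "false_negatives": false_neg, "evidence_against": weight,
            "confidence": "Moderate" if weight == "moderate" else "Low"}
```

The returned fields map onto the bracketed slots of the template; a low-rate channel such as the constructed `imagery` series never counts as informative because its silence is expected.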


7. Source Contamination and Adversarial Deception

The final layer of source evaluation is the one most easily underweighted by analysts who came up in conventional journalism: open-source environments are not passive. Adversaries actively shape what is available to be collected. They plant material, create inauthentic accounts, contaminate corroboration chains, and run sustained deception operations against the open-domain analyst community. Failing to model this is a tradecraft failure.

7.1 Adversary techniques in the open domain

Russian Maskirovka adapted for open-source environments. Russian military deception doctrine — historically applied to conceal capability, intent, and disposition from adversary intelligence — has been adapted to exploit the open-source collection environment that Western analysts and journalists rely on. Mechanisms include: coordinated release of false operational information through Telegram channels attributed to nominally Ukrainian sources but operated by Russian or Russian-aligned services; selective leaking of partial real information embedded in larger false context to anchor analyst attention on a deceptive frame; cultivation of long-running “milblogger” accounts that establish corroboration-grade credibility over months before being used to seed targeted false reporting at a moment of operational consequence. The recurring tell is timing: information that emerges precisely when it would most advantage a Russian operational objective, through channels that had not previously been on that topic.

PRC narrative seeding. Distinct in form. Less reliant on covertly-attributed channels, more reliant on shaping the upstream environment: funding of nominally independent think-tank work through intermediary organizations and university programs, cultivation of Western academic and commentator voices through access and platform incentives, large-scale production of low-quality but high-volume content (academic papers in pay-to-publish journals, op-eds in marginal outlets) that creates a citation environment supporting PRC-aligned framings. The grey zone between legitimate scholarship and influence operations is wider for the PRC than for Russia, and the analytical work is correspondingly harder. Funding-disclosure analysis is the primary defense.

Corporate-investigation contamination. Subjects of due-diligence and accountability investigations sometimes plant counter-narratives once they detect investigation is underway. Mechanisms: paid placement of favorable press in marginal outlets, fake-review and astroturf campaigns, SEO poisoning to bury negative results, coordinated complaints to platforms to suppress critical content, strategic litigation (SLAPP suits) against investigators. The defenses are temporal — establish a baseline of public information about the subject before investigation goes overt — and structural — track which positive-coverage sources emerged when.

Iranian and Iranian-aligned operations show a distinct pattern: heavy use of inauthentic personas across multiple platforms with cross-platform narrative coherence, frequently targeting diaspora and dissident communities. The pattern is well-documented in the Meta/Twitter/Google takedown disclosures from 2018 onward; treat any single-source narrative from a previously-unknown account in Iran-adjacent topic spaces with heightened skepticism.

7.2 Indicators of contamination

The diagnostic signals that should raise contamination concern:

  • Implausibly convenient timing. Information that emerges at precisely the moment when it advantages a specific actor’s operational or messaging objective. Not dispositive — sometimes events are convenient by accident — but a trigger for harder verification.
  • Synchronized appearance across nominally unrelated sources. Identical or near-identical narrative formulations appearing in multiple sources within a narrow time window. The coordination is itself the finding. See Cognitive Warfare for the doctrinal frame.
  • Sources without history suddenly becoming prolific. Accounts that posted sporadically for months and then begin producing high-volume, high-engagement content on a single topic in a single window are a classic operational signature.
  • Methodology opacity in newly-prominent sources. Sources that produce high-impact reporting without explaining how they obtained their material — especially when the material would require significant access to produce — should not be trusted at face value regardless of how plausible the content is.
  • Embedded partial truths. The most effective deception is real information adversarially framed. The presence of verifiable elements does not authenticate the overall claim.
  • Asymmetric corroboration. A claim corroborated only by sources that share a common upstream origin — multiple Telegram channels in the same ecosystem, multiple think-tank papers funded by the same intermediary — is not corroborated. Independence of corroboration is what matters, not count.

7.3 Counter-deception practice

The doctrinal frame is Maskirovka / Denial and Deception: assume that adversaries are actively trying to deceive your collection environment, and structure verification accordingly. Concretely:

  1. Cross-check across sources with demonstrably different motivations and collection environments. A claim corroborated by a Russian-aligned Telegram channel, a Western wire service, and a Ukrainian government statement carries more verification weight than the same claim corroborated by three Russian-aligned Telegram channels, even if the latter is a higher source count.
  2. Track temporal signatures. Build the habit of asking, on every significant claim: who benefits from this surfacing now? If the answer points cleanly at one actor, that is not disqualifying — but it is a flag.
  3. Maintain source-baseline files for the channels you rely on. When did the source emerge? What was its early-period reporting? Was that reporting confirmed? Did its volume, focus, or tone shift at a particular point? Sources that have demonstrated cross-period consistency are more trustworthy than sources with short or discontinuous histories.
  4. Apply Analysis of Competing Hypotheses as a routine counter-deception tool. ACH is structurally robust against single-source dominance — it forces evidence to be evaluated against multiple competing explanations, including the explanation that the evidence itself is fabricated.
  5. Be willing to under-call. Where contamination concern is meaningful and cannot be resolved, the honest move is to drop the confidence level or drop the claim. Independent analysts who consistently call high and are occasionally wrong build worse track records than analysts who call moderately and are occasionally right — and the latter survive longer in the field.
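The "asymmetric corroboration" indicator in 7.2 and the cross-check in step 1 above both reduce to counting independent origins rather than sources. The following is an added example, not part of the original manual: it clusters sources that share any documented upstream origin (directly or through a chain of shared origins) and reports the independent count. The source names, upstream labels, and alignment labels are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample registry: the upstream origins (ecosystem, repost feed,
# funder) and alignment an analyst has documented for each source.
SOURCES = {
    "tg_channel_a":  {"upstream": {"ecosystem_1"}, "alignment": "actor_R"},
    "tg_channel_b":  {"upstream": {"ecosystem_1", "feed_7"}, "alignment": "actor_R"},
    "tg_channel_c":  {"upstream": {"feed_7"}, "alignment": "actor_R"},
    "wire_service":  {"upstream": {"own_correspondent"}, "alignment": "wire"},
    "gov_statement": {"upstream": {"official_release"}, "alignment": "actor_U"},
    "new_account":   {"upstream": set(), "alignment": "unknown"},
}

def independent_groups(names, registry=SOURCES):
    """Cluster sources sharing any upstream origin, directly or transitively."""
    parent = {n: n for n in names}

    def find(n):
        while parent[n] != n:
            parent[n] = parent[parent[n]]  # path compression
            n = parent[n]
        return n

    first_seen = {}
    for n in names:
        for origin in registry[n]["upstream"]:
            if origin in first_seen:
                parent[find(n)] = find(first_seen[origin])
            else:
                first_seen[origin] = n
    groups = defaultdict(list)
    for n in names:
        groups[find(n)].append(n)
    return sorted(sorted(g) for g in groups.values())

def grade_corroboration(names, registry=SOURCES):
    """Count independent corroboration, not raw source count."""
    # A source with no documented upstream cannot be shown to be independent.
    documented = [n for n in names if registry[n]["upstream"]]
    groups = independent_groups(documented, registry)
    return {
        "source_count": len(names),
        "independent_groups": len(groups),
        "undocumented": len(names) - len(documented),
        "distinct_alignments": len({registry[n]["alignment"] for n in documented}),
        "asymmetric": len(names) > 1 and len(groups) <= 1,
    }
```

Three channels from one ecosystem grade as a single independent group, while one channel plus a wire service plus a government statement grade as three, which matches the weighting described in step 1.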

Closing — Source Evaluation as Continuous Discipline

Source evaluation in independent intelligence work is not a step in the process. It is the substrate the process runs on. Every collection decision, every analytical line, every product paragraph rests on prior source judgments. The discipline is to make those judgments visible — to the reader and to yourself — and to hold the confidence ceilings the open domain imposes.

The institutional analyst has an apparatus that does much of this work invisibly. The independent analyst is the apparatus. That is not a disadvantage in every dimension — the independent analyst is also free of the cognitive biases that institutional priors introduce — but it is a load that must be carried explicitly. The product that says “Moderate confidence, single state-media source, structural motivation to deceive, no independent corroboration” is doing the work. The product that says “High confidence” without showing the source stack is not.

The next chapter, Part 05 — Analysis Without Institutional Support, takes the source-graded material from this chapter forward into the analytic process itself: how independent analysts structure hypotheses, run ACH, handle the absence of red-team and devil’s-advocate functions, and produce analytic products that survive scrutiny.


Key Connections