Threat profile: high risk and full OpSec
You operate in an environment where a mistake has serious consequences. Full operational security, compartmentalisation, and minimal digital footprint.
This article is for people where digital mistakes can have serious personal, legal, or physical consequences. Think: people living under authoritarian governments, whistleblowers exposing state secrets, people who are being seriously threatened or surveilled, or anyone in an active legal conflict where digital evidence plays a role.
This is not a beginner article. The previous threat profiles are the foundation. This article builds on them.
Honesty first: No system is perfect. OpSec is a practice, not a destination. The question is not “am I 100% safe?” — that question has no answer. The question is: “am I making it expensive enough for my adversary?”
The difference from lower risk
At lower risk levels, it’s about protection against automated, mass threats. At high risk, it’s about targeted, sophisticated attacks — an adversary who is specifically looking for you and has resources to invest in that.
That changes the model fundamentally:
- One weak link is enough to undermine the entire system
- Metadata is just as dangerous as content
- Physical security is just as important as digital security
- Social engineering (manipulating people) is more effective than technical attacks
Core principles of full OpSec
1. Compartmentalisation
Every activity, identity, and device is separated. Your anonymous account must never be traceable back to your real name — not via an IP address, not via writing style, not via a shared contact.
2. Threat modelling
Know exactly who your adversary is, what they want, and what they’re capable of. A state actor with access to NSO Group tools is different from an angry ex-partner. Your security adapts accordingly.
3. Minimal footprint
Share as little information as possible. This applies to digital traces but also to what you tell whom.
4. Trust nothing blindly
No platform, no tool, no person is automatically trusted. Trust is something that is earned and verified.
Devices and infrastructure
Phone
- GrapheneOS — no equivalent alternative at this threat level. See the hardening guide for full configuration. (Currently on iPhone and can’t switch? At minimum enable Lockdown Mode (Settings → Privacy & Security → Lockdown Mode) — this is the iOS measure that most significantly reduces the attack surface for Pegasus-type attacks. See also iPhone privacy settings. Switch to GrapheneOS as soon as that becomes possible.)
- Auto-reboot every 6–18 hours — regular return to BFU (Before First Unlock) state
- USB fully disabled when charging wirelessly
- No SIM card for anonymous activities — use wifi-only with Tor or VPN
- Know the duress PIN (GrapheneOS: wipes device when entered)
- Physical camera cover if you don’t trust the hardware camera toggle
For anonymous activities: a separate phone, bought with cash, activated over wifi without your real identity.
Laptop
- Tails for anonymous tasks — boots from USB, leaves no traces. See tails.boum.org
- Qubes OS for daily use with compartmentalisation — each task in a separate VM. See qubes-os.org
- Full-disk encryption goes without saying (LUKS on Linux)
- BIOS password + Secure Boot
- Laptop physically secured: don’t use the built-in webcam (cover it), disable microphone at OS level
Network
- Tor for anonymous communication — not for streaming or heavy use, but for sensitive matters it has no substitute
- Mullvad VPN (no account, paid with cash or Monero) for daily use — not a Tor replacement, but a layer
- Never on public wifi for sensitive activities without VPN + Tor
- At home: separate router for sensitive activities, or use a GL.iNet with OpenWrt and strict DNS
Communication
Messaging
Molly (Signal fork) as primary messenger for known contacts.
- Database encryption independent of phone lock
- Disappearing messages set to 24 hours or less by default
- Verify safety numbers with every contact
For contacts without Signal: Matrix via Element with a private server, or PGP email.
Never: WhatsApp, Telegram (default), SMS for anything sensitive.
For sensitive email: PGP is mandatory. See the PGP guide.
Email provider: Proton Mail (Swiss law, end-to-end) or Posteo (German, no tracking). Self-hosting is most secure but requires more expertise.
Remember: email metadata (who sends to whom, when) is always visible to the provider. PGP encrypts the content, not the envelope.
Anonymous communication
For source contact or anonymous information exchange:
- SecureDrop — built specifically for anonymous source contact with journalists
- Briar — peer-to-peer messaging via Tor, no server, also works without internet (Bluetooth/wifi)
- Session — no phone number required, decentralised
Stripping metadata
Every file you share contains metadata: creation time, username, GPS coordinates (in photos), software version.
Required for every file you share:
# Images
exiftool -all= file.jpg
# Documents
mat2 file.pdf
# LibreOffice
File → Properties → remove personal information
MAT2 is available via F-Droid (Android) and most Linux distributions. Always verify after stripping that metadata is actually gone.
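The “verify after stripping” step is where people get sloppy, so here is an added example (not part of the original article, and not a replacement for exiftool or mat2) that walks the JPEG marker structure and reports which metadata-bearing segments (APP1 Exif/XMP, APP13 IPTC, COM comments) are still present. The sample JPEG is constructed inline with a fake Exif block and comment; point it at a real file to check your own output.

```python
import struct
import sys

# JPEG segments that typically carry identifying metadata
METADATA_MARKERS = {
    0xE1: "APP1 (Exif/XMP)",
    0xED: "APP13 (IPTC/Photoshop)",
    0xFE: "COM (comment)",
}

def _seg(marker: int, payload: bytes) -> bytes:
    """Encode one marker segment: FF, marker, 2-byte length (incl. itself), payload."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

def jpeg_segments(data: bytes):
    """Yield (marker, payload) for every segment that precedes the scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"bad marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xDA:  # SOS: entropy-coded image data follows, stop here
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def leftover_metadata(data: bytes) -> list:
    """Names of metadata segments still present; an empty list means clean."""
    return [METADATA_MARKERS[m] for m, _ in jpeg_segments(data) if m in METADATA_MARKERS]

def strip_metadata(data: bytes) -> bytes:
    """Drop metadata segments and keep everything else byte-for-byte (demo only)."""
    out, pos = bytearray(data[:2]), 2
    for marker, payload in jpeg_segments(data):
        if marker not in METADATA_MARKERS:
            out += _seg(marker, payload)
        pos += 4 + len(payload)
    return bytes(out) + data[pos:]  # SOS, scan data and EOI are untouched

# Constructed sample: JFIF header, a fake Exif block, a comment, a quant table, then scan data
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _seg(0xE1, b"Exif\x00\x00MM\x00\x2aGPS 52.37N 4.90E")  # constructed, not a real TIFF
    + _seg(0xFE, b"Shot by alice on laptop-01")
    + _seg(0xDB, b"\x00" + bytes(64))
    + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34" + b"\xff\xd9"
)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_JPEG
    print("metadata left:", leftover_metadata(blob) or "none")
```

Run it against the file exiftool or mat2 produced; anything other than “none” means the stripping did not do what you assumed. PDFs and office documents have their own containers, so this check covers JPEGs only.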
Physical security
Digital security stops at the physical world.
Device seizure
- Know how to quickly enter lockdown mode (GrapheneOS: power button → Lockdown)
- Practice this — it needs to be reflexive
- Configure a duress PIN (GrapheneOS)
- Don’t store anything you wouldn’t want found — if it doesn’t exist, it can’t be discovered
Bugging and surveillance
- Faraday bag for your phone at sensitive meetings — no signal = no location tracking, no microphone activation via network
- Meetings on sensitive topics: phones out of the room
- Be aware of cameras in public spaces
Social engineering
Most successful attacks are social, not technical. Someone pretending to be a colleague, a fake urgent request, a trusted contact who has been compromised.
Always verify identity out-of-band before sharing sensitive information.
What you can’t protect against
Honesty matters. There are limits:
Zero-day exploits — unknown vulnerabilities in software that government agencies or commercial parties (NSO Group, Cellebrite) use. GrapheneOS significantly reduces the attack surface but provides no absolute guarantee.
Compromised contacts — if someone in your network grants access, your own security does nothing. Compartmentalisation limits the damage.
Physical coercion — no software protects if someone physically forces you to unlock. That is a legal and social problem, not a technical one.
Human error — one mistake can undermine everything. Routine, checklist thinking, and deliberate attention are the only protection.
Help resources
- EFF Surveillance Self-Defense (Threat Modelling)
- Access Now Digital Security Helpline — free help for threatened journalists and activists
- Front Line Defenders — digital security for human rights defenders
- Security in a Box
- Bits of Freedom — Dutch digital civil rights
See also:
- Do I need to switch phones? — the spectrum explained
- GrapheneOS hardening guide
- GrapheneOS profiles
- PGP: encrypted communication
- Threat profile: journalist or activist
- All GrapheneOS guides — complete overview
- Which network setup fits your threat profile? — Deciso and OPNsense for high-risk