"You cannot detect a Leading threat by looking forward. You find it in the rearview mirror."

Before you read the next vendor intelligence report, the next AI-generated threat briefing, the next dashboard summary from your SOC, consider this: the most dangerous surveillance operatives in Soviet intelligence history were the ones you never saw coming toward you.

They were already ahead of you.

That is the doctrine of Lidirovanie, or Leading, and it is the most important threat pattern almost no one in corporate security talks about.

The 17th Directorate and What They Built

The KGB's operational surveillance work ran through a unit known as the Naruzhnoye Nablyudenie, or NN — external surveillance. Within the Second Chief Directorate, the 17th Directorate handled physical surveillance operations against foreign targets inside the Soviet Union. Operationally, practitioners called it the Semyorka.

The Semyorka was not simply a team of watchers. It was a doctrine — a structured methodology for maintaining coverage of a target without ever being detected as a threat. The techniques they developed were not improvised. They were engineered. And three of them translate directly to the threat patterns you are dealing with right now.

The three techniques — Chain, Fork, and Leading — were designed around a single insight: the target cannot detect what they are not looking for.

Tsepochka: The Chain

Doctrine

The Chain technique deployed multiple surveillance units in sequence, each handing off coverage to the next as the target moved. No single operative stayed with the target long enough to register as a pattern. The handoff was the point. Coverage was continuous. Exposure was minimal. The target, if they were watching at all, would see different faces, different vehicles, different positions — and conclude they were not under surveillance. 

TSEPOCHKA (CHAIN)
Doctrine: Sequential handoff between surveillance units; no single unit maintains.
Modern parallel: Insider threats who pass access across organizational handoffs. A contractor hands off to a vendor, who hands off to an internal team. No single node looks suspicious. The chain is the threat.

Modern Parallel

Insider threats and supply chain compromises operate by exactly this logic. No single actor stays in contact with the sensitive material long enough to trigger detection thresholds. The contractor who onboards a vendor. The vendor who scopes a project with the internal team. The internal team member who has legitimate access and uses it for something that falls outside the original authorization.

The handoff is the threat. The individual nodes look clean. The chain does not.

Your monitoring systems are mostly designed to catch sustained access by a single actor. The Tsepochka pattern defeats that entirely. If you are not tracking the full chain of custody on sensitive access — who handed what to whom, across what organizational boundaries, over what timeframe — you are watching for the wrong thing.
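One way to make the chain itself visible, as an added example that is not part of the original article: the Python below reconstructs handoff chains from access-grant records and reports only chains that cross an organizational boundary. The records, the field names and the per-actor threshold are all constructed assumptions, not any real product's schema; the point is that a sustained-single-actor rule flags nothing here while the chain view does.

```python
"""Chain-of-custody reconstruction over access handoff records.

Added example (not from the original article). The records below are
constructed and the schema is an assumption: each record says that `grantor`
(in `grantor_org`) gave `grantee` (in `grantee_org`) access to `resource` at
`ts`, and that the grantee held it for `held_days` days.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Handoff:
    ts: datetime
    grantor: str
    grantor_org: str
    grantee: str
    grantee_org: str
    resource: str
    held_days: int


# Constructed sample records (assumption: every grant is logged this way).
SAMPLE_HANDOFFS = [
    Handoff(datetime(2024, 3, 1), "c.ivanov", "contractor-a", "vendor-lead", "vendor-b", "design-docs", 6),
    Handoff(datetime(2024, 3, 9), "vendor-lead", "vendor-b", "pm.smith", "internal", "design-docs", 5),
    Handoff(datetime(2024, 3, 15), "pm.smith", "internal", "eng.jones", "internal", "design-docs", 4),
    # Unrelated single-org grant on another resource: must not be reported.
    Handoff(datetime(2024, 3, 2), "hr.lead", "internal", "hr.analyst", "internal", "payroll", 3),
]

PER_ACTOR_THRESHOLD_DAYS = 7  # assumed single-actor alerting threshold


def single_actor_alerts(handoffs):
    """What a sustained-access rule would flag: nobody here crosses the threshold."""
    return [h.grantee for h in handoffs if h.held_days > PER_ACTOR_THRESHOLD_DAYS]


def build_chains(handoffs, max_gap_days=14):
    """Link handoffs per resource, in time order, where one record's grantee is
    the next record's grantor within max_gap_days. Returns resource -> chains."""
    by_resource = defaultdict(list)
    for h in sorted(handoffs, key=lambda h: h.ts):
        by_resource[h.resource].append(h)
    chains = {}
    for resource, records in by_resource.items():
        resource_chains = []
        for h in records:
            for chain in resource_chains:
                last = chain[-1]
                if last.grantee == h.grantor and (h.ts - last.ts).days <= max_gap_days:
                    chain.append(h)  # extend the chain this grantor inherited from
                    break
            else:
                resource_chains.append([h])  # start a new chain
        chains[resource] = resource_chains
    return chains


def suspicious_chains(handoffs, min_links=3, max_gap_days=14):
    """Chains of at least min_links handoffs that cross an organizational boundary."""
    found = []
    for resource, chains in build_chains(handoffs, max_gap_days).items():
        for chain in chains:
            orgs = {chain[0].grantor_org} | {h.grantee_org for h in chain}
            if len(chain) >= min_links and len(orgs) > 1:
                found.append({
                    "resource": resource,
                    "path": [chain[0].grantor] + [h.grantee for h in chain],
                    "orgs": sorted(orgs),
                    "span_days": (chain[-1].ts - chain[0].ts).days,
                    "total_held_days": sum(h.held_days for h in chain),
                })
    return found


if __name__ == "__main__":
    print("single-actor alerts:", single_actor_alerts(SAMPLE_HANDOFFS))
    for chain in suspicious_chains(SAMPLE_HANDOFFS):
        print(chain)
```

Each holder keeps the material for under a week, so the per-actor rule returns nothing; the chain view returns one four-node path across three organizations, held for fifteen days in total.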

Vilka: The Fork

Doctrine

The Fork deployed coverage from multiple directions simultaneously. Where the Chain was sequential, the Fork was parallel. Multiple units would occupy positions that gave them overlapping sightlines on the target, approaching from different vectors. If the target moved toward any single unit to test their suspicions, that unit could withdraw while the others maintained coverage. The observation never stopped. The target could never definitively expose a single observer.

VILKA (FORK)
Doctrine: Simultaneous parallel coverage from multiple vectors; withdrawal and redeployment on
Modern parallel: Multi-vector cyberattacks. Coordinated insider-outsider threat combinations. Regulatory and legal pressure are applied simultaneously with operational disruption.

Modern Parallel

Multi-vector attacks are designed to create exactly the decision paralysis the Fork was designed to produce. When your defenders must simultaneously address a phishing campaign, an anomalous network access pattern, a compliance inquiry, and a vendor audit — all appearing within the same compressed window — the question is not which threat is real. The question is which one is the misdirection.

The Fork works because it forces the target to distribute attention across multiple perceived threats. Defenders triage. Prioritization means something gets deprioritized. That deprioritized item is where the real work is happening.

The detection countermeasure is correlation — not just within your own systems but across time and organizational context. A compliance inquiry arriving two weeks before an unusual vendor access request, and a network anomaly arriving one week before, may not be three separate events. They may be one event with three faces.
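The correlation described above, as an added example that is not part of the original article: the Python below takes events from separate sources (compliance, network, identity, email are assumed source names), clusters them in time, and reports clusters that span several sources and share a subject. The events are constructed; seen one source at a time, none of them exceeds any volume threshold.

```python
"""Cross-source temporal correlation for Fork-style multi-vector pressure.

Added example, not from the original article. Events and source names are
constructed assumptions: each event is (timestamp, source, subject, detail).
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str   # which system or team raised it
    subject: str  # the entity it concerns (vendor, user, system)
    detail: str


# Constructed sample events spanning four sources within one month.
SAMPLE_EVENTS = [
    Event(datetime(2024, 5, 1), "compliance", "vendor-x", "regulator inquiry referencing vendor-x contracts"),
    Event(datetime(2024, 5, 8), "network", "vendor-x", "anomalous outbound volume from vendor-x jump host"),
    Event(datetime(2024, 5, 15), "iam", "vendor-x", "out-of-band request for broader vendor-x access"),
    Event(datetime(2024, 5, 16), "email", "all-staff", "phishing wave with a generic payroll lure"),
    Event(datetime(2024, 7, 20), "iam", "vendor-y", "routine quarterly access recertification"),
]


def per_source_view(events):
    """What each source sees on its own: a count too small to alert on anywhere."""
    return dict(Counter(e.source for e in events))


def correlate(events, window=timedelta(days=21), min_sources=3):
    """Group events in time order into clusters whose span does not exceed
    `window` from the first event; report clusters covering >= min_sources
    distinct sources, with any subject that recurs inside the cluster."""
    ordered = sorted(events, key=lambda e: e.ts)
    clusters, current = [], []
    for e in ordered:
        if current and e.ts - current[0].ts > window:
            clusters.append(current)
            current = []
        current.append(e)
    if current:
        clusters.append(current)

    results = []
    for cluster in clusters:
        sources = {e.source for e in cluster}
        if len(sources) < min_sources:
            continue
        subject_counts = Counter(e.subject for e in cluster)
        results.append({
            "start": cluster[0].ts.date().isoformat(),
            "end": cluster[-1].ts.date().isoformat(),
            "sources": sorted(sources),
            "shared_subjects": sorted(s for s, n in subject_counts.items() if n >= 2),
            "event_count": len(cluster),
        })
    return results


if __name__ == "__main__":
    print("per-source counts:", per_source_view(SAMPLE_EVENTS))
    for cluster in correlate(SAMPLE_EVENTS):
        print(cluster)
```

The greedy time window is deliberately simple; the design choice that matters is that the cluster is keyed on time and on the shared subject (here the vendor), which is the organizational context no single source has. The July recertification falls outside the window and, being one source, is not reported.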

Lidirovanie: The Leading

Doctrine

The Leading is the most elegant of the three techniques and the most dangerous.

A surveillance operative deploying Lidirovanie did not follow the target. They drove ahead of the target and monitored through the rearview mirror. They were never in the target's forward field of vision. They were never approaching. They were never suspicious. They were simply a car that happened to be going in the same direction.

By the time the target arrived at their destination, the operative had already been there and left. 

LIDIROVANIE (LEADING)
Doctrine: Operative moves ahead of target; monitors through rearview mirror. Never in
Modern parallel: Advanced persistent threats already inside the network. Supply chain compromise is embedded before procurement. Insider threat is positioned before the sensitive project begins.

Modern Parallel

This is the pattern that should keep security leaders awake. Not the threat that is coming toward you. The threat that is already ahead of you.

Advanced persistent threats are called persistent for a reason. They do not move when you look. They are already in position before the investigation begins. The supply chain compromise was embedded in the software library six months before your organization integrated it. The insider threat had legitimate access before the sensitive project was assigned to their team.

You cannot detect a Leading threat by looking forward. You find it in the rearview mirror — in the retrospective audit of what was already in place before the event you are trying to explain.

The detection methodology for Lidirovanie is fundamentally different from that for a trailing threat. You are not looking for someone following you. You are looking for someone who knew where you were going before you did. That means examining who had access before the project, who had visibility into the planning before execution, and which third parties had positions that only make sense in retrospect.
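The retrospective audit that paragraph describes, as an added example that is not part of the original article: the Python below takes a project's formal scoping date and its in-scope resources (a constructed project and grant records; the schema is an assumption) and lists every identity whose access predates scoping, external organizations first and longest lead time next. It is the "rearview mirror" query: who was already in position before the project existed.

```python
"""Retrospective (Lidirovanie) pre-project access audit.

Added example, not from the original article. The project, the grants and
the field names are constructed assumptions about how an access system
records who was granted what, when, and why.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Grant:
    identity: str
    org: str          # "internal" or the name of a third party
    resource: str
    granted_on: date
    reason: str       # justification recorded at grant time


# Constructed project definition: formally scoped on 2024-06-10.
PROJECT = {
    "name": "project-aurora",
    "scoped_on": date(2024, 6, 10),
    "resources": {"aurora-repo", "aurora-data-share", "aurora-planning-wiki"},
}

# Constructed grant history, including access that long predates the project.
SAMPLE_GRANTS = [
    Grant("eng.lee", "internal", "aurora-repo", date(2024, 6, 12), "assigned to project"),
    Grant("pm.diaz", "internal", "aurora-planning-wiki", date(2024, 5, 2), "roadmap planning"),
    Grant("consult.rao", "advisory-co", "aurora-planning-wiki", date(2024, 4, 1), "vendor discovery"),
    Grant("consult.rao", "advisory-co", "aurora-data-share", date(2024, 5, 20), "data review"),
    Grant("svc-backup", "internal", "aurora-data-share", date(2023, 1, 15), "platform backup service"),
    Grant("eng.wu", "internal", "other-repo", date(2024, 1, 1), "unrelated system"),
]


def pre_project_positions(grants, project):
    """Identities holding access to any in-scope resource before the scoping
    date, with how far ahead of the project each one was (in days)."""
    scoped = project["scoped_on"]
    by_identity = {}
    for g in grants:
        if g.resource not in project["resources"] or g.granted_on >= scoped:
            continue  # out of scope, or granted after the project was scoped
        entry = by_identity.setdefault(
            g.identity, {"org": g.org, "resources": [], "reasons": [], "lead_days": 0}
        )
        entry["resources"].append(g.resource)
        entry["reasons"].append(g.reason)
        entry["lead_days"] = max(entry["lead_days"], (scoped - g.granted_on).days)
    rows = [{"identity": name, **entry} for name, entry in by_identity.items()]
    # Third parties first, then the longest lead time, then breadth of access.
    rows.sort(key=lambda r: (r["org"] == "internal", -r["lead_days"], -len(r["resources"])))
    return rows


if __name__ == "__main__":
    for row in pre_project_positions(SAMPLE_GRANTS, PROJECT):
        print(f'{row["identity"]:12} {row["org"]:12} {row["lead_days"]:4d} days ahead  {row["resources"]}')
```

The output is a review list, not a verdict: the long-standing backup service account is almost certainly benign, but it is exactly the kind of position that only gets questioned in retrospect, and the external consultant with access to two in-scope resources ten weeks before scoping is the first row a reviewer should read.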

The Car That Looked Ordinary

The GAI-24 Volga was the Semyorka's primary surveillance vehicle. On the surface, it was a standard Soviet passenger car — the kind driven by mid-level officials and factory managers across the country. Unremarkable. Forgettable. That was precisely the point.

What was under the surface was not ordinary. The 5.5-liter V8 engine was pulled from the Chaika limousine — the same engine used in Soviet government vehicles — giving the Volga dramatically superior performance with no external indication of that capability. Iron ballast plates were installed in the trunk to correct the nose-heavy weight distribution created by the engine swap, keeping the car's handling neutral and its behavior indistinguishable from a standard vehicle. The brake light circuit was modified with an Otsechka — a kill switch — so the car could decelerate at night without illuminating its position.

It was a weapon disguised as a taxi.

The most effective security program is the one that looks ordinary while being anything but.

This is not just a story about a car. It is the operating principle behind every serious corporate security program.

The organizations that get breached most often are not the ones with no security. They are the ones whose security is visible — the ones whose controls are announced, whose response protocols are known, whose detection capabilities are documented in policies that the threat actors targeting them have already read. The GAI-24 was effective because it made no announcement of its capability. The brake lights did not give away the position. The suspension did not betray the engine.

Your security program should have the same property. The capabilities that matter most are those that cannot be mapped by someone watching from the outside.

What the Semyorka Means for Your Program

The three techniques together make a single argument: sophisticated threats are designed around the assumption that defenders are looking forward, looking for someone following them, and looking for single actors sustaining unusual behavior.

None of those assumptions survives contact with the Semyorka.

The Chain defeats sustained-actor detection. The Fork defeats prioritized-response logic. The Leading defeats forward-looking threat modeling entirely.

The response is not to abandon those detection approaches. It is to layer retrospective analysis, chain-of-custody tracking, and pre-project access auditing on top of them. The question to ask before every sensitive initiative is not "who might try to access this?" It is "who is already in a position to access this, and why?"

Signals in the Noise covers the deeper pattern recognition methodology behind threat analysis like this: the discipline of reading historical intelligence doctrine as a lens for modern corporate and organizational risk. The techniques change. The patterns do not.

Morning Takeaway: Before your next sensitive project begins, run a pre-mortem using the Lidirovanie frame: who already has positioning that would only look suspicious in retrospect? Who had access before the project was formally scoped? Which third parties are ahead of you rather than behind you? The threat you have not detected is not the one approaching. It is the one that was already there.
