Recognizing Online Radicalization and What to Do About It
An engineer’s guide to a problem most people don’t see until it’s too late.
The Problem Nobody Wants to Name
You’ve watched someone change.
It happened slowly: a sharper edge in their posts, a narrowing of the sources they cite, a shift from “I disagree with this policy” to “these people are parasites” to something you can’t quite explain but can’t ignore either. You tell yourself it’s just politics. Everyone’s angry right now. The world is genuinely alarming.
But something is wrong. And you can feel it.
This guide is for that moment. Not the moment after something happens, the moment before. The moment when intervention is still possible, when the system can still work, when you’re sitting with a screenshot, a sick feeling and no roadmap.
I’m an engineer. My job is to solve problems with precision. This is a precision problem.
Part One: Understanding the Machine
How Radicalization Actually Works
Online radicalization is not a sudden event. It is an optimization process, and the algorithm is very good at its job.
Every major content platform is built on an engagement maximization engine. Engagement correlates strongly with emotional arousal. Emotional arousal correlates strongly with outrage, fear, and tribal identity. The platform does not care which direction the outrage points. It cares only that you keep scrolling.
The radicalization pipeline looks like this:
1. Entry point: A legitimate grievance. Something real and arguably wrong. The algorithm serves content that validates it.
2. Escalation: The validating content becomes more extreme over time, because more extreme content generates more extreme engagement. The platform rewards it.
3. Identity fusion: The person stops holding views and starts being them. Criticism of the position becomes a personal attack.
4. Dehumanization: Political opponents stop being wrong people and become bad people, then evil people, then something less than people.
5. Acceleration: The person begins seeking out the most extreme confirming content rather than waiting for the algorithm to serve it.
By stage four, the social anchors (friends, family, professional relationships) have been systematically devalued. Anyone who pushes back is a shill, a plant, a sheep, a traitor. The community reinforcing the views becomes the only community that matters.
This is not unique to any political tribe. The architecture is identical across the spectrum. The targets differ. The mechanism does not.
The Difference Between Anger and Radicalization
Not everyone who is politically angry is radicalized. This distinction matters. Getting it wrong in either direction has consequences.
Political anger looks like:
Expressing strong disagreement with policies or leaders
Using hyperbolic language in obvious emotional venting (“I could strangle him”)
Frustration that resolves. The person can talk about other things, laugh, engage with reality
Maintaining relationships with people who disagree
Distinguishing between the position and the person
Radicalization looks like:
A narrowing world: fewer topics, fewer sources, fewer acceptable viewpoints
Language that dehumanizes entire categories of people consistently, not in one-off frustration
Loss of proportion: every event becomes evidence of the same overarching threat
Social withdrawal from anyone outside the ideological bubble
Movement from “this policy is wrong” to “these people must be stopped” to specificity about how
An emotional register that is always at maximum: no down-regulation, no humor, no perspective
The key operational distinction: radicalized language tends toward specificity over time, not away from it. Venting gets less specific as the emotion dissipates. Radicalization gets more specific as the ideology solidifies.
Part Two: The Threshold Framework
When Does It Become a Threat?
Not every radicalized person becomes violent. Not every piece of alarming content warrants a federal report. You need a framework, not a panic button.
Here is the one I use. I call it the SITE framework:
S: Specificity. Does the language identify a specific target, location, method, or timeframe? “Politicians should be held accountable” is rhetoric. “One for [city] and one for [city]” is specific. The more specific, the higher the threat weight.
I: Intent Language. Is the person expressing a wish, or expressing a plan? “I wish he would disappear” is different from “someone needs to erase this person.” Intent language uses active constructions, imperative framing, or declarative statements about outcomes that should happen. Watch for the shift from passive (“I hate this”) to active (“this needs to end”).
T: Trajectory. Is this a single incident or a pattern? A single alarming post in an otherwise normal history is different from a documented escalation over weeks or months. Trajectory tells you whether you’re looking at a spike or a slope. A slope is more dangerous.
E: Escalation Triggers. Has something changed recently? Job loss, relationship breakdown, public humiliation, perceived injustice: these are acceleration events. Radicalized people with grievance spikes are higher risk than those in a stable (if alarming) baseline. If you know the person’s life circumstances, factor them in.
Scoring: Each factor that’s present adds to the threat weight. Specificity alone is a flag. Specificity plus intent language plus documented trajectory plus a recent escalation trigger is a report.
The Scoring Logic Gate
In software, we don’t just stack variables; we look at how they interact. Think of the SITE framework as a conditional logic loop where Specificity ($S$) is the mandatory gatekeeper. If $S$ is zero, the loop terminates early.
[ Observe Alarming Content ]
            │
            ▼
    Is it Specific? (S)
    ├── NO ──────► Monitor baseline only (Do not report)
    └── YES
         │
         ▼
    Evaluate: Intent (I) + Trajectory (T) + Triggers (E)
         │
         ▼
    Do 2 or more additional factors match?
    ├── YES ──────► REPORT (High Priority)
    └── NO ──────► Document & Track (Build Pattern)

The Baseline Filter (S): Specificity acts as a binary multiplier (1 or 0). If there is no specific target, location, method, or timeline, you do not have an actionable threat; you have ugly rhetoric. Document it if you must, but do not trigger a report.
The Aggregators (I, T, E): Once Specificity is confirmed (S=1), each subsequent factor adds cumulative weight to the operational risk.
The Action Threshold:
S + 1 other factor (e.g., Specificity + Trajectory): This is your Log & Monitor phase. Start the documentation protocol, but hold fire on reporting unless that single factor represents an explicit, immediate threat of violence.
S + 2 or more factors (e.g., Specificity + Intent + Trigger): This breaches the reporting threshold. The presence of multiple vectors indicates that the system is no longer just processing anger; it is actively operating a plan.
The Reporting Threshold
Report when:
There is specific language targeting a named individual or defined group with implied or stated harm
AND there is a documented pattern, not just a single incident
OR the single incident is specific enough, operational enough, and credible enough to stand alone
Do not report when:
The language is purely rhetorical with no specificity
You are uncertain and haven’t done the work to document the pattern
Your motivation is to harass, silence, or shock someone you disagree with politically
That last point deserves emphasis. The reporting infrastructure exists to protect the public. Weaponizing it is a serious abuse with real consequences for real people. If your targeting system is off, don’t pull the trigger.
Part Three: Before You Report; The Documentation Protocol
Why Documentation Matters
When you submit a tip to the FBI, you are handing investigators a starting point. The quality of your documentation determines how seriously the tip can be acted on and how quickly. Vague tips get low priority. Precise, well-documented tips with preserved evidence get attention.
Do this work before you make the call.
Step 1: Capture Everything
Screenshot every relevant post, comment, and profile element. Include:
The full post with timestamp visible
The account name and handle
The URL of the post in the screenshot if possible
Any replies or interactions that add context
Do this immediately. People who sense incoming consequences delete. Once it’s gone from the platform, recovery is possible but not guaranteed.
Step 2: Preserve with WARC Files (See Appendix)
Screenshots can be questioned. A WARC file is a web archive format that captures the full page content, metadata, and HTTP response headers in a single verifiable file. It is significantly harder to dispute than a screenshot. See the appendix for exact tools and process.
Step 3: Hash Your Evidence
Once you have your files, screenshots and/or WARCs, generate cryptographic hashes. A hash is a mathematical fingerprint of a file. If the file changes in any way, the hash changes. This proves your evidence hasn’t been altered since you captured it.
SHA-256 is the standard. See the appendix for exact commands.
Step 4: Build a Timeline
Create a simple chronological document:
Date
Platform
Post content (paraphrased or quoted)
Screenshot/WARC filename
Hash value
Your brief note on why it’s relevant
This gives investigators a readable map rather than a pile of files.
Step 5: Document What You Know About the Person
Only include what you know factually:
Real name if you know it
Location if you know it
Employment if you know it
Any known weapons access
Any recent life events that might be escalation triggers
The nature of your relationship and how long you’ve known them
Do not speculate. Do not editorialize. Facts only.
Part Four: How to Report
The FBI Tip Line
tips.fbi.gov
This is the correct channel for threats against federal officials, public figures, or when the threat crosses state lines. It is taken seriously. Submissions are reviewed by actual analysts.
What to include:
Your contact information (you can request confidentiality)
The subject’s identifying information
A clear, factual summary of the threat: what was said, when, where
Your documented evidence (you can attach files)
The pattern, if one exists: “this is part of a documented history going back [date]”
Any escalation factors you’re aware of
What not to include:
Your political opinions about the subject
Speculation about motive beyond observable behavior
Characterizations that aren’t supported by evidence
Write it the way you’d write an incident report. Dry. Factual. Precise. Let the evidence carry the weight.
Other Channels
Local FBI field office: If you believe the threat is imminent or geographically specific, call the nearest field office directly rather than submitting an online tip. Find yours at fbi.gov/contact-us/field-offices.
Secret Service: If the threat targets the President, Vice President, or their immediate families, the Secret Service has independent jurisdiction. Report at secretservice.gov/contact/field-offices or call 1-800-SECRET.
Local law enforcement: If the person is local to you and you believe the threat is immediate, call local PD as well. They can coordinate with federal agencies.
Platform reporting: Always report the content to the platform. This is not a substitute for law enforcement reporting, but it creates a parallel record and may result in account action that slows escalation. Document the report confirmation.
What Happens After You Report
You will likely not hear back with details. This is by design: investigations are confidential. An absence of follow-up contact does not mean the tip was ignored.
The system processes tips through analysts who assess credibility and priority. Credible tips with good documentation go further than vague ones. Your job ends when you submit. Their job begins.
Part Five: The Human Cost Calculation
What a Report Does to Someone
A federal tip can result in a “knock and talk”: agents visit the person, assess them in person, and determine whether further action is warranted. This is not an arrest. It is an assessment. For many people, it is also a significant wake-up call.
In some cases, nothing happens beyond that visit.
In some cases, the assessment reveals a genuine threat and intervention follows.
In some cases, the person is connected with mental health resources.
The outcome depends on what investigators find. Your job is to give them accurate information and let them make that determination. You are not judge or jury. You are a witness providing evidence.
The Cost of Not Reporting
There is a cost to both decisions. People who do not report something they knew was a credible threat, and then something happens, live with that. Some of the most preventable violence in recent history was preceded by warning signs that people saw and said nothing about.
“I didn’t want to get involved” is not a neutral choice. It is a choice with consequences.
The Alignment Check
Before you report, run this test:
Would I report this same language from someone whose politics I agree with?
If the answer is no, your targeting system is compromised. The threshold for reporting a threat cannot be a function of whether you like the politics of the person making it. Violence does not care about team affiliation. Neither should your assessment.
Conclusion: The Precision Imperative
The people most dangerous online are often not the loudest. They are the ones who have moved from expressing anger to planning its expression, often visible to the people who knew them before the slide, invisible to the platforms and institutions that could intervene.
You are not responsible for fixing radicalization. You are not responsible for saving everyone. But if you have specific, documented evidence of a credible threat, you have a decision to make.
Make it with precision. Document before you act. Report through proper channels. Let professionals assess what you’ve found.
The goal is not punishment. The goal is prevention.
That’s an engineering problem. And engineering problems have solutions.
APPENDIX: Evidence Preservation Technical Guide
For the people who want to do this right.
A1: Creating WARC Files
A WARC (Web ARChive) file captures a complete snapshot of a web page including HTML, CSS, images, and HTTP metadata. It is the gold standard for web evidence preservation.
Option 1: Wget (Command Line: Linux/Mac)
wget --warc-file="evidence_$(date +%Y%m%d_%H%M%S)" \
--warc-cdx \
--page-requisites \
--span-hosts \
--no-parent \
"https://[URL OF PAGE TO ARCHIVE]"
This creates a .warc.gz file and a .cdx index file. Keep both.
Option 2: Browsertrix (Browser-Based, No Install Required)
Go to browsertrix.com. This is a free, professional-grade web archiving tool maintained by Webrecorder. You can create WARC files directly from your browser without installing anything.
Enter the URL
Click “Start Crawl”
Download the WARC file when complete
Option 3: archive.org Save Page Now
Go to web.archive.org/save and submit the URL. This creates a permanent archived copy at a stable URL AND adds it to the Internet Archive’s record. Screenshot the resulting archive URL as additional evidence.
Note: This method makes the archive publicly visible. Factor that in.
Option 4: SingleFile Browser Extension
Available for Chrome and Firefox. Saves a complete, self-contained HTML file of any page. Not a true WARC but significantly better than a screenshot. Good for quick capture when time is critical.
A2: Generating SHA-256 Hashes
On Linux/Mac:
sha256sum filename.warc.gz
sha256sum screenshot.png
Output format:
a3f5c2d1e8b7... filename.warc.gz
On Windows (PowerShell):
Get-FileHash filename.warc.gz -Algorithm SHA256
Get-FileHash screenshot.png -Algorithm SHA256
Record Your Hashes
Create a plain text file called evidence_manifest.txt:
EVIDENCE MANIFEST
Generated: [date and time]
Case reference: [your internal reference]
FILE: evidence_20260601_143022.warc.gz
SHA256: a3f5c2d1e8b7[full hash]
Captured: 2026-06-01 14:30:22 UTC
Source URL: https://[url]
Notes: Post containing [brief factual description]
FILE: screenshot_001.png
SHA256: 7d9e4f2a1c6b[full hash]
Captured: 2026-06-01 14:31:05 UTC
Source: Same page, full-page screenshot
Notes: [same]
Sign and date this document. If you have PGP capability, sign it cryptographically. If you don’t, a notarized print copy is a reasonable alternative for high-stakes situations.
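The hashing from Step 3 and the manifest format above, as an added Python example that is not part of the original guide: it writes the manifest for a set of evidence files and later re-hashes them to show whether any file was modified or is missing. The function names, the entry keys (path, captured, source, notes) and the sample files in demo() are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so a large .warc.gz never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(entries, case_ref):
    """entries: dicts with path, captured, source, notes (key names are assumptions)."""
    lines = ["EVIDENCE MANIFEST", f"Generated: {datetime.now(timezone.utc):%Y-%m-%d %H:%M:%S} UTC",
             f"Case reference: {case_ref}"]
    for e in entries:
        lines += [f"FILE: {os.path.basename(e['path'])}", f"SHA256: {sha256_file(e['path'])}",
                  f"Captured: {e['captured']}", f"Source URL: {e['source']}", f"Notes: {e['notes']}"]
    return "\n".join(lines) + "\n"


def verify_manifest(manifest_text, evidence_dir):
    """Re-hash each FILE entry; return {filename: 'OK' | 'MODIFIED' | 'MISSING'}."""
    results, current = {}, None
    for line in manifest_text.splitlines():
        key, _, value = line.partition(": ")
        if key == "FILE":
            current = os.path.basename(value.strip())  # never read outside evidence_dir
        elif key == "SHA256" and current:
            path, status = os.path.join(evidence_dir, current), "MISSING"
            if os.path.isfile(path):
                status = "OK" if sha256_file(path) == value.strip().lower() else "MODIFIED"
            results[current] = status
    return results


def demo():
    """Constructed sample files (not real evidence): alter one, delete the other."""
    with tempfile.TemporaryDirectory() as d:
        entries = []
        for name in ("evidence.warc.gz", "screenshot_001.png"):
            path = os.path.join(d, name)
            with open(path, "wb") as fh:
                fh.write(b"constructed sample bytes for " + name.encode())
            entries.append({"path": path, "captured": "2026-06-01 14:30:22 UTC",
                            "source": "https://example.invalid/post", "notes": "constructed"})
        manifest = build_manifest(entries, "DEMO-1")
        before = verify_manifest(manifest, d)
        os.truncate(entries[0]["path"], 1)  # any change to the bytes changes the hash
        os.remove(entries[1]["path"])
        return before, verify_manifest(manifest, d)
```

Run verify_manifest against your stored copies before you submit and again after any transfer; anything other than OK means that copy no longer matches what you captured.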
A3: Metadata Preservation
Screenshots contain EXIF metadata including capture timestamp. Do not process screenshots through apps or platforms that strip metadata before hashing. Capture → hash → then copy for other uses.
To verify metadata is intact (Mac/Linux):
exiftool screenshot.png
Install exiftool via:
Mac:
brew install exiftool
Linux:
sudo apt install libimage-exiftool-perl
A4: Chain of Custody Notes
For each piece of evidence, note:
Who captured it
When (to the minute, in UTC if possible)
What device/browser was used
What the URL was at time of capture
Whether the original post was still live at time of submission
This is the same chain of custody documentation used in digital forensics. It doesn’t need to be elaborate; it needs to be accurate and complete.
A5: Storage
Store evidence in at least two locations:
Local encrypted drive
Encrypted cloud backup (not a platform that could be subpoenaed separately from your evidence; use something you control)
Do not store evidence only on your phone. Phones break, get lost, get confiscated.
If this is a high-stakes situation, consider burning a copy to archival-grade optical media (M-DISC) and storing it physically. Overkill for most situations. Not overkill if you think this matters.
If you found this guide useful, share it with someone who might need it before they need it.



