Step-by-step workflow guide for investigators

VIP/Executive Protection

This guide walks you through setting up a VIP/executive protection case from scratch, and then refining it so that the content flowing in is focused, actionable, and as noise-free as possible. By the end, you will have a live case that works for you in the background, surfacing what matters and filtering out what does not.

Before you start:

First Steps

  • Gather full names, nicknames, initials of the VIP; company name and its common abbreviations; HQ address and any other key physical locations.
  • Create a new case skipping the Case Wizard.


Platform Limits

  • 4-hour backfill only: when you create a new case, Monitor retrieves posts from the previous four hours only and cannot go further back.
  • Max 5 languages per search: never leave the language field blank.
  • Filters hide results; they do not reduce your data quota.
  • X, Instagram, Facebook, and Snapchat have monthly caps.
  • Cases auto-pause: set the pause period to the longest available option.

Access

  • Open Maltego Monitor from maltego.monitor.com or app.maltego.com
    Note that you need a Maltego ID to log in.
  • Make sure your plan includes access to Maltego Monitor (only Maltego Enterprise customers have Monitor included in their plans).

Resources

This guide assumes basic familiarity with Monitor. Feature names link to the documentation where needed. It helps to have the following pages open before you start: 


Video Overview

Watch a real VIP/executive protection case being set up in Monitor from scratch — searches, filters, and refinements included. Then follow the step-by-step guide below to build your own, or skip the video and jump straight to the steps.


Step-by-Step Guide

1. Set up your Searches

Search: Executive Name(s)
Example query: "Tim Cook" OR "John Ternus" #TimCook #JohnTernus
Key notes:
  • Always quote multi-word names — without quotes, Monitor returns any post with "Tim" anywhere and "Cook" anywhere, producing huge noise.
  • Add the compound hashtag variant (#TimCook) — Instagram and Facebook content only appears if hashtagged.
  • Include incoming or predecessor names if a leadership transition is underway.
  • Set at least one language — leaving the field blank returns all languages.

Search: Company / Organization
Example query: =Apple Inc= AND ("Tim Cook" OR boss OR executive OR leader)
Key notes:
  • Use the =...= search operator to return an exact match of the enclosed words (including capitalization) in that specific order. For a person it does not matter whether a post says Tim Cook or Cook Tim, but for company names you want an exact match. This lets you catch threats that never name the executive directly, e.g. "the boss at Apple".
  • If the company name is a common word, add a qualifier (e.g. =Apple Inc= rather than just Apple).
  • Use AND to combine the company name with role-reference terms to reduce noise (e.g. =Apple Inc= AND boss).

Search: Company + Threat Language
Example query: =Apple Inc= AND ([Executive Protection building block] OR [Threats building block])

Search: Location
Example query: Location search: [HQ address or city]
Key notes:
  • Very few people geotag threatening content. Add the location last, after the core searches are stable.
  • Useful for detecting unusual activity near physical premises.
  • Skip initially if the case is already high-volume; revisit once the previous steps are refined.
  ⚡ Add this only after 24–48 hrs of baseline data
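The query rules above, as an added example that is not part of this guide or of Maltego Monitor itself: it builds the name and company searches from the inputs gathered in First Steps, and runs a simplified, assumed model of unquoted vs. quoted vs. =exact= matching over constructed sample posts to show why quoting and the exact-match operator cut noise.

```python
import re

# Constructed sample posts for illustration only (not real Monitor data).
POSTS = [
    "Tim Cook announced the new lineup at Apple Inc today",
    "my cousin tim is going to cook dinner tonight",
    "Loved the keynote #TimCook",
    "the boss at Apple Inc needs to watch his back",
    "apple pie recipe from my boss",
]

def quoted(term):
    """Wrap multi-word terms in quotes so they are matched as a phrase."""
    return f'"{term}"' if " " in term else term

def hashtag(name):
    """Compound hashtag variant for Instagram/Facebook: 'Tim Cook' -> '#TimCook'."""
    return "#" + "".join(p[:1].upper() + p[1:] for p in name.split())

def name_search(names):
    """Executive name search: quoted names OR'd together, plus hashtag variants."""
    phrases = " OR ".join(quoted(n) for n in names)
    tags = " ".join(hashtag(n) for n in names)
    return f"{phrases} {tags}"

def company_search(company, role_terms):
    """Exact-match company name (=...=) AND role-reference terms."""
    return f"={company}= AND ({' OR '.join(quoted(t) for t in role_terms)})"

def _words(text):
    return set(re.findall(r"[a-z0-9#]+", text.lower()))

def hits_unquoted(posts, name):
    """Assumed model of an unquoted query: each word anywhere in the post, any order."""
    return [p for p in posts if all(w.lower() in _words(p) for w in name.split())]

def hits_quoted(posts, name):
    """Quoted phrase: the words adjacent and in order, case-insensitive."""
    return [p for p in posts if name.lower() in p.lower()]

def hits_exact(posts, company):
    """=...= operator: exact capitalization and word order."""
    return [p for p in posts if company in p]
```

Running it, the unquoted model matches the unrelated "cook dinner" post as well as the real one, while the quoted phrase matches only the real one.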

2. Refine and Analyze

Once your case has been running for 24–48 hours, you will have enough content to start analyzing what is being captured and making informed refinements. This section explains three refinement techniques: using word-count insights to exclude noise, identifying high-volume accounts for closer tracking, and using additional building blocks to sharpen your filters.

Please note that customizable building blocks are available only to Full Feature Monitor customers.

Essential steps

Exclude irrelevant terms

In the dropdown list of additional analysis tools, you will find a word-count view: a ranked list of the terms that appear most frequently across all the content in your case. When a high-frequency term is irrelevant to your search and contributes to noise, you can exclude it from there.


Calibrate with filters

Keeping the name search broad and adding keywords as a filter — rather than combining everything into one search — lets you toggle between the full content stream and a filtered view showing only threatening content. The gap between the two is itself a signal: a wide gap means most conversation is neutral; a narrow gap means a high proportion is already threat-relevant.

Narrow down the search with custom building blocks

A building block is a saved collection of keywords or phrases that you can apply to multiple searches without re-entering them. If a search is generating high volume and the results feel unfocused, consider creating a building block specifically for the company name and its variants.




Other guides you might find useful:

  • Event Monitoring
  • Threat Actor Monitoring
  • Supply Chain Monitoring

Give us your Feedback!