RED × BLUE

Threat Playbook

Adversary vectors paired with the defensive controls that close them. Read top-to-bottom — engagements are sorted by severity. Baseline controls below apply across the surface.

Severe

Moderate

Low

Baseline

Moderate · Plan Mitigation

3 engagements

MODERATE R-02 ↔ B-02 Re-ID quality structurally capped at 2007-source resolution High

Red R-02

Re-ID quality structurally capped at 2007-source resolution

The case has a structural re-identification ceiling: source imagery is a 2007 retail-kiosk digitization, not a modern biometric capture. The GCP Vision face-detect call returned billing-disabled (ev_019) in this pass, so even commercial face-vector tooling was unavailable. Investigators relying on automated face-match against social platforms or face-search engines will receive low-confidence results that consume verification cycles.

Blue B-02

Commission new forensic-art age-progression via BCA

Automated age-progression against the 2007 source imagery will very unlikely produce a usable current likeness. Request BCA forensic-art services or NCMEC age-progression collaboration for a hand-rendered 2024–2026 age-progression based on the original 2007 digitizations plus family-relative reference photos. The hand-rendered output becomes the next-generation visual anchor; automated face-search remains low-confidence until then.

MODERATE R-01 ↔ B-01 Reward-driven false-tip flooding Moderate

Red R-01

Reward-driven false-tip flooding

The standing $10,000 reward (ent_014) is a known scam-attractor pattern for cold cases. Without a verified routing path (PSPTips → BCA), the operator should treat any inbound tip mentioning the reward amount as likely low-credibility until BCA confirms receipt. Investigative-time-budget exhaustion is the realistic harm vector — fabricated leads consume case-officer cycles that should service authentic ones.

Blue B-01

Tip-routing verification — only act on tips received via BCA channels

Treat the PSPTips $10,000 reward (ent_014) as unverified until BCA confirms a formal partnership. Operator policy: do not act on tips that mention the reward without contemporaneous corroboration of receipt by the Minnesota BCA tipline. Maintain a tip-provenance log noting receipt channel, claimed source, and BCA acknowledgement before allocating investigative cycles.

MODERATE R-03 ↔ B-03 Family / advocacy contact exposure to pretexting Moderate

Red R-03

Family / advocacy contact exposure to pretexting

The combined surface of the case pages enables identification of family contacts, regional advocacy volunteers, and the BCA case-officer (ent_017 Mielke). Each is a candidate target for impersonation pretext ("I have information about the case") or financial pretext ("a reward processor needs verification"). The harm vector is family re-traumatization plus investigative-time consumption.

Blue B-03

Family / advocate contact hardening — designate a single intake spokesperson

Designate a single point-of-contact (BCA case officer or family-appointed advocate) for all inbound tips and inquiries. Coach family members on impersonation patterns: reward-clearance pretexts, journalist pretexts, "new evidence" pretexts. Route all media requests through the BCA PIO. Reduces the social-engineering surface to one trained intake channel.

Baseline · Surface-Wide

2 controls

B-04 Baseline

Digital case-artifact chain-of-custody — fix the 2012 GIMP gap

The Charley Project panoramic (ent_020) carries a 2012-07-16 GIMP modification timestamp with no documented chain-of-custody between the 2007 kiosk digitization and the 2017 Charley Project upload. Baseline control: BCA / GINA / Charley Project should preserve and document the original 2007 digitization masters (and any 2012 derivative source) with hash-anchored archival, so subsequent re-uses can be authenticated against the master rather than against re-encoded derivatives.

B-05 Baseline

Periodic reverse-image sweep of the 2007 corpus

Quarterly automated reverse-image searches (Google Lens exact_matches has proven most productive for this corpus; Google Reverse Image returned zero on multiple URLs per ev_010 and ev_011) detect new appearances of the case imagery on tip-aggregator pages, fundraising pages, or impersonation accounts. The 2026-04 Medium article and the 2026 PSPTips reward post both surfaced this way; the next surfaces will surface the same way.