Hardening soft targets: A 2026 guide to resilient venue operations and public safety

By nature of their purpose, certain public areas are inherently open. Transportation centers, parks, restaurants, shopping centers, special event venues and similar facilities do not often incorporate strict security measures.

For this reason, bad actors have often weaponized these soft targets for terroristic incidents.

How to harden these soft targets using a layered security approach is the subject of this guide. In advance of the FIFA World Cup 2026™, the guide draws on the work of the Cybersecurity and Infrastructure Security Agency (CISA) in the U.S., which has developed comprehensive guidance to help venue operators identify, manage risk and maintain security resilience.

In that spirit, this guide aims to help venue owners enhance public safety, protect assets, create secure environments and ensure resilient operations through effective security measures and best practices.

The vulnerability of soft targets

Hours before the Sugar Bowl was to be held at the Superdome on New Year's Day 2025, New Orleans experienced one of the worst terror attacks in its recent history. A man drove a truck into the crowd at Bourbon and Canal Streets as New Year's Eve celebrations were waning. Revelers were still on the streets, as the attacker assumed they would be. All told, 14 people perished; 35 were left injured.

The incidents, occurring in proximity to a venue of significance, underscore the vulnerability of soft targets to attack. Venues hosting major events, including international summits, political conventions, large-scale sporting events and music festivals, carry outsized physical and operational security risk, particularly those perceived as political, social or religious in nature.

Understanding the soft target threat landscape

Effective venue security begins with a clear-eyed understanding of the threats operators are protecting against. Potential threats fall into three broad categories.

Physical and violent threats

• Active shooter: An individual or individuals actively engaged in killing or attempting to kill people in a confined and populated area, typically using firearms.
• Vehicle incident: A harmful event involving a motor vehicle in transport that causes injury or property damage, excluding incidents resulting from firearms or explosive devices.
• Improvised explosive device (IED): A device placed or fabricated in an improvised manner incorporating destructive, lethal, noxious, pyrotechnic or incendiary chemicals. IEDs are designed to destroy, incapacitate, harass or distract.
• Micro-IEDs: Smaller, harder-to-detect explosive devices disguised as everyday tech.
• Vehicle-borne IED (VBIED): An explosive attack using a vehicle as the mode of delivery for an improvised explosive device.
• Chemical hazard: A substance intended to kill, seriously injure or incapacitate individuals mainly through physiological effects.
• Biological hazard: A natural or man-made microorganism that causes disease in individuals, plants or animals or causes matter to deteriorate.
• Hostile patrons: Individuals exhibiting aggressive, violent or disruptive behavior that pose a threat to venue property, attendees or staff.
• Civil disturbance: Deliberate and planned acts of violence and destruction arising from organized demonstrations on or near the venue.
• Unmanned aircraft systems (UAS): Unmanned aircraft and the equipment necessary for operation.

Operational and infrastructure threats

• Loss of services/disruption: Disruption to the usual flow of services to a venue, including power, internet or communications infrastructure.
• Industrial incident: An unexpected occurrence in an industrial establishment causing injury or damage.
• Insider threats: Use of insiders with unique positions of access, often short-term employees, contractors or volunteers, to facilitate and conduct attacks, enter secure areas and obtain sensitive information to exploit security procedures.
• Event cancellation: The abrupt cancellation of an event due to security threats or operational failure.

• Cyber-physical attacks: Hacking of building automation systems (lighting, HVAC or digital signage) to create panic.

• Cybersecurity threats: Cyberattacks that affect the confidentiality, integrity or availability of digital systems and technology that a venue or major event is reliant on (e.g., access control platforms including turnstiles, ticketing systems, Wi-Fi and CCTV networks).
• Deepfake: Use of AI-generated audio, video or social media content to spread false information, trigger panic or manipulate crowd behavior.

Environmental and incidental threats

• Natural disaster/extreme weather: Unusually severe weather or climate conditions that can cause devastating impacts on attendees, infrastructure and operations.
• Theft and vandalism: The unlawful taking or deliberate destruction of venue property or assets.

FIFA World Cup™ 2026 venue security

To be held across the U.S., Canada and Mexico, the World Cup presents a stern security challenge for the 16 venue operators hosting matches this summer, as well as those organizing affiliated fan events. Local law enforcement agencies in each host city must coordinate with federal partners, including DHS, CISA and the FBI, to address complex security requirements spanning stadiums, training facilities, transportation hubs, hotels and fan zones. Cross-border coordination between the three host nations adds a further layer of complexity, which is unprecedented in World Cup history.

In preparation, the U.S. government earmarked $625 million for the 11 U.S. host cities to enhance venue security and preparedness. Countering hostile drones remains of paramount concern. To that end, FEMA awarded $250 million to the 11 host states to strengthen their ability to detect, identify, track or mitigate the UAS threat.

The risk assessment (RA)

Understanding the threat landscape provides the foundation for the risk assessment (RA). The RA is a formalized process for identifying potential hazards and analyzing what could happen if each were to occur.

The RA is a core tool across venue resilience, incident management and all-hazards planning, not just venue security. An RA specifically covers three key elements:

Security measures

Security measures are the specific actions implemented to maintain safety and order. These include fencing, lighting, access control, crowd management protocols, surveillance systems and more. A thorough RA will typically identify multiple security measures across several categories. Each measure should be evaluated against two key limiting factors: cost and complexity.

Cost levels

Security is a significant financial investment. Staff, systems and equipment all carry major costs. Few meaningful measures require little to no funding. Posting signs of prohibited items or marking entry or exit points are the exceptions.

Complexity levels

Alongside cost, complexity of implementation determines which security measures to pursue. Complexity refers to the number and availability of resources needed to implement a measure.

Types of security measures

With cost and complexity understood, venue operators can select from a broad range of security measures. The most robust security postures draw from all of the following categories, combining measures across different cost and complexity levels to create a layered defense.

Coordination and administration

Effective security begins with planning and coordination before any physical measure is installed or any staff member is trained.

• Develop procedures for patrons with access and functional needs.
• Verify that the emergency action plan (EAP) includes established procedures for sheltering and evacuation.
• Develop scenario-specific incident response plans as part of the EAP.
• Schedule fire, EMS and law enforcement to tour the venue and participate in training.
• Establish pre-set emergency management communications plans with clear decision points.
• Establish procedures to ensure only authorized personnel and vehicles can enter restricted areas.
• Develop and post entry requirements, including clear bag policies, bag size restrictions and prohibited items.
• Develop traffic flow patterns and designate drop-off areas for ride-share, handicapped and other designated personnel.
• Establish safe handling procedures for responding to downed personnel or communications.
• Develop an event-specific occupancy plan and a venue emergency action plan.
• Develop a traffic management plan in conjunction with the crowd management plan, incorporating hostile vehicle threat mitigation.
• Establish plans with local, state and federal response agencies.
• Complete a risk assessment or security survey of the venue.
• Establish a Crime Prevention Through Environmental Design (CPTED) strategy.
• Coordinate food waste pickup procedures.
• Use bomb squad and explosives detection canine teams for event screening.
• Acquire the appropriate city, county or local permits for the venue.

Installation

Physical infrastructure forms the backbone of a venue’s security posture.

• Install fencing for traffic, crowd control and perimeter security.
• Install a video surveillance system (VSS) to support crowd monitoring and incident response.
• Install adequate lighting in critical areas including evacuation points, parking areas and camera coverage zones. LED lighting enhances both visual aid and camera performance.
• Install security systems for HVAC, mechanical, gas, fuel and drainage systems.
• Refer to the Primary, Alternate, Contingency, Emergency (PACE) communications framework when installing radio, cellular and communication systems. Ensure back-ups are in place and recovery plans are frequently tested.
• Consider UAS detection, tracking, and identification (DTI) technology, Remote ID receivers and CCTV configurations to monitor for aerial threats.

Train and exercise

Technology and infrastructure are only as effective as the people operating them.

• Train screening staff on safety actions to take in accordance with the EAP, including equipment handling, physical searches and medical screening.
• Train all staff on the code of conduct on acceptable and unacceptable patron behavior.
• Train staff on their individual responsibilities under the emergency action plan and incident response plans.
• Train staff on UAS identification and response.
• Train staff on procedures for screening visitors with special needs and service animals.
• Conduct exercises on all incident response plans within the EAP, including active shooter, evacuation, shelter-in-place and reunification scenarios.
• Deploy verification protocols for emergency orders to reduce the impact of fake orders to evacuate sent via spoofed radio or SMS.

Perimeter security

The outer perimeter is the first line of defense and the initial opportunity to reduce risk.

• Ensure venue property boundaries are clearly marked and distinguishable to visitors.
• Secure all unstaffed perimeter entrances.
• Secure ground level access points including windows.
• Keep shrubbery near gates, entrances, windows or access points to a minimum to maximize visibility.
• Post “No Drone Zone” signs in areas where UAS takeoff or landing is restricted.
• Establish security zones including standoff distances for VBIED threats.
• Post signage clearly indicating all prohibited items.

Access control

Limiting and verifying access is central to preventing unauthorized entry to sensitive areas.

• Create public access through dedicated checkpoints only.
• Ensure designated trained security personnel are present at entry points.
• Conduct a visual search of handbags. Screen all visitors using walk-through metal detectors.
• Plan restricted areas and implement appropriate access controls, lock management and credentialing.
• Use color-coded tickets and credentials to assist staff in directing patrons and limiting access to appropriate areas.
• Ensure tickets are electronically scanned.
• Establish background checks for all event staff; require photo IDs or credentials.
• Develop an identification system for vehicles permitted into the venue’s inner perimeters.
• Ensure utility areas are alarmed.

Crowd management

Managing the movement and behavior of large crowds requires both technology and well-positioned personnel.

• Restrict access to non-public areas.
• Use public address systems, social media, email and message boards to communicate locations, restrictions, evacuation routes and entry control points.
• Ensure security and staff personnel are positioned to assist with end-of-event egress and to monitor for suspicious activity.

Traffic management

Vehicle management is both a logistical and a security priority.

• Create drop-off areas per the traffic management plan.
• Ensure law enforcement officers are present to support traffic flow on public streets.
• Post traffic monitors with safety vests and radios to support traffic flow on venue property.

Emergency management

Even the best-prepared venue must be ready to respond when an incident occurs.

• Mark evacuation routes and standoff distance points clearly.
• Test emergency notification systems regularly.
• Coordinate with first responders to pre-designate medical triage and EMS staging areas.

Resource allocation examples

The Dynamic Ongoing Risk Assessment (DORA)

A one-time risk assessment establishes a baseline, but it’s not sufficient as threat levels, venue configurations and operational conditions change. In high-risk environments, the primary factors that determine risk, namely threat, vulnerability and consequence, can shift rapidly.

This ongoing process is known as the Dynamic Ongoing Risk Assessment (DORA). One-time events at large venues, for example this year’s World Cup matches, may even warrant standalone risk assessments specific to each event.

How to conduct a DORA

The assessment should be proportionate to the venue’s size and risk profile. Key principles include:

• Involve the right stakeholders: Representatives with planning, mitigation, response and recovery responsibilities across the full incident management lifecycle should participate collaboratively in the development of the RA.
• Deploy appropriate technology: Security management software and technology should be used during the exercise itself, not only as outputs of the assessment.
• Build a complete venue profile: A thorough DORA begins with a detailed profile of the venue. Such a profile will include venue name, owner and operator, address, size, capacity, core operational purpose, type of events hosted before, event frequency and how the venue is used. Critical assets should be identified and their importance to operations documented in a security management system. This profile forms the base layer of data for the mandatory vulnerability assessment.
• Assess threats against the profile: The DORA team should identify all plausible threats, assess their relative probability and then analyze each threat based on its relationship to vulnerability and consequence.
• Coordinate with external agencies: High-profile venues often conduct threat analysis in coordination with roadway management agencies to understand traffic and crowd flows as risk vectors. This collaborative approach recognizes that attacks on key support infrastructure can lead to cascading consequences.
• Monitor social media and open-source intelligence: For politically or socially significant events, social media monitoring and open-source intelligence gathering provide early warning signals that should feed into the ongoing assessment.

Layered security for resilient venue operations

The risk assessment ultimately informs a venue’s response plans and security architecture. When it comes to implementation, though, venue security is most effective when applied in a layered approach that hardens soft targets against both physical and operational threats. Each zone adds a level of protection, and each layer reinforces the others.

Outer perimeter (outer zone)

The outer perimeter is often linked to area transportation. As such, it provides the initial opportunity to reduce risk. This means coordination with relevant transit operation agencies is critical.

All vehicles docking at the venue should be considered a potential threat. Personnel should be thoroughly screened, and pre-cleared delivery procedures strictly enforced. Bags specifically represent a risk as containers for IEDs. They should be screened at the perimeter where possible.

Middle and inner zones

Risk mitigation measures in the middle and inner zones include periodic sweeps and CCTV coverage. Venues should have sufficient cameras to provide coverage of all major and minor areas, including the outer perimeter.

Clearly defined areas with access limited to credentialed personnel are essential for inner zone security. All possible intrusion paths identified during the vulnerability analysis should be addressed. Bad actors may use any method of entry, including food contamination, mail delivery or service repairs.

Event-day operational best practices

The following operational measures should be implemented before, during and after attendees access the venue:

• Assign staff to parking areas with mobile security apps to relay information to a central command.
• Check vehicles parked within approximately 100 feet of the venue using a pre-determined vehicle security screening process.
• Employ at least one method of patron screening, for example, pat-down, wanding or the equivalent.
• Screen all bags entering the venue.
• Estimate queue length to assess the risk to patrons waiting in line.
• Only allow pre-cleared deliveries; examine the delivery manifest against submitted contents and verify the credentials of the delivery person.
• Inspect media vehicles permitted on the premises.
• Conduct random checks of food vendor products as they are unloaded.
• Use clear signage to indicate which areas patrons can and cannot access within the inner zone.
• Use color-coded credentialing to limit employee and patron access to appropriate areas only.
• Plan for the possibility of mass fatalities.
• Incorporate government agency best practices as they are published and updated.

Specific scenario planning

In addition to a general EAP, venue operators should develop specific response plans for each of the following scenarios:

• Bomb threat including mail bomb threat
• Fire
• Utility outage
• Hazardous material incident
• Civil unrest
• Active shooter
• Improvised explosive device
• VBIED
• Medical emergencies
• Shelter-in-place, partial evacuation and complete evacuation

Conclusion: Building a resilient venue security program

All of the planning measures covered in this guide are only as effective as their execution. Security teams should formalize all assumptions and unwritten plans into documented policies and procedures, then drill those procedures regularly through tabletop exercises and realistic scenario-based training that can be quantified and evaluated.

As recent events have demonstrated, venue security planning in 2026 is never finished. Since threats evolve consistently, so must the systems, procedures and technologies that venue operators rely on.

Noggin’s security management software helps venue operators put these best practices into action. From risk assessment and threat intelligence to real-time situational awareness, incident reporting and post-event review, our security solution helps you restore normal operations quickly and strengthen organizational resilience when faced with adverse events.

Request a software demonstration to see Noggin in action.