Three sectors. Three patterns of failure that repeat across markets, across geographies, and across organisations that had every intention of doing it right. And what VIGIL changes in each one.
Data centre development moves fast. Markets open, hyperscalers commit, sovereign funds deploy. The pressure to select a site, sign a lease, and begin the design process often runs ahead of the intelligence needed to make that decision safely.
A data centre site is selected. Capital is committed. The architect is engaged. The planning application is filed. Then — eighteen months into the project — someone discovers that the nearest substation cannot supply the required megawatts at the timeline the project needs. Or that a petroleum depot sits 180 metres from the eastern boundary. Or that the grid operator's published capacity figures were aspirational, not confirmed.
The project does not stop. It continues. With a constraint that was always there — and was findable from day one.
Power constraint found after lease execution. Grid connection feasibility is assessed at desktop level using publicly available tariff data. Actual MW availability from the named grid operator — the number that determines whether the project is viable — is not confirmed before commitment. It is confirmed during detailed design, when reversing the decision costs as much as proceeding with the constraint.
Hazardous adjacency identified after architect is appointed. A petroleum storage facility, a chemical plant, or a high-pressure pipeline within the consultation zone is identified during planning — not before site selection. The blast separation requirement enters the design at the point where it causes maximum disruption to the layout and maximum cost to the capex budget.
Connectivity assumption rather than confirmation. The site is selected on the basis that a major carrier has infrastructure nearby. Nearby turns out to mean a trunk route 2.1km away with no planned extension. Carrier-neutral connectivity — the defining characteristic of a data centre — is absent and cannot be established within the project timeline.
Climate headroom not designed in. A site in a market where peak ambient temperature already exceeds 48°C is designed to a standard cooling specification. Within seven years, the design temperature is regularly exceeded. The cooling system that was adequate at commissioning is not adequate at year five. The constraint was in the IPCC projections for that region. Nobody checked them at site selection stage.
Regulatory timeline underestimated. A new market is entered on the basis that the regulatory framework is "developing favourably." The specific requirements of the national data centre regulation — licensing, data localisation, mandatory redundancy standards — are not assessed against the project timeline. The facility completes construction before the regulatory pathway is clear. Operations are delayed by fourteen months.
The constraint existed before the decision was made. In every case above, the information that would have changed the decision was available before the lease was signed. It was not hidden. It was not classified. It existed in public databases, grid operator records, planning authority documents, and published climate projections. It was simply not collected, structured, and scored in a way that made it visible at the right moment.
The methodology was subjective. The site was evaluated by a consultant who applied professional judgement. The score reflected experience. It did not reflect a structured, evidence-backed, reproducible process. A different consultant, on the same site, with the same information, would have produced a different number. Neither number could be defended when challenged.
The confidence level was unknown. Nobody knew how much of the assessment was based on verified primary data and how much was inference. There was no mechanism for that question to be asked — let alone answered. A finding with MCI 34 (6 of 14 required data points verified) was presented with the same confidence as a finding with MCI 91 (14 of 14 verified).
The future environment was not assessed. The site was suitable at the time of assessment. The question of whether it would remain suitable over a 20-year asset lifecycle — given climate trajectory, urban expansion, grid decarbonisation timelines, and regulatory evolution — was not asked. It is never asked. Until the answer becomes expensive.
VIGIL scores Grid Connection Feasibility against five anchor statements. A score of 0.75 requires the named grid operator to be confirmed, the connection pathway to be confirmed, and the timeline to be estimated from comparable connections. A score of 1.00 requires a written confirmation with MW commitment. The difference between 0.50 and 0.75 is the difference between an assumption and a finding.
OSM Overpass pulls all hazardous facilities within defined radii at the moment of site assessment. A petroleum depot at 180 metres is not discovered during planning — it is scored during site evaluation. Constraint Significance = Severity × Cost × Permanence. A permanent hazardous adjacency scores 1.00 on permanence. It enters the design brief as a blast separation requirement, not a planning surprise.
Telecom Route Diversity is a scored indicator in D3 Infrastructure. The number of independent carriers with active infrastructure within 2km is confirmed from named provider data — not proximity to trunk routes. Carrier-neutral connectivity is a condition of the site selection verdict, not an assumption embedded in the brief.
MRI Component LRE (Lifecycle Resilience Erosion) scores temperature trajectory against IPCC RCP4.5 projections for the specific region. A site where peak ambient is projected to exceed 52°C by 2040 receives a deteriorating LRE score. The cooling specification is designed to the 20-year ambient, not the commissioning-day ambient.
"The constraint was always there. It was findable from day one. Nobody structured the question correctly before the decision was made."The pattern. Repeated across markets.
Port-adjacent logistics assets, bonded warehouses, and regional distribution hubs are among the most capital-intensive and operationally sensitive sites in modern infrastructure. Their value is entirely dependent on the stability and accessibility of the environment around them — an environment that is changing faster than the assets can adapt.
A logistics hub is selected for its location: port proximity, highway access, workforce catchment. These are real advantages. But the assessment stops at location. It does not assess what is adjacent to the location, what is happening to the environment around it, or what the site will look like in year ten of a twenty-year lease.
Supply chain disruption rarely comes from the supply chain. It comes from the environment the supply chain operates in.
Cargo theft risk underestimated at site selection. A distribution hub is located in a district that scores well on standard crime indices. What the crime index does not capture is the specific pattern of organised cargo theft on the approach routes to the site — a pattern visible in freight operator incident data and local police reports but not in the aggregate index used in the assessment.
Single-provider power dependency not identified. A bonded warehouse requires continuous cold chain power. The site has a grid connection. What is not assessed is whether there is a redundant feed available, whether the single substation serving the district has a history of outages, or whether the grid operator's expansion plan will relieve the capacity pressure before the lease term is up.
Labour unrest on access routes not captured. A port-adjacent facility depends on consistent HGV access. Industrial action at a neighbouring facility, a fuel depot, or the port authority itself creates an access disruption that is not a security incident — it is a supply chain incident. It was predictable from historical labour relations data. It was not assessed.
Flood risk reclassified after commitment. A site is assessed as being outside the 1-in-100 year flood zone. Within four years, updated climate modelling reclassifies the tidal drainage channel adjacent to the site. The site is now in the 1-in-75 year zone. The insurance cost increases by 40%. The constraint was in the trajectory data at the time of assessment. The MRI component was never run.
Port expansion changes the risk environment. A logistics hub is selected because of its proximity to a container terminal. The terminal expands. HGV volume on the access routes increases by 60%. Congestion exposure — a scored indicator in VIGIL's Accessibility domain — transforms the site's operational viability within five years of commissioning.
Location was assessed. Environment was not. Supply chain site assessments focus on what the site has — port proximity, road access, racking capacity, floor loading. They do not systematically assess what is happening around the site — the adjacent hazards, the labour relations in the district, the trajectory of the access route congestion, the flood reclassification trend.
Cargo crime was treated as a country risk, not a route risk. Country-level crime indices do not capture route-specific cargo theft patterns. The difference between a site with a 12-minute access route across an industrial corridor and a site with a 4-minute access route on a controlled highway is significant — and is not visible in the aggregate data used in most assessments.
The lifecycle was not considered. A twenty-year lease is a twenty-year commitment to the risk environment around a site. The assessment reflected the environment on the day it was conducted. Port expansion plans, road infrastructure investment programmes, flood reclassification trajectories, and grid capacity additions were all in published data. None of them were assessed.
VIGIL's D4 Security domain scores Theft & Cargo Crime Risk using freight operator incident data and route-specific patterns — not aggregate country crime indices. The difference between MSI 82 and MSI 74 on this indicator is the difference between a site with controlled access and one with three high-risk HGV ambush points on the approach route.
Single-Point Dependency Exposure is a scored indicator in D3. The number of mission-critical dependencies with a single provider and no backup is counted — not inferred. A cold chain facility with one grid operator, one water provider, and one access route has a fundamentally different risk profile from one with confirmed redundancy across all three. VIGIL makes that difference visible at site selection, not at year three.
MRI Component LRE scores water stress trajectory and extreme weather frequency trends against published climate data. A site in a tidal flood zone with a deteriorating 20-year trajectory receives an Adverse MRI component — flagged before commitment, not after reclassification. The insurance brief, the structural specification, and the drainage design are all informed by the trajectory, not just the current classification.
Congestion Exposure is monitored continuously through the VIGIL intelligence pipeline. When port expansion is announced, when road infrastructure funding is confirmed or withdrawn, when HGV volume trends change on key access routes — the operational risk register is updated. The site manager does not find out from the driver. VIGIL flags it first.
"Supply chain disruption rarely comes from the supply chain. It comes from the environment the supply chain operates in. And that environment was never assessed."The pattern. Repeated across markets.
Critical infrastructure — power generation, water treatment, telecommunications backbone, transport hubs — operates in a risk environment unlike any other mission type. The threats are not incidental. They are deliberate, adaptive, and directed. And they are changing in ways that a point-in-time assessment cannot capture.
Critical infrastructure receives more security investment than almost any other asset class. It is assessed regularly. It has dedicated security teams, government engagement, and regulatory oversight. And yet the pattern of failure is consistent: the assessment reflects the threat environment at the time it was conducted. The threat environment moves. The assessment does not.
Drone threat not in the design brief. A power generation facility was designed and secured against a threat actor profile that did not include commercial drone platforms as attack vectors. Five years after commissioning, the threat has changed. The physical security design has not. The vulnerability exists in the gap between the design basis and the current threat — a gap that is not visible without a continuous trajectory assessment.
Cascading failure exposure created by portfolio expansion. A telecommunications operator adds a new data relay station to its network. The station is assessed in isolation: low crime area, adequate standoff, competent security. What is not assessed is that the new station, combined with two existing assets, creates a geographic cluster where a single attack event could simultaneously degrade three nodes of the national network. The interdependency is invisible at the individual asset level.
Insider threat not assessed as a vector. A critical infrastructure facility with strong perimeter security and a well-trained response team experiences a significant incident involving an insider with legitimate access. The TVRA that was conducted two years previously assessed external threat vectors thoroughly. The insider threat pathway — access controls, vetting currency, privileged access mapping — was noted as a future consideration. It remained a future consideration.
Political risk trajectory not captured in national security classification. An asset is classified as critical infrastructure under the national security framework. The classification drives the protection level. What it does not drive is a continuous assessment of whether the geopolitical environment around the asset is improving or deteriorating. Threat actor interest in the sector increases. The protection level does not respond until an incident occurs.
Dependency concentration invisible at asset level. A water treatment facility relies on a single power provider, a single chemical supplier, and a single access road. Each dependency is assessed as acceptable in isolation. The combination — which means that a single disruption event affecting the access road also prevents chemical deliveries and exposes the power connection — is never assessed. The single point of failure is structural. It was always there. Nobody looked for it from the right angle.
The assessment was correct. The environment moved. CI assessments are typically rigorous at the moment they are conducted. The problem is not the quality of the assessment — it is the shelf life. A TVRA conducted in 2021 reflected the threat landscape of 2021. The drone threat profile, the state-sponsored targeting patterns, the geopolitical trajectory of the relevant threat actors — all of these have changed. The assessment has not.
Portfolio interdependencies were never assessed. Individual asset assessments do not reveal portfolio-level vulnerabilities. An asset that is individually acceptable may create an unacceptable concentration risk when combined with existing assets. This requires a portfolio-level assessment methodology — which almost no organisation has, and almost no point-in-time assessment provides.
The trajectory question was never asked. Standard security assessments ask: what is the threat level now? VIGIL asks an additional question that no other platform asks: where is the threat environment heading? The answer — captured in the MRI Inherited Threat Trajectory component — determines whether the current design basis will remain adequate or will be overtaken by the threat environment within the asset lifecycle.
Drone Threat Exposure is a scored indicator in D4 Hostile Attack Vectors. Proximity to restricted airspace, counter-UAS coverage availability, and line-of-sight exposure are all assessed. The finding enters the design brief as a C-UAS specification requirement — not as a post-commissioning retrofit. The threat trajectory is assessed at site evaluation stage, before the security design is fixed.
Critical Infrastructure Clustering is a scored indicator in D4 Hazardous Adjacencies. When a new asset is evaluated for portfolio inclusion, VIGIL maps its relationship to existing assets and scores the concentration risk created by the combination. A new asset that creates a geographic cluster where a single attack could degrade three nodes of a national network is identified before commitment — not after the incident.
MRI Component ITT (Inherited Threat Trajectory) scores the direction of the threat environment over the 20-year asset lifecycle. When ACLED data shows increasing conflict events within 50km, when OSINT signals a new threat actor targeting the sector, when geopolitical indices shift — the ITT score moves. The design basis review is triggered by data, not by incident.
External Dependency Concentration (EDC) is an MRI component that scores how dependent mission success is on entities outside the site's control — and whether that concentration is changing. A water treatment facility with single-provider power, single chemical supplier, and single access road scores EDC 0.10 — the most adverse band. The structural vulnerability is visible. It can be addressed in the next capital planning cycle, not after a disruption event.
"The threat was known. It was in the data. It was in the trajectory. The question was never structured correctly — and the assessment never ran long enough to find the answer."The pattern. Repeated across sectors.
Structure the question correctly. Collect the evidence. Score it against a standard that holds. VIGIL does this for every site, every mission, every decision.