DHS Homeland Threat Assessment: Key Findings and Trends

The Department of Homeland Security publishes an annual threat assessment that consolidates intelligence from across federal, state, and local partners to characterize the most significant dangers facing the United States. This page explains the structure and scope of that assessment, how threat findings are developed and communicated, the categories of threats most frequently identified, and the criteria used to prioritize one threat category over another. Understanding the assessment's architecture is essential for policymakers, emergency managers, and researchers who rely on it to allocate resources and design protective measures.

Definition and scope

The DHS Annual Threat Assessment is an unclassified public document produced by the Office of Intelligence and Analysis (I&A) that synthesizes judgments about threats to the homeland across a defined 12-month horizon. It is distinct from classified intelligence products circulated within the federal government; its purpose is to enable state, local, tribal, and territorial governments, as well as private sector partners, to make informed security decisions without requiring security clearances.

The assessment spans five primary threat domains: terrorism (both foreign-directed and domestic), cyber threats, transnational criminal organizations, natural and biological hazards, and threats to critical infrastructure. Each domain is evaluated along two axes — probability of occurrence and potential impact — which together produce a prioritization of federal attention and funding. The full scope of DHS intelligence and analysis operations underpins the research methodology behind each published edition.

The document is not a policy directive. It does not mandate specific actions by state governments or private entities. Instead, it functions as a shared evidentiary baseline that informs decisions made under separate legal authorities.

How it works

The production of the annual threat assessment follows a structured, multi-agency intelligence cycle:

  1. Collection — Raw intelligence is gathered by DHS component agencies including the Cybersecurity and Infrastructure Security Agency (CISA), Customs and Border Protection (CBP), Immigration and Customs Enforcement (ICE), and the Coast Guard, as well as partner agencies such as the FBI and CIA.
  2. Analysis — Analysts within I&A synthesize collected intelligence against historical baseline data, identifying changes in threat actor capability, intent, and opportunity.
  3. Coordination — Draft findings are reviewed by interagency partners, including the Office of the Director of National Intelligence (ODNI), to ensure consistency with the broader National Intelligence Assessment framework.
  4. Classification review — Because the published version is unclassified, a formal declassification and sensitivity review removes operationally sensitive details while preserving analytic conclusions.
  5. Publication and dissemination — The final document is released publicly and transmitted to DHS fusion centers and state homeland security advisors for localized application.

The assessment explicitly distinguishes between strategic threats (long-term structural dangers such as foreign state cyber campaigns) and operational threats (near-term, actor-specific dangers such as lone-actor terrorism plots). This distinction governs how federal resources are staged: strategic threats drive investment in resilience programs, while operational threats drive immediate law enforcement and interdiction activity.

Common scenarios

Three recurring threat scenarios appear consistently across published DHS assessment cycles:

Domestic violent extremism (DVE) has been identified in multiple DHS reports as a leading terrorism concern within US borders. The DHS counterterrorism role encompasses both foreign-directed and domestically generated plots, with DVE actors motivated by racially or ethnically motivated violent extremism (RMVE) and anti-government violent extremism (AGVE) representing distinct subcategories with different target profiles.

Cyber intrusions against critical infrastructure represent a second persistent scenario. CISA has documented campaigns targeting 16 critical infrastructure sectors designated under Presidential Policy Directive 21 (PPD-21). Intrusions against the energy sector and water systems have featured prominently in assessment findings, given that successful attacks on these sectors carry cascading consequences for civilian populations. The DHS cybersecurity mission and DHS critical infrastructure protection functions directly address this threat vector.

Transnational criminal organization (TCO) activity at the southern border constitutes a third recurring scenario. TCOs exploit legal ports of entry through document fraud, smuggling infrastructure, and corruption of transport networks. CBP border security operations and HSI investigations are the primary operational responses to this threat category.

Decision boundaries

The threat assessment operates within defined analytical boundaries that affect how findings should and should not be interpreted:

What the assessment does:
- Provide unclassified judgments about probability and impact across threat domains
- Identify trends in threat actor capability and intent based on observable intelligence
- Inform grant allocation decisions, including those made through DHS grants and programs and DHS preparedness programs

What the assessment does not do:
- Assign specific threat levels to geographic regions (that function belongs to the DHS Threat Advisory System)
- Direct law enforcement action or authorize surveillance
- Substitute for classified threat briefings provided to cleared stakeholders

A critical distinction exists between the annual threat assessment and the National Terrorism Advisory System (NTAS) bulletins. NTAS bulletins are event-specific and time-bounded, issued when a credible threat to a specific sector or location has been identified. The annual assessment, by contrast, is horizon-scanning and probabilistic. Conflating the two leads to misallocation of protective resources — a common error in state-level emergency management planning.

The assessment's unclassified format also creates an inherent limitation: analytic confidence levels expressed in the public document may be hedged more conservatively than in classified versions, because specific sourcing and collection methods cannot be disclosed. Practitioners accessing the document through the DHS Authority reference portal should treat probability language ("likely," "almost certainly") as conforming to ODNI's standardized probability terminology, where "likely" corresponds to a 55–80% probability range (ODNI, Intelligence Community Directive 203).

References

Read Next

DHS Homeland Threat Assessment: Key Findings and Trends This page explains the structure and scope of that assessment, how threat findings are developed and communicated, the... DHS Office of Intelligence and Analysis: Role and Functions Established under the Homeland Security Act of 2002 ( 6 U.S.C. DHS Fusion Centers: State and Local Intelligence Sharing This page covers how fusion centers are defined, how information flows through them, the operational scenarios they address,...