essay 23 min read

OpSec 20/80: What Running Actually Costs in 2026

A Gray Man-flavored thought experiment. One operator, Prague to Sarajevo, 18 hours. Every beat of the classic spy novel run through the surveillance overlay it would actually face today. The romance is dead. Pattern of life beats every disguise.

opsecsecuritysurveillanceprivacytradecraft

Court Gentry is the Gray Man. Mark Greaney’s protagonist across a dozen novels: a former CIA asset running freelance, hunted by his own agency, surviving on tradecraft and a willingness to disappear. In the books, he crosses borders on forged passports. He pays cash. He sleeps in places that do not ask questions. He calls his handler on burner phones and destroys them after. He is very good at not being seen.

The premise: Gentry has 18 hours to cross from Prague to a contact in Sarajevo. He has a clean passport (forged), 4,000 euros in cash, a burner phone with one number stored, and a knife. The novel says this is enough. The novel was written in 2009.

Let’s see what 2026 thinks.

What this is (and isn’t)

This is not a how-to. It is not even particularly useful. It is a thought experiment about how thoroughly fiction has aged in seventeen years. Spy novels still work because the genre runs on tradecraft, and tradecraft has a romance to it: the forged passport, the dead drop, the gray man who blends into a crowd and disappears.

The 2026 surveillance overlay does not care about romance. It cares about biometrics, about pattern of life, about the math that connects a face at a border to a phone on a tower to a gait at a bus station 700 kilometers away.

If you want the practical version of operations security, the floor and the climb, that piece exists. This one is for the people who read the Gray Man novels and wondered what the other side of the screen looks like.

We are going to walk one operator through five beats: the border crossing, the hotel, the payment, the contact, and the exfil. Prague to Sarajevo. Each beat plays out the way the novels write it. Then the camera pulls back, and we show what the surveillance overlay actually sees.

Let’s walk him through it.

Beat 1: The border crossing

The Operator leaves Prague at 04:30. The city is dark and quiet. Tram lines glow amber under streetlights. He drives a rented Škoda Octavia, the most common car on Czech roads. Cash deposit at a counter in Smíchov the night before. The rental clerk barely looked at the forged Czech driving permit. The Octavia is silver. There are a hundred thousand silver Octavias in this country.

He takes the D3 motorway south, then the E55 toward Dolní Dvořiště, the Czech-Austrian border crossing. Two hours of flat Bohemian farmland in the dark. He keeps the speed legal. He does not stop for fuel. Schengen means no physical checkpoint at the border. No barrier. No uniformed officer waving him through. Just road.

He crosses at 05:40. The first light is a gray line on the horizon. The road is quiet. He allows himself one thought: clean.

He is wrong.

The overlay. The European Entry/Exit System went operational across all 29 Schengen states in spring 2026, after years of delays. EES captures four fingerprints and a facial image from every non-EU short-stay traveler at every external Schengen border. The data persists for three years from the last crossing, five if the traveler overstays. The clock resets on every entry or exit.

The Operator entered the Schengen zone weeks ago on the forged passport. That entry was biometrically enrolled. His face and prints are in the system. Every subsequent border interaction, even an internal one flagged by a random police check, can pull his biometric file in seconds.

But EES is the enrollment layer. The hunting layer is SIS.

The Schengen Information System holds 86 million records. It processes roughly 20 million queries per day. An alert entered by one country is queryable in real time by all participating states. The alert categories include refusal of entry, persons wanted for arrest, missing persons, and a category that matters here: Article 36 checks. A “discreet check” means observe only, do not stop. A “specific check” means stop, search the person and vehicle. An “inquiry check” means stop, interview the subject with questions provided by the issuing state.

If the Operator’s forged passport number matches a flagged document in SIS, the next police officer who runs it will know. Not in hours. In milliseconds.

The Škoda rolls past Dolní Dvořiště. No barrier. No officer. But the Operator’s face was captured at the Schengen external border on entry, and SIS has been running since before he got in the car. The absence of a visible checkpoint is not the absence of a system.

Then there are the cameras on the road. Belgium became the first EU state to link its national ANPR camera network to the ANPR@GPI platform in November 2025, enabling cross-border vehicle tracking via SIS. France’s Senate adopted a bill in 2025 to extend LAPI (their ALPR network) to all crimes punishable by five years or more, double the retention period, and make LAPI integration mandatory in all video-protection systems by 2028. The UK’s National ANPR network already processes 60 million reads per day across 12,700 cameras.

Austria’s ALPR deployment is thinner. Germany’s Federal Constitutional Court declared portions of Bavarian ALPR law partly unconstitutional in 2018, limiting mass-scan zones to a 30-kilometer border depth absent specific cause. The Czech-Austrian corridor is not London. But the Danish EU presidency proposed an EU working group in January 2026 on ANPR-based surveillance of car journeys at EU level. The direction is one way. The Operator is on the road. The road has opinions about him now.

Beat 2: The hotel

He reaches the outskirts of Vienna by midday. The A1 motorway is thick with trucks. Vienna is a capital. Capitals have cameras, police, embassies, intelligence stations. He does not stop. He does not even exit the motorway. He skirts the city on the S1 and continues south toward Graz.

From Graz, he crosses into Slovenia at Spielfeld. Still Schengen. Still no physical border. The Slovenian section is short: an hour on the A1 to the Croatian border at Obrežje. Croatia joined Schengen in January 2023. No checkpoint there either. He is three countries deep and has not spoken to a human being in uniform.

South of Zagreb, the road changes. The Croatian motorway gives way to two-lane roads. The countryside is green and hilly and empty. The Operator has been driving for ten hours. He has crossed four countries. He has not stopped except for fuel, once, at a self-service station where he paid cash at the pump and did not enter the building.

At the Bosnian border zone near Gradiška, finally, is an actual crossing. A line of trucks. A separate lane for cars. Bosnia and Herzegovina is not in the EU, not in Schengen, not in any of the integrated systems he has been ghosting through all day. A border guard checks the forged passport, stamps it, and waves him through. The whole interaction takes ninety seconds. The guard does not scan the passport electronically. He looks at the photo. He looks at the face. He stamps the page.

By evening he is in Banja Luka. He finds a small hotel on a side street off the Gospodska. A cash city. Off the grid. He pays 80 euros for one night. He shows the forged passport to the front desk. The clerk writes something in a ledger and hands him a key.

In the novel, this works.

The overlay. Bosnia and Herzegovina is not in Schengen and not in SIS. That is real. The data does not auto-propagate. The Operator chose his route well.

But Bosnia has its own registration requirements. Foreigners must register within 48 hours of arrival via a “white card” issued by the Service for Foreigners Affairs. Hotels register guests automatically. The front desk scans the passport, and the data goes to the Ministry of Security.

This is not SIS. It is slower, less integrated, and less automated. But it is a record. The forged passport number now exists in a Bosnian government database with a timestamp and a hotel address.

Inside Schengen, the picture is worse. In Italy, Spain, France, Germany, and Greece, passport details transmitted to police at check-in can trigger a SIS hit in seconds, because the check runs against the same Central System used at borders. In Austria, hotels keep a Gastenbuch for every stay. Modern check-in software submits guest data via medatec.at to local authorities for validation. In the Czech Republic, accommodation providers report foreign guests to the Foreign Police via the UbyPort system within three days. The same rules apply to Airbnb.

If the Operator had stopped for the night anywhere in Schengen, his forged passport would have been run against SIS from the hotel front desk. He is in Bosnia instead. He has traded system integration for bureaucratic inertia. It is a real advantage. It is not invisibility.

Then there is the money. The EU’s Anti-Money Laundering Regulation (2024/1624) imposes a hard cap of 10,000 euros on cash payments in professional contexts. Obliged entities must identify customers for cash transactions above 3,000 euros. The regulation is directly applicable from July 2027, but several states already enforce similar or stricter limits. Slovenia prohibits cash payments between subjects above 5,000 euros. Bosnia’s threshold is 30,000 convertible marks, roughly 15,300 euros.

The Operator paid 80 euros cash for one night. Under every threshold. But the pattern, a foreign passport paying cash at a hotel in a border region, is exactly the signature that financial-intelligence analysts are trained to notice. The AML system is not designed to catch individuals. It is designed to catch networks. A single hotel stay is noise. Two or three cash payments, in different cities, with a direction of travel, become a signal. The Operator has been disciplined: one hotel, one city, one night. But he is leaving a breadcrumb trail that, if queried, forms a line on a map. The line points southeast.

Beat 3: The payment

Morning. The Operator slept four hours. He checks the window: quiet street, no parked cars that were not there last night, no foot traffic that looks like it is waiting. He does not turn on the hotel television. He does not connect to the hotel Wi-Fi. He packed the burner phone last night with the battery removed, a habit from the novels, which in this case is actually correct.

He walks to the Čaršija, the old market district in Banja Luka’s center. He needs a fresh SIM card and food. A small kiosk sells prepaid BH Telecom SIMs for 5 convertible marks. No ID required. He buys one. He buys a burek from a window counter and eats it standing on the street, watching the foot traffic. An old man selling newspapers. Two women carrying bags of vegetables. A teenager on a phone. Nobody is watching him. Nobody has a reason to. He washes it down with a Bosnian coffee in a copper džezva, standing at a counter in a kafana where nobody makes eye contact. The kafana smells like tobacco smoke and old wood. It is the kind of place where you can be nobody for a while.

He inserts the SIM into the burner. Powers it on. Waits for the network icon.

In the novel, this is a paragraph. Clean, efficient, forgettable.

The overlay. The cash came from an ATM in Prague, two days ago. That ATM had a camera. The camera captured a face. The face is associated with a withdrawal amount, a timestamp, and a card, or in this case, no card, because the Operator used leftover Czech crowns from a prior exchange. The ATM still captured the face. Every ATM does. Whether anyone queries that footage depends on whether anyone is looking. Nobody is looking yet.

The SIM is the real problem.

The moment the Operator inserts the prepaid SIM and powers on the phone, the device registers with the nearest cell tower. That registration logs three things: the SIM’s IMSI (its identity on the network), the phone’s IMEI (its hardware identity), and the cell sector and timestamp. Bosnian mobile network operators retain these call detail records. They are available to law enforcement on request.

The Operator is using a burner phone. A phone that has never been seen on this network before. A phone whose IMEI has no history. In telecom parlance, this is a “phantom handset,” a new IMEI appearing on a SIM that was itself just activated. Mobile operators’ fraud-detection systems flag this pattern. Not always in real time. But the flag exists.

In denser surveillance environments, the problem compounds. Privacy International’s legal analysis found that IMSI catchers “remain unregulated” in many EU states, “often deployed in secret, without a clear legal basis.” France’s existing judicial framework already permits covert entry into private premises to deploy an IMSI catcher. Germany requires targets to be notified after an investigation closes, and intelligence services report to the Parliamentary Control Panel, but the tool is in active use. A 2025 academic paper at NDSS demonstrated passive detection of IMSI-catcher activity by analyzing baseband signaling, meaning the tools leave traces, but the targets almost never know.

The Operator is in Bosnia, not France. The telecom infrastructure is less surveilled. But the physics is the same everywhere: the phone talked to a tower, the tower logged it, and the IMEI is now in a database. The burner is no longer clean. It became dirty the moment it powered on.

Beat 4: The contact

Late afternoon. The Operator is back in the hotel room. He has scouted the bus station, confirmed tomorrow morning’s schedule to Sarajevo, and walked the blocks around the hotel twice. He knows two exits from the building and one route to the river that avoids the main road.

He inserts the SIM back into the burner. Powers it on. His thumb presses the plastic casing harder than it needs to. He dials the one number stored in the phone.

Two rings. Then a voice he has not heard in four months. Low, unhurried, a slight accent he cannot place. The handler gives a location in Sarajevo, a time, a recognition signal. The Operator says nothing back except “confirmed.” The handler says “confirmed” and the line goes dead. Ninety seconds total. The silence afterward is louder than the call.

The Operator powers the phone off. Removes the SIM. Removes the battery. His hands are steady but his pulse is not. He wraps the SIM in a tissue and puts it in his jacket pocket. Tomorrow he will drop it in a trash can on the way to the bus.

Ninety seconds. In the novel, this is operational discipline.

The overlay. The handler’s number is on a watch list. It has been for two years. Not because anyone identified the handler by name, but because the number appeared in the metadata of three prior operations that went wrong. Intelligence services collect phone numbers the way they collect everything else: in bulk, sorted later.

The moment the Operator’s burner dialed that number, the connection created a CDR, a call detail record, at the Bosnian carrier. The CDR contains the calling IMSI, the called number, the duration, and the cell sectors at both ends. That record is stored. If anyone queries the handler’s number against Bosnian carrier records (via mutual legal assistance, Interpol, or bilateral agreement), the Operator’s burner IMSI appears. From the IMSI, the IMEI. From the IMEI, the cell sector. From the cell sector, a location accurate to roughly 50 to 150 meters in an urban environment.

Ninety seconds is not short enough. There is no “short enough.” The CDR is created at call setup, not after some timer expires. One second or ninety, the record is identical.

Tower triangulation, using multiple cell towers to narrow the location, works in real time in dense urban areas. Banja Luka is not dense. The precision is lower. But the Operator is now associated with a geographic area, a time window, and a number that someone is watching. That is enough to begin correlating.

Voice fingerprinting adds another layer. Carrier-level voice analysis can match a speaker against a stored sample. The technology is not universal, and its accuracy varies. But intelligence agencies with a prior voice sample of the handler or the Operator can run a probabilistic match against intercepted calls. The match does not need to be certain. It needs to be interesting enough to escalate.

The Operator removed the SIM and powered off the phone. Good. But the phone’s IMEI was already logged. If he powers on a new SIM in the same handset, the IMEI links them. If he powers on the same SIM in a new handset, the IMSI links them. The only clean move is to destroy both and start over. The novel rarely mentions this. The logistics of burner rotation at operational tempo are unglamorous and expensive.

And the phone itself is not necessarily safe even powered off. Paragon’s “Graphite” zero-click iMessage exploit was used to hack Italian journalists in 2025. Citizen Lab named six likely government customers: Australia, Canada, Cyprus, Denmark, Israel, Singapore. The Barcelona court accepted a criminal investigation into NSO Group executives over Pegasus deployment against Catalan targets. Greece’s “Predatorgate” verdict handed down 126 years of prison time. The Intellexa Leaks revealed that the vendor retained remote access into its own customers’ systems. Apple’s Lockdown Mode has not been publicly broken. Citizen Lab and Apple both report no successful mercenary-spyware compromises of a Lockdown Mode-enabled device. That is the best defense available. It is also a concession: the best you can do is turn off features. The Operator’s burner is not an iPhone with Lockdown Mode. It is a cheap handset running whatever firmware the factory installed. Against a state-level adversary with spyware capability, the phone is a microphone with a screen.

Beat 5: The exfil

Next morning. The Operator drops the SIM in a trash can two blocks from the hotel. He walks to the bus station with the burner phone, battery removed, in his jacket. The phone itself he will drop in a different city.

The bus to Sarajevo departs at 09:15. Four hours through the Vrbas canyon, then southeast through Travnik and into the Sarajevo basin. He wears a dark beanie, a gray scarf, and an unremarkable jacket. Earth tones. Nothing with logos. Nothing with texture. He sits in the middle of the bus, window seat, on the side away from the station. He does not make eye contact. He does not use a phone. He does not read. He watches the road and the countryside like a man with nothing on his mind.

The bus smells like diesel and cleaning fluid. The window is smeared. An old woman across the aisle is asleep with a plastic bag of bread in her lap. The Operator has crossed five countries in 30 hours. He has spoken to four people: a rental clerk, a border guard, a hotel clerk, and a handler on a phone. He has left traces with all of them. He is thinking about the contact point in Sarajevo. He is not thinking about the seventeen databases that are thinking about him.

At the bus station in Sarajevo, he steps off with a cluster of other passengers. He does not walk fast. He does not walk slow. He matches the pace of the crowd. The hat stays on. The scarf stays up. He turns left, away from the taxi stand, toward Baščaršija, the old town. He is a gray man. He blends.

In the novel, this is the escape. The operator disappears into the crowd. The camera fades to black.

The overlay. The Sarajevo bus station has CCTV. Most transit hubs in the Western Balkans do. The cameras are not connected to facial-recognition databases in real time, not yet, not in Bosnia. But the footage is stored. It can be queried retroactively. If someone comes looking for a man who arrived on the 09:15 from Banja Luka, the footage exists.

The hat and scarf defeat casual facial recognition. They do not defeat gait recognition. Gait analysis identifies individuals by the biomechanics of how they walk: stride length, cadence, joint angles, asymmetries. A hat does not change your gait. A scarf does not change your gait. Gait recognition is still primarily a research capability in 2026, not widely deployed at transit hubs. But the UK, China, and Japan have operational deployments, and the EU’s Prüm II regulation (adopted March 2024) expands automated cross-border data exchange to include facial images, with a 48-hour disclosure deadline for data matches. The infrastructure is being built for the capability to drop into.

Above the bus station, the picture gets worse. Commercial satellite imagery from Maxar, Planet Labs, and Capella Space offers resolution sufficient to track individual vehicles and, in some cases, individual humans across time. Satellite tasking is expensive and usually reserved for high-value targets. But the cost has been falling for a decade, and the revisit rate keeps climbing. War on the Rocks reported that by 2028, European states will be in a “fairly decent position” on earth observation capabilities as more constellations come online. Open-source monitoring methods, including high-resolution satellite imagery, thermal infrared, and multispectral analysis, have advanced to the point that they provide credible and timely insights.

Pattern of life is the synthesis layer. It does not require any single system to be perfect. It requires several imperfect systems to overlap. Consider what the Operator left behind in 18 hours:

A biometric enrollment at the Schengen external border. A rental agreement in Prague tied to a forged driving permit. ALPR captures on the D3 motorway southbound. A vehicle crossing the Czech-Austrian border at 05:40. The same vehicle on the Austrian A1 skirting Vienna. A Slovenian toll record. A Croatian motorway exit. A Bosnian border stamp on the forged passport. A hotel registration in Banja Luka with a passport scan and a cash payment. A prepaid SIM purchased at a kiosk. A phantom IMEI registering on a BH Telecom tower. A 90-second call to a watched number. A CDR connecting the IMSI to a cell sector. A bus ticket purchased with cash. CCTV footage of a man in a beanie boarding the 09:15 to Sarajevo. CCTV footage of the same man stepping off at the Sarajevo bus station.

Seventeen data points. None conclusive alone. Together, they are a thread that runs from Prague to Sarajevo with timestamps and biometrics attached.

The thread does not need to be pulled in real time. It can be reconstructed days, weeks, or months later. An analyst starting from the handler’s phone number works backward through the CDR to the IMSI, through the IMSI to the cell sector in Banja Luka, through Banja Luka hotel records to the forged passport, through the passport to EES biometric enrollment, through the enrollment to every ALPR and border record attached to that identity. The reconstruction takes hours, not months. The data is already collected. It is sitting in databases across five countries, waiting for a query.

The system is patient. It remembers everything. The Operator is one person. The system is the aggregate of every camera, every tower, every database, every border he crossed.

The hat does not help.

The price of the romance

Court Gentry’s tradecraft was state of the art for 2009. The forged passport, the cash economy, the burner phone, the gray-man discipline. Every one of those tools still exists. None of them works the way the novels say they do.

The forged passport is biometrically enrolled and queryable across 29 countries in real time. The cash is tracked by AML systems designed to find exactly the pattern the operator produces. The burner phone is dirty the moment it powers on. The gray-man disguise fails against gait analysis and pattern-of-life correlation.

You can buy time. You cannot buy invisibility. That is the honest math of running from a modern surveillance state, or even from the polite, regulated, GDPR-compliant version that the European Union has built.

The honest nuance: the system is not as coordinated as this piece makes it sound. SIS queries are real-time, but hotel data in many states still moves in overnight batches. ALPR coverage outside the UK and France is uneven. Bosnian telecom records require a formal legal request that can take weeks. No single analyst is sitting in a room watching all of these feeds converge on one silver Octavia. The surveillance overlay is a capability, not a panopticon. It becomes a panopticon when someone starts pulling the thread, when the Operator’s forged passport hits a flag, or the handler’s number pops a match, and an analyst starts correlating backward. The system is dormant until it is not. And then it has everything.

The direction is one way. Every system described above is newer than the novel. Every system is getting cheaper, faster, and more integrated. The Prüm II framework automates what used to require phone calls between agencies. The EES replaces what used to be a stamp in a passport. The ANPR networks are growing. The satellite constellations are multiplying. An operator with real training, unlimited funding, and a backstopped identity embedded for years is a harder problem than our fictional Operator with his 18-hour timeline. But the distance between “harder problem” and “unsolvable problem” is shrinking every year.

Where this leaves you

This piece was for the romance. For the people who read the Gray Man novels and wondered how far the tradecraft would actually carry in 2026. The answer is: not as far as you think.

Mark Greaney’s One Minute Out (2020) is set partly in Mostar and Dubrovnik. He visited both cities for research. The tradecraft in that novel would look meaningfully different today. EES did not exist. Prüm II did not exist. Belgium’s cross-border ANPR integration did not exist. The SIS Recast had not added palmprints and inquiry checks. Every novel ages. Spy novels age faster, because the surveillance infrastructure evolves on a legislative and engineering timeline that no thriller can keep up with.

This piece is the last 20 percent. The part where graduated resilience runs out and you are just running. Almost nobody lives here. If you do, you already know it, and you are not reading this on a website.

For the rest of us: the system is real, it is growing, and the best response is not to outrun it. It is to understand what it sees, close the gap between your posture and your exposure, and stop pretending that privacy is something you either have or you do not.

Privacy is a posture. Graduate it.