Online radicalisation no longer unfolds over months or years. In some cases, it now happens in days, often inside environments that are difficult to monitor and easy to fragment across.
In response, Australia is establishing a Counter Terrorism Online Centre (CTOC), led by ASIO and the AFP, to detect and disrupt online violent extremism. This includes a focus on youth targeting in gaming platforms and private chat environments.
The core intelligence challenge is not access to data. Instead, it is fragmented cross-platform visibility, identity ambiguity, and slow, manual triage that delays early intervention.
Investigations therefore require structured and defensible workflows. These must connect signals, preserve context, and support proportionate action. Fivecast ONYX supports structured discovery, targeted collection, and analysis across open-source environments.
What is the problem?
Online radicalisation refers to the process by which individuals are influenced, groomed and mobilised through digital environments. It can occur rapidly inside high volume, low visibility spaces such as gaming ecosystems and private chat groups, where signals are scattered across platforms, aliases and formats.
Why does it matter?
When warning signs are primarily online, delayed triage and fragmented visibility increase the likelihood of missed escalation, late intervention and weak evidentiary continuity.
What do investigators do today?
Most teams work from platform reports, referrals and manual open source checks, supplemented by case by case collection. This often creates duplication, context loss and slow linkage across identities and networks.
Australia’s counter terrorism posture is adapting to a structural shift in the threat environment. In May 2026, the Commonwealth announced funding to establish the Counter Terrorism Online Centre. This is a national capability jointly led by the Australian Security Intelligence Organisation and the Australian Federal Police, focused on detecting and disrupting online violent extremism and terrorism. This includes early stage indicators such as ideological grooming, mobilisation narratives, facilitation behaviours, and movement into private or less moderated spaces.
This analysis is intended for intelligence practitioners, investigators and policy stakeholders responsible for detecting, assessing and responding to online threats, particularly in environments where online activity is the primary source of visibility.
This shift reflects a growing operational reality. As AFP Commissioner Krissy Barrett noted,
“It used to take months or years to radicalise an individual, but now, in some cases, it is happening within days.”
The changing dynamics of radicalisation and response
The CTOC formalises what practitioners have been experiencing for several years. Radicalisation pathways are increasingly digital, often fast moving, and frequently visible only inside online spaces such as forums, gaming ecosystems and private chat environments. The strategic intent is to move earlier, before online mobilisation translates into offline harm.
This shift is occurring against a backdrop of heightened scrutiny of Australia’s counter terrorism posture. Recent events, including the Bondi attack, have intensified focus on how individuals move from online exposure to real world harm. At the same time, ongoing national inquiries and reviews have highlighted challenges in intelligence sharing, coordination and early intervention across agencies.
In this context, the establishment of the CTOC reflects a recognition that existing processes must evolve, not only to monitor threats, but to connect fragmented signals early enough to act.
What signals investigators look for
In operational terms, this includes identifying patterns such as:
- Shifts in language indicating ideological alignment or grievance escalation
- Attempts to normalise or justify violence
- Movement from public platforms into smaller, private or invitation only groups
- Early stage facilitation behaviours, including sharing tactics, tools or reconnaissance discussions
These indicators are rarely decisive in isolation. Their value emerges when connected across time, platforms and identities.
1) Problem analysis: why current approaches break down
For investigators and analysts, online radicalisation is rarely observable through a single platform or indicator. It presents as a pattern of behaviour emerging across social media, messaging applications, gaming communities, niche forums and, at times, the dark web.
The primary intelligence challenge is not access to data, but the ability to connect fragmented signals across platforms, resolve identity ambiguity, and triage risk early enough to intervene.
Fragmented visibility across platforms
Individuals may appear under different identifiers across systems. A game handle in one space, an alias in a private channel, and a separate account amplifying narratives elsewhere. Without cross platform visibility, it becomes difficult to connect identity, infer intent and assess escalation in time to intervene.
Scale outpaces manual triage
High volumes of content, referrals and platform reports do not equate to intelligence value on their own. Analysts must separate credible risk from noise rapidly and defensibly.
Context loss undermines decision making
Online content is transient. Accounts change names, posts are deleted, servers go private and conversations migrate. When operational workflows fail to preserve context, link analysis weakens and decision making confidence erodes.
2) Insight led reframing: from more data to better intelligence
The CTOC signals a shift in emphasis from broad monitoring toward defensible intelligence workflows that support early warning and proportionate response.
In practice, this reframing centres on three discipline areas:
Discovery with purpose
Starting from investigative hypotheses and mapping digital footprints across relevant environments
Linkage and validation
Resolving identities, connecting aliases and corroborating signals
Triage and escalation
Assessing intent, capability and targets with documented reasoning
Gaming ecosystems as a case study
Gaming ecosystems illustrate this challenge well. This includes not only in game interaction, but adjacent environments such as:
- Voice communication platforms used alongside gameplay
- Private or invitation only community servers
- Companion apps and forums where users coordinate outside the game itself
While official statements refer broadly to gaming platforms, forums and private chat groups, research and law enforcement reporting provide clearer insight into how these ecosystems function in practice.
Studies from organisations such as the Global Network on Extremism and Technology and academic research published in Frontiers in Psychology consistently identify gaming adjacent platforms such as Discord, Twitch and Steam communities as key parts of this environment. These platforms act as community hubs, communication layers and, in some cases, recruitment pathways.
These environments enable persistent interaction, pseudonymous identity use, and the creation of private or invitation only spaces where visibility is reduced.
Research also shows that activity does not remain confined to a single platform. Individuals are often introduced to narratives in more visible environments before interactions are deliberately moved into smaller, less moderated spaces, a process sometimes described as funnelling.
This transition reduces visibility, fragments context and makes early intervention more difficult.
From an investigative perspective, these environments are not static. Platforms, features and user behaviours shift rapidly, as communities migrate, rebrand or fragment across services. Maintaining visibility requires continuous monitoring of how these ecosystems evolve over time, not just where activity is currently visible, but how and where it is moving next.
3) Implications for investigators and analysts
Day to day work becomes ecosystem focused
Teams will increasingly need repeatable methods to:
- Pivot from one identifier to many
- Capture and preserve context early
- Identify network structure and influence pathways
- Detect escalation signals beyond traditional categories
- The cost of not adapting is late intervention
Where online activity is the primary visibility layer, fragmented context and slow linkage increase the likelihood that intervention occurs later, when fewer options remain.
What good looks like operationally
A defensible model includes:
- Consistent triage criteria
- Auditable decision pathways
- Repeatable, context rich collection
- Coordination across investigative, safeguarding and disruption teams
4) Where Fivecast ONYX fits
The establishment of the CTOC underscores a growing need for tools that support structured discovery, targeted collection and large scale analysis of publicly available information.
Fivecast ONYX supports this workflow by enabling teams to:
- Discover and compare results across diverse open source data environments
- Run targeted, auditable collection aligned to investigative scope
- Apply analysis across text, images and video
- Maintain traceability so analytical judgements can be reviewed and explained
Used appropriately, this capability does not replace professional judgement. It reduces analytical friction, allowing practitioners to move from fragmented signals to validated intelligence more efficiently, particularly in environments where activity is distributed, pseudonymous and prone to rapid deletion or migration.
This becomes especially important in an environment where platforms, identities and communities are constantly shifting, requiring persistent visibility rather than point in time collection.
From fragmented signals to defensible intelligence
Australia’s Counter Terrorism Online Centre reflects a broader reality. Early indicators of violent mobilisation are increasingly embedded in everyday digital spaces.
The operational challenge is no longer access to information, but the ability to connect, contextualise and assess it quickly and defensively.
For teams reviewing how they approach online triage, identity resolution and cross platform linkage, this moment provides an opportunity to reassess end to end workflows, from discovery through to decision.
FAQs
What is the Counter Terrorism Online Centre (CTOC)?
The Counter Terrorism Online Centre (CTOC) is a national capability led by the Australian Security Intelligence Organisation (ASIO) and the Australian Federal Police (AFP). It focuses on detecting and disrupting online violent extremism and terrorism, particularly in digital environments such as gaming platforms, forums, and private chat applications.
Why is online radicalisation harder to detect?
Online radicalisation is difficult to detect because activity is distributed across multiple platforms and identities. Individuals often use aliases, move between environments, and shift conversations into private or invitation-only spaces. This reduces visibility and fragments the intelligence picture.
What are early warning signs of online radicalisation?
Early warning signs of online radicalisation include:
- Changes in language linked to ideology or grievance
- Attempts to justify or normalise violence
- Movement into smaller or private online communities
- Sharing of tools, tactics, or operational discussions
- These indicators are rarely decisive on their own and must be assessed in context.
How do investigators track activity across multiple platforms?
Investigators track activity across platforms by linking identifiers, analysing behavioural patterns, and connecting signals over time. This requires structured workflows that support identity resolution, context preservation, and cross-platform analysis, tools such as Fivecast ONYX.
