How Signals Intelligence Actually Works: Intercepting, Locating, and Analysing RF Emissions

Every time a radio transmitter keys up, it announces itself to anyone with the right antenna and receiver. Military radios, civilian phones, radar systems, satellite uplinks, even the unintentional electromagnetic leakage from a computer monitor: they all radiate energy into the spectrum, and that energy propagates outward at the speed of light. Signals intelligence is the discipline of collecting, locating, and extracting useful information from those emissions. It has been a decisive factor in every major conflict since the Second World War, and its importance has only grown as the world has become saturated with radio-frequency communications.

SIGINT is not one thing. It is a family of related disciplines, each targeting a different type of emission, using different equipment and different analytical techniques. Understanding how it works requires understanding radio propagation, receiver design, geolocation mathematics, and the surprisingly powerful art of traffic analysis. This post covers all of that, with real systems, real numbers, and the physics that makes it possible.

1. The Three Branches of SIGINT

Signals intelligence divides into three principal categories, each defined by the type of signal being intercepted.

COMINT (Communications Intelligence) targets human communications. Phone calls, radio transmissions, email, chat messages, fax, teletype: if two humans are exchanging information over an electromagnetic channel, intercepting that exchange is COMINT. During the Cold War, this meant monitoring Soviet military radio nets, tapping undersea cables, and intercepting microwave trunk links. In a modern context, it means intercepting cellular calls in a conflict zone, monitoring satellite phone traffic, or collecting internet communications transiting a fibre-optic cable. COMINT is what most people think of when they hear "signals intelligence."

ELINT (Electronic Intelligence) targets non-communication electromagnetic emissions, primarily radar. Every radar system has a characteristic signature: its operating frequency, pulse repetition interval (PRI), pulse width, scan rate, and antenna pattern. Intercepting and cataloguing these parameters tells you what radar systems an adversary operates, where they are, and (by extension) what weapon systems they possess. An S-300 air defence system uses specific radar types with known parameters. Detect those parameters, and you know there is an S-300 battery at that location without ever seeing it visually. ELINT is the foundation of electronic warfare and suppression of enemy air defences (SEAD).

FISINT (Foreign Instrumentation Signals Intelligence) is the most specialised branch. It targets telemetry and instrumentation signals from foreign weapons tests: the data streams transmitted by a ballistic missile during a test flight, the telemetry from an aircraft under evaluation, or the command signals sent to a satellite. During the Cold War, the United States and Soviet Union both invested heavily in FISINT to monitor each other's missile programmes. Ground stations in Turkey and Iran (before the 1979 revolution) intercepted Soviet missile telemetry from test ranges in Kazakhstan. The data provided insight into missile accuracy, warhead design, and guidance system performance. FISINT remains important for monitoring ballistic missile development in countries like North Korea and Iran.

These three branches overlap. A military radio network is COMINT. The radar on the same military vehicle is ELINT. The telemetry link sending test data from a new radar prototype back to the manufacturer is FISINT. The intelligence value comes from combining all three.

2. The Intelligence Cycle: From Requirement to Report

SIGINT does not happen spontaneously. It follows a structured cycle that connects a commander's need to an analyst's product.

Tasking begins with an intelligence requirement. A NATO commander preparing for operations needs to know the disposition of adversary air defence systems in a given region. That requirement is translated into specific SIGINT collection tasks: monitor these frequency bands, look for these radar types, track communications on these networks.

Collection is the physical act of intercepting signals. A ground station tunes its receivers to the specified bands. An airborne platform flies along a border to collect emissions from the other side. A satellite repositions to cover the target area. The collection assets capture raw signal data: digitised RF samples, recorded audio, intercepted data packets.

Processing converts raw intercepts into something usable. This means demodulating the signal (extracting the information from the carrier wave), decoding it (converting from whatever protocol or format is in use), decrypting it (if possible), and transcribing or translating it (for voice communications in foreign languages). For ELINT, processing means measuring pulse parameters and matching them against known emitter databases. Processing is where most of the computational work happens, and where modern DSP hardware has transformed the field.

Exploitation and Analysis is where trained analysts extract intelligence from the processed material. An analyst might combine intercepted communications mentioning a unit movement, ELINT showing radar activity at a new location, and imagery confirming vehicle tracks to build a coherent picture. The product is not raw intercepts; it is assessed intelligence.

Dissemination delivers the finished product to the consumers who need it. That might be a classified report to a military commander, a tip to a tactical unit, or a contribution to a national intelligence estimate. The entire cycle, from requirement to report, can take weeks for strategic intelligence or minutes for tactical support in an active conflict.

The cycle is iterative. Analysis often reveals gaps that generate new collection requirements, starting the process again.

3. Collection Platforms

SIGINT collection happens from four domains: ground, air, space, and sea. Each has distinct advantages defined by physics and geometry.

Ground Stations

Ground-based SIGINT is the oldest form. Large antenna farms, often covering tens of hectares, intercept signals across the HF, VHF, UHF, and microwave bands. The advantage of a ground station is that it can house enormous antennas (critical for sensitivity at lower frequencies), run power-hungry receivers continuously, and store vast amounts of collected data with no weight or power constraints.

Europe has been home to major SIGINT ground stations since the early Cold War. RAF Menwith Hill in Yorkshire, operated jointly by the UK's GCHQ and the US NSA, is one of the largest SIGINT stations in the world, with its distinctive radomes (the white golf-ball structures that shelter satellite dish antennas from weather and hide their orientation from observers). The station's primary mission has been the interception of satellite communications.

Cyprus has been a strategic SIGINT location for decades. RAF Akrotiri and the installations at Ayios Nikolaos on the eastern end of the island provide coverage of the Middle East and eastern Mediterranean. The island's geography places it within line-of-sight or near-line-of-sight of transmissions from Lebanon, Syria, Israel, and Turkey. For HF collection, which propagates via ionospheric reflection and does not require line-of-sight, Cyprus provides excellent coverage of a much wider area.

Germany hosted major SIGINT facilities during the Cold War, positioned to intercept Warsaw Pact communications just across the inner German border. The Teufelsberg station in West Berlin, built on an artificial hill made from Second World War rubble, was ideally positioned to intercept VHF and UHF communications from East Berlin and East Germany. After reunification, many of these stations were repurposed or closed, but Germany remains a significant SIGINT node.

HF direction finding (DF) from ground stations uses antenna arrays to determine the bearing to a transmitter. The classic AN/FLR-9 "Elephant Cage" array, with its circular arrangement of antenna elements spanning over 300 metres in diameter, was deployed at several European locations including Augsburg, Germany, and San Vito dei Normanni in southern Italy. These arrays measure the phase difference of an arriving wavefront across multiple antenna elements to compute a bearing. A single station gives you a line of bearing; two or more stations, widely separated, give you a fix where the bearings cross.

Airborne Platforms

Aircraft are the most flexible SIGINT collection platforms. Their altitude extends the radio horizon dramatically, allowing collection of signals that a ground station, blocked by terrain, could never detect. The radio horizon distance from an aircraft is approximately:

d = √(2 × h × R_earth)

Where d is the horizon distance, h is the aircraft altitude, and R_earth is the Earth's radius (approximately 6,371 km). For an aircraft at 10,000 metres:

d = √(2 × 10 × 6,371)
d = √(127,420)
d ≈ 357 km

At 10 km altitude, the radio horizon extends roughly 357 kilometres in every direction. A VHF or UHF transmitter within that radius, operating in line-of-sight propagation, can be intercepted. Compare this to a ground station where the horizon might be only 20 to 40 kilometres depending on local terrain.

The RC-135V/W Rivet Joint is the most well-known Western SIGINT aircraft. Operated by the US Air Force and the Royal Air Force (the UK purchased three RC-135W Airseeker aircraft from Boeing as a Rivet Joint equivalent), it carries a suite of receivers, antennas, and onboard processing systems. The aircraft has antenna blisters along the fuselage, "cheek" antennas on either side of the forward fuselage, and additional antennas integrated into the wing and tail structure. A crew of over 30 includes electronic warfare officers, cryptologic linguists, and intelligence analysts who process intercepts in flight. The aircraft can orbit for hours at altitudes around 10,000 to 12,000 metres, collecting signals across a wide frequency range.

Israel operates specialised SIGINT aircraft based on the Gulfstream G550 airframe, known as the Eitam (for AEW) and Shavit (for SIGINT) variants. The SIGINT variant carries conformal antenna arrays along the fuselage and a suite of ELINT and COMINT receivers produced by Elta Systems, a subsidiary of Israel Aerospace Industries. Israel's small geographic size makes airborne SIGINT collection strategically important: an aircraft orbiting over the Negev can collect signals from most of the eastern Mediterranean and the Levant.

Sweden's Saab GlobalEye is a multi-role surveillance aircraft based on the Bombardier Global 6000 airframe. While primarily marketed as an AEW&C (airborne early warning and control) platform, it includes a SIGINT capability integrated with its radar and identification systems. Sweden's tradition of sophisticated SIGINT is well established; the National Defence Radio Establishment (FRA) has operated signals intelligence since 1942.

Spaceborne SIGINT

Satellites provide persistent, wide-area SIGINT coverage that no other platform can match. There are two principal orbital regimes for SIGINT satellites.

Geosynchronous (GEO) SIGINT satellites orbit at approximately 35,786 km altitude, remaining stationary relative to a point on the ground. The US operates large GEO SIGINT satellites in the Mentor/Orion class, widely reported to carry deployable mesh antennas with diameters exceeding 100 metres. An antenna of that size, operating at UHF frequencies (around 300 MHz to 3 GHz), provides the gain needed to intercept relatively weak signals from geostationary orbit. The physics are straightforward: the gain of a parabolic antenna is:

G = (π × D / λ)² × η

Where D is the antenna diameter, λ is the wavelength, and η is the aperture efficiency (typically 0.55 to 0.65). For a 100-metre antenna at 1 GHz (λ = 0.3 m):

G = (π × 100 / 0.3)² × 0.6
G = (1,047)² × 0.6
G ≈ 658,000 (≈ 58 dBi)

That is an enormous amount of antenna gain, enough to detect individual cellular handset emissions from geosynchronous orbit in some scenarios. The trade-off is that these satellites are hugely expensive, are visible to adversaries (their orbital positions are tracked and published), and their fixed position means they cover one hemisphere permanently but cannot be repositioned quickly.

Low Earth Orbit (LEO) SIGINT satellites operate at altitudes between 300 and 1,000 km. They have much shorter collection windows over any given target (a typical LEO pass might last 8 to 12 minutes) but are much closer to the emitters, requiring smaller antennas for equivalent sensitivity. LEO satellites are used for tactical collection: mapping radar emitters, monitoring specific communications during a crisis, or collecting signals that require higher resolution than GEO can provide. The US NOSS (Naval Ocean Surveillance System) satellites, which flew in clusters of three or four to enable TDOA geolocation of ship-based emitters, are a publicly known example.

France operates the CERES (Capacite de Renseignement Electromagnétique Spatiale) system, a constellation of three satellites launched in 2021 specifically for ELINT and COMINT from LEO. The three-satellite architecture enables geolocation through TDOA measurements between the platforms.

Naval SIGINT

Ships and submarines carry SIGINT equipment for maritime collection. Surface ships typically mount antenna arrays on masts and superstructures, with receivers and processing equipment below decks. The advantage of a ship is persistence: it can remain on station for weeks or months, continuously collecting signals from a coastal area or shipping lane.

Submarine SIGINT is particularly valuable because a submarine can approach a coastline undetected and collect signals at close range. At periscope depth, a submarine extends a specialised antenna mast (often called an ESM mast, for Electronic Support Measures) above the surface. The mast carries wideband receivers that scan the spectrum for radar and communication emissions. The submarine's stealth means it can collect from locations where any other platform would be detected and either avoided or targeted. During the Cold War, US and British submarines routinely operated in Soviet territorial waters for SIGINT collection, a practice that involved considerable risk and several known incidents.

4. RF Interception Mechanics

Intercepting a signal requires capturing it with an antenna, amplifying it, and digitising it. The engineering challenges are considerable when the target frequencies, bandwidths, and signal types are unknown in advance.

Wideband Receivers

A SIGINT receiver must cover a very broad frequency range. A military COMINT receiver might need to cover 2 MHz to 30 GHz or more. No single receiver architecture covers that entire range optimally, so practical systems use multiple parallel receiver channels, each covering a sub-band, with the outputs combined in software.

Modern SIGINT receivers use a superheterodyne architecture with digitisation at an intermediate frequency (IF). The incoming RF is mixed with a local oscillator (LO) to produce an IF signal, which is then digitised by a high-speed analogue-to-digital converter (ADC). The instantaneous bandwidth of the receiver is limited by the ADC's sampling rate and the analogue bandwidth of the IF chain.

By the Nyquist theorem, an ADC must sample at least twice the bandwidth of the signal to avoid aliasing:

f_sample ≥ 2 × BW

A receiver with 500 MHz of instantaneous bandwidth requires an ADC sampling at a minimum of 1 GHz (1 billion samples per second). At 12-bit resolution (common for high-performance SIGINT receivers), that produces 12 gigabits per second of raw data from a single channel. Real systems often use 14 or 16-bit ADCs and multiple parallel channels.

Companies like Rohde & Schwarz (Munich), BAE Systems, and L3Harris manufacture wideband digital receivers for SIGINT applications. The Rohde & Schwarz RAMON family of receivers covers frequencies from 8 kHz to 8 GHz (and beyond, with different models) with instantaneous bandwidths up to 120 MHz. L3Harris produces tactical SIGINT receivers that fit in aircraft pods or ground vehicles, offering similar capabilities in smaller packages.

Channelisation

Once the wideband IF signal is digitised, it must be split into individual channels corresponding to individual signals of interest. A military VHF radio channel might be 25 kHz wide. A cellular GSM channel is 200 kHz. A satellite transponder might be 36 MHz. The process of splitting the wideband digital stream into narrowband channels is called channelisation, and it is typically implemented with polyphase filter banks or FFT-based techniques running on FPGAs.

A 500 MHz instantaneous bandwidth contains 20,000 channels at 25 kHz each. The channeliser must process all of them simultaneously, in real time. This is why SIGINT systems rely heavily on FPGA hardware (from Xilinx/AMD or Intel/Altera): the parallelism of an FPGA can implement thousands of filter channels simultaneously, something a general-purpose CPU cannot achieve at the required data rates.

The Dynamic Range Problem

A SIGINT receiver faces an extreme dynamic range challenge. The signal of interest might be a low-power handheld radio at 200 km range, arriving at the antenna at -120 dBm. Simultaneously, a high-power radar transmitter 5 km away might produce a signal at -10 dBm at the same antenna. That is a 110 dB difference in power, a ratio of 100 billion to one. The ADC and analogue front-end must handle both without the strong signal saturating the receiver and drowning out the weak one.

The spurious-free dynamic range (SFDR) of the ADC is the critical parameter. For a 14-bit ADC, the theoretical SFDR is approximately:

SFDR ≈ 6.02 × N + 1.76 dB
SFDR ≈ 6.02 × 14 + 1.76
SFDR ≈ 86 dB

That 86 dB is not enough to handle the 110 dB scenario described above. Practical SIGINT receivers use techniques like automatic gain control (AGC), switchable attenuators, notch filters to reject known strong interferers, and multiple receiver channels with different gain settings to extend the effective dynamic range.

5. Geolocation Techniques

Intercepting a signal tells you what was said (or what type of emitter is active). Geolocating the transmitter tells you where it is. This is often the most valuable intelligence product: knowing the location of an adversary's command post, air defence radar, or communications node.

TDOA (Time Difference of Arrival)

TDOA is the most widely used passive geolocation technique. It requires two or more receivers at known locations, with precisely synchronised clocks. Each receiver records the exact time a signal arrives. The difference in arrival times between two receivers defines a hyperbola on which the transmitter must lie. Two time differences (requiring three receivers) produce two hyperbolas whose intersection is the transmitter location.

The mathematics are direct. Consider two receivers at positions R1 and R2, and a transmitter at unknown position T. The signal arrives at R1 at time t1 and at R2 at time t2. The time difference is:

Δt = t2 - t1

This corresponds to a range difference:

Δd = c × Δt

Where c is the speed of light (299,792,458 m/s). The locus of all points where the range difference from R1 and R2 equals Δd is a hyperbola with foci at R1 and R2:

|d(T, R1) - d(T, R2)| = c × Δt

Where d(T, Ri) is the Euclidean distance from the transmitter to receiver i. In two dimensions, with R1 at the origin and R2 at position (b, 0):

√(x² + y²) - √((x-b)² + y²) = c × Δt

This is the equation of a hyperbola with foci at (0,0) and (b,0), and semi-transverse axis a = c × Δt / 2.

With three receivers (three time differences, though only two are independent), you get two hyperbolas. The intersection gives the 2D position. With four receivers, you can solve for 3D position (latitude, longitude, altitude), useful for airborne emitters.

The accuracy of TDOA depends on three factors:

1. Clock synchronisation: A 1 nanosecond timing error corresponds to 0.3 metres of range error (c × 1 ns = 0.3 m). Achieving sub-microsecond synchronisation across platforms separated by hundreds of kilometres requires GPS-disciplined atomic clocks. Caesium or rubidium oscillators, locked to GPS time, provide timing accuracy better than 100 nanoseconds, corresponding to 30 metres of range error.

2. Receiver separation (baseline): Longer baselines produce sharper hyperbolic intersections and better accuracy. Two receivers 100 km apart will produce much better accuracy than two receivers 1 km apart.

3. Signal bandwidth: The time of arrival is estimated by cross-correlating the signal received at each station. The precision of this estimate is inversely proportional to the signal bandwidth. A narrowband signal (say, a 25 kHz military radio channel) produces a broader correlation peak and poorer timing precision than a wideband signal (say, a 5 MHz radar pulse).

The French CERES satellite system uses TDOA between its three satellites (separated by tens of kilometres in orbit) to geolocate ground-based emitters from space.

FDOA (Frequency Difference of Arrival)

FDOA exploits the Doppler effect. A receiver moving relative to a stationary transmitter observes a frequency shift proportional to the relative velocity along the line of sight:

Δf = f₀ × v_r / c

Where f₀ is the transmitted frequency, v_r is the radial velocity (component of relative velocity along the line connecting transmitter and receiver), and c is the speed of light. For a SIGINT aircraft flying at 250 m/s (approximately 900 km/h, a typical patrol speed), the Doppler shift for a 1 GHz signal is:

Δf = 1 × 10⁹ × 250 / (3 × 10⁸)
Δf ≈ 833 Hz

Two receivers moving on different trajectories (or one receiver at two different points along its trajectory) will observe different Doppler shifts from the same transmitter. The frequency difference defines an iso-Doppler contour on the ground, analogous to the hyperbola in TDOA. The transmitter lies somewhere on this contour.

A single aircraft can perform FDOA geolocation by measuring the Doppler shift at two points along its flight path, effectively using its own motion to create a synthetic baseline. This is slower than a simultaneous multi-receiver measurement but requires only one platform, which is operationally simpler.

The sensitivity of FDOA to position depends on the geometry. If the aircraft is flying directly toward or away from the transmitter, the Doppler shift is maximised but changes slowly with lateral position, giving poor cross-track accuracy. If the aircraft is flying perpendicular to the transmitter bearing, the Doppler shift changes rapidly with small position changes, giving good accuracy. Optimal FDOA geometry has the aircraft flying at roughly 45 degrees relative to the transmitter bearing.

AOA (Angle of Arrival)

AOA uses the direction from which a signal arrives at the receiver to establish a line of bearing to the transmitter. Two or more AOA measurements from different locations produce bearing lines whose intersection is the transmitter position.

Interferometric direction finding is the most common technique for precision AOA. An array of antenna elements, spaced at known distances, measures the phase difference of the arriving wavefront between element pairs. For two elements separated by distance d, the phase difference for a signal arriving at angle θ from broadside is:

Δφ = 2π × d × sin(θ) / λ

Solving for θ:

θ = arcsin(λ × Δφ / (2π × d))

Multiple element pairs at different spacings resolve the ambiguity inherent in a single pair (since Δφ repeats every 2π) and improve accuracy. A well-designed interferometer array can achieve bearing accuracy of 1 to 2 degrees RMS at VHF/UHF frequencies, and better than 0.5 degrees at microwave frequencies.

The Watson-Watt technique, named after the radar pioneer, uses two orthogonal antenna pairs (typically Adcock antenna elements) to measure the signal's angle of arrival. Each pair produces a voltage proportional to the cosine of the angle between the signal direction and the pair's axis. The ratio of the two voltages gives the tangent of the bearing. Watson-Watt DF is simple and fast but less accurate than interferometric methods, with typical bearing errors of 2 to 5 degrees. It remains widely used for HF direction finding where simplicity and rapid measurement matter more than precision.

Adcock arrays use vertically polarised antenna elements arranged in a square or other geometric pattern. They are specifically designed to reject horizontally polarised signals and skywave interference (signals arriving at steep angles after ionospheric reflection). This makes them well-suited for HF ground-wave direction finding, where skywave contamination is the primary source of bearing error.

Combined TDOA/FDOA

The real power of these techniques emerges when they are combined. A single satellite pass over a target area can collect both TDOA (using onboard time references) and FDOA (using its known orbital velocity) measurements simultaneously. The TDOA hyperbola and the FDOA iso-Doppler contour intersect at a point, providing a geolocation from a single platform in a single pass. This is the principle behind several classified satellite SIGINT systems.

The combined accuracy is significantly better than either technique alone. TDOA provides good accuracy along the baseline direction but poor accuracy perpendicular to it. FDOA, conversely, provides good accuracy in the direction of platform motion. When combined, the complementary geometries produce a tight error ellipse rather than an elongated one.

For a LEO satellite at 500 km altitude, moving at approximately 7.6 km/s, the Doppler shift on a 10 GHz signal changes at a rate of several kilohertz per second as the satellite passes overhead. This rapid rate of change provides excellent FDOA sensitivity.

6. Signal Processing and Analysis

Once a signal has been intercepted and geolocated, the content (or at least the metadata) must be extracted. This is the domain of signals analysis, where DSP, cryptanalysis, and linguistic expertise converge.

Demodulation

The first step is demodulation: recovering the baseband information from the modulated carrier. For analogue signals (AM or FM voice), this is straightforward. For digital signals, the demodulator must identify the modulation scheme (BPSK, QPSK, 8-PSK, QAM, OFDM, and many others), synchronise to the symbol timing, and extract the bit stream. Modern SIGINT systems use automatic modulation recognition (AMR) algorithms that analyse the statistical properties of the signal (constellation shape, cyclostationary features, spectral symmetry) to identify the modulation without prior knowledge.

Decryption

Encrypted signals are the norm for military communications. Breaking modern encryption (AES-256, for instance) through brute force is computationally infeasible with current technology. 2^256 possible keys is a number so large that checking them all would require more energy than the Sun will produce in its remaining lifetime. SIGINT agencies do not rely on brute force. They exploit implementation weaknesses: poor key management, side-channel leakage, protocol vulnerabilities, compromised key distribution systems, or (historically) mathematical weaknesses in the cipher.

The Enigma machine used by Germany in the Second World War was broken not because the cipher was trivial, but because of operational errors: repeated message keys, stereotyped message openings ("Weather report for..."), and the fundamental weakness that no letter could encrypt to itself. British codebreakers at Bletchley Park, including Alan Turing, exploited these weaknesses with electromechanical "bombes" and later the Colossus computer.

Modern cryptanalysis in the SIGINT context is largely classified, but public knowledge includes the exploitation of weak random number generators (the Dual_EC_DRBG controversy), compromised implementations (Heartbleed exposed memory contents that could include private keys), and the deliberate weakening of cryptographic standards. The Snowden documents revealed that the NSA had invested billions in programmes to defeat encryption, including efforts to influence cryptographic standards, exploit implementation bugs, and maintain access to communications through cooperation with (or compulsion of) technology companies.

When decryption is not possible, and it usually is not for well-implemented modern encryption, the focus shifts entirely to metadata.

Protocol Analysis

Even encrypted signals leak information through their protocol structure. A burst of encrypted satellite phone traffic can reveal the terminal type (Iridium, Thuraya, Inmarsat) from the signal structure, even without decrypting the content. The access protocol, channel assignment scheme, and timing patterns are often unencrypted or only lightly protected. For cellular communications, the signalling channels (used for call setup, location updates, and handovers) transmit identifying information, including the IMSI (International Mobile Subscriber Identity) and IMEI (International Mobile Equipment Identity), which can be intercepted even when the voice channel is encrypted.

Voice and Language Processing

For intercepted voice communications that can be demodulated (whether unencrypted or successfully decrypted), SIGINT agencies employ speaker recognition (identifying specific individuals by voice characteristics), automatic speech recognition (transcribing speech to text), machine translation, and keyword spotting (flagging communications that contain specific words or phrases). A linguist fluent in the target language reviews and refines the machine output. The demand for linguists in specific languages (Arabic, Farsi, Mandarin, Korean, Pashto) has historically been one of the bottleneck resources in SIGINT organisations.

7. Metadata Analysis and Traffic Analysis

Metadata, the information about communications rather than the content of communications, has become the most important product of modern SIGINT. When encryption is strong, which it increasingly is, the content of a message may be inaccessible. But the fact that a message was sent, by whom, to whom, when, from where, and how long it lasted: that information is almost always available, and it is extraordinarily revealing.

What Metadata Contains

A single intercepted mobile phone call yields:

• The IMSI of both parties (identifying the SIM cards)
• The IMEI of both handsets (identifying the physical devices)
• The cell tower each handset connected to (approximate location, accuracy 100 metres to several kilometres depending on cell density)
• The time the call started and ended
• The duration
• Whether it was a voice call or data session
• The network operator

An intercepted email (at the network level, from tapping a fibre) yields:

• Source and destination IP addresses
• Email addresses in headers (From, To, CC)
• Timestamp
• Message size
• Subject line (often unencrypted even when the body is encrypted)

Traffic Analysis

Traffic analysis is the discipline of extracting intelligence from patterns in communications metadata without accessing the content. It is one of the oldest techniques in SIGINT. During the Second World War, British analysts at Bletchley Park conducted extensive traffic analysis of German military radio networks, identifying unit headquarters by their call signs, tracking unit movements by changes in radio frequency and location, and detecting preparations for operations by increases in radio traffic volume, all without decrypting a single message.

Modern traffic analysis operates at vastly greater scale but follows the same principles. The core techniques include:

Network graph analysis: Mapping who communicates with whom creates a social network graph. Nodes are individuals (or phone numbers, or email addresses). Edges are communications events. The structure of the graph reveals organisational hierarchies. A node that communicates with many other nodes but is rarely called by outsiders might be a commander. A node that bridges two otherwise disconnected clusters might be a courier or liaison.

Pattern-of-life analysis: Tracking the daily routine of a target through their communications and location data. A person who calls a specific number every morning at 07:00, travels from location A to location B every weekday, and sends a burst of messages every Friday afternoon has a pattern of life that can be mapped, predicted, and exploited. Deviations from the pattern are intelligence indicators: a missed routine call might signal an operation is underway.

Contact chaining: Starting from a known target, analysts map outward through their contacts to identify associates, co-conspirators, or network members. First-degree contacts are people the target communicates with directly. Second-degree contacts are people those first-degree contacts communicate with. The challenge is that second-degree analysis on a well-connected target can encompass thousands of people, most of whom are irrelevant.

Call detail records (CDRs): Telecommunications operators generate CDRs for every call and data session for billing purposes. These records contain all the metadata described above. Access to CDRs, whether through legal process, secret court orders, or clandestine collection, provides a complete picture of a target's communications patterns. The Snowden revelations in 2013 disclosed that the NSA's Section 215 programme collected CDRs in bulk from major US telecommunications carriers, not targeting specific individuals but collecting metadata on millions of calls to enable retrospective analysis. In Europe, the EU Data Retention Directive (struck down by the Court of Justice of the European Union in 2014 in the Digital Rights Ireland case) had required member states to mandate data retention by telecommunications providers for periods of 6 to 24 months.

Why Metadata Reveals More Than Content

Former NSA and CIA director Michael Hayden publicly stated: "We kill people based on metadata." This is not hyperbole. Metadata analysis can reveal:

• The structure and membership of a clandestine organisation
• The location of individuals at specific times
• The relationships between individuals
• Changes in behaviour that signal operational activity
• The identity of a person using a new phone (through contact pattern matching)

A person can encrypt the content of every message they send and still be identified, located, and tracked through metadata alone. The pattern of communications is itself the intelligence.

8. ELINT: Intercepting Radar Emissions

ELINT is a distinct discipline within SIGINT, focused on non-communication emitters. Radar systems are the primary target, and intercepting them serves both intelligence and electronic warfare purposes.

Pulse Parameter Measurement

Every radar has a signature defined by measurable parameters:

• Frequency: The carrier frequency, typically between 100 MHz and 40 GHz for military radars. An S-band fire control radar operates around 2 to 4 GHz; an X-band weapon-tracking radar around 8 to 12 GHz.
• Pulse Repetition Interval (PRI): The time between consecutive pulses. A long-range surveillance radar might have a PRI of 2,000 microseconds (PRF of 500 Hz). A fire control radar tracking a target might use a PRI of 100 microseconds (PRF of 10,000 Hz).
• Pulse Width (PW): The duration of each pulse. Surveillance radars typically use pulse widths of 1 to 50 microseconds. Short-range tracking radars might use sub-microsecond pulses.
• Scan Pattern: How the radar beam moves. A rotating surveillance radar sweeps 360 degrees at a constant rate (typically 6 to 15 RPM). A phased array radar can electronically steer its beam in arbitrary patterns.
• Intrapulse modulation: Many modern radars use pulse compression, modulating each pulse with a chirp (linear frequency modulation) or phase code to achieve fine range resolution while maintaining high average power. The specific modulation characteristics are a strong identifier.

An ELINT receiver measures all of these parameters from intercepted pulses. The measurement is typically done by a dedicated ESM (Electronic Support Measures) system with wideband receivers and fast pulse analysers, often implemented on FPGAs that can process individual pulses in real time.

Electronic Order of Battle

The collected pulse parameters are compared against a database of known emitter types. This database, maintained by each nation's intelligence agencies, maps parameter sets to specific radar models and, by extension, to specific weapon systems. For example:

• PRI of 1,500 μs, frequency 2.8 GHz, scan rate 6 RPM → matches the parameters of a P-18 "Spoon Rest" early warning radar, associated with older Soviet-era air defence systems
• PRI jittering between 50 and 200 μs, frequency 5.5 GHz, monopulse tracking → might match the parameters of a 30N6 "Flap Lid" engagement radar, the fire control radar for the S-300PMU air defence system

The catalogue of identified emitters, their locations, and their associated weapon systems constitutes the Electronic Order of Battle (EOB). Building and maintaining the EOB is a continuous peacetime activity. ELINT aircraft routinely fly along the borders of potential adversary nations, provoking radar activity (the adversary's air defence radars activate to track the aircraft) and collecting the resulting emissions. This practice has continued since the 1950s and has occasionally resulted in incidents, including the shoot-down of aircraft that strayed too close to or across borders.

ELINT Databases

NATO maintains shared emitter databases that standardise radar parameter reporting. Each emitter type receives a NATO reporting name (the "Flap Lid" and "Spoon Rest" examples above are NATO names for Soviet-era systems). Commercial companies like Janes (formerly IHS Janes, headquartered in London) publish unclassified versions of these databases, and defence companies like BAE Systems, Thales, and Saab integrate classified databases into their ESM and electronic warfare systems.

The value of ELINT extends beyond mapping radar locations. By analysing the specific parameters of a radar emission, including subtle variations in PRI stability, frequency drift, and sidelobe patterns, it is sometimes possible to identify not just the type of radar but the specific individual unit. Two radars of the same model will have slightly different characteristics due to manufacturing variations, component aging, and calibration differences. This "specific emitter identification" (SEI) allows tracking individual units as they move.

9. Israeli SIGINT Capabilities

Israel operates one of the most capable SIGINT establishments in the world, driven by geographic necessity. The country's small size (roughly 22,000 km² within the pre-1967 borders), combined with the proximity of multiple potential adversaries, makes SIGINT a critical national security function.

Unit 8200

The Israeli Defence Forces' Unit 8200 (Yehida Shmoneh-Matayim) is the SIGINT and cyber intelligence unit. It is publicly acknowledged and has been the subject of extensive open-source reporting. Unit 8200 is one of the largest units in the IDF, with thousands of personnel, and is frequently described as the Israeli equivalent of the NSA or GCHQ.

Unit 8200's capabilities span the full SIGINT spectrum: COMINT, ELINT, and cyber intelligence. The unit operates ground stations within Israel, maintains the systems aboard Israel's SIGINT aircraft, and is reported to have access to satellite SIGINT capabilities. Israel's geographic position provides inherent advantages: ground-based or airborne collectors within Israel can intercept signals from Lebanon, Syria, Jordan, and the Palestinian territories without leaving Israeli-controlled airspace.

The unit has played a documented role in several recent conflicts. During the 2006 Lebanon War, SIGINT from Unit 8200 was used to target Hezbollah command and control nodes, although operational difficulties highlighted the limits of SIGINT in a dispersed, disciplined adversary force. During operations in Gaza, intercepted communications have been used for targeting, force protection (providing early warning of planned attacks), and battle damage assessment.

Technology Ecosystem

Unit 8200's alumni have created a significant portion of Israel's technology sector, particularly in cybersecurity and intelligence technology. Companies founded by 8200 veterans include NSO Group (known for the Pegasus spyware), Check Point Software, and numerous others. This creates a technology ecosystem where military SIGINT experience feeds directly into the development of commercial surveillance and cybersecurity products, and in some cases those commercial products feed capabilities back to the intelligence community.

Israeli defence companies produce SIGINT systems for export. Elbit Systems (Haifa) manufactures COMINT and ELINT systems including the SAGE (SIGINT Automated Geo-location and Exploitation) family. Elta Systems (a subsidiary of IAI) produces airborne SIGINT suites installed on Israel's own aircraft and exported to several countries. Rafael Advanced Defense Systems develops electronic warfare systems that include SIGINT receiver capabilities.

Partnerships

Israel's SIGINT capabilities are enhanced by intelligence-sharing partnerships. The relationship with the United States is the most significant, with extensive sharing of SIGINT product, though the Snowden documents revealed tensions (including NSA monitoring of Israeli targets, and Israeli provision of raw SIGINT to NSA that included intercepts of US persons). Israel also maintains intelligence relationships with several European nations and has developed closer ties with Gulf Arab states, particularly the UAE and Bahrain, following the Abraham Accords.

10. Countermeasures: The Attacker-Defender Dynamic

For every SIGINT technique, there are countermeasures. The competition between signals collection and signals denial is continuous and has driven much of the evolution of both fields.

Frequency Hopping

Instead of transmitting on a fixed frequency, a frequency-hopping radio changes frequency many times per second according to a pseudo-random sequence known to both transmitter and receiver. A SIGINT receiver monitoring any single frequency will capture only brief fragments of the transmission, too short to demodulate. The US SINCGARS radio system hops at 100 hops per second across a 30 to 88 MHz band. More modern systems hop at thousands of hops per second.

A SIGINT system can counter frequency hopping with wideband receivers that capture the entire hopping band simultaneously, then reassemble the hopped signal by identifying and following the hopping pattern. This requires significant processing power and very wide instantaneous bandwidth. The detection of the hopping pattern itself can be a useful intelligence indicator, even if the content cannot be recovered. A specific hopping pattern might be associated with a specific radio type or military unit.

Spread Spectrum

Spread spectrum techniques distribute the signal energy across a much wider bandwidth than the information requires. Direct Sequence Spread Spectrum (DSSS) multiplies the data signal by a high-rate pseudo-random code, spreading the energy. The resulting signal appears as low-level noise spread across a wide band. Without knowledge of the spreading code, a SIGINT receiver cannot de-spread the signal and may not even detect its presence.

The processing gain of a spread spectrum system is the ratio of the spread bandwidth to the data bandwidth:

G_p = BW_spread / BW_data

A signal with a data rate of 9,600 bps spread to 10 MHz has a processing gain of:

G_p = 10,000,000 / 9,600 ≈ 1,042 (≈ 30 dB)

This means the signal is 30 dB below the noise floor of a narrowband receiver matched to the data rate. Detecting it requires either a matched receiver with the correct spreading code, or energy detection techniques with very long integration times and precise knowledge of where to look in the spectrum.

Burst Transmission

A burst transmitter compresses a message, buffers it, and transmits it in a very short burst, sometimes only milliseconds long. The brief transmission duration makes it difficult for SIGINT receivers to detect the signal, determine its bearing (DF systems need time to measure bearing), or capture enough of the signal for analysis. Military burst communication systems can transmit a pre-composed message in under 100 milliseconds.

Low Probability of Intercept (LPI) Communications

LPI combines several techniques: spread spectrum, power control (using the minimum transmit power necessary), directional antennas (concentrating energy toward the intended receiver rather than radiating omnidirectionally), and burst transmission. The goal is to make the signal difficult to distinguish from background noise at the SIGINT receiver.

Modern LPI waveforms are highly effective against conventional SIGINT receivers. Detecting them requires either very sensitive, very wideband receivers with sophisticated signal detection algorithms, or positioning the SIGINT collector between the transmitter and intended receiver (to intercept the main beam of a directional antenna).

Encryption

Strong encryption does not prevent interception but denies the interceptor access to message content. As discussed in the metadata section, this shifts the intelligence value from content to context. The widespread deployment of end-to-end encryption in civilian communications (Signal, WhatsApp, iMessage) has had a profound effect on COMINT. It has made bulk content collection largely futile against encrypted channels and has forced intelligence agencies to focus on metadata, endpoint exploitation (hacking the phone itself rather than intercepting the transmission), and legal/cooperative access to communications.

Emission Control (EMCON)

The most effective countermeasure against SIGINT is silence. Emission control, or EMCON, means simply not transmitting. A military unit maintaining strict EMCON produces no emissions for a SIGINT system to collect. Naval forces frequently impose EMCON during transit to avoid detection: no radar transmissions, no radio communications, no satellite uplinks. Communications are handled by line-of-sight laser links (which produce no RF emission) or by physical courier.

The limitation of EMCON is obvious: you cannot communicate effectively while maintaining radio silence. Modern military doctrine balances the need for communications with the risk of SIGINT exploitation, using encrypted, frequency-hopping, LPI communications for routine traffic and EMCON for critical tactical situations.

The Dynamic

The attacker-defender relationship in SIGINT is asymmetric in a specific way. The defender (the communicator) must protect every transmission, every time. The attacker (the SIGINT collector) only needs to succeed once. A single intercepted unencrypted transmission, a single failure of EMCON discipline, a single use of a compromised phone, can reveal a location, a plan, or an identity. This asymmetry favours the collector and explains why SIGINT has been productive since its inception despite steady improvements in communications security.

Conversely, the sheer volume of modern communications has created a different problem for the collector: not the difficulty of interception, but the difficulty of finding the relevant signals among billions of irrelevant ones. The challenge has shifted from "can we intercept the signal?" to "can we find the signal that matters?" Processing, filtering, and analysis have become the bottleneck, which is why SIGINT organisations invest so heavily in automated processing, machine learning for signal classification, and metadata analysis tools that can identify patterns across millions of communications events.

11. The Spectrum as a Battlefield

SIGINT does not exist in isolation. It is one component of a broader electromagnetic spectrum operations (EMSO) framework that includes electronic warfare (jamming and deception), electronic protection (hardening your own systems against EW), and spectrum management (ensuring your own forces can communicate without interfering with each other).

The electromagnetic spectrum is a contested domain, as real as land, sea, air, or space. Every military operation depends on spectrum access for communications, navigation, radar, and data links. Denying an adversary's spectrum access through jamming while protecting your own access through LPI techniques and frequency management is a core competency for modern armed forces.

SIGINT feeds electronic warfare directly. You must know the frequency, location, and type of an adversary's emitters before you can jam or deceive them. The ELINT database that maps radar parameters to weapon systems also provides the targeting data for anti-radiation missiles (missiles that home on radar emissions, like the AGM-88 HARM). The COMINT that reveals an adversary's communication frequencies enables targeted communications jamming.

European defence forces are investing heavily in this area. The German Bundeswehr's PEGASUS (Persistent German Airborne Surveillance System) programme seeks a manned SIGINT aircraft to replace aging platforms. France's CERES satellite system provides sovereign ELINT capability from space. The UK's Airseeker fleet (RC-135W) operates regularly from RAF Waddington, conducting collection missions along NATO's eastern and southern flanks. Sweden's FRA continues to expand its capabilities, particularly in the cyber domain where SIGINT and cyber operations increasingly overlap.

The underlying physics has not changed since Heinrich Hertz demonstrated radio wave propagation in 1887. Electromagnetic energy propagates at the speed of light, and any emission can be intercepted by a sufficiently sensitive receiver at the right location. What has changed is the scale, the sophistication of the processing, the volume of signals to be analysed, and the encryption that denies content access. SIGINT in 2026 is less about listening to radio conversations and more about processing vast streams of metadata, locating emitters with sub-kilometre precision from orbital platforms, and characterising radar systems down to the individual serial number.

The signals are always there. The question is always whether you have the antenna, the receiver, the processing power, and the analytical skill to extract intelligence from them.