A serious drone risk assessment is not a glorified RF audit. It connects three dimensions: the threat (who? with what? for what purpose?), the vulnerability (what are we protecting and how?) and the impact (what does an event cost us?). Here is the method we use on audit missions.
Map your critical assets
Start with a list of assets sensitive to overflights: people (VIPs, crowds), imagery (VIP visits, classified sites, production lines), physical infrastructure (transformers, storage, tank walls), and operational capabilities (business continuity, live broadcasting).
For each asset, assign a criticality level (low, medium, high, vital) and the feared event (imagery capture, physical intrusion, delivery, sabotage, disruption).
Profile the threats
A practical approach is to reason by operator profile: curious amateur, paparazzi/journalist, activist, organised crime, state actor. For each profile, estimate motivation, technical capability, access to modified drones and recurrence probability.
Not every site has the same dominant profile: a tourist site mostly faces amateurs, an energy site activists or criminals, a critical infrastructure operator the full spectrum including state actors.
Assess existing vulnerabilities
Ask yourself: what would I have seen if such an overflight had happened yesterday? Would my team have been alerted? Could we have built a court-ready file? Would we have coordinated with the police?
The gap between the theoretical response (existing SOP) and the real response (on the day, with the on-call team) is often where the real risk hides.
Choose a proportionate response
The response should follow a layered logic: detection (knowing a drone is around), identification (cooperative through Remote ID, or not), verification (human or camera), notification (internal team and authorities), reaction (internal SOP, physical denial, law enforcement intervention).
A common mistake is to invest heavily in detection without preparing the decision and notification chain — the sensor then produces alerts no one acts on.
Recommended operational toolset
For most civilian sites, a passive Remote ID detector (DECTYR RX-5) coupled with a VMS over ONVIF, paired with clear procedures and a signed PDF report for traceability, is the reference equipment level.
For critical infrastructure or defence sites, a radar and electro-optical layer is generally added for non-cooperative drones, integrated via a hypervision such as DECTYR Hub.
FAQ
How long does a drone risk assessment take?
From a half-day directed workshop for a simple site to several weeks for a critical infrastructure operator. Actionable first results can be obtained in one to two weeks.
Do I need a formal assessment to buy a detector?
No — but without one, you risk buying the wrong sensor or the wrong number of sensors. A mini-assessment workshop (2-3 hours) is enough to frame a proof-of-concept.
Which public stakeholders should I consult?
In France, your prefectural security advisor (CSI), the DGAC for the aviation angle, and law enforcement (gendarmerie/police) for local lessons learned. The SGDSN publishes a generic guide for sensitive sites.