A field-tested playbook for rooftops, airspace, and forensics at open-air events
Contributed by Jim Brigham, LCG VP of Risk Management, Former Operations Chief, State of Vermont, Office of Safety & Security
Series context. This series translates lessons from the Utah Valley University shooting into practical guidance for campuses, venues, and public agencies, integrating risk management, physical security, airspace awareness, and digital forensics into a comprehensive, defensible program. [1]
What changed on September 10, and where the case stands now
On September 10, 2025, a video captured a figure moving across a Utah Valley University rooftop moments after the fatal shooting, with officials indicating the shot likely came from that direction. [2] By the morning of September 12, Utah Governor Spencer Cox announced that Tyler Robinson, 22, was in custody after a family friend alerted law enforcement that Robinson had implied he committed the killing. Authorities say he was arrested around 4:00 a.m. local time and booked into Utah County Jail; officials added he is not a UVU student. [3][4]
Investigators recovered a Mauser-style bolt-action rifle with a scope along the escape path and described inscriptions on casings at the scene. Officials said the tip was corroborated by chat messages reportedly shared by a roommate, which referenced retrieving and stashing the rifle. [3][5] As of Friday, authorities indicated Robinson likely acted alone, while cautioning that the investigation remains active. [5]
LCG perspective. For decades, we trained to watch doors, hands, and approach angles. Today, if you do not own rooftops, service access, and the airspace above your venue, you are running yesterday’s playbook. Outdated access controls create the illusion of safety and fail under stress. [1]
Immediate changes for campuses and public event organizers
- Own elevated vantage points before showtime. Lock and alarm roof doors and hatches, control windows and ladders, assign overwatch where appropriate, and bake these checks into the event operations plan. Use special-event frameworks that emphasize worst-case planning and attendee experience in balance. [6]
- Treat the sky like another perimeter. Most organizers cannot intercept drones, but you can plan to detect and document. Add Remote ID awareness, correlate air and ground views, and script a rapid handoff to authorized partners. Record time, location, and identifiers in the incident log. [7][8]
- Rehearse information discipline. Prewrite hold statements, define an approval path, and train staff not to amplify unverified clips. Expect rumors and be prepared to correct with facts.
- Be forensics-ready from minute one. Preserve CCTV, access logs, RF or Remote ID data, and witness submissions with validated tools, hashing, and a first-hour evidence matrix. Convenience exports and ad-hoc workflows fracture the chain of custody and invite challenge later. [9][10]
Rooftops and airspace as perimeters, pitfalls, and mitigations
Open-air venues create long sightlines and elevated angles of attack. In your site overlay, mark and control every vantage that provides a line of fire to the stage and egress corridors. Treat service areas like front doors during load-in and live operations, because attackers exploit the gap between daily posture and event posture. [6]
Airspace risk is operational now. 14 CFR Part 89 requires most unmanned aircraft to broadcast identification and location information. Planners should integrate Remote ID monitoring into the event stack, correlate tracks with camera views, and log the data with cryptographic hashes. The objective is rapid coordination with authorities and a defensible evidence trail, not do-it-yourself interdiction. [7][8][10]
LCG perspective. Remote ID can be part of your forensic spine. If you capture, hash, and correlate it with time and camera angles, you shorten investigative timelines and reduce the need for re-collection later. [9][10]
Finally, upgrade aging access-control infrastructure that adversaries can bypass with commodity tools. Multiple campus walk-throughs in recent months have shown keypads and maglocks that still function, yet no longer protect, which is why adversary-emulation tests belong in your pre-event cycle. [1]
Quick Checklist
- Control rooftops and windows with locks, alarms, and assigned responsibility. [6]
- Add Remote ID awareness and logging to your kit, with a pre-arranged escalation pathway. [7][8]
- Use validated forensic processes with hash-verified logs and a first-hour evidence matrix. [9][10]
Final thought
Security is a chain, and the weak links usually fail first. The way to prevent repeats is not a bigger show of force; it is a tighter plan: own the elevated angles, extend your perimeter into the sky, and make your first hour forensically defensible so investigators can move fast without re-collecting later. [1][9]
Next in the series (Part 2): Behavioral Threat Assessment and Protective Intelligence
Part 2 shifts from venue design to behavior over time. It demonstrates how to establish a multidisciplinary Threat Assessment and Management Team.
References (endnotes)
[1] Brigham, J., From 1989 to Today: Why Integrated Security Cannot Be Ignored (field note, on legacy systems and rooftop control).
[2] The Washington Post, Video shows person running on roof immediately after Kirk shooting (Sept. 11, 2025). (The Washington Post)
[3] Reuters, Utah man suspected in Charlie Kirk murder taken into custody; Gov. Cox: “We got him” and custody confirmed, arrest details, rifle recovered, inscriptions on casings (Sept. 12, 2025). (Reuters)
[4] The Washington Post, Live updates: Suspect turned in by family friend, arrested about 4 a.m., booking underway; not a UVU student (Sept. 12, 2025). (The Washington Post)
[5] Associated Press, Suspect in Charlie Kirk killing had become more political and likely acted alone; arrest confirmed, evidence detail, 7,000 tips (Sept. 12, 2025). (AP News)
[6] DOJ COPS Office, Planning and Managing Security for Major Special Events: Guidelines for Law Enforcement (frameworks for venue planning). (GovInfo)
[7] FAA, Remote Identification of Drones (overview of RID purpose and use). (FAA)
[8] eCFR, 14 CFR Part 89, Remote Identification of Unmanned Aircraft (operating requirements). (eCFR)
[9] NIST SP 800-86, Guide to Integrating Forensic Techniques into Incident Response (hashing, chain of custody, validated process). (NIST Publications)
[10] NIST SP 800-101 Rev. 1, Guidelines on Mobile Device Forensics (collection, validation, reporting). (NIST Publications)
This article is for general information and does not constitute legal advice.
