The Center for Strategic and International Studies released a mid‑year snapshot that drew headlines by reporting that, through July 4, 2025, incidents coded as left‑wing attacks or plots in the United States outnumbered those coded as right‑wing. The dataset CSIS published compiles attacks and disrupted plots back to 1994 and shows a measurable uptick in left‑wing activity since 2016 alongside a sharp drop in recorded right‑wing incidents during the first half of 2025.

That finding is newsworthy, but the headline risk is bigger than the nuance. CSIS counts both completed attacks and disrupted plots and applies a specific terrorism definition that excludes many episodes other groups or outlets have highlighted. The mid‑year numbers are a narrow slice in time — through July 4 — and they sit on top of long‑running trends that still show much higher lethality from right‑wing and jihadist actors over multi‑year windows. In short, counts alone do not tell the whole risk story.

Why this matters for practitioners: resource decisions, operational posture, and public messaging are often driven by simple metrics. If agencies reallocate attention purely on incident counts without weighing lethality, organizational capacity, networked logistics, and the likelihood of escalation, they risk both under‑resourcing real threats and amplifying political narratives that can erode public trust. Several reporters and analysts have already noted how the CSIS snapshot was amplified in coverage and political rhetoric.

Methodological caveats to keep front of mind

  • Window bias. A short reporting window can flip comparative tallies when absolute numbers are small. CSIS explicitly uses data through July 4, 2025. That is a defensible cut, but it is not a prediction of year‑end outcomes.
  • Inclusion rules. CSIS includes both attacks and disrupted plots and applies a terrorism definition that excludes certain high‑profile property damage incidents. Those coding choices change which events appear in the dataset and how trends look.
  • Multiple metrics. Incidents, fatalities, disrupted plots, attack sophistication, and cross‑jurisdictional coordination are distinct signals. Treating any single metric as a proxy for overall risk is a mistake.

What security teams should do now — practical, non‑partisan steps

1) Move from single metric to risk matrix. Build or adopt threat matrices that weight incidents by lethality, logistical complexity, persistence, and community impact. Use incident counts as one input among many. This reduces the chance of knee‑jerk resource shifts driven by headlines.

2) Demand and publish coding transparency. If you rely on external datasets, insist the provider publish coding rules, exclusions, and raw entries (where safe and legal). Open methods let analysts reconcile differences between trackers and build composite indicators that are more robust than any single source. CSIS provided methodological notes; practitioners should ingest those notes and compare them with other long‑running datasets.

3) Preserve civil liberties while targeting real threats. Tactical adjustments should focus on actors who display intent and capacity for violence. That means investing in traditional investigative tradecraft, digital forensics, and evidence‑based disruption — not broad‑brush suppression of lawful organizing. Clear public communication about that distinction matters to maintain legitimacy.

4) Strengthen community prevention and de‑escalation. Many attacks and plots show local indicators: social isolation, grievance amplification online, and rapid radicalization around specific events. Fund community‑based programs, threat assessment teams that include mental health professionals, and partnerships with civil society to reduce the flow from grievance to violence.

5) Improve information sharing between local and federal partners. Short‑term shifts in the domestic threat mix magnify the need for timely, usable intelligence at the municipal level. That means standardizing incident reporting formats, enabling secure but rapid data exchange, and focusing federal assistance where local capacity is weakest.

6) Treat online ecosystems as operational terrain. The platforms where radicalization is amplified will remain a force multiplier. Support targeted takedowns of violent operational planning, invest in attribution and takedown capabilities, and balance those actions with due process. Technical capability to map networks and intervene early is now as important as boots on the ground.

How to avoid politicization

Data will be weaponized. Expect politicians and partisans to use any dataset that supports their narrative. Security professionals must be explicit about limits and uncertainties when briefing policymakers or talking to the press. Publish your assumptions, show counterfactuals, and present alternative scenarios. That level of candor reduces both misinformation and bad policy.

Bottom line

The CSIS mid‑year snapshot is a useful wake‑up call that should drive closer methodological scrutiny and smarter operational responses. It does not by itself overturn decades of evidence about which actors have caused the most harm. For practitioners, the right response is not to chase headlines. The right response is to adopt multi‑dimensional risk metrics, demand transparent methods, invest in prevention and local capacity, and keep civil liberties front and center while targeting those who actually plan and execute violence. That balanced, evidence‑driven posture protects communities better than panic‑driven reallocations or politically convenient narratives.