[EVENT] - Collection Map
OSINT-046 Event Threat & Risk Assessment - collection workspace. Central topic = the event under assessment. Branches = data-point categories for the threat picture. Drop each collected value as a child node; expand it with where it was found and what it links to. Paste raw tool output into the node’s Notes. → feeds deliverable OSINT-046.
00 · Collection Plan - PIRs & EEIs
The questions this collection must answer + the essential elements of information (EEI) for each. Tick as satisfied. → drives §3 Key Judgments, §4 PIRs, §18 Overall Event Threat Rating & Recommendation, §25 Assessment & Recommendations.
PIR-1 - Event target profile & directed threat
→ §4 PIR-1, §6 Event Profile & Target Profile
- EEI: event type, format, and public visibility (high-profile vs. closed/private)
- EEI: host, organiser, and sponsor identity + known controversy or grievance history
- EEI: date/anniversary significance - symbolic value to any threat actor
- EEI: named VIP/high-profile attendees and their threat-attraction profile
- EEI: prior threats, incidents, or hostile attention directed at this event, similar events, or the venue
- EEI: social-media chatter, protest calls, and threat narratives targeting the event
PIR-2 - Venue & location threat environment
→ §4 PIR-2, §7 Venue & Location Assessment
- EEI: country/city/area threat level (crime, terrorism, civil unrest) - consumed from OSINT-031-country-risk-assessment / OSINT-026-country-regional-study
- EEI: venue type (indoor/outdoor/stadium/temporary structure), capacity, and layout character
- EEI: ingress/egress count, choke-points, and perimeter character
- EEI: surrounding area - transport links, observation positions, protest-assembly areas, parking
- EEI: known venue vulnerabilities from open-source reporting or prior incidents
PIR-3 - Mass-casualty & active threat
→ §4 PIR-3, §10 Mass-Casualty / Active Threat Risk
- EEI: applicable terrorist groups, lone-actor history, or conflict-zone indirect-fire exposure at the location
- EEI: vehicle-attack risk given venue perimeter / crowd-approach design
- EEI: armed-attacker / IED / knife-attack history and capability in the area
- EEI: structural collapse or crowd-driven mass-casualty exposure
PIR-4 - Crowd safety & crush
→ §4 PIR-4, §11 Crowd Safety, Crush & Trampling Risk
- EEI: expected attendance vs. venue stated capacity
- EEI: crowd composition and behaviour profile (general public / ticketed / invite-only / mixed)
- EEI: ingress/egress ratio and pinch-point geometry
- EEI: steward-to-attendee ratio and crowd-flow management plan (if known)
- EEI: prior crowd-safety incidents at this venue or at comparable events
PIR-5 - Protest, disruption & civil disorder
→ §4 PIR-5, §12 Protest, Disruption & Civil-Disorder Risk
- EEI: active protest groups targeting the event, host, organiser, or sponsors
- EEI: protest permits applied for or announced in the vicinity
- EEI: prior civil-disorder incidents near the venue or at comparable events
- EEI: counter-protest or factional-confrontation risk
PIR-6 - Hostile surveillance, pre-attack reconnaissance & drone
→ §4 PIR-6, §13 Hostile Surveillance, Pre-Attack Reconnaissance & Drone Risk
- EEI: indicators of hostile reconnaissance or suspicious activity at/near the venue
- EEI: drone threat environment at the location (capability, prior incidents, airspace restrictions)
- EEI: venue OPSEC exposure (published schedules, floor plans, VIP movements publicly known)
- EEI: risk of pre-positioning of personnel, devices, or equipment
PIR-7 - Cyber, digital & information threat
→ §4 PIR-7, §14 Cyber, Digital & Information-Environment Threat
- EEI: known hacktivist or threat-actor interest in the event, organiser, or host
- EEI: event’s digital footprint (ticketing system, credentialling, live-stream, payment, network)
- EEI: disinformation campaigns, false threat narratives, or protest calls in the information environment
- EEI: doxxing risk for named organisers or high-profile attendees
PIR-8 - Weather, environmental & health
→ §4 PIR-8, §15 Weather, Environmental & Health Risk
- EEI: weather forecast and seasonal exposure for the event window
- EEI: natural-hazard baseline for the location (seismic, flood, wildfire, etc.)
- EEI: venue resilience to weather (indoor/outdoor/temporary structures)
- EEI: local medical-system capacity for mass-casualty response
- EEI: disease, food/water safety, or health advisories in force
PIR-9 - Trajectory & inflection indicators
→ §4 PIR-9, §20 Threat-Escalation & Early-Warning Indicators, §18 Trajectory
- EEI: pre-event indicators that could step the rating up or down before event day
- EEI: in-event tripwires that would trigger a phase cancellation or venue evacuation
- EEI: trajectory of the threat environment across the event window (improving/stable/deteriorating)
Collection gaps / RFIs (running)
- [Venue Security Survey commissioned? If not, flag gap → §24 RFI]
- [Protective Advance Survey & Recce commissioned for any VIP? If not, flag gap → §24 RFI]
- [Attendee list completeness - VIP names and travel patterns obtained? → §24 RFI]
- [open item] → route to [product]
01 · Principal / Protectee or Event Detail
Core identity of the event and client role. All downstream scoring is anchored to this node. → feeds §2 Executive Summary & Scope, §6 Event Profile & Target Profile, §9 Event Timeline & Phases.
Event identity
- Event name / title:
- Event type & format: [public concert / corporate conference / diplomatic summit / sporting fixture / festival / private gala / other]
- Event date(s) / core operating days:
- Event window (setup through teardown):
- Venue / location:
- Expected attendance / composition:
- Client name / role: [Organiser / Host / Security contractor / Principal attendee / Insurer / Sponsor]
- Engagement purpose:
- Engagement reference:
Host, organiser & sponsor profile
- [host/organiser/sponsor name - e.g. ACME Events Ltd]
- Known controversy or grievance history:
- Prior threats or protests directed at them:
- Political / ideological / commercial associations:
- Attribution confidence: [Confirmed / Probable / Possible]
- Notes / tool output: ← (OpenCorporates, Companies House, news search, social-media search)
- [host 2]
VIP / high-profile attendee register
Clone the block per named attendee. Each name is a targeting variable. → §8 Attendee Profile & Exposure, §6 Target Profile.
- [VIP name - e.g. SURNAME, Firstname]
- Role / title at event:
- Security posture (known detail, advance completed):
- Threat-attraction profile (political / corporate / celebrity / controversial):
- Travel route / arrival timing (known):
- Protective Advance Survey commissioned: [Y / N / In progress]
- Notes / tool output:
- [VIP 2]
Date / anniversary significance
- [date - e.g. YYYY-MM-DD]
- Significance to threat actors (political / religious / ideological / historical):
- Known prior incidents on or near this date:
- Source grade:
02 · Venue & Geography
Site, layout, ingress/egress, surrounding area - the physical threat frame. Consume Venue Security Survey findings if available; flag gaps where not yet commissioned. → feeds §7 Venue & Location Assessment, §9 Event Timeline & Phases, §16 Phase-by-Phase Threat Profile.
Venue identity
- Venue name:
- Venue type: [indoor arena / outdoor stadium / conference centre / temporary structure / historic site / other]
- Address / coordinates:
- Stated capacity:
- Expected fill level:
- Venue Security Survey commissioned: [Y / N - if N, flag gap → §24 RFI]
- Notes / tool output: ← (Google Maps, OpenStreetMap, venue official site, prior event reports)
Layout & access control
- [access zone - e.g. Main Gate / VIP Entrance / Staff/Service Entry]
- Location within venue:
- Screening / credentialling in place:
- Chokepoint / congestion risk:
- Notes:
- [zone 2]
Ingress / egress routes
Clone the block per route leg. → §16 Phase profile (P2 arrival, P6 departure - highest-seam phases).
- [route leg - e.g. Approach from North on Main Street]
- Vehicle / pedestrian / mixed:
- Choke-points / pinch-points:
- Protest-assembly area nearby:
- Observation / overlook positions:
- Notes / tool output: ← (OpenStreetMap, satellite imagery, Wikimapia)
- [route 2]
Surrounding area
- [area element - e.g. Adjacent parking structure / Public thoroughfare / Metro station]
- Threat relevance: [vehicle approach / protest assembly / observation / pre-positioning]
- Distance from venue perimeter:
- Notes:
Venue vulnerabilities (open-source)
- [vulnerability - e.g. Open perimeter on east side / Single-exit corridor at capacity]
- Basis / source:
- Phase affected:
- Source grade:
03 · Routes & Movement
Movement of attendees, VIPs, staff, and vehicles across all event phases - predictability aids targeting. → feeds §9 Event Timeline & Phases, §13 Hostile Surveillance & Drone Risk, §16 Phase-by-Phase Threat Profile.
Event phase timeline
Clone the block per phase. This feeds the P1–P7 phase-by-phase profile in §16.
- [phase - e.g. P2 · Attendee arrival / access / ingress]
- Date / time window:
- Activity description:
- Location(s) / zone(s):
- Expected crowd density:
- Key personnel / attendees present:
- Known security measures:
- Predictability / schedule exposure note:
- Notes:
- [P3 · Main event opening]
- [P4 · Core sessions]
- [P5 · Peak / featured moment]
- [P6 · Departure / egress]
VIP / principal movement legs
Clone per VIP or movement leg. → §13 Surveillance risk, §21 Protective Posture.
- [leg - e.g. Airport → hotel → venue]
- Mode of transport:
- Timing (published / known):
- Protective Advance Survey status:
- Surveillance exposure:
- Notes / tool output:
- [leg 2]
Staff, contractor & vendor access patterns
- [access category - e.g. Catering vendor / AV crew / Security contractor]
- Credentialling risk:
- Backstage / service access scope:
- Insider-threat flag:
- Notes:
04 · Threat Actors & Persons of Interest
Entities with intent or history of hostility toward the event, host, organisers, venue, or VIP attendees. Each is a clonable block graded for capability, intent, and proximity. → feeds §6 Event Profile & Target Profile, §10 Mass-Casualty Risk, §12 Protest & Disorder Risk, §13 Surveillance Risk.
Terrorist / extremist groups
- [group - e.g. [Group name or type - e.g. right-wing extremist network / jihadist affiliate]]
- Ideological driver / grievance:
- Prior attacks in the area or at comparable events:
- Capability (weapons, operational reach):
- Intent indicators toward this event:
- Attribution confidence: [Confirmed / Probable / Possible]
- Notes / tool output: ← (ACLED, TRAC, GTD, Jihadoscope, state advisory)
- [group 2]
Protest organisations & activists
- [organisation - e.g. [Group name / campaign]]
- Grievance target (host / sponsor / attendee / policy):
- Tactics profile (peaceful / disruptive / history of violence):
- Permit or public call-to-action issued:
- Expected turnout scale:
- Social-media presence / mobilisation:
- Attribution confidence: [Confirmed / Probable / Possible]
- Notes / tool output: ← (Twitter/X search, Telegram monitoring, local event permit records)
- [organisation 2]
Lone actors / grievance actors
- [individual or type - e.g. Disgruntled former employee / fixated individual targeting VIP]
- Target of grievance:
- Prior threat indicators:
- Capability:
- Notes:
Criminal actors
- [actor type - e.g. Pickpocket networks / ticket fraud / organised theft targeting event]
- Relevance to event:
- Notes:
05 · Threat Landscape
Historical incidents, analogous events, current chatter, and the broader threat environment at and around the venue that sets the ambient threat level. → feeds §7 Venue & Location Assessment, §10–§15 threat category sections, §17 Consolidated Threat Register.
Prior incidents at this venue
- [incident - e.g. [Date: brief description]]
- Incident type:
- Outcome / casualty count:
- Source grade:
- Relevance to current event:
Analogous event incidents (comparable events globally)
- [incident - e.g. [Event, date, location]]
- Threat type / modality:
- Lessons for this event:
- Source grade:
Current threat advisories
- [advisory - e.g. [FCDO / US DOS / OSAC / local authority advisory]]
- Threat level / band stated:
- Date issued:
- Self-interest / reliability caveat:
- Source grade:
Online chatter & social-media threat monitoring
- [platform / channel - e.g. Twitter/X hashtag / Telegram channel / dark-web forum]
- Threat type (protest call / specific threat / disinformation):
- Credibility assessment:
- Date observed:
- Notes / tool output: ← (TweetDeck, Maltego, Mention, OSINT social search)
Country / area threat environment
Consumed from inputs; summarise the salient findings here as they apply to this event.
- Country risk rating (from OSINT-031-country-risk-assessment):
- Country / regional study baseline (from OSINT-026-country-regional-study):
- Specific threat categories elevated at location:
- Source grade:
06 · Vulnerabilities & Attack Surface
Weaknesses that enable threats to materialise - venue design, event profile, digital exposure, and security-posture gaps identified through open-source collection. → feeds §17 Consolidated Threat Register & Heat Map, §21 Protective Posture & Mitigation Options, §24 Collection Gaps & RFIs.
Physical / venue vulnerabilities
- [vulnerability - e.g. Open vehicle access to crowd zone / Single egress corridor at capacity]
- Phase affected:
- Inherent score estimate (L×I):
- Existing mitigation (known):
- Residual estimate:
- Source grade:
Crowd-safety vulnerabilities
- [vulnerability - e.g. Ingress pinch-point at Gate B / Elevated capacity vs. steward ratio]
- Phase affected:
- Inherent score estimate (L×I):
- Existing mitigation (known):
- Residual estimate:
Cyber / digital attack surface
- [system - e.g. Ticketing platform / Credentialling app / Live-stream infrastructure]
- Vendor / provider (if known):
- Known prior breaches or vulnerabilities:
- Hacktivist interest in system or organiser:
- Notes / tool output: ← (Shodan, crt.sh, HaveIBeenPwned org lookup, whois)
- [system 2]
OPSEC / information-environment exposure
- [exposure - e.g. Full event schedule published publicly / VIP travel itinerary leaked / Floor plan available online]
- Threat relevance:
- Source:
07 · Local Environment
Security, medical, law-enforcement, and infrastructure context at the venue location that determines response adequacy and environmental resilience. → feeds §7 Venue & Location Assessment, §15 Weather, Environmental & Health Risk, §25 Assessment & Recommendations.
Law enforcement presence & capacity
- Local police / authority:
- Response time estimate:
- Coordination with event security:
- Source grade:
Medical & emergency services
- Nearest trauma centre / hospital:
- Distance / travel time:
- Mass-casualty capacity:
- On-site medical provision (planned):
- Source grade:
Critical infrastructure resilience
- [infrastructure - e.g. Power supply / Communication networks / Water]
- Known vulnerabilities / past failures:
- Impact on event if disrupted:
Weather & environmental baseline
- Forecast source(s) / service:
- Seasonal exposure: [extreme heat / cold / storm / flood / lightning / wildfire / other]
- Venue weather resilience: [fully indoor / outdoor exposed / mixed / temporary structure]
- Natural hazard baseline (seismic / flood zone / etc.):
- Air quality / wildfire smoke risk:
Health & sanitation
- Active health advisories in force:
- Food & water safety assessment:
- Disease risk level at location:
08 · Digital & Social Signals
Open-source digital collection feeding the cyber/information-environment threat picture and the protest/disruption early-warning function. → feeds §14 Cyber, Digital & Information-Environment Threat, §12 Protest & Disorder Risk, §20 Threat-Escalation & Early-Warning Indicators.
Social-media monitoring - threat narratives
Clone per platform / campaign / hashtag.
- [platform + keyword/hashtag - e.g. Twitter/X EventName / Telegram channel]
- Threat type observed (protest call / specific threat / false narrative / doxxing):
- Volume / reach estimate:
- Credibility assessment:
- Date range observed:
- Attribution confidence: [Confirmed / Probable / Possible]
- Notes / tool output: ← (TweetDeck, Brandwatch, Mention, Maltego)
- [channel 2]
Event digital footprint
- Official event website:
- Published schedule / floor plan / VIP list exposure:
- Ticketing platform / vendor:
- Credentialling system:
Organiser / host digital exposure
- [domain / email pattern - e.g. events.acme.com]
- WHOIS / registrant:
- Hosting / IP:
- Prior breach/paste appearance:
- Notes / tool output: ← (whois, crt.sh, HaveIBeenPwned, Shodan)
- [domain 2]
Disinformation & narrative tracking
- [narrative - e.g. “Event is a cover for [X]” / False bomb threat spreading on platform Y]
- Platform(s):
- Origin / amplification:
- Credibility / plausibility:
- Date observed:
09 · Indicators & Warnings
Observable events or signals that would change a phase or category threat rating, or trigger a recommendation change. Populated from §20 of the deliverable. → feeds §20 Threat-Escalation & Early-Warning Indicators, §3 Key Judgments (change indicators), §18 Trajectory.
Pre-event tripwires (would change go/no-go recommendation)
Clone per indicator. Severity: Critical = changes recommendation to CANCEL/RELOCATE/POSTPONE.
- [indicator - e.g. Specific/credible threat intelligence directed at the event issued by a state advisory]
- Phase: [Pre-event]
- Threat / section:
- Change signalled:
- Severity: [Critical / High / Medium / Low]
- Current status: [Not present / Emerging / Present]
- Disposition: [Watch / Notify client / Re-rate / Cancel / Route to security ops]
- Notes:
- [indicator 2]
In-event tripwires (would trigger posture change, phase cancellation, or evacuation)
- [indicator - e.g. Hostile drone detected over venue airspace]
- Phase: [In-event - P#]
- Threat / section:
- Change signalled:
- Severity: [Critical / High / Medium / Low]
- Current status:
- Disposition:
- Notes:
- [indicator 2]
Positive de-escalation indicators (rating improvement)
- [indicator - e.g. Protest group withdraws call-to-action / Threat advisory downgraded]
- Phase:
- Effect on rating:
- Current status:
99 · Collection Admin
Working register - not a deliverable section, but the audit trail and gap log behind it.
Source register
Every material datum traceable to a graded source (Admiralty two-axis: A–F reliability / 1–6 credibility).
- [S-1 - source name / title]
- Type: [Official advisory / Open-source dataset / News / Social media / Venue-provided / Country product / Human source]
- Reliability (A–F) / Credibility (1–6):
- Self-interest / reliability caveat:
- Date accessed:
- Coverage scope:
- [S-2 - source]
- Type:
- Reliability (A–F) / Credibility (1–6):
- Date accessed:
- [S-3 - Country Risk Assessment OSINT-031-country-risk-assessment consumed]
- Reliability (A–F) / Credibility (1–6):
- Date accessed:
- [S-4 - Country / Regional Study OSINT-026-country-regional-study consumed]
- Reliability (A–F) / Credibility (1–6):
- Date accessed:
Evidence archive
- [screenshot / capture ref + hash + URL + timestamp]:
- [venue layout / map capture ref]:
- [social-media threat post capture ref]:
Sibling-product tracking
- Venue Security Survey commissioned: [Y / N]
- Status / ref:
- Gap flag for §24:
- Protective Advance Survey & Recce commissioned: [Y / N]
- Status / ref:
- Gap flag for §24:
- Country Risk Assessment consumed: [Y / N - OSINT-031-country-risk-assessment]
- Country / Regional Study consumed: [Y / N - OSINT-026-country-regional-study]
- Downstream products to feed: OSINT-047-real-time-event-monitoring / OSINT-048-post-event-after-action-report
Open gaps / RFIs
- [Venue Security Survey - not yet commissioned - gap per §24]
- [Protective Advance Survey & Recce - not yet commissioned - gap per §24]
- [Attendee list completeness - VIP section incomplete - gap per §24]
- [item submitted, not yet returned]