[EVENT] - Collection Map

OSINT-046 Event Threat & Risk Assessment - collection workspace. Central topic = the event under assessment. Branches = data-point categories for the threat picture. Drop each collected value as a child node; expand it with where it was found and what it links to. Paste raw tool output into the node’s Notes. → feeds deliverable OSINT-046.

00 · Collection Plan - PIRs & EEIs

The questions this collection must answer + the essential elements of information (EEI) for each. Tick as satisfied. → drives §3 Key Judgments, §4 PIRs, §18 Overall Event Threat Rating & Recommendation, §25 Assessment & Recommendations.

PIR-1 - Event target profile & directed threat

→ §4 PIR-1, §6 Event Profile & Target Profile

  • EEI: event type, format, and public visibility (high-profile vs. closed/private)
  • EEI: host, organiser, and sponsor identity + known controversy or grievance history
  • EEI: date/anniversary significance - symbolic value to any threat actor
  • EEI: named VIP/high-profile attendees and their threat-attraction profile
  • EEI: prior threats, incidents, or hostile attention directed at this event, similar events, or the venue
  • EEI: social-media chatter, protest calls, and threat narratives targeting the event

PIR-2 - Venue & location threat environment

→ §4 PIR-2, §7 Venue & Location Assessment

  • EEI: country/city/area threat level (crime, terrorism, civil unrest) - consumed from OSINT-031-country-risk-assessment / OSINT-026-country-regional-study
  • EEI: venue type (indoor/outdoor/stadium/temporary structure), capacity, and layout character
  • EEI: ingress/egress count, choke-points, and perimeter character
  • EEI: surrounding area - transport links, observation positions, protest-assembly areas, parking
  • EEI: known venue vulnerabilities from open-source reporting or prior incidents

PIR-3 - Mass-casualty & active threat

→ §4 PIR-3, §10 Mass-Casualty / Active Threat Risk

  • EEI: applicable terrorist groups, lone-actor history, or conflict-zone indirect-fire exposure at the location
  • EEI: vehicle-attack risk given venue perimeter / crowd-approach design
  • EEI: armed-attacker / IED / knife-attack history and capability in the area
  • EEI: structural collapse or crowd-driven mass-casualty exposure

PIR-4 - Crowd safety & crush

→ §4 PIR-4, §11 Crowd Safety, Crush & Trampling Risk

  • EEI: expected attendance vs. venue stated capacity
  • EEI: crowd composition and behaviour profile (general public / ticketed / invite-only / mixed)
  • EEI: ingress/egress ratio and pinch-point geometry
  • EEI: steward-to-attendee ratio and crowd-flow management plan (if known)
  • EEI: prior crowd-safety incidents at this venue or at comparable events

PIR-5 - Protest, disruption & civil disorder

→ §4 PIR-5, §12 Protest, Disruption & Civil-Disorder Risk

  • EEI: active protest groups targeting the event, host, organiser, or sponsors
  • EEI: protest permits applied for or announced in the vicinity
  • EEI: prior civil-disorder incidents near the venue or at comparable events
  • EEI: counter-protest or factional-confrontation risk

PIR-6 - Hostile surveillance, pre-attack reconnaissance & drone

→ §4 PIR-6, §13 Hostile Surveillance, Pre-Attack Reconnaissance & Drone Risk

  • EEI: indicators of hostile reconnaissance or suspicious activity at/near the venue
  • EEI: drone threat environment at the location (capability, prior incidents, airspace restrictions)
  • EEI: venue OPSEC exposure (published schedules, floor plans, VIP movements publicly known)
  • EEI: risk of pre-positioning of personnel, devices, or equipment

PIR-7 - Cyber, digital & information threat

→ §4 PIR-7, §14 Cyber, Digital & Information-Environment Threat

  • EEI: known hacktivist or threat-actor interest in the event, organiser, or host
  • EEI: event’s digital footprint (ticketing system, credentialling, live-stream, payment, network)
  • EEI: disinformation campaigns, false threat narratives, or protest calls in the information environment
  • EEI: doxxing risk for named organisers or high-profile attendees

PIR-8 - Weather, environmental & health

→ §4 PIR-8, §15 Weather, Environmental & Health Risk

  • EEI: weather forecast and seasonal exposure for the event window
  • EEI: natural-hazard baseline for the location (seismic, flood, wildfire, etc.)
  • EEI: venue resilience to weather (indoor/outdoor/temporary structures)
  • EEI: local medical-system capacity for mass-casualty response
  • EEI: disease, food/water safety, or health advisories in force

PIR-9 - Trajectory & inflection indicators

→ §4 PIR-9, §20 Threat-Escalation & Early-Warning Indicators, §18 Trajectory

  • EEI: pre-event indicators that could step the rating up or down before event day
  • EEI: in-event tripwires that would trigger a phase cancellation or venue evacuation
  • EEI: trajectory of the threat environment across the event window (improving/stable/deteriorating)

Collection gaps / RFIs (running)

  • [Venue Security Survey commissioned? If not, flag gap → §24 RFI]
  • [Protective Advance Survey & Recce commissioned for any VIP? If not, flag gap → §24 RFI]
  • [Attendee list completeness - VIP names and travel patterns obtained? → §24 RFI]
  • [open item] → route to [product]

01 · Principal / Protectee or Event Detail

Core identity of the event and client role. All downstream scoring is anchored to this node. → feeds §2 Executive Summary & Scope, §6 Event Profile & Target Profile, §9 Event Timeline & Phases.

Event identity

  • Event name / title:
  • Event type & format: [public concert / corporate conference / diplomatic summit / sporting fixture / festival / private gala / other]
  • Event date(s) / core operating days:
  • Event window (setup through teardown):
  • Venue / location:
  • Expected attendance / composition:
  • Client name / role: [Organiser / Host / Security contractor / Principal attendee / Insurer / Sponsor]
  • Engagement purpose:
  • Engagement reference:

Host, organiser & sponsor profile

  • [host/organiser/sponsor name - e.g. ACME Events Ltd]
    • Known controversy or grievance history:
    • Prior threats or protests directed at them:
    • Political / ideological / commercial associations:
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Notes / tool output: ← (OpenCorporates, Companies House, news search, social-media search)
  • [host 2]

VIP / high-profile attendee register

Clone the block per named attendee. Each name is a targeting variable. → §8 Attendee Profile & Exposure, §6 Target Profile.

  • [VIP name - e.g. SURNAME, Firstname]
    • Role / title at event:
    • Security posture (known detail, advance completed):
    • Threat-attraction profile (political / corporate / celebrity / controversial):
    • Travel route / arrival timing (known):
    • Protective Advance Survey commissioned: [Y / N / In progress]
    • Notes / tool output:
  • [VIP 2]

Date / anniversary significance

  • [date - e.g. YYYY-MM-DD]
    • Significance to threat actors (political / religious / ideological / historical):
    • Known prior incidents on or near this date:
    • Source grade:

02 · Venue & Geography

Site, layout, ingress/egress, surrounding area - the physical threat frame. Consume Venue Security Survey findings if available; flag gaps where not yet commissioned. → feeds §7 Venue & Location Assessment, §9 Event Timeline & Phases, §16 Phase-by-Phase Threat Profile.

Venue identity

  • Venue name:
  • Venue type: [indoor arena / outdoor stadium / conference centre / temporary structure / historic site / other]
  • Address / coordinates:
  • Stated capacity:
  • Expected fill level:
  • Venue Security Survey commissioned: [Y / N - if N, flag gap → §24 RFI]
  • Notes / tool output: ← (Google Maps, OpenStreetMap, venue official site, prior event reports)

Layout & access control

  • [access zone - e.g. Main Gate / VIP Entrance / Staff/Service Entry]
    • Location within venue:
    • Screening / credentialling in place:
    • Chokepoint / congestion risk:
    • Notes:
  • [zone 2]

Ingress / egress routes

Clone the block per route leg. → §16 Phase profile (P2 arrival, P6 departure - highest-seam phases).

  • [route leg - e.g. Approach from North on Main Street]
    • Vehicle / pedestrian / mixed:
    • Choke-points / pinch-points:
    • Protest-assembly area nearby:
    • Observation / overlook positions:
    • Notes / tool output: ← (OpenStreetMap, satellite imagery, Wikimapia)
  • [route 2]

Surrounding area

  • [area element - e.g. Adjacent parking structure / Public thoroughfare / Metro station]
    • Threat relevance: [vehicle approach / protest assembly / observation / pre-positioning]
    • Distance from venue perimeter:
    • Notes:

Venue vulnerabilities (open-source)

  • [vulnerability - e.g. Open perimeter on east side / Single-exit corridor at capacity]
    • Basis / source:
    • Phase affected:
    • Source grade:

03 · Routes & Movement

Movement of attendees, VIPs, staff, and vehicles across all event phases - predictability aids targeting. → feeds §9 Event Timeline & Phases, §13 Hostile Surveillance & Drone Risk, §16 Phase-by-Phase Threat Profile.

Event phase timeline

Clone the block per phase. This feeds the P1–P7 phase-by-phase profile in §16.

  • [phase - e.g. P2 · Attendee arrival / access / ingress]
    • Date / time window:
    • Activity description:
    • Location(s) / zone(s):
    • Expected crowd density:
    • Key personnel / attendees present:
    • Known security measures:
    • Predictability / schedule exposure note:
    • Notes:
  • [P3 · Main event opening]
  • [P4 · Core sessions]
  • [P5 · Peak / featured moment]
  • [P6 · Departure / egress]

VIP / principal movement legs

Clone per VIP or movement leg. → §13 Surveillance risk, §21 Protective Posture.

  • [leg - e.g. Airport → hotel → venue]
    • Mode of transport:
    • Timing (published / known):
    • Protective Advance Survey status:
    • Surveillance exposure:
    • Notes / tool output:
  • [leg 2]

Staff, contractor & vendor access patterns

  • [access category - e.g. Catering vendor / AV crew / Security contractor]
    • Credentialling risk:
    • Backstage / service access scope:
    • Insider-threat flag:
    • Notes:

04 · Threat Actors & Persons of Interest

Entities with intent or history of hostility toward the event, host, organisers, venue, or VIP attendees. Each is a clonable block graded for capability, intent, and proximity. → feeds §6 Event Profile & Target Profile, §10 Mass-Casualty Risk, §12 Protest & Disorder Risk, §13 Surveillance Risk.

Terrorist / extremist groups

  • [group - e.g. [Group name or type - e.g. right-wing extremist network / jihadist affiliate]]
    • Ideological driver / grievance:
    • Prior attacks in the area or at comparable events:
    • Capability (weapons, operational reach):
    • Intent indicators toward this event:
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Notes / tool output: ← (ACLED, TRAC, GTD, Jihadoscope, state advisory)
  • [group 2]

Protest organisations & activists

  • [organisation - e.g. [Group name / campaign]]
    • Grievance target (host / sponsor / attendee / policy):
    • Tactics profile (peaceful / disruptive / history of violence):
    • Permit or public call-to-action issued:
    • Expected turnout scale:
    • Social-media presence / mobilisation:
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Notes / tool output: ← (Twitter/X search, Telegram monitoring, local event permit records)
  • [organisation 2]

Lone actors / grievance actors

  • [individual or type - e.g. Disgruntled former employee / fixated individual targeting VIP]
    • Target of grievance:
    • Prior threat indicators:
    • Capability:
    • Notes:

Criminal actors

  • [actor type - e.g. Pickpocket networks / ticket fraud / organised theft targeting event]
    • Relevance to event:
    • Notes:

05 · Threat Landscape

Historical incidents, analogous events, current chatter, and the broader threat environment at and around the venue that sets the ambient threat level. → feeds §7 Venue & Location Assessment, §10–§15 threat category sections, §17 Consolidated Threat Register.

Prior incidents at this venue

  • [incident - e.g. [Date: brief description]]
    • Incident type:
    • Outcome / casualty count:
    • Source grade:
    • Relevance to current event:

Analogous event incidents (comparable events globally)

  • [incident - e.g. [Event, date, location]]
    • Threat type / modality:
    • Lessons for this event:
    • Source grade:

Current threat advisories

  • [advisory - e.g. [FCDO / US DOS / OSAC / local authority advisory]]
    • Threat level / band stated:
    • Date issued:
    • Self-interest / reliability caveat:
    • Source grade:

Online chatter & social-media threat monitoring

  • [platform / channel - e.g. Twitter/X hashtag / Telegram channel / dark-web forum]
    • Threat type (protest call / specific threat / disinformation):
    • Credibility assessment:
    • Date observed:
    • Notes / tool output: ← (TweetDeck, Maltego, Mention, OSINT social search)

Country / area threat environment

Consumed from inputs; summarise the salient findings here as they apply to this event.

06 · Vulnerabilities & Attack Surface

Weaknesses that enable threats to materialise - venue design, event profile, digital exposure, and security-posture gaps identified through open-source collection. → feeds §17 Consolidated Threat Register & Heat Map, §21 Protective Posture & Mitigation Options, §24 Collection Gaps & RFIs.

Physical / venue vulnerabilities

  • [vulnerability - e.g. Open vehicle access to crowd zone / Single egress corridor at capacity]
    • Phase affected:
    • Inherent score estimate (L×I):
    • Existing mitigation (known):
    • Residual estimate:
    • Source grade:

Crowd-safety vulnerabilities

  • [vulnerability - e.g. Ingress pinch-point at Gate B / Elevated capacity vs. steward ratio]
    • Phase affected:
    • Inherent score estimate (L×I):
    • Existing mitigation (known):
    • Residual estimate:

Cyber / digital attack surface

  • [system - e.g. Ticketing platform / Credentialling app / Live-stream infrastructure]
    • Vendor / provider (if known):
    • Known prior breaches or vulnerabilities:
    • Hacktivist interest in system or organiser:
    • Notes / tool output: ← (Shodan, crt.sh, HaveIBeenPwned org lookup, whois)
  • [system 2]

OPSEC / information-environment exposure

  • [exposure - e.g. Full event schedule published publicly / VIP travel itinerary leaked / Floor plan available online]
    • Threat relevance:
    • Source:

07 · Local Environment

Security, medical, law-enforcement, and infrastructure context at the venue location that determines response adequacy and environmental resilience. → feeds §7 Venue & Location Assessment, §15 Weather, Environmental & Health Risk, §25 Assessment & Recommendations.

Law enforcement presence & capacity

  • Local police / authority:
    • Response time estimate:
    • Coordination with event security:
    • Source grade:

Medical & emergency services

  • Nearest trauma centre / hospital:
    • Distance / travel time:
    • Mass-casualty capacity:
    • On-site medical provision (planned):
    • Source grade:

Critical infrastructure resilience

  • [infrastructure - e.g. Power supply / Communication networks / Water]
    • Known vulnerabilities / past failures:
    • Impact on event if disrupted:

Weather & environmental baseline

  • Forecast source(s) / service:
  • Seasonal exposure: [extreme heat / cold / storm / flood / lightning / wildfire / other]
  • Venue weather resilience: [fully indoor / outdoor exposed / mixed / temporary structure]
  • Natural hazard baseline (seismic / flood zone / etc.):
  • Air quality / wildfire smoke risk:

Health & sanitation

  • Active health advisories in force:
  • Food & water safety assessment:
  • Disease risk level at location:

08 · Digital & Social Signals

Open-source digital collection feeding the cyber/information-environment threat picture and the protest/disruption early-warning function. → feeds §14 Cyber, Digital & Information-Environment Threat, §12 Protest & Disorder Risk, §20 Threat-Escalation & Early-Warning Indicators.

Social-media monitoring - threat narratives

Clone per platform / campaign / hashtag.

  • [platform + keyword/hashtag - e.g. Twitter/X EventName / Telegram channel]
    • Threat type observed (protest call / specific threat / false narrative / doxxing):
    • Volume / reach estimate:
    • Credibility assessment:
    • Date range observed:
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Notes / tool output: ← (TweetDeck, Brandwatch, Mention, Maltego)
  • [channel 2]

Event digital footprint

  • Official event website:
    • Published schedule / floor plan / VIP list exposure:
    • Ticketing platform / vendor:
    • Credentialling system:

Organiser / host digital exposure

  • [domain / email pattern - e.g. events.acme.com]
    • WHOIS / registrant:
    • Hosting / IP:
    • Prior breach/paste appearance:
    • Notes / tool output: ← (whois, crt.sh, HaveIBeenPwned, Shodan)
  • [domain 2]

Disinformation & narrative tracking

  • [narrative - e.g. “Event is a cover for [X]” / False bomb threat spreading on platform Y]
    • Platform(s):
    • Origin / amplification:
    • Credibility / plausibility:
    • Date observed:

09 · Indicators & Warnings

Observable events or signals that would change a phase or category threat rating, or trigger a recommendation change. Populated from §20 of the deliverable. → feeds §20 Threat-Escalation & Early-Warning Indicators, §3 Key Judgments (change indicators), §18 Trajectory.

Pre-event tripwires (would change go/no-go recommendation)

Clone per indicator. Severity: Critical = changes recommendation to CANCEL/RELOCATE/POSTPONE.

  • [indicator - e.g. Specific/credible threat intelligence directed at the event issued by a state advisory]
    • Phase: [Pre-event]
    • Threat / section:
    • Change signalled:
    • Severity: [Critical / High / Medium / Low]
    • Current status: [Not present / Emerging / Present]
    • Disposition: [Watch / Notify client / Re-rate / Cancel / Route to security ops]
    • Notes:
  • [indicator 2]

In-event tripwires (would trigger posture change, phase cancellation, or evacuation)

  • [indicator - e.g. Hostile drone detected over venue airspace]
    • Phase: [In-event - P#]
    • Threat / section:
    • Change signalled:
    • Severity: [Critical / High / Medium / Low]
    • Current status:
    • Disposition:
    • Notes:
  • [indicator 2]

Positive de-escalation indicators (rating improvement)

  • [indicator - e.g. Protest group withdraws call-to-action / Threat advisory downgraded]
    • Phase:
    • Effect on rating:
    • Current status:

99 · Collection Admin

Working register - not a deliverable section, but the audit trail and gap log behind it.

Source register

Every material datum traceable to a graded source (Admiralty two-axis: A–F reliability / 1–6 credibility).

  • [S-1 - source name / title]
    • Type: [Official advisory / Open-source dataset / News / Social media / Venue-provided / Country product / Human source]
    • Reliability (A–F) / Credibility (1–6):
    • Self-interest / reliability caveat:
    • Date accessed:
    • Coverage scope:
  • [S-2 - source]
    • Type:
    • Reliability (A–F) / Credibility (1–6):
    • Date accessed:
  • [S-3 - Country Risk Assessment OSINT-031-country-risk-assessment consumed]
    • Reliability (A–F) / Credibility (1–6):
    • Date accessed:
  • [S-4 - Country / Regional Study OSINT-026-country-regional-study consumed]
    • Reliability (A–F) / Credibility (1–6):
    • Date accessed:

Evidence archive

  • [screenshot / capture ref + hash + URL + timestamp]:
  • [venue layout / map capture ref]:
  • [social-media threat post capture ref]:

Sibling-product tracking

Open gaps / RFIs

  • [Venue Security Survey - not yet commissioned - gap per §24]
  • [Protective Advance Survey & Recce - not yet commissioned - gap per §24]
  • [Attendee list completeness - VIP section incomplete - gap per §24]
  • [item submitted, not yet returned]