[EVENT / OPERATION NAME] - Collection Map

OSINT-048 Post-Event After-Action Report - collection workspace. Central topic = the protective event or operation under review. Branches = data-point categories for reconstruction and evaluation. Drop each collected value as a child node; expand it with where it was found and the source record type. Paste raw tool output or record excerpts into the node’s Notes. → feeds deliverable OSINT-048.

00 · Collection Plan - PIRs & EEIs

The questions this after-action review must answer to reconstruct and evaluate the operation. Tick as satisfied. → drives §3 Key Judgments, §4 PIRs, §13 Verified Reconstruction Summary, §17 Reconstruction Gaps & RFIs.

PIR-1 - Sequence & Timing: What was the actual sequence and timing of the principal’s movements versus the planned schedule?

  • EEI: movement logs and escort comms records (timestamped)
  • EEI: venue access/egress records - entry/exit times per leg
  • EEI: divergences from the route and schedule plan-of-record (§6)
  • EEI: decision-point records - who decided, when, and on what basis

PIR-2 - Function Performance: How did each protective function perform against the plan?

  • EEI: advance/site-preparation debrief notes and check-lists
  • EEI: access-control and screening logs (screening records, badge/pass audits)
  • EEI: close-protection detail debrief / shift notes
  • EEI: transport/vehicle logs and route documentation
  • EEI: comms logs (radio/push-to-talk records, call logs)
  • EEI: medical standby and emergency-response records
  • EEI: liaison feedback - LE/venue/partner agencies

PIR-3 - Incidents & Deviations: What incidents, near-misses, and plan deviations occurred?

  • EEI: incident reports (written, timestamped) per event
  • EEI: near-miss reports or informal after-action notes from detail members
  • EEI: footage / CCTV clips corroborating or contradicting written accounts
  • EEI: deviation trigger and response - what prompted the deviation and what action followed

PIR-4 - Root Causes: What systemic factors drove material deficiencies?

  • EEI: process documentation - were written procedures in place and followed?
  • EEI: training records - were personnel trained for the specific contingency?
  • EEI: equipment serviceability records
  • EEI: coordination and information-flow records between functions
  • EEI: any recurring deviation pattern (same failure in prior events?)

PIR-5 - Sustainments: What capabilities and decisions performed well and should be codified?

  • EEI: positive-outcome records - where functions performed above baseline
  • EEI: improvised effective measures that are not yet codified
  • EEI: principal/client feedback on positive experience

PIR-6 - Corrective Actions: What changes are required and who owns them?

  • EEI: agreed corrective-action items with named owners and target dates (§18)
  • EEI: verification-of-closure mechanism for each action

Collection gaps / RFIs (running)

  • [open item] → route to [§17 Reconstruction Gaps & RFIs]
  • Missing footage / un-interviewed personnel → flag as gap, note impact on evaluation

01 · Principal / Protectee & Event Detail

Who and what is being reviewed. Factual baseline for the entire evaluation. → feeds §5 Event Overview & Operating Parameters, §6 Objectives & Plan-of-Record.

Principal / Protected Party

  • Full name / designation:
  • Role / status:
  • Threat tier at time of event:
  • Party composition (number, composition of travelling party):
  • Special requirements noted pre-event:

Event Identity

  • Event name / operation reference:
  • Type (conference / visit / motorcade / private function / public appearance / mixed):
  • Scale (number of attendees, public/private profile):
  • Date(s) & duration:
  • Location(s) / venue name:
  • Protective objective stated in the plan-of-record:

Operational Authority

  • Client / sponsor:
  • Requesting party:
  • Approving officer:
  • Report reference (REF-YYYY-###):

02 · Venue & Geography

Physical environment as it existed on the day - plan vs. reality. → feeds §5 Event Overview, §7 Timeline, §8 Execution Assessment (Advance & Site Preparation).

Venue Profile

  • [venue name - e.g. Grand Hyatt Conference Centre]
    • Address / coordinates:
    • Venue type (hotel / arena / office / outdoor / mixed):
    • Capacity / scale relevant to operation:
    • Advance survey source (pre-event assessment ref):
    • Actual vs. surveyed condition: [Match / Deviation - describe]
    • Notes / tool output:

Ingress & Egress Points

  • [access point - e.g. VIP entrance, north service bay]
    • Plan-of-record designation:
    • Actually used: [Yes / No / Modified]
    • Control measures in place:
    • Deviation or incident ref:
    • Notes:

Restricted / Secure Zones

  • [zone name]
    • Plan designation:
    • Actual perimeter as established:
    • Breach / deviation:
    • Notes:

Geospatial Records

  • Map / site-plan reference:
  • Drone / aerial imagery (pre-event):
  • Google Maps / satellite imagery capture:
    • Capture date / URL / hash:

03 · Routes & Movement

Every leg of the principal’s movement reconstructed against the plan. Clone the block per leg. → feeds §7 Timeline, §8 Execution Assessment (Movement & Transport), §9 Incidents & Deviations Register.

Route / Movement Leg

Clone this block per leg. → §7 Timeline, §8 Movement & Transport.

  • [Leg ID - e.g. Leg-1: Hotel → Venue main entrance]
    • Planned departure time:
    • Actual departure time:
    • Planned arrival time:
    • Actual arrival time:
    • Variance (minutes):
    • Route taken (road names / waypoints):
    • Planned vs. actual route: [On-plan / Deviation - describe]
    • Vehicle / transport used:
    • Escort composition:
    • Deviation trigger (if any):
    • Incident cross-ref (§9):
    • Source basis (vehicle log / GPS data / comms):
    • Notes / tool output:
  • [Leg-2]

Transport Assets Used

  • [vehicle ID / registration]
    • Type / spec:
    • Serviceability record:
    • Driver:
    • Issues noted:

Movement Control Documentation

  • Advance route survey ref:
  • Alternate routes documented: [Yes / No]
  • Route deviation trigger was:

04 · Threat Actors & Persons of Interest

Individuals who materialised as threats, disruptions, or persons of concern during the event. Clone per individual. → feeds §9 Incidents & Deviations Register, §14 Red Flag / Systemic-Risk Indicators.

Threat Individual / POI

Clone this block per individual identified. → §9, §14.

  • [POI identifier - e.g. Male in grey jacket, timestamp 14:32]
    • Observed behaviour:
    • Location at time of observation:
    • Confirmed / assessed threat level:
    • Action taken by detail:
    • Footage / imagery ref:
    • Reported to LE / venue security: [Yes / No]
    • Outcome / disposition:
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Notes / tool output:
  • [POI-2]

Pre-event Threat Warnings (materialised)

  • [warning ref from OSINT-046 pre-event assessment]
    • Assessed level pre-event:
    • Did it materialise: [Yes / No / Partial]
    • How it manifested:
    • Notes:

05 · Threat Landscape - Prior Incidents & Context

Historical event incidents and online intelligence that contextualise the threats in effect. → feeds §5 Event Overview & Operating Parameters (Threat Context), §14 Red Flag / Systemic-Risk Indicators.

Relevant Prior Incidents (same principal / similar events)

  • [incident ref]
    • Date / location:
    • Nature:
    • Relevance to current after-action:
    • Source grade:

Threat Context Active During Event

  • Threat level (from pre-event assessment OSINT-046):
  • Known threat actors relevant to principal:
  • Open-source chatter / social-media monitoring active: [Yes / No]
    • Tool / platform used:
    • Findings:
    • Notes:

Pre-Event Intelligence Product

  • OSINT-046 Event Threat & Risk Assessment ref:
    • Assessed risk level:
    • Key threat scenarios identified pre-event:
    • Which materialised:
    • Which did not:

06 · Vulnerabilities & Attack Surface (Observed During Event)

Gaps in the protective posture observed during the operation - feeding deficiencies register and root-cause analysis. → feeds §11 Deficiencies & Gaps, §12 Root-Cause Analysis, §14 Red Flag / Systemic-Risk Indicators.

Observed Vulnerabilities

Clone per observed gap. → §11, §12.

  • [vulnerability ref - e.g. V-1: unscreened service entrance used by catering staff]
    • Function affected (§8 category):
    • Observed at (time / location):
    • How it was identified:
    • Consequence (actual or potential):
    • Was it flagged in pre-event assessment: [Yes / No / Partial]
    • Deficiency cross-ref (§11):
    • Notes:
  • [V-2]

Silent / Masked Control Failures

  • [control that appeared to function but was actually ineffective]:
    • Detection method:
    • Evidence basis:

Systemic vs One-Off Assessment

  • [item]: Systemic / One-off / Undetermined
    • Basis:

07 · Local Environment - Security, Medical & Infrastructure

External partners, local authority engagement, venue infrastructure, and medical posture as executed. → feeds §5 Event Overview, §8 Execution Assessment (Medical & Emergency / Liaison).

Law-Enforcement Liaison

  • [LE agency / contact]
    • Pre-event coordination:
    • On-day presence: [Yes / No / Partial]
    • Response to incidents:
    • Assessment: [Effective / Effective-with-exceptions / Deficient]
    • Notes:

Venue Security Coordination

  • [venue security contact]
    • Pre-event briefing provided: [Yes / No]
    • Cooperation on day:
    • Issues / deviations:
    • Notes:

Medical / Emergency Readiness

  • Medical cover type (standby medic / hospital route / first-aider only):
  • Medical assets on site:
  • Hospital route pre-identified: [Yes / No / Address:]
  • Medical activation required: [Yes / No - if yes, describe:]
  • Medical records / debrief:

Venue Infrastructure

  • Communications infrastructure (radio coverage, dead zones):
  • Power / lighting contingency:
  • Evacuation route confirmed and used: [Yes / No]

Vendors / Third Parties

  • [vendor / third party]
    • Service provided:
    • Vetted pre-event: [Yes / No]
    • Performance:
    • Issues:

08 · Digital & Social Signals

Open-source digital intelligence active before, during, and immediately after the event - chatter, leaks, coverage. → feeds §5 Threat Context, §14 Red Flag / Systemic-Risk Indicators.

Social Media - Pre-Event & During-Event Chatter

  • [platform - e.g. X / Telegram / Instagram]
    • Monitoring tool used:
    • Keywords / accounts monitored:
    • Relevant posts / signals found:
    • Timestamp range:
    • Assessment:
    • Notes / screenshots:

Event Photography / Live Coverage Exposure

  • [platform / outlet]
    • Principal visible: [Yes / No]
    • Location / timing revealed:
    • Coverage source (official / media / attendee):
    • Risk implication:

Email / Communications Security (Operational)

  • Operational comms channel used:
  • Known interception risk or breach:
  • Notes:

Threat-Relevant Open-Source Indicators

Clone per indicator. → §14 Red Flag / Systemic-Risk Indicators.

  • [indicator - e.g. threatening post / leaked itinerary / doxxing attempt]
    • Platform:
    • Timestamp:
    • Credibility assessed:
    • Action taken:
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Notes / tool output:

09 · Indicators & Warnings - Observed & Retrospective

Retrospective I&W: signals that were available before or during the event and which, with hindsight, should have triggered a response. → feeds §14 Red Flag / Systemic-Risk Indicators, §15 ACH, §12 Root-Cause Analysis.

Indicators Observed (and acted on)

Clone per indicator. → §14.

  • [indicator ref - e.g. IW-1]
    • Nature of signal:
    • When observed:
    • Who observed / reported:
    • Action taken:
    • Outcome:
    • Notes:
  • [IW-2]

Indicators Missed or Underweighted

  • [indicator ref - e.g. IW-M1]
    • Nature of signal:
    • When available:
    • Why not acted on (assessment):
    • Root-cause category (people / process / equipment / information / coordination):
    • Deficiency cross-ref (§11):
    • Notes:

Warning Thresholds - Retrospective Assessment

  • Were escalation thresholds documented pre-event: [Yes / No]
  • Were thresholds triggered during event: [Yes / No / Should have been but were not]
  • Gap identified:

10 · Sustainments - What Worked

Evidence base for §10 Sustainments. Collect positive-outcome records and enabling factors before the evaluation synthesis. → feeds §10 Sustainments (What Worked).

Sustainment Record

Clone per sustainment item. → §10.

  • [sustainment ref - e.g. S-1: advance team established secure holding area 90 minutes before arrival]
    • Function / phase:
    • Enabling factor (why it worked):
    • Evidence basis (log / footage / debrief):
    • How to institutionalise:
    • Source grade:
    • Notes:
  • [S-2]

Principal / Client Positive Feedback

  • [feedback item]
    • Source (verbal / written):
    • Date captured:

11 · Deficiencies & Corrective-Action Collection

Evidence base for §11 Deficiencies, §12 Root-Cause Analysis, and §18 Corrective-Action Plan. Collect raw records before the evaluation synthesis.

Deficiency Record

Clone per deficiency. → §11, §12, §18.

  • [deficiency ref - e.g. D-1: access-control screening lane abandoned 12 minutes before principal arrival]
    • Function / phase:
    • Observed consequence (actual):
    • Potential consequence (worst-case):
    • Incident cross-ref (§9):
    • Evidence basis (footage ref / log / witness):
    • Root-cause category (people / process / equipment / information / coordination / external):
    • Was a written procedure in place: [Yes / No / Unclear]
    • Corrective action proposed:
    • Owner:
    • Target date:
    • Notes:
  • [D-2]

Corrective-Action Register (running)

Track items before they are formalised in §18.

  • [CA-1: corrective action item]
    • Linked deficiency:
    • Owner:
    • Target date:
    • Verification of closure:

12 · Reconstruction Evidence - Source Records

The primary evidentiary layer: records and interviews used to reconstruct the timeline. Every reconstructed fact in §13 must trace to a record here. → feeds §13 Verified Reconstruction Summary, §19 Annex A Sources & Methodology.

Footage & CCTV Records

  • [footage ref - e.g. CCTV-01: venue north entrance cam, 12:00–18:00]
    • Source / custodian:
    • Date / time range:
    • Lawful basis for access:
    • Chain of custody:
    • Key frames / timestamps of relevance:
    • Reliability (A–F):
    • Notes:

Radio / Comms Logs

  • [log ref]
    • System / channel:
    • Time range:
    • Custodian:
    • Key transmissions relevant to reconstruction:
    • Reliability (A–F):
    • Notes:

Written Logs & Shift Notes

  • [log ref]
    • Author / function:
    • Date / time range:
    • Completeness:
    • Discrepancies vs. other records:

Movement / Vehicle Logs

  • [log ref]
    • Vehicle ID:
    • Driver:
    • GPS data available: [Yes / No]
    • Timestamps:

Interviews / Debriefs

Clone per interviewee. All interviews under informed consent for after-action purposes.

  • [interviewee ref - e.g. INT-01: Team Leader, Close Protection]
    • Role:
    • Date of debrief:
    • Consent recorded: [Yes / No]
    • Key points:
    • Reliability (A–F):
    • Corroborated by:
    • Notes:
  • [INT-02]

Written Incident Reports

  • [report ref]
    • Author / function:
    • Incident ID cross-ref (§9):
    • Received: [Yes / No]
    • Notes:

99 · Collection Admin

Working register - not a deliverable section, but the audit trail and administrative record behind the after-action report. → feeds §19 Annex A Sources & Methodology, Appendices C and D.

Source Register

Every material datum traceable to a graded source. Admiralty two-axis code.

  • [S-1 - source description]
    • Type: [Primary / Secondary / Tertiary]
    • Reliability (A–F):
    • Credibility (1–6):
    • Date accessed / received:
    • Custodian / location:
    • Notes:
  • [S-2]

Evidence Archive

Pointer to the evidence package held in Appendix D of the deliverable.

  • [exhibit ref - e.g. EX-001: screenshot / log extract / footage clip]
    • Hash (SHA-256):
    • URL / file path:
    • Timestamp of capture:
    • Lawful basis / data-protection note:

Chain-of-Custody Log

  • [record transferred / received]
    • From:
    • To:
    • Date:
    • Method:

Privilege / Work-Product Flag

  • Litigation / claim risk identified: [Yes / No]
    • If yes, flagged to counsel on:
    • Litigation-hold in place: [Yes / No]

Data-Protection & Retention

  • GDPR / CCPA applicability:
  • Retention period per client policy:
  • Scheduled destruction / anonymisation date:

Open Gaps / Verification Pending

  • [item - e.g. footage from venue NW camera not yet obtained] → §17 gap ref
  • [item - e.g. three detail members not yet interviewed]

RFI Log

  • [RFI-01: description]
    • Submitted to:
    • Date submitted:
    • Status: [Open / Answered / Closed]
    • Response:

Review & Version Control

  • Draft issued:
  • Reviewed by:
  • Approved by:
  • Distribution list: