[EVENT / OPERATION NAME] - Collection Map
OSINT-048 Post-Event After-Action Report - collection workspace. Central topic = the protective event or operation under review. Branches = data-point categories for reconstruction and evaluation. Drop each collected value as a child node; expand it with where it was found and the source record type. Paste raw tool output or record excerpts into the node’s Notes. → feeds deliverable OSINT-048.
00 · Collection Plan - PIRs & EEIs
The questions this after-action review must answer to reconstruct and evaluate the operation. Tick as satisfied. → drives §3 Key Judgments, §4 PIRs, §13 Verified Reconstruction Summary, §17 Reconstruction Gaps & RFIs.
PIR-1 - Sequence & Timing: What was the actual sequence and timing of the principal’s movements versus the planned schedule?
- EEI: movement logs and escort comms records (timestamped)
- EEI: venue access/egress records - entry/exit times per leg
- EEI: divergences from the route and schedule plan-of-record (§6)
- EEI: decision-point records - who decided, when, and on what basis
PIR-2 - Function Performance: How did each protective function perform against the plan?
- EEI: advance/site-preparation debrief notes and check-lists
- EEI: access-control and screening logs (screening records, badge/pass audits)
- EEI: close-protection detail debrief / shift notes
- EEI: transport/vehicle logs and route documentation
- EEI: comms logs (radio/push-to-talk records, call logs)
- EEI: medical standby and emergency-response records
- EEI: liaison feedback - LE/venue/partner agencies
PIR-3 - Incidents & Deviations: What incidents, near-misses, and plan deviations occurred?
- EEI: incident reports (written, timestamped) per event
- EEI: near-miss reports or informal after-action notes from detail members
- EEI: footage / CCTV clips corroborating or contradicting written accounts
- EEI: deviation trigger and response - what prompted the deviation and what action followed
PIR-4 - Root Causes: What systemic factors drove material deficiencies?
- EEI: process documentation - were written procedures in place and followed?
- EEI: training records - were personnel trained for the specific contingency?
- EEI: equipment serviceability records
- EEI: coordination and information-flow records between functions
- EEI: any recurring deviation pattern (same failure in prior events?)
PIR-5 - Sustainments: What capabilities and decisions performed well and should be codified?
- EEI: positive-outcome records - where functions performed above baseline
- EEI: improvised effective measures that are not yet codified
- EEI: principal/client feedback on positive experience
PIR-6 - Corrective Actions: What changes are required and who owns them?
- EEI: agreed corrective-action items with named owners and target dates (§18)
- EEI: verification-of-closure mechanism for each action
Collection gaps / RFIs (running)
- [open item] → route to [§17 Reconstruction Gaps & RFIs]
- Missing footage / un-interviewed personnel → flag as gap, note impact on evaluation
01 · Principal / Protectee & Event Detail
Who and what is being reviewed. Factual baseline for the entire evaluation. → feeds §5 Event Overview & Operating Parameters, §6 Objectives & Plan-of-Record.
Principal / Protected Party
- Full name / designation:
- Role / status:
- Threat tier at time of event:
- Party composition (number, composition of travelling party):
- Special requirements noted pre-event:
Event Identity
- Event name / operation reference:
- Type (conference / visit / motorcade / private function / public appearance / mixed):
- Scale (number of attendees, public/private profile):
- Date(s) & duration:
- Location(s) / venue name:
- Protective objective stated in the plan-of-record:
Operational Authority
- Client / sponsor:
- Requesting party:
- Approving officer:
- Report reference (REF-YYYY-###):
02 · Venue & Geography
Physical environment as it existed on the day - plan vs. reality. → feeds §5 Event Overview, §7 Timeline, §8 Execution Assessment (Advance & Site Preparation).
Venue Profile
- [venue name - e.g. Grand Hyatt Conference Centre]
- Address / coordinates:
- Venue type (hotel / arena / office / outdoor / mixed):
- Capacity / scale relevant to operation:
- Advance survey source (pre-event assessment ref):
- Actual vs. surveyed condition: [Match / Deviation - describe]
- Notes / tool output:
Ingress & Egress Points
- [access point - e.g. VIP entrance, north service bay]
- Plan-of-record designation:
- Actually used: [Yes / No / Modified]
- Control measures in place:
- Deviation or incident ref:
- Notes:
Restricted / Secure Zones
- [zone name]
- Plan designation:
- Actual perimeter as established:
- Breach / deviation:
- Notes:
Geospatial Records
- Map / site-plan reference:
- Drone / aerial imagery (pre-event):
- Google Maps / satellite imagery capture:
- Capture date / URL / hash:
03 · Routes & Movement
Every leg of the principal’s movement reconstructed against the plan. Clone the block per leg. → feeds §7 Timeline, §8 Execution Assessment (Movement & Transport), §9 Incidents & Deviations Register.
Route / Movement Leg
Clone this block per leg. → §7 Timeline, §8 Movement & Transport.
- [Leg ID - e.g. Leg-1: Hotel → Venue main entrance]
- Planned departure time:
- Actual departure time:
- Planned arrival time:
- Actual arrival time:
- Variance (minutes):
- Route taken (road names / waypoints):
- Planned vs. actual route: [On-plan / Deviation - describe]
- Vehicle / transport used:
- Escort composition:
- Deviation trigger (if any):
- Incident cross-ref (§9):
- Source basis (vehicle log / GPS data / comms):
- Notes / tool output:
- [Leg-2]
Transport Assets Used
- [vehicle ID / registration]
- Type / spec:
- Serviceability record:
- Driver:
- Issues noted:
Movement Control Documentation
- Advance route survey ref:
- Alternate routes documented: [Yes / No]
- Route deviation trigger was:
04 · Threat Actors & Persons of Interest
Individuals who materialised as threats, disruptions, or persons of concern during the event. Clone per individual. → feeds §9 Incidents & Deviations Register, §14 Red Flag / Systemic-Risk Indicators.
Threat Individual / POI
Clone this block per individual identified. → §9, §14.
- [POI identifier - e.g. Male in grey jacket, timestamp 14:32]
- Observed behaviour:
- Location at time of observation:
- Confirmed / assessed threat level:
- Action taken by detail:
- Footage / imagery ref:
- Reported to LE / venue security: [Yes / No]
- Outcome / disposition:
- Attribution confidence: [Confirmed / Probable / Possible]
- Notes / tool output:
- [POI-2]
Pre-event Threat Warnings (materialised)
- [warning ref from OSINT-046 pre-event assessment]
- Assessed level pre-event:
- Did it materialise: [Yes / No / Partial]
- How it manifested:
- Notes:
05 · Threat Landscape - Prior Incidents & Context
Historical event incidents and online intelligence that contextualise the threats in effect. → feeds §5 Event Overview & Operating Parameters (Threat Context), §14 Red Flag / Systemic-Risk Indicators.
Relevant Prior Incidents (same principal / similar events)
- [incident ref]
- Date / location:
- Nature:
- Relevance to current after-action:
- Source grade:
Threat Context Active During Event
- Threat level (from pre-event assessment OSINT-046):
- Known threat actors relevant to principal:
- Open-source chatter / social-media monitoring active: [Yes / No]
- Tool / platform used:
- Findings:
- Notes:
Pre-Event Intelligence Product
- OSINT-046 Event Threat & Risk Assessment ref:
- Assessed risk level:
- Key threat scenarios identified pre-event:
- Which materialised:
- Which did not:
06 · Vulnerabilities & Attack Surface (Observed During Event)
Gaps in the protective posture observed during the operation - feeding deficiencies register and root-cause analysis. → feeds §11 Deficiencies & Gaps, §12 Root-Cause Analysis, §14 Red Flag / Systemic-Risk Indicators.
Observed Vulnerabilities
Clone per observed gap. → §11, §12.
- [vulnerability ref - e.g. V-1: unscreened service entrance used by catering staff]
- Function affected (§8 category):
- Observed at (time / location):
- How it was identified:
- Consequence (actual or potential):
- Was it flagged in pre-event assessment: [Yes / No / Partial]
- Deficiency cross-ref (§11):
- Notes:
- [V-2]
Silent / Masked Control Failures
- [control that appeared to function but was actually ineffective]:
- Detection method:
- Evidence basis:
Systemic vs One-Off Assessment
- [item]: Systemic / One-off / Undetermined
- Basis:
07 · Local Environment - Security, Medical & Infrastructure
External partners, local authority engagement, venue infrastructure, and medical posture as executed. → feeds §5 Event Overview, §8 Execution Assessment (Medical & Emergency / Liaison).
Law-Enforcement Liaison
- [LE agency / contact]
- Pre-event coordination:
- On-day presence: [Yes / No / Partial]
- Response to incidents:
- Assessment: [Effective / Effective-with-exceptions / Deficient]
- Notes:
Venue Security Coordination
- [venue security contact]
- Pre-event briefing provided: [Yes / No]
- Cooperation on day:
- Issues / deviations:
- Notes:
Medical / Emergency Readiness
- Medical cover type (standby medic / hospital route / first-aider only):
- Medical assets on site:
- Hospital route pre-identified: [Yes / No / Address:]
- Medical activation required: [Yes / No - if yes, describe:]
- Medical records / debrief:
Venue Infrastructure
- Communications infrastructure (radio coverage, dead zones):
- Power / lighting contingency:
- Evacuation route confirmed and used: [Yes / No]
Vendors / Third Parties
- [vendor / third party]
- Service provided:
- Vetted pre-event: [Yes / No]
- Performance:
- Issues:
08 · Digital & Social Signals
Open-source digital intelligence active before, during, and immediately after the event - chatter, leaks, coverage. → feeds §5 Threat Context, §14 Red Flag / Systemic-Risk Indicators.
Social Media - Pre-Event & During-Event Chatter
- [platform - e.g. X / Telegram / Instagram]
- Monitoring tool used:
- Keywords / accounts monitored:
- Relevant posts / signals found:
- Timestamp range:
- Assessment:
- Notes / screenshots:
Event Photography / Live Coverage Exposure
- [platform / outlet]
- Principal visible: [Yes / No]
- Location / timing revealed:
- Coverage source (official / media / attendee):
- Risk implication:
Email / Communications Security (Operational)
- Operational comms channel used:
- Known interception risk or breach:
- Notes:
Threat-Relevant Open-Source Indicators
Clone per indicator. → §14 Red Flag / Systemic-Risk Indicators.
- [indicator - e.g. threatening post / leaked itinerary / doxxing attempt]
- Platform:
- Timestamp:
- Credibility assessed:
- Action taken:
- Attribution confidence: [Confirmed / Probable / Possible]
- Notes / tool output:
09 · Indicators & Warnings - Observed & Retrospective
Retrospective I&W: signals that were available before or during the event and which, with hindsight, should have triggered a response. → feeds §14 Red Flag / Systemic-Risk Indicators, §15 ACH, §12 Root-Cause Analysis.
Indicators Observed (and acted on)
Clone per indicator. → §14.
- [indicator ref - e.g. IW-1]
- Nature of signal:
- When observed:
- Who observed / reported:
- Action taken:
- Outcome:
- Notes:
- [IW-2]
Indicators Missed or Underweighted
- [indicator ref - e.g. IW-M1]
- Nature of signal:
- When available:
- Why not acted on (assessment):
- Root-cause category (people / process / equipment / information / coordination):
- Deficiency cross-ref (§11):
- Notes:
Warning Thresholds - Retrospective Assessment
- Were escalation thresholds documented pre-event: [Yes / No]
- Were thresholds triggered during event: [Yes / No / Should have been but were not]
- Gap identified:
10 · Sustainments - What Worked
Evidence base for §10 Sustainments. Collect positive-outcome records and enabling factors before the evaluation synthesis. → feeds §10 Sustainments (What Worked).
Sustainment Record
Clone per sustainment item. → §10.
- [sustainment ref - e.g. S-1: advance team established secure holding area 90 minutes before arrival]
- Function / phase:
- Enabling factor (why it worked):
- Evidence basis (log / footage / debrief):
- How to institutionalise:
- Source grade:
- Notes:
- [S-2]
Principal / Client Positive Feedback
- [feedback item]
- Source (verbal / written):
- Date captured:
11 · Deficiencies & Corrective-Action Collection
Evidence base for §11 Deficiencies, §12 Root-Cause Analysis, and §18 Corrective-Action Plan. Collect raw records before the evaluation synthesis.
Deficiency Record
Clone per deficiency. → §11, §12, §18.
- [deficiency ref - e.g. D-1: access-control screening lane abandoned 12 minutes before principal arrival]
- Function / phase:
- Observed consequence (actual):
- Potential consequence (worst-case):
- Incident cross-ref (§9):
- Evidence basis (footage ref / log / witness):
- Root-cause category (people / process / equipment / information / coordination / external):
- Was a written procedure in place: [Yes / No / Unclear]
- Corrective action proposed:
- Owner:
- Target date:
- Notes:
- [D-2]
Corrective-Action Register (running)
Track items before they are formalised in §18.
- [CA-1: corrective action item]
- Linked deficiency:
- Owner:
- Target date:
- Verification of closure:
12 · Reconstruction Evidence - Source Records
The primary evidentiary layer: records and interviews used to reconstruct the timeline. Every reconstructed fact in §13 must trace to a record here. → feeds §13 Verified Reconstruction Summary, §19 Annex A Sources & Methodology.
Footage & CCTV Records
- [footage ref - e.g. CCTV-01: venue north entrance cam, 12:00–18:00]
- Source / custodian:
- Date / time range:
- Lawful basis for access:
- Chain of custody:
- Key frames / timestamps of relevance:
- Reliability (A–F):
- Notes:
Radio / Comms Logs
- [log ref]
- System / channel:
- Time range:
- Custodian:
- Key transmissions relevant to reconstruction:
- Reliability (A–F):
- Notes:
Written Logs & Shift Notes
- [log ref]
- Author / function:
- Date / time range:
- Completeness:
- Discrepancies vs. other records:
Movement / Vehicle Logs
- [log ref]
- Vehicle ID:
- Driver:
- GPS data available: [Yes / No]
- Timestamps:
Interviews / Debriefs
Clone per interviewee. All interviews under informed consent for after-action purposes.
- [interviewee ref - e.g. INT-01: Team Leader, Close Protection]
- Role:
- Date of debrief:
- Consent recorded: [Yes / No]
- Key points:
- Reliability (A–F):
- Corroborated by:
- Notes:
- [INT-02]
Written Incident Reports
- [report ref]
- Author / function:
- Incident ID cross-ref (§9):
- Received: [Yes / No]
- Notes:
99 · Collection Admin
Working register - not a deliverable section, but the audit trail and administrative record behind the after-action report. → feeds §19 Annex A Sources & Methodology, Appendices C and D.
Source Register
Every material datum traceable to a graded source. Admiralty two-axis code.
- [S-1 - source description]
- Type: [Primary / Secondary / Tertiary]
- Reliability (A–F):
- Credibility (1–6):
- Date accessed / received:
- Custodian / location:
- Notes:
- [S-2]
Evidence Archive
Pointer to the evidence package held in Appendix D of the deliverable.
- [exhibit ref - e.g. EX-001: screenshot / log extract / footage clip]
- Hash (SHA-256):
- URL / file path:
- Timestamp of capture:
- Lawful basis / data-protection note:
Chain-of-Custody Log
- [record transferred / received]
- From:
- To:
- Date:
- Method:
Privilege / Work-Product Flag
- Litigation / claim risk identified: [Yes / No]
- If yes, flagged to counsel on:
- Litigation-hold in place: [Yes / No]
Data-Protection & Retention
- GDPR / CCPA applicability:
- Retention period per client policy:
- Scheduled destruction / anonymisation date:
Open Gaps / Verification Pending
- [item - e.g. footage from venue NW camera not yet obtained] → §17 gap ref
- [item - e.g. three detail members not yet interviewed]
RFI Log
- [RFI-01: description]
- Submitted to:
- Date submitted:
- Status: [Open / Answered / Closed]
- Response:
Review & Version Control
- Draft issued:
- Reviewed by:
- Approved by:
- Distribution list: