[SITE / LOCATION / ROUTE] - Collection Map

OSINT-049 Reconnaissance / Recce Report - collection workspace. Central topic = the site, facility, or route being recceed. Branches = physical-intelligence data categories aligned to the OCOKA-based analytic framework. Drop each collected observation as a child node; expand it with vantage point, timestamp, and source. Paste raw tool output or field notes into the node’s Notes. → feeds deliverable OSINT-049.

00 · Collection Plan - PIRs & EEIs

The questions this recce collection must answer. Tick each EEI as satisfied. Maps directly to the PIR register in §4 and the Key Judgments in §3.

PIR-1 - Route & Access Viability

→ §7 Route & Movement Analysis

  • EEI: primary route driven and assessed (road condition, lanes, chokepoints)
  • EEI: alternate route(s) driven and assessed
  • EEI: travel times logged (best-case / worst-case / most-likely)
  • EEI: divert and escape-route options identified per leg
  • EEI: ambush-favourable segments identified (slow zones, blind approaches)
  • EEI: security-force checkpoints on route (type, density, shift pattern)

PIR-2 - Site Perimeter & Access Control

→ §9 Perimeter, Access & Egress Points

  • EEI: perimeter boundary mapped (fencing type/height, walls, gates, barriers)
  • EEI: all entry/exit points inventoried and scored
  • EEI: access-control methods observed (guards, locks, card readers, intercoms)
  • EEI: CCTV/surveillance coverage arcs and blind spots identified
  • EEI: lighting levels and dark zones logged per perimeter segment

PIR-3 - Egress & Emergency Exit

→ §9 Perimeter, Access & Egress Points; §10 Internal Layout & Key Zones

  • EEI: vehicle egress routes from site confirmed (obstructed / clear / conditional)
  • EEI: foot-egress paths from building interior to perimeter confirmed
  • EEI: emergency exits present, accessible, and unobstructed
  • EEI: alternative egress confirmed if primary is blocked

PIR-4 - Observation & Overwatch

→ §11 Observation, Cover & Concealment

  • EEI: all vantage positions overlooking site and approaches inventoried
  • EEI: each position assessed for exploitability by hostile observer
  • EEI: client control of dominant vantage positions assessed
  • EEI: public vs. private vs. restricted status of each overwatch position noted

PIR-5 - Cover, Concealment & Defilade

→ §11 Observation, Cover & Concealment

  • EEI: cover/concealment on all approach directions mapped
  • EEI: concealed approach routes for a hostile actor identified
  • EEI: defilade positions available to client’s security team logged

PIR-6 - Communications & Technical Environment

→ §12 Communications & Technical Environment

  • EEI: cellular coverage by carrier and signal strength at key zones
  • EEI: Wi-Fi networks visible and SIGINT exposure assessed
  • EEI: GPS/GNSS reception quality (especially inside building and urban canyon)
  • EEI: backup power observed (generator / UPS / visible fuel)
  • EEI: any signs of jamming, intercept, or technical surveillance equipment

PIR-7 - Security Forces, Personnel & Local Population

→ §13 Security Forces, Personnel & Local Population Patterns

  • EEI: private security type, density, posture, shift timing observed
  • EEI: police/military presence, patrol pattern, checkpoint locations noted
  • EEI: local population density, activity pattern, and attitude assessed
  • EEI: emergency services accessibility and reliability assessed
  • EEI: known protest/crime/disorder hotspots in AOI identified

PIR-8 - Internal Layout & Key Zones

→ §10 Internal Layout & Key Zones

  • EEI: room/zone inventory (access level, floor, function) logged
  • EEI: communications dead zones inside building confirmed
  • EEI: safe rooms / secure areas / command-comms rooms located
  • EEI: emergency egress paths per floor/zone confirmed
  • EEI: visual and acoustic privacy of key meeting/command zones assessed

PIR-9 - Threat & Risk Factors at Location

→ §14 Threat / Risk Factors at the Recce Location

  • EEI: violent/acquisitive crime incidents at or near site (recent history)
  • EEI: terrorism/extremist activity indicators at or near site
  • EEI: civil unrest/protest flashpoints within AOI distance
  • EEI: natural/seasonal hazards affecting access and egress
  • EEI: health/environmental hazards (industrial, CBRN, disease) observable

Collection gaps / RFIs (running)

Route to §20 Collection Gaps & RFIs in the deliverable.

  • [open item] → route to [additional recce pass / interior access / night recce / imagery update / HUMINT]
  • [open item]

01 · Principal / Protectee or Event Detail

The operational context anchor - who or what this recce is supporting. Without this context, OCOKA has no threat lens. → feeds §2 Executive Summary & Scope; §5 Recce Framing, Taxonomy & Methodology.

Operational context

  • Mission / operation type:
  • Planned operational date(s):
  • Principal / protectee (if protective advance):
  • Event or activity supported:
  • Client threat / risk lens:
  • Recce objective (one sentence):

Scope boundaries

Recce execution log

  • Recce type: [Overt / Discreet / Remote/Imagery-only / Mixed]
  • Recce date(s) and time(s):
  • Number of passes:
  • Vantage points occupied:
  • Interior access achieved: [Y / N / Partial - specify]
  • Weather and visibility conditions:
  • Recce team composition:

02 · Venue & Geography - Area / Location Overview

Broad environmental context of the AOI - urban character, land use, road network, pedestrian patterns. Collected from the AOI sweep and geospatial sources. → feeds §6 Area / Location Overview.

AOI definition

  • AOI name / geographic descriptor:
  • AOI boundary (coordinates or street boundary):
  • AO / site address + coordinates:
  • Buffer zone assessed (radius from site):

Urban character

Sources: Google Maps/Street View, OpenStreetMap, satellite imagery (Google Earth / Sentinel / Maxar), local planning portals.

  • Urban density & land use:
  • Building typology (heights, materials, setbacks):
  • Road network pattern:
  • Traffic density (peak / off-peak):
  • Pedestrian & street-level activity patterns:
  • Lighting & visibility (day / night):
  • Vegetation / green cover (seasonal change):
  • Distinctive features (water, rail, elevation, construction):

Area baseline imagery record

Log each imagery source with as-of date and resolution - age is operationally significant.

  • [imagery source - e.g. Google Earth historical]
    • As-of date:
    • Resolution / provider:
    • Coverage gaps:
    • Notes / tool output:
  • [imagery source 2]

03 · Routes & Movement

Per-leg assessment of all movement corridors. Clone the route-leg block per leg. → feeds §7 Route & Movement Analysis; Appendix C.

Route legs

Sources: Google Maps / Apple Maps routing, OpenStreetMap, Waze, local mapping portals, satellite/street imagery, driven observation.

  • [Route leg - e.g. R1: Hotel → Site primary]
    • From → To:
    • Distance / estimated time (best / worst / likely):
    • Road surface and condition:
    • Lane width and shoulder:
    • Traffic pattern (peak / off-peak congestion):
    • Chokepoints (bridges / tunnels / roundabouts / market areas / narrow):
    • Security-force posts / checkpoints on leg:
    • Ambush-favourable segments (slow zones, limited cover, no divert):
    • Divert and escape-route options:
    • OCOKA route factors (obs/fields of fire / cover / obstacles / key terrain / avenues of approach):
    • Viability: [FAVOURABLE / CONDITIONAL / UNFAVOURABLE]
    • Confidence: [H / M / L]
    • Notes / tool output:
  • [Route leg R2 - alternate]
  • [Route leg R3 - emergency divert]

Chokepoints register

Seed one block per chokepoint; clone per instance. Tool hint: Google Maps traffic layer, Waze live, local OSM data.

  • [chokepoint - e.g. CP1: bridge at X Street]
    • Coordinates:
    • Chokepoint type: [bridge / tunnel / market / checkpoint / narrow / roundabout]
    • Mitigation / divert option:
    • Severity to movement plan: [Crit / High / Mod / Low]
    • Notes / tool output:
  • [chokepoint CP2]

04 · Threat Actors & Persons of Interest

Specific threat actors, hostile-intent indicators, and known POIs relevant to this site or route. Distinct from the broader threat landscape (§05). → feeds §14 Threat / Risk Factors at the Recce Location; §17 Red Flag / Notable Observations.

Threat actors (site-specific)

Sources: local media, social media monitoring, country risk products (OSINT-031-country-risk-assessment), law enforcement liaison (where available), HUMINT.

  • [threat actor or group - e.g. TA1: local criminal gang operating in the AOI]
    • Actor type: [criminal / extremist / protest group / hostile state actor / corrupt official / other]
    • Known area of operation:
    • MO relevant to this site/route:
    • Recent activity / incidents:
    • Targeting indicators:
    • Confidence: [Confirmed / Probable / Possible]
    • Notes / tool output:
  • [threat actor TA2]

Persons of interest observed during recce

Any individual whose behaviour during the recce warranted note.

  • [POI-1 - e.g. person photographing perimeter during recce]
    • Description:
    • Location / time:
    • Behaviour observed:
    • Assessment: [Hostile / Suspicious / Ambiguous / Benign]
    • Disposition:
    • Notes / tool output:
  • [POI-2]

05 · Threat Landscape - Incidents, History & Online Chatter

Dynamic threat and risk factors for this specific site, neighbourhood, and AOI - the local expression of country-level threats. Not a repetition of the Country Risk Assessment but a localisation of it. → feeds §14 Threat / Risk Factors at the Recce Location; §3 Key Judgments.

Incident history at / near site

Sources: local news search (Google News, local media), ACLED, GDELT, OSM notes, social media, country risk products.

  • [incident - e.g. armed robbery at adjacent ATM, 2024-11]
    • Incident type: [crime / terrorism / protest / civil unrest / natural hazard / health]
    • Date / frequency:
    • Location relative to site:
    • Impact on operational plan:
    • Source grade (A–F / 1–6):
    • Notes / tool output:
  • [incident 2]

Online chatter / social media signals

Sources: Twitter/X search (location-tagged), Telegram local channels, Facebook groups, Reddit, local forums.

  • [signal - e.g. protest planned near site on operational date]
    • Platform / source:
    • Date observed:
    • Credibility assessment:
    • Notes / tool output:
  • [signal 2]

Threat / risk factor matrix (collection placeholder)

Rate each factor after collection; carry completed ratings into §14.

  • Crime (violent/acquisitive in immediate area): likelihood / impact
  • Terrorism / extremist activity (local targeting): likelihood / impact
  • Civil unrest / protest / disorder (proximity to flashpoints): likelihood / impact
  • Conflict spillover / crossfire (if near contested zone): likelihood / impact
  • Natural hazard / seasonal (flood/storm/heat affecting access): likelihood / impact
  • Health / environmental hazard (industrial/CBRN/disease): likelihood / impact

06 · Vulnerabilities & Attack Surface

Physical vulnerabilities at the site and on routes - the synthesis of perimeter, access, observation, and concealment observations into an operationally ranked finding set. Feeds the §15 Consolidated Findings Register and §16 Key Findings Summary. Clone the finding block per observation.

Perimeter & access-point vulnerabilities

→ §9 Perimeter, Access & Egress Points; Appendix D.

  • [access point - e.g. A1: main vehicle gate, north side]
    • Location / coordinates:
    • Type: [main gate / vehicle entrance / pedestrian door / service door / emergency exit / rooftop / tunnel / other]
    • Physical barrier:
    • Access-control method:
    • Surveillance coverage:
    • Lighting level:
    • Vulnerability scores - forced entry (1–5):
    • Vulnerability scores - covert/unobserved approach (1–5):
    • Vulnerability scores - social-engineering/impersonation (1–5):
    • Vulnerability scores - denial/blocking of egress (1–5):
    • Overwatch / observation from (which O position):
    • Severity: [Crit / High / Mod / Low / Info]
    • Confidence: [H / M / L]
    • Notes / tool output:
  • [access point A2]

Observation & overwatch vulnerabilities

→ §11 Observation, Cover & Concealment; Appendix E.

  • [observation position - e.g. O1: rooftop at 42 X Street, 80 m north]
    • Position type: [rooftop / window / balcony / park / vehicle / elevated ground / other]
    • Coordinates / location:
    • Vantage of which site points:
    • Distance from site:
    • Public / Private / Restricted:
    • Client-controlled: [Y / N / Unknown]
    • Exploitability for hostile observer:
    • Cover/concealment quality for observer:
    • Severity: [Crit / High / Mod / Low / Info]
    • Confidence: [H / M / L]
    • Notes / tool output:
  • [observation position O2]

Cover & concealment on approaches

  • [approach direction - e.g. north approach via X Street]
    • Cover/concealment for approaching person:
    • Cover/concealment for approaching vehicle:
    • Overlooked from which O positions:
    • Client’s ability to observe the approach:
    • Assessment:
    • Confidence: [H / M / L]
    • Notes / tool output:
  • [approach direction 2]

07 · Local Environment - Security, Medical & Infrastructure

The human and physical support environment - what can be relied on locally for response, medical, utilities, and logistics. → feeds §12 Communications & Technical Environment; §13 Security Forces, Personnel & Local Population Patterns; §21 Recommendations.

Security forces & checkpoints

Sources: overt observation during recce, local media, country risk products, OSINT on unit deployments.

  • [security element - e.g. SE1: police post, 200 m south on X Street]
    • Type: [private security / police / military / traffic police / neighbourhood watch]
    • Location:
    • Density / pattern:
    • Shift change timing (observed):
    • Professionalism / alertness assessment:
    • Operational relevance:
    • Confidence: [H / M / L]
    • Notes / tool output:
  • [security element SE2]

Emergency services

  • Police response (nearest station, estimated response time):
  • Ambulance / medical (nearest facility, estimated response time):
  • Fire service (nearest station, estimated response time):
  • Hospital / trauma centre (distance / capability level):
  • Medical dead zones / access constraints:

Communications & technical environment

Sources: field signal test (carriers), Opensignal/GSMA coverage maps, WiGLE (Wi-Fi), local infrastructure assessments.

  • Cellular coverage (carriers / signal / 4G/5G per zone):
  • Wi-Fi / visible networks (SIGINT exposure):
  • Landline / fixed connectivity:
  • VHF/UHF radio environment (if relevant):
  • GPS/GNSS reception quality:
  • Backup power observed (generator / UPS / visible fuel):
  • Signs of technical surveillance / jamming equipment:
  • Mains power reliability (known outages / brownouts):

Utility & infrastructure resilience

  • Power supply reliability:
  • Water supply:
  • Road passability in adverse conditions:
  • Seasonal / weather constraints on access:

08 · Digital & Social Signals

Open-source digital signals relevant to the site, its surroundings, or the operational window - social media, local chatter, imagery currency, geospatial intelligence, and any technical-environment indicators detectable from open sources. → feeds §12 Communications & Technical Environment; §14 Threat / Risk Factors; §5 Recce Framing.

Geospatial & imagery sources

Seed one block per source; clone per additional layer.

  • [geospatial source - e.g. Sentinel-2 satellite imagery]
    • Provider / layer:
    • As-of date:
    • Resolution:
    • What it reveals:
    • Coverage gaps:
    • Notes / tool output: ← Google Earth, Maxar, Planet Labs, Sentinel Hub, OpenAerialMap
  • [geospatial source 2]

Social media monitoring (location-tagged)

Tool hint: Twitter/X advanced search (geocode), Telegram OSINT bots, CrowdTangle, Google Alerts.

  • [platform + search query - e.g. Twitter/X geocode search within 1 km of site]
    • Query used:
    • Date range sampled:
    • Relevant signals found:
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Notes / tool output:
  • [platform 2]

Domain / infrastructure signals (if site has digital presence)

Tool hint: whois, crt.sh, Shodan, Censys, SecurityTrails.

  • [domain or IP associated with site / entity]
    • Registrant / WHOIS:
    • Hosting / IP:
    • Certificates / subdomains:
    • Notes / tool output: ← whois, crt.sh, Shodan, Censys
  • [domain 2]

09 · Indicators & Warnings

Specific observable indicators that would signal a change in the physical environment, security posture, or threat level before or during the operational window. Distinct from the broader threat landscape - these are the tripwires. → feeds §17 Red Flag / Notable Observations; §19 Key Assumptions Check; §21 Recommendations.

Environmental change indicators

What changes in the physical environment would invalidate this recce’s findings?

  • [indicator - e.g. construction commences at site perimeter]
    • Indicator type: [construction / renovation / security-posture change / access denial / route closure / seasonal change]
    • Observable via: [imagery re-check / local media / social media / physical re-pass]
    • Threshold / trigger:
    • Action if triggered: [re-commission recce / update §9 / escalate to client]
    • Notes / tool output:
  • [indicator 2]

Threat escalation indicators

What signals would indicate the threat level at the site has changed?

  • [indicator - e.g. protest activity observed within 500 m of site on operational day]
    • Indicator type: [crime spike / extremist communique / protest announcement / conflict escalation / hostile surveillance detected]
    • Observable via:
    • Threshold / trigger:
    • Action if triggered:
    • Notes / tool output:
  • [indicator 2]

Red flag observations (from recce)

Any observation that warrants immediate attention - safety, hostile activity, legal/crime-in-progress, data-privacy. → §17 Red Flag / Notable Observations.

  • [red flag - e.g. person photographing perimeter from concealed position]
    • Flag type: [Safety / Hostile activity / Legal / Data-privacy / Other]
    • Location / time:
    • Severity: [Crit / High / Mod]
    • Evidentiary basis:
    • Disposition taken:
    • Status: [Open / Closed / Referred]
    • Notes / tool output:
  • [red flag 2]

ACH / KAC collection needs

Items needed to complete the §18 ACH and §19 KAC.

  • Competing hypothesis 1 (site viable as planned) - evidence required:
  • Competing hypothesis 2 (site requires material change) - evidence required:
  • Linchpin assumption to validate (physical environment unchanged between recce and operational date):
  • Linchpin assumption (recce not detected / attributed to client):

99 · Collection Admin

Working register - not a deliverable section, but the audit trail behind it. → feeds §22 Annex A Sources & Methodology; §23 Annex B (Appendices A, C–K).

Source register

Every material datum traceable to a graded source. Admiralty two-axis: Reliability A–F / Credibility 1–6.

  • [S-1 - source name / type]
    • Type: [Primary overt physical / Imagery / Geospatial / OSINT open-web / Local media / Country risk product / HUMINT / Technical survey]
    • Reliability (A–F):
    • Credibility (1–6):
    • Date accessed / recce date:
    • Coverage scope:
    • Limitations / caveats:
  • [S-2]
  • [S-3]

Evidence archive

Each captured item: reference, hash, URL or file path, timestamp, chain of custody.

  • [E-1 - screenshot / photograph / video / file ref]
    • Hash (SHA-256):
    • Source URL or file path:
    • Timestamp:
    • Linked finding / section:
  • [E-2]

Appendix cross-reference

  • Appendix A - Recce Plan & Execution Log: [complete / pending]
  • Appendix B - Photographic & Video Baseline: [complete / pending]
  • Appendix C - Route Analysis & Profiles: [complete / pending]
  • Appendix D - Perimeter & Access Point Register: [complete / pending]
  • Appendix E - Observation / Overwatch Position Register: [complete / pending]
  • Appendix F - Internal Layout Diagrams: [complete / pending / not accessed]
  • Appendix G - Communications Survey Log: [complete / pending]
  • Appendix H - Security Forces & Population Observation Log: [complete / pending]
  • Appendix I - Consolidated Findings Register: [complete / pending]
  • Appendix J - Map Overlays & Geospatial Data: [complete / pending]
  • Appendix K - Full Source Register: [complete / pending]

Open gaps / verification pending

Mirror §20 Collection Gaps & RFIs in the deliverable.

  • [gap - area or vantage not accessed] - impact: - recommended collection: - priority: [H/M/L]
  • [gap - route leg not driven] - impact: - recommended collection: - priority: [H/M/L]
  • [gap - interior not entered] - impact: - recommended collection: - priority: [H/M/L]
  • [gap - night / off-hours pass not conducted] - impact: - recommended collection: - priority: [H/M/L]
  • [gap - security-force shift change not confirmed] - impact: - recommended collection: - priority: [H/M/L]

Downstream product routing