[SITE / PRINCIPAL / OPERATION] - Collection Map
OSINT-050 Hostile Surveillance Vulnerability Assessment - collection workspace. Central topic = the asset under assessment (site, principal, or operation). Branches = data-point categories for each surveillance domain. Drop each collected value as a child node; expand it with where it was found. Paste raw tool output into the node’s Notes. → feeds deliverable OSINT-050.
00 · Collection Plan - PIRs & EEIs
The questions this collection must answer + essential elements of information (EEI) for each. Tick as satisfied. → drives §3 Key Judgments, §4 PIRs, §12 Vulnerability Register, §13 Verified Findings, §17 Collection Gaps.
PIR-1 - Static Exposure: What are the most accessible, least observable surveillance positions from which to observe the asset?
- EEI: all public vantage points with sightlines to asset perimeter or principal access/egress
- EEI: vehicular/pedestrian concealment opportunities at each observation position
- EEI: duration feasibility and access/egress risk for each identified position
- EEI: coverage percentage of asset observable from each position
PIR-2 - Movement Predictability: What predictable, exploitable movement patterns (temporal, route, behavioural) does the asset exhibit?
- EEI: all routine routes (origin, destination, mode, frequency, timing)
- EEI: choke points, predictable slow-down points, and single-access segments per route
- EEI: timing predictability for each route / movement pattern
- EEI: ability of the asset to conduct surveillance-detection routes (SDR / dry-cleaning)
PIR-3 - Digital Footprint: What information about the asset (location, routine, security posture) is discoverable from open sources?
- EEI: address / location discoverability via property records, social media, open web
- EEI: routine / schedule / calendar indicators discoverable from OSINT
- EEI: vehicle(s), staff, household members identifiable from open sources
- EEI: security posture indicators discoverable (CCTV visible, guard force visible, physical barriers)
PIR-4 - Technical Surface: What RF/communications, GPS-tracking, and aerial surveillance vectors exist?
- EEI: wireless signals detectable from public space (Wi-Fi SSIDs, Bluetooth beacons, cellular)
- EEI: vehicle tracker placement points and access difficulty
- EEI: airspace restrictions (no-fly zones) and drone detection capability
- EEI: asset vertical-aspect exposure (roof / open courtyard / unshielded approaches)
PIR-5 - Human / Insider: What access population presents a co-optable insider surveillance vector?
- EEI: all categories with unescorted or 24/7 access (staff, vendors, building management)
- EEI: vetting / background-screening status per access category
- EEI: leverage-risk indicators per access category (financial stress, ideological, coercible)
PIR-6 - Counter-Surveillance Readiness: What are the existing counter-surveillance measures and their effectiveness?
- EEI: dedicated countersurveillance team / function present and trained?
- EEI: CCTV / analytics configured for surveillance detection (not just access control)
- EEI: TSCM programme cadence and currency
- EEI: suspicious-activity incident-reporting protocol in place?
Collection gaps / RFIs (running)
- [open item] → route to [product / method]
- [open item]
01 · Principal / Protectee or Asset Detail
Establish the identity and characterisation of the asset under assessment - site, principal, or operation. Baseline used throughout all domain branches. → feeds §5 Asset Characterisation & Protective Posture Baseline, §2 Executive Summary (Asset Overview).
Asset identification
- Asset name / designation:
- Asset type: [Fixed site / residence / event / principal-movement / operation]
- Location / address / coordinates:
- Surrounding environment: [Urban high / Urban medium / Suburban / Rural / Industrial / Mixed]
- Public-access proximity (nearest public right-of-way, metres):
- Hours of operation / occupancy window:
- Assessment trigger / purpose: [Periodic review / event preparation / threat-received / insurance / due diligence]
Principal / protectee (if applicable)
- Principal name / designation:
- Role / status:
- Residence type:
- Movement profile (predictability): [High / Medium / Low]
- Security detail presence: [Yes / No / Partial]
- Prior surveillance / security incidents:
- Notes / background:
Protective posture baseline
- Perimeter security: [Fence / wall / bollards / natural barriers / none identified]
- Access control: [Gate / guard / electronic / key-card / biometric / none]
- Surveillance detection (technical): [CCTV / analytics / radar / LPR / none]
- Surveillance detection (human): [Guard force / CP / countersurveillance / none]
- Lighting: [Perimeter / motion-activated / IR / blind spots:]
- COMSEC / OPSEC posture:
- Personnel security / insider controls: [Vetting / access logging / separation-of-duties / none]
- Digital footprint management: [Address opacity / social-media discipline / none]
Historical surveillance / reconnaissance incidents
- [incident - date + description]:
- Relation to current assessment:
- Source grade:
02 · Venue & Geography - Site, Layout, Ingress / Egress
Physical environment of the asset - structure, perimeter, sightlines, surrounding land use. Feeds the observation-position survey and vulnerability analysis. → feeds §5 Asset Characterisation, §6 Physical / Static-Position Surveillance Vulnerability, Annex B Site Diagram.
Site / property characterisation
- Property footprint / dimensions:
- Building configuration / floor plan (unclassified):
- Perimeter type and integrity:
- Entry / exit points (count + control level):
- Blind spots or dead-ground areas:
Surrounding land-use survey
- [land parcel / adjacent property - e.g. parking structure north]
- Land use: [commercial / residential / public / vacant / transport]
- Distance to asset (metres):
- Sightline quality to asset: [Direct / Partial / None]
- Public accessibility: [Open / restricted / private]
- Notes:
- [parcel 2]
Satellite / aerial imagery analysis
- [imagery source - e.g. Google Earth, Bing Maps, Maxar]
- Date of imagery:
- Coverage: [Full perimeter / partial]
- Roof / vertical-aspect exposure: [Open / partially covered / screened]
- Notes / tool output: ← Google Earth Pro, SentinelHub, Maxar SecureWatch
Ingress / egress points
- [entry point - e.g. Main gate / rear service entrance]
- Control level: [Guarded / electronic / open]
- Visibility from public space: [High / Medium / Low]
- Chokepoint risk: [Yes / No]
03 · Routes & Movement
Catalog predictable movements of the asset. Each route is its own clonable block - duplicate per route. → feeds §7 Movement & Route Surveillance Vulnerability, Annex C Route Diagram.
Routes / movement legs
- [Route ID - e.g. R-1: Residence → Primary Office]
- Origin:
- Destination:
- Frequency:
- Typical duration:
- Timing predictability: [High / Medium / Low]
- Mode(s) of transport: [Vehicle / foot / air / mixed]
- Choke points / predictable segments:
- Counter-surveillance route (alternate available): [Yes / No]
- Notes / tool output: ← Google Maps route analysis, street-view survey, mapping tools
- [Route ID - R-2]
Route-segment vulnerability (per route)
- [Route R-1 - Departure segment]
- Observable from public space: [Y / N]
- Observation positions (static / mobile):
- Concealment for mobile surveillance:
- Counter-surveillance difficulty: [Low / Med / High]
- Source grade:
- [Route R-1 - Transit segment A]
- Observable from public space:
- Observation positions:
- Concealment for mobile surveillance:
- Counter-surveillance difficulty:
- Source grade:
- [Route R-1 - Arrival segment]
Mobile-surveillance detection environment
- Traffic density on route: [Heavy / Moderate / Light / Variable]
- Route complexity / alternates available:
- Ability to conduct SDR / dry-cleaning:
- Typical vehicle mix / anonymity:
- Aerial / drone surveillance risk along route:
04 · Threat Actors & Persons of Interest
Entities that could realistically conduct hostile surveillance against this asset - adversary types, not specific named actors (unless a named actor context exists from a related OSINT-052 TAM). Feeds the threat-assumption layer for PIRs and ACH. → feeds §3 Key Judgments (threat-capability assumption), §15 ACH, §16 Key Assumptions.
Adversary-type inventory
- [adversary type - e.g. corporate competitor / organised crime / intimate partner / activist group]
- Generic surveillance capability assumed: [Basic / Intermediate / Advanced]
- Most plausible surveillance method: [Static / Mobile / Technical / Human / Digital]
- Motivation to target this asset: [High / Med / Low]
- Source grade:
- Notes / tool output: ← prior reporting, OSINT-052 TAM, client disclosure
- [adversary type 2]
Persons of concern (if any - from prior reporting or client disclosure)
- [name or designation]:
- Basis for concern:
- Known surveillance tradecraft / history:
- Source grade:
Threat-capability assumptions (Key Assumptions §16)
- Operator assumed to have: [generic static + mobile + technical surveillance tradecraft]
- Operator assumed resource level: [individual / small team / professional service]
- Operator assumed persistence / investment: [opportunistic / sustained / professional]
05 · Threat Landscape - Incidents, History, Online Chatter
Area security environment and any prior events or open-source chatter that contextualise surveillance risk for this asset. → feeds §2 Executive Summary (Assessment Trigger), §5 Asset Characterisation & Protective Posture Baseline (Known Historical Incidents), §14 Hostile Surveillance Indicators & Warning Matrix.
Area security environment
- Crime rate / security environment (locale):
- Known prior incidents at or near asset (publicly reported):
- Local news / open-source reporting on asset (adverse / security-related):
- Protest / demonstration activity in area:
Online chatter / social-media threat signals
- [platform / source - e.g. X, Telegram, local forum]
- Content / threat signal:
- Date observed:
- Credibility: [A–F / 1–6]
- Action taken:
- Notes / tool output: ← Social Search, CrowdTangle archives, Telegram monitoring tools
Prior hostile surveillance / reconnaissance incidents
- [incident]:
- Date:
- Method observed: [Static / Mobile / Technical / Human]
- Outcome:
- Relation to current assessment:
06 · Vulnerabilities & Attack Surface
Synthesised vulnerability findings across all domains - observation positions, route segments, technical surfaces, access population. This branch collects the raw findings that feed §12 Vulnerability Register & Risk Scoring. → feeds §6 Static, §7 Movement, §8 Technical, §9 Human, §10 Digital, §12 Vulnerability Register, §13 Verified Findings.
Observation-position survey (static vulnerability)
- [OP-ID - e.g. OP-1: Café terrace, 45 m north]
- Distance to asset (metres):
- Field of view (asset coverage %):
- Concealment type: [Natural / Structural / Vehicular / None]
- Duration feasibility: [Unattended / Short / Sustained]
- Access & egress detection risk: [Low / Med / High]
- Overall vulnerability: [Low / Med / High]
- Source grade:
- Notes:
- [OP-2]
Covert positioning / dump-site candidates
- [dump site - e.g. DS-1: electricity cabinet, perimeter wall]
- Concealment quality: [Low / Med / High]
- Access difficulty: [Low / Med / High]
- Device types suitable: [Camera / tracker / audio / data-skimmer / UGS]
- Detection risk: [Low / Med / High]
- Notes:
- [DS-2]
Technical / electronic intercept surface
- [signal type - e.g. Wi-Fi 2.4GHz SSID visible from street]
- Detectability from public space: [Y / N]
- Encryption / protection:
- Intercept difficulty: [Low / Med / High]
- Notes / tool output: ← Wigle.net (passive Wi-Fi mapping), OSINT RF enumeration
- [signal type 2]
GPS / tracker placement vulnerabilities
- [target - e.g. Primary vehicle]
- Placement points: [Exterior / undercarriage / interior / OBD port / fuel cap]
- Accessibility (unattended, public space):
- Detection difficulty (search posture):
- Notes:
- [target 2]
Drone / aerial exposure
- Airspace restrictions / no-fly zones: [None / restricted / prohibited]
- Drone detection / C-UAS capability: [None / passive / active]
- Typical civilian drone traffic (anonymity): [None / Low / Moderate / High]
- Asset exposure from vertical aspect: [Open / Partially covered / Fully covered]
Per-domain risk scoring (→ §12)
- [domain - e.g. Static-position surveillance]
- Vulnerability description:
- Likelihood (1–5):
- Impact (1–5):
- Score (L×I):
- Band: [Low / Moderate / Elevated / High / Critical]
- Priority:
- [domain - Movement / route]
- [domain - Technical / electronic]
- [domain - Human / insider]
- [domain - Digital footprint / information exposure]
07 · Local Environment - Security, Medical, LE, Infrastructure
The area-level environment that constrains or enables hostile surveillance and the asset’s response capability. → feeds §7 Mobile-Surveillance Detection Environment, §11 Counter-Surveillance Capability & Readiness, §18 Recommendations.
Law-enforcement / emergency services
- Nearest police station / response time (estimated):
- Nearest emergency services:
- Typical patrol density / visibility in area:
- Non-emergency reporting mechanisms / contacts:
Local surveillance / security infrastructure
- Public CCTV / ANPR coverage in immediate vicinity:
- Private CCTV visible on adjacent properties:
- Traffic camera / transport monitoring at key nodes:
Physical access / environmental factors
- Public transport nodes near asset:
- Parking / standing capacity near observation positions:
- Pedestrian traffic density (cover for static surveillance):
- Lighting conditions (night-time observation feasibility):
- Seasonal / weather factors affecting observation:
Medical / crisis support (for protective operations context)
- Nearest trauma-capable medical facility:
- Safe locations / refuge points on routes:
08 · Digital & Social Signals
Open-source information about the asset discoverable without physical presence - the digital-footprint vulnerability surface. → feeds §10 Digital-Footprint & Information-Exposure Vulnerability, Annex D Digital-Footprint Discovery Record.
Address / location discoverability
- [source - e.g. property records, Companies House, Google Maps street view]
- Information found:
- Surveillance value: [Direct targeting / Pattern-of-life baseline / Low]
- Mitigation in place:
- Source grade:
- Notes / tool output: ← WHOIS, OpenCorporates, local property registries, Google Maps
Routine / schedule / calendar exposure
- [source - e.g. principal’s social media, event listings, public calendar]
- Information found:
- Surveillance value:
- Notes / tool output: ← X/Twitter, Instagram, LinkedIn, Facebook, Google search
Vehicle / plate / asset exposure
- [source - e.g. social media photos, press coverage, vehicle registry / FOIA records]
- Vehicle description / plate (partial):
- Surveillance value:
- Notes / tool output:
Principal / family / staff exposure
- [source - e.g. LinkedIn, corporate website, social media]
- Information found (names, photos, roles):
- Surveillance value:
- Notes / tool output: ← LinkedIn, corporate bio pages, pipl.com, public records
Security posture indicators (visible)
- [source - e.g. Google Street View, social media photos, news imagery]
- Visible security measures (CCTV, guards, barriers):
- Surveillance value to adversary (map security gaps):
- Notes: ← Google Street View historical layers, Bing streetside
Real estate / property record exposure
- [source - e.g. land registry, county assessor, Zillow / Rightmove]
- Information found (ownership, layout imagery, floor plan):
- Surveillance value:
- Notes / tool output: ← HM Land Registry, county assessor, Zillow, CoStar
Social-media / open-web monitoring (ongoing collection)
- [platform / search term]
- Observation:
- Date:
- Relevance:
09 · Indicators & Warnings
Observable indicators that hostile surveillance may be underway or being prepared. Seeded from §14 I&W Matrix of the deliverable. Each indicator is a clonable block - duplicate per domain observation. → feeds §14 Hostile Surveillance Indicators & Warning Matrix, §11 Counter-Surveillance Readiness, §3 Key Judgments (change indicators).
Static-observation indicators
- [indicator - e.g. unknown vehicle parked at OP-1 with extended dwell time]
- Detection method:
- Potential false-flag / benign explanation:
- Action if confirmed:
- Date / time observed:
- Source grade:
- Notes / tool output:
- [indicator 2]
Mobile-surveillance indicators
- [indicator - e.g. same vehicle appears on multiple route legs (unlinked)]
- Detection method:
- Potential false-flag:
- Action if confirmed:
- Date / time observed:
- Notes / tool output:
- [indicator 2]
Technical-surveillance indicators
- [indicator - e.g. unknown Wi-Fi probe / rogue AP detected near perimeter]
- Detection method:
- Potential false-flag:
- Action if confirmed:
- Notes / tool output:
- [indicator 2]
Human / insider indicators
- [indicator - e.g. staff member photographing interior without authorisation]
- Detection method:
- Potential false-flag:
- Action if confirmed:
- Notes / tool output:
- [indicator 2]
Digital indicators
- [indicator - e.g. unusual volume of OSINT queries targeting principal’s name]
- Detection method:
- Potential false-flag:
- Action if confirmed:
- Notes / tool output: ← Google Alerts, mention.com, talkwalker alerts
Indicator cluster / escalation logic
- Single-domain indicator (ambiguous): [no immediate action - monitor]
- Two-domain concurrent indicators: [heightened awareness - log and review]
- Three or more domains concurrent: [alert security officer - initiate response protocol]
- Confirmed active surveillance (any domain): [contact designated security officer / LE immediately]
99 · Collection Admin
Working register - not a deliverable section, but the audit trail behind it. → feeds §19 Annex A Sources, §17 Collection Gaps & RFIs.
Source register
Every material datum traceable to a graded source. Reliability A–F (Admiralty); Credibility 1–6. New sources default to F6.
- [S-1 - source name / description]
- Type: [Primary / Secondary / Authoritative / Non-authoritative]
- Collection method: [Site survey / OSINT / Imagery / Interview / Review of security documentation]
- Reliability (A–F):
- Credibility (1–6):
- Date accessed:
- Notes:
- [S-2]
Evidence archive
- [capture ref - screenshot / export / imagery filename + hash + URL + timestamp]:
- [Annex B site diagram reference]:
- [Annex C route diagram reference]:
- [Annex D digital-footprint discovery record]:
Collection OPSEC / managed attribution log
- Egress posture used:
- Non-attribution steps taken (no login pivots, footprint-minimisation):
- Site-survey permissions obtained: [Y / N / N-A]
- Any incidental discovery of active surveillance (trigger for immediate notification): [Y / N]
Open gaps / verification pending
- [item - domain - impact on assessment] → [routed product / method / RFI#]
- [item]
Reassessment triggers & cadence note
- Reassessment trigger events: [change in threat environment / principal routine change / physical-posture upgrade / new incident]
- Review cadence: [quarterly / bi-annual / annual / event-triggered]
- Program owner: