[SITE / PRINCIPAL / OPERATION] - Collection Map

OSINT-050 Hostile Surveillance Vulnerability Assessment - collection workspace. Central topic = the asset under assessment (site, principal, or operation). Branches = data-point categories for each surveillance domain. Drop each collected value as a child node; expand it with where it was found. Paste raw tool output into the node’s Notes. → feeds deliverable OSINT-050.

00 · Collection Plan - PIRs & EEIs

The questions this collection must answer + essential elements of information (EEI) for each. Tick as satisfied. → drives §3 Key Judgments, §4 PIRs, §12 Vulnerability Register, §13 Verified Findings, §17 Collection Gaps.

PIR-1 - Static Exposure: What are the most accessible, least observable surveillance positions from which to observe the asset?

  • EEI: all public vantage points with sightlines to asset perimeter or principal access/egress
  • EEI: vehicular/pedestrian concealment opportunities at each observation position
  • EEI: duration feasibility and access/egress risk for each identified position
  • EEI: coverage percentage of asset observable from each position

PIR-2 - Movement Predictability: What predictable, exploitable movement patterns (temporal, route, behavioural) does the asset exhibit?

  • EEI: all routine routes (origin, destination, mode, frequency, timing)
  • EEI: choke points, predictable slow-down points, and single-access segments per route
  • EEI: timing predictability for each route / movement pattern
  • EEI: ability of the asset to conduct surveillance-detection routes (SDR / dry-cleaning)

PIR-3 - Digital Footprint: What information about the asset (location, routine, security posture) is discoverable from open sources?

  • EEI: address / location discoverability via property records, social media, open web
  • EEI: routine / schedule / calendar indicators discoverable from OSINT
  • EEI: vehicle(s), staff, household members identifiable from open sources
  • EEI: security posture indicators discoverable (CCTV visible, guard force visible, physical barriers)

PIR-4 - Technical Surface: What RF/communications, GPS-tracking, and aerial surveillance vectors exist?

  • EEI: wireless signals detectable from public space (Wi-Fi SSIDs, Bluetooth beacons, cellular)
  • EEI: vehicle tracker placement points and access difficulty
  • EEI: airspace restrictions (no-fly zones) and drone detection capability
  • EEI: asset vertical-aspect exposure (roof / open courtyard / unshielded approaches)

PIR-5 - Human / Insider: What access population presents a co-optable insider surveillance vector?

  • EEI: all categories with unescorted or 24/7 access (staff, vendors, building management)
  • EEI: vetting / background-screening status per access category
  • EEI: leverage-risk indicators per access category (financial stress, ideological, coercible)

PIR-6 - Counter-Surveillance Readiness: What are the existing counter-surveillance measures and their effectiveness?

  • EEI: dedicated countersurveillance team / function present and trained?
  • EEI: CCTV / analytics configured for surveillance detection (not just access control)
  • EEI: TSCM programme cadence and currency
  • EEI: suspicious-activity incident-reporting protocol in place?

Collection gaps / RFIs (running)

  • [open item] → route to [product / method]
  • [open item]

01 · Principal / Protectee or Asset Detail

Establish the identity and characterisation of the asset under assessment - site, principal, or operation. Baseline used throughout all domain branches. → feeds §5 Asset Characterisation & Protective Posture Baseline, §2 Executive Summary (Asset Overview).

Asset identification

  • Asset name / designation:
  • Asset type: [Fixed site / residence / event / principal-movement / operation]
  • Location / address / coordinates:
  • Surrounding environment: [Urban high / Urban medium / Suburban / Rural / Industrial / Mixed]
  • Public-access proximity (nearest public right-of-way, metres):
  • Hours of operation / occupancy window:
  • Assessment trigger / purpose: [Periodic review / event preparation / threat-received / insurance / due diligence]

Principal / protectee (if applicable)

  • Principal name / designation:
  • Role / status:
  • Residence type:
  • Movement profile (predictability): [High / Medium / Low]
  • Security detail presence: [Yes / No / Partial]
  • Prior surveillance / security incidents:
  • Notes / background:

Protective posture baseline

  • Perimeter security: [Fence / wall / bollards / natural barriers / none identified]
  • Access control: [Gate / guard / electronic / key-card / biometric / none]
  • Surveillance detection (technical): [CCTV / analytics / radar / LPR / none]
  • Surveillance detection (human): [Guard force / CP / countersurveillance / none]
  • Lighting: [Perimeter / motion-activated / IR / blind spots:]
  • COMSEC / OPSEC posture:
  • Personnel security / insider controls: [Vetting / access logging / separation-of-duties / none]
  • Digital footprint management: [Address opacity / social-media discipline / none]

Historical surveillance / reconnaissance incidents

  • [incident - date + description]:
    • Relation to current assessment:
    • Source grade:

02 · Venue & Geography - Site, Layout, Ingress / Egress

Physical environment of the asset - structure, perimeter, sightlines, surrounding land use. Feeds the observation-position survey and vulnerability analysis. → feeds §5 Asset Characterisation, §6 Physical / Static-Position Surveillance Vulnerability, Annex B Site Diagram.

Site / property characterisation

  • Property footprint / dimensions:
  • Building configuration / floor plan (unclassified):
  • Perimeter type and integrity:
  • Entry / exit points (count + control level):
  • Blind spots or dead-ground areas:

Surrounding land-use survey

  • [land parcel / adjacent property - e.g. parking structure north]
    • Land use: [commercial / residential / public / vacant / transport]
    • Distance to asset (metres):
    • Sightline quality to asset: [Direct / Partial / None]
    • Public accessibility: [Open / restricted / private]
    • Notes:
  • [parcel 2]

Satellite / aerial imagery analysis

  • [imagery source - e.g. Google Earth, Bing Maps, Maxar]
    • Date of imagery:
    • Coverage: [Full perimeter / partial]
    • Roof / vertical-aspect exposure: [Open / partially covered / screened]
    • Notes / tool output: ← Google Earth Pro, SentinelHub, Maxar SecureWatch

Ingress / egress points

  • [entry point - e.g. Main gate / rear service entrance]
    • Control level: [Guarded / electronic / open]
    • Visibility from public space: [High / Medium / Low]
    • Chokepoint risk: [Yes / No]

03 · Routes & Movement

Catalog predictable movements of the asset. Each route is its own clonable block - duplicate per route. → feeds §7 Movement & Route Surveillance Vulnerability, Annex C Route Diagram.

Routes / movement legs

  • [Route ID - e.g. R-1: Residence → Primary Office]
    • Origin:
    • Destination:
    • Frequency:
    • Typical duration:
    • Timing predictability: [High / Medium / Low]
    • Mode(s) of transport: [Vehicle / foot / air / mixed]
    • Choke points / predictable segments:
    • Counter-surveillance route (alternate available): [Yes / No]
    • Notes / tool output: ← Google Maps route analysis, street-view survey, mapping tools
  • [Route ID - R-2]

Route-segment vulnerability (per route)

  • [Route R-1 - Departure segment]
    • Observable from public space: [Y / N]
    • Observation positions (static / mobile):
    • Concealment for mobile surveillance:
    • Counter-surveillance difficulty: [Low / Med / High]
    • Source grade:
  • [Route R-1 - Transit segment A]
    • Observable from public space:
    • Observation positions:
    • Concealment for mobile surveillance:
    • Counter-surveillance difficulty:
    • Source grade:
  • [Route R-1 - Arrival segment]

Mobile-surveillance detection environment

  • Traffic density on route: [Heavy / Moderate / Light / Variable]
  • Route complexity / alternates available:
  • Ability to conduct SDR / dry-cleaning:
  • Typical vehicle mix / anonymity:
  • Aerial / drone surveillance risk along route:

04 · Threat Actors & Persons of Interest

Entities that could realistically conduct hostile surveillance against this asset - adversary types, not specific named actors (unless a named actor context exists from a related OSINT-052 TAM). Feeds the threat-assumption layer for PIRs and ACH. → feeds §3 Key Judgments (threat-capability assumption), §15 ACH, §16 Key Assumptions.

Adversary-type inventory

  • [adversary type - e.g. corporate competitor / organised crime / intimate partner / activist group]
    • Generic surveillance capability assumed: [Basic / Intermediate / Advanced]
    • Most plausible surveillance method: [Static / Mobile / Technical / Human / Digital]
    • Motivation to target this asset: [High / Med / Low]
    • Source grade:
    • Notes / tool output: ← prior reporting, OSINT-052 TAM, client disclosure
  • [adversary type 2]

Persons of concern (if any - from prior reporting or client disclosure)

  • [name or designation]:
    • Basis for concern:
    • Known surveillance tradecraft / history:
    • Source grade:

Threat-capability assumptions (Key Assumptions §16)

  • Operator assumed to have: [generic static + mobile + technical surveillance tradecraft]
  • Operator assumed resource level: [individual / small team / professional service]
  • Operator assumed persistence / investment: [opportunistic / sustained / professional]

05 · Threat Landscape - Incidents, History, Online Chatter

Area security environment and any prior events or open-source chatter that contextualise surveillance risk for this asset. → feeds §2 Executive Summary (Assessment Trigger), §5 Asset Characterisation & Protective Posture Baseline (Known Historical Incidents), §14 Hostile Surveillance Indicators & Warning Matrix.

Area security environment

  • Crime rate / security environment (locale):
  • Known prior incidents at or near asset (publicly reported):
  • Local news / open-source reporting on asset (adverse / security-related):
  • Protest / demonstration activity in area:

Online chatter / social-media threat signals

  • [platform / source - e.g. X, Telegram, local forum]
    • Content / threat signal:
    • Date observed:
    • Credibility: [A–F / 1–6]
    • Action taken:
    • Notes / tool output: ← Social Search, CrowdTangle archives, Telegram monitoring tools

Prior hostile surveillance / reconnaissance incidents

  • [incident]:
    • Date:
    • Method observed: [Static / Mobile / Technical / Human]
    • Outcome:
    • Relation to current assessment:

06 · Vulnerabilities & Attack Surface

Synthesised vulnerability findings across all domains - observation positions, route segments, technical surfaces, access population. This branch collects the raw findings that feed §12 Vulnerability Register & Risk Scoring. → feeds §6 Static, §7 Movement, §8 Technical, §9 Human, §10 Digital, §12 Vulnerability Register, §13 Verified Findings.

Observation-position survey (static vulnerability)

  • [OP-ID - e.g. OP-1: Café terrace, 45 m north]
    • Distance to asset (metres):
    • Field of view (asset coverage %):
    • Concealment type: [Natural / Structural / Vehicular / None]
    • Duration feasibility: [Unattended / Short / Sustained]
    • Access & egress detection risk: [Low / Med / High]
    • Overall vulnerability: [Low / Med / High]
    • Source grade:
    • Notes:
  • [OP-2]

Covert positioning / dump-site candidates

  • [dump site - e.g. DS-1: electricity cabinet, perimeter wall]
    • Concealment quality: [Low / Med / High]
    • Access difficulty: [Low / Med / High]
    • Device types suitable: [Camera / tracker / audio / data-skimmer / UGS]
    • Detection risk: [Low / Med / High]
    • Notes:
  • [DS-2]

Technical / electronic intercept surface

  • [signal type - e.g. Wi-Fi 2.4GHz SSID visible from street]
    • Detectability from public space: [Y / N]
    • Encryption / protection:
    • Intercept difficulty: [Low / Med / High]
    • Notes / tool output: ← Wigle.net (passive Wi-Fi mapping), OSINT RF enumeration
  • [signal type 2]

GPS / tracker placement vulnerabilities

  • [target - e.g. Primary vehicle]
    • Placement points: [Exterior / undercarriage / interior / OBD port / fuel cap]
    • Accessibility (unattended, public space):
    • Detection difficulty (search posture):
    • Notes:
  • [target 2]

Drone / aerial exposure

  • Airspace restrictions / no-fly zones: [None / restricted / prohibited]
  • Drone detection / C-UAS capability: [None / passive / active]
  • Typical civilian drone traffic (anonymity): [None / Low / Moderate / High]
  • Asset exposure from vertical aspect: [Open / Partially covered / Fully covered]

Per-domain risk scoring (→ §12)

  • [domain - e.g. Static-position surveillance]
    • Vulnerability description:
    • Likelihood (1–5):
    • Impact (1–5):
    • Score (L×I):
    • Band: [Low / Moderate / Elevated / High / Critical]
    • Priority:
  • [domain - Movement / route]
  • [domain - Technical / electronic]
  • [domain - Human / insider]
  • [domain - Digital footprint / information exposure]

07 · Local Environment - Security, Medical, LE, Infrastructure

The area-level environment that constrains or enables hostile surveillance and the asset’s response capability. → feeds §7 Mobile-Surveillance Detection Environment, §11 Counter-Surveillance Capability & Readiness, §18 Recommendations.

Law-enforcement / emergency services

  • Nearest police station / response time (estimated):
  • Nearest emergency services:
  • Typical patrol density / visibility in area:
  • Non-emergency reporting mechanisms / contacts:

Local surveillance / security infrastructure

  • Public CCTV / ANPR coverage in immediate vicinity:
  • Private CCTV visible on adjacent properties:
  • Traffic camera / transport monitoring at key nodes:

Physical access / environmental factors

  • Public transport nodes near asset:
  • Parking / standing capacity near observation positions:
  • Pedestrian traffic density (cover for static surveillance):
  • Lighting conditions (night-time observation feasibility):
  • Seasonal / weather factors affecting observation:

Medical / crisis support (for protective operations context)

  • Nearest trauma-capable medical facility:
  • Safe locations / refuge points on routes:

08 · Digital & Social Signals

Open-source information about the asset discoverable without physical presence - the digital-footprint vulnerability surface. → feeds §10 Digital-Footprint & Information-Exposure Vulnerability, Annex D Digital-Footprint Discovery Record.

Address / location discoverability

  • [source - e.g. property records, Companies House, Google Maps street view]
    • Information found:
    • Surveillance value: [Direct targeting / Pattern-of-life baseline / Low]
    • Mitigation in place:
    • Source grade:
    • Notes / tool output: ← WHOIS, OpenCorporates, local property registries, Google Maps

Routine / schedule / calendar exposure

  • [source - e.g. principal’s social media, event listings, public calendar]
    • Information found:
    • Surveillance value:
    • Notes / tool output: ← X/Twitter, Instagram, LinkedIn, Facebook, Google search

Vehicle / plate / asset exposure

  • [source - e.g. social media photos, press coverage, vehicle registry / FOIA records]
    • Vehicle description / plate (partial):
    • Surveillance value:
    • Notes / tool output:

Principal / family / staff exposure

  • [source - e.g. LinkedIn, corporate website, social media]
    • Information found (names, photos, roles):
    • Surveillance value:
    • Notes / tool output: ← LinkedIn, corporate bio pages, pipl.com, public records

Security posture indicators (visible)

  • [source - e.g. Google Street View, social media photos, news imagery]
    • Visible security measures (CCTV, guards, barriers):
    • Surveillance value to adversary (map security gaps):
    • Notes: ← Google Street View historical layers, Bing streetside

Real estate / property record exposure

  • [source - e.g. land registry, county assessor, Zillow / Rightmove]
    • Information found (ownership, layout imagery, floor plan):
    • Surveillance value:
    • Notes / tool output: ← HM Land Registry, county assessor, Zillow, CoStar

Social-media / open-web monitoring (ongoing collection)

  • [platform / search term]
    • Observation:
    • Date:
    • Relevance:

09 · Indicators & Warnings

Observable indicators that hostile surveillance may be underway or being prepared. Seeded from §14 I&W Matrix of the deliverable. Each indicator is a clonable block - duplicate per domain observation. → feeds §14 Hostile Surveillance Indicators & Warning Matrix, §11 Counter-Surveillance Readiness, §3 Key Judgments (change indicators).

Static-observation indicators

  • [indicator - e.g. unknown vehicle parked at OP-1 with extended dwell time]
    • Detection method:
    • Potential false-flag / benign explanation:
    • Action if confirmed:
    • Date / time observed:
    • Source grade:
    • Notes / tool output:
  • [indicator 2]

Mobile-surveillance indicators

  • [indicator - e.g. same vehicle appears on multiple route legs (unlinked)]
    • Detection method:
    • Potential false-flag:
    • Action if confirmed:
    • Date / time observed:
    • Notes / tool output:
  • [indicator 2]

Technical-surveillance indicators

  • [indicator - e.g. unknown Wi-Fi probe / rogue AP detected near perimeter]
    • Detection method:
    • Potential false-flag:
    • Action if confirmed:
    • Notes / tool output:
  • [indicator 2]

Human / insider indicators

  • [indicator - e.g. staff member photographing interior without authorisation]
    • Detection method:
    • Potential false-flag:
    • Action if confirmed:
    • Notes / tool output:
  • [indicator 2]

Digital indicators

  • [indicator - e.g. unusual volume of OSINT queries targeting principal’s name]
    • Detection method:
    • Potential false-flag:
    • Action if confirmed:
    • Notes / tool output: ← Google Alerts, mention.com, talkwalker alerts

Indicator cluster / escalation logic

  • Single-domain indicator (ambiguous): [no immediate action - monitor]
  • Two-domain concurrent indicators: [heightened awareness - log and review]
  • Three or more domains concurrent: [alert security officer - initiate response protocol]
  • Confirmed active surveillance (any domain): [contact designated security officer / LE immediately]

99 · Collection Admin

Working register - not a deliverable section, but the audit trail behind it. → feeds §19 Annex A Sources, §17 Collection Gaps & RFIs.

Source register

Every material datum traceable to a graded source. Reliability A–F (Admiralty); Credibility 1–6. New sources default to F6.

  • [S-1 - source name / description]
    • Type: [Primary / Secondary / Authoritative / Non-authoritative]
    • Collection method: [Site survey / OSINT / Imagery / Interview / Review of security documentation]
    • Reliability (A–F):
    • Credibility (1–6):
    • Date accessed:
    • Notes:
  • [S-2]

Evidence archive

  • [capture ref - screenshot / export / imagery filename + hash + URL + timestamp]:
  • [Annex B site diagram reference]:
  • [Annex C route diagram reference]:
  • [Annex D digital-footprint discovery record]:

Collection OPSEC / managed attribution log

  • Egress posture used:
  • Non-attribution steps taken (no login pivots, footprint-minimisation):
  • Site-survey permissions obtained: [Y / N / N-A]
  • Any incidental discovery of active surveillance (trigger for immediate notification): [Y / N]

Open gaps / verification pending

  • [item - domain - impact on assessment] → [routed product / method / RFI#]
  • [item]

Reassessment triggers & cadence note

  • Reassessment trigger events: [change in threat environment / principal routine change / physical-posture upgrade / new incident]
  • Review cadence: [quarterly / bi-annual / annual / event-triggered]
  • Program owner: