[PRINCIPAL / PROTECTEE] - Collection Map
OSINT-051 Protective Intelligence Assessment - collection workspace. Central topic = the principal at risk + the threat network around them. Branches = the data-point categories for this protective-intelligence assessment, aligned to the deliverable’s sections. Drop each collected value as a child node; expand it with where it was found. Paste raw tool output into node Notes. → feeds deliverable OSINT-051. IMMINENT DANGER: if any collection reveals an imminent risk of harm, stop and contact law enforcement immediately - do not wait for the report.
00 · Collection Plan - PIRs & EEIs
The intelligence questions this collection must answer + essential elements of information (EEI) per PIR. Tick as satisfied. → drives §3 Key Judgments, §4 PIRs, §15 Verified Findings Summary, §19 Collection Gaps & RFIs.
PIR-1 - Intent: does any actor in the network intend to harm the principal?
- EEI: explicit or implicit statements of intent (written, spoken, social-media)
- EEI: leakage (communication to third party of intent to harm)
- EEI: directed communications to or about the principal (tone, frequency, escalation)
- EEI: last-resort or desperation language / no-other-option framing
- EEI: murder-suicide / suicidality indicators in actor output
PIR-2 - Capability: does any actor have the means to act against the principal?
- EEI: weapons access or acquisition evidence
- EEI: relevant tactical / military / technical skills
- EEI: financial resources to travel or equip
- EEI: network facilitation - who supplies capability to the threat node
PIR-3 - Access / Opportunity: can a threat actor reach the principal?
- EEI: physical proximity to principal residence / work / habitual locations
- EEI: knowledge of principal routine, schedule, or patterns
- EEI: insider nexus - household / staff member with access bridging to a threat actor
- EEI: upcoming fixed-exposure events (appearances, travel, public venues)
- EEI: digital access channels (email, social DM, phone, dox exposure)
PIR-4 - Network Coordination / Insider Nexus: are threat actors linked, facilitated, or bridged to the principal?
- EEI: documented relationships between threat nodes (co-communication, co-location, shared resources)
- EEI: nexus / spanner nodes bridging friendly ↔ threat networks
- EEI: insider-threat bridge (trusted individual with principal access tied to threat actor)
- EEI: shared grievance or ideological driver across multiple nodes
PIR-5 - Pathway Progression: how far along the pathway to violence has any actor moved?
- EEI: grievance formation and articulation (Stage 1)
- EEI: ideation (Stage 2) - violence framed as a solution
- EEI: research / planning behavior (Stage 3) - target research, method research, surveillance indicators
- EEI: preparation (Stage 4) - acquisition, rehearsal, logistics
- EEI: breach / probing (Stage 5) - approach attempts, security testing, location visits
- EEI: warning-behavior clustering and acceleration across TRAP-18 proximal eight
Collection gaps / RFIs (running)
- [open item] → route to [product / collection technique]
- [open item]
00b · Monitoring Cadence & Triggers
This deliverable is one_time but produces feeds into OSINT-052 (Threat-Case Assessment & Management) and OSINT-053 (Daily/Periodic Protective Intelligence Brief), which are continuous. Capture watch items, refresh cadence, and escalation path here so handoff to those products is seamless. → drives §16 Escalation Indicators & Tripwires, §20 Protective-Intelligence Program Recommendations (Reassessment Triggers & Cadence).
Watch items (standing after assessment delivery)
- Actor [N-x] social-media / online output - keyword alerts set:
- Actor [N-x] court / legal filings (restraining order compliance / new filings):
- Principal exposure calendar - upcoming fixed-location events:
- Insider-threat node [N-x] behavioral changes:
- New communications to / about the principal:
- Weapons-acquisition indicators (any threat node):
Refresh cadence
- Routine reassessment interval:
- High-threat-level interval:
- Imminent-level interval: [immediately - trigger LE escalation, do not wait]
Alert thresholds
- Tripwire 1 (from §16): → escalate to:
- Tripwire 2: → escalate to:
- Tripwire 3: → escalate to:
Escalation path
- Level 1 (informational): notify program owner - [NAME]
- Level 2 (concern elevated): threat-management team convenes within [24h / 48h]
- Level 3 (imminent): law enforcement referral + protective detail upgrade - immediate
01 · Principal / Protectee Detail
Who is at risk. Baseline identity and exposure profile of the principal - the anchor the entire threat network is mapped against. → feeds §11 Protectee Exposure Surface & Nexus Layer, §2 Executive Summary.
Identity anchor
- Full name / designation:
- Role / title / public profile:
- Organization / household:
- Triggering event / referral that prompted this assessment:
- Assessment as-of date:
Protectee contact & selectors
Clone per selector. Used to map digital exposure surface and cross-ref against threat-actor communications. → feeds §11 Protectee Exposure Surface.
- [email - e.g. principal@domain.com]
- Linked accounts found:
- Breach / paste appearances:
- Where found (source + URL):
- Attribution confidence: [Confirmed / Probable / Possible]
- Notes / tool output: ← (holehe, h8mail, hunter.io)
- [phone - e.g. +1 555-0100]
- Type / carrier: [mobile / landline / VoIP]
- Linked accounts / apps:
- Where found (source + URL):
- Attribution confidence: [Confirmed / Probable / Possible]
- Notes / tool output: ← (truecaller, caller-ID lookups)
- [social handle - e.g. principal_name]
- Platforms / URLs:
- Linked email(s):
- Attribution confidence: [Confirmed / Probable / Possible]
- Notes / tool output: ← (sherlock, whatsmyname, idcrawl)
Prior protective / legal actions (principal’s existing posture)
- Existing restraining orders / TROs in place:
- Prior reports to law enforcement:
- Current protective-detail level:
- Known prior incidents / approaches:
02 · Venue & Geography - Fixed-Exposure Points
OAKOC analysis of the principal’s predictable, fixed-location exposure - the terrain a threat node would exploit to observe, approach, or act. Open-source terrain analysis only; no physical surveillance of the principal. → feeds §11 Protectee Exposure Surface & Nexus Layer (OAKOC table).
Venues / fixed-exposure points
Clone this block per venue. → feeds §11 OAKOC table.
- [venue - e.g. residence / workplace / regular venue]
- Address / location:
- Observation & fields of fire (open approaches, sight-lines):
- Avenues of approach (public access, ingress/egress points):
- Key terrain / chokepoints (bottlenecks a threat actor would exploit):
- Obstacles (barriers, access controls in place):
- Cover & concealment (where a threat actor could wait undetected):
- Linked threat node(s) with proximity or knowledge:
- Notes / satellite / mapping tool output: ← (Google Maps, OSM, Bing Birds Eye, Overpass Turbo)
- [venue 2]
Habitual routes
Clone per route leg. → feeds §11 Protectee Exposure Surface & Nexus Layer (OAKOC / movement corridors), §20 Protective & Mitigation Measures.
- [route leg - e.g. residence to office]
- Mode of transport:
- Departure / arrival times (pattern):
- Chokepoints / predictable stops:
- Known to any threat node: [Y/N/Unk]
- Notes:
Principal pattern of life (open-source observable only)
- [habitual schedule item]:
- [social-media geo-leak or check-in observed]:
- Anomalies / deviations noted:
03 · Routes & Movement
Predictable movement corridors and schedule-driven exposure windows - the attack surface in transit. → feeds §11 Protectee Exposure Surface, §20 Protective & Mitigation Measures.
Route legs
Clone per leg.
- [leg - e.g. home → office, weekday 08:00–08:30]
- Departure point:
- Destination:
- Mode:
- Typical timing:
- Chokepoints:
- Alternate routes identified:
- Threat-node knowledge of this route: [Y/N/Unk]
- Notes:
Upcoming travel / events (fixed-exposure windows)
- [event - e.g. public appearance / conference / travel leg]
- Date / time:
- Location / venue:
- Public / semi-public / private:
- Threat-node awareness: [Y/N/Unk]
- Notes:
04 · Threat Actors & Persons of Interest
Full inventory of all actors assessed - the node catalogue behind §5 Threat-Network Frame & Composition. Each threat actor also drives a per-actor block in §09 below. → feeds §5, §6, §7, §8, §9, §10, §13, §14.
Threat-network node inventory
One block per actor. Clone per node.
- [Node ID - e.g. N-1 / actor name or designation]
- Node type: [person / org / place / event / resource]
- Category: [threat / neutral / friendly / unknown]
- Role in network:
- Relationship to principal: [former employee / intimate / litigant / stranger-fixated / ideological / unknown]
- Source grade: [A–F / 1–8]
- Notes / raw data:
Persons of interest (not yet categorized)
- [name / designation]
- Why flagged:
- Category determination pending:
- Notes:
Actor selectors - identity resolution
Clone per actor selector. Run standard identity-resolution pivot. → feeds §5 node table, §9 per-actor blocks.
- [handle / email / phone - e.g. threat_handle_01]
- Actor node: [N-x]
- Platforms / where found (URL):
- Linked email(s):
- Linked phone(s):
- Other accounts reusing it:
- Attribution confidence: [Confirmed / Probable / Possible]
- Notes / tool output: ← (idcrawl, sherlock, whatsmyname, holehe, h8mail)
- [email - e.g. actor@domain.com]
- Actor node: [N-x]
- Linked accounts (acct discovery):
- Breach / paste appearances:
- Where found (source + URL):
- Attribution confidence: [Confirmed / Probable / Possible]
- Notes / tool output: ← (holehe, h8mail, hunter.io)
Entity / org nodes
Clone per entity node.
- [entity name - e.g. org / group / page]
- Node ID: [N-x]
- Jurisdiction / registration:
- Registry check: ← (OpenCorporates, state/national registries)
- Domains / online presence: ← (whois, crt.sh)
- Links to threat actors:
- Notes:
05 · Threat Landscape - Incidents, History & Online Chatter
Background threat environment, prior incidents, and the online-chatter picture that contextualizes the network. → feeds §9 Per-Actor Threat Characterization (Warning Behaviors, Pathway), §16 Escalation Indicators & Tripwires.
Prior incidents / communications involving the principal
Clone per incident.
- [incident / communication - e.g. threatening letter received YYYY-MM-DD]
- Date:
- Nature / content:
- Actor attributed: [N-x / unknown]
- Source / evidence ref:
- Analytic confidence: [H/M/L]
- Notes:
Online chatter - social media monitoring
Monitor for keywords: principal name + variants, location, upcoming events, threat language. Tools: CrowdTangle (if available), manual search, Google Alerts, social-media search operators.
- [platform - e.g. X / Reddit / Telegram / Facebook Group / forum]
- Keywords monitored:
- Posts / threads found (URL + date):
- Actor attributed: [N-x / anonymous / unknown]
- Concern level: [High / Moderate / Low / None]
- Notes / screenshot ref:
Historical threat context
- Similar cases / precedents relevant to this principal type:
- Applicable threat environment (sector / geography / ideological):
- Notes:
06 · Vulnerabilities & Attack Surface
The gaps and exposures a threat actor could exploit - the CV column of the CFA. → feeds §10 Critical Factors Analysis (CC/CR/CV table), §11 Protectee Exposure Surface, §13 Engagement-Option Matrix.
Digital / information exposure
- Principal PII in data-broker records: ← (people-search engines: Spokeo, Whitepages, BeenVerified)
- Home address publicly accessible:
- Routine/schedule inferrable from social media:
- Vehicle / plate publicly linked to principal:
- Credential / breach exposure: ← (h8mail, HaveIBeenPwned, dehashed)
- Dark-web mentions / doxing: ← (OSINT-058 dark-web exposure feed)
Physical / access vulnerabilities
- Residence security posture:
- Workplace access controls:
- Predictable route / schedule exposure:
- Public appearance schedule publicly listed:
- Insider-access exposure (household / staff with threat-actor links):
CFA - Critical Factors (per threat node)
Clone per threat actor / node. → feeds §10 CFA table.
- [Node N-x]
- Objective:
- Critical Capability (CC):
- Critical Requirement (CR):
- Specific Activity:
- Critical Vulnerability (CV):
- Recommended lawful action (→ §13):
- Notes:
07 · Local Environment - Security, Medical, LE & Infrastructure
Third-party capabilities and resources at the principal’s fixed-exposure locations that inform protective planning. → feeds §11 Protectee Exposure Surface (residual exposure), §20 Protective & Mitigation Measures.
Law-enforcement resources
- [jurisdiction - e.g. city/county/federal]
- LE agency with jurisdiction:
- Response time estimate:
- Prior contact / coordination established: [Y/N]
- Notes:
Medical facilities
- [location - e.g. nearest trauma center to residence]
- Facility name / address:
- Level / capability:
- Distance / ETA:
- Notes:
Private security / venue security
- [venue or route segment]
- Security presence / type:
- Access-control measures in place:
- Gaps identified:
- Notes:
Infrastructure (communications, utilities at key locations)
- Communications redundancy at primary residence:
- Power / backup at primary location:
- Notes:
08 · Digital & Social Signals
Actor online behavior, communications to/about the principal, and social-media indicators that feed warning-behavior coding. → feeds §9 Per-Actor Threat Characterization (Behavioral Warning Indicators, Pathway), §16 Escalation Indicators & Tripwires.
Actor social-media accounts
Clone per actor account. Attribution is a judgment - grade it.
- [platform - e.g. X / Facebook / Telegram / Reddit / YouTube / TikTok]
- Actor node: [N-x]
- Handle / URL:
- Attribution confidence: [Confirmed / Probable / Possible]
- Status: [Active / Dormant]
- Relevant content summary (grievance / fixation / leakage / pathway indicators):
- Dates of relevant posts:
- Warning behaviors observed:
- Notes / screenshot refs: ← (manual search, Google cache, Wayback Machine, Maltego)
Direct communications to/about the principal
Clone per communication instance.
- [communication - e.g. threatening email received YYYY-MM-DD]
- Actor attributed: [N-x / unknown]
- Channel: [email / letter / DM / voicemail / in-person]
- Content summary:
- Tone / escalation vs. prior:
- Pathway stage indicated:
- Warning behaviors present:
- Evidence ref:
Actor-to-actor communications (network coordination signals)
- [pair: N-x ↔ N-y]
- Channel:
- Nature of communication:
- Source / evidence:
- Notes:
Dark-web / closed-forum signals
- Actor mentions / posts on dark-web forums: ← (→ OSINT-058 dark-web exposure feed)
- Dox posts targeting principal:
- Marketplace activity relevant to threat (weapons / logistics):
- Notes:
09 · Indicators & Warnings - Per-Actor Behavioral Assessment
The behavioral structured-professional-judgment data collection for each threat node. Maps directly to §9 Per-Actor Threat Characterization (Warning Behaviors, Pathway-to-Violence, Capability/Access, Intent, Threat Classification). Clone the full block per threat actor.
Actor [N-x] - Behavioral Data Collection
→ feeds §9 Per-Actor Threat Characterization. Clone this entire block per threat actor identified in §04.
Actor–Principal Nexus (collected evidence)
- Relationship to principal:
- Grievance - nature & origin:
- Fixation / preoccupation evidence:
- Identification indicators (warrior mentality / prior-attacker emulation / weapons affinity):
- Contact / communication history (frequency, tone, escalation):
- Prior protective / legal actions:
- Notes:
TRAP-18 Proximal Warning Behaviors (evidence collection)
For each behavior: Present / Absent / Unknown - record observed evidence and source grade. → feeds §9 Behavioral Warning Indicators table.
- Pathway (research, planning, preparation, attack-related behavior)
- Status: [Present / Absent / Unknown]
- Observed evidence:
- Source grade: [A–F / 1–8]
- Fixation (increasing preoccupation with person/cause)
- Status: [Present / Absent / Unknown]
- Observed evidence:
- Source grade:
- Identification (warrior / pseudo-commando / weapons affinity / prior-attacker emulation)
- Status: [Present / Absent / Unknown]
- Observed evidence:
- Source grade:
- Novel aggression (unrelated act of violence to test capacity)
- Status: [Present / Absent / Unknown]
- Observed evidence:
- Source grade:
- Energy burst (increase in activity related to target)
- Status: [Present / Absent / Unknown]
- Observed evidence:
- Source grade:
- Leakage (communication to third party of intent to harm)
- Status: [Present / Absent / Unknown]
- Observed evidence:
- Source grade:
- Last resort (violent action / time imperative / no other option)
- Status: [Present / Absent / Unknown]
- Observed evidence:
- Source grade:
- Directly communicated threat
- Status: [Present / Absent / Unknown]
- Observed evidence:
- Source grade:
- Warning-behavior summary (clustering, recency, acceleration):
Pathway-to-Violence Stage Evidence
Locate the actor on the pathway. → feeds §9 Pathway-to-Violence table.
- Stage 1 - Grievance
- Behavioral evidence:
- Observed: [Y/N/Unk]
- Source grade:
- Stage 2 - Ideation (violence as solution)
- Behavioral evidence:
- Observed: [Y/N/Unk]
- Source grade:
- Stage 3 - Research / planning (target, methods, surveillance)
- Behavioral evidence:
- Observed: [Y/N/Unk]
- Source grade:
- Stage 4 - Preparation (acquisition, rehearsal, logistics)
- Behavioral evidence:
- Observed: [Y/N/Unk]
- Source grade:
- Stage 5 - Breach / probing (approach, security testing)
- Behavioral evidence:
- Observed: [Y/N/Unk]
- Source grade:
- Stage 6 - Attack
- Behavioral evidence:
- Observed: [Y/N/Unk]
- Source grade:
- Furthest stage evidenced:
- Direction / velocity of movement:
- Pathway assessment:
Capability, Access & Opportunity (collected evidence)
- Weapons access / acquisition:
- Relevant skills / training:
- Physical proximity / access to principal:
- Knowledge of principal patterns / locations:
- Opportunity (upcoming events / exposure windows):
Intent, Motivation & Grievance (collected evidence)
- Stated intent (explicit / implicit):
- Instrumental vs. expressive characterization:
- Motivation / driver (revenge / ideology / intimacy / notoriety / despair):
- Last-resort / desperation indicators:
- Suicidality / murder-suicide indicators:
Network Role - Link Analysis Data (for §6)
→ feeds §6 Link Analysis & Association Matrix, §7 SNA / Key-Node Ranking, §8 Critical & Nexus Nodes.
- [link: N-x → [relationship / activity] → N-y or connecting event/place/resource]
- Strength: [Known / Suspected]
- Source grade:
- Notes:
- Centrality estimate (degree / betweenness / closeness):
- Key-node designation: [hub / broker / peripheral / nexus-spanner]
Threat Classification - SPJ Determination (working notes)
- Poses vs. makes a threat (working judgment):
- Hunter vs. Howler:
- Working threat level: [Minimal / Low / Moderate / High / Imminent]
- Determination rationale notes:
- Notes / tool output:
99 · Collection Admin
Working register - the audit trail behind the deliverable. Not a deliverable section but the foundation for §21 Annex A Sources, Methodology & Doctrinal Basis and §22 Annexes (B–H).
Source register
Every material datum traceable to a graded source. Admiralty A–F reliability / ATP 2-22.9 1–8 credibility. New sources default F/8.
- [S-1 - source name / description]
- Type: [Primary / Secondary / Authoritative / Non-auth.]
- Reliability (A–F):
- Credibility (1–8):
- Date accessed:
- URL / reference:
Evidence archive
Capture ref, hash, URL, and timestamp for every preserved screenshot or document. → feeds §22 Annex F.
- [capture ref + hash + URL + timestamp]:
Network link chart data (for Annex B draw.io)
- [node pair: N-x ↔ N-y - relationship - solid/dashed]:
Behavioral timeline (per actor - for Annex C)
Chronological log of grievance, communications, warning behaviors - dated and graded. → feeds §22 Annex C.
- [N-x - YYYY-MM-DD - event / behavior / communication]:
Open gaps / verification pending
Carry open items forward to §19 Collection Gaps & RFIs in the deliverable.
- [item - description and impact on assessment if unresolved]