[PRINCIPAL / PROTECTEE] - Collection Map

OSINT-051 Protective Intelligence Assessment - collection workspace. Central topic = the principal at risk + the threat network around them. Branches = the data-point categories for this protective-intelligence assessment, aligned to the deliverable’s sections. Drop each collected value as a child node; expand it with where it was found. Paste raw tool output into node Notes. → feeds deliverable OSINT-051. IMMINENT DANGER: if any collection reveals an imminent risk of harm, stop and contact law enforcement immediately - do not wait for the report.

00 · Collection Plan - PIRs & EEIs

The intelligence questions this collection must answer + essential elements of information (EEI) per PIR. Tick as satisfied. → drives §3 Key Judgments, §4 PIRs, §15 Verified Findings Summary, §19 Collection Gaps & RFIs.

PIR-1 - Intent: does any actor in the network intend to harm the principal?

  • EEI: explicit or implicit statements of intent (written, spoken, social-media)
  • EEI: leakage (communication to third party of intent to harm)
  • EEI: directed communications to or about the principal (tone, frequency, escalation)
  • EEI: last-resort or desperation language / no-other-option framing
  • EEI: murder-suicide / suicidality indicators in actor output

PIR-2 - Capability: does any actor have the means to act against the principal?

  • EEI: weapons access or acquisition evidence
  • EEI: relevant tactical / military / technical skills
  • EEI: financial resources to travel or equip
  • EEI: network facilitation - who supplies capability to the threat node

PIR-3 - Access / Opportunity: can a threat actor reach the principal?

  • EEI: physical proximity to principal residence / work / habitual locations
  • EEI: knowledge of principal routine, schedule, or patterns
  • EEI: insider nexus - household / staff member with access bridging to a threat actor
  • EEI: upcoming fixed-exposure events (appearances, travel, public venues)
  • EEI: digital access channels (email, social DM, phone, dox exposure)

PIR-4 - Network Coordination / Insider Nexus: are threat actors linked, facilitated, or bridged to the principal?

  • EEI: documented relationships between threat nodes (co-communication, co-location, shared resources)
  • EEI: nexus / spanner nodes bridging friendly ↔ threat networks
  • EEI: insider-threat bridge (trusted individual with principal access tied to threat actor)
  • EEI: shared grievance or ideological driver across multiple nodes

PIR-5 - Pathway Progression: how far along the pathway to violence has any actor moved?

  • EEI: grievance formation and articulation (Stage 1)
  • EEI: ideation (Stage 2) - violence framed as a solution
  • EEI: research / planning behavior (Stage 3) - target research, method research, surveillance indicators
  • EEI: preparation (Stage 4) - acquisition, rehearsal, logistics
  • EEI: breach / probing (Stage 5) - approach attempts, security testing, location visits
  • EEI: warning-behavior clustering and acceleration across TRAP-18 proximal eight

Collection gaps / RFIs (running)

  • [open item] → route to [product / collection technique]
  • [open item]

00b · Monitoring Cadence & Triggers

This deliverable is one_time but produces feeds into OSINT-052 (Threat-Case Assessment & Management) and OSINT-053 (Daily/Periodic Protective Intelligence Brief), which are continuous. Capture watch items, refresh cadence, and escalation path here so handoff to those products is seamless. → drives §16 Escalation Indicators & Tripwires, §20 Protective-Intelligence Program Recommendations (Reassessment Triggers & Cadence).

Watch items (standing after assessment delivery)

  • Actor [N-x] social-media / online output - keyword alerts set:
  • Actor [N-x] court / legal filings (restraining order compliance / new filings):
  • Principal exposure calendar - upcoming fixed-location events:
  • Insider-threat node [N-x] behavioral changes:
  • New communications to / about the principal:
  • Weapons-acquisition indicators (any threat node):

Refresh cadence

  • Routine reassessment interval:
  • High-threat-level interval:
  • Imminent-level interval: [immediately - trigger LE escalation, do not wait]

Alert thresholds

  • Tripwire 1 (from §16): → escalate to:
  • Tripwire 2: → escalate to:
  • Tripwire 3: → escalate to:

Escalation path

  • Level 1 (informational): notify program owner - [NAME]
  • Level 2 (concern elevated): threat-management team convenes within [24h / 48h]
  • Level 3 (imminent): law enforcement referral + protective detail upgrade - immediate

01 · Principal / Protectee Detail

Who is at risk. Baseline identity and exposure profile of the principal - the anchor the entire threat network is mapped against. → feeds §11 Protectee Exposure Surface & Nexus Layer, §2 Executive Summary.

Identity anchor

  • Full name / designation:
  • Role / title / public profile:
  • Organization / household:
  • Triggering event / referral that prompted this assessment:
  • Assessment as-of date:

Protectee contact & selectors

Clone per selector. Used to map digital exposure surface and cross-ref against threat-actor communications. → feeds §11 Protectee Exposure Surface.

  • [email - e.g. principal@domain.com]
    • Linked accounts found:
    • Breach / paste appearances:
    • Where found (source + URL):
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Notes / tool output: ← (holehe, h8mail, hunter.io)
  • [phone - e.g. +1 555-0100]
    • Type / carrier: [mobile / landline / VoIP]
    • Linked accounts / apps:
    • Where found (source + URL):
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Notes / tool output: ← (truecaller, caller-ID lookups)
  • [social handle - e.g. principal_name]
    • Platforms / URLs:
    • Linked email(s):
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Notes / tool output: ← (sherlock, whatsmyname, idcrawl)
  • Existing restraining orders / TROs in place:
  • Prior reports to law enforcement:
  • Current protective-detail level:
  • Known prior incidents / approaches:

02 · Venue & Geography - Fixed-Exposure Points

OAKOC analysis of the principal’s predictable, fixed-location exposure - the terrain a threat node would exploit to observe, approach, or act. Open-source terrain analysis only; no physical surveillance of the principal. → feeds §11 Protectee Exposure Surface & Nexus Layer (OAKOC table).

Venues / fixed-exposure points

Clone this block per venue. → feeds §11 OAKOC table.

  • [venue - e.g. residence / workplace / regular venue]
    • Address / location:
    • Observation & fields of fire (open approaches, sight-lines):
    • Avenues of approach (public access, ingress/egress points):
    • Key terrain / chokepoints (bottlenecks a threat actor would exploit):
    • Obstacles (barriers, access controls in place):
    • Cover & concealment (where a threat actor could wait undetected):
    • Linked threat node(s) with proximity or knowledge:
    • Notes / satellite / mapping tool output: ← (Google Maps, OSM, Bing Birds Eye, Overpass Turbo)
  • [venue 2]

Habitual routes

Clone per route leg. → feeds §11 Protectee Exposure Surface & Nexus Layer (OAKOC / movement corridors), §20 Protective & Mitigation Measures.

  • [route leg - e.g. residence to office]
    • Mode of transport:
    • Departure / arrival times (pattern):
    • Chokepoints / predictable stops:
    • Known to any threat node: [Y/N/Unk]
    • Notes:

Principal pattern of life (open-source observable only)

  • [habitual schedule item]:
  • [social-media geo-leak or check-in observed]:
  • Anomalies / deviations noted:

03 · Routes & Movement

Predictable movement corridors and schedule-driven exposure windows - the attack surface in transit. → feeds §11 Protectee Exposure Surface, §20 Protective & Mitigation Measures.

Route legs

Clone per leg.

  • [leg - e.g. home → office, weekday 08:00–08:30]
    • Departure point:
    • Destination:
    • Mode:
    • Typical timing:
    • Chokepoints:
    • Alternate routes identified:
    • Threat-node knowledge of this route: [Y/N/Unk]
    • Notes:

Upcoming travel / events (fixed-exposure windows)

  • [event - e.g. public appearance / conference / travel leg]
    • Date / time:
    • Location / venue:
    • Public / semi-public / private:
    • Threat-node awareness: [Y/N/Unk]
    • Notes:

04 · Threat Actors & Persons of Interest

Full inventory of all actors assessed - the node catalogue behind §5 Threat-Network Frame & Composition. Each threat actor also drives a per-actor block in §09 below. → feeds §5, §6, §7, §8, §9, §10, §13, §14.

Threat-network node inventory

One block per actor. Clone per node.

  • [Node ID - e.g. N-1 / actor name or designation]
    • Node type: [person / org / place / event / resource]
    • Category: [threat / neutral / friendly / unknown]
    • Role in network:
    • Relationship to principal: [former employee / intimate / litigant / stranger-fixated / ideological / unknown]
    • Source grade: [A–F / 1–8]
    • Notes / raw data:

Persons of interest (not yet categorized)

  • [name / designation]
    • Why flagged:
    • Category determination pending:
    • Notes:

Actor selectors - identity resolution

Clone per actor selector. Run standard identity-resolution pivot. → feeds §5 node table, §9 per-actor blocks.

  • [handle / email / phone - e.g. threat_handle_01]
    • Actor node: [N-x]
    • Platforms / where found (URL):
    • Linked email(s):
    • Linked phone(s):
    • Other accounts reusing it:
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Notes / tool output: ← (idcrawl, sherlock, whatsmyname, holehe, h8mail)
  • [email - e.g. actor@domain.com]
    • Actor node: [N-x]
    • Linked accounts (acct discovery):
    • Breach / paste appearances:
    • Where found (source + URL):
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Notes / tool output: ← (holehe, h8mail, hunter.io)

Entity / org nodes

Clone per entity node.

  • [entity name - e.g. org / group / page]
    • Node ID: [N-x]
    • Jurisdiction / registration:
    • Registry check: ← (OpenCorporates, state/national registries)
    • Domains / online presence: ← (whois, crt.sh)
    • Links to threat actors:
    • Notes:

05 · Threat Landscape - Incidents, History & Online Chatter

Background threat environment, prior incidents, and the online-chatter picture that contextualizes the network. → feeds §9 Per-Actor Threat Characterization (Warning Behaviors, Pathway), §16 Escalation Indicators & Tripwires.

Prior incidents / communications involving the principal

Clone per incident.

  • [incident / communication - e.g. threatening letter received YYYY-MM-DD]
    • Date:
    • Nature / content:
    • Actor attributed: [N-x / unknown]
    • Source / evidence ref:
    • Analytic confidence: [H/M/L]
    • Notes:

Online chatter - social media monitoring

Monitor for keywords: principal name + variants, location, upcoming events, threat language. Tools: CrowdTangle (if available), manual search, Google Alerts, social-media search operators.

  • [platform - e.g. X / Reddit / Telegram / Facebook Group / forum]
    • Keywords monitored:
    • Posts / threads found (URL + date):
    • Actor attributed: [N-x / anonymous / unknown]
    • Concern level: [High / Moderate / Low / None]
    • Notes / screenshot ref:

Historical threat context

  • Similar cases / precedents relevant to this principal type:
  • Applicable threat environment (sector / geography / ideological):
  • Notes:

06 · Vulnerabilities & Attack Surface

The gaps and exposures a threat actor could exploit - the CV column of the CFA. → feeds §10 Critical Factors Analysis (CC/CR/CV table), §11 Protectee Exposure Surface, §13 Engagement-Option Matrix.

Digital / information exposure

  • Principal PII in data-broker records: ← (people-search engines: Spokeo, Whitepages, BeenVerified)
  • Home address publicly accessible:
  • Routine/schedule inferrable from social media:
  • Vehicle / plate publicly linked to principal:
  • Credential / breach exposure: ← (h8mail, HaveIBeenPwned, dehashed)
  • Dark-web mentions / doxing: ← (OSINT-058 dark-web exposure feed)

Physical / access vulnerabilities

  • Residence security posture:
  • Workplace access controls:
  • Predictable route / schedule exposure:
  • Public appearance schedule publicly listed:
  • Insider-access exposure (household / staff with threat-actor links):

CFA - Critical Factors (per threat node)

Clone per threat actor / node. → feeds §10 CFA table.

  • [Node N-x]
    • Objective:
    • Critical Capability (CC):
    • Critical Requirement (CR):
    • Specific Activity:
    • Critical Vulnerability (CV):
    • Recommended lawful action (→ §13):
    • Notes:

07 · Local Environment - Security, Medical, LE & Infrastructure

Third-party capabilities and resources at the principal’s fixed-exposure locations that inform protective planning. → feeds §11 Protectee Exposure Surface (residual exposure), §20 Protective & Mitigation Measures.

Law-enforcement resources

  • [jurisdiction - e.g. city/county/federal]
    • LE agency with jurisdiction:
    • Response time estimate:
    • Prior contact / coordination established: [Y/N]
    • Notes:

Medical facilities

  • [location - e.g. nearest trauma center to residence]
    • Facility name / address:
    • Level / capability:
    • Distance / ETA:
    • Notes:

Private security / venue security

  • [venue or route segment]
    • Security presence / type:
    • Access-control measures in place:
    • Gaps identified:
    • Notes:

Infrastructure (communications, utilities at key locations)

  • Communications redundancy at primary residence:
  • Power / backup at primary location:
  • Notes:

08 · Digital & Social Signals

Actor online behavior, communications to/about the principal, and social-media indicators that feed warning-behavior coding. → feeds §9 Per-Actor Threat Characterization (Behavioral Warning Indicators, Pathway), §16 Escalation Indicators & Tripwires.

Actor social-media accounts

Clone per actor account. Attribution is a judgment - grade it.

  • [platform - e.g. X / Facebook / Telegram / Reddit / YouTube / TikTok]
    • Actor node: [N-x]
    • Handle / URL:
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Status: [Active / Dormant]
    • Relevant content summary (grievance / fixation / leakage / pathway indicators):
    • Dates of relevant posts:
    • Warning behaviors observed:
    • Notes / screenshot refs: ← (manual search, Google cache, Wayback Machine, Maltego)

Direct communications to/about the principal

Clone per communication instance.

  • [communication - e.g. threatening email received YYYY-MM-DD]
    • Actor attributed: [N-x / unknown]
    • Channel: [email / letter / DM / voicemail / in-person]
    • Content summary:
    • Tone / escalation vs. prior:
    • Pathway stage indicated:
    • Warning behaviors present:
    • Evidence ref:

Actor-to-actor communications (network coordination signals)

  • [pair: N-x ↔ N-y]
    • Channel:
    • Nature of communication:
    • Source / evidence:
    • Notes:

Dark-web / closed-forum signals

  • Actor mentions / posts on dark-web forums: ← (→ OSINT-058 dark-web exposure feed)
  • Dox posts targeting principal:
  • Marketplace activity relevant to threat (weapons / logistics):
  • Notes:

09 · Indicators & Warnings - Per-Actor Behavioral Assessment

The behavioral structured-professional-judgment data collection for each threat node. Maps directly to §9 Per-Actor Threat Characterization (Warning Behaviors, Pathway-to-Violence, Capability/Access, Intent, Threat Classification). Clone the full block per threat actor.

Actor [N-x] - Behavioral Data Collection

→ feeds §9 Per-Actor Threat Characterization. Clone this entire block per threat actor identified in §04.

Actor–Principal Nexus (collected evidence)

  • Relationship to principal:
  • Grievance - nature & origin:
  • Fixation / preoccupation evidence:
  • Identification indicators (warrior mentality / prior-attacker emulation / weapons affinity):
  • Contact / communication history (frequency, tone, escalation):
  • Prior protective / legal actions:
  • Notes:

TRAP-18 Proximal Warning Behaviors (evidence collection)

For each behavior: Present / Absent / Unknown - record observed evidence and source grade. → feeds §9 Behavioral Warning Indicators table.

  • Pathway (research, planning, preparation, attack-related behavior)
    • Status: [Present / Absent / Unknown]
    • Observed evidence:
    • Source grade: [A–F / 1–8]
  • Fixation (increasing preoccupation with person/cause)
    • Status: [Present / Absent / Unknown]
    • Observed evidence:
    • Source grade:
  • Identification (warrior / pseudo-commando / weapons affinity / prior-attacker emulation)
    • Status: [Present / Absent / Unknown]
    • Observed evidence:
    • Source grade:
  • Novel aggression (unrelated act of violence to test capacity)
    • Status: [Present / Absent / Unknown]
    • Observed evidence:
    • Source grade:
  • Energy burst (increase in activity related to target)
    • Status: [Present / Absent / Unknown]
    • Observed evidence:
    • Source grade:
  • Leakage (communication to third party of intent to harm)
    • Status: [Present / Absent / Unknown]
    • Observed evidence:
    • Source grade:
  • Last resort (violent action / time imperative / no other option)
    • Status: [Present / Absent / Unknown]
    • Observed evidence:
    • Source grade:
  • Directly communicated threat
    • Status: [Present / Absent / Unknown]
    • Observed evidence:
    • Source grade:
  • Warning-behavior summary (clustering, recency, acceleration):

Pathway-to-Violence Stage Evidence

Locate the actor on the pathway. → feeds §9 Pathway-to-Violence table.

  • Stage 1 - Grievance
    • Behavioral evidence:
    • Observed: [Y/N/Unk]
    • Source grade:
  • Stage 2 - Ideation (violence as solution)
    • Behavioral evidence:
    • Observed: [Y/N/Unk]
    • Source grade:
  • Stage 3 - Research / planning (target, methods, surveillance)
    • Behavioral evidence:
    • Observed: [Y/N/Unk]
    • Source grade:
  • Stage 4 - Preparation (acquisition, rehearsal, logistics)
    • Behavioral evidence:
    • Observed: [Y/N/Unk]
    • Source grade:
  • Stage 5 - Breach / probing (approach, security testing)
    • Behavioral evidence:
    • Observed: [Y/N/Unk]
    • Source grade:
  • Stage 6 - Attack
    • Behavioral evidence:
    • Observed: [Y/N/Unk]
    • Source grade:
  • Furthest stage evidenced:
  • Direction / velocity of movement:
  • Pathway assessment:

Capability, Access & Opportunity (collected evidence)

  • Weapons access / acquisition:
  • Relevant skills / training:
  • Physical proximity / access to principal:
  • Knowledge of principal patterns / locations:
  • Opportunity (upcoming events / exposure windows):

Intent, Motivation & Grievance (collected evidence)

  • Stated intent (explicit / implicit):
  • Instrumental vs. expressive characterization:
  • Motivation / driver (revenge / ideology / intimacy / notoriety / despair):
  • Last-resort / desperation indicators:
  • Suicidality / murder-suicide indicators:

→ feeds §6 Link Analysis & Association Matrix, §7 SNA / Key-Node Ranking, §8 Critical & Nexus Nodes.

  • [link: N-x → [relationship / activity] → N-y or connecting event/place/resource]
    • Strength: [Known / Suspected]
    • Source grade:
    • Notes:
  • Centrality estimate (degree / betweenness / closeness):
  • Key-node designation: [hub / broker / peripheral / nexus-spanner]

Threat Classification - SPJ Determination (working notes)

  • Poses vs. makes a threat (working judgment):
  • Hunter vs. Howler:
  • Working threat level: [Minimal / Low / Moderate / High / Imminent]
  • Determination rationale notes:
  • Notes / tool output:

99 · Collection Admin

Working register - the audit trail behind the deliverable. Not a deliverable section but the foundation for §21 Annex A Sources, Methodology & Doctrinal Basis and §22 Annexes (B–H).

Source register

Every material datum traceable to a graded source. Admiralty A–F reliability / ATP 2-22.9 1–8 credibility. New sources default F/8.

  • [S-1 - source name / description]
    • Type: [Primary / Secondary / Authoritative / Non-auth.]
    • Reliability (A–F):
    • Credibility (1–8):
    • Date accessed:
    • URL / reference:

Evidence archive

Capture ref, hash, URL, and timestamp for every preserved screenshot or document. → feeds §22 Annex F.

  • [capture ref + hash + URL + timestamp]:
  • [node pair: N-x ↔ N-y - relationship - solid/dashed]:

Behavioral timeline (per actor - for Annex C)

Chronological log of grievance, communications, warning behaviors - dated and graded. → feeds §22 Annex C.

  • [N-x - YYYY-MM-DD - event / behavior / communication]:

Open gaps / verification pending

Carry open items forward to §19 Collection Gaps & RFIs in the deliverable.

  • [item - description and impact on assessment if unresolved]

Running RFIs