[PRINCIPAL / CASE] - Collection Map
OSINT-052 Threat Case Assessment & Management (TAM) - collection workspace. Central topic = the principal (protectee) and the active threat case surrounding them. Branches = data-point categories for tracking threat actors, management actions, and risk evolution. Drop each collected value as a child node; expand it with where it was found and what it links to. Paste raw tool output into the node’s Notes. → feeds deliverable OSINT-052.
00 · Collection Plan - PIRs & EEIs
The questions this collection must answer + the essential elements of information (EEI) for each. Tick as satisfied. → drives §3 Key Judgments, §4 PIRs, §13 Verified Findings Summary, §16 Collection Gaps & Intelligence Requirements.
PIR-1 - Pathway Escalation: Has any threat node escalated along the pathway to violence since the last assessment?
- EEI: current pathway stage (grievance / ideation / research / planning / preparation / probing / attack) per active node
- EEI: new warning behaviors or leakage indicators since last version date
- EEI: changes in node communications - content, frequency, tone, target specificity
- EEI: acquisition of weapons, materials, or capability relevant to the assessed threat modality
- EEI: approach or probing behavior at principal locations, routes, or workplace
PIR-2 - Management Effectiveness: Are current management actions having a measurable effect on any node’s behavior?
- EEI: observed behavioral change per node since management action(s) applied
- EEI: legal-remedy status (TRO / restraining order in effect? violations?)
- EEI: law-enforcement referral status and outcome
- EEI: relationship-management / de-escalation actions - node’s response observable in open sources
PIR-3 - Network Change: Has any new actor entered the threat network or has any existing node changed its relationship to the principal?
- EEI: new individuals communicating threats or expressing fixation on the principal
- EEI: existing nodes’ stated relationships or grievance vectors - any shift?
- EEI: insider-threat indicators among staff, household, or close-access personnel
- EEI: alliances or coordination signals between nodes (shared posts, co-signatories, known associates)
PIR-4 - Opportunity & Access Windows: Do any threat nodes have current access or opportunity to approach the principal?
- EEI: node’s known proximity to principal locations (home / office / travel routes)
- EEI: public-calendar or media-exposure windows that advertise principal location in advance
- EEI: changes in principal protective posture that could open access
PIR-5 - Tripwires: Have any pre-defined escalation or de-escalation tripwires (§10) been triggered?
- EEI: observable indicators listed in §10 Escalation / De-Escalation Criteria checked against current intelligence
- EEI: case-closure criteria assessed - any criteria met?
Collection gaps / RFIs (running)
- [open item - e.g., identity of anonymous message sender] → route to analyst / §16
- [open item - e.g., node current address unconfirmed] → route to §16
01 · Principal / Protectee & Case Identity
Who the principal is and the governing parameters of the case. Anchors the case file. → feeds §2 Executive Summary (Case Origin), §5 Case Overview & Chronology, Document Control table.
Principal identity
- Full name / role:
- Known public profile (public figure / HNW individual / executive / other):
- Primary location(s) (home / work):
- Known public-calendar footprint:
- Source of public-facing exposure (social media / press / corporate comms):
Case parameters
- Case reference:
- Case opened (date + triggering event):
- Governing assessments consumed (PIA ref / HSVA ref):
- Case owner / threat manager:
- Case status at this version: [Active / Monitoring / Closed]
- Current case risk level: [Minimal / Low / Moderate / High / Imminent]
- Next scheduled review:
Case history snapshot
- Days since last significant event:
- Primary grievance vector (shared driver across threat network):
- Insider-threat nexus present: [Y / N]
- Number of active management nodes:
- Number of monitored nodes:
02 · Venue & Geography - Principal’s Environment
Physical and geographic picture of the principal’s environment: home, workplace, frequented locations, travel patterns. → feeds §5 Case Overview (Chronology), §10 Escalation/De-escalation Criteria (access/opportunity), Annex B Network Link Chart.
Principal locations
- [location - e.g., primary residence]
- Address / area (non-specific):
- Ingress / egress points (public knowledge):
- Publicly visible from street / accessible: [Y / N / Partial]
- Security posture (observable):
- Known to which nodes: [Node IDs]
- Notes / tool output:
- [location - e.g., workplace / office]
- Address / area:
- Ingress / egress (public knowledge):
- Publicly visible / accessible: [Y / N / Partial]
- Known to which nodes: [Node IDs]
- Notes / tool output:
Public-facing calendar / events
- [event - e.g., public appearance / conference / known travel]
- Date / time window:
- Location:
- Advance notice in public domain (Y / N, source):
- Risk relevance (which nodes may have knowledge):
- Notes:
Geographic overlap with threat nodes
- [node ID - proximity assessment]
- Node’s known location relative to principal:
- Distance / access time estimate:
- Source:
03 · Routes & Movement
Principal’s known movement patterns - commute, travel, routine. Seed one block per route/leg; clone per leg. → feeds §9 Dynamic Risk Register (access/opportunity scoring), §10 Escalation/De-Escalation Criteria.
[Route / leg - e.g., home-to-office commute]
- Mode(s): [Vehicle / foot / transit]
- Timing window (observable from open sources):
- Chokepoints / fixed points:
- Publicly predictable: [Y / N / Partially]
- Known to which nodes: [Node IDs]
- Observable advance notice (posted / social / news):
- Notes / tool output:
[Route / leg 2 - e.g., frequent travel destination]
- Mode(s):
- Timing window:
- Chokepoints / fixed points:
- Publicly predictable: [Y / N / Partially]
- Known to which nodes:
- Notes:
Travel / mobility anomalies
- [observed departure from routine]:
- Advance-notice exposure in open source:
04 · Threat-Actor Register - Nodes
Every threat actor in the case. Seed one block per node; clone per node. Drawn from the governing PIA and updated with new intelligence each version. → feeds §6 Threat-Actor Register, §7 Management-Action Log, §8 Management-Effectiveness Assessment, §9 Dynamic Risk Register, Annex C Behavioral Timeline.
[Node ID - e.g., N-1 - Actor name / handle]
- Actor full name / AKA / handle:
- Relationship to principal:
- Primary grievance / driver:
- Current pathway stage: [Grievance / Ideation / Research / Planning / Preparation / Probing / Attack]
- Current threat level: [Minimal / Low / Moderate / High / Imminent]
- Management lane: [Active management / Monitoring / Inactive]
- Selectors confirmed: [email / phone / username / social media - list]
- [email - e.g., actor@domain.com]
- Linked accounts (acct discovery):
- Breach / paste appearances:
- Where found (source + URL):
- Attribution confidence: [Confirmed / Probable / Possible]
- Notes / tool output: ← holehe, h8mail, hunter.io
- [username / handle]
- Platforms / where found (URL):
- Linked email(s):
- Other accounts reusing it:
- Attribution confidence: [Confirmed / Probable / Possible]
- Notes / tool output: ← idcrawl, sherlock, whatsmyname
- [phone number]
- Type / carrier: [mobile / VoIP / landline]
- Linked apps / accounts:
- Where found:
- Notes / tool output: ← truecaller, carrier lookup
- [email - e.g., actor@domain.com]
- Known location / proximity to principal:
- Most recent threat-related activity (date + description):
- Warning behaviors observed (list, dated):
- Capability indicators:
- Access / opportunity to principal: [None confirmed / Limited / Significant]
- Management actions applied (Action IDs):
- Risk score (L × I):
- Last updated:
- Notes / tool output:
[Node ID - N-2]
- Actor full name / AKA / handle:
- Relationship to principal:
- Primary grievance / driver:
- Current pathway stage:
- Current threat level:
- Management lane:
- Selectors confirmed:
- Known location / proximity:
- Most recent threat-related activity:
- Warning behaviors observed:
- Risk score (L × I):
- Last updated:
- Notes / tool output:
05 · Threat Landscape - Incident History & Online Chatter
Documented threat communications, approach attempts, significant incidents, and ambient online chatter directed at or relevant to the principal. → feeds §5 Case Overview & Chronology (Significant Events Timeline), §3 Key Judgments, §9 Dynamic Risk Register.
Threat communications log
- [communication - e.g., letter / email / social-media post / voicemail]
- Date received:
- Channel:
- Node attributed: [Node ID / Unknown]
- Content summary (verbatim excerpt if short):
- Intent specificity: [Expressive / Threatening / Instrumental / Specific target/plan]
- Evidence preserved (Y / N, archive ref):
- Attribution confidence: [Confirmed / Probable / Possible]
- Source grade: [A–F / 1–8]
- Notes:
Approach / probing incidents
- [incident - e.g., node appeared at principal workplace]
- Date:
- Location:
- Node: [Node ID]
- Description:
- Witnessed by / source:
- Law-enforcement report: [Y / N, case #]
- Source grade:
- Notes:
Online chatter / open-source monitoring
→ feeds §4 PIR-1 (escalation), §10 Tripwires. Tools: Google alerts, social-media search, keyword monitoring.
- [platform / source - e.g., X / Reddit / forum]
- Search terms / keywords monitored:
- Relevant posts / threads (URL + date):
- Node(s) associated: [Node ID / Unknown]
- Significance:
- Notes / tool output:
Historical incidents (pre-case)
- [prior incident]
- Date:
- Type:
- Outcome / disposition:
- Relevance to current case:
06 · Vulnerabilities & Attack Surface
Factors that increase the principal’s exposure to threat actors: access opportunities, predictable routines, digital exposure, insider-threat nexus. → feeds §9 Dynamic Risk Register (Impact scoring), §10 Escalation/De-escalation Criteria, §17 Recommendations.
Physical-access vulnerabilities
- [vulnerability - e.g., unescorted public appearances]
- Nature / mechanism:
- Relevant nodes: [Node IDs]
- Likelihood node exploits it (L/M/H):
- Notes:
Digital / information-exposure vulnerabilities
- [vulnerability - e.g., principal’s home address in public records / social media geotag]
- Nature:
- Source (data broker / social / news):
- Remediation status: [Open / Mitigated / Closed]
- Notes / tool output: ← data-broker search: spokeo, whitepages, fastpeoplesearch
Predictability / routine vulnerabilities
- [vulnerability - e.g., publicly posted schedule]
- Nature:
- Where published / observable:
- Relevant nodes:
- Notes:
Insider-threat indicators
- [indicator - e.g., staff member with expressed grievance / recent termination / unusual access]
- Individual (codename / ref only):
- Indicator type:
- Basis / source:
- Risk: [Low / Moderate / High]
- Notes:
07 · Local Environment - Security, Medical & Law Enforcement
The security and emergency-response landscape around the principal’s primary locations and operational area. → feeds §11 Stakeholder Coordination & Communication Plan, §12 Resource Requirements, §17 Recommendations.
Law-enforcement contacts & relationships
- [LE agency / liaison]
- Jurisdiction:
- Point of contact (role, not name here):
- Active referrals / cases: [Y / N, case #]
- Response-time estimate:
- Notes:
Legal remedies in effect
- [legal instrument - e.g., TRO / restraining order / stalking injunction]
- Node covered: [Node ID]
- Jurisdiction / case #:
- Issued date / expiry:
- Violations recorded: [Y / N, date + action]
- Notes:
Medical / emergency resources
- [resource - e.g., nearest trauma center / EMS response area]
- Location / coverage:
- Notes:
Physical-security measures in place (observable / known)
- [measure - e.g., residential security system / access control / protective detail]
- Status: [Active / Partial / Absent]
- Gap:
- Notes:
Stakeholders - coordination register
→ feeds §11 Stakeholder Coordination & Communication Plan.
- [stakeholder - e.g., client / protective detail / legal counsel / household]
- Role in case:
- Information need:
- Communication cadence:
- Point of contact confirmed: [Y / N]
- Notes:
08 · Digital & Social Signals
Open-source monitoring of threat actors and the principal’s digital exposure. Seeds recurring search tasks. → feeds §4 PIRs (escalation / network change), §5 Chronology, §9 Risk Register, §16 Collection Gaps.
Node digital footprint - per node
Clone block per node. Informs pathway-stage assessment and escalation indicators.
- [Node ID - digital profile]
- Social media accounts (platform + handle + URL):
- Status: [Active / Dormant / Deleted]
- Last post date:
- Relevant content (escalation / fixation / leakage):
- Notes / tool output: ← social-search: social-searcher.com, tweetdeck, Intelius
- Forums / dark-web / fringe platforms:
- Platform:
- Handle:
- Relevant posts:
- Notes:
- Domain / website:
- Registrant / WHOIS: ← whois, whoisxmlapi.com, SecurityTrails
- Hosting / IP:
- Notes:
- Breach / paste exposure:
- Source:
- Date observed:
- Significance:
- Social media accounts (platform + handle + URL):
Principal digital-exposure monitoring
- [principal’s data-broker / public-record exposure]
- Sources checked: ← spokeo, whitepages, fastpeoplesearch, been-verified, Intelius
- Sensitive data found (address / phone / associates):
- Remediation request filed: [Y / N / In progress]
- Notes:
- [principal’s social media / press exposure]
- Platforms with location-revealing content:
- Scheduled-appearance announcements found:
- Action taken:
Keyword / alert monitoring
- [keyword / phrase - e.g., principal’s name + threat language]
- Monitoring tool / method: ← Google Alerts, Mention, TalkWalker, social-searcher.com
- Alert frequency:
- Results since last version:
- Notes:
09 · Indicators & Warnings
Pre-defined and emerging indicators that a threat node is advancing along the pathway or that a tripwire (§10) is approaching. Seed one block per indicator; clone per indicator as they emerge. → feeds §10 Escalation/De-escalation Criteria & Tripwires, §3 Key Judgments, §4 PIRs, §16 Collection Gaps.
[Indicator - e.g., weapon acquisition by node]
- Indicator type: [Escalation / De-escalation / Tripwire / Opportunity window]
- Node(s) implicated: [Node ID(s)]
- Observable proxy (what to look for in OSINT):
- Current status: [Not observed / Possible / Probable / Confirmed]
- Date first observed:
- Source grade: [A–F / 1–8]
- Tripwire triggered (§10): [Y / N]
- Required response if confirmed:
- Notes / tool output:
[Indicator - e.g., node proximity escalation - approach to principal location]
- Indicator type:
- Node(s) implicated:
- Observable proxy:
- Current status:
- Date first observed:
- Source grade:
- Tripwire triggered (§10): [Y / N]
- Required response if confirmed:
- Notes:
[Indicator - e.g., new violent / specific-target content in node communications]
- Indicator type:
- Node(s) implicated:
- Observable proxy:
- Current status:
- Date first observed:
- Source grade:
- Tripwire triggered (§10): [Y / N]
- Required response if confirmed:
- Notes:
[Indicator - e.g., de-escalation - sustained period of no threat-related activity]
- Indicator type: [De-escalation]
- Node(s) implicated:
- Observable proxy:
- Current status:
- Duration observed:
- Source grade:
- Management implication: [Consider downgrade to monitoring / de-escalation criteria met?]
- Notes:
99 · Collection Admin
Working register - not a deliverable section, but the audit trail behind every finding. → feeds §18 Annex A (Source Register & Source Evaluation), Annex E Source Index, Annex F Evidence Archive.
Source register
Every material datum traceable to a graded source. Admiralty A–F reliability / ATP 2-22.9 1–8 credibility.
- [S-1 - source]
- Type: [Primary / Secondary / Tertiary]
- Role: [Authoritative / Non-authoritative]
- Reliability (A–F):
- Credibility (1–8):
- Date accessed:
- Notes:
- [S-2 - source]
- Type:
- Reliability (A–F):
- Credibility (1–8):
- Date accessed:
- Notes:
Evidence archive
Preserve every material item with hash, URL, and timestamp. → feeds §19 Annex F.
- [item ref - e.g., screenshot of node social-media post]
- Archive ref / filename:
- SHA-256 hash:
- URL / source:
- Timestamp (UTC):
- Chain of custody note:
Management-action log - collection tracking
Mirror of §7 pending actions requiring collection support.
- [Action ID - collection task]
- Action:
- Node targeted: [Node ID]
- Collection method:
- Assigned to:
- Due date:
- Status: [Not started / In progress / Complete]
Open gaps / verification pending
Carry to §16 Collection Gaps & Intelligence Requirements in the deliverable.
- [item - e.g., node N-2 current address unconfirmed] → §16 HIGH
- [item - e.g., identity of anonymous message sender] → §16 HIGH
- [item - e.g., node N-1 weapon-acquisition indicator - no corroborating source] → §16 MOD
Version / cadence log
- Current version:
- Last full update:
- Next scheduled review:
- Trigger events since last version:
- Collection OPSEC posture: [Managed-attribution - non-attributed egress, no login pivots into private space]