[PRINCIPAL / CASE] - Collection Map

OSINT-052 Threat Case Assessment & Management (TAM) - collection workspace. Central topic = the principal (protectee) and the active threat case surrounding them. Branches = data-point categories for tracking threat actors, management actions, and risk evolution. Drop each collected value as a child node; expand it with where it was found and what it links to. Paste raw tool output into the node’s Notes. → feeds deliverable OSINT-052.

00 · Collection Plan - PIRs & EEIs

The questions this collection must answer + the essential elements of information (EEI) for each. Tick as satisfied. → drives §3 Key Judgments, §4 PIRs, §13 Verified Findings Summary, §16 Collection Gaps & Intelligence Requirements.

PIR-1 - Pathway Escalation: Has any threat node escalated along the pathway to violence since the last assessment?

  • EEI: current pathway stage (grievance / ideation / research / planning / preparation / probing / attack) per active node
  • EEI: new warning behaviors or leakage indicators since last version date
  • EEI: changes in node communications - content, frequency, tone, target specificity
  • EEI: acquisition of weapons, materials, or capability relevant to the assessed threat modality
  • EEI: approach or probing behavior at principal locations, routes, or workplace

PIR-2 - Management Effectiveness: Are current management actions having a measurable effect on any node’s behavior?

  • EEI: observed behavioral change per node since management action(s) applied
  • EEI: legal-remedy status (TRO / restraining order in effect? violations?)
  • EEI: law-enforcement referral status and outcome
  • EEI: relationship-management / de-escalation actions - node’s response observable in open sources

PIR-3 - Network Change: Has any new actor entered the threat network or has any existing node changed its relationship to the principal?

  • EEI: new individuals communicating threats or expressing fixation on the principal
  • EEI: existing nodes’ stated relationships or grievance vectors - any shift?
  • EEI: insider-threat indicators among staff, household, or close-access personnel
  • EEI: alliances or coordination signals between nodes (shared posts, co-signatories, known associates)

PIR-4 - Opportunity & Access Windows: Do any threat nodes have current access or opportunity to approach the principal?

  • EEI: node’s known proximity to principal locations (home / office / travel routes)
  • EEI: public-calendar or media-exposure windows that advertise principal location in advance
  • EEI: changes in principal protective posture that could open access

PIR-5 - Tripwires: Have any pre-defined escalation or de-escalation tripwires (§10) been triggered?

  • EEI: observable indicators listed in §10 Escalation / De-Escalation Criteria checked against current intelligence
  • EEI: case-closure criteria assessed - any criteria met?

Collection gaps / RFIs (running)

  • [open item - e.g., identity of anonymous message sender] → route to analyst / §16
  • [open item - e.g., node current address unconfirmed] → route to §16

01 · Principal / Protectee & Case Identity

Who the principal is and the governing parameters of the case. Anchors the case file. → feeds §2 Executive Summary (Case Origin), §5 Case Overview & Chronology, Document Control table.

Principal identity

  • Full name / role:
  • Known public profile (public figure / HNW individual / executive / other):
  • Primary location(s) (home / work):
  • Known public-calendar footprint:
  • Source of public-facing exposure (social media / press / corporate comms):

Case parameters

  • Case reference:
  • Case opened (date + triggering event):
  • Governing assessments consumed (PIA ref / HSVA ref):
  • Case owner / threat manager:
  • Case status at this version: [Active / Monitoring / Closed]
  • Current case risk level: [Minimal / Low / Moderate / High / Imminent]
  • Next scheduled review:

Case history snapshot

  • Days since last significant event:
  • Primary grievance vector (shared driver across threat network):
  • Insider-threat nexus present: [Y / N]
  • Number of active management nodes:
  • Number of monitored nodes:

02 · Venue & Geography - Principal’s Environment

Physical and geographic picture of the principal’s environment: home, workplace, frequented locations, travel patterns. → feeds §5 Case Overview (Chronology), §10 Escalation/De-escalation Criteria (access/opportunity), Annex B Network Link Chart.

Principal locations

  • [location - e.g., primary residence]
    • Address / area (non-specific):
    • Ingress / egress points (public knowledge):
    • Publicly visible from street / accessible: [Y / N / Partial]
    • Security posture (observable):
    • Known to which nodes: [Node IDs]
    • Notes / tool output:
  • [location - e.g., workplace / office]
    • Address / area:
    • Ingress / egress (public knowledge):
    • Publicly visible / accessible: [Y / N / Partial]
    • Known to which nodes: [Node IDs]
    • Notes / tool output:

Public-facing calendar / events

  • [event - e.g., public appearance / conference / known travel]
    • Date / time window:
    • Location:
    • Advance notice in public domain (Y / N, source):
    • Risk relevance (which nodes may have knowledge):
    • Notes:

Geographic overlap with threat nodes

  • [node ID - proximity assessment]
    • Node’s known location relative to principal:
    • Distance / access time estimate:
    • Source:

03 · Routes & Movement

Principal’s known movement patterns - commute, travel, routine. Seed one block per route/leg; clone per leg. → feeds §9 Dynamic Risk Register (access/opportunity scoring), §10 Escalation/De-Escalation Criteria.

[Route / leg - e.g., home-to-office commute]

  • Mode(s): [Vehicle / foot / transit]
  • Timing window (observable from open sources):
  • Chokepoints / fixed points:
  • Publicly predictable: [Y / N / Partially]
  • Known to which nodes: [Node IDs]
  • Observable advance notice (posted / social / news):
  • Notes / tool output:

[Route / leg 2 - e.g., frequent travel destination]

  • Mode(s):
  • Timing window:
  • Chokepoints / fixed points:
  • Publicly predictable: [Y / N / Partially]
  • Known to which nodes:
  • Notes:

Travel / mobility anomalies

  • [observed departure from routine]:
  • Advance-notice exposure in open source:

04 · Threat-Actor Register - Nodes

Every threat actor in the case. Seed one block per node; clone per node. Drawn from the governing PIA and updated with new intelligence each version. → feeds §6 Threat-Actor Register, §7 Management-Action Log, §8 Management-Effectiveness Assessment, §9 Dynamic Risk Register, Annex C Behavioral Timeline.

[Node ID - e.g., N-1 - Actor name / handle]

  • Actor full name / AKA / handle:
  • Relationship to principal:
  • Primary grievance / driver:
  • Current pathway stage: [Grievance / Ideation / Research / Planning / Preparation / Probing / Attack]
  • Current threat level: [Minimal / Low / Moderate / High / Imminent]
  • Management lane: [Active management / Monitoring / Inactive]
  • Selectors confirmed: [email / phone / username / social media - list]
    • [email - e.g., actor@domain.com]
      • Linked accounts (acct discovery):
      • Breach / paste appearances:
      • Where found (source + URL):
      • Attribution confidence: [Confirmed / Probable / Possible]
      • Notes / tool output: ← holehe, h8mail, hunter.io
    • [username / handle]
      • Platforms / where found (URL):
      • Linked email(s):
      • Other accounts reusing it:
      • Attribution confidence: [Confirmed / Probable / Possible]
      • Notes / tool output: ← idcrawl, sherlock, whatsmyname
    • [phone number]
      • Type / carrier: [mobile / VoIP / landline]
      • Linked apps / accounts:
      • Where found:
      • Notes / tool output: ← truecaller, carrier lookup
  • Known location / proximity to principal:
  • Most recent threat-related activity (date + description):
  • Warning behaviors observed (list, dated):
  • Capability indicators:
  • Access / opportunity to principal: [None confirmed / Limited / Significant]
  • Management actions applied (Action IDs):
  • Risk score (L × I):
  • Last updated:
  • Notes / tool output:

[Node ID - N-2]

  • Actor full name / AKA / handle:
  • Relationship to principal:
  • Primary grievance / driver:
  • Current pathway stage:
  • Current threat level:
  • Management lane:
  • Selectors confirmed:
  • Known location / proximity:
  • Most recent threat-related activity:
  • Warning behaviors observed:
  • Risk score (L × I):
  • Last updated:
  • Notes / tool output:

05 · Threat Landscape - Incident History & Online Chatter

Documented threat communications, approach attempts, significant incidents, and ambient online chatter directed at or relevant to the principal. → feeds §5 Case Overview & Chronology (Significant Events Timeline), §3 Key Judgments, §9 Dynamic Risk Register.

Threat communications log

  • [communication - e.g., letter / email / social-media post / voicemail]
    • Date received:
    • Channel:
    • Node attributed: [Node ID / Unknown]
    • Content summary (verbatim excerpt if short):
    • Intent specificity: [Expressive / Threatening / Instrumental / Specific target/plan]
    • Evidence preserved (Y / N, archive ref):
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Source grade: [A–F / 1–8]
    • Notes:

Approach / probing incidents

  • [incident - e.g., node appeared at principal workplace]
    • Date:
    • Location:
    • Node: [Node ID]
    • Description:
    • Witnessed by / source:
    • Law-enforcement report: [Y / N, case #]
    • Source grade:
    • Notes:

Online chatter / open-source monitoring

→ feeds §4 PIR-1 (escalation), §10 Tripwires. Tools: Google alerts, social-media search, keyword monitoring.

  • [platform / source - e.g., X / Reddit / forum]
    • Search terms / keywords monitored:
    • Relevant posts / threads (URL + date):
    • Node(s) associated: [Node ID / Unknown]
    • Significance:
    • Notes / tool output:

Historical incidents (pre-case)

  • [prior incident]
    • Date:
    • Type:
    • Outcome / disposition:
    • Relevance to current case:

06 · Vulnerabilities & Attack Surface

Factors that increase the principal’s exposure to threat actors: access opportunities, predictable routines, digital exposure, insider-threat nexus. → feeds §9 Dynamic Risk Register (Impact scoring), §10 Escalation/De-escalation Criteria, §17 Recommendations.

Physical-access vulnerabilities

  • [vulnerability - e.g., unescorted public appearances]
    • Nature / mechanism:
    • Relevant nodes: [Node IDs]
    • Likelihood node exploits it (L/M/H):
    • Notes:

Digital / information-exposure vulnerabilities

  • [vulnerability - e.g., principal’s home address in public records / social media geotag]
    • Nature:
    • Source (data broker / social / news):
    • Remediation status: [Open / Mitigated / Closed]
    • Notes / tool output: ← data-broker search: spokeo, whitepages, fastpeoplesearch

Predictability / routine vulnerabilities

  • [vulnerability - e.g., publicly posted schedule]
    • Nature:
    • Where published / observable:
    • Relevant nodes:
    • Notes:

Insider-threat indicators

  • [indicator - e.g., staff member with expressed grievance / recent termination / unusual access]
    • Individual (codename / ref only):
    • Indicator type:
    • Basis / source:
    • Risk: [Low / Moderate / High]
    • Notes:

07 · Local Environment - Security, Medical & Law Enforcement

The security and emergency-response landscape around the principal’s primary locations and operational area. → feeds §11 Stakeholder Coordination & Communication Plan, §12 Resource Requirements, §17 Recommendations.

Law-enforcement contacts & relationships

  • [LE agency / liaison]
    • Jurisdiction:
    • Point of contact (role, not name here):
    • Active referrals / cases: [Y / N, case #]
    • Response-time estimate:
    • Notes:
  • [legal instrument - e.g., TRO / restraining order / stalking injunction]
    • Node covered: [Node ID]
    • Jurisdiction / case #:
    • Issued date / expiry:
    • Violations recorded: [Y / N, date + action]
    • Notes:

Medical / emergency resources

  • [resource - e.g., nearest trauma center / EMS response area]
    • Location / coverage:
    • Notes:

Physical-security measures in place (observable / known)

  • [measure - e.g., residential security system / access control / protective detail]
    • Status: [Active / Partial / Absent]
    • Gap:
    • Notes:

Stakeholders - coordination register

→ feeds §11 Stakeholder Coordination & Communication Plan.

  • [stakeholder - e.g., client / protective detail / legal counsel / household]
    • Role in case:
    • Information need:
    • Communication cadence:
    • Point of contact confirmed: [Y / N]
    • Notes:

08 · Digital & Social Signals

Open-source monitoring of threat actors and the principal’s digital exposure. Seeds recurring search tasks. → feeds §4 PIRs (escalation / network change), §5 Chronology, §9 Risk Register, §16 Collection Gaps.

Node digital footprint - per node

Clone block per node. Informs pathway-stage assessment and escalation indicators.

  • [Node ID - digital profile]
    • Social media accounts (platform + handle + URL):
      • Status: [Active / Dormant / Deleted]
      • Last post date:
      • Relevant content (escalation / fixation / leakage):
      • Notes / tool output: ← social-search: social-searcher.com, tweetdeck, Intelius
    • Forums / dark-web / fringe platforms:
      • Platform:
      • Handle:
      • Relevant posts:
      • Notes:
    • Domain / website:
      • Registrant / WHOIS: ← whois, whoisxmlapi.com, SecurityTrails
      • Hosting / IP:
      • Notes:
    • Breach / paste exposure:
      • Source:
      • Date observed:
      • Significance:

Principal digital-exposure monitoring

  • [principal’s data-broker / public-record exposure]
    • Sources checked: ← spokeo, whitepages, fastpeoplesearch, been-verified, Intelius
    • Sensitive data found (address / phone / associates):
    • Remediation request filed: [Y / N / In progress]
    • Notes:
  • [principal’s social media / press exposure]
    • Platforms with location-revealing content:
    • Scheduled-appearance announcements found:
    • Action taken:

Keyword / alert monitoring

  • [keyword / phrase - e.g., principal’s name + threat language]
    • Monitoring tool / method: ← Google Alerts, Mention, TalkWalker, social-searcher.com
    • Alert frequency:
    • Results since last version:
    • Notes:

09 · Indicators & Warnings

Pre-defined and emerging indicators that a threat node is advancing along the pathway or that a tripwire (§10) is approaching. Seed one block per indicator; clone per indicator as they emerge. → feeds §10 Escalation/De-escalation Criteria & Tripwires, §3 Key Judgments, §4 PIRs, §16 Collection Gaps.

[Indicator - e.g., weapon acquisition by node]

  • Indicator type: [Escalation / De-escalation / Tripwire / Opportunity window]
  • Node(s) implicated: [Node ID(s)]
  • Observable proxy (what to look for in OSINT):
  • Current status: [Not observed / Possible / Probable / Confirmed]
  • Date first observed:
  • Source grade: [A–F / 1–8]
  • Tripwire triggered (§10): [Y / N]
  • Required response if confirmed:
  • Notes / tool output:

[Indicator - e.g., node proximity escalation - approach to principal location]

  • Indicator type:
  • Node(s) implicated:
  • Observable proxy:
  • Current status:
  • Date first observed:
  • Source grade:
  • Tripwire triggered (§10): [Y / N]
  • Required response if confirmed:
  • Notes:

[Indicator - e.g., new violent / specific-target content in node communications]

  • Indicator type:
  • Node(s) implicated:
  • Observable proxy:
  • Current status:
  • Date first observed:
  • Source grade:
  • Tripwire triggered (§10): [Y / N]
  • Required response if confirmed:
  • Notes:
  • Indicator type: [De-escalation]
  • Node(s) implicated:
  • Observable proxy:
  • Current status:
  • Duration observed:
  • Source grade:
  • Management implication: [Consider downgrade to monitoring / de-escalation criteria met?]
  • Notes:

99 · Collection Admin

Working register - not a deliverable section, but the audit trail behind every finding. → feeds §18 Annex A (Source Register & Source Evaluation), Annex E Source Index, Annex F Evidence Archive.

Source register

Every material datum traceable to a graded source. Admiralty A–F reliability / ATP 2-22.9 1–8 credibility.

  • [S-1 - source]
    • Type: [Primary / Secondary / Tertiary]
    • Role: [Authoritative / Non-authoritative]
    • Reliability (A–F):
    • Credibility (1–8):
    • Date accessed:
    • Notes:
  • [S-2 - source]
    • Type:
    • Reliability (A–F):
    • Credibility (1–8):
    • Date accessed:
    • Notes:

Evidence archive

Preserve every material item with hash, URL, and timestamp. → feeds §19 Annex F.

  • [item ref - e.g., screenshot of node social-media post]
    • Archive ref / filename:
    • SHA-256 hash:
    • URL / source:
    • Timestamp (UTC):
    • Chain of custody note:

Management-action log - collection tracking

Mirror of §7 pending actions requiring collection support.

  • [Action ID - collection task]
    • Action:
    • Node targeted: [Node ID]
    • Collection method:
    • Assigned to:
    • Due date:
    • Status: [Not started / In progress / Complete]

Open gaps / verification pending

Carry to §16 Collection Gaps & Intelligence Requirements in the deliverable.

  • [item - e.g., node N-2 current address unconfirmed] → §16 HIGH
  • [item - e.g., identity of anonymous message sender] → §16 HIGH
  • [item - e.g., node N-1 weapon-acquisition indicator - no corroborating source] → §16 MOD

Version / cadence log

  • Current version:
  • Last full update:
  • Next scheduled review:
  • Trigger events since last version:
  • Collection OPSEC posture: [Managed-attribution - non-attributed egress, no login pivots into private space]