[PRINCIPAL / SUBJECT NAME] - Collection Map
OSINT-056 Doxxing Vulnerability / Attack-Surface Assessment - collection workspace. Central topic = the principal under assessment. Branches = data-point categories for modeling doxxing vulnerability, adversary pathways, and defensive posture. Drop each collected value as a child node; expand it with where it was found and tool output. This workspace CONSUMES the Digital Footprint & Exposure Assessment (OSINT-055) by reference - do not re-enumerate the full baseline footprint here. Focus on doxxing-specific reanalysis. → feeds deliverable OSINT-056.
00 · Collection Plan - PIRs & EEIs
The questions this collection must answer and the essential elements of information (EEI) for each. Tick as satisfied. → drives §3 Key Judgments, §4 PIRs, §9 Attack Pathway Modeling, §14 Doxxing Vulnerability Register, §19 Collection Gaps.
PIR-1 - What realistic attack pathways exist by which an adversary could compose and release the principal’s PII to a targeted audience?
- EEI: identity of the adversary tier(s) relevant to the principal’s profile (low / moderate / high)
- EEI: collection methods each adversary tier would use against this principal
- EEI: publication channels / venues each adversary tier prefers
- EEI: 3–5 distinct pathways modeled (differ in adversary profile, collection cost, or harm type)
- EEI: which single exposure item appears in the most pathways (highest-leverage remediation)
PIR-2 - What specific exposures are the critical enablers for each pathway, and which single remediation disrupts the most pathways?
- EEI: consumed exposure baseline (DF&A ref and as-of date confirmed)
- EEI: each DF&A exposure layer re-analyzed for weaponizability, composability, permanence, signal value
- EEI: cross-platform linkage graph as the adversary sees it
- EEI: physical-safety nexus items (home address, routine, vehicle, family identity)
- EEI: dry-run target package composition (content types, damage dimensions)
PIR-3 - How does the principal’s current defensive posture affect the adversary’s collection cost?
- EEI: privacy settings and account hardening status per platform
- EEI: credential hygiene and MFA coverage
- EEI: data-broker suppression / opt-out status
- EEI: behavioral OPSEC discipline (geotagging, oversharing, routine exposure)
- EEI: household / family awareness level
- EEI: content removeability and takedown readiness for high-harm items
Collection gaps / RFIs (running)
- Household / family member exposure not covered → route to OSINT-044 Family & Household Digital Exposure Assessment
- Dark-web forum mentions and breach corpus deep-dive → route to OSINT-058 Dark-Web Exposure Assessment
- Specific threat actor investigation → route to OSINT-004 Subject Threat Assessment / OSINT-051 Protective Intelligence Assessment
- [additional open item] → route to [product]
01 · Identity Anchor
Confirm who the principal is and the consumed exposure baseline this assessment models. Do NOT re-enumerate the full footprint - only confirm anchor and consumed product. → feeds §5 Assessment Scope, Profile & Collection Plan; §7 Consumed Exposure Baseline.
Principal identifiers (anchor only)
- Full name / role:
- Public-profile level: [e.g., private individual / public figure / semi-public - specify]
- Known threat context or prior targeting history:
- Employer sensitivity (triggers professional-harm pathway):
- Confirmed family/household members (name only - for scope boundary):
Consumed baseline product
- Product reference (DF&A product ref-###):
- Date / as-of date of consumed product:
- Headline exposure rating from DF&A:
- Caveats on completeness or aging:
- Layers confirmed consumed (tick each):
- Identity & selector inventory
- Surface-web footprint
- Social-media exposure
- Data-broker exposure
- Breach exposure
- Technical / infrastructure footprint
- Physical-nexus exposure
02 · Selectors & Accounts
The principal’s selectors as inventoried in the consumed DF&A. Here, focus on DOXXING UTILITY: how an adversary pivots on each selector to build a more complete dossier. Clone each block per selector. → feeds §8 Doxxing-Relevant Exposure Analysis; §10 Cross-Platform Linkage.
Email addresses
Primary adversary pivot: account discovery, breach lookup, identity confirmation. → feeds §8 Doxxing-Relevant Exposure Analysis, §10 Cross-Platform Linkage & Graph Exposure.
- [email - e.g. principal@domain.com]
- Platforms / accounts linked to this email:
- Breach / paste appearances (from consumed DF&A):
- Adversary weaponizability: [account-takeover vector / identity anchor / contact channel]
- Cross-platform confirmation value:
- Suppression / removal status:
- Attribution confidence: [Confirmed / Probable / Possible]
- Notes / tool output: ← holehe, h8mail, hunter.io (run during DF&A; cite that output)
- [email 2]
Usernames / handles
Adversary pivots across platforms to build identity graph and confirm subject. → feeds §8 Doxxing-Relevant Exposure Analysis, §10 Cross-Platform Linkage & Graph Exposure.
- [handle - e.g. principalhandle]
- Platforms / where found (URL):
- Linked email(s):
- Linked phone(s):
- Other accounts reusing same handle:
- Cross-platform confirmation value:
- Attribution confidence: [Confirmed / Probable / Possible]
- Notes / tool output: ← idcrawl, sherlock, whatsmyname (cite DF&A output)
- [handle 2]
Phone numbers
→ feeds §8 Doxxing-Relevant Exposure Analysis, §10 Cross-Platform Linkage.
- [number - e.g. +1 555-0142]
- Type / carrier: [mobile / landline / VoIP]
- Linked apps / accounts:
- Reverse-lookup exposure (carrier, name, location):
- Weaponizability: [direct-harassment vector / identity anchor / location-inference]
- Attribution confidence: [Confirmed / Probable / Possible]
- Notes / tool output: ← TrueCaller, caller-ID lookups (cite DF&A output)
- [number 2]
Physical address selectors
Highest-harm doxxing element - enables physical targeting. → feeds §8 Doxxing-Relevant Exposure Analysis, §11 Physical-Safety Nexus.
- [address - e.g. 123 Main St, City, State]
- Source (how accessible: broker / public record / social post / combined):
- Adversary collection cost to obtain: [low / medium / high]
- Physical-harm pathway enabled:
- Suppression / opt-out status:
- Attribution confidence: [Confirmed / Probable / Possible]
- Notes:
- [address 2]
03 · Credential & Breach Exposure
Credential exposures specifically relevant to doxxing pathways: account-takeover enabling dossier enrichment, or private data exposed in breach corpus used in composition. Consume from DF&A - flag which items are HIGH doxxing utility. → feeds §8 Doxxing-Relevant Exposure Analysis, §9 Attack Pathway Modeling.
Breach appearances (high doxxing utility)
Clone per breach event. Focus on those exposing PII useful for dossier composition.
- [breach name / data set - e.g. BigCo-2022 breach]
- Data exposed (types):
- PII elements included: [email / password / phone / DOB / address / other]
- Doxxing utility: [identity anchor / account-takeover enabler / PII enrichment]
- Still exploitable / credentials rotated?:
- Source (from consumed DF&A §):
- Notes / tool output: ← have_i_been_pwned results; cite DF&A output
- [breach 2]
Credential-reuse / account-takeover vectors
- [account at risk - e.g. primary email]
- Risk basis (password reuse / no MFA / exposed creds):
- Adversary pathway enabled if taken over:
- Current mitigation status:
- Notes:
Paste / leak appearances
- [paste site + URL]
- Content exposed:
- Date:
- Doxxing utility:
04 · Dark-Web Presence
Surface-level dark-web check for mentions, active doxxing content, or forum targeting relevant to this principal. Deep-dive is scoped to OSINT-058; record what was observed or routed. → feeds §8 Doxxing-Relevant Exposure Analysis, §16 Red Flag / Notable Indicators, §19 Collection Gaps.
Active doxxing content
Check paste sites, dedicated doxxing sites, and DW markets for existing releases on the principal.
- [site / forum / market - e.g. Doxbin]
- Content found: [none observed / partial / full dossier]
- Date of posting:
- Content elements:
- Damage already done / publication permanence:
- Notes:
- [site 2]
Forum targeting / call-to-action mentions
- [forum / community - e.g. Telegram channel / Kiwi Farms / 4chan /pol/]
- Nature of mention: [targeting call / general discussion / threat]
- Date observed:
- Adversary tier implied:
- Notes:
Sold / traded PII (dark-web markets)
- [market name]
- Data type observed:
- Price point / accessibility:
- Recency:
- Route to deeper investigation: [→ OSINT-058]
- Notes:
05 · Digital Footprint & PII Exposure (Doxxing Lens)
Reanalyze the principal’s surface-web and social exposure through the doxxing lens: not what is discoverable (that is the DF&A), but how an adversary would USE each item in a doxxing attack. Flag Weaponizability, Composability, Permanence, Signal Value per §8 analysis framework. → feeds §8 Doxxing-Relevant Exposure Analysis, §12 Target Package Assessment.
Data-broker exposure (doxxing utility reanalysis)
Brokers are the lowest-cost adversary collection pathway for addresses, phones, relatives.
- [broker / people-search site - e.g. Spokeo / Whitepages / BeenVerified / Intelius / FastPeopleSearch]
- PII elements listed:
- Opt-out / suppression status: [opted-out / pending / not attempted]
- Adversary collection cost: [very low - no registration required / low - free acct / medium - paid]
- Weaponizability: [home address enables physical / employer enables professional harm / both]
- Composability: [links to relatives, other addresses, phones]:
- Permanence (re-aggregation rate after opt-out):
- Notes:
- [broker 2]
Social media - overshare / PII leakage inventory
Clone per platform. Focus on what the adversary would screenshot and include in a package.
- [platform - e.g. Instagram / Twitter-X / Facebook / TikTok / LinkedIn]
- Handle / URL:
- PII leakage type: [location tags / workplace / home area / vehicle / family members / schedule]
- Specific items:
- Weaponizability:
- Privacy settings current state: [public / friends-only / private / mixed]
- Notes:
- [platform 2]
Public-record exposure
- [record type - e.g. voter registration / property deed / court filing / professional license]
- Source / jurisdiction:
- PII elements exposed:
- Adversary accessibility: [freely searchable / subscription / FOIA-required]
- Doxxing utility:
- Notes:
Imagery & media exposure
- [image / video - e.g. Google Images results / LinkedIn headshot / YouTube / news photo]
- Type / source:
- EXIF / metadata risk:
- Reverse-image discovery risk:
- Weaponizability: [identity confirmation / compromising context / location reveal]
- Notes:
06 · Infrastructure
The principal’s web / domain / technical footprint reanalyzed for doxxing vectors: WHOIS registration PII leakage, hosting, email headers, technical identifiers. → feeds §8 Doxxing-Relevant Exposure Analysis, §10 Cross-Platform Linkage.
Domains registered by / associated with principal
→ check WHOIS for PII leakage; check crt.sh for certificate subjects; correlate with social presence.
- [domain - e.g. principalwebsite.com]
- WHOIS registrant PII exposed: [name / address / email / phone / none - WHOIS-protected]
- Registration email (pivot):
- Hosting IP / provider:
- Certificate subject names (crt.sh):
- Linked accounts / cross-platform confirmation:
- Attribution confidence: [Confirmed / Probable / Possible]
- Notes / tool output: ← whois, crt.sh, viewdns.info
- [domain 2]
Email header / metadata exposure
- [email system or personal domain]
- Header leakage (originating IP / real server):
- Doxxing utility:
- Notes:
Device / browser fingerprint exposure
- [observed or inferred]
- Exposure vector:
- Adversary utility:
07 · Attack Surface & Vulnerabilities (Pathway Modeling Inputs)
The pre-analysis workspace for §9 Attack Pathway Modeling. For each modeled pathway, record the adversary profile, collection method sequence, composition logic, and principal vulnerability factors before filling the deliverable’s pathway table. → feeds §6 Doxxing Threat Landscape & Adversary Modeling, §9 Attack Pathway Modeling, §14 Doxxing Vulnerability Register.
Adversary landscape (relevant tiers)
- [adversary tier - e.g. Low: unsophisticated individual]
- Typical motive (as relates to this principal):
- Typical collection methods:
- Typical publication channels:
- Relevance to principal’s profile: [highly relevant / somewhat relevant / low relevance]
- Notes:
- [tier 2 - e.g. Moderate: networked harassment group]
- Typical motive:
- Typical collection methods:
- Typical publication channels:
- Relevance:
- Notes:
- [tier 3 - e.g. High: skilled persistent adversary]
- Typical motive:
- Typical collection methods:
- Typical publication channels:
- Relevance:
- Notes:
Attack pathway drafts
Clone per modeled pathway (target 3–5). Fill in during analysis; transfer to §9 table.
- [PW-1 - e.g. Broker + social scrape → home address + employer dossier → Twitter/X release]
- Adversary profile (tier from above):
- Collection method sequence:
- Composition logic (how items confirm / amplify each other):
- Publication venue:
- Intended harm type: [physical / professional / reputational / financial / harassment]
- Likelihood: [almost no chance / remote / unlikely / roughly even / likely / very likely / almost certain]
- Principal vulnerability factors that enable this pathway:
- Notes:
- [PW-2]
- Adversary profile:
- Collection method sequence:
- Composition logic:
- Publication venue:
- Intended harm type:
- Likelihood:
- Principal vulnerability factors:
- Notes:
- [PW-3]
- Adversary profile:
- Collection method sequence:
- Composition logic:
- Publication venue:
- Intended harm type:
- Likelihood:
- Principal vulnerability factors:
- Notes:
Cross-platform linkage pivots
Map the identity graph as an adversary sees it - each pivot that confirms identity or reveals more.
- [pivot selector - e.g. Reddit handle]
- Linked platforms (URL):
- Confirmation value (what the link proves):
- Exposure amplification (what is newly revealed):
- Secondary-vector risk (contacts/followers reachable):
- Notes:
- [pivot 2]
Physical-safety nexus items
Items that chain to physical harm - home address, routine, vehicle, family identity.
- [nexus item - e.g. home address on broker + geotagged Instagram post]
- Enabled harm type: [stalking / in-person harassment / assault / family targeting]
- Collection pathway (which PWs rely on it):
- Enabling exposures (DF&A §):
- Disruptive protective measure:
- Urgency: [immediate / high / medium / low]
- Notes:
- [nexus 2]
08 · Attribution & Threat Actors
Note any known or suspected specific threat actors relevant to this principal’s doxxing risk. Full threat-actor investigation is out of scope - route to OSINT-004 / OSINT-051. Record only what is necessary to ground the adversary-tier modeling in §6 and §9. → feeds §6 Doxxing Threat Landscape & Adversary Modeling, §16 Red Flag / Notable Indicators.
Known / suspected threat actors or communities
- [actor or community - e.g. known harassment campaign / former associate / ideological group]
Prior doxxing incidents involving this principal
- [incident - e.g. partial address released on Telegram 2023]
- Date / venue:
- Content released:
- Outcome / harm:
- Current status (still live / taken down / archived):
- Notes:
Red flags / notable indicators observed during collection
- [flag - e.g. home address paired with known targeting community]
- Flag type: [physical-exposure / credential-exposure / linkability / irreversibility / adversary-signal]
- Basis (cross-ref to branch / §):
- Severity: [critical / high / medium / low]
- Notes:
99 · Collection Admin
Working register - not a deliverable section, but the audit trail behind the assessment.
Consumed baseline register
Record the consumed DF&A product formally here for audit.
- Consumed product: [OSINT-055 Digital Footprint & Exposure Assessment]
- Reference / file:
- As-of date:
- Originating team / analyst:
- Caveats on completeness or aging affecting this assessment:
Source register
Every material datum obtained during this assessment (beyond the consumed DF&A) traceable to a graded source. Admiralty two-axis: Reliability A–F / Credibility 1–6.
- [S-1 - source name / URL]
- Type: [Primary / Secondary / Tertiary]
- Reliability (A–F):
- Credibility (1–6):
- Date accessed:
- Notes:
- [S-2]
- Type:
- Reliability (A–F):
- Credibility (1–6):
- Date accessed:
Evidence archive
- [screenshot / capture ref + hash + URL + timestamp]:
- [pathway-modeling composition logic trace ref]:
- [adversary-landscape survey notes ref]:
Defensive posture workspace
Staging area for §13 Defensive Posture Assessment - record current state per defense layer.
- Privacy settings / account hardening - current state:
- Residual gap(s):
- Exploited by pathway(s):
- Priority hardening action:
- Credential hygiene / MFA - current state:
- Residual gap(s):
- Exploited by pathway(s):
- Priority hardening action:
- Data-broker suppression - current state:
- Residual gap(s):
- Exploited by pathway(s):
- Priority hardening action:
- Behavioral OPSEC discipline - current state:
- Residual gap(s):
- Exploited by pathway(s):
- Priority hardening action:
- Household / family awareness - current state:
- Residual gap(s):
- Exploited by pathway(s):
- Priority hardening action:
- Content removeability / takedown readiness - current state:
- Residual gap(s):
- Exploited by pathway(s):
- Priority hardening action: