[PRINCIPAL / SUBJECT NAME] - Collection Map

OSINT-056 Doxxing Vulnerability / Attack-Surface Assessment - collection workspace. Central topic = the principal under assessment. Branches = data-point categories for modeling doxxing vulnerability, adversary pathways, and defensive posture. Drop each collected value as a child node; expand it with where it was found and tool output. This workspace CONSUMES the Digital Footprint & Exposure Assessment (OSINT-055) by reference - do not re-enumerate the full baseline footprint here. Focus on doxxing-specific reanalysis. → feeds deliverable OSINT-056.

00 · Collection Plan - PIRs & EEIs

The questions this collection must answer and the essential elements of information (EEI) for each. Tick as satisfied. → drives §3 Key Judgments, §4 PIRs, §9 Attack Pathway Modeling, §14 Doxxing Vulnerability Register, §19 Collection Gaps.

PIR-1 - What realistic attack pathways exist by which an adversary could compose and release the principal’s PII to a targeted audience?

  • EEI: identity of the adversary tier(s) relevant to the principal’s profile (low / moderate / high)
  • EEI: collection methods each adversary tier would use against this principal
  • EEI: publication channels / venues each adversary tier prefers
  • EEI: 3–5 distinct pathways modeled (differ in adversary profile, collection cost, or harm type)
  • EEI: which single exposure item appears in the most pathways (highest-leverage remediation)

PIR-2 - What specific exposures are the critical enablers for each pathway, and which single remediation disrupts the most pathways?

  • EEI: consumed exposure baseline (DF&A ref and as-of date confirmed)
  • EEI: each DF&A exposure layer re-analyzed for weaponizability, composability, permanence, signal value
  • EEI: cross-platform linkage graph as the adversary sees it
  • EEI: physical-safety nexus items (home address, routine, vehicle, family identity)
  • EEI: dry-run target package composition (content types, damage dimensions)

PIR-3 - How does the principal’s current defensive posture affect the adversary’s collection cost?

  • EEI: privacy settings and account hardening status per platform
  • EEI: credential hygiene and MFA coverage
  • EEI: data-broker suppression / opt-out status
  • EEI: behavioral OPSEC discipline (geotagging, oversharing, routine exposure)
  • EEI: household / family awareness level
  • EEI: content removeability and takedown readiness for high-harm items

Collection gaps / RFIs (running)

  • Household / family member exposure not covered → route to OSINT-044 Family & Household Digital Exposure Assessment
  • Dark-web forum mentions and breach corpus deep-dive → route to OSINT-058 Dark-Web Exposure Assessment
  • Specific threat actor investigation → route to OSINT-004 Subject Threat Assessment / OSINT-051 Protective Intelligence Assessment
  • [additional open item] → route to [product]

01 · Identity Anchor

Confirm who the principal is and the consumed exposure baseline this assessment models. Do NOT re-enumerate the full footprint - only confirm anchor and consumed product. → feeds §5 Assessment Scope, Profile & Collection Plan; §7 Consumed Exposure Baseline.

Principal identifiers (anchor only)

  • Full name / role:
  • Public-profile level: [e.g., private individual / public figure / semi-public - specify]
  • Known threat context or prior targeting history:
  • Employer sensitivity (triggers professional-harm pathway):
  • Confirmed family/household members (name only - for scope boundary):

Consumed baseline product

  • Product reference (DF&A product ref-###):
  • Date / as-of date of consumed product:
  • Headline exposure rating from DF&A:
  • Caveats on completeness or aging:
  • Layers confirmed consumed (tick each):
    • Identity & selector inventory
    • Surface-web footprint
    • Social-media exposure
    • Data-broker exposure
    • Breach exposure
    • Technical / infrastructure footprint
    • Physical-nexus exposure

02 · Selectors & Accounts

The principal’s selectors as inventoried in the consumed DF&A. Here, focus on DOXXING UTILITY: how an adversary pivots on each selector to build a more complete dossier. Clone each block per selector. → feeds §8 Doxxing-Relevant Exposure Analysis; §10 Cross-Platform Linkage.

Email addresses

Primary adversary pivot: account discovery, breach lookup, identity confirmation. → feeds §8 Doxxing-Relevant Exposure Analysis, §10 Cross-Platform Linkage & Graph Exposure.

  • [email - e.g. principal@domain.com]
    • Platforms / accounts linked to this email:
    • Breach / paste appearances (from consumed DF&A):
    • Adversary weaponizability: [account-takeover vector / identity anchor / contact channel]
    • Cross-platform confirmation value:
    • Suppression / removal status:
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Notes / tool output: ← holehe, h8mail, hunter.io (run during DF&A; cite that output)
  • [email 2]

Usernames / handles

Adversary pivots across platforms to build identity graph and confirm subject. → feeds §8 Doxxing-Relevant Exposure Analysis, §10 Cross-Platform Linkage & Graph Exposure.

  • [handle - e.g. principalhandle]
    • Platforms / where found (URL):
    • Linked email(s):
    • Linked phone(s):
    • Other accounts reusing same handle:
    • Cross-platform confirmation value:
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Notes / tool output: ← idcrawl, sherlock, whatsmyname (cite DF&A output)
  • [handle 2]

Phone numbers

→ feeds §8 Doxxing-Relevant Exposure Analysis, §10 Cross-Platform Linkage.

  • [number - e.g. +1 555-0142]
    • Type / carrier: [mobile / landline / VoIP]
    • Linked apps / accounts:
    • Reverse-lookup exposure (carrier, name, location):
    • Weaponizability: [direct-harassment vector / identity anchor / location-inference]
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Notes / tool output: ← TrueCaller, caller-ID lookups (cite DF&A output)
  • [number 2]

Physical address selectors

Highest-harm doxxing element - enables physical targeting. → feeds §8 Doxxing-Relevant Exposure Analysis, §11 Physical-Safety Nexus.

  • [address - e.g. 123 Main St, City, State]
    • Source (how accessible: broker / public record / social post / combined):
    • Adversary collection cost to obtain: [low / medium / high]
    • Physical-harm pathway enabled:
    • Suppression / opt-out status:
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Notes:
  • [address 2]

03 · Credential & Breach Exposure

Credential exposures specifically relevant to doxxing pathways: account-takeover enabling dossier enrichment, or private data exposed in breach corpus used in composition. Consume from DF&A - flag which items are HIGH doxxing utility. → feeds §8 Doxxing-Relevant Exposure Analysis, §9 Attack Pathway Modeling.

Breach appearances (high doxxing utility)

Clone per breach event. Focus on those exposing PII useful for dossier composition.

  • [breach name / data set - e.g. BigCo-2022 breach]
    • Data exposed (types):
    • PII elements included: [email / password / phone / DOB / address / other]
    • Doxxing utility: [identity anchor / account-takeover enabler / PII enrichment]
    • Still exploitable / credentials rotated?:
    • Source (from consumed DF&A §):
    • Notes / tool output: ← have_i_been_pwned results; cite DF&A output
  • [breach 2]

Credential-reuse / account-takeover vectors

  • [account at risk - e.g. primary email]
    • Risk basis (password reuse / no MFA / exposed creds):
    • Adversary pathway enabled if taken over:
    • Current mitigation status:
    • Notes:

Paste / leak appearances

  • [paste site + URL]
    • Content exposed:
    • Date:
    • Doxxing utility:

04 · Dark-Web Presence

Surface-level dark-web check for mentions, active doxxing content, or forum targeting relevant to this principal. Deep-dive is scoped to OSINT-058; record what was observed or routed. → feeds §8 Doxxing-Relevant Exposure Analysis, §16 Red Flag / Notable Indicators, §19 Collection Gaps.

Active doxxing content

Check paste sites, dedicated doxxing sites, and DW markets for existing releases on the principal.

  • [site / forum / market - e.g. Doxbin]
    • Content found: [none observed / partial / full dossier]
    • Date of posting:
    • Content elements:
    • Damage already done / publication permanence:
    • Notes:
  • [site 2]

Forum targeting / call-to-action mentions

  • [forum / community - e.g. Telegram channel / Kiwi Farms / 4chan /pol/]
    • Nature of mention: [targeting call / general discussion / threat]
    • Date observed:
    • Adversary tier implied:
    • Notes:

Sold / traded PII (dark-web markets)

  • [market name]
    • Data type observed:
    • Price point / accessibility:
    • Recency:
    • Route to deeper investigation: [→ OSINT-058]
    • Notes:

05 · Digital Footprint & PII Exposure (Doxxing Lens)

Reanalyze the principal’s surface-web and social exposure through the doxxing lens: not what is discoverable (that is the DF&A), but how an adversary would USE each item in a doxxing attack. Flag Weaponizability, Composability, Permanence, Signal Value per §8 analysis framework. → feeds §8 Doxxing-Relevant Exposure Analysis, §12 Target Package Assessment.

Data-broker exposure (doxxing utility reanalysis)

Brokers are the lowest-cost adversary collection pathway for addresses, phones, relatives.

  • [broker / people-search site - e.g. Spokeo / Whitepages / BeenVerified / Intelius / FastPeopleSearch]
    • PII elements listed:
    • Opt-out / suppression status: [opted-out / pending / not attempted]
    • Adversary collection cost: [very low - no registration required / low - free acct / medium - paid]
    • Weaponizability: [home address enables physical / employer enables professional harm / both]
    • Composability: [links to relatives, other addresses, phones]:
    • Permanence (re-aggregation rate after opt-out):
    • Notes:
  • [broker 2]

Social media - overshare / PII leakage inventory

Clone per platform. Focus on what the adversary would screenshot and include in a package.

  • [platform - e.g. Instagram / Twitter-X / Facebook / TikTok / LinkedIn]
    • Handle / URL:
    • PII leakage type: [location tags / workplace / home area / vehicle / family members / schedule]
    • Specific items:
    • Weaponizability:
    • Privacy settings current state: [public / friends-only / private / mixed]
    • Notes:
  • [platform 2]

Public-record exposure

  • [record type - e.g. voter registration / property deed / court filing / professional license]
    • Source / jurisdiction:
    • PII elements exposed:
    • Adversary accessibility: [freely searchable / subscription / FOIA-required]
    • Doxxing utility:
    • Notes:

Imagery & media exposure

  • [image / video - e.g. Google Images results / LinkedIn headshot / YouTube / news photo]
    • Type / source:
    • EXIF / metadata risk:
    • Reverse-image discovery risk:
    • Weaponizability: [identity confirmation / compromising context / location reveal]
    • Notes:

06 · Infrastructure

The principal’s web / domain / technical footprint reanalyzed for doxxing vectors: WHOIS registration PII leakage, hosting, email headers, technical identifiers. → feeds §8 Doxxing-Relevant Exposure Analysis, §10 Cross-Platform Linkage.

Domains registered by / associated with principal

→ check WHOIS for PII leakage; check crt.sh for certificate subjects; correlate with social presence.

  • [domain - e.g. principalwebsite.com]
    • WHOIS registrant PII exposed: [name / address / email / phone / none - WHOIS-protected]
    • Registration email (pivot):
    • Hosting IP / provider:
    • Certificate subject names (crt.sh):
    • Linked accounts / cross-platform confirmation:
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Notes / tool output: ← whois, crt.sh, viewdns.info
  • [domain 2]

Email header / metadata exposure

  • [email system or personal domain]
    • Header leakage (originating IP / real server):
    • Doxxing utility:
    • Notes:

Device / browser fingerprint exposure

  • [observed or inferred]
    • Exposure vector:
    • Adversary utility:

07 · Attack Surface & Vulnerabilities (Pathway Modeling Inputs)

The pre-analysis workspace for §9 Attack Pathway Modeling. For each modeled pathway, record the adversary profile, collection method sequence, composition logic, and principal vulnerability factors before filling the deliverable’s pathway table. → feeds §6 Doxxing Threat Landscape & Adversary Modeling, §9 Attack Pathway Modeling, §14 Doxxing Vulnerability Register.

Adversary landscape (relevant tiers)

  • [adversary tier - e.g. Low: unsophisticated individual]
    • Typical motive (as relates to this principal):
    • Typical collection methods:
    • Typical publication channels:
    • Relevance to principal’s profile: [highly relevant / somewhat relevant / low relevance]
    • Notes:
  • [tier 2 - e.g. Moderate: networked harassment group]
    • Typical motive:
    • Typical collection methods:
    • Typical publication channels:
    • Relevance:
    • Notes:
  • [tier 3 - e.g. High: skilled persistent adversary]
    • Typical motive:
    • Typical collection methods:
    • Typical publication channels:
    • Relevance:
    • Notes:

Attack pathway drafts

Clone per modeled pathway (target 3–5). Fill in during analysis; transfer to §9 table.

  • [PW-1 - e.g. Broker + social scrape → home address + employer dossier → Twitter/X release]
    • Adversary profile (tier from above):
    • Collection method sequence:
    • Composition logic (how items confirm / amplify each other):
    • Publication venue:
    • Intended harm type: [physical / professional / reputational / financial / harassment]
    • Likelihood: [almost no chance / remote / unlikely / roughly even / likely / very likely / almost certain]
    • Principal vulnerability factors that enable this pathway:
    • Notes:
  • [PW-2]
    • Adversary profile:
    • Collection method sequence:
    • Composition logic:
    • Publication venue:
    • Intended harm type:
    • Likelihood:
    • Principal vulnerability factors:
    • Notes:
  • [PW-3]
    • Adversary profile:
    • Collection method sequence:
    • Composition logic:
    • Publication venue:
    • Intended harm type:
    • Likelihood:
    • Principal vulnerability factors:
    • Notes:

Cross-platform linkage pivots

Map the identity graph as an adversary sees it - each pivot that confirms identity or reveals more.

  • [pivot selector - e.g. Reddit handle]
    • Linked platforms (URL):
    • Confirmation value (what the link proves):
    • Exposure amplification (what is newly revealed):
    • Secondary-vector risk (contacts/followers reachable):
    • Notes:
  • [pivot 2]

Physical-safety nexus items

Items that chain to physical harm - home address, routine, vehicle, family identity.

  • [nexus item - e.g. home address on broker + geotagged Instagram post]
    • Enabled harm type: [stalking / in-person harassment / assault / family targeting]
    • Collection pathway (which PWs rely on it):
    • Enabling exposures (DF&A §):
    • Disruptive protective measure:
    • Urgency: [immediate / high / medium / low]
    • Notes:
  • [nexus 2]

08 · Attribution & Threat Actors

Note any known or suspected specific threat actors relevant to this principal’s doxxing risk. Full threat-actor investigation is out of scope - route to OSINT-004 / OSINT-051. Record only what is necessary to ground the adversary-tier modeling in §6 and §9. → feeds §6 Doxxing Threat Landscape & Adversary Modeling, §16 Red Flag / Notable Indicators.

Known / suspected threat actors or communities

  • [actor or community - e.g. known harassment campaign / former associate / ideological group]
    • Basis for flag:
    • Capability tier assessed: [low / moderate / high]
    • Prior targeting evidence:
    • Attribution confidence: [Confirmed / Probable / Possible / Unresolved]
    • Route to full investigation: [→ OSINT-004 / OSINT-051 as applicable]
    • Notes:

Prior doxxing incidents involving this principal

  • [incident - e.g. partial address released on Telegram 2023]
    • Date / venue:
    • Content released:
    • Outcome / harm:
    • Current status (still live / taken down / archived):
    • Notes:

Red flags / notable indicators observed during collection

  • [flag - e.g. home address paired with known targeting community]
    • Flag type: [physical-exposure / credential-exposure / linkability / irreversibility / adversary-signal]
    • Basis (cross-ref to branch / §):
    • Severity: [critical / high / medium / low]
    • Notes:

99 · Collection Admin

Working register - not a deliverable section, but the audit trail behind the assessment.

Consumed baseline register

Record the consumed DF&A product formally here for audit.

  • Consumed product: [OSINT-055 Digital Footprint & Exposure Assessment]
    • Reference / file:
    • As-of date:
    • Originating team / analyst:
    • Caveats on completeness or aging affecting this assessment:

Source register

Every material datum obtained during this assessment (beyond the consumed DF&A) traceable to a graded source. Admiralty two-axis: Reliability A–F / Credibility 1–6.

  • [S-1 - source name / URL]
    • Type: [Primary / Secondary / Tertiary]
    • Reliability (A–F):
    • Credibility (1–6):
    • Date accessed:
    • Notes:
  • [S-2]
    • Type:
    • Reliability (A–F):
    • Credibility (1–6):
    • Date accessed:

Evidence archive

  • [screenshot / capture ref + hash + URL + timestamp]:
  • [pathway-modeling composition logic trace ref]:
  • [adversary-landscape survey notes ref]:

Defensive posture workspace

Staging area for §13 Defensive Posture Assessment - record current state per defense layer.

  • Privacy settings / account hardening - current state:
    • Residual gap(s):
    • Exploited by pathway(s):
    • Priority hardening action:
  • Credential hygiene / MFA - current state:
    • Residual gap(s):
    • Exploited by pathway(s):
    • Priority hardening action:
  • Data-broker suppression - current state:
    • Residual gap(s):
    • Exploited by pathway(s):
    • Priority hardening action:
  • Behavioral OPSEC discipline - current state:
    • Residual gap(s):
    • Exploited by pathway(s):
    • Priority hardening action:
  • Household / family awareness - current state:
    • Residual gap(s):
    • Exploited by pathway(s):
    • Priority hardening action:
  • Content removeability / takedown readiness - current state:
    • Residual gap(s):
    • Exploited by pathway(s):
    • Priority hardening action:

Open gaps / RFIs (working)

  • [gap item - impact on assessment - recommended collection - priority - route to sibling product]
  • Household/family exposure unassessed → route to OSINT-044
  • Dark-web forum deep-dive not performed → route to OSINT-058
  • Specific adversary not investigated → route to OSINT-004 / OSINT-051