[EVENT / CRISIS INCIDENT] - Collection Map

OSINT-063 Post-Crisis After-Action Report - collection workspace. Central topic = the crisis event / emergency incident under review. Branches = data-point categories for reconstructing the crisis and evaluating the response. Drop each collected value as a child node; expand it with where it was found. Paste raw tool output into the node’s Notes. → feeds deliverable OSINT-063.

00 · Collection Plan - PIRs & EEIs

The questions this after-action review must answer + the essential elements of information (EEI) for each. Tick as satisfied. → drives §3 Key Judgments, §4 PIRs, §14 Verified Reconstruction Summary, §18 Reconstruction Gaps & RFIs.

PIR-1 - Sequence & Timing: What was the complete sequence and timing of the crisis from first indication to stabilisation/demobilisation?

  • EEI: timestamped record of first warning sign or triggering event
  • EEI: initiation event confirmed with source grade
  • EEI: escalation milestones and inflection points logged
  • EEI: stabilisation / demobilisation time confirmed
  • EEI: duration calculated (onset → demobilisation)

PIR-2 - Activation & Command: When and how was the crisis management team / incident command activated, and was activation timely?

  • EEI: detection-to-activation lag documented (planned vs. actual)
  • EEI: who activated CMT / incident command, when, and by what authority
  • EEI: command structure and span-of-control confirmed
  • EEI: external emergency-service liaison timing and quality assessed

PIR-3 - Life Safety & Security Execution: What life-safety / security actions were taken, and were they executed in accordance with the crisis plan?

  • EEI: evacuation / shelter-in-place / lockdown orders documented
  • EEI: medical / first-aid / triage actions and resources confirmed
  • EEI: access control and scene safety measures assessed
  • EEI: deviations from plan identified and cross-referenced to §10

PIR-4 - Communications: What communication was issued internally and externally, and was it consistent with the crisis communication plan?

  • EEI: internal notification timeline and channels documented
  • EEI: external / media statements logged and accuracy assessed
  • EEI: next-of-kin / family liaison actions confirmed
  • EEI: communication failures or gaps logged to §12

Collection gaps / RFIs (running)

  • [missing footage / footage not yet reviewed] → RFI to [evidence custodian]
  • [un-interviewed personnel] → route to interview coordinator
  • [call logs / incident reports not yet obtained] → route to [records holder]
  • [concurrent investigation restriction] → confirm with counsel before collection

01 · Principal / Protectee or Event Detail

Core event identification - the crisis subject. → feeds §5 Crisis Overview & Operating Context, §7 Timeline.

Crisis / incident identity

  • Crisis name / reference:
  • Report reference (REF-YYYY-###):
  • Crisis type: [natural disaster / security incident / facility-fire / medical mass-casualty / cyber / reputational / personnel emergency / mixed]
  • Classification / handling:

Date, time, and location

  • Crisis date(s):
  • Onset time (first indication):
  • Stabilisation / demobilisation time:
  • Duration:
  • Primary location:
  • Secondary / affected locations:

People affected

  • Total personnel on-site / exposed:
  • Fatalities:
  • Serious injuries:
  • Minor injuries:
  • Unaccounted / missing at peak:

Assets / infrastructure affected

  • Physical assets:
  • IT / data systems:
  • Environmental impact:

Highest-priority corrective action (preliminary)

02 · Venue & Geography - Site, Layout, Ingress / Egress

Physical environment of the crisis: the site layout, access points, hazard zones, external-service access routes. → feeds §5 Crisis Overview & Operating Context, §7 Timeline, §9 Crisis Response - Execution Assessment.

Site description

  • Facility / venue name and address:
  • Type: [commercial / industrial / public / residential / campus / transport hub / outdoor / other]
  • Layout summary (floors, wings, zones):
  • Occupancy at time of crisis:

Ingress / egress points

  • [access point - e.g. main entrance / fire exit A / loading bay]
    • Status during crisis: [open / blocked / compromised]
    • Used for evacuation: [yes / no / partial]
    • Deviation noted:
    • Notes / tool output:
  • [access point 2]

Assembly points / muster stations

  • [muster point]
    • Designated in plan: [yes / no]
    • Used / reached:
    • Capacity vs. actual:
    • Notes / tool output:

Hazard zones identified

  • [zone or area]
    • Hazard type:
    • Controlled / cordoned: [yes / no]
    • Notes / tool output:

External-service access

  • Emergency vehicle access route:
  • Staging area for emergency services:
  • Distance from primary emergency services:

03 · Routes & Movement - Phases, Timings, Handovers

Reconstruction of how people, assets, and the incident itself moved through the crisis phases. Clone the block per timeline leg. → feeds §7 Timeline / Reconstructed Sequence of Events, §8 Crisis Response - Activation & Command.

Timeline leg / phase

Clone per discrete phase: pre-crisis / initiation / response / stabilisation / recovery / demobilisation.

  • [phase - e.g. Initiation: alarm activation 14:23]
    • Planned action / expected state:
    • Actual action / observed state:
    • On-plan or deviation: [on-plan / deviation / no-plan-applicable]
    • Source basis (grade):
    • Deviation ref (§10 ID):
    • Notes / tool output:
  • [phase 2]

Key decision points

  • [decision - e.g. CMT activation authorised 14:31]
    • Decision maker / role:
    • Information available at time:
    • Outcome:
    • Assessment (timely / delayed / appropriate):
    • Notes / tool output:

External-service handover / liaison

  • Agency:
  • Handover time:
  • Handover quality:
  • Notes:

04 · Threat Actors & Persons of Interest

People and roles involved in the crisis event and the response - both adverse actors (if applicable) and key response personnel. Clone per individual. → feeds §5 Crisis Overview & Operating Context, §13 Root-Cause Analysis, §16 ACH.

Adverse actors / crisis origin (if applicable)

Relevant when crisis was security-incident, intrusion, cyber-attack, etc.

  • [actor / entity - e.g. unknown intruder / threat group / natural hazard source]
    • Role in crisis:
    • Identity (if known):
    • Actions taken:
    • Source basis (grade):
    • Attribution confidence: [Confirmed / Probable / Possible / Unknown]
    • Notes / tool output:
  • [actor 2]

Key response personnel

Non-blaming; assess roles and decisions not individuals.

  • [role - e.g. Crisis Manager / Incident Commander / First Aider]
    • Decision(s) made:
    • Timeliness:
    • Aligned with plan: [yes / no / partial / no plan]
    • Source basis:
    • Notes / tool output:
  • [role 2]

External agencies / responders

  • [agency - e.g. Police / Fire / EMS / Utilities]
    • Arrived:
    • Actions taken:
    • Assessment:
    • Notes / tool output:

05 · Threat Landscape - Pre-Crisis History, Incidents, Chatter

What was known or knowable before this crisis: prior incidents, risk assessments, near-misses, threat intelligence, and open-source signals. → feeds §6 Pre-Crisis Baseline & Risk Posture, §15 Red Flag / Systemic-Risk Indicators.

Applicable risk assessments (pre-crisis)

  • [assessment - e.g. Site Security Risk Assessment 2024]
    • Date / version:
    • Coverage of this crisis type: [yes / no / partial]
    • Residual risk acceptance stated:
    • Source:
    • Notes / tool output:

Prior incidents (same type or same site)

  • [incident - e.g. minor fire alarm Q1-2025]
    • Date / location:
    • Response outcome:
    • Lesson documented at the time: [yes / no]
    • Notes / tool output:

Near-misses / warning signs pre-crisis

  • [warning sign or near-miss]:
    • Date observed:
    • Escalated: [yes / no]
    • Notes / tool output:

Open-source signals pre-crisis (if applicable)

Relevant for security / reputational / cyber crises. Tool hints: social monitoring → Brandwatch/Mention; threat intel → threat feeds / dark-web forums.

  • [signal - e.g. social media threat post / weather warning]
    • Date / source:
    • Actioned: [yes / no]
    • Notes / tool output:

Training and exercise history

  • [exercise - e.g. tabletop drill Nov-2024]
    • Scope / crisis type:
    • Outcomes / gaps documented:
    • Source:
    • Notes / tool output:

06 · Vulnerabilities & Attack Surface - Plan Gaps, Process Gaps, Resource Gaps

The pre-existing and response-revealed gaps that enabled or worsened the crisis or degraded the response. → feeds §12 Deficiencies & Gaps, §13 Root-Cause Analysis, §15 Red Flag / Systemic-Risk Indicators.

Plan gaps

  • [gap - e.g. no mass-notification protocol for after-hours events]
    • Plan affected (name/version):
    • Consequence observed:
    • Deficiency ref (§12 ID):
    • Notes / tool output:
  • [gap 2]

Training / exercise gaps

  • [gap - e.g. first-aider ratio below required level]
    • Root cause category: [people / process / equipment / training / resource / external]
    • Deficiency ref (§12 ID):
    • Notes / tool output:

Equipment / resource gaps

  • [gap - e.g. AED not accessible from Zone B]
    • Deficiency ref:
    • Notes / tool output:

Communication system gaps

  • [gap - e.g. radio dead-zone in basement]
    • Deficiency ref:
    • Notes / tool output:

Red flag / systemic-risk indicators

Indicators that a deficiency is recurring or systemic, not a one-off.

  • [flag - e.g. same alarm-not-heard failure pattern as 2023 drill]
    • Flag type: [recurring-failure / silent-control-failure / near-miss-masked / unescalated-warning]
    • Severity: [Critical / High / Elevated / Moderate / Low]
    • Basis (cross-ref §):
    • Notes / tool output:

07 · Local Environment - Security / Medical / LE / Infrastructure

The supporting environment: what external resources were available, how they performed, and any environmental factors that shaped the crisis or response. → feeds §5 Crisis Overview & Operating Context, §9 Crisis Response - Execution Assessment, §7 Timeline.

Emergency services (local)

  • Police response:
    • ETA / arrival time:
    • Actions taken:
    • Assessment:
  • Fire / rescue response:
    • ETA / arrival time:
    • Actions taken:
    • Assessment:
  • EMS / medical response:
    • ETA / arrival time:
    • Triage / treatment actions:
    • Patients transported:
    • Assessment:

Medical resources (on-site)

  • First-aiders available:
  • AED(s) accessible: [yes / no / not applicable]
  • First-aid kit(s) stocked:
  • Triage area designated: [yes / no]

Infrastructure factors

  • Power: [maintained / partial loss / full loss]
  • Communications (phones / radios): [maintained / degraded / failed]
  • IT / data systems: [maintained / degraded / offline]
  • CCTV / access control: [maintained / degraded / offline]
  • Environmental factor (weather / utilities):

Business continuity / recovery environment

  • Backup site / continuity plan activated: [yes / no / partial]
  • Recovery time objective met: [yes / no]
  • Business continuity contacts:
  • Notes:

08 · Digital & Social Signals - Communications, Logs, Open-Source

All digital records and open-source signals relevant to the reconstruction: internal logs, call recordings, footage, and external social / media signals during and after the crisis. → feeds §7 Timeline, §8 Crisis Response - Activation & Command, §20 Annex A Sources & Methodology.

Internal digital records

Core evidence for timeline reconstruction.

  • [record - e.g. CCTV footage Block A 14:00–16:00]
    • Date / time range:
    • Custody / location:
    • Reviewed: [yes / no]
    • Reliability grade:
    • Notes / tool output:
  • [record 2 - e.g. access-control system logs]
  • [record 3 - e.g. call recordings - CMT hotline]
  • [record 4 - e.g. incident management system entries]
  • [record 5 - e.g. fire alarm / building-management system logs]

External communications issued

  • [communication - e.g. staff SMS alert 14:35]
    • Channel:
    • Time sent:
    • Accuracy / consistency with plan:
    • Notes / tool output:
  • [communication 2 - e.g. media statement]

Social media / open-source crisis signals

For real-time chatter, witness posts, reputational spread. Tool hints: social monitoring → CrowdTangle/Brandwatch/Mention/TweetDeck saved searches; people-search → public posts on X/Facebook/Instagram.

  • [platform / search - e.g. X search: “[facility name] fire”]
    • Signal found:
    • Date / time:
    • Significance:
    • Notes / tool output:
  • Notification to insurer: [yes / no / date]
  • Notification to regulator: [yes / no / date]
  • Litigation-hold confirmed: [yes / no]
  • Notes:

09 · Indicators & Warnings - Sustainments, ACH Hypotheses, KAC Assumptions

The analytic layer: confirmed sustainments (what worked), competing hypotheses for contested events, and key assumptions underpinning the reconstruction. → feeds §11 Sustainments, §12 Deficiencies & Gaps, §16 ACH, §17 KAC.

Sustainments (What Worked)

Clone per sustainment.

  • [sustainment - e.g. evacuation of Zone A completed within 4 minutes]
    • Enabling factor:
    • How to institutionalise:
    • Cross-ref (§11 ID):
    • Notes / tool output:
  • [sustainment 2]

Deficiencies (What to Improve)

Clone per deficiency; root cause in §13.

  • [deficiency - e.g. CMT activation delayed by 18 minutes]
    • Observed / potential consequence:
    • Function affected:
    • Root cause category: [people / process / equipment / information / coordination / external / plan-gap / training-gap / resource-gap]
    • Cross-ref (§12 ID / §13):
    • Notes / tool output:
  • [deficiency 2]

ACH - Competing Hypotheses (contested events)

Clone per contested fact or root-cause dispute.

  • [contested event - e.g. failure to evacuate south wing]
    • H1 (hypothesis 1):
    • H2 (hypothesis 2):
    • H3 (hypothesis 3):
    • Most diagnostic evidence:
    • Hypothesis assessment:
    • Notes / tool output:

KAC - Key Assumptions

  • [assumption - e.g. crisis plan in force was the current approved version]
    • Basis:
    • Confidence: [H / M / L]
    • Impact if wrong:
    • Notes:
  • [assumption 2 - e.g. all material records were preserved and not destroyed]
  • [assumption 3 - e.g. witness accounts are not shaped by litigation concern]
  • [assumption 4 - e.g. this crisis is representative of the org’s preparedness posture]

99 · Collection Admin

Working register - not a deliverable section, but the audit trail behind the after-action report. Feeds §20 Annex A Sources & Methodology and Appendices B–G.

Source register

Every material datum traceable to a graded source. Admiralty A–F (reliability) / 1–6 (credibility).

  • [S-1 - source / record name]
    • Type: [CCTV / call recording / incident report / interview / log / alarm-system / public record / media / other]
    • Reliability (A–F) / Credibility (1–6):
    • Date of record:
    • Date accessed / reviewed:
    • Custodian / location:
    • Litigation-hold applies: [yes / no / unknown]
  • [S-2]
  • [S-3 - interviews: note consent, role, date, interviewer]

Evidence archive

Hash + URL / file path + timestamp for each captured item. Chain-of-custody pointer → Appendix D.

  • [screenshot / capture ref + hash + file path + timestamp]:

Personnel & role index

Non-blame; roles only. → Appendix B.

  • [Role - e.g. Crisis Manager]
    • Decisions / actions in scope:
    • Interview conducted: [yes / no / pending]

Open gaps / RFIs (running)

  • [gap - e.g. basement CCTV footage not yet recovered] → Priority: [H/M/L] → Recommended collection:
  • [gap - e.g. interview with senior facilities manager pending consent]
  • [gap - concurrent investigation restriction - confirm with counsel]

Concurrent processes (flag)

  • Litigation-hold in effect: [yes / no / unknown]
  • Insurance claim open: [yes / no]
  • Regulatory / enforcement inquiry: [yes / no]
  • Criminal investigation: [yes / no]
  • Counsel coordinating: [yes / no]

Revision history

→ Appendix G.

  • [v0.1 - date - initial collection open]: