[EVENT / CRISIS INCIDENT] - Collection Map
OSINT-063 Post-Crisis After-Action Report - collection workspace. Central topic = the crisis event / emergency incident under review. Branches = data-point categories for reconstructing the crisis and evaluating the response. Drop each collected value as a child node; expand it with where it was found. Paste raw tool output into the node’s Notes. → feeds deliverable OSINT-063.
00 · Collection Plan - PIRs & EEIs
The questions this after-action review must answer + the essential elements of information (EEI) for each. Tick as satisfied. → drives §3 Key Judgments, §4 PIRs, §14 Verified Reconstruction Summary, §18 Reconstruction Gaps & RFIs.
PIR-1 - Sequence & Timing: What was the complete sequence and timing of the crisis from first indication to stabilisation/demobilisation?
- EEI: timestamped record of first warning sign or triggering event
- EEI: initiation event confirmed with source grade
- EEI: escalation milestones and inflection points logged
- EEI: stabilisation / demobilisation time confirmed
- EEI: duration calculated (onset → demobilisation)
PIR-2 - Activation & Command: When and how was the crisis management team / incident command activated, and was activation timely?
- EEI: detection-to-activation lag documented (planned vs. actual)
- EEI: who activated CMT / incident command, when, and by what authority
- EEI: command structure and span-of-control confirmed
- EEI: external emergency-service liaison timing and quality assessed
PIR-3 - Life Safety & Security Execution: What life-safety / security actions were taken, and were they executed in accordance with the crisis plan?
- EEI: evacuation / shelter-in-place / lockdown orders documented
- EEI: medical / first-aid / triage actions and resources confirmed
- EEI: access control and scene safety measures assessed
- EEI: deviations from plan identified and cross-referenced to §10
PIR-4 - Communications: What communication was issued internally and externally, and was it consistent with the crisis communication plan?
- EEI: internal notification timeline and channels documented
- EEI: external / media statements logged and accuracy assessed
- EEI: next-of-kin / family liaison actions confirmed
- EEI: communication failures or gaps logged to §12
Collection gaps / RFIs (running)
- [missing footage / footage not yet reviewed] → RFI to [evidence custodian]
- [un-interviewed personnel] → route to interview coordinator
- [call logs / incident reports not yet obtained] → route to [records holder]
- [concurrent investigation restriction] → confirm with counsel before collection
01 · Principal / Protectee or Event Detail
Core event identification - the crisis subject. → feeds §5 Crisis Overview & Operating Context, §7 Timeline.
Crisis / incident identity
- Crisis name / reference:
- Report reference (REF-YYYY-###):
- Crisis type: [natural disaster / security incident / facility-fire / medical mass-casualty / cyber / reputational / personnel emergency / mixed]
- Classification / handling:
Date, time, and location
- Crisis date(s):
- Onset time (first indication):
- Stabilisation / demobilisation time:
- Duration:
- Primary location:
- Secondary / affected locations:
People affected
- Total personnel on-site / exposed:
- Fatalities:
- Serious injuries:
- Minor injuries:
- Unaccounted / missing at peak:
Assets / infrastructure affected
- Physical assets:
- IT / data systems:
- Environmental impact:
Highest-priority corrective action (preliminary)
02 · Venue & Geography - Site, Layout, Ingress / Egress
Physical environment of the crisis: the site layout, access points, hazard zones, external-service access routes. → feeds §5 Crisis Overview & Operating Context, §7 Timeline, §9 Crisis Response - Execution Assessment.
Site description
- Facility / venue name and address:
- Type: [commercial / industrial / public / residential / campus / transport hub / outdoor / other]
- Layout summary (floors, wings, zones):
- Occupancy at time of crisis:
Ingress / egress points
- [access point - e.g. main entrance / fire exit A / loading bay]
- Status during crisis: [open / blocked / compromised]
- Used for evacuation: [yes / no / partial]
- Deviation noted:
- Notes / tool output:
- [access point 2]
Assembly points / muster stations
- [muster point]
- Designated in plan: [yes / no]
- Used / reached:
- Capacity vs. actual:
- Notes / tool output:
Hazard zones identified
- [zone or area]
- Hazard type:
- Controlled / cordoned: [yes / no]
- Notes / tool output:
External-service access
- Emergency vehicle access route:
- Staging area for emergency services:
- Distance from primary emergency services:
03 · Routes & Movement - Phases, Timings, Handovers
Reconstruction of how people, assets, and the incident itself moved through the crisis phases. Clone the block per timeline leg. → feeds §7 Timeline / Reconstructed Sequence of Events, §8 Crisis Response - Activation & Command.
Timeline leg / phase
Clone per discrete phase: pre-crisis / initiation / response / stabilisation / recovery / demobilisation.
- [phase - e.g. Initiation: alarm activation 14:23]
- Planned action / expected state:
- Actual action / observed state:
- On-plan or deviation: [on-plan / deviation / no-plan-applicable]
- Source basis (grade):
- Deviation ref (§10 ID):
- Notes / tool output:
- [phase 2]
Key decision points
- [decision - e.g. CMT activation authorised 14:31]
- Decision maker / role:
- Information available at time:
- Outcome:
- Assessment (timely / delayed / appropriate):
- Notes / tool output:
External-service handover / liaison
- Agency:
- Handover time:
- Handover quality:
- Notes:
04 · Threat Actors & Persons of Interest
People and roles involved in the crisis event and the response - both adverse actors (if applicable) and key response personnel. Clone per individual. → feeds §5 Crisis Overview & Operating Context, §13 Root-Cause Analysis, §16 ACH.
Adverse actors / crisis origin (if applicable)
Relevant when crisis was security-incident, intrusion, cyber-attack, etc.
- [actor / entity - e.g. unknown intruder / threat group / natural hazard source]
- Role in crisis:
- Identity (if known):
- Actions taken:
- Source basis (grade):
- Attribution confidence: [Confirmed / Probable / Possible / Unknown]
- Notes / tool output:
- [actor 2]
Key response personnel
Non-blaming; assess roles and decisions not individuals.
- [role - e.g. Crisis Manager / Incident Commander / First Aider]
- Decision(s) made:
- Timeliness:
- Aligned with plan: [yes / no / partial / no plan]
- Source basis:
- Notes / tool output:
- [role 2]
External agencies / responders
- [agency - e.g. Police / Fire / EMS / Utilities]
- Arrived:
- Actions taken:
- Assessment:
- Notes / tool output:
05 · Threat Landscape - Pre-Crisis History, Incidents, Chatter
What was known or knowable before this crisis: prior incidents, risk assessments, near-misses, threat intelligence, and open-source signals. → feeds §6 Pre-Crisis Baseline & Risk Posture, §15 Red Flag / Systemic-Risk Indicators.
Applicable risk assessments (pre-crisis)
- [assessment - e.g. Site Security Risk Assessment 2024]
- Date / version:
- Coverage of this crisis type: [yes / no / partial]
- Residual risk acceptance stated:
- Source:
- Notes / tool output:
Prior incidents (same type or same site)
- [incident - e.g. minor fire alarm Q1-2025]
- Date / location:
- Response outcome:
- Lesson documented at the time: [yes / no]
- Notes / tool output:
Near-misses / warning signs pre-crisis
- [warning sign or near-miss]:
- Date observed:
- Escalated: [yes / no]
- Notes / tool output:
Open-source signals pre-crisis (if applicable)
Relevant for security / reputational / cyber crises. Tool hints: social monitoring → Brandwatch/Mention; threat intel → threat feeds / dark-web forums.
- [signal - e.g. social media threat post / weather warning]
- Date / source:
- Actioned: [yes / no]
- Notes / tool output:
Training and exercise history
- [exercise - e.g. tabletop drill Nov-2024]
- Scope / crisis type:
- Outcomes / gaps documented:
- Source:
- Notes / tool output:
06 · Vulnerabilities & Attack Surface - Plan Gaps, Process Gaps, Resource Gaps
The pre-existing and response-revealed gaps that enabled or worsened the crisis or degraded the response. → feeds §12 Deficiencies & Gaps, §13 Root-Cause Analysis, §15 Red Flag / Systemic-Risk Indicators.
Plan gaps
- [gap - e.g. no mass-notification protocol for after-hours events]
- Plan affected (name/version):
- Consequence observed:
- Deficiency ref (§12 ID):
- Notes / tool output:
- [gap 2]
Training / exercise gaps
- [gap - e.g. first-aider ratio below required level]
- Root cause category: [people / process / equipment / training / resource / external]
- Deficiency ref (§12 ID):
- Notes / tool output:
Equipment / resource gaps
- [gap - e.g. AED not accessible from Zone B]
- Deficiency ref:
- Notes / tool output:
Communication system gaps
- [gap - e.g. radio dead-zone in basement]
- Deficiency ref:
- Notes / tool output:
Red flag / systemic-risk indicators
Indicators that a deficiency is recurring or systemic, not a one-off.
- [flag - e.g. same alarm-not-heard failure pattern as 2023 drill]
- Flag type: [recurring-failure / silent-control-failure / near-miss-masked / unescalated-warning]
- Severity: [Critical / High / Elevated / Moderate / Low]
- Basis (cross-ref §):
- Notes / tool output:
07 · Local Environment - Security / Medical / LE / Infrastructure
The supporting environment: what external resources were available, how they performed, and any environmental factors that shaped the crisis or response. → feeds §5 Crisis Overview & Operating Context, §9 Crisis Response - Execution Assessment, §7 Timeline.
Emergency services (local)
- Police response:
- ETA / arrival time:
- Actions taken:
- Assessment:
- Fire / rescue response:
- ETA / arrival time:
- Actions taken:
- Assessment:
- EMS / medical response:
- ETA / arrival time:
- Triage / treatment actions:
- Patients transported:
- Assessment:
Medical resources (on-site)
- First-aiders available:
- AED(s) accessible: [yes / no / not applicable]
- First-aid kit(s) stocked:
- Triage area designated: [yes / no]
Infrastructure factors
- Power: [maintained / partial loss / full loss]
- Communications (phones / radios): [maintained / degraded / failed]
- IT / data systems: [maintained / degraded / offline]
- CCTV / access control: [maintained / degraded / offline]
- Environmental factor (weather / utilities):
Business continuity / recovery environment
- Backup site / continuity plan activated: [yes / no / partial]
- Recovery time objective met: [yes / no]
- Business continuity contacts:
- Notes:
08 · Digital & Social Signals - Communications, Logs, Open-Source
All digital records and open-source signals relevant to the reconstruction: internal logs, call recordings, footage, and external social / media signals during and after the crisis. → feeds §7 Timeline, §8 Crisis Response - Activation & Command, §20 Annex A Sources & Methodology.
Internal digital records
Core evidence for timeline reconstruction.
- [record - e.g. CCTV footage Block A 14:00–16:00]
- Date / time range:
- Custody / location:
- Reviewed: [yes / no]
- Reliability grade:
- Notes / tool output:
- [record 2 - e.g. access-control system logs]
- [record 3 - e.g. call recordings - CMT hotline]
- [record 4 - e.g. incident management system entries]
- [record 5 - e.g. fire alarm / building-management system logs]
External communications issued
- [communication - e.g. staff SMS alert 14:35]
- Channel:
- Time sent:
- Accuracy / consistency with plan:
- Notes / tool output:
- [communication 2 - e.g. media statement]
Social media / open-source crisis signals
For real-time chatter, witness posts, reputational spread. Tool hints: social monitoring → CrowdTangle/Brandwatch/Mention/TweetDeck saved searches; people-search → public posts on X/Facebook/Instagram.
- [platform / search - e.g. X search: “[facility name] fire”]
- Signal found:
- Date / time:
- Significance:
- Notes / tool output:
Insurance / legal / regulatory notifications issued
- Notification to insurer: [yes / no / date]
- Notification to regulator: [yes / no / date]
- Litigation-hold confirmed: [yes / no]
- Notes:
09 · Indicators & Warnings - Sustainments, ACH Hypotheses, KAC Assumptions
The analytic layer: confirmed sustainments (what worked), competing hypotheses for contested events, and key assumptions underpinning the reconstruction. → feeds §11 Sustainments, §12 Deficiencies & Gaps, §16 ACH, §17 KAC.
Sustainments (What Worked)
Clone per sustainment.
- [sustainment - e.g. evacuation of Zone A completed within 4 minutes]
- Enabling factor:
- How to institutionalise:
- Cross-ref (§11 ID):
- Notes / tool output:
- [sustainment 2]
Deficiencies (What to Improve)
Clone per deficiency; root cause in §13.
- [deficiency - e.g. CMT activation delayed by 18 minutes]
- Observed / potential consequence:
- Function affected:
- Root cause category: [people / process / equipment / information / coordination / external / plan-gap / training-gap / resource-gap]
- Cross-ref (§12 ID / §13):
- Notes / tool output:
- [deficiency 2]
ACH - Competing Hypotheses (contested events)
Clone per contested fact or root-cause dispute.
- [contested event - e.g. failure to evacuate south wing]
- H1 (hypothesis 1):
- H2 (hypothesis 2):
- H3 (hypothesis 3):
- Most diagnostic evidence:
- Hypothesis assessment:
- Notes / tool output:
KAC - Key Assumptions
- [assumption - e.g. crisis plan in force was the current approved version]
- Basis:
- Confidence: [H / M / L]
- Impact if wrong:
- Notes:
- [assumption 2 - e.g. all material records were preserved and not destroyed]
- [assumption 3 - e.g. witness accounts are not shaped by litigation concern]
- [assumption 4 - e.g. this crisis is representative of the org’s preparedness posture]
99 · Collection Admin
Working register - not a deliverable section, but the audit trail behind the after-action report. Feeds §20 Annex A Sources & Methodology and Appendices B–G.
Source register
Every material datum traceable to a graded source. Admiralty A–F (reliability) / 1–6 (credibility).
- [S-1 - source / record name]
- Type: [CCTV / call recording / incident report / interview / log / alarm-system / public record / media / other]
- Reliability (A–F) / Credibility (1–6):
- Date of record:
- Date accessed / reviewed:
- Custodian / location:
- Litigation-hold applies: [yes / no / unknown]
- [S-2]
- [S-3 - interviews: note consent, role, date, interviewer]
Evidence archive
Hash + URL / file path + timestamp for each captured item. Chain-of-custody pointer → Appendix D.
- [screenshot / capture ref + hash + file path + timestamp]:
Personnel & role index
Non-blame; roles only. → Appendix B.
- [Role - e.g. Crisis Manager]
- Decisions / actions in scope:
- Interview conducted: [yes / no / pending]
Open gaps / RFIs (running)
- [gap - e.g. basement CCTV footage not yet recovered] → Priority: [H/M/L] → Recommended collection:
- [gap - e.g. interview with senior facilities manager pending consent]
- [gap - concurrent investigation restriction - confirm with counsel]
Concurrent processes (flag)
- Litigation-hold in effect: [yes / no / unknown]
- Insurance claim open: [yes / no]
- Regulatory / enforcement inquiry: [yes / no]
- Criminal investigation: [yes / no]
- Counsel coordinating: [yes / no]
Revision history
→ Appendix G.
- [v0.1 - date - initial collection open]: