[SUBJECT] - Collection Map
OSINT-012 Continuous Re-Vetting & Insider-Threat Monitoring - collection workspace. Central topic = the monitored subject (employee / contractor / access-holder). This is a standing subscription workspace: branches are persistent watch lanes, not one-off data-point dumps. Each collected value is a child node; expand it with source, date observed, and significance. Paste raw tool output into the node’s Notes field. → feeds deliverable OSINT-012. Seeding product: OSINT-007 pre-employment screening baseline (or OSINT-008/009 as applicable).
00 · Collection Plan - PIRs & EEIs
The questions this re-vetting subscription must answer on a continuous basis. Tick when satisfied at each refresh cycle; re-open on any new signal. → drives §1 Watch Criteria/Tripwires, §4 Escalation & Notification Triggers, and each periodic reporting product (§3).
PIR-1 - Criminal & Legal: have any new charges, convictions, or civil actions emerged since baseline?
- EEI: criminal court records checked in all relevant jurisdictions → §1 Watch item #1
- EEI: civil litigation (plaintiff / defendant / judgment) → §1 Watch item #1
- EEI: regulatory or professional-conduct action → §1 Watch item #1
- EEI: sanctions / watchlist status change (OFAC, EU, UK, UN, Interpol) → §1 Watch item #1; 08 · Legal & Derogatory
PIR-2 - Credential & Cyber Exposure: is the subject’s digital identity compromised or newly exposed?
- EEI: email / username appearing in breach or paste dumps → §1 Watch item #2
- EEI: dark-web credential listing or access-sale chatter → §1 Watch item #2
- EEI: new account creation or handle changes post-baseline → §1 Watch item #2; 04 · Digital Footprint
PIR-3 - Financial Integrity: are there indicators of financial distress, unexplained enrichment, or coercive vulnerability?
- EEI: public bankruptcy, foreclosure, or lien filing → §1 Watch item #3
- EEI: sudden asset acquisition or lifestyle shift misaligned with declared income → §1 Watch item #7
- EEI: corporate / directorship changes (new entities, officer roles) → §1 Watch item #7; 07 · Financial & Lifestyle Indicators
PIR-4 - Behavioural & Social: has the subject publicly expressed ideological, security-relevant, or threat-related content?
- EEI: extremist, violence-sympathetic, or insider-threat-indicative social media posts → §1 Watch item #5
- EEI: organisational grievance expression or disaffection signals → §1 Watch item #5
- EEI: new associations with high-risk actors or organisations → §1 Watch item #5; 05 · Network & Associations
PIR-5 - Employment & Access Status: has the subject’s employment, credentials, or access footprint changed?
- EEI: employment status (termination, resignation, role change) → §1 Watch item #6
- EEI: professional licence / clearance revocation → §1 Watch item #6; 06 · Employment, Education & Affiliations
- EEI: unauthorised or unreported secondary employment or directorship → §1 Watch item #6; 06 · Employment, Education & Affiliations
PIR-6 - Travel & Geopolitical Exposure: has the subject travelled to or established contact with sanctioned / hostile areas?
- EEI: international travel to sanctioned, hostile, or restricted-country destinations → §1 Watch item #4
- EEI: travel pattern anomalies vs. declared itinerary → §1 Watch item #4; 10 · Pattern of Life
- EEI: contact with persons of interest linked to hostile state actors → §1 Watch item #4; 05 · Network & Associations
Collection gaps / RFIs (running)
- [open item] → route to [product]
- [open item]
00b · Monitoring Cadence & Triggers
This is a retained continuous service. This branch defines the standing watch posture, refresh intervals, and escalation thresholds. Operators update this branch at service review (→ §6 Review & Renewal) and whenever a watch item is added or retired via change-control.
Watch items - standing list
Mirror §1 of the deliverable. Each row is a live watch item; clone per subject in the population.
- [Watch item - e.g. Criminal records / new charges]
- Tripwire threshold:
- Severity tier (L×I band):
- Collection lane (→ §2):
- Last checked:
- Current status: [Clear / Flagged / Pending]
- Notes:
- [Watch item - e.g. Credential / breach exposure]
- Tripwire threshold:
- Severity tier (L×I band):
- Collection lane (→ §2):
- Last checked:
- Current status: [Clear / Flagged / Pending]
- Notes:
- [Watch item - e.g. Adverse media / financial distress]
- Tripwire threshold:
- Severity tier (L×I band):
- Collection lane (→ §2):
- Last checked:
- Current status: [Clear / Flagged / Pending]
- Notes:
- [Watch item - e.g. Travel anomalies / high-risk destination]
- Tripwire threshold:
- Severity tier (L×I band):
- Collection lane (→ §2):
- Last checked:
- Current status: [Clear / Flagged / Pending]
- Notes:
- [Watch item - e.g. Social media red flags]
- Tripwire threshold:
- Severity tier (L×I band):
- Collection lane (→ §2):
- Last checked:
- Current status: [Clear / Flagged / Pending]
- Notes:
- [Watch item - e.g. Employment / access status change]
- Tripwire threshold:
- Severity tier (L×I band):
- Collection lane (→ §2):
- Last checked:
- Current status: [Clear / Flagged / Pending]
- Notes:
- [Watch item - e.g. Financial irregularity / unexplained enrichment]
- Tripwire threshold:
- Severity tier (L×I band):
- Collection lane (→ §2):
- Last checked:
- Current status: [Clear / Flagged / Pending]
- Notes:
Refresh cadence schedule
- Criminal / legal lane cadence: ← e.g. monthly
- Credential / breach lane cadence: ← e.g. real-time + weekly digest
- Adverse media lane cadence: ← e.g. daily / weekly
- Travel / sanctions lane cadence: ← e.g. monthly
- Social media lane cadence: ← e.g. continuous + daily review
- Employment / corporate lane cadence: ← e.g. quarterly
- Financial indicators lane cadence: ← e.g. quarterly / semi-annual
Alert thresholds (risk scoring: L×I; 1–25)
Risk scoring key (verbatim from §4): Likelihood (1–5) × Impact (1–5) = 1–25; 1–5 Low · 6–10 Moderate · 11–15 Elevated · 16–20 High · 21–25 Critical.
- Critical (21–25): ← immediate phone + secure email; ack within 1 hour
- High (16–20): ← secure email + follow-up call within 4 hours; ack within 24 hours
- Elevated (11–15): ← secure email + daily check-in; ack within 48 hours
- Moderate / Low (1–10): ← weekly summary / included in periodic report; ack within 7 days
Escalation path
→ §4 Escalation & Notification Triggers
- Tier 1 - Critical: Notify [contact name / role]:
- Tier 2 - High: Notify [contact name / role]:
- Tier 3 - Elevated: Notify [contact name / role]:
- Tier 4 - Moderate/Low: Notify [contact name / role]:
- Escalation to sibling products:
Periodic product schedule
- Quarterly re-vetting summary due:
- Semi-annual / annual full re-screen due:
- Service health / SLA report due:
- Formal service review (→ §6) due:
01 · Identity & Biographic
Baseline identity anchors from seeding product (OSINT-007/008/009). Refresh only when a change signal fires. → feeds §1 Watch Criteria (identity verification) and onboarding checklist (Annex B).
Names
- Full legal name:
- Middle name / initial:
- Maiden / former name:
- AKA / aliases:
- Transliterations / native script:
Birth & nationality
- DOB / YOB:
- Place of birth:
- Nationality / citizenship(s):
- Government / national ID (partial/redacted):
Physical description
- Description:
- Distinguishing features:
- Languages spoken:
Baseline verification status
- Seeding product (DID + date):
- Baseline confirmed by:
- Next mandatory full re-screen date:
02 · Contact & Selectors
Pivot core for continuous monitoring. Each selector is a standing watch item - changes or new selectors are tripwire signals. Clone the sub-block per value. → feeds §1 Watch item #2 (credential/breach), §2 Collection Cadence, §4 Digital Footprint lane.
Phone numbers
→ PIR-2 credential exposure; check against caller-ID and leak databases at each cadence.
- [number - e.g. +1 555-0142]
- Type / carrier: [mobile / landline / VoIP]
- Linked accounts / apps:
- Where found (source + URL):
- Attribution confidence: [Confirmed / Probable / Possible]
- Last verified:
- Change since baseline: [No change / Changed - detail below]
- Notes / tool output: ← truecaller, sync.me, carrier lookup
- [number 2]
Email addresses
→ PIR-2; breach-monitor at each cadence cycle.
- [email]
- Linked accounts (acct discovery):
- Breach / paste appearances:
- Where found (source + URL):
- Attribution confidence: [Confirmed / Probable / Possible]
- Last breach-checked:
- Change since baseline: [No change / New / Retired]
- Notes / tool output: ← holehe, h8mail, hunter.io, HaveIBeenPwned
- [email 2]
Usernames / handles
→ PIR-2, PIR-4; platform-sweep at each social media cadence cycle.
- [handle - e.g. csmith200]
- Platforms / where found (URL):
- Linked email(s):
- Linked phone(s):
- Other accounts reusing it:
- Attribution confidence: [Confirmed / Probable / Possible]
- Last swept:
- Change since baseline: [No change / New / Retired / Renamed]
- Notes / tool output: ← idcrawl, sherlock, whatsmyname
- [handle 2]
03 · Addresses & Locations
→ feeds §1 Watch item #4 (travel anomalies), §10 Pattern of Life. Address changes are a re-vetting signal; flag if inconsistent with declared residence.
Current address
- [address]
- Dates associated:
- Basis / source:
- Confidence: [H/M/L]
- Change since baseline: [No change / Changed]
Previous addresses
- [address]
- Dates:
- Source:
Other associated locations
- [location - work / frequented / travel hub]
- Type:
- Basis:
04 · Digital Footprint
→ feeds PIR-2 (credential/breach exposure), PIR-4 (behavioural signals), §2 Collection Cadence (social media lane). New accounts or handle retirements are change signals; content is scanned for insider-threat indicators.
Social media accounts
Clone per platform. Flag any new account or content anomaly immediately.
- [platform - Facebook / X / Instagram / LinkedIn / TikTok / Telegram / other]
- Handle / URL:
- Attribution confidence: [Confirmed / Probable / Possible]
- Status: [Active / Dormant / New since baseline / Deleted]
- Content flags (ideological / threat / grievance signals):
- Last reviewed:
- Notes:
Websites / domains
- [domain]
- Registrant / WHOIS:
- Hosting / IP:
- Change since baseline:
- Notes:
Forums / communities
- [site + handle]:
Breach / paste / dark-web credential exposure
→ PIR-2; continuous lane. New hit = tripwire fire (§1 Watch item #2).
- [indicator - e.g. email:password in breach corpus]
- Source / corpus:
- Date observed:
- Severity assessment:
- Escalated: [Yes / No / Pending]
- Notes / tool output: ← HaveIBeenPwned, h8mail, IntelX, dehashed
Data-broker / public-records exposure
- [indicator]
- Source:
- Date observed:
- Significance:
05 · Network & Associations
→ feeds PIR-4 (behavioural), PIR-6 (hostile-actor contact). New or changed associations with PEPs, sanctioned entities, or known hostile-actor adjacent individuals are immediate tripwire signals. → §4 Escalation & Notification Triggers; Network & Associations section of seeding product (OSINT-007/008/009).
Family & household
- [name]
- Relationship:
- Basis / source:
- Confidence: [H/M/L]
- Change since baseline: [No change / New / Changed]
Business / professional associates
→ flag any new association with sanctioned parties, PEPs, or entities in hostile jurisdictions.
- [name]
- Relationship:
- Basis:
- Sanctions / PEP status: [Clear / Flagged]
- Change since baseline: [No change / New / Changed]
Social / other
- [name]
- Relationship:
- Risk signal:
Hostile-actor / insider-threat-relevant contacts
New entry = high-priority tripwire. → §4 Tier Critical/High escalation.
- [name or entity]
- Nature of contact:
- Source / evidence:
- Escalation status:
06 · Employment, Education & Affiliations
→ feeds PIR-5 (employment / access status). Employment status change, unreported secondary employment, or credential/licence revocation = tripwire. → §1 Watch item #6, §2 Employment/corporate lane, Annex B onboarding/offboarding.
Current employment (monitored role)
- Employer:
- Role / title:
- Access level / clearance:
- Start date:
- Status: [Active / On leave / Terminated / Resigned]
- Change since baseline: [No change / Changed - detail below]
Secondary employment / directorships
Unreported secondary roles = PIR-5 tripwire.
- [employer / entity]
- Role / stake:
- Declared to employer: [Yes / No / Unknown]
- Source:
Education & credentials
- [institution]
- Credential / dates:
- Verified / claimed:
Professional licences / memberships
- [licence / body]
- Status: [Active / Lapsed / Revoked]
- Last verified:
- Notes:
Military / government / security-service history
07 · Financial & Lifestyle Indicators
OSINT-visible indicators only. → feeds PIR-3 (financial integrity), §1 Watch items #3 and #7. New property, sudden asset acquisition, or adverse filings = tripwire.
Real property
→ check property registry at each quarterly / semi-annual cadence.
- [property]
- Basis / record:
- Date recorded:
- Change since baseline: [No change / New / Disposed]
- Confidence: [H/M/L]
Corporate / business interests
→ check company registries (OpenCorporates, national registries) at each cadence.
- [entity]
- Role / stake:
- Registry source:
- Change since baseline: [No change / New / Changed / Dissolved]
Vehicles
- [vehicle]
- VIN:
- Make / model:
- Plate:
- Change since baseline:
Public filings / observable lifestyle
- [indicator]:
- Source:
- Significance:
Financial-stress / adverse indicators
→ PIR-3; bankruptcy/lien filings = §1 Watch item #3 tripwire.
- [lien / judgment / bankruptcy (public)]
- Jurisdiction / filing date:
- Status:
- Source:
- Escalated: [Yes / No]
Sudden-enrichment indicators
→ PIR-3; misalignment with declared income = §1 Watch item #7 tripwire.
- [indicator - e.g. luxury acquisition, overseas transfer visible in public data]
- Source:
- Date observed:
- L×I assessment:
08 · Legal & Derogatory
→ feeds PIR-1 (criminal/legal), §1 Watch item #1. All new matters are tripwire fires; grade each and escalate per §4. → Legal & Derogatory section of seeding product (OSINT-007/008/009); Annex A Source Register.
Criminal / court records
Check in all relevant jurisdictions at monthly cadence (→ §2 Criminal lane).
- [matter]
- Jurisdiction / case #:
- Charge / conviction:
- Status / disposition:
- Date observed:
- Source grade (Admiralty):
- Escalated: [Yes / No / Pending]
Civil litigation
- [case]
- Role (plaintiff / defendant):
- Status / summary:
- Date observed:
Regulatory / professional actions
Sanctions / PEP / watchlist screening
→ check at each cadence cycle; new hit = immediate Critical/High escalation.
- OFAC SDN / Consolidated: [Clear / Hit / Near-match]
- EU / UK / UN / Interpol Red Notice:
- PEP databases:
- Last screened:
Adverse media
→ §2 Adverse media lane (daily/weekly cadence).
- [outlet + date]
- Substance:
- Reliability (A–F) / Credibility (1–6):
- Insider-threat relevance:
- Escalated: [Yes / No]
09 · Media & Imagery
→ feeds §2 Social media lane; imagery used for identity re-verification at each re-screen cycle and for flagging imposture or identity theft.
Photos of subject
- [image ref]
- Source / URL:
- Date captured:
- Change since baseline (new images found):
- Metadata (EXIF):
Avatar / profile picture
- [image]
- Reverse-image locations used:
- New location(s) found:
Video / audio
- [file]
- Source / metadata:
10 · Pattern of Life
Open-source only. → feeds PIR-6 (travel/geopolitical), PIR-4 (behavioural anomalies), §1 Watch item #4. Deviations from established pattern are monitoring signals, not findings in themselves - document and flag for analyst review.
Routine & temporal patterns
- [observed cadence]:
Geographic footprint
- [habitual location]:
Travel & mobility
→ flag international travel to sanctioned/hostile destinations immediately (§1 Watch item #4).
- [observed travel - destination / dates]
- Source:
- Anomaly vs. pattern: [None / Flag - detail below]
- Sanctioned / hostile destination: [Yes / No]
- Escalated: [Yes / No]
Social media pattern anomalies
→ PIR-4; sudden content shift, account deletion, or volume spike = re-vetting signal.
- [anomaly]:
Anomalies / deviations
- [departure from established pattern]
- Date observed:
- Significance:
- Analyst note:
99 · Collection Admin
Working register - not a deliverable section, but the audit trail behind all re-vetting activity. → drives Annex A Source & Watch-List Register and Annex B Onboarding / Offboarding checklist in the deliverable.
Source register
Every material datum traceable to a graded source. Use two-character Admiralty code (e.g. B2).
- [S-1 - source]
- Type: [Primary / Secondary / Tertiary]
- Reliability (A–F) / Credibility (1–6):
- Grade:
- Date accessed:
Collection lane log
Record each cadence-cycle run per lane (→ §2 deliverable).
- [Lane - e.g. Criminal records]
- Last run date:
- Next due:
- Result: [Clear / Flagged / Source unavailable]
- Notes:
Tripwire fires log
Every alert generated under this subscription, with disposition.
- [TW-001 - date / watch item]
- Severity tier:
- Notified party:
- Notification timestamp:
- Acknowledgement received:
- Disposition / outcome:
Evidence archive
- [screenshot / capture ref + hash + URL + timestamp]:
SLA performance log
Track against §5 Service Levels targets.
- [Metric]
- Reporting period:
- Target:
- Actual:
- Miss / remedy:
Open gaps / verification pending
- [item submitted, not yet returned]
Onboarding / offboarding status
Mirror Annex B of deliverable.
- Authority/consent + scope sign-off captured:
- Baseline pre-employment screening ingested (OSINT-007/008/009):
- Collection lanes stood up + tripwire thresholds set:
- Escalation paths + contact tree established:
- Data retention / destruction schedule confirmed:
- Offboarding / data-purge completed (if applicable):