[SUBJECT] - Collection Map

OSINT-012 Continuous Re-Vetting & Insider-Threat Monitoring - collection workspace. Central topic = the monitored subject (employee / contractor / access-holder). This is a standing subscription workspace: branches are persistent watch lanes, not one-off data-point dumps. Each collected value is a child node; expand it with source, date observed, and significance. Paste raw tool output into the node’s Notes field. → feeds deliverable OSINT-012. Seeding product: OSINT-007 pre-employment screening baseline (or OSINT-008/009 as applicable).

00 · Collection Plan - PIRs & EEIs

The questions this re-vetting subscription must answer on a continuous basis. Tick when satisfied at each refresh cycle; re-open on any new signal. → drives §1 Watch Criteria/Tripwires, §4 Escalation & Notification Triggers, and each periodic reporting product (§3).

  • EEI: criminal court records checked in all relevant jurisdictions → §1 Watch item #1
  • EEI: civil litigation (plaintiff / defendant / judgment) → §1 Watch item #1
  • EEI: regulatory or professional-conduct action → §1 Watch item #1
  • EEI: sanctions / watchlist status change (OFAC, EU, UK, UN, Interpol) → §1 Watch item #1; 08 · Legal & Derogatory

PIR-2 - Credential & Cyber Exposure: is the subject’s digital identity compromised or newly exposed?

  • EEI: email / username appearing in breach or paste dumps → §1 Watch item #2
  • EEI: dark-web credential listing or access-sale chatter → §1 Watch item #2
  • EEI: new account creation or handle changes post-baseline → §1 Watch item #2; 04 · Digital Footprint

PIR-3 - Financial Integrity: are there indicators of financial distress, unexplained enrichment, or coercive vulnerability?

  • EEI: public bankruptcy, foreclosure, or lien filing → §1 Watch item #3
  • EEI: sudden asset acquisition or lifestyle shift misaligned with declared income → §1 Watch item #7
  • EEI: corporate / directorship changes (new entities, officer roles) → §1 Watch item #7; 07 · Financial & Lifestyle Indicators
  • EEI: extremist, violence-sympathetic, or insider-threat-indicative social media posts → §1 Watch item #5
  • EEI: organisational grievance expression or disaffection signals → §1 Watch item #5
  • EEI: new associations with high-risk actors or organisations → §1 Watch item #5; 05 · Network & Associations

PIR-5 - Employment & Access Status: has the subject’s employment, credentials, or access footprint changed?

  • EEI: employment status (termination, resignation, role change) → §1 Watch item #6
  • EEI: professional licence / clearance revocation → §1 Watch item #6; 06 · Employment, Education & Affiliations
  • EEI: unauthorised or unreported secondary employment or directorship → §1 Watch item #6; 06 · Employment, Education & Affiliations

PIR-6 - Travel & Geopolitical Exposure: has the subject travelled to or established contact with sanctioned / hostile areas?

  • EEI: international travel to sanctioned, hostile, or restricted-country destinations → §1 Watch item #4
  • EEI: travel pattern anomalies vs. declared itinerary → §1 Watch item #4; 10 · Pattern of Life
  • EEI: contact with persons of interest linked to hostile state actors → §1 Watch item #4; 05 · Network & Associations

Collection gaps / RFIs (running)

  • [open item] → route to [product]
  • [open item]

00b · Monitoring Cadence & Triggers

This is a retained continuous service. This branch defines the standing watch posture, refresh intervals, and escalation thresholds. Operators update this branch at service review (→ §6 Review & Renewal) and whenever a watch item is added or retired via change-control.

Watch items - standing list

Mirror §1 of the deliverable. Each row is a live watch item; clone per subject in the population.

  • [Watch item - e.g. Criminal records / new charges]
    • Tripwire threshold:
    • Severity tier (L×I band):
    • Collection lane (→ §2):
    • Last checked:
    • Current status: [Clear / Flagged / Pending]
    • Notes:
  • [Watch item - e.g. Credential / breach exposure]
    • Tripwire threshold:
    • Severity tier (L×I band):
    • Collection lane (→ §2):
    • Last checked:
    • Current status: [Clear / Flagged / Pending]
    • Notes:
  • [Watch item - e.g. Adverse media / financial distress]
    • Tripwire threshold:
    • Severity tier (L×I band):
    • Collection lane (→ §2):
    • Last checked:
    • Current status: [Clear / Flagged / Pending]
    • Notes:
  • [Watch item - e.g. Travel anomalies / high-risk destination]
    • Tripwire threshold:
    • Severity tier (L×I band):
    • Collection lane (→ §2):
    • Last checked:
    • Current status: [Clear / Flagged / Pending]
    • Notes:
  • [Watch item - e.g. Social media red flags]
    • Tripwire threshold:
    • Severity tier (L×I band):
    • Collection lane (→ §2):
    • Last checked:
    • Current status: [Clear / Flagged / Pending]
    • Notes:
  • [Watch item - e.g. Employment / access status change]
    • Tripwire threshold:
    • Severity tier (L×I band):
    • Collection lane (→ §2):
    • Last checked:
    • Current status: [Clear / Flagged / Pending]
    • Notes:
  • [Watch item - e.g. Financial irregularity / unexplained enrichment]
    • Tripwire threshold:
    • Severity tier (L×I band):
    • Collection lane (→ §2):
    • Last checked:
    • Current status: [Clear / Flagged / Pending]
    • Notes:

Refresh cadence schedule

  • Criminal / legal lane cadence: ← e.g. monthly
  • Credential / breach lane cadence: ← e.g. real-time + weekly digest
  • Adverse media lane cadence: ← e.g. daily / weekly
  • Travel / sanctions lane cadence: ← e.g. monthly
  • Social media lane cadence: ← e.g. continuous + daily review
  • Employment / corporate lane cadence: ← e.g. quarterly
  • Financial indicators lane cadence: ← e.g. quarterly / semi-annual

Alert thresholds (risk scoring: L×I; 1–25)

Risk scoring key (verbatim from §4): Likelihood (1–5) × Impact (1–5) = 1–25; 1–5 Low · 6–10 Moderate · 11–15 Elevated · 16–20 High · 21–25 Critical.

  • Critical (21–25): ← immediate phone + secure email; ack within 1 hour
  • High (16–20): ← secure email + follow-up call within 4 hours; ack within 24 hours
  • Elevated (11–15): ← secure email + daily check-in; ack within 48 hours
  • Moderate / Low (1–10): ← weekly summary / included in periodic report; ack within 7 days

Escalation path

→ §4 Escalation & Notification Triggers

  • Tier 1 - Critical: Notify [contact name / role]:
  • Tier 2 - High: Notify [contact name / role]:
  • Tier 3 - Elevated: Notify [contact name / role]:
  • Tier 4 - Moderate/Low: Notify [contact name / role]:
  • Escalation to sibling products:
    • OSINT-005 Detailed Subject Investigation (on tripwire fire requiring deep-dive)
    • OSINT-051 Protective Intelligence Assessment (on threat-actor or protective concern)
    • → HR / Legal partner:

Periodic product schedule

  • Quarterly re-vetting summary due:
  • Semi-annual / annual full re-screen due:
  • Service health / SLA report due:
  • Formal service review (→ §6) due:

01 · Identity & Biographic

Baseline identity anchors from seeding product (OSINT-007/008/009). Refresh only when a change signal fires. → feeds §1 Watch Criteria (identity verification) and onboarding checklist (Annex B).

Names

  • Full legal name:
  • Middle name / initial:
  • Maiden / former name:
  • AKA / aliases:
  • Transliterations / native script:

Birth & nationality

  • DOB / YOB:
  • Place of birth:
  • Nationality / citizenship(s):
  • Government / national ID (partial/redacted):

Physical description

  • Description:
  • Distinguishing features:
  • Languages spoken:

Baseline verification status

  • Seeding product (DID + date):
  • Baseline confirmed by:
  • Next mandatory full re-screen date:

02 · Contact & Selectors

Pivot core for continuous monitoring. Each selector is a standing watch item - changes or new selectors are tripwire signals. Clone the sub-block per value. → feeds §1 Watch item #2 (credential/breach), §2 Collection Cadence, §4 Digital Footprint lane.

Phone numbers

→ PIR-2 credential exposure; check against caller-ID and leak databases at each cadence.

  • [number - e.g. +1 555-0142]
    • Type / carrier: [mobile / landline / VoIP]
    • Linked accounts / apps:
    • Where found (source + URL):
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Last verified:
    • Change since baseline: [No change / Changed - detail below]
    • Notes / tool output: ← truecaller, sync.me, carrier lookup
  • [number 2]

Email addresses

→ PIR-2; breach-monitor at each cadence cycle.

  • [email]
    • Linked accounts (acct discovery):
    • Breach / paste appearances:
    • Where found (source + URL):
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Last breach-checked:
    • Change since baseline: [No change / New / Retired]
    • Notes / tool output: ← holehe, h8mail, hunter.io, HaveIBeenPwned
  • [email 2]

Usernames / handles

→ PIR-2, PIR-4; platform-sweep at each social media cadence cycle.

  • [handle - e.g. csmith200]
    • Platforms / where found (URL):
    • Linked email(s):
    • Linked phone(s):
    • Other accounts reusing it:
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Last swept:
    • Change since baseline: [No change / New / Retired / Renamed]
    • Notes / tool output: ← idcrawl, sherlock, whatsmyname
  • [handle 2]

03 · Addresses & Locations

→ feeds §1 Watch item #4 (travel anomalies), §10 Pattern of Life. Address changes are a re-vetting signal; flag if inconsistent with declared residence.

Current address

  • [address]
    • Dates associated:
    • Basis / source:
    • Confidence: [H/M/L]
    • Change since baseline: [No change / Changed]

Previous addresses

  • [address]
    • Dates:
    • Source:

Other associated locations

  • [location - work / frequented / travel hub]
    • Type:
    • Basis:

04 · Digital Footprint

→ feeds PIR-2 (credential/breach exposure), PIR-4 (behavioural signals), §2 Collection Cadence (social media lane). New accounts or handle retirements are change signals; content is scanned for insider-threat indicators.

Social media accounts

Clone per platform. Flag any new account or content anomaly immediately.

  • [platform - Facebook / X / Instagram / LinkedIn / TikTok / Telegram / other]
    • Handle / URL:
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Status: [Active / Dormant / New since baseline / Deleted]
    • Content flags (ideological / threat / grievance signals):
    • Last reviewed:
    • Notes:

Websites / domains

  • [domain]
    • Registrant / WHOIS:
    • Hosting / IP:
    • Change since baseline:
    • Notes:

Forums / communities

  • [site + handle]:

Breach / paste / dark-web credential exposure

→ PIR-2; continuous lane. New hit = tripwire fire (§1 Watch item #2).

  • [indicator - e.g. email:password in breach corpus]
    • Source / corpus:
    • Date observed:
    • Severity assessment:
    • Escalated: [Yes / No / Pending]
    • Notes / tool output: ← HaveIBeenPwned, h8mail, IntelX, dehashed

Data-broker / public-records exposure

  • [indicator]
    • Source:
    • Date observed:
    • Significance:

05 · Network & Associations

→ feeds PIR-4 (behavioural), PIR-6 (hostile-actor contact). New or changed associations with PEPs, sanctioned entities, or known hostile-actor adjacent individuals are immediate tripwire signals. → §4 Escalation & Notification Triggers; Network & Associations section of seeding product (OSINT-007/008/009).

Family & household

  • [name]
    • Relationship:
    • Basis / source:
    • Confidence: [H/M/L]
    • Change since baseline: [No change / New / Changed]

Business / professional associates

→ flag any new association with sanctioned parties, PEPs, or entities in hostile jurisdictions.

  • [name]
    • Relationship:
    • Basis:
    • Sanctions / PEP status: [Clear / Flagged]
    • Change since baseline: [No change / New / Changed]

Social / other

  • [name]
    • Relationship:
    • Risk signal:

Hostile-actor / insider-threat-relevant contacts

New entry = high-priority tripwire. → §4 Tier Critical/High escalation.

  • [name or entity]
    • Nature of contact:
    • Source / evidence:
    • Escalation status:

06 · Employment, Education & Affiliations

→ feeds PIR-5 (employment / access status). Employment status change, unreported secondary employment, or credential/licence revocation = tripwire. → §1 Watch item #6, §2 Employment/corporate lane, Annex B onboarding/offboarding.

Current employment (monitored role)

  • Employer:
    • Role / title:
    • Access level / clearance:
    • Start date:
    • Status: [Active / On leave / Terminated / Resigned]
    • Change since baseline: [No change / Changed - detail below]

Secondary employment / directorships

Unreported secondary roles = PIR-5 tripwire.

  • [employer / entity]
    • Role / stake:
    • Declared to employer: [Yes / No / Unknown]
    • Source:

Education & credentials

  • [institution]
    • Credential / dates:
    • Verified / claimed:

Professional licences / memberships

  • [licence / body]
    • Status: [Active / Lapsed / Revoked]
    • Last verified:
    • Notes:

Military / government / security-service history

07 · Financial & Lifestyle Indicators

OSINT-visible indicators only. → feeds PIR-3 (financial integrity), §1 Watch items #3 and #7. New property, sudden asset acquisition, or adverse filings = tripwire.

Real property

→ check property registry at each quarterly / semi-annual cadence.

  • [property]
    • Basis / record:
    • Date recorded:
    • Change since baseline: [No change / New / Disposed]
    • Confidence: [H/M/L]

Corporate / business interests

→ check company registries (OpenCorporates, national registries) at each cadence.

  • [entity]
    • Role / stake:
    • Registry source:
    • Change since baseline: [No change / New / Changed / Dissolved]

Vehicles

  • [vehicle]
    • VIN:
    • Make / model:
    • Plate:
    • Change since baseline:

Public filings / observable lifestyle

  • [indicator]:
    • Source:
    • Significance:

Financial-stress / adverse indicators

→ PIR-3; bankruptcy/lien filings = §1 Watch item #3 tripwire.

  • [lien / judgment / bankruptcy (public)]
    • Jurisdiction / filing date:
    • Status:
    • Source:
    • Escalated: [Yes / No]

Sudden-enrichment indicators

→ PIR-3; misalignment with declared income = §1 Watch item #7 tripwire.

  • [indicator - e.g. luxury acquisition, overseas transfer visible in public data]
    • Source:
    • Date observed:
    • L×I assessment:

→ feeds PIR-1 (criminal/legal), §1 Watch item #1. All new matters are tripwire fires; grade each and escalate per §4. → Legal & Derogatory section of seeding product (OSINT-007/008/009); Annex A Source Register.

Criminal / court records

Check in all relevant jurisdictions at monthly cadence (→ §2 Criminal lane).

  • [matter]
    • Jurisdiction / case #:
    • Charge / conviction:
    • Status / disposition:
    • Date observed:
    • Source grade (Admiralty):
    • Escalated: [Yes / No / Pending]

Civil litigation

  • [case]
    • Role (plaintiff / defendant):
    • Status / summary:
    • Date observed:

Regulatory / professional actions

Sanctions / PEP / watchlist screening

→ check at each cadence cycle; new hit = immediate Critical/High escalation.

  • OFAC SDN / Consolidated: [Clear / Hit / Near-match]
  • EU / UK / UN / Interpol Red Notice:
  • PEP databases:
  • Last screened:

Adverse media

→ §2 Adverse media lane (daily/weekly cadence).

  • [outlet + date]
    • Substance:
    • Reliability (A–F) / Credibility (1–6):
    • Insider-threat relevance:
    • Escalated: [Yes / No]

09 · Media & Imagery

→ feeds §2 Social media lane; imagery used for identity re-verification at each re-screen cycle and for flagging imposture or identity theft.

Photos of subject

  • [image ref]
    • Source / URL:
    • Date captured:
    • Change since baseline (new images found):
    • Metadata (EXIF):

Avatar / profile picture

  • [image]
    • Reverse-image locations used:
    • New location(s) found:

Video / audio

  • [file]
    • Source / metadata:

10 · Pattern of Life

Open-source only. → feeds PIR-6 (travel/geopolitical), PIR-4 (behavioural anomalies), §1 Watch item #4. Deviations from established pattern are monitoring signals, not findings in themselves - document and flag for analyst review.

Routine & temporal patterns

  • [observed cadence]:

Geographic footprint

  • [habitual location]:

Travel & mobility

→ flag international travel to sanctioned/hostile destinations immediately (§1 Watch item #4).

  • [observed travel - destination / dates]
    • Source:
    • Anomaly vs. pattern: [None / Flag - detail below]
    • Sanctioned / hostile destination: [Yes / No]
    • Escalated: [Yes / No]

Social media pattern anomalies

→ PIR-4; sudden content shift, account deletion, or volume spike = re-vetting signal.

  • [anomaly]:

Anomalies / deviations

  • [departure from established pattern]
    • Date observed:
    • Significance:
    • Analyst note:

99 · Collection Admin

Working register - not a deliverable section, but the audit trail behind all re-vetting activity. → drives Annex A Source & Watch-List Register and Annex B Onboarding / Offboarding checklist in the deliverable.

Source register

Every material datum traceable to a graded source. Use two-character Admiralty code (e.g. B2).

  • [S-1 - source]
    • Type: [Primary / Secondary / Tertiary]
    • Reliability (A–F) / Credibility (1–6):
    • Grade:
    • Date accessed:

Collection lane log

Record each cadence-cycle run per lane (→ §2 deliverable).

  • [Lane - e.g. Criminal records]
    • Last run date:
    • Next due:
    • Result: [Clear / Flagged / Source unavailable]
    • Notes:

Tripwire fires log

Every alert generated under this subscription, with disposition.

  • [TW-001 - date / watch item]
    • Severity tier:
    • Notified party:
    • Notification timestamp:
    • Acknowledgement received:
    • Disposition / outcome:

Evidence archive

  • [screenshot / capture ref + hash + URL + timestamp]:

SLA performance log

Track against §5 Service Levels targets.

  • [Metric]
    • Reporting period:
    • Target:
    • Actual:
    • Miss / remedy:

Open gaps / verification pending

  • [item submitted, not yet returned]

Onboarding / offboarding status

Mirror Annex B of deliverable.

  • Authority/consent + scope sign-off captured:
  • Baseline pre-employment screening ingested (OSINT-007/008/009):
  • Collection lanes stood up + tripwire thresholds set:
  • Escalation paths + contact tree established:
  • Data retention / destruction schedule confirmed:
  • Offboarding / data-purge completed (if applicable):