[RESIDENTIAL ASSET] - Collection Map
OSINT-045 Continuous Residential Threat Monitoring - collection workspace. Central topic = the monitored residential asset (primary residence, secondary property, or estate). Branches = watch-item categories and operational data-point lanes. Drop each collected value as a child node; expand with where it was found and when. Paste raw tool output into node Notes. → feeds deliverable OSINT-045. NOTE: Seeded by OSINT-043 baseline assessment; this workspace tracks ongoing watch, not the one-off baseline.
00 · Collection Plan - PIRs & EEIs
The questions this standing watch must answer + the essential elements of information (EEI) for each. Tick as satisfied on each collection cycle. → drives §1 Scope & Watch Criteria/Tripwires, §4 Escalation & Notification Triggers, §5 Service Levels.
PIR-1 - Threat Actor Activity: are any known or emergent threat actors targeting or surveilling the residential asset?
- EEI: threat actor names / handles from baseline watch list (OSINT-043) re-observed in new contexts
- EEI: new actors or groups referencing the property, address, or principal
- EEI: physical surveillance indicators (vehicles, foot traffic anomalies) reported via open sources
- EEI: online chatter or dark-web discussion referencing the address or principal’s residence
PIR-2 - Address / PII Exposure: has the residential address or principal’s PII surfaced on new data-broker or public-record sources?
- EEI: address appears on newly indexed data-broker listings
- EEI: address appears in breach/paste dumps
- EEI: satellite or street-view imagery updated and now reveals security features
- EEI: property records / title filings expose the principal’s name + address
PIR-3 - Online Threat Signals: is there adverse content, threat language, or targeting chatter directed at the principal tied to the residential location?
- EEI: social media posts referencing principal’s home neighbourhood, address, or routines
- EEI: forum / dark-web posts expressing intent or sharing location intelligence
- EEI: adverse-media articles that disclose the address or identify the residence
- EEI: photo / video content geotagged to the property or immediate vicinity
PIR-4 - Physical-Environment Change: has the local threat or vulnerability environment around the property changed materially?
- EEI: crime incidents within defined radius (public police logs / blotter / Nixle)
- EEI: protest / civil unrest events in the locality
- EEI: construction / infrastructure changes affecting ingress/egress routes
- EEI: new commercial tenants / vacant properties adjacent that alter the exposure profile
PIR-5 - Service Health: are all collection lanes operating within SLA?
- EEI: each §2 collection lane checked and producing signal within cadence window
- EEI: source-grade degradation noted for any standing source
- EEI: any collection gap or access interruption logged and escalated
Collection gaps / RFIs (running)
- [open item] → route to §6 Review & Renewal / watch-list change-control
- [open item]
00b · Monitoring Cadence & Triggers
Continuous/retained service - cadence and tripwire registry. → drives §2 Collection Cadence & Sources, §3 Reporting Cadence & Product Format, §4 Escalation & Notification Triggers.
Watch-item registry (active)
One sub-block per §1 watch item. Clone per item. Risk score = Likelihood (1–5) × Impact (1–5).
- [Watch item - e.g. new address data-broker listing]
- Observable indicator:
- Tripwire threshold:
- Likelihood (1–5):
- Impact (1–5):
- L×I score:
- Severity tier: [Critical / High / Elevated / Moderate / Low]
- Assigned escalation route (→ §4):
- Notes / tool output:
- [Watch item 2]
Refresh cadence by lane
- Continuous (real-time / near-real-time):
- Hourly:
- Daily:
- Weekly:
- Monthly / ad hoc:
Alert thresholds (L×I bands)
- Critical (21–25): immediate escalation, page primary contact
- High (16–20): alert within defined SLA window
- Elevated (11–15): include in next scheduled product cycle
- Moderate / Low (1–10): log in routine periodic summary
Escalation path
- Tier 1 - Critical:
- Tier 2 - High:
- Tier 3 - Elevated:
- Tier 4 - Routine:
Alert-delivery SLA targets
- Critical alert delivery time:
- High alert delivery time:
- Routine product delivery schedule:
01 · Principal / Protectee & Residential Asset Detail
Anchor nodes for the monitored asset and the principal(s) whose safety it serves. → feeds §1 Scope & Watch Criteria/Tripwires (watch-item rows) and Document Control.
Residential asset
- Property address (full / redacted):
- Property type: [primary residence / secondary / estate / other]
- Ownership / title entity:
- Occupancy status: [full-time / part-time / seasonal]
- Staff / household members on site:
- Seeding baseline reference (OSINT-043):
Principal(s) / protectee(s)
- [Principal name / code name]
- Role: [e.g. client / family member / VIP]
- Primary residence confirmed:
- Digital selectors on watch (→ §08):
- Known travel pattern affecting occupancy:
- Notes:
- [Principal 2]
Service metadata
- Engagement authority / consent reference:
- Term / period of performance:
- Service owner / operator:
02 · Venue & Geography - Property & Perimeter
Physical and geospatial data for the monitored property. → feeds §1 Watch Criteria (perimeter/ingress watch items), §4 Escalation.
Property footprint
- Plot / parcel reference:
- Lot boundaries / fencing / walls:
- Neighbouring properties (immediate):
- Street address visible from public way: [Yes / No / Partially]
Ingress & egress points
- [entry/exit - e.g. main gate, service entrance, side pedestrian gate]
- Type:
- Public visibility:
- OSINT-observable security feature (if any):
- Notes:
- [entry/exit 2]
Satellite / aerial imagery baseline
- [image capture ref]
- Source / date:
- Coverage / resolution:
- Changes noted vs. prior capture:
- Notes / tool output: ← (Google Maps, Bing, Sentinel Hub, Maxar public layer)
Geospatial exposure
- Street-view indexed: [Yes / No / Partial]
- Geotagged social content at property: [Yes / No - count]
- Adjacent public surveillance / CCTV visible:
03 · Routes & Movement
Principal movement patterns and routes observable via open sources. → feeds §1 Watch Criteria (route / pattern-of-life watch items), §4 Escalation.
Habitual commute / movement legs
Clone per leg. OSINT only - no physical surveillance.
- [leg - e.g. residence → workplace]
- Route (public-source basis):
- Frequency:
- Observable timing:
- Public-transit / vehicle dependency:
- Exposure windows noted:
- Notes / tool output:
- [leg 2]
Ingress / egress chokepoints
- [chokepoint location]
- Type:
- Dwell time observable:
- Threat relevance:
Travel / occupancy calendar (OSINT-observable)
- [observed absence / travel indicator]
- Source:
- Date range:
- Occupancy impact:
Anomalies / deviations from baseline
- [deviation from known pattern]:
04 · Threat Actors & Persons of Interest
Individuals or groups posing or potentially posing a threat to the residential asset or principal. Clone per actor. → feeds §1 Watch Criteria (threat-actor rows), §4 Escalation.
Threat actor / person of interest (POI)
Clone the block per actor. Source every attribution.
- [Actor name / handle / description]
- Actor type: [stalker / ex-partner / protest organiser / criminal / unknown]
- Threat basis (source + date):
- Known selectors (handles / emails / phones):
- Last observed activity (date + source):
- Geographic proximity to asset:
- Severity tier assigned (→ §4):
- Attribution confidence: [Confirmed / Probable / Possible]
- Notes / tool output: ← (social media search, court records, people-search - Spokeo/BeenVerified/public records)
- [Actor 2]
Watch-list additions / removals (log)
- [actor added / retired]
- Date:
- Reason:
- Authorised by:
05 · Threat Landscape - Incidents, History & Online Chatter
Observed threat signals and historical incident data for the residential area and principal. → feeds §1 Watch Criteria (chatter / incident watch items), §3 Reporting, §4 Escalation.
Local incident log (area crime / civil unrest)
Clone per incident. Radius to be defined in §1.
- [incident - e.g. vehicle break-in, protest event, harassment report]
- Date / time:
- Location relative to property:
- Source (public police log / Nixle / news):
- Relevance to asset:
- Escalated: [Yes / No]
- Notes / tool output: ← (local PD blotter, Nixle/Citizen/Nextdoor public feeds, local news)
- [incident 2]
Online chatter & social media signals
- [signal - e.g. post referencing address or principal]
- Platform:
- Handle / account:
- Date observed:
- Content summary:
- Tripwire fired: [Yes / No - which]
- Notes / tool output: ← (Twitter/X advanced search, Google dork, Reddit search, Telegram public channels)
- [signal 2]
Dark-web & forum mentions
- [mention]
- Source (forum / market / paste site):
- Date observed:
- Content summary:
- Severity assessment:
- Notes / tool output: ← (Ahmia, dark-web monitors, DarkOwl-tier sources if subscribed)
- [mention 2]
Historical threat events (from OSINT-043 baseline)
- [prior incident]
- Date:
- Type:
- Resolution / outcome:
06 · Vulnerabilities & Attack Surface
Open-source visible vulnerabilities of the property and the principal’s OSINT exposure that feed watch items. → feeds §1 Watch Criteria (exposure/vulnerability rows), §6 Review & Renewal.
Address / PII exposure
- [exposure vector - e.g. data-broker listing]
- Source:
- Date first observed:
- Date last confirmed:
- Suppression action taken: [Yes / No / Pending]
- Notes / tool output: ← (Spokeo, Whitepages, BeenVerified, FastPeopleSearch, PeopleFinder, Intelius)
- [exposure vector 2]
Property record / title exposure
- [record type - e.g. county assessor, deeds]
- Jurisdiction:
- Principal name exposed: [Yes / No]
- Ownership structure visible:
- Notes / tool output:
Imagery exposure
- [platform - e.g. Google Street View, Zillow listing, news photo]
- Date indexed / published:
- Features revealed:
- Update frequency / last update:
Social media property references
- [post / account]
- Platform:
- Handle:
- Content:
- Geotagged: [Yes / No]
- Date:
07 · Local Environment - Security, Medical & Infrastructure
Local support environment relevant to the asset’s protection posture. → feeds §1 Watch Criteria (environment-change rows), §4 Escalation (notify targets).
Law enforcement / emergency services
- Nearest police precinct / station:
- Estimated response time:
- Non-emergency contact:
- Recent LE advisories / alerts in area:
Medical facilities
- Nearest hospital / trauma centre:
- Nearest urgent care:
- Distance / estimated travel time:
Infrastructure / utility
- Known outage / construction affecting access routes:
- Critical utility dependencies (power / water):
Community / neighbourhood environment
- Neighbourhood watch / community alert programmes:
- Changes in adjacent occupancy (vacant properties / new businesses):
- Local protest / event schedule (public calendar):
08 · Digital & Social Signals
Ongoing monitoring of the principal’s and the asset’s digital footprint for exposure signals. → feeds PIR-2 (PII exposure), PIR-3 (online threat signals), §1 Watch Criteria, §3 Reporting.
Email / credential monitoring
Clone per email selector.
- [email - e.g. principal@domain.com]
- Breach / paste appearances (new since last cycle):
- Date detected:
- Source:
- Tripwire fired: [Yes / No]
- Notes / tool output: ← (holehe, h8mail, HaveIBeenPwned API)
- [email 2]
Username / handle monitoring
Clone per handle.
- [handle - e.g. principal_username]
- Platform:
- New activity / content (date + summary):
- Mentions by others:
- Geotagged posts: [Yes / No]
- Tripwire fired: [Yes / No]
- Notes / tool output: ← (social-search, twitonomy, whatsmyname, idcrawl)
- [handle 2]
Domain / infrastructure exposure
- [domain / subdomain]
- WHOIS / registrant change detected:
- Certificate transparency (crt.sh) - new issue:
- Notes / tool output: ← (whois, crt.sh, SecurityTrails)
- [domain 2]
Data-broker / public-record sweep (cycle log)
- [broker - e.g. Spokeo, Whitepages, BeenVerified, FastPeopleSearch]
- Last sweep date:
- Result - address present: [Yes / No]
- Suppression status:
- Notes:
- [broker 2]
09 · Indicators & Warnings
The running I&W log: each fired or near-fired tripwire from §1. Clone per indicator observation. → feeds §3 Reporting (routine product + tripwire alert), §4 Escalation.
Indicator / warning entry
Clone per observation per cycle.
- [I&W entry - e.g. new data-broker address listing detected 2026-06-19]
- Watch item triggered (§1 ref):
- Tripwire threshold crossed: [Yes / No / Near-miss]
- Date / time observed:
- Source / lane:
- L×I score at observation:
- Severity tier: [Critical / High / Elevated / Moderate / Low]
- Alert issued: [Yes / No - product ref]
- Disposition / resolution:
- Notes / tool output:
- [I&W entry 2]
Indicators cleared / resolved
- [indicator]
- Date cleared:
- Clearing basis:
Persistent / unresolved indicators
- [open indicator - route to §6 Review & Renewal or escalate]
99 · Collection Admin
Working register - audit trail behind each deliverable. → backs Annex A Source & Watch-List Register and Annex B Onboarding/Offboarding Checklist in the deliverable.
Source register
Every material datum traceable to a graded source. Admiralty scale reproduced below. Reliability A–F: A Completely reliable · B Usually reliable · C Fairly reliable · D Not usually reliable · E Unreliable · F Cannot be judged. Credibility 1–6: 1 Confirmed · 2 Probably true · 3 Possibly true · 4 Doubtful · 5 Improbable · 6 Cannot be judged.
- [S-1 - source name / lane description]
- Type: [Primary / Secondary / Tertiary]
- Lane (→ §2):
- Reliability (A–F):
- Credibility (1–6):
- Grade: [e.g. B2]
- Date last verified:
- Notes:
- [S-2]
Evidence archive
- [capture ref - screenshot / export / hash + URL + timestamp]:
Onboarding / offboarding status (Annex B)
- Authority / consent captured + scope signed off
- OSINT-043 baseline ingested and watch list seeded
- Collection lanes and tripwires stood up
- Data retention / destruction schedule confirmed
- Offboarding + data return / purge procedure documented
Open gaps / verification pending
- [item submitted, not yet returned - route to §6 Review & Renewal if persistent]
RFIs (requests for information)
- [RFI text - date raised - owner - due date]