[RESIDENTIAL ASSET] - Collection Map

OSINT-045 Continuous Residential Threat Monitoring - collection workspace. Central topic = the monitored residential asset (primary residence, secondary property, or estate). Branches = watch-item categories and operational data-point lanes. Drop each collected value as a child node; expand with where it was found and when. Paste raw tool output into node Notes. → feeds deliverable OSINT-045. NOTE: Seeded by OSINT-043 baseline assessment; this workspace tracks ongoing watch, not the one-off baseline.

00 · Collection Plan - PIRs & EEIs

The questions this standing watch must answer + the essential elements of information (EEI) for each. Tick as satisfied on each collection cycle. → drives §1 Scope & Watch Criteria/Tripwires, §4 Escalation & Notification Triggers, §5 Service Levels.

PIR-1 - Threat Actor Activity: are any known or emergent threat actors targeting or surveilling the residential asset?

  • EEI: threat actor names / handles from baseline watch list (OSINT-043) re-observed in new contexts
  • EEI: new actors or groups referencing the property, address, or principal
  • EEI: physical surveillance indicators (vehicles, foot traffic anomalies) reported via open sources
  • EEI: online chatter or dark-web discussion referencing the address or principal’s residence

PIR-2 - Address / PII Exposure: has the residential address or principal’s PII surfaced on new data-broker or public-record sources?

  • EEI: address appears on newly indexed data-broker listings
  • EEI: address appears in breach/paste dumps
  • EEI: satellite or street-view imagery updated and now reveals security features
  • EEI: property records / title filings expose the principal’s name + address

PIR-3 - Online Threat Signals: is there adverse content, threat language, or targeting chatter directed at the principal tied to the residential location?

  • EEI: social media posts referencing principal’s home neighbourhood, address, or routines
  • EEI: forum / dark-web posts expressing intent or sharing location intelligence
  • EEI: adverse-media articles that disclose the address or identify the residence
  • EEI: photo / video content geotagged to the property or immediate vicinity

PIR-4 - Physical-Environment Change: has the local threat or vulnerability environment around the property changed materially?

  • EEI: crime incidents within defined radius (public police logs / blotter / Nixle)
  • EEI: protest / civil unrest events in the locality
  • EEI: construction / infrastructure changes affecting ingress/egress routes
  • EEI: new commercial tenants / vacant properties adjacent that alter the exposure profile

PIR-5 - Service Health: are all collection lanes operating within SLA?

  • EEI: each §2 collection lane checked and producing signal within cadence window
  • EEI: source-grade degradation noted for any standing source
  • EEI: any collection gap or access interruption logged and escalated

Collection gaps / RFIs (running)

  • [open item] → route to §6 Review & Renewal / watch-list change-control
  • [open item]

00b · Monitoring Cadence & Triggers

Continuous/retained service - cadence and tripwire registry. → drives §2 Collection Cadence & Sources, §3 Reporting Cadence & Product Format, §4 Escalation & Notification Triggers.

Watch-item registry (active)

One sub-block per §1 watch item. Clone per item. Risk score = Likelihood (1–5) × Impact (1–5).

  • [Watch item - e.g. new address data-broker listing]
    • Observable indicator:
    • Tripwire threshold:
    • Likelihood (1–5):
    • Impact (1–5):
    • L×I score:
    • Severity tier: [Critical / High / Elevated / Moderate / Low]
    • Assigned escalation route (→ §4):
    • Notes / tool output:
  • [Watch item 2]

Refresh cadence by lane

  • Continuous (real-time / near-real-time):
  • Hourly:
  • Daily:
  • Weekly:
  • Monthly / ad hoc:

Alert thresholds (L×I bands)

  • Critical (21–25): immediate escalation, page primary contact
  • High (16–20): alert within defined SLA window
  • Elevated (11–15): include in next scheduled product cycle
  • Moderate / Low (1–10): log in routine periodic summary

Escalation path

  • Tier 1 - Critical:
  • Tier 2 - High:
  • Tier 3 - Elevated:
  • Tier 4 - Routine:

Alert-delivery SLA targets

  • Critical alert delivery time:
  • High alert delivery time:
  • Routine product delivery schedule:

01 · Principal / Protectee & Residential Asset Detail

Anchor nodes for the monitored asset and the principal(s) whose safety it serves. → feeds §1 Scope & Watch Criteria/Tripwires (watch-item rows) and Document Control.

Residential asset

  • Property address (full / redacted):
  • Property type: [primary residence / secondary / estate / other]
  • Ownership / title entity:
  • Occupancy status: [full-time / part-time / seasonal]
  • Staff / household members on site:
  • Seeding baseline reference (OSINT-043):

Principal(s) / protectee(s)

  • [Principal name / code name]
    • Role: [e.g. client / family member / VIP]
    • Primary residence confirmed:
    • Digital selectors on watch (→ §08):
    • Known travel pattern affecting occupancy:
    • Notes:
  • [Principal 2]

Service metadata

  • Engagement authority / consent reference:
  • Term / period of performance:
  • Service owner / operator:

02 · Venue & Geography - Property & Perimeter

Physical and geospatial data for the monitored property. → feeds §1 Watch Criteria (perimeter/ingress watch items), §4 Escalation.

Property footprint

  • Plot / parcel reference:
  • Lot boundaries / fencing / walls:
  • Neighbouring properties (immediate):
  • Street address visible from public way: [Yes / No / Partially]

Ingress & egress points

  • [entry/exit - e.g. main gate, service entrance, side pedestrian gate]
    • Type:
    • Public visibility:
    • OSINT-observable security feature (if any):
    • Notes:
  • [entry/exit 2]

Satellite / aerial imagery baseline

  • [image capture ref]
    • Source / date:
    • Coverage / resolution:
    • Changes noted vs. prior capture:
    • Notes / tool output: ← (Google Maps, Bing, Sentinel Hub, Maxar public layer)

Geospatial exposure

  • Street-view indexed: [Yes / No / Partial]
  • Geotagged social content at property: [Yes / No - count]
  • Adjacent public surveillance / CCTV visible:

03 · Routes & Movement

Principal movement patterns and routes observable via open sources. → feeds §1 Watch Criteria (route / pattern-of-life watch items), §4 Escalation.

Habitual commute / movement legs

Clone per leg. OSINT only - no physical surveillance.

  • [leg - e.g. residence → workplace]
    • Route (public-source basis):
    • Frequency:
    • Observable timing:
    • Public-transit / vehicle dependency:
    • Exposure windows noted:
    • Notes / tool output:
  • [leg 2]

Ingress / egress chokepoints

  • [chokepoint location]
    • Type:
    • Dwell time observable:
    • Threat relevance:

Travel / occupancy calendar (OSINT-observable)

  • [observed absence / travel indicator]
    • Source:
    • Date range:
    • Occupancy impact:

Anomalies / deviations from baseline

  • [deviation from known pattern]:

04 · Threat Actors & Persons of Interest

Individuals or groups posing or potentially posing a threat to the residential asset or principal. Clone per actor. → feeds §1 Watch Criteria (threat-actor rows), §4 Escalation.

Threat actor / person of interest (POI)

Clone the block per actor. Source every attribution.

  • [Actor name / handle / description]
    • Actor type: [stalker / ex-partner / protest organiser / criminal / unknown]
    • Threat basis (source + date):
    • Known selectors (handles / emails / phones):
    • Last observed activity (date + source):
    • Geographic proximity to asset:
    • Severity tier assigned (→ §4):
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Notes / tool output: ← (social media search, court records, people-search - Spokeo/BeenVerified/public records)
  • [Actor 2]

Watch-list additions / removals (log)

  • [actor added / retired]
    • Date:
    • Reason:
    • Authorised by:

05 · Threat Landscape - Incidents, History & Online Chatter

Observed threat signals and historical incident data for the residential area and principal. → feeds §1 Watch Criteria (chatter / incident watch items), §3 Reporting, §4 Escalation.

Local incident log (area crime / civil unrest)

Clone per incident. Radius to be defined in §1.

  • [incident - e.g. vehicle break-in, protest event, harassment report]
    • Date / time:
    • Location relative to property:
    • Source (public police log / Nixle / news):
    • Relevance to asset:
    • Escalated: [Yes / No]
    • Notes / tool output: ← (local PD blotter, Nixle/Citizen/Nextdoor public feeds, local news)
  • [incident 2]

Online chatter & social media signals

  • [signal - e.g. post referencing address or principal]
    • Platform:
    • Handle / account:
    • Date observed:
    • Content summary:
    • Tripwire fired: [Yes / No - which]
    • Notes / tool output: ← (Twitter/X advanced search, Google dork, Reddit search, Telegram public channels)
  • [signal 2]

Dark-web & forum mentions

  • [mention]
    • Source (forum / market / paste site):
    • Date observed:
    • Content summary:
    • Severity assessment:
    • Notes / tool output: ← (Ahmia, dark-web monitors, DarkOwl-tier sources if subscribed)
  • [mention 2]

Historical threat events (from OSINT-043 baseline)

  • [prior incident]
    • Date:
    • Type:
    • Resolution / outcome:

06 · Vulnerabilities & Attack Surface

Open-source visible vulnerabilities of the property and the principal’s OSINT exposure that feed watch items. → feeds §1 Watch Criteria (exposure/vulnerability rows), §6 Review & Renewal.

Address / PII exposure

  • [exposure vector - e.g. data-broker listing]
    • Source:
    • Date first observed:
    • Date last confirmed:
    • Suppression action taken: [Yes / No / Pending]
    • Notes / tool output: ← (Spokeo, Whitepages, BeenVerified, FastPeopleSearch, PeopleFinder, Intelius)
  • [exposure vector 2]

Property record / title exposure

  • [record type - e.g. county assessor, deeds]
    • Jurisdiction:
    • Principal name exposed: [Yes / No]
    • Ownership structure visible:
    • Notes / tool output:

Imagery exposure

  • [platform - e.g. Google Street View, Zillow listing, news photo]
    • Date indexed / published:
    • Features revealed:
    • Update frequency / last update:

Social media property references

  • [post / account]
    • Platform:
    • Handle:
    • Content:
    • Geotagged: [Yes / No]
    • Date:

07 · Local Environment - Security, Medical & Infrastructure

Local support environment relevant to the asset’s protection posture. → feeds §1 Watch Criteria (environment-change rows), §4 Escalation (notify targets).

Law enforcement / emergency services

  • Nearest police precinct / station:
  • Estimated response time:
  • Non-emergency contact:
  • Recent LE advisories / alerts in area:

Medical facilities

  • Nearest hospital / trauma centre:
  • Nearest urgent care:
  • Distance / estimated travel time:

Infrastructure / utility

  • Known outage / construction affecting access routes:
  • Critical utility dependencies (power / water):

Community / neighbourhood environment

  • Neighbourhood watch / community alert programmes:
  • Changes in adjacent occupancy (vacant properties / new businesses):
  • Local protest / event schedule (public calendar):

08 · Digital & Social Signals

Ongoing monitoring of the principal’s and the asset’s digital footprint for exposure signals. → feeds PIR-2 (PII exposure), PIR-3 (online threat signals), §1 Watch Criteria, §3 Reporting.

Email / credential monitoring

Clone per email selector.

  • [email - e.g. principal@domain.com]
    • Breach / paste appearances (new since last cycle):
    • Date detected:
    • Source:
    • Tripwire fired: [Yes / No]
    • Notes / tool output: ← (holehe, h8mail, HaveIBeenPwned API)
  • [email 2]

Username / handle monitoring

Clone per handle.

  • [handle - e.g. principal_username]
    • Platform:
    • New activity / content (date + summary):
    • Mentions by others:
    • Geotagged posts: [Yes / No]
    • Tripwire fired: [Yes / No]
    • Notes / tool output: ← (social-search, twitonomy, whatsmyname, idcrawl)
  • [handle 2]

Domain / infrastructure exposure

  • [domain / subdomain]
    • WHOIS / registrant change detected:
    • Certificate transparency (crt.sh) - new issue:
    • Notes / tool output: ← (whois, crt.sh, SecurityTrails)
  • [domain 2]

Data-broker / public-record sweep (cycle log)

  • [broker - e.g. Spokeo, Whitepages, BeenVerified, FastPeopleSearch]
    • Last sweep date:
    • Result - address present: [Yes / No]
    • Suppression status:
    • Notes:
  • [broker 2]

09 · Indicators & Warnings

The running I&W log: each fired or near-fired tripwire from §1. Clone per indicator observation. → feeds §3 Reporting (routine product + tripwire alert), §4 Escalation.

Indicator / warning entry

Clone per observation per cycle.

  • [I&W entry - e.g. new data-broker address listing detected 2026-06-19]
    • Watch item triggered (§1 ref):
    • Tripwire threshold crossed: [Yes / No / Near-miss]
    • Date / time observed:
    • Source / lane:
    • L×I score at observation:
    • Severity tier: [Critical / High / Elevated / Moderate / Low]
    • Alert issued: [Yes / No - product ref]
    • Disposition / resolution:
    • Notes / tool output:
  • [I&W entry 2]

Indicators cleared / resolved

  • [indicator]
    • Date cleared:
    • Clearing basis:

Persistent / unresolved indicators

  • [open indicator - route to §6 Review & Renewal or escalate]

99 · Collection Admin

Working register - audit trail behind each deliverable. → backs Annex A Source & Watch-List Register and Annex B Onboarding/Offboarding Checklist in the deliverable.

Source register

Every material datum traceable to a graded source. Admiralty scale reproduced below. Reliability A–F: A Completely reliable · B Usually reliable · C Fairly reliable · D Not usually reliable · E Unreliable · F Cannot be judged. Credibility 1–6: 1 Confirmed · 2 Probably true · 3 Possibly true · 4 Doubtful · 5 Improbable · 6 Cannot be judged.

  • [S-1 - source name / lane description]
    • Type: [Primary / Secondary / Tertiary]
    • Lane (→ §2):
    • Reliability (A–F):
    • Credibility (1–6):
    • Grade: [e.g. B2]
    • Date last verified:
    • Notes:
  • [S-2]

Evidence archive

  • [capture ref - screenshot / export / hash + URL + timestamp]:

Onboarding / offboarding status (Annex B)

  • Authority / consent captured + scope signed off
  • OSINT-043 baseline ingested and watch list seeded
  • Collection lanes and tripwires stood up
  • Data retention / destruction schedule confirmed
  • Offboarding + data return / purge procedure documented

Open gaps / verification pending

  • [item submitted, not yet returned - route to §6 Review & Renewal if persistent]

RFIs (requests for information)

  • [RFI text - date raised - owner - due date]