[PRINCIPAL] - Collection Map

OSINT-053 Daily / Periodic Protective Intelligence Brief - collection workspace. Central topic = the protected principal (executive, family member, or operational team). Branches = watch criteria, threat categories, and collection lanes for the standing briefing service. Drop each newly-observed indicator as a child node; expand it with source, date, and tripwire fired. Paste raw tool output into the node’s Notes. → feeds deliverable OSINT-053. Requires seeded baseline: ingest OSINT-051-protective-intelligence-assessment or OSINT-042-pre-travel-threat-assessment / OSINT-031-country-risk-assessment before standing up watch lanes.

00 · Collection Plan - PIRs & EEIs

The standing protective intelligence requirements and essential elements of information (EEI) this service must satisfy each brief cycle. Tick when satisfied for the cycle; re-open each new cycle. → drives §1 Watch Criteria/Tripwires, §4 Escalation & Notification Triggers, Annex A Source Register, and the running gaps register at cycle close.

PIR-1 - Geopolitical & country stability: has the threat environment in the principal’s operating areas changed since last brief?

  • EEI: government stability / civil unrest developments in operating jurisdictions
  • EEI: travel advisories (State Dept, FCDO, DFAT, or equivalent) updated since last cycle
  • EEI: elections, protests, strikes, or mass-gathering events scheduled in AO
  • EEI: sanctions, border-closure, or transport-disruption events affecting movement
  • EEI: regional conflict escalation indicators relevant to principal’s itinerary

PIR-2 - Threat-actor activity: has any terrorism, extremism, or transnational-crime indicator emerged targeting the principal’s sector, location, or profile?

  • EEI: new threat-actor communiqués or target-designation language observed
  • EEI: attack planning indicators (surveillance, dry-run, pre-attack chatter) surfaced
  • EEI: sector-targeted or executive-targeted threats (kidnap-for-ransom, extortion, cyber)
  • EEI: persons of interest activity changes relevant to principal

PIR-3 - Executive/family-specific targeting: is the principal or family member named, referenced, or surveilled in open sources?

  • EEI: principal/family name(s) in threat-adjacent online communities or dark-web forums
  • EEI: new doxing or PII exposure affecting principal or family
  • EEI: social media surveillance or location-disclosure posts referencing principal
  • EEI: hostile narrative or harassment campaign indicators targeting principal

PIR-4 - Operational-area security: has the physical security picture at venues, residences, or travel corridors changed?

  • EEI: criminal incident uptick (robbery, carjacking, express kidnap) in AO
  • EEI: venue, route, or infrastructure security changes observed
  • EEI: protests, demonstrations, or crowd-gathering events at or near principal locations
  • EEI: law-enforcement or emergency-services availability changes in AO

PIR-5 - Travel-corridor status: are planned routes and transport nodes safe and operationally viable?

  • EEI: airport / port / border status for planned travel within brief window
  • EEI: route-specific security incidents or closures reported
  • EEI: accommodation or venue security flag raised since last cycle
  • EEI: weather, natural hazard, or health advisory affecting route

PIR-6 - Collection-lane health: are all monitoring lanes functioning within SLA and returning actionable signals?

  • EEI: each §2 lane returned data within its scheduled cadence
  • EEI: no unresolved source degradation, access failure, or feed outage
  • EEI: previous-cycle gaps/RFIs resolved or formally carried forward

Collection gaps / RFIs (running)

  • [open item from current cycle] → route to [product / analyst / external request]
  • [open item]

00b · Monitoring Cadence & Triggers

OSINT-053 is a retained continuous briefing service. This branch governs the watch schedule, per-lane refresh cadence, alert thresholds, and escalation path. → feeds §1 Watch Criteria/Tripwires, §2 Collection Cadence & Sources, §3 Reporting Cadence, §4 Escalation & Notification Triggers, §5 Service Levels (SLA).

Active watch items (per §1 of deliverable)

Seed one block per §1 watch-item row. Clone per item. Score Likelihood × Impact (1–25).

  • [watch item - e.g. civil unrest in principal’s operating city]
    • Observable indicator:
    • Tripwire threshold:
    • Likelihood (1–5):
    • Impact (1–5):
    • L×I score:
    • Severity tier: [Critical 21–25 / High 16–20 / Elevated 11–15 / Moderate-Low 1–10]
    • Escalation route (→ §4 tier):
    • Status this cycle: [Open / Fired / Clear]
    • Notes / tool output:
  • [watch item 2 - e.g. named threat-actor targeting principal’s sector]
    • Observable indicator:
    • Tripwire threshold:
    • Likelihood (1–5):
    • Impact (1–5):
    • L×I score:
    • Severity tier: [Critical 21–25 / High 16–20 / Elevated 11–15 / Moderate-Low 1–10]
    • Escalation route (→ §4 tier):
    • Status this cycle: [Open / Fired / Clear]
    • Notes / tool output:

Collection-lane refresh cadence

Map each §2 source lane to its scheduled check frequency and last-run timestamp.

  • [lane - e.g. travel advisory monitors (State Dept / FCDO)]
    • Cadence: [continuous / hourly / daily / weekly]
    • Last run:
    • Next scheduled:
    • Source grade (Admiralty):
    • Status: [Healthy / Degraded / Offline]
  • [lane 2 - e.g. open-source media / news aggregation]
    • Cadence:
    • Last run:
    • Next scheduled:
    • Source grade (Admiralty):
    • Status: [Healthy / Degraded / Offline]

Alert thresholds & escalation path

  • Critical (L×I 21–25): notify within - method:
  • High (L×I 16–20): notify within - method:
  • Elevated (L×I 11–15): notify within - method:
  • Moderate / Low (L×I 1–10): include in next routine brief - method:
  • False-positive protocol:

Routine reporting schedule (per §3)

  • Daily protective brief: cadence - scheduled delivery time - recipient
  • On-tripwire alert: on-event, per §4 - last fired
  • Periodic service-health / SLA report: cadence - next due

Cycle review log

  • [cycle - e.g. 2026-06-19]
    • Tripwires fired:
    • Gaps carried forward:
    • Watch-list changes:
    • Brief delivery on-time: [Y/N]
    • Notes:

01 · Principal / Protectee Detail

Establishes the protected subject(s), household, and operational context that seeds all downstream watch criteria. Any change (new travel window, new family member at risk, profile change) updates the watch scope and must be reflected in §1. → feeds §1 Watch Criteria/Tripwires (scope), §3 Reporting Cadence (recipients), Annex B Onboarding.

Principal identity & profile

  • Full name(s):
  • Role / title:
  • Employer / organization:
  • Public profile level: [High / Medium / Low]
  • Risk tier assigned at baseline:
  • Seeding baseline product reference:

Protected household / family members in scope

  • [name]
    • Relationship to principal:
    • In-scope for this service: [Y/N - specify scope]
    • Specific watch criteria:
  • [name 2]

Operating locations (steady-state)

  • Primary residence:
  • Primary work location / HQ:
  • Other regular locations:

Planned travel windows (current brief period)

  • [trip - e.g. London → Dubai, 2026-06-22 to 2026-06-25]
  • Authority / consent basis:
  • Authorized scope jurisdictions:
  • Data-handling classification:
  • Annex B onboarding status:

02 · Venue & Geography

Physical site intelligence for residences, offices, venues, and any location the principal will occupy during the brief window. New venue or unvetted location is an immediate collection trigger. → feeds §1 Watch Criteria/Tripwires (venue security), §4 Escalation, PIR-4.

Primary residence

  • [address]
    • Ingress / egress points:
    • Perimeter changes observed:
    • Neighbouring event / disruption:
    • Confidence: [H/M/L]

Primary work / office venue

  • [address]
    • Security posture:
    • Access control changes:
    • Crowd / protest proximity:
    • Notes:

Travel venues (hotels, conference sites, meeting locations)

Clone per venue. Each new venue triggers a venue-vetting check.

  • [venue - e.g. hotel name + city]
    • Address:
    • Security rating (baseline or assessed):
    • Incidents at or near venue in last 30 days:
    • Ingress / egress:
    • Medical / emergency services proximity:
    • Source / date checked:
    • Notes / tool output:
  • [venue 2]

Operational area (city / district) status

  • [AO - e.g. city]
    • Criminal incident trend (this cycle vs. baseline):
    • Protest / gathering events scheduled:
    • LE / emergency posture:
    • Source:

03 · Routes & Movement

Route intelligence for each travel leg or commute corridor. A new route or deviation from approved corridor fires a collection task. Clone per leg. → feeds §1 Watch Criteria/Tripwires (route status), §2 Collection Cadence (travel-advisory lane), PIR-5.

Route legs

  • [leg - e.g. residence → airport, Route A]
    • Origin:
    • Destination:
    • Mode / carrier:
    • Scheduled timing:
    • Alternate route identified: [Y/N]
    • Incident reports on this corridor (this cycle):
    • Checkpoint / border / security inspection:
    • Tripwire threshold for this leg:
    • Notes / tool output:
  • [leg 2]

Airport / port / transit hub status

  • [hub - e.g. LHR / DXB]
    • Security posture:
    • Disruption / protest risk:
    • Health advisory:
    • Source / date:
    • Status: [Clear / Advisory / Disrupted]

Travel-advisory status

Check each jurisdiction’s official travel advisory each cycle.

  • [country / region]
    • Advisory level: [e.g., Level 1–4 / FCDO Standard / Essential Only / Advise Against All Travel]
    • Issuing authority:
    • Last updated:
    • Change since last cycle: [Y/N - specify]
    • Notes / tool output: ← travel.state.gov, gov.uk/foreign-travel-advice, smartraveller.gov.au

04 · Threat Actors & Persons of Interest

Named or profiled actors - individuals, groups, or criminal networks - whose activity could affect the principal. A new actor surfaced or a known actor changing posture fires an Elevated+ alert. Clone per actor. → feeds §1 Watch Criteria/Tripwires (threat-actor lane), §4 Escalation, PIR-2.

Named threat actors / groups

  • [actor - individual or group name / designator]
    • Type: [individual / network / group / state-proxied]
    • Threat category: [terrorism / extremism / criminal / targeted harassment / espionage / other]
    • Current posture / activity this cycle:
    • Geographic nexus to principal:
    • Known capabilities:
    • Link to principal (direct / sector / ideology):
    • Tripwire: [specific observable that fires alert]
    • Status this cycle: [Active / Dormant / Escalating / Degraded]
    • Reliability (A–F) / Credibility (1–6):
    • Notes / tool output:
  • [actor 2]

Persons of interest (individual-level)

Clone per POI. Each new POI added requires authorization review.

  • [name or designator - e.g. POI-01]
    • Known relationship to principal:
    • Physical description / identifiers:
    • Last known location:
    • Online presence / handles:
    • Adverse indicators:
    • Restraining order / legal action in place: [Y/N]
    • Surveillance or approach incidents:
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Notes / tool output: ← public records, social search, image reverse-lookup
  • [POI-02]

Protest / activist groups (operational area)

  • [group]
    • Relevance to principal:
    • Scheduled actions this cycle:
    • Risk level: [Low / Moderate / Elevated]

05 · Threat Landscape

Incident intelligence, historical pattern, and open-source chatter relevant to the principal’s sector, profile, geography, and brief window. Not actor-specific - landscape context. → feeds §1 Watch Criteria/Tripwires (threat-landscape lane), PIR-1, PIR-2, PIR-4.

Geopolitical stability indicators (operating jurisdictions)

  • [country / region]
    • Stability score / rating source:
    • Recent significant event:
    • Trend: [Stable / Deteriorating / Improving]
    • Implication for principal:

Terrorism & extremism incident feed

Incidents in operating area or principal’s sector within brief window.

  • [incident - date + location + type]
    • Perpetrator / group:
    • Method:
    • Proximity to principal’s AO:
    • Source grade:
    • Implications:

Criminal threat feed (kidnap, extortion, robbery, carjacking)

  • [incident or trend]
    • Location:
    • Modus operandi:
    • Victim profile similarity:
    • Source:

Online threat chatter / dark-web signals

Keyword / entity monitoring for principal name, employer, sector, or affiliates.

  • [keyword / entity monitored]
    • Platform / forum:
    • Observation:
    • Date:
    • Tripwire fired: [Y/N - tier]
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Notes / tool output: ← Telegram monitoring, open forums, news aggregators

Historical incident pattern (AO baseline)

  • [AO]
    • Incident type:
    • Frequency baseline:
    • Current-cycle deviation from baseline:

06 · Vulnerabilities & Attack Surface

Open-source-visible vulnerabilities: PII exposure, digital footprint, public schedules, predictable patterns that could enable targeting. Each exposure is a potential collection finding. → feeds §1 Watch Criteria/Tripwires (exposure tripwire), PIR-3, §4 Escalation.

Principal’s digital / social media exposure

Monitor for location-revealing posts, schedule disclosure, or PII leaks.

  • [platform - e.g. LinkedIn / X / Instagram]
    • Handle / URL:
    • Last post / activity:
    • Location-revealing content this cycle: [Y/N - describe]
    • Schedule / itinerary disclosure: [Y/N]
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Notes:

Public schedule / event listings

  • [event - e.g. conference speaking slot, public appearance]
    • Date / time:
    • Publicly disclosed: [Y/N - source]
    • Venue public knowledge: [Y/N]
    • Risk implication:

PII / dox exposure

  • [indicator - name / address / phone / vehicle]
    • Source:
    • Date observed:
    • Severity: [Low / Moderate / High]
    • Tripwire fired: [Y/N - tier]
    • Notes / tool output: ← data-broker checks, Google Search, paste search

Predictable pattern vulnerabilities

  • [pattern - e.g. same coffee shop, fixed commute time]
    • Source observed:
    • Mitigation in place: [Y/N]

07 · Local Environment

Security, medical, and infrastructure intelligence in the principal’s operating areas - the immediate support environment that determines protective response options. → feeds §1 Watch Criteria/Tripwires (local-environment lane), PIR-4, §2 Collection Cadence.

Law enforcement & security posture

  • [jurisdiction / city]
    • LE capability assessment:
    • Response-time estimate:
    • Any known protests or LE actions affecting coverage:
    • Source / date:

Medical facilities (nearest to principal’s AO / venue)

  • [facility - name + address]
    • Trauma / emergency capability: [Y/N]
    • Distance / travel time from principal’s location:
    • Contact / pre-notification status:

Infrastructure status

  • Power / comms reliability in AO:
  • Transport network disruptions:
  • Health / epidemic advisory active: [Y/N - detail]
  • Natural hazard / weather advisory:

Friendly support resources

  • [asset - e.g. local security liaison, trusted fixer, embassy]
    • Type:
    • Contact:
    • Availability this brief window:

08 · Digital & Social Signals

Open-source digital monitoring: social media, online chatter, and web-published signals that reveal targeting interest, doxing, online harassment, or information operations against the principal. Clone per platform / channel monitored. → feeds PIR-3, §1 Watch Criteria, §2 Collection Cadence.

Social media keyword / entity monitoring

Run per cycle; flag any principal-name or employer-name hit in threat-adjacent contexts.

  • [keyword / entity - e.g. principal name, employer, home city]
    • Platforms monitored:
    • Hits this cycle: [number]
    • Sentiment: [Neutral / Negative / Threatening]
    • Notable posts:
    • Date of latest hit:
    • Tripwire fired: [Y/N - tier]
    • Notes / tool output:

Online forum / Telegram / extremist-platform monitoring

  • [platform / channel]
    • Keywords tracked:
    • Observation this cycle:
    • Date:
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Notes:

Adverse media / reputation signals

Monitor for new adverse coverage that could signal targeting interest or escalate threat.

  • [outlet + headline + date]
    • Substance / significance:
    • Targeting implication:
    • Reliability (A–F) / Credibility (1–6):
    • New this cycle: [Y/N]
    • Notes / tool output: ← Google Alerts, media search, press-aggregators

Breach / PII exposure monitoring

  • [email / username / phone of principal or household]
    • Status: [No new exposure / New breach detected]
    • Source / date:
    • Data exposed:
    • Notes / tool output: ← haveibeenpwned, h8mail, intelx

09 · Indicators & Warnings

The structured I&W layer: specific observables that, when detected, indicate a threat moving from latent to active. Each indicator maps to a §1 watch item and a §4 escalation tier. Clone per indicator. → feeds §1 Watch Criteria/Tripwires (indicator row), §4 Escalation & Notification Triggers, PIR-2.

Pre-attack / pre-incident indicators

  • [indicator - e.g. surveillance detection near residence]
    • Category: [surveillance / pre-position / reconnaissance / probing / communications]
    • Observable:
    • Tripwire threshold: [e.g., two independent observations within 72 hours]
    • Detection method / source:
    • Date first observed:
    • Date last confirmed:
    • Frequency this cycle:
    • L×I score:
    • Severity tier: [Critical 21–25 / High 16–20 / Elevated 11–15 / Moderate-Low 1–10]
    • Escalation action triggered:
    • Status: [Open / Fired / Cleared]
    • Reliability (A–F) / Credibility (1–6):
    • Notes / tool output:
  • [indicator 2]

Escalation indicators (trend-based)

  • [trend - e.g. increase in AO criminal incidents week-on-week]
    • Baseline frequency:
    • Current-cycle frequency:
    • Threshold to fire:
    • Status: [Below threshold / At threshold / Exceeded]
    • Escalation route:

De-escalation / all-clear indicators

  • [condition that clears an open indicator]:
    • Authority to stand down:
    • Date cleared:

Indicator status board (cycle summary)

  • Total indicators monitored this cycle:
  • Fired:
  • Cleared:
  • Carried forward:

99 · Collection Admin

Working register - not a deliverable section, but the audit trail behind the service. → feeds Annex A Source & Watch-List Register, Annex B Onboarding/Offboarding Checklist, §5 SLA.

Source register

Every material datum traceable to a graded source. Grade per NATO Admiralty (A–F × 1–6).

  • [S-1 - source / lane - e.g. US State Dept Travel Advisory]
    • Type: [Primary / Secondary / Tertiary]
    • Reliability (A–F) / Credibility (1–6):
    • Cadence / last accessed:
    • Lane health: [Healthy / Degraded / Offline]
    • Notes:
  • [S-2 - source / lane]
    • Type:
    • Reliability (A–F) / Credibility (1–6):
    • Cadence / last accessed:
    • Lane health:

Evidence archive

  • [screenshot / capture ref + hash + URL + timestamp]:

SLA compliance log (per §5)

  • [metric - e.g. daily brief delivery time]
    • Target:
    • Achieved this cycle:
    • Miss / credit triggered: [Y/N]
  • [metric - e.g. critical-tier alert delivery time]
    • Target:
    • Achieved this cycle:
    • Miss / credit triggered: [Y/N]

Onboarding / offboarding checklist status (Annex B)

  • Authority / consent captured and on file
  • Seeding baseline (protective assessment or country risk) ingested and watch list seeded
  • Collection lanes stood up and verified
  • Tripwires configured and tested against §1 watch-item table
  • Briefing recipients and delivery channels confirmed
  • Data retention / destruction schedule documented
  • Offboarding terms documented and acknowledged

Watch-list change log (per §6 change-control)

  • [date] - [watch item added / retired / threshold adjusted] - authorized by:

Open gaps / verification pending (carry-forward)

  • [item outstanding - source, date opened, routing]
  • [item]