[PRINCIPAL] - Collection Map
OSINT-057 Executive Digital Protection Program - collection workspace. Central topic = the protected executive (principal). Branches = digital-surface watch categories covering identity, selectors, credential/breach exposure, dark-web presence, PII footprint, infrastructure, and attack surface under continuous monitoring. Drop each collected or newly-observed value as a child node; expand with source, date, and which tripwire (§1) it triggered. Paste raw tool output into the node’s Notes. Seeding baseline: OSINT-055-digital-footprint-and-exposure-assessment must be ingested first. → feeds deliverable OSINT-057.
00 · Collection Plan - PIRs & EEIs
Standing intelligence requirements and essential elements of information (EEI) that this monitoring service must keep current. Tick when satisfied for the reporting cycle; re-open each new cycle. → drives §1 Watch Criteria/Tripwires, §4 Escalation & Notification Triggers, Annex A.
PIR-1 - Identity anchor: is the principal’s core identity surface stable and uncompromised?
- EEI: legal name, primary email(s), and phone(s) confirmed current and unaltered
- EEI: no new alias, pseudonym, or impostor account detected
- EEI: no credential material (password/token) tied to principal’s anchor identity found in new breaches
- EEI: no unauthorized account creation or takeover signal observed
PIR-2 - Selector set: have any new selectors surfaced or existing ones been compromised?
- EEI: full active email set enumerated and breach-checked this cycle
- EEI: full active username/handle set verified across agreed platform scope
- EEI: phone numbers checked for porting/hijack signals
- EEI: new selectors (email, username, phone) discovered and attributed this cycle
PIR-3 - Credential & breach exposure: has new material appeared in breaches, pastes, or leaks?
- EEI: new breach/combo/stealer-log appearance confirmed or ruled out this cycle
- EEI: severity of exposed data assessed (cleartext password vs. hash vs. PII)
- EEI: credential material actionably tied to live accounts identified
- EEI: paste/infostealer appearance compared to prior cycle baseline
PIR-4 - Dark-web presence: is the principal mentioned, traded, or targeted on dark-web/restricted forums?
- EEI: principal’s PII (name, email, org) appearing in dark-web markets or leak sites
- EEI: targeting language, doxxing posts, or threat actor interest detected
- EEI: corporate credentials or internal data attributed to principal’s org advertised
- EEI: ransomware/extortion forum mention or negotiation thread observed
PIR-5 - PII & data-broker exposure: has the principal’s public data footprint expanded materially?
- EEI: new data-broker profile or public record aggregation detected and catalogued
- EEI: home address, family members, or routine locations newly published
- EEI: social media content inadvertently disclosing sensitive location or schedule
- EEI: change in overall PII exposure risk score vs. prior cycle
PIR-6 - Infrastructure & attack surface: has a new cyber asset or vulnerability been exposed?
- EEI: new domain registrations associated with principal or spoofing principal’s identity
- EEI: certificate transparency logs showing new TLS assets attributed to principal
- EEI: personal device, cloud account, or home-network exposure signals observed
- EEI: phishing or typosquat domain mimicking principal’s identity detected
PIR-7 - Threat actor targeting: is any known actor actively pursuing the principal?
- EEI: spear-phishing campaigns referencing principal detected in threat feeds
- EEI: social-engineering approach or impersonation attempt reported or observed
- EEI: targeting attributable to a known actor or campaign cluster identified
- EEI: any operational indicator linking collection activity to the principal
PIR-8 - Are all collection lanes healthy and within SLA?
- EEI: each §2 lane returned results within its scheduled cadence
- EEI: no source degradation or access failure outstanding
- EEI: prior-cycle gaps/RFIs resolved or formally carried forward
Collection gaps / RFIs (running)
- [open item from current cycle] → route to [analyst / external request / product]
- [open item]
00b · Monitoring Cadence & Triggers
OSINT-057 is a retained continuous service. This branch governs the watch schedule, per-lane refresh cadence, alert thresholds, and escalation path for the executive digital protection program. → feeds §1 Watch Criteria/Tripwires, §2 Collection Cadence & Sources, §3 Reporting Cadence & Product Format, §4 Escalation & Notification Triggers, §5 SLA.
Active watch items (per §1 of deliverable)
Seed one block per §1 watch-item row. Clone per item.
- [watch item - e.g. credential exposure in new breach]
- Observable indicator:
- Tripwire threshold:
- Likelihood (1–5):
- Impact (1–5):
- L×I score:
- Severity tier: [Critical 21–25 / High 16–20 / Elevated 11–15 / Moderate-Low 1–10]
- Escalation route (→ §4 tier):
- Status this cycle: [Open / Fired / Clear]
- Notes / tool output:
- [watch item 2]
Collection-lane refresh cadence
Map each §2 source lane to its scheduled check frequency and last-run timestamp.
- [lane - e.g. breach/paste monitoring]
- Cadence: [continuous / hourly / daily / weekly]
- Last run:
- Next scheduled:
- Source grade (Admiralty):
- Status: [Healthy / Degraded / Offline]
- [lane 2]
Alert thresholds & escalation path
- Critical (L×I 21–25): notify within - method:
- High (L×I 16–20): notify within - method:
- Elevated (L×I 11–15): notify within - method:
- Moderate / Low (L×I 1–10): include in next routine product - method:
- False-positive protocol:
Routine reporting schedule
- Routine periodic summary: cadence - next due - recipient
- Tripwire alert: on-event, per §4 - last fired
- Service-health / SLA report: cadence - next due
Cycle review log
One block per completed reporting cycle.
- [cycle - e.g. 2026-W25]
- Tripwires fired:
- Gaps carried forward:
- Watch-list changes:
- Notes:
01 · Identity Anchor
The principal’s resolved core identity - established by the OSINT-055 seeding baseline. Monitor for unauthorized changes, new aliases, or impostor accounts that indicate targeting. → feeds §1 Watch Criteria (identity-change tripwire), Annex A Source Register.
Principal identity (baseline)
- Full legal name:
- Title / executive role:
- Employing / sponsoring organization:
- DOB / YOB (if in scope):
- Nationality / citizenship(s):
- Primary confirmed identifiers:
Known aliases & pseudonyms
- [alias / pseudonym]
- Context (professional / personal / legacy):
- Platforms using it:
- Attribution confidence: [Confirmed / Probable / Possible]
- Baseline or new this cycle: [Baseline / New]
- Notes:
Impostor / impersonation accounts detected
Each detected account is a PIR-1 tripwire event.
- [platform + handle / URL]
- Date first detected:
- Nature (clone / fake / parody):
- Reported / actioned: [Y/N]
- Escalation tier triggered:
- Notes / evidence ref:
02 · Selectors & Accounts
The pivot core. Each selector or account is its own clonable block. New selectors are themselves tripwire events. Re-verify the full set each cycle and compare to baseline. → feeds §1 Watch Criteria (selector-change tripwire), §2 Collection Cadence & Sources, PIR-2.
Email addresses
→ alert on new address; run breach/paste check every cycle. Tool hints: holehe, h8mail, hunter.io, haveibeenpwned.
- [email - e.g. exec@company.com]
- Status: [Active / Inactive / New this cycle]
- Linked accounts (account discovery):
- New breach / paste appearance this cycle:
- Where found (source + URL):
- Attribution confidence: [Confirmed / Probable / Possible]
- Last verified:
- Notes / tool output: ← holehe, h8mail, hunter.io
- [email 2]
Usernames / handles
→ alert on new handle or account deletion; re-run each cycle. Tool hints: idcrawl, sherlock, whatsmyname.
- [handle - e.g. exec_name]
- Platforms / where found (URL):
- Status: [Active / Dormant / New this cycle / Deleted this cycle]
- Linked email(s):
- Linked phone(s):
- Other accounts reusing handle:
- Attribution confidence: [Confirmed / Probable / Possible]
- Last verified:
- Notes / tool output: ← idcrawl, sherlock, whatsmyname
- [handle 2]
Phone numbers
→ alert on porting / hijack signal; re-check carrier and app linkage each cycle.
- [number - e.g. +1 555-0100]
- Type / carrier: [mobile / landline / VoIP]
- Status: [Active / Inactive / Ported this cycle]
- Linked accounts / apps:
- Porting / SIM-swap signal: [None / Suspected / Confirmed]
- Where found (source + URL):
- Attribution confidence: [Confirmed / Probable / Possible]
- Last verified:
- Notes / tool output: ← carrier lookup, truecaller
- [number 2]
Social media accounts (in-scope platforms)
Clone per platform. Re-check account status, activity, and content each cycle.
- [platform - LinkedIn / X / Facebook / Instagram / Threads / other]
- Handle / URL:
- Status: [Active / Dormant / New this cycle / Deleted this cycle]
- Attribution confidence: [Confirmed / Probable / Possible]
- Privacy settings observed: [Public / Restricted / Private]
- Notable PII-disclosing content this cycle:
- Impostor account on same platform: [Y/N - ref]
- Last checked:
- Notes:
- [platform 2]
03 · Credential & Breach Exposure
Track every known appearance of the principal’s selectors in breach compilations, paste sites, infostealer logs, and combo lists. Each new appearance is a triggered watch item. → feeds §1 Watch Criteria (credential-exposure tripwire), PIR-3, §4 Escalation.
Breach appearances
One block per breach/exposure event. Clone per event. Tool hints: haveibeenpwned, dehashed, h8mail, intelx.
- [breach / dataset - e.g. “MegaLeak 2025-Q3”]
- Selector exposed: [email / username / phone]
- Data exposed: [email / cleartext pw / hashed pw / PII / other]
- Date of breach:
- Date first observed:
- New since baseline: [Y/N]
- Severity: [Critical / High / Elevated / Low]
- Remediation actioned: [Y/N - detail]
- Escalation tier triggered:
- Notes / tool output: ← haveibeenpwned, dehashed, h8mail, intelx
- [breach 2]
Paste / infostealer / combo-list appearances
Re-run paste search each cycle.
- [paste ref / URL / date]
- Selector:
- Data in paste:
- Context (combo / stealer log / doxx):
- New this cycle: [Y/N]
- Notes / tool output: ← pastebin-scrape, intelx, leak lookup
- [paste 2]
Credential reuse risk assessment
- Live accounts using exposed credential:
- Password reuse across accounts: [Assessed Y/N - method]
- MFA status on exposed accounts:
- Remediation recommendations issued:
04 · Dark-Web Presence
Monitor dark-web markets, forums, leak sites, and restricted channels for mentions, listings, or targeting activity referencing the principal, their org, or their selectors. → feeds §1 Watch Criteria (dark-web tripwire), PIR-4, §4 Escalation (high/critical).
Dark-web market listings
One block per detected listing. Clone per item.
- [market + listing ref]
- Content (PII / credential / access / data):
- Price / ask:
- Seller handle:
- Date first observed:
- Attributed to principal: [Confirmed / Probable / Possible]
- Escalation tier triggered:
- Notes / evidence ref:
- [listing 2]
Forum mentions / doxxing threads
- [forum / channel + thread ref]
- Content summary:
- Actor handles:
- Date first observed:
- Threat language: [None / Implied / Explicit]
- Escalation tier triggered:
- Notes:
Ransomware / extortion leak sites
- [site + entry ref]
- Org / principal named:
- Data published or pending:
- Date first observed:
- Escalation tier triggered:
- Notes:
Restricted-channel / Telegram monitoring
- [channel / group ref]
- Principal or org mentioned:
- Nature of mention:
- Date:
- Confidence of attribution: [Confirmed / Probable / Possible]
- Notes:
05 · Digital Footprint & PII Exposure
Monitor data-broker aggregators, public records, and social media for PII that could enable targeting of the principal or their family. Scope limited to lawful open sources per the Scope, Authorities & Limitations section. → feeds §1 Watch Criteria (PII-expansion tripwire), PIR-5, §3 Reporting Cadence.
Data-broker profiles
One block per data-broker site. Clone per site. Tool hints: people-search engines, Spokeo, BeenVerified, IntelligenceX.
- [broker / aggregator - e.g. Whitepages, Spokeo, Intelius]
- Selectors / PII listed:
- Home address published: [Y/N]
- Family members listed: [Y/N]
- New / changed since last cycle: [Y/N]
- Opt-out / suppression requested: [Y/N - date]
- Notes:
- [broker 2]
Public records exposure
- [record type - voter roll / court filing / property deed / business reg]
- Jurisdiction / source:
- PII exposed:
- New this cycle: [Y/N]
- Suppression / redaction actioned: [Y/N]
- Notes:
Social media PII disclosure
Inadvertent disclosure of home address, schedule, travel, or family.
- [platform + post ref]
- PII type disclosed: [address / location / schedule / family / other]
- Date of post:
- Still live: [Y/N]
- Takedown requested: [Y/N]
- Notes:
Geolocation / EXIF exposure
- [source - photo EXIF / check-in / map tag]
- Location revealed:
- Date:
- Platform:
- Still live: [Y/N]
- Notes:
Overall PII exposure risk assessment
- Risk score this cycle: [H/M/L]
- Change from prior cycle: [Increased / Stable / Decreased]
- Key new exposures:
06 · Infrastructure
Track internet-facing assets attributed to the principal (personal domains, hosting, cloud presence) and spoof/typosquat domains mimicking the principal’s identity or org. → feeds §1 Watch Criteria (infrastructure-change and spoof-domain tripwires), PIR-6.
Personal / executive domains
One block per domain. Tool hints: whois, crt.sh, viewdns.info, SecurityTrails.
- [domain - e.g. johnsmith.com]
- Registrant / WHOIS:
- Registrar / expiry:
- Hosting / IP:
- TLS cert (crt.sh):
- Status: [Active / Parked / Expired / New this cycle]
- Attribution confidence: [Confirmed / Probable / Possible]
- Notes / tool output: ← whois, crt.sh, viewdns.info
- [domain 2]
Typosquat / spoof / impersonation domains
Monitor cert transparency and domain registration feeds for lookalike domains. Tool hints: dnstwist, crt.sh, URLscan.
- [domain - e.g. john-smyth.com]
- Similarity type: [typosquat / homoglyph / prefix-suffix / brand-spoof]
- Registrant (if visible):
- Infrastructure:
- Date first detected:
- Active / parked:
- Escalation tier triggered:
- Takedown / blocking initiated: [Y/N]
- Notes / tool output: ← dnstwist, crt.sh, URLscan
- [spoof domain 2]
Cloud / SaaS accounts (personal)
- [service - e.g. personal iCloud / Gmail / Dropbox]
- Status: [In scope / Out of scope]
- Exposure signals:
- Notes:
Home-network / device exposure signals
- [source - Shodan / Censys / exposure report]
- Asset type: [router / NAS / IoT / other]
- IP / network:
- Exposure:
- Date observed:
- Remediation recommended: [Y/N]
- Notes / tool output: ← Shodan, Censys
- [asset 2]
07 · Attack Surface & Vulnerabilities
Map the observable attack vectors against the principal’s digital surface: phishing / BEC campaigns, social-engineering channels, credential-stuffing targets, and known CVEs in personal infrastructure. → feeds §1 Watch Criteria (attack-surface tripwire), PIR-6, PIR-7.
Phishing / spear-phishing campaigns
One block per detected campaign targeting the principal.
- [campaign ref / date]
- Lure type: [email / SMS / voice / social]
- Infrastructure (sending domain / IP):
- Targeting method:
- Date first detected:
- Attribution (actor / campaign cluster):
- Escalation tier triggered:
- Actioned: [Y/N - detail]
- Notes / evidence ref:
- [campaign 2]
BEC / account-takeover indicators
- [indicator - e.g. inbox rule, forwarding, login from anomalous IP]
- Source / detection method:
- Date:
- Escalation tier triggered:
- Notes:
Credential-stuffing / login-attempt signals
- [service / platform]
- Signal type: [failed logins / account-lock / notification]
- Date:
- Likely source:
- MFA held: [Y/N]
- Notes:
Personal-infrastructure CVEs / misconfigurations
- [asset + CVE / misconfiguration]
- Severity (CVSS):
- Date observed:
- Remediation recommended: [Y/N - detail]
- Status: [Open / Remediated]
- Notes / tool output:
Social-engineering approach / pretexting
- [approach type + date]
- Method: [phone / in-person / online / other]
- Actor handle or description:
- Information sought:
- Escalation tier triggered:
- Notes:
08 · Attribution & Threat Actors
Characterize any actor(s) demonstrating collection interest, exploitation capability, or hostile intent toward the principal. Each attributed actor is a standing watch-item node. → feeds §1 Watch Criteria (threat-actor tripwire), PIR-7, §4 Escalation.
Threat actor profiles
One block per actor or campaign cluster. Clone per actor.
- [actor handle / group / campaign cluster]
- Actor type: [state-sponsored / criminal / hacktivist / insider / unknown]
- Motivation: [financial / espionage / harassment / reputational / other]
- Known TTPs (observed against this principal):
- First observed:
- Last active:
- Attribution confidence: [Confirmed / Probable / Possible]
- Current activity status: [Active / Dormant / Unknown]
- Related IOCs:
- Notes:
- [actor 2]
Indicators of compromise (IOCs) observed
One block per IOC cluster.
- [IOC type - IP / domain / hash / email header / payload]
- Value:
- First seen:
- Campaign / actor link:
- Shared to threat-intel platform: [Y/N]
- Notes:
- [IOC 2]
Social-media / forum actor intelligence
- [actor handle on platform]
- Platform:
- Observed behaviors toward principal:
- Date first noted:
- Confidence: [H/M/L]
- Notes:
Watch-list of known hostile actors
Running register of actors cleared through the program; update each cycle.
- [actor ref]
- Status this cycle: [Active / Quiet / Escalated / Resolved]
- Last observed action:
- Notes:
99 · Collection Admin
Working register - not a deliverable section, but the audit trail behind the service. → feeds Annex A Source & Watch-List Register, Annex B Onboarding/Offboarding Checklist, §5 SLA.
Source register
Every material datum traceable to a graded source. Grade per NATO Admiralty (A–F × 1–6).
- [S-1 - source / lane]
- Type: [Primary / Secondary / Tertiary]
- Reliability (A–F) / Credibility (1–6):
- Cadence / last accessed:
- Lane health: [Healthy / Degraded / Offline]
- Notes:
- [S-2]
Evidence archive
- [screenshot / capture ref + hash + URL + timestamp]:
SLA compliance log
- [metric - e.g. alert delivery time, critical tier]
- Target (per §5):
- Achieved this cycle:
- Miss / credit triggered: [Y/N]
Onboarding / offboarding checklist status
- Authority / consent basis captured and on file
- Seeding baseline (OSINT-055) ingested and watch list seeded
- Collection lanes stood up and verified
- Tripwires configured and tested
- Data retention / destruction schedule documented
- Offboarding / data-return/purge terms documented
Open gaps / verification pending (carry-forward)
- [item outstanding - source, date opened, routing]
- [item]
Watch-list change log
- [date] - [watch item added / retired / threshold adjusted] - authorized by: