[PRINCIPAL] - Collection Map

OSINT-057 Executive Digital Protection Program - collection workspace. Central topic = the protected executive (principal). Branches = digital-surface watch categories covering identity, selectors, credential/breach exposure, dark-web presence, PII footprint, infrastructure, and attack surface under continuous monitoring. Drop each collected or newly-observed value as a child node; expand with source, date, and which tripwire (§1) it triggered. Paste raw tool output into the node’s Notes. Seeding baseline: OSINT-055-digital-footprint-and-exposure-assessment must be ingested first. → feeds deliverable OSINT-057.

00 · Collection Plan - PIRs & EEIs

Standing intelligence requirements and essential elements of information (EEI) that this monitoring service must keep current. Tick when satisfied for the reporting cycle; re-open each new cycle. → drives §1 Watch Criteria/Tripwires, §4 Escalation & Notification Triggers, Annex A.

PIR-1 - Identity anchor: is the principal’s core identity surface stable and uncompromised?

  • EEI: legal name, primary email(s), and phone(s) confirmed current and unaltered
  • EEI: no new alias, pseudonym, or impostor account detected
  • EEI: no credential material (password/token) tied to principal’s anchor identity found in new breaches
  • EEI: no unauthorized account creation or takeover signal observed

PIR-2 - Selector set: have any new selectors surfaced or existing ones been compromised?

  • EEI: full active email set enumerated and breach-checked this cycle
  • EEI: full active username/handle set verified across agreed platform scope
  • EEI: phone numbers checked for porting/hijack signals
  • EEI: new selectors (email, username, phone) discovered and attributed this cycle

PIR-3 - Credential & breach exposure: has new material appeared in breaches, pastes, or leaks?

  • EEI: new breach/combo/stealer-log appearance confirmed or ruled out this cycle
  • EEI: severity of exposed data assessed (cleartext password vs. hash vs. PII)
  • EEI: credential material actionably tied to live accounts identified
  • EEI: paste/infostealer appearance compared to prior cycle baseline

PIR-4 - Dark-web presence: is the principal mentioned, traded, or targeted on dark-web/restricted forums?

  • EEI: principal’s PII (name, email, org) appearing in dark-web markets or leak sites
  • EEI: targeting language, doxxing posts, or threat actor interest detected
  • EEI: corporate credentials or internal data attributed to principal’s org advertised
  • EEI: ransomware/extortion forum mention or negotiation thread observed

PIR-5 - PII & data-broker exposure: has the principal’s public data footprint expanded materially?

  • EEI: new data-broker profile or public record aggregation detected and catalogued
  • EEI: home address, family members, or routine locations newly published
  • EEI: social media content inadvertently disclosing sensitive location or schedule
  • EEI: change in overall PII exposure risk score vs. prior cycle

PIR-6 - Infrastructure & attack surface: has a new cyber asset or vulnerability been exposed?

  • EEI: new domain registrations associated with principal or spoofing principal’s identity
  • EEI: certificate transparency logs showing new TLS assets attributed to principal
  • EEI: personal device, cloud account, or home-network exposure signals observed
  • EEI: phishing or typosquat domain mimicking principal’s identity detected

PIR-7 - Threat actor targeting: is any known actor actively pursuing the principal?

  • EEI: spear-phishing campaigns referencing principal detected in threat feeds
  • EEI: social-engineering approach or impersonation attempt reported or observed
  • EEI: targeting attributable to a known actor or campaign cluster identified
  • EEI: any operational indicator linking collection activity to the principal

PIR-8 - Are all collection lanes healthy and within SLA?

  • EEI: each §2 lane returned results within its scheduled cadence
  • EEI: no source degradation or access failure outstanding
  • EEI: prior-cycle gaps/RFIs resolved or formally carried forward

Collection gaps / RFIs (running)

  • [open item from current cycle] → route to [analyst / external request / product]
  • [open item]

00b · Monitoring Cadence & Triggers

OSINT-057 is a retained continuous service. This branch governs the watch schedule, per-lane refresh cadence, alert thresholds, and escalation path for the executive digital protection program. → feeds §1 Watch Criteria/Tripwires, §2 Collection Cadence & Sources, §3 Reporting Cadence & Product Format, §4 Escalation & Notification Triggers, §5 SLA.

Active watch items (per §1 of deliverable)

Seed one block per §1 watch-item row. Clone per item.

  • [watch item - e.g. credential exposure in new breach]
    • Observable indicator:
    • Tripwire threshold:
    • Likelihood (1–5):
    • Impact (1–5):
    • L×I score:
    • Severity tier: [Critical 21–25 / High 16–20 / Elevated 11–15 / Moderate-Low 1–10]
    • Escalation route (→ §4 tier):
    • Status this cycle: [Open / Fired / Clear]
    • Notes / tool output:
  • [watch item 2]

Collection-lane refresh cadence

Map each §2 source lane to its scheduled check frequency and last-run timestamp.

  • [lane - e.g. breach/paste monitoring]
    • Cadence: [continuous / hourly / daily / weekly]
    • Last run:
    • Next scheduled:
    • Source grade (Admiralty):
    • Status: [Healthy / Degraded / Offline]
  • [lane 2]

Alert thresholds & escalation path

  • Critical (L×I 21–25): notify within - method:
  • High (L×I 16–20): notify within - method:
  • Elevated (L×I 11–15): notify within - method:
  • Moderate / Low (L×I 1–10): include in next routine product - method:
  • False-positive protocol:

Routine reporting schedule

  • Routine periodic summary: cadence - next due - recipient
  • Tripwire alert: on-event, per §4 - last fired
  • Service-health / SLA report: cadence - next due

Cycle review log

One block per completed reporting cycle.

  • [cycle - e.g. 2026-W25]
    • Tripwires fired:
    • Gaps carried forward:
    • Watch-list changes:
    • Notes:

01 · Identity Anchor

The principal’s resolved core identity - established by the OSINT-055 seeding baseline. Monitor for unauthorized changes, new aliases, or impostor accounts that indicate targeting. → feeds §1 Watch Criteria (identity-change tripwire), Annex A Source Register.

Principal identity (baseline)

  • Full legal name:
  • Title / executive role:
  • Employing / sponsoring organization:
  • DOB / YOB (if in scope):
  • Nationality / citizenship(s):
  • Primary confirmed identifiers:

Known aliases & pseudonyms

  • [alias / pseudonym]
    • Context (professional / personal / legacy):
    • Platforms using it:
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Baseline or new this cycle: [Baseline / New]
    • Notes:

Impostor / impersonation accounts detected

Each detected account is a PIR-1 tripwire event.

  • [platform + handle / URL]
    • Date first detected:
    • Nature (clone / fake / parody):
    • Reported / actioned: [Y/N]
    • Escalation tier triggered:
    • Notes / evidence ref:

02 · Selectors & Accounts

The pivot core. Each selector or account is its own clonable block. New selectors are themselves tripwire events. Re-verify the full set each cycle and compare to baseline. → feeds §1 Watch Criteria (selector-change tripwire), §2 Collection Cadence & Sources, PIR-2.

Email addresses

→ alert on new address; run breach/paste check every cycle. Tool hints: holehe, h8mail, hunter.io, haveibeenpwned.

  • [email - e.g. exec@company.com]
    • Status: [Active / Inactive / New this cycle]
    • Linked accounts (account discovery):
    • New breach / paste appearance this cycle:
    • Where found (source + URL):
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Last verified:
    • Notes / tool output: ← holehe, h8mail, hunter.io
  • [email 2]

Usernames / handles

→ alert on new handle or account deletion; re-run each cycle. Tool hints: idcrawl, sherlock, whatsmyname.

  • [handle - e.g. exec_name]
    • Platforms / where found (URL):
    • Status: [Active / Dormant / New this cycle / Deleted this cycle]
    • Linked email(s):
    • Linked phone(s):
    • Other accounts reusing handle:
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Last verified:
    • Notes / tool output: ← idcrawl, sherlock, whatsmyname
  • [handle 2]

Phone numbers

→ alert on porting / hijack signal; re-check carrier and app linkage each cycle.

  • [number - e.g. +1 555-0100]
    • Type / carrier: [mobile / landline / VoIP]
    • Status: [Active / Inactive / Ported this cycle]
    • Linked accounts / apps:
    • Porting / SIM-swap signal: [None / Suspected / Confirmed]
    • Where found (source + URL):
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Last verified:
    • Notes / tool output: ← carrier lookup, truecaller
  • [number 2]

Social media accounts (in-scope platforms)

Clone per platform. Re-check account status, activity, and content each cycle.

  • [platform - LinkedIn / X / Facebook / Instagram / Threads / other]
    • Handle / URL:
    • Status: [Active / Dormant / New this cycle / Deleted this cycle]
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Privacy settings observed: [Public / Restricted / Private]
    • Notable PII-disclosing content this cycle:
    • Impostor account on same platform: [Y/N - ref]
    • Last checked:
    • Notes:
  • [platform 2]

03 · Credential & Breach Exposure

Track every known appearance of the principal’s selectors in breach compilations, paste sites, infostealer logs, and combo lists. Each new appearance is a triggered watch item. → feeds §1 Watch Criteria (credential-exposure tripwire), PIR-3, §4 Escalation.

Breach appearances

One block per breach/exposure event. Clone per event. Tool hints: haveibeenpwned, dehashed, h8mail, intelx.

  • [breach / dataset - e.g. “MegaLeak 2025-Q3”]
    • Selector exposed: [email / username / phone]
    • Data exposed: [email / cleartext pw / hashed pw / PII / other]
    • Date of breach:
    • Date first observed:
    • New since baseline: [Y/N]
    • Severity: [Critical / High / Elevated / Low]
    • Remediation actioned: [Y/N - detail]
    • Escalation tier triggered:
    • Notes / tool output: ← haveibeenpwned, dehashed, h8mail, intelx
  • [breach 2]

Paste / infostealer / combo-list appearances

Re-run paste search each cycle.

  • [paste ref / URL / date]
    • Selector:
    • Data in paste:
    • Context (combo / stealer log / doxx):
    • New this cycle: [Y/N]
    • Notes / tool output: ← pastebin-scrape, intelx, leak lookup
  • [paste 2]

Credential reuse risk assessment

  • Live accounts using exposed credential:
  • Password reuse across accounts: [Assessed Y/N - method]
  • MFA status on exposed accounts:
  • Remediation recommendations issued:

04 · Dark-Web Presence

Monitor dark-web markets, forums, leak sites, and restricted channels for mentions, listings, or targeting activity referencing the principal, their org, or their selectors. → feeds §1 Watch Criteria (dark-web tripwire), PIR-4, §4 Escalation (high/critical).

Dark-web market listings

One block per detected listing. Clone per item.

  • [market + listing ref]
    • Content (PII / credential / access / data):
    • Price / ask:
    • Seller handle:
    • Date first observed:
    • Attributed to principal: [Confirmed / Probable / Possible]
    • Escalation tier triggered:
    • Notes / evidence ref:
  • [listing 2]

Forum mentions / doxxing threads

  • [forum / channel + thread ref]
    • Content summary:
    • Actor handles:
    • Date first observed:
    • Threat language: [None / Implied / Explicit]
    • Escalation tier triggered:
    • Notes:

Ransomware / extortion leak sites

  • [site + entry ref]
    • Org / principal named:
    • Data published or pending:
    • Date first observed:
    • Escalation tier triggered:
    • Notes:

Restricted-channel / Telegram monitoring

  • [channel / group ref]
    • Principal or org mentioned:
    • Nature of mention:
    • Date:
    • Confidence of attribution: [Confirmed / Probable / Possible]
    • Notes:

05 · Digital Footprint & PII Exposure

Monitor data-broker aggregators, public records, and social media for PII that could enable targeting of the principal or their family. Scope limited to lawful open sources per the Scope, Authorities & Limitations section. → feeds §1 Watch Criteria (PII-expansion tripwire), PIR-5, §3 Reporting Cadence.

Data-broker profiles

One block per data-broker site. Clone per site. Tool hints: people-search engines, Spokeo, BeenVerified, IntelligenceX.

  • [broker / aggregator - e.g. Whitepages, Spokeo, Intelius]
    • Selectors / PII listed:
    • Home address published: [Y/N]
    • Family members listed: [Y/N]
    • New / changed since last cycle: [Y/N]
    • Opt-out / suppression requested: [Y/N - date]
    • Notes:
  • [broker 2]

Public records exposure

  • [record type - voter roll / court filing / property deed / business reg]
    • Jurisdiction / source:
    • PII exposed:
    • New this cycle: [Y/N]
    • Suppression / redaction actioned: [Y/N]
    • Notes:

Social media PII disclosure

Inadvertent disclosure of home address, schedule, travel, or family.

  • [platform + post ref]
    • PII type disclosed: [address / location / schedule / family / other]
    • Date of post:
    • Still live: [Y/N]
    • Takedown requested: [Y/N]
    • Notes:

Geolocation / EXIF exposure

  • [source - photo EXIF / check-in / map tag]
    • Location revealed:
    • Date:
    • Platform:
    • Still live: [Y/N]
    • Notes:

Overall PII exposure risk assessment

  • Risk score this cycle: [H/M/L]
  • Change from prior cycle: [Increased / Stable / Decreased]
  • Key new exposures:

06 · Infrastructure

Track internet-facing assets attributed to the principal (personal domains, hosting, cloud presence) and spoof/typosquat domains mimicking the principal’s identity or org. → feeds §1 Watch Criteria (infrastructure-change and spoof-domain tripwires), PIR-6.

Personal / executive domains

One block per domain. Tool hints: whois, crt.sh, viewdns.info, SecurityTrails.

  • [domain - e.g. johnsmith.com]
    • Registrant / WHOIS:
    • Registrar / expiry:
    • Hosting / IP:
    • TLS cert (crt.sh):
    • Status: [Active / Parked / Expired / New this cycle]
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Notes / tool output: ← whois, crt.sh, viewdns.info
  • [domain 2]

Typosquat / spoof / impersonation domains

Monitor cert transparency and domain registration feeds for lookalike domains. Tool hints: dnstwist, crt.sh, URLscan.

  • [domain - e.g. john-smyth.com]
    • Similarity type: [typosquat / homoglyph / prefix-suffix / brand-spoof]
    • Registrant (if visible):
    • Infrastructure:
    • Date first detected:
    • Active / parked:
    • Escalation tier triggered:
    • Takedown / blocking initiated: [Y/N]
    • Notes / tool output: ← dnstwist, crt.sh, URLscan
  • [spoof domain 2]

Cloud / SaaS accounts (personal)

  • [service - e.g. personal iCloud / Gmail / Dropbox]
    • Status: [In scope / Out of scope]
    • Exposure signals:
    • Notes:

Home-network / device exposure signals

  • [source - Shodan / Censys / exposure report]
    • Asset type: [router / NAS / IoT / other]
    • IP / network:
    • Exposure:
    • Date observed:
    • Remediation recommended: [Y/N]
    • Notes / tool output: ← Shodan, Censys
  • [asset 2]

07 · Attack Surface & Vulnerabilities

Map the observable attack vectors against the principal’s digital surface: phishing / BEC campaigns, social-engineering channels, credential-stuffing targets, and known CVEs in personal infrastructure. → feeds §1 Watch Criteria (attack-surface tripwire), PIR-6, PIR-7.

Phishing / spear-phishing campaigns

One block per detected campaign targeting the principal.

  • [campaign ref / date]
    • Lure type: [email / SMS / voice / social]
    • Infrastructure (sending domain / IP):
    • Targeting method:
    • Date first detected:
    • Attribution (actor / campaign cluster):
    • Escalation tier triggered:
    • Actioned: [Y/N - detail]
    • Notes / evidence ref:
  • [campaign 2]

BEC / account-takeover indicators

  • [indicator - e.g. inbox rule, forwarding, login from anomalous IP]
    • Source / detection method:
    • Date:
    • Escalation tier triggered:
    • Notes:

Credential-stuffing / login-attempt signals

  • [service / platform]
    • Signal type: [failed logins / account-lock / notification]
    • Date:
    • Likely source:
    • MFA held: [Y/N]
    • Notes:

Personal-infrastructure CVEs / misconfigurations

  • [asset + CVE / misconfiguration]
    • Severity (CVSS):
    • Date observed:
    • Remediation recommended: [Y/N - detail]
    • Status: [Open / Remediated]
    • Notes / tool output:

Social-engineering approach / pretexting

  • [approach type + date]
    • Method: [phone / in-person / online / other]
    • Actor handle or description:
    • Information sought:
    • Escalation tier triggered:
    • Notes:

08 · Attribution & Threat Actors

Characterize any actor(s) demonstrating collection interest, exploitation capability, or hostile intent toward the principal. Each attributed actor is a standing watch-item node. → feeds §1 Watch Criteria (threat-actor tripwire), PIR-7, §4 Escalation.

Threat actor profiles

One block per actor or campaign cluster. Clone per actor.

  • [actor handle / group / campaign cluster]
    • Actor type: [state-sponsored / criminal / hacktivist / insider / unknown]
    • Motivation: [financial / espionage / harassment / reputational / other]
    • Known TTPs (observed against this principal):
    • First observed:
    • Last active:
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Current activity status: [Active / Dormant / Unknown]
    • Related IOCs:
    • Notes:
  • [actor 2]

Indicators of compromise (IOCs) observed

One block per IOC cluster.

  • [IOC type - IP / domain / hash / email header / payload]
    • Value:
    • First seen:
    • Campaign / actor link:
    • Shared to threat-intel platform: [Y/N]
    • Notes:
  • [IOC 2]

Social-media / forum actor intelligence

  • [actor handle on platform]
    • Platform:
    • Observed behaviors toward principal:
    • Date first noted:
    • Confidence: [H/M/L]
    • Notes:

Watch-list of known hostile actors

Running register of actors cleared through the program; update each cycle.

  • [actor ref]
    • Status this cycle: [Active / Quiet / Escalated / Resolved]
    • Last observed action:
    • Notes:

99 · Collection Admin

Working register - not a deliverable section, but the audit trail behind the service. → feeds Annex A Source & Watch-List Register, Annex B Onboarding/Offboarding Checklist, §5 SLA.

Source register

Every material datum traceable to a graded source. Grade per NATO Admiralty (A–F × 1–6).

  • [S-1 - source / lane]
    • Type: [Primary / Secondary / Tertiary]
    • Reliability (A–F) / Credibility (1–6):
    • Cadence / last accessed:
    • Lane health: [Healthy / Degraded / Offline]
    • Notes:
  • [S-2]

Evidence archive

  • [screenshot / capture ref + hash + URL + timestamp]:

SLA compliance log

  • [metric - e.g. alert delivery time, critical tier]
    • Target (per §5):
    • Achieved this cycle:
    • Miss / credit triggered: [Y/N]

Onboarding / offboarding checklist status

  • Authority / consent basis captured and on file
  • Seeding baseline (OSINT-055) ingested and watch list seeded
  • Collection lanes stood up and verified
  • Tripwires configured and tested
  • Data retention / destruction schedule documented
  • Offboarding / data-return/purge terms documented

Open gaps / verification pending (carry-forward)

  • [item outstanding - source, date opened, routing]
  • [item]

Watch-list change log

  • [date] - [watch item added / retired / threshold adjusted] - authorized by: