[ORGANIZATION / CREDENTIAL SCOPE] - Collection Map

OSINT-060 Continuous Dark Web & Credential Monitoring - collection workspace. Central topic = the organization / credential scope under watch. Branches = data categories and monitoring lanes. Drop each collected value as a child node; expand it with where it was found. Paste raw tool output or alert detail into the node’s Notes. → feeds deliverable OSINT-060. This is a standing subscription: operator clones recurring blocks each collection cycle.

00 · Collection Plan - PIRs & EEIs

The questions this monitoring subscription must answer + the essential elements of information (EEI) for each. Tick as satisfied each cycle. → drives §1 Scope & Watch Criteria/Tripwires, §4 Escalation, §5 SLAs, and Annex A Source/Watch-List Register.

PIR-1 - Credential Exposure: have any org/executive/vendor credentials appeared in breach data or dark-web listings?

  • EEI: org email domain(s) found in breach aggregator or stealer log
  • EEI: named executive / privileged-account credential found on dark-web forum or marketplace
  • EEI: third-party vendor / contractor credential tied to org scope appeared in compromise dataset
  • EEI: SSO, API key, or OAuth token exposed in public dump or marketplace listing

PIR-2 - Adversarial Targeting: is the organization actively discussed or targeted on dark-web forums?

  • EEI: organization name / brand mentioned in threat forum or adversarial channel
  • EEI: reconnaissance query, access-brokerage listing, or targeting thread identified
  • EEI: threat actor or group attributable to discussion or listing
  • EEI: method / vector described in the targeting discussion

PIR-3 - Data Exposure: has proprietary or sensitive data (PII, source code, financial records) been posted or offered?

  • EEI: corporate data identified in dark-web marketplace offer or dump
  • EEI: customer PII / financial records posted on paste aggregator or leak site
  • EEI: source code or internal documentation offered for sale or shared
  • EEI: data volume and scope of any identified dump

PIR-4 - Collection Health & SLA: is monitoring coverage operating within agreed service levels?

  • EEI: all collection lanes active per §2 cadence
  • EEI: alert-delivery times within tier targets per §4 / §5
  • EEI: false-positive rate within quality bound per §5
  • EEI: gaps in coverage reported and remediation steps recorded

Collection gaps / RFIs (running)

  • [open gap] → route to [collection lane / escalation tier]
  • [open gap]

00b · Monitoring Cadence & Triggers

Standing watch schedule and alert conditions for this subscription. Review against §2 Collection Cadence and §3 Reporting Cadence in the deliverable. Update each cycle or when scope changes per §6 Review & Renewal.

Watch items registry (mirror of §1 tripwire table)

  • [Watch item - e.g., organizational credential exposure]
    • Observable indicator:
    • Tripwire threshold:
    • Risk score (L×I):
    • Severity tier: [Critical / High / Elevated / Moderate / Low]
    • Active: [Yes / No]
  • [Watch item 2]

Refresh cadence per lane

  • Public credential-breach aggregator: [real-time / daily verification sweep]
  • Dark-web forum monitoring: [daily keyword sweep + human review on detection]
  • Dark-web marketplace monitoring: [continuous automated sweep + human verification on match]
  • Paste/public dump aggregators: [real-time / hourly]
  • Social media / public-web credential recon: [weekly / monthly per executive or credential set]

Alert thresholds

  • Critical (L×I 21–25): [trigger condition - e.g., C-suite or privileged account exposed; active targeting]
    • Notify:
    • Method: [phone call + encrypted email + secure channel]
    • Acknowledgement target: [15-minute acknowledgement]
  • High (L×I 16–20): [trigger condition - e.g., executive account breach; significant PII; active forum discussion]
    • Notify:
    • Method: [encrypted email + phone within 1 hour]
    • Acknowledgement target: [1-hour acknowledgement]
  • Elevated (L×I 11–15): [trigger condition - e.g., non-executive staff breach; vendor exposure; recon activity]
    • Notify:
    • Method: [encrypted email + follow-up call within 4 hours]
    • Acknowledgement target: [4-hour acknowledgement]
  • Moderate/Low (L×I 1–10): [trigger condition - e.g., low-confidence match; historical breach re-surfacing]
    • Notify:
    • Method: [email in next batch report]
    • Acknowledgement target: [next scheduled report cycle]

Escalation path

  • Escalation route (Critical/High):
  • Incident-response handoff:
  • Change-control (add/retire watch item) → [5-business-day notice; per §6]

Cycle log

  • Last collection sweep:
  • Next scheduled sweep:
  • Lane outages / exceptions:
  • Scope changes since last review:

01 · Identity Anchor

Who and what is under watch. Establishes the unique org/scope identifier that all collected selectors attach to. → feeds §1 Scope & Watch Criteria/Tripwires (watch item rows), Annex B Onboarding Checklist.

Organization / scope identity

  • Legal entity name:
  • DBA / trading names:
  • Primary domain(s):
  • Secondary / affiliate domains:
  • Industry / sector:
  • HQ / primary jurisdiction:
  • Seeding baseline product (OSINT-058 ref):

Authorized credential scope

  • Email domain(s) in scope:
  • Executive / named individual accounts in scope:
  • Vendor / contractor accounts in scope:
  • SSO / API / service account types in scope:
  • Explicit out-of-scope items:
  • Authorization document ref:
  • Consent capture date:
  • Renewal / review date:

02 · Selectors & Accounts

The monitored credential identifiers. Each entry is its own clonable block; operator duplicates per selector. → feeds §1 Watch Criteria (tripwire table), §2 Collection Cadence, Annex A Source Register.

Email addresses / domains under watch

Clone per selector. → §1 watch items (credential exposure rows), §2 breach-aggregator lane.

  • [email / domain - e.g., @example.com]
    • Scope tier: [Org domain / Executive / Vendor / Service account]
    • Named individual (if applicable):
    • Breach aggregators queried:
    • Paste/dump aggregators queried:
    • Last verified clean:
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Notes / tool output: ← holehe, h8mail, HIBP API, dehashed, IntelX
  • [email 2]

Usernames / handles under watch

Clone per handle. → §1 watch items, §2 social/public-web lane.

  • [handle - e.g., corp_admin]
    • Platforms / where found (URL):
    • Linked email(s):
    • Scope tier: [Executive / Staff / Service account]
    • Last sweep:
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Notes / tool output: ← sherlock, whatsmyname, idcrawl
  • [handle 2]

Phone numbers under watch

Clone per number. → §1 (where phone tied to credential scope).

  • [number - e.g., +1 555-0100]
    • Type: [mobile / VoIP / corporate]
    • Named individual:
    • Linked accounts / apps:
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Notes / tool output:
  • [number 2]

API keys / tokens / service credentials under watch

Clone per key/token type. → §1 (SSO / API key / OAuth exposure rows).

  • [key/token descriptor - e.g., GitHub PAT pattern, AWS key prefix]
    • Service / platform:
    • Leak sites / code repos checked:
    • Last verified:
    • Notes / tool output: ← GitGuardian-style scan, GitHub search, Pastebin search
  • [key type 2]

03 · Credential & Breach Exposure

Active and historical breach, stealer-log, and paste detections. Each exposure is its own clonable block. → feeds §1 Watch Criteria (credential-exposure rows), §3 Reporting (alert and summary products), §4 Escalation tiers, Annex A Source Register.

Breach / stealer-log appearances

Clone per detection event. Grade each using Admiralty two-character code.

  • [breach/stealer-log - e.g., ComboList-2025-09, Stealer-X dump]
    • Detection date:
    • Affected credential(s):
    • Source lane (→ §2):
    • Source grade (Admiralty):
    • Severity tier triggered: [Critical / High / Elevated / Moderate / Low]
    • Alert fired: [Yes / No] - timestamp:
    • Remediation status: [Notified / Password reset / Under review / Closed]
    • Notes / tool output: ← HIBP API, dehashed, IntelX, Snusbase
  • [event 2]

Paste / public-dump appearances

Clone per paste event.

  • [paste / dump ref - e.g., Pastebin key abc123, date]
    • Affected credentials:
    • Data types in dump: [emails / passwords / PII / other]
    • Source lane (→ §2):
    • Source grade (Admiralty):
    • Severity tier triggered:
    • Alert fired: [Yes / No] - timestamp:
    • Notes / tool output: ← psbdmp, ghostproject, pastebin monitors, IntelX
  • [event 2]

Historical breach backlog (baseline from OSINT-058)

  • [historical breach name - e.g., LinkedIn 2012]
    • Affected credential(s):
    • Data exposed:
    • Remediation confirmed: [Yes / No / Unknown]
    • Notes:

04 · Dark-Web Presence

Dark-web forum, marketplace, and leak-site detections relevant to the scope. Each detection is a clonable block. → feeds §1 Watch Criteria (adversarial activity, data-exposure rows), §3 Reporting, §4 Escalation, Annex A Source Register.

Forum / adversarial channel mentions

Clone per detected mention or thread. → §1 adversarial-activity row, §4 escalation tier.

  • [forum / channel - e.g., RaidForums successor, XSS, BreachForums]
    • Thread / post reference:
    • Date observed:
    • Content summary:
    • Org / credential identifiers mentioned:
    • Threat actor / handle:
    • Severity tier triggered:
    • Alert fired: [Yes / No] - timestamp:
    • Source grade (Admiralty):
    • Notes / tool output:
  • [forum 2]

Marketplace listings

Clone per detected listing. → §1 adversarial-activity / data-exposure rows.

  • [marketplace - e.g., AlphaBay-successor, dark-web carding forum]
    • Listing title / descriptor:
    • Date observed:
    • Offer type: [credentials / data dump / access / other]
    • Org / credential identifiers involved:
    • Asking price / currency:
    • Severity tier triggered:
    • Alert fired: [Yes / No] - timestamp:
    • Source grade (Admiralty):
    • Notes / tool output:
  • [marketplace 2]

Leak sites / data-dump postings

Clone per detected leak-site post.

  • [leak site - e.g., ransomware group site, CL0P leak page]
    • Organization named:
    • Data described:
    • Date observed:
    • Download / sample available: [Yes / No]
    • Severity tier triggered:
    • Alert fired: [Yes / No] - timestamp:
    • Source grade (Admiralty):
    • Notes / tool output:
  • [leak site 2]

Access-brokerage detections

  • [broker listing - e.g., initial access for sale]
    • Access type described: [RDP / VPN / webshell / other]
    • Org indicators:
    • Asking price:
    • Date:
    • Severity tier triggered:
    • Notes:

05 · Digital Footprint & PII Exposure

Public-web, data-broker, and social-media credential or PII exposure surfacing that feeds the watch scope. Broader surface than §03 (breach data) - covers open OSINT lanes. → feeds §1 (social-media / public-web credential recon row), §2 (open-source lane), §3 reporting products.

Data-broker / people-search exposure

Clone per data-broker profile found for in-scope individuals.

  • [data broker - e.g., Spokeo, BeenVerified, Whitepages, Intelius]
    • Individuals / scope affected:
    • PII types exposed: [address / employer / relatives / email / phone / other]
    • URL / listing ref:
    • Opt-out status: [Submitted / Confirmed / Pending / N/A]
    • Notes / tool output: ← data broker removal services, optery, DeleteMe
  • [data broker 2]

Social media public exposure

Clone per platform / in-scope individual.

  • [platform - e.g., LinkedIn / X / GitHub / Glassdoor]
    • In-scope individual / handle:
    • PII or credential signals exposed:
    • Observed date:
    • Status: [Active / Removed / Archived]
    • Notes:
  • [platform 2]

Code repository exposure

Clone per detected repository leak.

  • [repo - e.g., GitHub public repo]
    • Org / user:
    • Content exposed: [API key / password / internal docs / config / other]
    • Detected via:
    • Date:
    • Remediation status: [Removed / Archived / Under review]
    • Notes / tool output: ← GitGuardian, truffleHog, grep.app
  • [repo 2]

06 · Infrastructure

Org-owned and org-associated internet infrastructure relevant to the monitoring scope. Detects domain lookalikes, subdomain exposure, IP/cert changes that may indicate threat-actor activity. → feeds §1 (data-breach / adversarial-activity rows indirectly), §2 collection lanes.

Domains - primary and affiliate

Clone per domain. → infrastructure integrity check, typosquat/lookalike detection.

  • [domain - e.g., example.com]
    • Registrar / WHOIS:
    • Expiry date:
    • MX / mail configuration:
    • SPF / DKIM / DMARC status:
    • Last verified:
    • Notes / tool output: ← whois, SecurityTrails, DomainTools, crt.sh
  • [domain 2]

Lookalike / typosquat domains detected

Clone per detected lookalike.

  • [typosquat domain - e.g., examp1e.com]
    • Detection method:
    • Registrar:
    • Active MX / hosting: [Yes / No]
    • Threat assessment: [Phishing risk / Parked / Benign / Unknown]
    • Date detected:
    • Notes / tool output: ← dnstwist, URLscan, VirusTotal
  • [lookalike 2]

IP ranges / cloud assets

  • [IP range / ASN / cloud account]
    • Provider:
    • Exposure:
    • Notes:

TLS / certificate monitoring

  • [cert CN / SAN - newly issued]
    • Issued to:
    • CA:
    • Date:
    • Anomalous: [Yes / No]
    • Notes / tool output: ← crt.sh, Certstream
  • [cert 2]

07 · Attack Surface & Vulnerabilities

OSINT-visible vulnerability and exposure indicators relevant to the credential / dark-web watch scope. Complements §06 infrastructure. → feeds §1 (adversarial-activity rows where exploit advertising observed), escalation per §4.

Exposed services / ports (OSINT-visible)

  • [host / service - e.g., exposed RDP, VPN login page]
    • Port / protocol:
    • Detection method:
    • Date observed:
    • Remediation status:
    • Notes / tool output: ← Shodan, Censys, FOFA
  • [service 2]

CVE / known-vulnerability mentions (dark-web / threat-intel context)

  • [CVE or vuln reference]
    • Mentioned in: [forum / marketplace / advisory]
    • Org targeted: [Confirmed / Probable / Possible]
    • Date observed:
    • Notes:

Advertised access types (from §04 marketplace detections)

  • [access type - e.g., VPN credentials, RDP access]
    • Linked to (from §04):
    • Severity tier:
    • Remediation:

08 · Attribution & Threat Actors

Identities and TTPs of threat actors observed in §04 dark-web detections. Informs escalation routing and client notification framing. → feeds §4 Escalation (notify party, method), §3 reporting products.

Threat actor / handle profiles

Clone per identified actor or handle. → §4 escalation, §3 alert product.

  • [actor / handle - e.g., forum alias, ransomware group]
    • Observed in: [forum / marketplace / leak site]
    • Associated campaigns:
    • Claimed affiliation:
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Prior activity against org / sector:
    • Source grade (Admiralty):
    • Notes / tool output:
  • [actor 2]

TTP indicators

  • [TTP - e.g., phishing kit, specific stealer family, initial-access method]
    • Observed in context:
    • MITRE ATT&CK ref:
    • Relevance to scope:
    • Notes:

False-positive log

  • [alert ref] - determined FP: [Yes / No]
    • Reason:
    • Tuning action taken:
    • Date closed:

99 · Collection Admin

Working register - not a deliverable section, but the audit trail behind it. Maps to Annex A (Source & Watch-List Register) and Annex B (Onboarding / Offboarding Checklist) in the deliverable.

Source register

Every material datum traceable to a graded source. Use NATO Admiralty two-character code. Reliability A–F: A Completely reliable · B Usually reliable · C Fairly reliable · D Not usually reliable · E Unreliable · F Cannot be judged. Credibility 1–6: 1 Confirmed · 2 Probably true · 3 Possibly true · 4 Doubtful · 5 Improbable · 6 Cannot be judged.

  • [S-1 - source / lane]
    • Type: [Public aggregator / Dark-web forum / Marketplace / Paste feed / Social/public-web]
    • Reliability (A–F):
    • Credibility (1–6):
    • Grade:
    • Last verified:
    • Notes:

Evidence archive

  • [alert / detection ref + hash + URL + timestamp]:

SLA compliance log (per §5)

  • Reporting period:
  • Credential detection latency (measured):
  • Alert-delivery time by tier (measured):
  • Routine product punctuality:
  • Monitoring availability / coverage:
  • False-positive rate:
  • SLA miss / exception:
  • Remedy applied:

Onboarding / offboarding status (per Annex B)

  • Authority / consent captured: [Yes / No] - date:
  • Baseline (OSINT-058) ingested: [Yes / No] - date:
  • Collection lanes stood up: [Yes / No] - date:
  • Alerting channels + escalation matrix configured: [Yes / No] - date:
  • Data-retention schedule confirmed: [Yes / No]
  • Offboarding / purge completed: [Yes / No] - date:

Open gaps / RFIs

  • [gap or RFI - submitted, not yet returned]

Watch-list change log (per §6)

  • [date] - [change: added / retired watch item or selector] - [authorized by]: