[PRINCIPAL] - Collection Map

OSINT-054 Custom Protective Threat Feed - collection workspace. Central topic = the principal / protectee the feed is built to protect. Branches = the data-point categories for this continuous protective threat-feed. This map captures the seeding data, actor inventory, watch criteria, source lanes, and feed-configuration parameters that the operator populates before standing up the feed. It does NOT record final feed output - those are emitted by the running system and stored in the evidence archive (§99). Feeds into: OSINT-054 system configuration; seeded from OSINT-051 Protective Intelligence Assessment.

00 · Collection Plan - PIRs & EEIs

The questions this feed must continuously answer, expressed as EEIs. Tick when the seeding collection satisfies each requirement sufficiently to configure a watch rule. Map to the OSINT-051 PIA sections that provide the baseline answers. → drives §3 Key Judgments, §4 PIRs, §12 Requirements & Indicators / Collection Plan, §16 Escalation Indicators & Tripwires of the seeding OSINT-051 PIA.

PIR-1 - Principal profile: is the protectee fully characterized for watch-rule scoping?

  • EEI: confirmed legal name + known aliases/variants used in public records and social media
  • EEI: principal’s digital selectors (emails, usernames, phone numbers) for exposure monitoring
  • EEI: principal’s physical locations (residence, office, habitual venues) for geo-scoped alerting
  • EEI: principal’s public exposure surface (media presence, event schedule, travel patterns)
  • EEI: insider-threat nexus nodes (household/staff with threat-actor linkage) identified

PIR-2 - Threat-actor inventory: are all threat nodes from the PIA enumerated as feed watchees?

  • EEI: all threat-node identifiers (name, aliases, accounts, selectors) from OSINT-051 §5
  • EEI: per-node threat level and pathway stage (from OSINT-051 §9) - sets alert-severity tier
  • EEI: per-node grievance driver and primary attack vector - sets watch-category priority
  • EEI: nexus/insider-threat nodes (from OSINT-051 §8) flagged for elevated monitoring
  • EEI: escalation indicators / tripwires (from OSINT-051 §16) translated to feed alert rules

PIR-3 - Threat landscape: are ambient threat categories and geographies defined for the feed scope?

  • EEI: geopolitical/country-level risk categories relevant to principal’s operating areas
  • EEI: ideological / extremist / targeted-violence communities referencing principal or similar targets
  • EEI: dark-web / closed-community chatter lanes monitoring principal’s name/selectors
  • EEI: adverse media and public-records lanes scoped to principal’s name and entity affiliations
  • EEI: physical-security incident lanes for principal’s residential/office locations

PIR-4 - Feed architecture: are collection lanes, sources, cadence, and alert thresholds fully specified?

  • EEI: open-source intelligence lanes mapped to each watch category with refresh cadence
  • EEI: commercial threat-intelligence or vendor feeds incorporated with reliability grade
  • EEI: alert-threshold logic (L×I band → severity tier) configured per §00b
  • EEI: delivery channel and recipient list confirmed and tested
  • EEI: false-positive / noise-suppression rules defined (keyword exclusions, entity disambiguation)

PIR-5 - System health: are monitoring availability, SLA, and review cadence established?

  • EEI: monitoring coverage windows and any blind-spot gaps documented
  • EEI: escalation path and ACK targets confirmed (from OSINT-051 §20 / OSINT-053 §4)
  • EEI: feed review cadence and watch-list update authority defined
  • EEI: data-retention and offboarding obligations captured

Collection gaps / RFIs (running)

  • [open item] → route to [product / analyst]
  • [open item]

00b · Monitoring Cadence & Triggers

This is a continuous/standing feed. Defines the watch items, refresh cadences, alert thresholds, and escalation path for the live feed. → drives §1 Scope & Watch Criteria / Tripwires and §2 Collection Cadence & Sources of OSINT-053 (Daily / Periodic Protective Intelligence Brief), and OSINT-051 §16 Escalation Indicators.

Watch-item inventory

One entry per configured watch category. Clone per item. Alert tier maps to L×I band from OSINT-051 §14.

  • [watch item - e.g., Threat-actor online activity / Node N-x]
    • Observable indicator:
    • Tripwire threshold (fires alert):
    • L×I score from PIA (OSINT-051 §14):
    • Severity tier: [Critical 21–25 / High 16–20 / Elevated 11–15 / Moderate-Low 1–10]
    • Refresh cadence: [continuous / hourly / 4-hourly / daily / weekly]
    • Collection lane (→ §08 Digital & Social Signals or §09 Indicators & Warnings):
    • Notes / current status:
  • [watch item 2]

Refresh cadence register

Feed layerWatch items servedCadenceTool / laneOwner
[e.g., social media keyword monitor][e.g., hourly][e.g., RSS aggregator / social-search API]
[e.g., dark-web mention scan][e.g., daily][e.g., dark-web monitoring service]
[e.g., adverse media / news scan][e.g., 4-hourly][e.g., news aggregation, Google Alerts]
[e.g., geopolitical advisory feed][e.g., daily][e.g., govt travel advisories, OSAC]
[e.g., court/registry records][e.g., weekly][e.g., PACER, state court portals]
[e.g., sanctions/watchlist delta][e.g., daily][e.g., OFAC/EU/UN delta feeds]

Alert thresholds and severity tiers

Severity tierL×I bandTrigger conditionNotifyMethodACK target
Critical21–25[e.g., ≤15 min]
High16–20[e.g., ≤30 min]
Elevated11–15[e.g., ≤2 hr]
Moderate / Low1–10[e.g., next scheduled brief]

Escalation path

  • Primary contact / protective officer:
  • Secondary / backup:
  • Law-enforcement liaison (pre-identified):
  • Feed owner / service manager:
  • Escalation for imminent-danger tripwire: [immediate LE / 911 - no delay]

01 · Principal / Protectee Profile

Who the feed is protecting. Feeds the watch-rule scoping in §00b and the exposure surface mapping in §06. All fields from OSINT-051 §11 Protectee Exposure Surface. → §11 Protectee Exposure Surface & Nexus Layer, §5 Threat-Network Frame.

Identity & confirmed selectors

  • Full name (and known public variants):
  • DOB / YOB:
  • Nationality / passport(s):
  • Primary role / title (public-facing):
  • Known pseudonyms / pen names / stage names:

Digital selectors (exposure surface - for feed scoping)

Clone per selector. These drive the keyword/entity rules in the feed.

  • [email address - e.g. principal@domain.com]
    • Linked accounts / platforms:
    • Breach / paste exposure:
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Notes / tool output: ← holehe, h8mail, hunter.io
  • [username / handle]
    • Platforms:
    • Attribution confidence:
    • Notes / tool output: ← sherlock, idcrawl, whatsmyname
  • [phone number]
    • Type: [mobile / VoIP / office]
    • Linked services:
    • Notes / tool output: ← truecaller, numverify

Entity / organizational affiliations (feed-scope anchors)

Clone per entity. Entity names/tickers drive corporate-news and regulatory watch lanes.

  • [entity - e.g. Company Name / Foundation / Political org]
    • Role / position:
    • Public-facing: [Y / N]
    • Registry record: ← OpenCorporates, state registry
    • Notes:

02 · Venue & Geography - Fixed-Exposure Points

The principal’s predictable, fixed-location exposure that a threat actor would exploit. Feeds the geo-scoped alert lanes (e.g., crime/incident monitoring for residential area, venue perimeter alerts). → §11 Protectee Exposure Surface (OAKOC lens), §2 Collection Cadence & Sources (OSINT-053).

Residence(s)

  • [address - primary]
    • Geo-fence radius for incident monitoring:
    • Associated entities (HOA / property mgmt):
    • Publicly linkable (e.g., property records): [Y / N / Partial]
    • Confidence: [H / M / L]
  • [address - secondary / vacation]
    • Geo-fence radius:
    • Publicly linkable:

Primary workplace / office

  • [address / building]
    • Publicly listed: [Y / N]
    • Associated entities:
    • Confidence: [H / M / L]

Habitual / recurring venues

  • [venue - e.g., gym / club / school / house of worship]
    • Frequency:
    • Publicly linkable: [Y / N]

Travel hubs (airports, transit nodes)

  • [hub / route]
    • Associated schedule pattern:
    • Notes:

03 · Routes & Movement

The principal’s habitual routes and mobility patterns that feed route-risk watch lanes and pre-departure advisories. → §11 Protectee Exposure Surface, §12 Requirements & Indicators (OSINT-051). Clone the block per route leg.

Habitual route legs

  • [route leg - e.g., residence → office]
    • Mode (vehicle / foot / transit):
    • Typical timing window:
    • Key chokepoints / fixed exposure points:
    • Alternative routes available: [Y / N]
    • Observable / trackable: [Y / N]
    • Notes:
  • [route leg 2]

Travel patterns

  • [destination - e.g., London quarterly board meeting]
    • Frequency:
    • Mode / carrier:
    • Publicly announced / ticketed: [Y / N]
    • Advance-security requirements:

Anomaly detection baseline

  • Normal mobility pattern:
  • Deviations that should trigger alert:

04 · Threat Actors & Persons of Interest

The actor inventory seeded from OSINT-051 §5–§9. Each node becomes a persistent watch entity in the feed. Clone the block per actor. → §5 Threat-Network Frame, §9 Per-Actor Threat Characterization, §16 Escalation Indicators & Tripwires (OSINT-051).

Threat node

  • [Node ID / name - e.g., N-1 / John Doe]
    • Threat level (from OSINT-051 §9): [Minimal / Low / Moderate / High / Imminent]
    • Pathway stage (from OSINT-051 §9): [Grievance / Ideation / Research / Preparation / Breach / Attack]
    • Primary grievance vector:
    • Hunter / Howler designation:
    • Known selectors (names / usernames / emails / phones):
      • [selector]
        • Platform / context:
        • Attribution confidence: [Confirmed / Probable / Possible]
        • Notes / tool output: ← sherlock, idcrawl, social-search
    • Known locations / area of operation:
    • Watch rules active for this node:
    • Last observed activity (date + source):
    • PIA source grade: [A–F / 1–6]
    • Notes / tool output:
  • [Node ID 2]

Nexus / insider-threat nodes (from OSINT-051 §8)

  • [Node ID / name]
    • Networks bridged: [friendly ↔ threat / neutral ↔ threat]
    • Role / access to principal:
    • Watch posture: [passive monitor / elevated / alert-on-contact]
    • Notes:

Potential / emerging persons of interest (not yet PIA-assessed)

  • [name / handle]
    • Basis for flagging:
    • Current concern level: [Low / Watch / Escalate to PIA]
    • Notes:

05 · Threat Landscape

Ambient threat environment relevant to the principal’s exposure areas and sector. Feeds the geopolitical, extremist-chatter, and incident-history watch lanes. Not actor-specific. → §2 Executive Summary / §5 Threat-Network Frame (OSINT-051); §1 Scope & Watch Criteria (OSINT-053).

Geopolitical / country-level threats

  • [country / region relevant to principal]
    • Active threat categories: [terrorism / civil unrest / organized crime / state-actor / other]
    • Current travel-advisory level: ← state.gov, FCDO, OSAC
    • Relevant incidents (last 90 days):
    • Watch-lane assigned: [Y / N → lane ID in §00b]
    • Notes:

Ideological / extremist communities

  • [community / movement - e.g., anti-executive / stalker forums / ideological group]
    • Platform(s):
    • Principal mentioned / targeted: [Y / N / Unknown]
    • Last observed activity:
    • Watch-lane assigned:
    • Notes / tool output:

Sector / industry threat patterns

  • [threat pattern - e.g., CEO-targeting scam waves / ransomware / physical intrusion trend]
    • Source:
    • Relevance to principal:

Incident history (prior events involving principal or proximate targets)

  • [incident - date + summary]
    • Type: [communication / approach / stalking / protest / other]
    • Response taken:
    • Residual risk:

06 · Vulnerabilities & Attack Surface

The principal’s exploitable gaps in physical, digital, and procedural security that feed the hardening and exposure-reduction recommendations. → §11 Protectee Exposure Surface (OAKOC lens), §10 Critical Factors Analysis, §13 Engagement-Option Matrix (OSINT-051).

Physical vulnerabilities

  • [vulnerability - e.g., publicly accessible lobby / unmonitored parking]
    • Location:
    • Exploitability: [H / M / L]
    • Mitigation status: [Open / Mitigated / Accepted]

Digital / online exposure gaps

  • [gap - e.g., home-address linkable via property records / PII on data-broker sites]
    • Source / discovery method: ← data brokers: Spokeo, Whitepages, BeenVerified
    • Exploitability: [H / M / L]
    • Mitigation status:

Procedural / behavioral vulnerabilities

  • [gap - e.g., predictable daily routine / public social-media schedule announcements]
    • Basis:
    • Exploitability:
    • Mitigation status:

Insider-threat surface

  • [gap - e.g., staff member with threat-actor social link]
    • Nexus node (→ §04):
    • Mitigation status:

07 · Local Environment

Security, medical, law-enforcement, and critical infrastructure resources at principal’s key exposure points. Feeds operational awareness and response-option configuration for the feed. → §11 Protectee Exposure Surface, §20 Protective-Intelligence Program Recommendations (OSINT-051).

Law-enforcement contacts (per location)

  • [location - e.g., residential jurisdiction]
    • Police district / station:
    • Non-emergency number:
    • Pre-established liaison contact: [Y / N]
    • Response time estimate:

Medical / emergency resources

  • [location]
    • Nearest trauma center:
    • EMS response time:
    • Hospital name / address:

Security infrastructure at key venues

  • [venue]
    • On-site security: [Y / N / Contract / Off-duty LE]
    • CCTV coverage:
    • Access-control type:
    • Notes:

Critical infrastructure dependencies

  • [dependency - e.g., power / comms / transport corridor]
    • Potential disruption impact on principal:
    • Contingency:

08 · Digital & Social Signals

Open-source collection lanes monitoring the principal’s digital exposure and threat-actor online activity. Each platform/source is a recurring collection target for the feed. Clone per platform. → §12 Requirements & Indicators / Collection Plan, §16 Escalation Indicators & Tripwires (OSINT-051).

Principal’s social media accounts (exposure monitoring)

Monitor for unauthorized content, threatening replies, follower-growth anomalies, stalker accounts.

  • [platform - e.g., LinkedIn / X / Instagram]
    • Handle / URL:
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Status: [Active / Dormant]
    • Monitoring focus: [threatening content / new followers / location leakage / schedule disclosure]
    • Alert rule:
    • Notes:

Keyword / entity watch (social media + forums)

Social-listening for principal’s name, entity affiliations, and threat-actor handles. Clone per keyword set.

  • [keyword set - e.g., “Principal Full Name” OR “Company Name”]
    • Platforms monitored:
    • Cadence: [continuous / hourly / daily]
    • Last sweep result:
    • Alert threshold (what fires an alert):
    • Notes / tool output:

Dark-web and closed-community monitoring

  • [community / market / forum type]
    • Principal mentioned: [Y / N / Unknown]
    • Threat-actor presence:
    • Cadence: [daily / weekly]
    • Alert rule:
    • Notes / tool output: ← dark-web monitoring service, DarkOwl, Intel471-style

Data-broker / PII-exposure monitoring

  • [data-broker or public-record source]
    • Principal’s data present: [Y / N / Partial]
    • Fields exposed:
    • Removal requested: [Y / N / Date]
    • Notes / tool output: ← Spokeo, Whitepages, BeenVerified, DeleteMe

Domain and infrastructure watch (principal’s entities)

  • [domain - e.g., principalcompany.com]
    • WHOIS registrant status:
    • Typosquat / lookalike domains found:
    • Certificate transparency alerts: ← crt.sh
    • Notes / tool output: ← whois, crt.sh, DomainTools

09 · Indicators & Warnings

The observable tripwires and escalation signals drawn from OSINT-051 §16, translated into configured alert rules for the feed. Each indicator is a discrete, monitorable observable. Clone the block per indicator. → §16 Escalation Indicators & Tripwires, §12 Requirements & Indicators (OSINT-051); §1 Scope & Watch Criteria (OSINT-053).

Escalation indicator / tripwire

  • [indicator - e.g., Threat node N-1 acquires a weapon]
    • Observable (how detected via OSINT):
    • Source lane (→ §08 or §05):
    • Severity tier on fire: [Critical / High / Elevated / Moderate]
    • L×I score:
    • Configured alert rule ID in feed:
    • Escalation action:
    • Last tested / confirmed active:
    • Notes:
  • [indicator 2]

Warning-behavior signal library (TRAP-18 derived - from OSINT-051 §9)

Pre-coded behavioral signals to watch for per threat actor.

  • [warning behavior - e.g., Leakage: public statement of intent to harm]
    • Applicable node(s):
    • Observable:
    • Alert tier:
    • Notes:

Pathway-stage progression alerts

  • [stage transition - e.g., Ideation → Research: target-specific information-gathering observed]
    • Applicable node(s):
    • Observable:
    • Alert tier:
    • Action on fire:

Geopolitical / ambient I&W

  • [indicator - e.g., Travel advisory level escalates in principal’s destination country]
    • Source: ← state.gov, FCDO, OSAC advisories
    • Alert tier:
    • Action:

99 · Collection Admin

Audit trail and working register for the collection feeding this system’s configuration. Not a deliverable section - the traceability layer behind the feed-setup package.

Source register

Every datum used to configure a watch rule traceable to a graded source.

  • [S-1 - source name]
    • Type: [Primary / Secondary / Tertiary]
    • Reliability (A–F):
    • Credibility (1–6):
    • Date accessed:
    • Feed watch rule(s) it backs:

Evidence archive

Captures from seeding collection (OSINT-051 PIA baseline) and standing feed output.

  • [capture ref - e.g., screenshot / archived URL + hash + timestamp]:

Feed configuration log

Track each watch-rule addition, modification, or removal.

  • [rule change - date + description + authority]
    • Change type: [Add / Modify / Remove]
    • Watch item affected:
    • Authorized by:
    • Effective date:

Open gaps / verification pending

  • [item - e.g., Node N-3 selectors unconfirmed → route to follow-on subject investigation]
  • [item]

RFIs routed out