[PRINCIPAL] - Collection Map
OSINT-054 Custom Protective Threat Feed - collection workspace. Central topic = the principal / protectee the feed is built to protect. Branches = the data-point categories for this continuous protective threat-feed. This map captures the seeding data, actor inventory, watch criteria, source lanes, and feed-configuration parameters that the operator populates before standing up the feed. It does NOT record final feed output - those are emitted by the running system and stored in the evidence archive (§99). Feeds into: OSINT-054 system configuration; seeded from OSINT-051 Protective Intelligence Assessment.
00 · Collection Plan - PIRs & EEIs
The questions this feed must continuously answer, expressed as EEIs. Tick when the seeding collection satisfies each requirement sufficiently to configure a watch rule. Map to the OSINT-051 PIA sections that provide the baseline answers. → drives §3 Key Judgments, §4 PIRs, §12 Requirements & Indicators / Collection Plan, §16 Escalation Indicators & Tripwires of the seeding OSINT-051 PIA.
PIR-1 - Principal profile: is the protectee fully characterized for watch-rule scoping?
- EEI: confirmed legal name + known aliases/variants used in public records and social media
- EEI: principal’s digital selectors (emails, usernames, phone numbers) for exposure monitoring
- EEI: principal’s physical locations (residence, office, habitual venues) for geo-scoped alerting
- EEI: principal’s public exposure surface (media presence, event schedule, travel patterns)
- EEI: insider-threat nexus nodes (household/staff with threat-actor linkage) identified
PIR-2 - Threat-actor inventory: are all threat nodes from the PIA enumerated as feed watchees?
- EEI: all threat-node identifiers (name, aliases, accounts, selectors) from OSINT-051 §5
- EEI: per-node threat level and pathway stage (from OSINT-051 §9) - sets alert-severity tier
- EEI: per-node grievance driver and primary attack vector - sets watch-category priority
- EEI: nexus/insider-threat nodes (from OSINT-051 §8) flagged for elevated monitoring
- EEI: escalation indicators / tripwires (from OSINT-051 §16) translated to feed alert rules
PIR-3 - Threat landscape: are ambient threat categories and geographies defined for the feed scope?
- EEI: geopolitical/country-level risk categories relevant to principal’s operating areas
- EEI: ideological / extremist / targeted-violence communities referencing principal or similar targets
- EEI: dark-web / closed-community chatter lanes monitoring principal’s name/selectors
- EEI: adverse media and public-records lanes scoped to principal’s name and entity affiliations
- EEI: physical-security incident lanes for principal’s residential/office locations
PIR-4 - Feed architecture: are collection lanes, sources, cadence, and alert thresholds fully specified?
- EEI: open-source intelligence lanes mapped to each watch category with refresh cadence
- EEI: commercial threat-intelligence or vendor feeds incorporated with reliability grade
- EEI: alert-threshold logic (L×I band → severity tier) configured per §00b
- EEI: delivery channel and recipient list confirmed and tested
- EEI: false-positive / noise-suppression rules defined (keyword exclusions, entity disambiguation)
PIR-5 - System health: are monitoring availability, SLA, and review cadence established?
- EEI: monitoring coverage windows and any blind-spot gaps documented
- EEI: escalation path and ACK targets confirmed (from OSINT-051 §20 / OSINT-053 §4)
- EEI: feed review cadence and watch-list update authority defined
- EEI: data-retention and offboarding obligations captured
Collection gaps / RFIs (running)
- [open item] → route to [product / analyst]
- [open item]
00b · Monitoring Cadence & Triggers
This is a continuous/standing feed. Defines the watch items, refresh cadences, alert thresholds, and escalation path for the live feed. → drives §1 Scope & Watch Criteria / Tripwires and §2 Collection Cadence & Sources of OSINT-053 (Daily / Periodic Protective Intelligence Brief), and OSINT-051 §16 Escalation Indicators.
Watch-item inventory
One entry per configured watch category. Clone per item. Alert tier maps to L×I band from OSINT-051 §14.
- [watch item - e.g., Threat-actor online activity / Node N-x]
- Observable indicator:
- Tripwire threshold (fires alert):
- L×I score from PIA (OSINT-051 §14):
- Severity tier: [Critical 21–25 / High 16–20 / Elevated 11–15 / Moderate-Low 1–10]
- Refresh cadence: [continuous / hourly / 4-hourly / daily / weekly]
- Collection lane (→ §08 Digital & Social Signals or §09 Indicators & Warnings):
- Notes / current status:
- [watch item 2]
Refresh cadence register
| Feed layer | Watch items served | Cadence | Tool / lane | Owner |
|---|---|---|---|---|
| [e.g., social media keyword monitor] | [e.g., hourly] | [e.g., RSS aggregator / social-search API] | ||
| [e.g., dark-web mention scan] | [e.g., daily] | [e.g., dark-web monitoring service] | ||
| [e.g., adverse media / news scan] | [e.g., 4-hourly] | [e.g., news aggregation, Google Alerts] | ||
| [e.g., geopolitical advisory feed] | [e.g., daily] | [e.g., govt travel advisories, OSAC] | ||
| [e.g., court/registry records] | [e.g., weekly] | [e.g., PACER, state court portals] | ||
| [e.g., sanctions/watchlist delta] | [e.g., daily] | [e.g., OFAC/EU/UN delta feeds] |
Alert thresholds and severity tiers
| Severity tier | L×I band | Trigger condition | Notify | Method | ACK target |
|---|---|---|---|---|---|
| Critical | 21–25 | [e.g., ≤15 min] | |||
| High | 16–20 | [e.g., ≤30 min] | |||
| Elevated | 11–15 | [e.g., ≤2 hr] | |||
| Moderate / Low | 1–10 | [e.g., next scheduled brief] |
Escalation path
- Primary contact / protective officer:
- Secondary / backup:
- Law-enforcement liaison (pre-identified):
- Feed owner / service manager:
- Escalation for imminent-danger tripwire: [immediate LE / 911 - no delay]
01 · Principal / Protectee Profile
Who the feed is protecting. Feeds the watch-rule scoping in §00b and the exposure surface mapping in §06. All fields from OSINT-051 §11 Protectee Exposure Surface. → §11 Protectee Exposure Surface & Nexus Layer, §5 Threat-Network Frame.
Identity & confirmed selectors
- Full name (and known public variants):
- DOB / YOB:
- Nationality / passport(s):
- Primary role / title (public-facing):
- Known pseudonyms / pen names / stage names:
Digital selectors (exposure surface - for feed scoping)
Clone per selector. These drive the keyword/entity rules in the feed.
- [email address - e.g. principal@domain.com]
- Linked accounts / platforms:
- Breach / paste exposure:
- Attribution confidence: [Confirmed / Probable / Possible]
- Notes / tool output: ← holehe, h8mail, hunter.io
- [username / handle]
- Platforms:
- Attribution confidence:
- Notes / tool output: ← sherlock, idcrawl, whatsmyname
- [phone number]
- Type: [mobile / VoIP / office]
- Linked services:
- Notes / tool output: ← truecaller, numverify
Entity / organizational affiliations (feed-scope anchors)
Clone per entity. Entity names/tickers drive corporate-news and regulatory watch lanes.
- [entity - e.g. Company Name / Foundation / Political org]
- Role / position:
- Public-facing: [Y / N]
- Registry record: ← OpenCorporates, state registry
- Notes:
02 · Venue & Geography - Fixed-Exposure Points
The principal’s predictable, fixed-location exposure that a threat actor would exploit. Feeds the geo-scoped alert lanes (e.g., crime/incident monitoring for residential area, venue perimeter alerts). → §11 Protectee Exposure Surface (OAKOC lens), §2 Collection Cadence & Sources (OSINT-053).
Residence(s)
- [address - primary]
- Geo-fence radius for incident monitoring:
- Associated entities (HOA / property mgmt):
- Publicly linkable (e.g., property records): [Y / N / Partial]
- Confidence: [H / M / L]
- [address - secondary / vacation]
- Geo-fence radius:
- Publicly linkable:
Primary workplace / office
- [address / building]
- Publicly listed: [Y / N]
- Associated entities:
- Confidence: [H / M / L]
Habitual / recurring venues
- [venue - e.g., gym / club / school / house of worship]
- Frequency:
- Publicly linkable: [Y / N]
Travel hubs (airports, transit nodes)
- [hub / route]
- Associated schedule pattern:
- Notes:
03 · Routes & Movement
The principal’s habitual routes and mobility patterns that feed route-risk watch lanes and pre-departure advisories. → §11 Protectee Exposure Surface, §12 Requirements & Indicators (OSINT-051). Clone the block per route leg.
Habitual route legs
- [route leg - e.g., residence → office]
- Mode (vehicle / foot / transit):
- Typical timing window:
- Key chokepoints / fixed exposure points:
- Alternative routes available: [Y / N]
- Observable / trackable: [Y / N]
- Notes:
- [route leg 2]
Travel patterns
- [destination - e.g., London quarterly board meeting]
- Frequency:
- Mode / carrier:
- Publicly announced / ticketed: [Y / N]
- Advance-security requirements:
Anomaly detection baseline
- Normal mobility pattern:
- Deviations that should trigger alert:
04 · Threat Actors & Persons of Interest
The actor inventory seeded from OSINT-051 §5–§9. Each node becomes a persistent watch entity in the feed. Clone the block per actor. → §5 Threat-Network Frame, §9 Per-Actor Threat Characterization, §16 Escalation Indicators & Tripwires (OSINT-051).
Threat node
- [Node ID / name - e.g., N-1 / John Doe]
- Threat level (from OSINT-051 §9): [Minimal / Low / Moderate / High / Imminent]
- Pathway stage (from OSINT-051 §9): [Grievance / Ideation / Research / Preparation / Breach / Attack]
- Primary grievance vector:
- Hunter / Howler designation:
- Known selectors (names / usernames / emails / phones):
- [selector]
- Platform / context:
- Attribution confidence: [Confirmed / Probable / Possible]
- Notes / tool output: ← sherlock, idcrawl, social-search
- [selector]
- Known locations / area of operation:
- Watch rules active for this node:
- Last observed activity (date + source):
- PIA source grade: [A–F / 1–6]
- Notes / tool output:
- [Node ID 2]
Nexus / insider-threat nodes (from OSINT-051 §8)
- [Node ID / name]
- Networks bridged: [friendly ↔ threat / neutral ↔ threat]
- Role / access to principal:
- Watch posture: [passive monitor / elevated / alert-on-contact]
- Notes:
Potential / emerging persons of interest (not yet PIA-assessed)
- [name / handle]
- Basis for flagging:
- Current concern level: [Low / Watch / Escalate to PIA]
- Notes:
05 · Threat Landscape
Ambient threat environment relevant to the principal’s exposure areas and sector. Feeds the geopolitical, extremist-chatter, and incident-history watch lanes. Not actor-specific. → §2 Executive Summary / §5 Threat-Network Frame (OSINT-051); §1 Scope & Watch Criteria (OSINT-053).
Geopolitical / country-level threats
- [country / region relevant to principal]
- Active threat categories: [terrorism / civil unrest / organized crime / state-actor / other]
- Current travel-advisory level: ← state.gov, FCDO, OSAC
- Relevant incidents (last 90 days):
- Watch-lane assigned: [Y / N → lane ID in §00b]
- Notes:
Ideological / extremist communities
- [community / movement - e.g., anti-executive / stalker forums / ideological group]
- Platform(s):
- Principal mentioned / targeted: [Y / N / Unknown]
- Last observed activity:
- Watch-lane assigned:
- Notes / tool output:
Sector / industry threat patterns
- [threat pattern - e.g., CEO-targeting scam waves / ransomware / physical intrusion trend]
- Source:
- Relevance to principal:
Incident history (prior events involving principal or proximate targets)
- [incident - date + summary]
- Type: [communication / approach / stalking / protest / other]
- Response taken:
- Residual risk:
06 · Vulnerabilities & Attack Surface
The principal’s exploitable gaps in physical, digital, and procedural security that feed the hardening and exposure-reduction recommendations. → §11 Protectee Exposure Surface (OAKOC lens), §10 Critical Factors Analysis, §13 Engagement-Option Matrix (OSINT-051).
Physical vulnerabilities
- [vulnerability - e.g., publicly accessible lobby / unmonitored parking]
- Location:
- Exploitability: [H / M / L]
- Mitigation status: [Open / Mitigated / Accepted]
Digital / online exposure gaps
- [gap - e.g., home-address linkable via property records / PII on data-broker sites]
- Source / discovery method: ← data brokers: Spokeo, Whitepages, BeenVerified
- Exploitability: [H / M / L]
- Mitigation status:
Procedural / behavioral vulnerabilities
- [gap - e.g., predictable daily routine / public social-media schedule announcements]
- Basis:
- Exploitability:
- Mitigation status:
Insider-threat surface
- [gap - e.g., staff member with threat-actor social link]
- Nexus node (→ §04):
- Mitigation status:
07 · Local Environment
Security, medical, law-enforcement, and critical infrastructure resources at principal’s key exposure points. Feeds operational awareness and response-option configuration for the feed. → §11 Protectee Exposure Surface, §20 Protective-Intelligence Program Recommendations (OSINT-051).
Law-enforcement contacts (per location)
- [location - e.g., residential jurisdiction]
- Police district / station:
- Non-emergency number:
- Pre-established liaison contact: [Y / N]
- Response time estimate:
Medical / emergency resources
- [location]
- Nearest trauma center:
- EMS response time:
- Hospital name / address:
Security infrastructure at key venues
- [venue]
- On-site security: [Y / N / Contract / Off-duty LE]
- CCTV coverage:
- Access-control type:
- Notes:
Critical infrastructure dependencies
- [dependency - e.g., power / comms / transport corridor]
- Potential disruption impact on principal:
- Contingency:
08 · Digital & Social Signals
Open-source collection lanes monitoring the principal’s digital exposure and threat-actor online activity. Each platform/source is a recurring collection target for the feed. Clone per platform. → §12 Requirements & Indicators / Collection Plan, §16 Escalation Indicators & Tripwires (OSINT-051).
Principal’s social media accounts (exposure monitoring)
Monitor for unauthorized content, threatening replies, follower-growth anomalies, stalker accounts.
- [platform - e.g., LinkedIn / X / Instagram]
- Handle / URL:
- Attribution confidence: [Confirmed / Probable / Possible]
- Status: [Active / Dormant]
- Monitoring focus: [threatening content / new followers / location leakage / schedule disclosure]
- Alert rule:
- Notes:
Keyword / entity watch (social media + forums)
Social-listening for principal’s name, entity affiliations, and threat-actor handles. Clone per keyword set.
- [keyword set - e.g., “Principal Full Name” OR “Company Name”]
- Platforms monitored:
- Cadence: [continuous / hourly / daily]
- Last sweep result:
- Alert threshold (what fires an alert):
- Notes / tool output:
Dark-web and closed-community monitoring
- [community / market / forum type]
- Principal mentioned: [Y / N / Unknown]
- Threat-actor presence:
- Cadence: [daily / weekly]
- Alert rule:
- Notes / tool output: ← dark-web monitoring service, DarkOwl, Intel471-style
Data-broker / PII-exposure monitoring
- [data-broker or public-record source]
- Principal’s data present: [Y / N / Partial]
- Fields exposed:
- Removal requested: [Y / N / Date]
- Notes / tool output: ← Spokeo, Whitepages, BeenVerified, DeleteMe
Domain and infrastructure watch (principal’s entities)
- [domain - e.g., principalcompany.com]
- WHOIS registrant status:
- Typosquat / lookalike domains found:
- Certificate transparency alerts: ← crt.sh
- Notes / tool output: ← whois, crt.sh, DomainTools
09 · Indicators & Warnings
The observable tripwires and escalation signals drawn from OSINT-051 §16, translated into configured alert rules for the feed. Each indicator is a discrete, monitorable observable. Clone the block per indicator. → §16 Escalation Indicators & Tripwires, §12 Requirements & Indicators (OSINT-051); §1 Scope & Watch Criteria (OSINT-053).
Escalation indicator / tripwire
- [indicator - e.g., Threat node N-1 acquires a weapon]
- Observable (how detected via OSINT):
- Source lane (→ §08 or §05):
- Severity tier on fire: [Critical / High / Elevated / Moderate]
- L×I score:
- Configured alert rule ID in feed:
- Escalation action:
- Last tested / confirmed active:
- Notes:
- [indicator 2]
Warning-behavior signal library (TRAP-18 derived - from OSINT-051 §9)
Pre-coded behavioral signals to watch for per threat actor.
- [warning behavior - e.g., Leakage: public statement of intent to harm]
- Applicable node(s):
- Observable:
- Alert tier:
- Notes:
Pathway-stage progression alerts
- [stage transition - e.g., Ideation → Research: target-specific information-gathering observed]
- Applicable node(s):
- Observable:
- Alert tier:
- Action on fire:
Geopolitical / ambient I&W
- [indicator - e.g., Travel advisory level escalates in principal’s destination country]
- Source: ← state.gov, FCDO, OSAC advisories
- Alert tier:
- Action:
99 · Collection Admin
Audit trail and working register for the collection feeding this system’s configuration. Not a deliverable section - the traceability layer behind the feed-setup package.
Source register
Every datum used to configure a watch rule traceable to a graded source.
- [S-1 - source name]
- Type: [Primary / Secondary / Tertiary]
- Reliability (A–F):
- Credibility (1–6):
- Date accessed:
- Feed watch rule(s) it backs:
Evidence archive
Captures from seeding collection (OSINT-051 PIA baseline) and standing feed output.
- [capture ref - e.g., screenshot / archived URL + hash + timestamp]:
Feed configuration log
Track each watch-rule addition, modification, or removal.
- [rule change - date + description + authority]
- Change type: [Add / Modify / Remove]
- Watch item affected:
- Authorized by:
- Effective date:
Open gaps / verification pending
- [item - e.g., Node N-3 selectors unconfirmed → route to follow-on subject investigation]
- [item]