Target Package & Attribution Brief
Build an end-to-end OSINT target package on an operator or persona of interest: collection plan, persona dossier, infrastructure cluster, SOCMINT linkage, GEOINT/chronolocation, ACH-led attribution at the highest defensible rung, and a written brief that survives challenge.
The brief
You are an analyst in a national-level open-source intelligence cell. A consumer has tasked you against a target — an operator, persona, infrastructure cluster, or coordinated-inauthentic-behavior network of your choice. Your task is to produce a target package that anchors attribution on durable indicators and is reproducible by an independent analyst.
Pick a target. Either (a) a real, lawfully observable target you can research entirely from open sources and lawful access (no breach data quoted as evidence; no ToS-prohibited access without documented rules of engagement), or (b) a synthetic-but-realistic target you construct from public typology reporting. State the path on page one.
Persona OPSEC matters. Document your collection OPSEC tier per platform touched. Sock-puppet engagement requires written justification and a documented persona dossier. Do not engage if read-only collection answers the requirement.
This is a written analytic product. It will be reviewed line by line. Every named entity must be evidenced. Every confidence rating must be defensible. Every attribution rung must name what would knock it down.
Deliverables
1. Target Package (long-form)
   BLUF, executive summary, target dossier, infrastructure cluster, SOCMINT linkage, GEOINT/IMINT findings, attribution narrative with ACH, recommended actions, open gaps, caveats. 8–14 pages.
   Format: target-package.pdf + target-package.md
2. Collection Plan & OPSEC Register
   Per-PIR collection assignment: method, platform, OPSEC tier, persona used, proxy egress, capture cadence, cut-off. Persona dossier per persona deployed.
   Format: collection-plan.md + personas/<id>.md
3. Evidence Vault Manifest
   Per-artifact record: source URL, capture timestamp (UTC), capturing operator and persona, SHA-256, archive mirror, rendering tool/version, OPSEC tier at capture. Admiralty Code reliability/credibility rating per source.
   Format: evidence/manifest.csv + evidence/<id>.{png,html,json}
4. Infrastructure Cluster Diagram
   Graph of the durable infrastructure anchors (registrants, name-servers, TLS certs, analytics IDs, hosting, mail) with edge evidence pointers. At least one anchor must be durable across persona churn.
   Format: cluster.svg + cluster.png
5. GEOINT/IMINT Annex
   For at least one operationally important image or video: full verification pipeline (provenance, reverse search, EXIF, error-level analysis, generative-detection caveat), geolocation chain (constraint stack with each visible feature cited), chronolocation (shadow/weather/foliage/event basis) with explicit error window.
   Format: geoint/<id>.md + geoint/<id>/*.png
6. ACH Matrix & Attribution Ladder
   ACH with ≥3 competing hypotheses including a credible false-flag/copy-cat alternative. Attribution ladder (persona → operator → organization → sponsor) marking the highest defensible rung with what would knock it down.
   Format: ach.csv + attribution-ladder.md
7. Indicators & Warnings (I&W)
   Pre-committed observable signals that would shift confidence in either direction, with review cadence and re-tasking triggers.
   Format: iw.md
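The evidence-vault manifest above is the part of the package an independent analyst reproduces from, so it is worth generating and checking mechanically. The following is an added example, not course material: it builds one manifest.csv row with the fields the brief lists, refuses naive timestamps and malformed Admiralty ratings, and re-verifies a stored artifact against its recorded SHA-256. All URLs, persona and operator names, and the rendering-tool string are constructed placeholders.

```python
import csv
import hashlib
import io
from datetime import datetime, timezone

# Admiralty Code: source reliability A-F, information credibility 1-6.
RELIABILITY, CREDIBILITY = set("ABCDEF"), set("123456")
# Column order for evidence/manifest.csv, one row per captured artifact.
MANIFEST_FIELDS = ["id", "source_url", "captured_utc", "operator", "persona", "sha256",
                   "archive_mirror", "render_tool", "opsec_tier", "admiralty"]

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def valid_admiralty(rating: str) -> bool:
    return (len(rating) == 2 and rating[0] in RELIABILITY
            and rating[1] in CREDIBILITY)

def manifest_row(artifact_id, source_url, data, operator, persona,
                 archive_mirror, render_tool, opsec_tier, admiralty,
                 captured: datetime) -> dict:
    """Build one manifest row; rejects naive timestamps and bad ratings."""
    if not valid_admiralty(admiralty):
        raise ValueError(f"invalid Admiralty rating {admiralty!r}")
    if captured.tzinfo is None:
        raise ValueError("capture time must be timezone-aware; record it in UTC")
    stamp = captured.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"id": artifact_id, "source_url": source_url, "captured_utc": stamp,
            "operator": operator, "persona": persona, "sha256": sha256_hex(data),
            "archive_mirror": archive_mirror, "render_tool": render_tool,
            "opsec_tier": opsec_tier, "admiralty": admiralty}

def verify_row(row: dict, data: bytes) -> bool:
    return row["sha256"] == sha256_hex(data)  # reproducibility check at QA time

def write_manifest(rows) -> str:
    """Serialise rows as manifest.csv text, header first."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=MANIFEST_FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

# Constructed sample capture and row (placeholder values, not a real artifact).
SAMPLE_HTML = b"<html><body>constructed sample capture</body></html>"
SAMPLE_ROW = manifest_row("ev-0001", "https://example.invalid/post/1", SAMPLE_HTML,
                          "analyst-01", "persona-blue", "https://mirror.example.invalid/ev-0001",
                          "headless-browser (placeholder)", "tier-2", "B2",
                          datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc))
```

Run `verify_row` over every manifest row before submission; a mismatch means the vault no longer holds what the brief cites.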
Suggested timeline
1. PIRs & ROE (Days 1–2)
   Write PIRs/EEIs, sign rules of engagement, scope OPSEC tiers per persona.
2. Persona prep (Days 3–4)
   Stand up or refresh personas, age accounts, audit image hygiene.
3. Collection (Days 5–10)
   Run collection plan; SOCMINT, infrastructure, GEOINT/IMINT; hash + archive every artifact.
4. Cluster & attribution (Days 11–13)
   Build infrastructure cluster, run ACH, place the attribution ladder.
5. Geolocation & verification (Days 14–15)
   Complete GEOINT/IMINT annex with constraint stacks and error windows.
6. Write & QA (Days 16–17)
   Draft, internal red-team review, reproducibility check, submit.
Graded rubric (100 pts)
Each criterion is scored 0–4. Final score = Σ (score × weight) ÷ 4. You need ≥70 to earn the capstone seal on your transcript.
- 0: Missing or unusable. No BLUF, or BLUF that overstates confidence.
- 1: Present but materially deficient. Multiple gaps a reviewer would flag on first pass.
- 2: Meets minimum professional bar. BLUF states judgement, confidence and so-what in 3–5 sentences. Exec summary expands without contradiction.
- 3: Strong. Few corrections needed; would pass internal QA at a national-level cell.
- 4: Exemplary. Reads like a service-published product. Consumer can act on page one.

- 0: Missing or unusable. No PIRs, no collection plan. Scavenged collection.
- 1: Present but materially deficient. Multiple gaps a reviewer would flag on first pass.
- 2: Meets minimum professional bar. PIRs and EEIs written before collection. Per EEI: method, platform, OPSEC tier, persona, cut-off.
- 3: Strong. Few corrections needed; would pass internal QA at a national-level cell.
- 4: Exemplary. Collection plan is a living document — gaps closed, new EEIs added — and the report shows the audit trail.

- 0: Missing or unusable. Personal browser, real identity, recovery cross-links, or engagement under hot persona without justification.
- 1: Present but materially deficient. Multiple gaps a reviewer would flag on first pass.
- 2: Meets minimum professional bar. Dedicated investigation env, persona dossiers, proxy egress consistent with cover, no recovery cross-links.
- 3: Strong. Few corrections needed; would pass internal QA at a national-level cell.
- 4: Exemplary. OPSEC tiering is justified against an explicit threat model. Burn conditions are pre-committed and persona retirement is documented.

- 0: Missing or unusable. Screenshots only. No hashes, no archives, no Admiralty ratings.
- 1: Present but materially deficient. Multiple gaps a reviewer would flag on first pass.
- 2: Meets minimum professional bar. Every artifact: URL, UTC time, operator, persona, hash, archive mirror, rendering tool. Admiralty rating per source.
- 3: Strong. Few corrections needed; would pass internal QA at a national-level cell.
- 4: Exemplary. Mirrored captures survive original takedown. Full-page DOM captures accompany screenshots wherever platform-permitted. Reproducible by an independent analyst at submission.

- 0: Missing or unusable. Attribution rests entirely on personas. No infrastructure anchor.
- 1: Present but materially deficient. Multiple gaps a reviewer would flag on first pass.
- 2: Meets minimum professional bar. At least one durable infrastructure indicator anchors each attribution rung beyond persona level.
- 3: Strong. Few corrections needed; would pass internal QA at a national-level cell.
- 4: Exemplary. Cluster exposes a non-obvious anchor (analytics ID across portfolio, mail-server fingerprint, JA3, recurring SaaS verification token) and defends it in narrative.

- 0: Missing or unusable. Geolocation asserted without visible-feature stack. EXIF treated as proof.
- 1: Present but materially deficient. Multiple gaps a reviewer would flag on first pass.
- 2: Meets minimum professional bar. Geolocation is a documented constraint stack with each feature cited. Chronolocation has explicit error window. Generative-media risk noted.
- 3: Strong. Few corrections needed; would pass internal QA at a national-level cell.
- 4: Exemplary. Independent analyst can re-derive the geolocation and chronolocation from the annex alone. Verification pipeline catches at least one would-be deception.

- 0: Missing or unusable. Single hypothesis. No false-flag consideration. Top of ladder asserted without defence.
- 1: Present but materially deficient. Multiple gaps a reviewer would flag on first pass.
- 2: Meets minimum professional bar. ≥3 hypotheses including a credible false-flag. Attribution ladder marks the highest defensible rung and names what would knock it down.
- 3: Strong. Few corrections needed; would pass internal QA at a national-level cell.
- 4: Exemplary. ACH surfaces a counter-hypothesis the analyst initially rejected and explains in writing why the evidence eventually overrode it.

- 0: Missing or unusable. Evidence of pretexting, ToS-prohibited access without ROE, breach-data evidence cited in proceedings, victim/minor PII exposure.
- 1: Present but materially deficient. Multiple gaps a reviewer would flag on first pass.
- 2: Meets minimum professional bar. ROE document included. Bright lines observed. Gray-zone decisions documented with pre-decision rationale.
- 3: Strong. Few corrections needed; would pass internal QA at a national-level cell.
- 4: Exemplary. Brief demonstrates that the rules of engagement were reviewed and signed off before the operation and that every gray-zone call cites them.

- 0: Missing or unusable. Prose padded. Cannot reproduce the brief from the appendix.
- 1: Present but materially deficient. Multiple gaps a reviewer would flag on first pass.
- 2: Meets minimum professional bar. Direct paragraph-led prose. Independent analyst can re-derive every finding from the evidence vault.
- 3: Strong. Few corrections needed; would pass internal QA at a national-level cell.
- 4: Exemplary. Reads like a published service product. Every paragraph either advances the judgement or is cut.
Pre-submission checklist
Every item must be true before you submit. Reviewers will spot-check.
- BLUF is 3–5 sentences and states judgement, confidence, and so-what
- PIRs and EEIs were written before collection started
- Per persona deployed: dossier, OPSEC tier, proxy egress, burn conditions
- No personal identity, browser, or device was used against the target
- Every artifact carries URL, UTC time, operator, persona, hash, archive mirror, Admiralty rating
- At least one durable infrastructure anchor supports each attribution rung
- GEOINT/IMINT annex shows the constraint stack with cited visible features
- ACH lists ≥3 hypotheses including a credible false-flag/copy-cat alternative
- Attribution ladder marks the highest defensible rung and names what would knock it down
- Rules-of-engagement document is included and signed-off
- No unredacted victim PII, no breach-data evidence cited in proceedings, no minor PII
- Brief is reproducible end-to-end from the evidence vault by an independent analyst
Stretch goals (bonus 0–10 pts)
- Add a counter-collection assessment: what indicators of *your* collection could the target observe, and what is the residual exposure
- Include a parallel-analyst review where a colleague re-derives the top finding from the evidence vault and reports the delta
- Author a journalist-facing background brief with embargo terms and redacted evidence excerpts
- Publish the evidence-vault schema as a reusable internal standard with a JSON Schema definition
