
Threat intelligence from open-source news and Telegram

Guide · July 2, 2026 · 5 min read

Physical and cyber threat intelligence lives or dies on how early you see it. A lot of incident signal breaks on Telegram before any wire — if you can read it, score it and geo-tag it automatically, monitoring becomes an alert instead of a scramble.

Where threats surface first

Attack claims, unrest, and field reports often hit Telegram before traditional media. We ingest ~3,000 public channels via MTProto alongside RSS — the layer that web-only threat feeds simply can't read. That breadth, deepest on Russian and English, is the point.

Triage by urgency + the security audience

Mass-casualty, attack, disaster and escalation language scores high on the 0–10 urgency scale, so a threshold surfaces incidents and drops chatter. The audience=security filter pre-selects security-relevant items:

curl -H "X-API-Key: YOUR_KEY" \
  "https://api.newsagentdata.com/v1/breaking?audience=security&country=ua&min_score=7"

Geo-locate for physical security

country_tags support travel-risk and site-security use; topics like terrorism, cyber, nuclear and defense narrow to the threat class you own.

Hunt a specific actor or facility

Full-text search runs across Russian and English titles + content — track a named group, CVE, facility or region:

curl -H "X-API-Key: YOUR_KEY" \
  "https://api.newsagentdata.com/v1/search?q=YOUR_TERM&min_score=5&days=7"

Push to the SOC, once per incident

A webhook or SSE stream delivers matches in ~60 seconds, HMAC-signed and de-duplicated by cluster_id so one incident pages you once — route 9–10 to a faster channel (see alerts to Slack/Telegram).
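
A receiver for the signed, de-duplicated delivery described above, as an added example that is not the vendor's code. It assumes HMAC-SHA256 over the raw request body with a hex-encoded signature and a payload field named score; the page states neither, and the secret and events are constructed.

```python
import hashlib
import hmac
import json

# Assumptions, not vendor documentation: HMAC-SHA256 over the raw request body,
# hex-encoded signature, and a payload field named "score" (0-10 urgency).
SECRET = b"constructed-demo-secret"  # constructed value for the example
PAGE_THRESHOLD = 9                   # the guide routes 9-10 to a faster channel


def sign(body: bytes, secret: bytes = SECRET) -> str:
    """Hex HMAC-SHA256 of the raw body, as the sender is assumed to compute it."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


class Receiver:
    def __init__(self, secret: bytes = SECRET):
        self.secret = secret
        self.seen = set()  # cluster_ids already alerted on (use a TTL store in production)

    def handle(self, body: bytes, signature: str) -> str:
        """Return 'rejected', 'duplicate', 'page' or 'queue' for one delivery."""
        # Authenticate the raw bytes before parsing; compare in constant time.
        expected = sign(body, self.secret).encode()
        if not hmac.compare_digest(expected, (signature or "").encode()):
            return "rejected"
        try:
            event = json.loads(body)
            cluster_id = str(event["cluster_id"])
            score = float(event["score"])
        except (ValueError, KeyError, TypeError):
            return "rejected"
        if cluster_id in self.seen:
            return "duplicate"  # same incident already alerted on, do not page again
        self.seen.add(cluster_id)
        return "page" if score >= PAGE_THRESHOLD else "queue"


def demo():
    """Run four constructed deliveries through one receiver."""
    rx = Receiver()
    first = json.dumps({"cluster_id": "c-1001", "score": 9.5}).encode()
    update = json.dumps({"cluster_id": "c-1001", "score": 10}).encode()
    minor = json.dumps({"cluster_id": "c-1002", "score": 7}).encode()
    return [rx.handle(first, sign(first)), rx.handle(update, sign(update)),
            rx.handle(minor, sign(minor)), rx.handle(minor, "0" * 64)]
```

Verifying before parsing means unauthenticated input never reaches the JSON decoder, and recording cluster_id only after verification keeps a forged delivery from suppressing a real alert.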

Honest scope

Open-source signal is early warning, not verified intelligence — corroborate before acting. Public sources only. More on the collection layer in the OSINT news API guide.

Try it free

Grab a free API key — no card — and query live data in under a minute.
