Threat intelligence from open-source news and Telegram
Physical and cyber threat intelligence lives or dies on how early you see it. A lot of incident signal breaks on Telegram before any wire — if you can read it, score it and geo-tag it automatically, monitoring becomes an alert instead of a scramble.
Where threats surface first
Attack claims, unrest, and field reports often hit Telegram before traditional media. We ingest ~3,000 public channels via MTProto alongside RSS — the layer that web-only threat feeds simply can't read. That breadth, deepest on Russian and English, is the point.
Triage by urgency + the security audience
Mass-casualty, attack, disaster and escalation language scores high on the 0–10 urgency scale, so a threshold surfaces incidents and drops chatter. The audience=security filter pre-selects security-relevant items:
curl -H "X-API-Key: YOUR_KEY" \ "https://api.newsagentdata.com/v1/breaking?audience=security&country=ua&min_score=7"
Geo-locate for physical security
country_tags support travel-risk and site-security use; topics like terrorism, cyber, nuclear and defense narrow to the threat class you own.
Hunt a specific actor or facility
Full-text search runs across Russian and English titles + content — track a named group, CVE, facility or region:
curl -H "X-API-Key: YOUR_KEY" \ "https://api.newsagentdata.com/v1/search?q=YOUR_TERM&min_score=5&days=7"
Push to the SOC, once per incident
A webhook or SSE stream delivers matches in ~60 seconds, HMAC-signed and de-duplicated by cluster_id so one incident pages you once — route 9–10 to a faster channel (see alerts to Slack/Telegram).
Honest scope
Open-source signal is early warning, not verified intelligence — corroborate before acting. Public sources only. More on the collection layer in the OSINT news API guide.