BYOK

Bring Your Own Key — Use your existing API contracts with SignalGuard

SignalGuard supports 25 BYOK paid providers — AccuWeather, Ticketmaster, Dataminr, Recorded Future, Flashpoint, HERE Traffic, INRIX, Brandwatch, Sprinklr, PredictHQ, Foursquare, Placer.ai, Mandiant and more — so customers who already pay for these feeds plug their own subscriptions straight into the 50+-signal scan. You keep the contract, the quota, and the fidelity. SignalGuard handles fusion, scoring, and the brief.

Why BYOK matters

The economics of premium event-security data are brutal. A single AccuWeather Enterprise contract with MinuteCast and Lightning Imminent Strikes lands around $25/mo on Standard and climbs from there. A Dataminr Pulse seat is $25K–100K+ a year. Recorded Future is $50K–150K. Flashpoint, Mandiant, Placer.ai, Veraset — every one of them sits in the same neighborhood. If SignalGuard tried to bake those contracts into every customer's subscription, PAYG could not exist at $19 and Pro could not exist at $249/mo. The bill would be the bill, regardless of whether a customer wanted the fidelity those feeds buy.

The alternative — capping every signal at whatever the free upstream tier supports — punishes the operators who actually need event-security threat intel the most. A festival production company already paying AccuWeather for minute-level precip forecasts should not get the same weather fidelity as a hobbyist running their first scan. A protective intelligence team that already runs Flashpoint and Dataminr should not see their dark-web and breaking-event coverage downgraded just because SignalGuard happens to mediate the request.

BYOK splits the difference honestly. SignalGuard ships working coverage on all 50+ signals at every tier using shared upstream quotas — enough for evaluation, enough for occasional scans, enough that the platform is useful out of the box. When a customer already pays for a premium feed, they paste their key into /integrations, and that signal's resolver switches over to the customer's contract on the next scan. Same brief, same scoring, higher-fidelity input. The contract stays where it already is — finance and procurement do not have to learn a new vendor.

The result is unit economics that work for everyone. Customers do not pay twice for data they already license. SignalGuard does not have to wrap premium contracts into the SaaS price. And the operators who care about fidelity — the ones whose event day depends on Lightning Imminent Strikes, on Dataminr's earliest-warning detection, on Recorded Future's threat coverage — get the data they already paid for, fused into the same brief as everything else.

How it works

Open /integrations in your workspace. Each supported provider has a tile with the fields it needs — usually one API key, sometimes a client ID and secret pair. Paste the credential, hit validate.

The validator runs server-side, never in the browser. For most providers it makes a single cheap probe against the upstream API — an AccuWeather geoposition lookup, a Ticketmaster events search with limit=1, a Tomorrow.io realtime call. The request uses your key, so the response tells us in one round-trip whether the key is real, scoped correctly, and not expired. Soft validators (for providers with no public test endpoint — Flashpoint, Recorded Future, Veraset, etc.) check shape and length, then surface real auth errors on the first signal-time use.

Once validated, the credential is encrypted with AES-256-GCM and stored against your workspace ID. The workspace ID is bound as additional authenticated data, so a key cannot be replayed across workspaces even if our database were dumped. The plaintext never lands on disk. At scan time, the signal resolver decrypts the key, swaps it into the upstream request, and throws the plaintext away as soon as the call completes. The key never leaves the resolver process, is never logged, and never appears in error traces.

Deleting the credential purges the ciphertext from the database. The next scan falls back to SignalGuard's shared upstream for that signal. No state lingers.

Supported providers

25 paid providers, grouped by the four signal pillars they enrich. Every entry on this list is wired into a working signal resolver — there are no coming-soon placeholders.

Chatter — 11 providers

Social listening, threat intel, dark-web monitoring, news enrichment. Upgrade the inputs to the chatter pillar with your existing PR, security ops, or threat-intel contracts.

  • NewsAPI.org — headline-level news enrichment beyond GDELT
  • X API (Pro/Enterprise) — higher-volume X chatter monitoring
  • YouTube Data API — livestream and comment monitoring with quota uplift
  • Zignal Labs — cross-platform narrative intelligence
  • Brandwatch — enterprise social listening across X, Reddit, news, forums
  • Sprinklr — unified social listening across X, Reddit, news, TikTok, YouTube
  • Flashpoint — Telegram extremist channels and dark-web forums
  • Recorded Future — gold-standard threat intel across dark web, social, technical sources
  • Dataminr Pulse — real-time event detection across X, news, blogs, dark web
  • Mandiant — nation-state and APT-grade threat intelligence
  • Cybersixgill — deep + dark web with hostile-language coverage

Environment — 4 providers

Weather, air quality, severe-weather alerts. Premium feeds with minute-level precip prediction, lightning, and enterprise global coverage.

  • AccuWeather — MinuteCast and Lightning Imminent Strikes
  • Tomorrow.io — hyperlocal severe-weather forecasts
  • IQAir AirVisual — global air-quality with city-level forecasts
  • IBM Weather Company — enterprise-grade weather with severe-weather alerts

Movement — 4 providers

Traffic, airspace, cellular. Premium mobility feeds that surface incidents and flow data the shared upstream paths do not see.

  • HERE Traffic — premium traffic incident + flow data
  • INRIX — premium traffic + transportation analytics
  • Flightradar24 Business — full ADS-B coverage including military / obscured flights
  • Downdetector — real-time carrier outage reports

Context — 6 providers

Nearby events, POI density, foot-traffic, critical-event management. The pillar that tells you what else is happening around the venue.

  • PredictHQ — predicted attendance and impact ranks for nearby events
  • Ticketmaster Discovery — bypass the 5K/day shared quota
  • Foursquare Places Premium — richer POI taxonomy for catchment context
  • Placer.ai — foot-traffic analytics and crowd-density forecasts
  • Veraset — anonymized mobility / device-ping data
  • Everbridge — fuse SignalGuard signals into your CEM workflow

Security model

AES-256-GCM at rest. Every BYOK credential is encrypted with a workspace-scoped key derived from a master key held in our KMS. The IV is regenerated on every write — no IV reuse, no nonce collisions. The cipher's authentication tag is verified on decrypt, so a tampered ciphertext fails closed.

AAD binding. Additional authenticated data binds each ciphertext to the workspace ID and provider ID. A row exfiltrated from the database cannot be decrypted into the wrong workspace's session, even by someone with the master key, because the AAD does not match.

Never logged. Request loggers, error handlers, and tracing middleware redact known credential fields. Plaintext keys live only inside the signal resolver function for the duration of the upstream call, then go out of scope. The encrypted form never appears in stdout, never in error reports, never in third-party APM.

DELETE purges. Removing a credential from /integrations deletes the ciphertext row outright. No tombstone, no soft delete, no "we kept a copy in case." The next scan falls back to shared upstream.

Workspace-isolated. BYOK credentials never cross workspace boundaries. A Team workspace's AccuWeather key is invisible to an Enterprise workspace under the same parent org unless the credential is explicitly added to that workspace. There is no global pool.
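The storage scheme described under "How it works" and in the "AES-256-GCM at rest" and "AAD binding" paragraphs can be sketched in Node.js as follows. This is an added example, not SignalGuard's code: the HKDF-SHA256 key derivation, the length-prefixed AAD layout, the function names, and the workspace and provider IDs are all assumptions made for illustration.

```javascript
const { createCipheriv, createDecipheriv, hkdfSync, randomBytes } = require('node:crypto');

// Constructed stand-in for the master key the page says is held in a KMS.
const MASTER_KEY = randomBytes(32);

// Assumption: HKDF-SHA256 derives the workspace-scoped key (the page names no KDF).
function workspaceKey(masterKey, workspaceId) {
  return Buffer.from(hkdfSync('sha256', masterKey, Buffer.alloc(0), `byok:${workspaceId}`, 32));
}

// Length-prefix each field so ("ab", "c") and ("a", "bc") yield different AAD.
function buildAad(workspaceId, providerId) {
  return Buffer.concat([workspaceId, providerId].flatMap((field) => {
    const bytes = Buffer.from(field, 'utf8');
    const len = Buffer.alloc(4);
    len.writeUInt32BE(bytes.length);
    return [len, bytes];
  }));
}

function sealCredential(masterKey, workspaceId, providerId, apiKey) {
  const iv = randomBytes(12); // fresh 96-bit IV on every write
  const cipher = createCipheriv('aes-256-gcm', workspaceKey(masterKey, workspaceId), iv);
  cipher.setAAD(buildAad(workspaceId, providerId));
  const ct = Buffer.concat([cipher.update(apiKey, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

function openCredential(masterKey, workspaceId, providerId, row) {
  const decipher = createDecipheriv('aes-256-gcm', workspaceKey(masterKey, workspaceId), row.iv);
  decipher.setAAD(buildAad(workspaceId, providerId));
  decipher.setAuthTag(row.tag);
  // final() throws if the key, IV, AAD, ciphertext or tag does not match.
  return Buffer.concat([decipher.update(row.ct), decipher.final()]).toString('utf8');
}

// Returns the plaintext, or null when authentication fails (fail closed).
function tryOpen(masterKey, workspaceId, providerId, row) {
  try { return openCredential(masterKey, workspaceId, providerId, row); } catch { return null; }
}

// Constructed sample row and the checks the page's claims imply.
const row = sealCredential(MASTER_KEY, 'ws-alpha', 'accuweather', 'constructed-api-key');
const tampered = { ...row, ct: Buffer.from(row.ct) };
tampered.ct[0] ^= 0x01;
console.log({
  sameContext: tryOpen(MASTER_KEY, 'ws-alpha', 'accuweather', row),
  otherProvider: tryOpen(MASTER_KEY, 'ws-alpha', 'tomorrowio', row),
  otherWorkspace: tryOpen(MASTER_KEY, 'ws-beta', 'accuweather', row),
  tamperedRow: tryOpen(MASTER_KEY, 'ws-alpha', 'accuweather', tampered),
});
```

Only `sameContext` returns the plaintext; the other three return `null`. The AAD is not secret, so what it provides is integrity of the context a row is opened in, not extra confidentiality.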

Frequently asked

Do I need BYOK to use SignalGuard?

No. Every tier ships with working coverage on all 50+ signals using SignalGuard's shared upstream quotas. BYOK is for teams that already pay AccuWeather, Ticketmaster, Dataminr, or any of the 25 supported providers and want the fidelity their contract entitles them to — minute-by-minute precip, full quota, partner-tier endpoints — flowing through the same brief.

What happens if my BYOK key expires?

The signal falls back to SignalGuard's shared upstream and the brief still ships — degraded, not broken. You get an in-product warning the next time the validator runs against the key, plus an email if your workspace has notifications enabled. Rotate the key in /integrations and the next scan picks it up.

Can I rotate BYOK keys?

Yes — paste the new key into /integrations and click validate. The old key is overwritten in place, server-side, encrypted under the same workspace AAD. There is no rotation window where both keys are live. The next scan uses the new key.

Does SignalGuard see the data my BYOK provider returns?

Yes — SignalGuard's signal resolvers receive the upstream response so they can score it against the 50+-signal severity model and write the brief. We don't sell or share that data with anyone else, and the response is never persisted beyond the scan record your workspace already owns. The key itself never leaves the encrypted store and is never logged.

What if my BYOK key starts failing mid-scan?

The signal client catches the upstream error, falls back to SignalGuard's shared quota for that one call, and tags the affected signal in the brief so the operator can see exactly which input degraded. The scan still ships in the same SLA window. Repeated failures surface in the integrations dashboard with the upstream error code.
