What this signal monitors
Reddit threat monitoring for events is the long-form counterpart to the X signal in SignalGuard's Chatter pillar. We search public Reddit posts that combine your event keyword with a threat vocabulary OR-list (protest, unrest, riot, attack, shooting, bomb, threat, evacuation, security, violence) and surface results scored by both content and the subreddit they came from. Reddit is where the why lives: a local subreddit like r/LasVegas or r/Coachella rarely posts a one-liner panic — instead, attendees explain logistics frustrations, post warnings about specific gates, and coordinate meet-ups in threads that frequently run several hours ahead of public news.
Data sources
The Reddit signal calls Reddit's public search JSON API at /search.json with the sort=new, t=week, and type=link parameters, filtering by a built query that ANDs your keyword against the threat vocabulary plus event name or location if supplied. SignalGuard prefers OAuth access when REDDIT_CLIENT_ID and REDDIT_CLIENT_SECRET are set in env (per Reddit's OAuth2 docs) — that path gets you the 60-requests-per-minute per-app tier and an auth header to oauth.reddit.com. Without OAuth credentials, the client falls back to anonymous www.reddit.com JSON, which Reddit rate-limits at ~10 req/min per IP and is shared across every tenant on a host like Render or Vercel.
Because shared-egress anonymous access gets rate-limited constantly in production, the client serializes requests with a 6-second floor when running anonymous, caches every response for 20 minutes, and applies a 5-minute "rate-limited" backoff after any 429 to avoid hammering the upstream.
How SignalGuard scores severity
Severity is classified per post and then escalated for the corpus. Critical and high tiers match on the post title only — selftext is too noisy at top severity, with song lyrics and game-day threads regularly tripping a body-only regex. Medium tier accepts title or selftext. Subreddit context modifies the score: posts from r/news, r/worldnews, r/politics, r/ProtectAndServe, r/security, or r/osint get bumped up one tier; posts from r/jokes, r/memes, or r/funny get dropped one tier. A false-positive suppressor downgrades critical and high hits that match patterns like setlist, live at, panic attack, tequila, or shot of — observed false-positive sources from real pilot scans. A volume bump pushes the overall score up to medium if the corpus has 15+ posts and 4+ combined hits across protest, violence, and terror vocabulary.
Use cases for event security
Coordinated protest organizing in r/portland or r/chicago is often visible six hours before doors. A duty officer running Reddit threat monitoring for events on the day-of scan will see the protest thread, the discussion of meet points, and the count of upvotes — all signals the X-only operator misses entirely.
Ticket-fraud warnings cluster on subreddits like r/electricdaisycarnival and r/coachella. A festival operator can detect a fraud-warning thread and proactively flag the ticket SKU at the gate.
Logistics-failure threads catch operational problems early — a "south gate is wrapping around the block" thread on a local sub is a leading indicator of an ingress chokepoint that hasn't yet generated a 911 call.
Pairs well with
- X (Twitter) (
/docs/signals/x) — Reddit gives depth, X gives speed. Together they tell you both that something is happening and why. - News (GDELT) (
/docs/signals/news) — Reddit threads frequently link to news articles; GDELT catches the editorial response. - YouTube (
/docs/signals/youtube) — Reddit users post video links into threads; YouTube's comment threads on those same videos are where protest plans and ticket-fraud warnings collect.
Premium upgrade path
The Reddit signal scales with the Reddit OAuth tier. Configure a free "script" app at reddit.com/prefs/apps and supply REDDIT_CLIENT_ID and REDDIT_CLIENT_SECRET for the 60 req/min OAuth tier — this is the single highest-leverage premium move for shared-hosting deployments. Recorded Future (threat-intelligence enrichment) on the SignalGuard /integrations catalog enriches matched Reddit posts with TTP context when the threat actor's handle is known. See /pricing for the integration tier required.
Frequently asked questions
Does SignalGuard read private subreddits or quarantined content?
No. We use Reddit's public search JSON API. Private subreddits, quarantined content, and posts behind an nsfw opt-in that the API filters out by default are not visible to SignalGuard. This is a Reddit Data API constraint and a SignalGuard policy.
Why does Reddit threat monitoring for events sometimes show "rate-limited"?
If you are running without OAuth credentials on a shared host (Render, Vercel), the anonymous Reddit tier (~10 req/min per IP) is shared with every other tenant on the same egress IP. The simplest fix is to create a free Reddit "script" app and set REDDIT_CLIENT_ID and REDDIT_CLIENT_SECRET in env — that moves you to the 60 req/min OAuth tier, scoped to your app and not the IP.
How recent are the posts SignalGuard returns?
The default search window is the last seven days, sorted newest-first. You can shorten that to 24 hours or extend it to 30 days via the daysBack parameter. The cache TTL is 20 minutes, so repeated scans of the same event keyword inside a 20-minute window return the cached corpus and don't hit Reddit again.
Is Reddit threat monitoring legal under Reddit's terms? SignalGuard uses Reddit's published Data API in the way it is documented — public search, OAuth-authenticated where credentials are configured, with conservative rate-limiting. See Reddit's Data API terms for the full policy. We do not scrape behind authentication walls and we never persist post bodies to disk longer than the cache TTL.
==========