What this signal monitors
Telegram threat intelligence for venue security is SignalGuard's broader-discovery Telegram signal. Where the /docs/signals/telegram allowlist signal covers channels you've curated, this signal performs cross-channel keyword search against the public Telegram index — discovering channels you haven't yet allowlisted, surfacing messages that mention your venue, performer, or event keyword, and classifying each hit against a three-tier threat taxonomy: direct-threat, protest-disrupt, and dox/harass.
Telegram is, in 2026, where most extremist organizing, doxx campaigns, and "we're going to X tonight" chatter actually lives. It has displaced most of what used to live on Tor hidden services and 8chan-era forums. For event security, this is the single highest-signal "dark-web-adjacent" source SignalGuard integrates.
Data sources
Primary source: TGStat — a paid Telegram index. The /words/search endpoint returns up to 50 messages per query matching your keyword across the public Russian/CIS-leaning index, but also covering a large slice of English-language extremist and protest channels. Pricing: ~$30/mo basic, ~$100/mo with full word search (current TGStat published rate). Setup: TGSTAT_API_KEY in env.
Future fallback: t.me/s/{channel} HTML preview scraping against a curated allowlist. Not wired into the production path yet — left as a follow-up so the initial deploy stays clean.
Without an API key the signal returns { ok: false, reason: 'no_api_key' } with a clear setup message — the card hides gracefully and the rest of the brief renders normally.
How SignalGuard scores severity
Three keyword tiers run in priority order. Direct-threat tier (the only path to a Critical classification on its own) matches shoot, shooter, bomb, bomber, kill, attack, assault, massacre, gun, firearm, weapon, detonate, explosive, IED, pipe bomb, molotov, gonna die, going to die. Protest-disrupt tier (high) matches protest, march, rally, occupy, blockade, disrupt, storm, rush, mob, riot, antifa, counter-protest, walkout, shut down. Dox/harass tier (medium) matches dox, doxx, doxxed, home address, license plate, tag him, tag her, find him, find her, expose.
Overall severity escalates by message count plus target-mention coupling. Critical: ≥1 direct-threat hit that also mentions the event keyword or venue. High: ≥3 protest-disrupt or dox hits matching the target, OR ≥1 direct-threat anywhere. Medium: ≥5 hostile-context messages mentioning the target. Low: any matches without hostile framing. Caching is 15 minutes; rate-limit backoff is 10 minutes after a 429; stale-cache fallback runs up to 6 hours so the card doesn't go dark on a single upstream blip.
Use cases for event security
A high-profile speaker event (controversial politician, polarizing tech CEO) running Telegram threat intelligence for venue security will see direct-threat tier hits — "weapon" or "kill" combined with the speaker's name — within minutes of publication, frequently hours before the same chatter migrates to X.
A federal-building or courthouse with an upcoming high-profile case watches the dox/harass tier for "home address" combined with judge or prosecutor names — the canonical pattern for the doxx-then-confront escalation path.
A stadium with a protest-prone fixture (away derby, controversial visiting team) watches the protest-disrupt tier for pre-match, meet point, and outnumber clustering across multiple channels — leading indicator of a planned away-supporter intercept.
Pairs well with
- Telegram (allowlist) (
/docs/signals/telegram) — the allowlist signal covers known channels; this signal discovers new ones. Run both. - Dark web (
/docs/signals/dark-web) — Telegram and Tor onions cover overlapping but non-identical extremist-organizing surfaces. - X (Twitter) (
/docs/signals/x) — the public-facing manifestation of Telegram organizing usually surfaces on X within hours. Reading both reveals the operational-to-public arc.
Premium upgrade path
TGStat's $100/mo full-word-search tier is the right baseline for production deployments. For deeper coverage, the SignalGuard /integrations catalog includes BYOK paths to Flashpoint (enterprise-tier Telegram coverage with analyst enrichment) and Recorded Future (cross-source threat-actor attribution). See /pricing for the integration tier required.
Frequently asked questions
Can SignalGuard monitor private Telegram channels for venue threats? No. Even with TGStat, the only channels indexed are public — channels with an open join link, indexable content, and >50 subscribers per TGStat's documented indexing rules. Private channels require user-account access that SignalGuard does not automate. For private-channel intelligence, the right tool is a vetted analyst with explicit operational authorization.
How fast does Telegram threat intelligence for venue security detect a direct threat? TGStat indexes new messages on a roughly 5-30 minute cadence depending on channel size. SignalGuard caches results for 15 minutes and applies a 4-second minimum interval between TGStat calls to stay polite to the upstream. Worst-case end-to-end latency from message publication to brief surfacing is approximately 45 minutes; typical latency is 10-15 minutes.
Does SignalGuard share Telegram findings with anyone?
No. The TGStat call is made from your tenant, results are cached in-memory only, and no Telegram message content leaves your SignalGuard instance beyond the AI synthesis call to Anthropic (which sees a compacted summary, not raw bodies). See the data-handling section of /pricing for the full posture.
What does a "critical" Telegram threat look like in practice? A typical critical hit, drawn from real pilot scans: a public channel with a known extremist-network affiliation posts a message containing both a direct-threat keyword (e.g. "shoot") and the venue or performer name within a 14-day window of the event. The FBI's 2024 Internet Crime Report documents the migration of physical-threat coordination from Tor to mainstream messaging platforms — Telegram is the modal endpoint of that migration in 2026.
==========