What this signal monitors
TikTok threat monitoring for events in SignalGuard's Chatter pillar covers a signal profile fundamentally different from text-first platforms. A single TikTok reaching 500K views in 6 hours is a coordination event regardless of how mild the caption text reads — virality is itself the signal. So this client uses a composite severity that multiplies keyword severity by the natural log of views-per-hour. SignalGuard watches for walkout videos, "link in bio" ticket-fraud accounts, "POV" content that telegraphs day-of plans, and flash-mob style mobilization tied to your event keyword.
Data sources
The signal calls the TikTok Research API at https://open.tiktokapis.com/v2/research/video/query/ with OAuth client-credentials authentication. Setup: TIKTOK_CLIENT_KEY and TIKTOK_CLIENT_SECRET in env; tokens cache for 110 minutes (TikTok issues 2-hour tokens). The Research API has a 4-6 week approval window via developer.tiktok.com — until keys land, the client returns realistic mock data with the same envelope so SignalGuard's UI and the threat-fusion pipeline behave identically.
Hashtag discovery is allowlisted via TIKTOK_HASHTAGS env var — explicitly never following recommended-hashtag chains, which would be a scope-creep problem. Video files and thumbnails are never stored; SignalGuard surfaces URLs and metadata only, with click-through to TikTok for the actual content.
How SignalGuard scores severity
Per-video classification runs against the caption text. Critical: /\bshoot/, /\bterror/, /\bkilled?\b/, /\bbomb/, /\bmass\s*shooting\b/, /\bhostage/. High: /\battack/, /\briot/, /\bevacuat/, /\bkidnap/, plus TikTok-specific lexicon /\bwalkout\b/, /\beveryone\s+(meet|meeting|walk)/, /\bspread\s+this\b/. Medium: /\bprotest/, /\bclash/, /\barrest/, /\bcrowd\s+crush/, plus /\blink\s+in\s+bio\b/, /\bPOV\b/.
The composite virality multiplier is applied after keyword classification:
composite_score = keyword_severity × log(views_per_hour + 1)
Composite thresholds: critical ≥8, high ≥4, medium ≥2, else low. Examples: a medium-keyword caption at 1000 views/hour scores 2 × log(1001) ≈ 13.8 → critical. A low-keyword caption at 100 views/hour scores 1 × log(101) ≈ 4.6 → medium. A critical-keyword caption (e.g. "shooting") at any virality stays critical. The cache TTL is 10 minutes — TikTok virality compounds over hours, not minutes.
Use cases for event security
A live-tour operator running TikTok threat monitoring for events will catch "everyone meet at the south gate" walkout-coordination videos within the first hours of upload — the canonical 24-48 hour TikTok virality cycle is fast enough to matter for event-day staffing, where it's far too slow to matter for text-platform alerts.
A festival operator watches the link in bio lexicon for ticket-resale scam clusters: TikTok's lack of in-feed links forces fraud accounts into the recognizable "link in bio" pattern, and the velocity of these uploads in the 7 days before an event is itself a leading indicator of ingress-time scam volume at the gate.
A sports venue can watch a specific hashtag for "POV" content shot at prior games — POV: I snuck in through the east lot fence videos are useful intel for closing the actual physical gap before the next fixture.
Pairs well with
- YouTube (
/docs/signals/youtube) — both are video-first but with vastly different virality timescales; TikTok feeds short-form clips into YouTube long-form reposts. - X (Twitter) (
/docs/signals/x) — viral TikTok content frequently triggers X amplification within hours; reading both catches the full virality cycle. - Reddit (
/docs/signals/reddit) — Reddit threads post TikTok URLs and discuss them, giving the context the TikTok caption lacks.
Premium upgrade path
The TikTok Research API has tight quotas at the default tier. The /integrations catalog includes BYOK paths to Brandwatch and Talkwalker, both of which offer first-class TikTok coverage with higher rate limits, deeper historical windows, and pre-computed virality metrics. Pair with PredictHQ for event-context enrichment when TikTok caption keywords match a tracked event entity.
Frequently asked questions
Is TikTok Research API access required for TikTok threat monitoring for events? For production use, yes. Apply at developer.tiktok.com with a documented research or security use case; approval typically takes 4-6 weeks. Without credentials, SignalGuard returns realistic mock data so the UI, severity classifier, and threat-fusion pipeline all exercise end-to-end during evaluation.
How does virality weighting work in practice? A non-viral mild-caption video (low keyword × low velocity) stays Low. A viral mild-caption video (low keyword × high velocity) escalates to Medium because crowd dynamics on the day-of are reshaped by what 50,000 attendees just watched on their phones during ingress. A non-viral severe-caption video stays Critical because explicit threat speech matters regardless of audience size. This pattern follows the TikTok virality research published by the Stanford Internet Observatory on event-tied content cascades.
Can SignalGuard read TikTok comment threads?
The current implementation uses the Research API's video query endpoint, which returns captions, view counts, and engagement metrics but not the full comment thread. Comment-thread retrieval is on the roadmap, gated on TikTok's Research API surface expansion. For comment-heavy coordination signals, the YouTube signal (/docs/signals/youtube) is the right complement today.
Does SignalGuard store TikTok videos or thumbnails? No. The Operational rules are locked: SignalGuard surfaces video URLs and metadata only, with click-through to TikTok for actual content. This matches TikTok's Research API content-handling requirements and SignalGuard's broader posture on user-generated content.