What this signal monitors
The X (formerly Twitter) signal is SignalGuard's fastest pulse for event-day chatter. We poll public posts mentioning your event keyword, venue, performer handles, or location, and surface any that carry threat-adjacent vocabulary — protest organizing, ticket-fraud chatter, weapons references, evacuation rumors, and on-the-ground complaints that frequently land on X before they reach a newsroom or a 911 dispatcher. X threat monitoring for event security exists in this product because, in the median incident our pilots have triaged, X posts beat the news cycle by 30 to 90 minutes.
Data sources
The X signal calls /2/tweets/search/recent — the X API v2 recent-search endpoint, which returns posts from the last seven days. SignalGuard's client builds a query that combines your keyword with -is:retweet lang:en to suppress amplifier noise and non-English content, then requests up to 100 results per call with tweet.fields=id,text,created_at,author_id,public_metrics,lang and user.fields=id,username,name,verified so the analyst sees the post, its engagement metrics, and the author's verification status at a glance.
Access requires an X_BEARER_TOKEN. The Basic tier of the X API ($200/month at the time of writing per X's developer portal) grants enough recent-search volume for a small portfolio of venues; if no token is configured, SignalGuard falls back to a realistic mock dataset so you can rehearse the workflow before you commit to a paid X tier.
How SignalGuard scores severity
The X classifier reads each post's text and assigns one of five tiers — none, low, medium, high, or critical — using the same vocabulary the Reddit and Bluesky classifiers use, so signals are directly comparable in the fusion layer. Critical triggers are explicit weapons or violence terms (/\bshoot(?:ing|er|s)?\b/, /\bterror/, /\bbomb(?:ing|er)?\b/, /\bmass\s*shooting\b/, /\bhostage/). High covers /\battack/, /\briot/, /\bevacuat/, /\bkidnap/. Medium catches /\bprotest/, /\bclash/, /\barrest/, /\bcrowd\s+crush/. Low is the soft signals (/\bcancel/, /\bdelay/, /\bsuspici/). A false-positive suppressor downgrades critical and high hits when the text reads like song lyrics, setlist mentions, or "panic attack" used in a medical sense — patterns lifted from real false-positive cases observed during pilot scans.
Use cases for event security
A music festival operator can watch a stadium-show keyword and see, in real time, a sudden spike of posts complaining of pat-down failures at the south gate — long before that pattern reaches Ticketmaster's customer-service queue.
A corporate-event security lead can pre-load the CEO's name, the venue, and the date as a keyword set and surface counter-protest organizing in the hours leading up to ingress. The classic case is a published shareholder meeting where a single high-engagement X post calling for disruption sits at Medium severity, and three more like it inside two hours auto-escalate the per-source roll-up.
A sports-venue duty officer can detect rumor cascades — "stadium evacuated" posts that aren't true but are gathering retweets — and intercept the rumor before it triggers a real crowd-flow event.
Pairs well with
- Reddit (
/docs/signals/reddit) — X gives speed, Reddit gives the explanation. A spike on X is almost always sourced from a deeper Reddit thread that names why. - News (GDELT) (
/docs/signals/news) — when X chatter starts citing a news article URL, the GDELT signal usually catches the story within an hour, validating the X spike against editorial coverage. - Telegram threats (
/docs/signals/telegram-threats) — organized chatter migrates between X and Telegram, with serious operational planning more often on Telegram and the public-facing rallying cries on X. Reading them together exposes the gap.
Premium upgrade path
The X signal's ceiling is set by the tier of your X API access. SignalGuard supports a BYOK pattern on /integrations — connect your own X Pro or X Enterprise key and unlock higher query volumes, longer historical windows, and the streaming filtered-stream endpoint for sub-minute alert latency. PredictHQ (event-intelligence enrichment) is also available on the integrations catalog and pairs well with X by tagging matched events with attendance, demand-rank, and predicted spend.
Frequently asked questions
Is an X API key required to use the X signal?
No. SignalGuard ships with a realistic mock dataset when X_BEARER_TOKEN is not configured. The product fully renders, the brief shows X cards, and the severity logic exercises end-to-end — useful for dashboards, demos, and pre-purchase evaluation. Real X coverage activates the moment you add a Basic-tier or higher bearer token.
How fast does SignalGuard detect a chatter spike on X? The recent-search endpoint returns posts within seconds of publication, and SignalGuard polls each active event keyword on the scan cadence you configure (default 5 minutes). On the X API Basic tier you can comfortably run a fresh scan every five minutes across a small venue portfolio; higher tiers shorten that window further.
Can SignalGuard monitor X DMs or private accounts? No. We only access public posts via X's official search endpoint. Protected accounts and DMs are not visible and are not part of the product scope. This is a stated X API recent-search constraint and a SignalGuard policy choice.
Does X chatter alone trigger a Critical event brief? A single Critical X post will elevate the X card to Critical, but the overall event severity is fused across all 50+ signals — the AI synthesis layer (Claude Haiku 4.5) reads X alongside Reddit, news, weather, and the rest, and writes the headline based on convergent evidence. This is consistent with the DHS National Threat Assessment Center guidance to triangulate threats across multiple open-source streams before escalating.
==========