Telesint Api
Telesint API delivers real-time threat indicators aggregated from Telegram channels across IPs, domains, URLs, hashes, and CVEs.
Trust signal
3 of 4 pillars
coverage 75%
Pillars
Signals
Evidence tiers, not an endorsement · trust model v0.1.0 (provisional) · CDP-lane settlement only (D3) · Trust API coming soon
On-chain traction
ERC-8004 agent registry
Not found in the ERC-8004 agent registry. This is the default state — absence is not a negative signal.
Identity & classification
Settlement volume
USDC settled on-chain · monthly
as of Jul 12, 2026
Endpoints(14)
IOC feed from Telegram CTI channels. Filters: type(ip|domain|url|hash|cve), severity, min_confidence, since, tlp, tag, channel, limit, offset. Returns items[] with iocs[], ttps[], confidence, severity, tlp, tags[].
Threat actor profiles from Telegram. Filters: name, nation_state(kp|ru|cn|ir), motivation(financial|espionage|hacktivism), ttp, severity, limit. Returns items[] with actor{}, ttps[], target{sectors,countries}.
C2 infrastructure from Telegram. Filters: framework(cobalt_strike|sliver|havoc|brute_ratel), severity, min_confidence, since, tag, limit, offset. Returns items[] with C2 IPs/domains, MITRE TTPs, confidence.
Malware family intelligence from Telegram: new sample drops, behavior analysis, loader/stealer/RAT/backdoor writeups. Filters: severity, min_confidence, since, tag(stealer|loader|rat|backdoor), limit, offset.
Raw source verification for a TeleSint record. Pass id (UUID from any items[].id). Returns original defanged message text and source language alongside the AI summary for provenance checks.
ASN threat intelligence from Telegram CTI channels. Pass ?asn=AS215540. Returns C2 framework associations, phishing kit links (Tycoon2FA, EvilProxy, NakedPages), threat actor mentions, bulletproof hosting indicators, blocking recommendation with WAF rule hint, and matching TeleSint record IDs for pivoting into /c2 or /ioc. Distinct from OT-Intel /ot/asn — angle is cybercriminal Telegram chatter about hosting infrastructure, not ICS actor campaigns.
Breach disclosures from Telegram. Filters: sector, country, organization, severity, min_confidence, since, limit. Returns items[] with target{sectors,countries,organizations}, leak iocs[], confidence.
Dark web intelligence from Telegram: marketplace listings, forum chatter, access broker posts, credential shops, Tor site activity. Filters: severity, min_confidence, since, tag, sector, country, organization, limit, offset.
CVE and exploitation-in-the-wild signals from Telegram CTI channels. Filters: severity, min_confidence, since, tag(cve|exploit|poc|patch), ttp, type(cve), limit, offset. Returns CVE IDs, affected products, exploit status.
Ransomware group activity from Telegram: victim posts, leak site announcements, extortion demands. Filters: severity, min_confidence, since, tag(lockbit|blackcat|cl0p|ransomhub), sector, country, limit, offset.
Cross-category pivot across all TeleSint intel. Use ?q= for broad keyword or combine filters: category, severity, sector, country, tag, ttp, name, organization, min_confidence, since. Returns items[] across any category.
CTI artifact export from a TeleSint record. Required: id (record UUID), format (sigma|stix|report). Returns Sigma rule, STIX 2.1 bundle, or structured analyst report built from real enriched intel.
Full intel feed across all categories. Filters: category(ioc|c2|actor|breach|intent|vulnerability), severity, min_confidence, since, tag, tlp, limit, offset. Returns all record types newest first. Use for SIEM ingestion.
Pre-attack intent signals from Telegram: access sales, 0days, ransomware targeting. Filters: sector, country, organization, intent_type(access_sale|0day|ransomware|exploit), limit. Signals appear before attacks.