# TeleSint — Telegram Threat Intelligence API

## What This API Does

TeleSint monitors public Telegram threat intelligence channels in real time, extracts IOCs, C2 infrastructure, threat actor activity, breach announcements, and early attack intent signals. All records are AI-enriched by DeepSeek with MITRE ATT&CK technique tagging, confidence scoring (0-100), TLP classification, and structured JSON output.

Pay per call in USDC on Base mainnet via x402. No API key. No account. No subscription.

## Base URL

https://telesint-api.onrender.com

## Authentication

x402 micropayment protocol. Include a valid X-PAYMENT header with each request.

Payment: USDC on Base mainnet (eip155:8453). Facilitator: CDP (api.cdp.coinbase.com).

---

## Endpoints

### GET /ioc — Indicators of Compromise ($0.01 USDC)

Returns defanged IOCs extracted from Telegram: IP addresses, domains, URLs, file hashes, CVEs.

**Query parameters:**

- type (string, optional) — ip | domain | url | md5 | sha1 | sha256 | cve
- severity (string, optional) — critical | high | medium | low | info (returns this level and above)
- min_confidence (number, optional) — integer 0-100, filters by AI confidence score
- since (string, optional) — ISO 8601 timestamp, e.g. 2026-05-01T00:00:00Z
- tlp (string, optional) — WHITE | GREEN | AMBER | RED
- tag (string, optional) — tag keyword, e.g. ransomware, cobalt-strike, apt
- channel (string, optional) — partial match on source Telegram channel name
- limit (number, optional) — page size, default 20, max 100
- offset (number, optional) — pagination offset, default 0

**Response fields:**

- source (string) — "TeleSint"
- endpoint (string) — "ioc"
- total (number) — total matching records
- items[] (array) — list of IOC records
  - id (string) — record UUID
  - channel (string) — defanged source Telegram URL
  - ts (string) — ISO 8601 timestamp
  - category (string) — "ioc"
  - summary (string) — AI-generated summary of the raw message
  - iocs[] (array) — extracted indicators
    - type (string) — ip | domain | url | md5 | sha1 | sha256 | cve
    - value (string) — defanged indicator value
    - context (string) — usage context from the source message
  - ttps[] (array) — MITRE ATT&CK techniques
    - id (string) — e.g. T1566.001
    - name (string) — technique name
    - tactic (string) — tactic name
  - confidence (number) — AI confidence score 0-100
  - severity (string) — critical | high | medium | low | info
  - tlp (string) — WHITE | GREEN | AMBER | RED
  - tags[] (array) — string keywords

**Example call:**

```
GET https://telesint-api.onrender.com/ioc?type=ip&severity=high&limit=10
```

**Example response:**

```json
{
  "source": "TeleSint",
  "endpoint": "ioc",
  "total": 42,
  "limit": 10,
  "offset": 0,
  "items": [{
    "id": "abc123",
    "channel": "https://t[.]me/vxunderground",
    "ts": "2026-05-27T14:32:00Z",
    "category": "ioc",
    "summary": "Windows zero-day exploit released by Nightmare Eclipse threat group",
    "iocs": [{"type": "url", "value": "https://github[.]com/Nightmare-Eclipse/MiniPlasma", "context": "Exploit repo"}],
    "ttps": [{"id": "T1204.002", "name": "User Execution: Malicious File", "tactic": "Execution"}],
    "confidence": 80,
    "severity": "high",
    "tlp": "WHITE",
    "tags": ["zero-day", "windows", "exploit"]
  }]
}
```

---

### GET /c2 — C2 Infrastructure ($0.02 USDC)

Returns Command-and-Control infrastructure: panels, listeners, beacons, malleable profiles.

**Query parameters:**

- framework (string, optional) — cobalt_strike | sliver | havoc | brute_ratel | metasploit
- severity (string, optional) — critical | high | medium | low | info
- min_confidence (number, optional) — 0-100
- since (string, optional) — ISO 8601 timestamp
- tag (string, optional) — tag keyword
- limit (number, optional) — default 20, max 100
- offset (number, optional) — default 0

**Response fields:**

- source, endpoint, total, items[] with same base structure as /ioc
- iocs[] — C2 infrastructure indicators (IPs, domains, URLs of panels/listeners)
- ttps[] — MITRE ATT&CK C2 techniques (T1071, T1095, T1573, etc.)
- tags[] — framework name, protocol, campaign tags

**Example call:**

```
GET https://telesint-api.onrender.com/c2?framework=cobalt_strike&severity=high
```

---

### GET /actor — Threat Actor Profiles ($0.02 USDC)

Returns threat actor profiles with TTPs, attribution, targets, and motivation.

**Query parameters:**

- name (string, optional) — actor name or alias, partial match (e.g. lazarus, sandworm)
- nation_state (string, optional) — ISO country code or name: kp | ru | cn | ir | us
- motivation (string, optional) — financial | espionage | hacktivism | sabotage
- ttp (string, optional) — MITRE ATT&CK ID prefix, e.g. T1059
- severity (string, optional) — critical | high | medium | low | info
- limit (number, optional) — default 20, max 100
- offset (number, optional) — default 0

**Response fields — actor object:**

- actor (object)
  - name (string) — primary actor name
  - nation_state (string) — attributed country
  - motivation (string) — motivation category
- ttps[] — MITRE ATT&CK techniques attributed to this actor
- target (object)
  - sectors[] (array) — targeted industry sectors
  - countries[] (array) — targeted countries

**Example call:**

```
GET https://telesint-api.onrender.com/actor?nation_state=ru&motivation=espionage
```

---

### GET /breach — Breach & Data Leak Disclosures ($0.03 USDC)

Returns breach announcements and credential leak disclosures from Telegram.

**Query parameters:**

- sector (string, optional) — targeted sector keyword: finance | healthcare | government | energy
- country (string, optional) — targeted country keyword: us | uk | de | fr
- organization (string, optional) — organization name partial match
- severity (string, optional) — critical | high | medium | low | info
- min_confidence (number, optional) — 0-100
- since (string, optional) — ISO 8601 timestamp
- limit (number, optional) — default 20, max 100
- offset (number, optional) — default 0

**Example call:**

```
GET https://telesint-api.onrender.com/breach?sector=finance&country=us&severity=high
```

---

### GET /intent — Early Attack Intent Signals ($0.05 USDC)

Returns pre-attack signals: targeting announcements, initial access sales, 0day disclosures, ransomware group recruitment, and exploit kit availability. These signals appear BEFORE attacks land. Highest-value endpoint for proactive defense.

**Query parameters:**

- sector (string, optional) — targeted sector: finance | healthcare | government | energy | retail
- country (string, optional) — targeted country
- organization (string, optional) — targeted organization partial match
- intent_type (string, optional) — access_sale | 0day | ransomware | exploit | recruitment
- limit (number, optional) — default 20, max 100
- offset (number, optional) — default 0

**Example call:**

```
GET https://telesint-api.onrender.com/intent?sector=healthcare&intent_type=ransomware
```

---

### GET /feed — Full Threat Intel Feed ($0.05 USDC)

Returns the unified feed across all categories. Use this when you want everything and will filter client-side, or when building SIEM ingestion pipelines.

**Query parameters:**

- category (string, optional) — ioc | c2 | actor | breach | intent
- severity (string, optional) — critical | high | medium | low | info
- min_confidence (number, optional) — 0-100
- since (string, optional) — ISO 8601 timestamp
- tag (string, optional) — tag keyword
- tlp (string, optional) — WHITE | GREEN | AMBER | RED
- limit (number, optional) — default 20, max 100
- offset (number, optional) — default 0

**Example call:**

```
GET https://telesint-api.onrender.com/feed?since=2026-05-27T00:00:00Z&severity=high&limit=50
```

---

## Data Sources (Telegram channels monitored 24/7)

- vxunderground — malware samples, exploits, threat actor announcements
- cyberinsider — breaking CTI news, breach disclosures
- ctinow — IOCs, threat feeds, campaign tracking
- TheTHReaTHunter — threat hunting IOCs and TTPs
- malwrhunterteam — malware samples and C2 infrastructure
- threatintelligencesharing — community IOC sharing
- ctifeeds — aggregated threat intelligence

## Pricing Summary

| Endpoint | Price | Best for                             |
|----------|-------|--------------------------------------|
| /ioc     | $0.01 | IOC enrichment, blocklist generation |
| /c2      | $0.02 | Network defense, firewall rules      |
| /actor   | $0.02 | Attribution, threat modeling         |
| /breach  | $0.03 | Dark web monitoring, breach tracking |
| /intent  | $0.05 | Proactive defense, early warning     |
| /feed    | $0.05 | Full pipeline ingestion              |
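
An added example (not TeleSint's own code) of turning a `/ioc` response into a blocklist: it refangs the `[.]`-defanged values, applies confidence, severity and TLP gates client-side, and holds back allowlisted hosts, because the sample record in the `/ioc` section points at a `github[.]com` URL that must not end up in a firewall rule. The allowlist, the TLP policy, the thresholds and the two constructed records are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample in the documented /ioc response shape. The first item is
# the page's own example record; the other two are made up for illustration.
SAMPLE = {"source": "TeleSint", "endpoint": "ioc", "total": 3, "items": [
    {"id": "abc123", "confidence": 80, "severity": "high", "tlp": "WHITE",
     "iocs": [{"type": "url", "context": "Exploit repo",
               "value": "https://github[.]com/Nightmare-Eclipse/MiniPlasma"}]},
    {"id": "constructed-1", "confidence": 90, "severity": "critical", "tlp": "WHITE",
     "iocs": [{"type": "ip", "value": "203[.]0[.]113[.]7", "context": "C2"},
              {"type": "sha256", "value": "0" * 64, "context": "sample"}]},
    {"id": "constructed-2", "confidence": 40, "severity": "high", "tlp": "AMBER",
     "iocs": [{"type": "domain", "value": "bad[.]example", "context": "phish"}]},
]}

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
ALLOWED_TLP = {"WHITE", "GREEN"}     # assumption: policy for a list shared outside the team
ALLOWLIST = {"github.com", "t.me"}   # assumption: hosts you must never block

def refang(value):
    """Undo '[.]' defanging (the form the page shows); 'hxxp' is an assumed extra."""
    return value.replace("[.]", ".").replace("hxxp", "http").strip().lower()

def host_of(ioc):
    """Return the host an indicator points at, or None for hashes and CVEs."""
    value = refang(ioc["value"])
    if ioc["type"] == "url":
        return urlsplit(value).hostname
    return value if ioc["type"] in ("ip", "domain") else None

def build_blocklist(response, min_confidence=70, min_severity="high"):
    """Return (hosts to block, allowlisted hits held back for analyst review)."""
    blocked, held = set(), []
    for item in response.get("items", []):
        if (item.get("confidence", 0) < min_confidence
                or SEVERITY_RANK.get(item.get("severity"), -1) < SEVERITY_RANK[min_severity]
                or item.get("tlp") not in ALLOWED_TLP):
            continue
        for ioc in item.get("iocs", []):
            host = host_of(ioc)
            if host is None:
                continue
            if any(host == a or host.endswith("." + a) for a in ALLOWLIST):
                held.append((item["id"], host))
            else:
                blocked.add(host)
    return sorted(blocked), held
```

The held-back list is worth logging: a high-confidence record whose only indicator is a shared hosting or code platform usually needs a URL-level or content-level control rather than a host block.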