How to Monitor Cybersecurity Threats with a News API
Track ransomware, data breaches and vendor incidents by keyword and entity, then stream the alerts in real time
Written by Tasha Tatum
July 3, 2026
How to monitor cybersecurity threats
To monitor cybersecurity threats, query /v1/news/everything and narrow it to security coverage with a keyword search on title (for terms like ransomware or data breach), pin a vendor with organization.name, and add is_breaking=1 for urgent stories. There is no separate “security” endpoint — you assemble a threat feed from the shared filter chain, then point the same filters at the /v1/news/stream SSE feed or a dashboard webhook to get alerted the moment a new incident is published.
curl "https://api.apitube.io/v1/news/everything?title=ransomware&language.code=en&published_at.start=NOW-7DAY" \
-H "X-API-Key: YOUR_API_KEY"
You can pass the key as the api_key query parameter or as an X-API-Key header. This request returns English articles whose title mentions ransomware from the last seven days.
How do you catch threats by keyword?
The title filter is the core of threat monitoring: it matches security terms in the headline. A value must be 2–100 characters. When you pass several words without quotes, they are combined with AND logic and each word is matched as a whole token — so title=data breach returns titles that contain both data and breach, not either one alone.
# Both words must appear in the title
curl "https://api.apitube.io/v1/news/everything?title=data%20breach&published_at.start=NOW-1WEEK" \
-H "X-API-Key: YOUR_API_KEY"
To require the words next to each other as an exact phrase, wrap them in quotes; add ~N (N between 0 and 10) to allow up to N words of slop between them:
# Exact phrase, then a looser "supply chain … attack" match
curl 'https://api.apitube.io/v1/news/everything?title="zero-day"' -H "X-API-Key: YOUR_API_KEY"
curl 'https://api.apitube.io/v1/news/everything?title="supply chain attack"~2' -H "X-API-Key: YOUR_API_KEY"
To cut recurring false positives — for example gaming or movie “breach” stories — remove noise terms with ignore.title, which follows the same rules.
How do you follow one vendor or product’s incidents?
Article-level keyword search casts a wide net. To track incidents affecting a specific company, pin it with organization.name (or a numeric entity.id); use brand.name for a product line. Pair it with sentiment.overall.polarity=negative to bias toward bad news such as outages and compromises:
curl "https://api.apitube.io/v1/news/everything?organization.name=Microsoft&sentiment.overall.polarity=negative" \
-H "X-API-Key: YOUR_API_KEY"
To measure tone toward the vendor specifically rather than the whole article, add entity.sentiment.polarity=negative (it also accepts positive and neutral, scored on the same −1 to 1 band as entity.sentiment.score.min / entity.sentiment.score.max). If organization.name returns a not found error, the name did not resolve to a tracked entity — look it up first and filter by the stable numeric entity.id instead, as covered in how to find news mentioning a person or company.
How do you scope to a security topic or category?
Beyond keywords, you can narrow to a whole subject with topic.id or a broad IPTC section with category.id. Both accept up to three comma-separated values with OR logic. Do not guess the identifier — discover the right one with autocomplete, which requires a prefix:
curl "https://api.apitube.io/v1/suggest/topics?prefix=cyber" -H "X-API-Key: YOUR_API_KEY"
curl "https://api.apitube.io/v1/suggest/categories?prefix=technology" -H "X-API-Key: YOUR_API_KEY"
Take the id from a result and drop it straight into topic.id or category.id. An unknown identifier stops the whole request with an HTTP 400 error, so validate it with suggest first. See how to filter news by topic for the full topic rules.
How do you keep only urgent, breaking incidents?
A live security team usually wants the newest and most urgent items first. is_breaking=1 keeps only stories the pipeline flagged as breaking (it accepts exactly 0 or 1), and results are sorted newest-first by default. Bound the window with published_at.start, which accepts absolute dates (2026-06-01) and relative Solr-style values (NOW-1DAY, NOW-1WEEK), and pull a full page:
curl "https://api.apitube.io/v1/news/everything?title=cyberattack&is_breaking=1&published_at.start=NOW-1DAY&per_page=250" \
-H "X-API-Key: YOUR_API_KEY"
per_page defaults to 100 and maxes out at 250; walk deeper with page. On the Free plan, paging stops after the first 5 pages, so use a paid plan for large sweeps. To trim each result to just what an alert needs, add fl=id,title,source.domain,published_at.
How do you get threat alerts in real time?
Polling everything returns what already exists; real threat monitoring needs push. Keep the exact same filters and open the Server-Sent Events stream at /v1/news/stream — it runs the same filter chain and pushes each new matching article as it is published, polling every 30 seconds with a 30-second heartbeat, and supports the Last-Event-Id header so you can resume without gaps:
curl -N "https://api.apitube.io/v1/news/stream?title=ransomware&is_breaking=1" \
-H "X-API-Key: YOUR_API_KEY"
Each delivered article counts as one request against your stream quota. If you would rather have APITube POST incidents to your own endpoint (for a SIEM or a Slack alert), create a webhook — that is done in the dashboard, not over the API, and it pushes matching articles to your URL with a signed request. See how to set up a webhook for a saved search and how to monitor breaking news. The full parameter list lives in the News API parameters reference.
Common Questions
- Is there a dedicated cybersecurity endpoint?
- How do I track one vendor’s breaches specifically?
- Why does title=data breach miss the exact phrase?
- How do I get alerted the moment a breach is reported?
Is there a dedicated cybersecurity endpoint?
No. Cybersecurity monitoring uses the same /v1/news/everything endpoint and the same title, organization.name, topic.id, is_breaking, sentiment.* and published_at filters as any other subject. You define what counts as a threat with those filters — there is no separate security route.
How do I track one vendor’s breaches specifically?
Pin the company with organization.name (or its numeric entity.id) and add entity.sentiment.polarity=negative. That scores the tone toward the vendor itself, separate from the rest of the article, so you catch negative coverage about one vendor even inside a broader industry piece. If the name does not resolve, filter by entity.id instead — ids do not depend on exact spelling.
Why does title=data breach miss the exact phrase?
Multiple words in title are combined with AND and matched as whole tokens, so title=data breach returns any headline containing both data and breach in any position. To require the exact phrase, wrap it in quotes: title="data breach". Add ~N (0–10) after the closing quote to allow up to N words between them.
How do I get alerted the moment a breach is reported?
Move from polling to push. Open the /v1/news/stream SSE feed with your threat filters to receive new matching articles as they publish, resuming with Last-Event-Id after a drop, or create a webhook in the dashboard so APITube POSTs each incident to your endpoint. Both carry the same filters you use on search.