OSINT (Open Source Intelligence)
Intelligence derived from publicly available sources. That includes news media, government publications, academic papers, satellite imagery, social media, radio frequencies, and structured data feeds like USGS earthquake data or GDELT event records. The term "open source" refers to the accessibility of the data, not software licensing. OSINT is the foundation of modern intelligence work because the volume of public data now exceeds what classified channels produce. The challenge is not access — it is processing. A single day of GDELT data contains tens of thousands of coded events. Sentinel exists because no human can read all of it, but an AI agent can.
Agentic AI
AI systems that operate autonomously toward goals, making decisions and taking actions without step-by-step human instruction. Unlike a chatbot that responds to prompts, an agentic AI decides what to look at, when to look, and what matters. It plans, executes, and adapts. In the context of intelligence, this means an AI agent that monitors feeds continuously, detects anomalies against historical baselines, correlates events across domains, and pushes alerts — all without a human asking it to. The agent does not wait for questions. It watches for answers. Sentinel uses domain-specific agents built on Claude Sonnet 4, each specializing in one intelligence domain.
Agentic OSINT
The application of agentic AI to open-source intelligence. Traditional OSINT requires a human analyst to find, read, and interpret data. Agentic OSINT automates the monitoring and initial analysis layers, letting the human focus on judgment and decision-making. Sentinel is an agentic OSINT platform: it continuously ingests 20+ public feeds, runs AI agents that detect changes and anomalies, correlates signals across 10+ intelligence domains, and delivers plain-English alerts. The analyst does not check dashboards. The intelligence finds them. This is the core differentiator from traditional OSINT platforms that display data but expect humans to find the signal.
Delta Intelligence
Intelligence focused on what changed, not what exists. Most platforms show you the current state — here are today's earthquakes, here are today's flights. Delta intelligence compares the current state against historical baselines and surfaces the difference. A magnitude 3.2 earthquake near Yellowstone is not interesting by itself. Twelve magnitude 3+ earthquakes near Yellowstone in 24 hours when the 90-day average is two per week — that is a delta. Sentinel computes deltas across all feeds automatically. Every alert explains not just what happened, but how it compares to what is normal. Without normalization and deduplication, delta computation is impossible.
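The Yellowstone comparison above, worked through as an added example (not Sentinel's code). It scales the 90-day baseline rate to the 24-hour window and scores the observed count with a Poisson tail probability; the Poisson model, the `alpha` threshold and all names are assumptions, and the timestamps are constructed.

```python
import math
from datetime import datetime, timedelta, timezone

def poisson_tail(k, lam):
    """P(X >= k) for X ~ Poisson(lam): chance of k or more events at the baseline rate."""
    term = cdf = math.exp(-lam)
    for i in range(1, k):
        term *= lam / i
        cdf += term
    return 1.0 if k <= 0 else max(0.0, 1.0 - cdf)

def compute_delta(timestamps, now, window=timedelta(hours=24),
                  baseline=timedelta(days=90), alpha=1e-3):
    """Compare the event count in the last `window` with the preceding `baseline`."""
    start = now - window
    observed = sum(1 for t in timestamps if start <= t <= now)
    history = sum(1 for t in timestamps if start - baseline <= t < start)
    expected = history * (window / baseline)   # baseline rate scaled to the window
    if expected == 0:
        # No history at all: any event is new behaviour, silence is not a delta.
        p_value = 0.0 if observed else 1.0
    else:
        p_value = poisson_tail(observed, expected)
    return {
        "observed": observed,
        "history": history,
        "expected": expected,
        "ratio": observed / expected if expected else None,
        "p_value": p_value,
        "is_delta": p_value < alpha,           # alpha is an assumed alerting threshold
    }

# Constructed sample: about two quakes per week for 90 days, then twelve in 24 hours.
NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)
WINDOW_START = NOW - timedelta(hours=24)
BASELINE_QUAKES = [WINDOW_START - timedelta(days=3.5 * i) for i in range(1, 26)]
SWARM = [NOW - timedelta(hours=i) for i in range(1, 13)]

if __name__ == "__main__":
    print(compute_delta(BASELINE_QUAKES + SWARM, NOW))       # swarm day
    print(compute_delta(BASELINE_QUAKES + SWARM[:1], NOW))   # ordinary day
```

A single event in the window scores a p-value near 0.24 against this baseline and is not flagged; twelve events are.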
Situational Awareness
Understanding what is happening in your environment right now and what it means for the near future. Originally a military concept, now used across security operations, emergency management, and risk analysis. Situational awareness requires three things: perception of relevant data, comprehension of its meaning, and projection of its trajectory. Most OSINT dashboards handle perception — they show you data. Sentinel handles all three: it perceives events across 10+ domains, comprehends them through AI analysis and delta computation, and projects outcomes through wargame simulations.
Threat Intelligence
Intelligence about current or emerging threats to an organization, region, or system. In cybersecurity, this means indicators of compromise (IOCs), vulnerability disclosures, and attack pattern data. In geopolitical contexts, it means conflict escalation signals, sanctions activity, and force posture changes. Sentinel ingests threat intelligence from multiple layers: CISA Known Exploited Vulnerabilities (KEV) for cyber threats, GDELT for geopolitical conflict, ACLED for armed conflict events, and NOAA for environmental threats. The security teams use case covers cyber threat integration in detail.
GDELT (Global Database of Events, Language, and Tone)
The largest open dataset of global human society events. GDELT monitors news media worldwide in 65+ languages and codes events using the CAMEO taxonomy. Updated every 15 minutes with tens of thousands of new event records. Each event includes actors, action type, geographic coordinates, Goldstein scale conflict score, and source URLs. GDELT is one of Sentinel's primary geopolitical feeds, polled every 15 minutes. The raw data is a CSV file with 60+ columns per event. Sentinel normalizes this into structured events with location, severity, and actor metadata for downstream AI analysis.
ADS-B (Automatic Dependent Surveillance-Broadcast)
A surveillance technology where aircraft broadcast their position, altitude, velocity, and identification via radio signals on 1090 MHz. Anyone with a receiver can pick up these broadcasts — it is not encrypted. Networks of volunteer receivers (like ADS-B Exchange and adsb.lol) aggregate this data globally. Sentinel polls three ADS-B feeds: military aircraft, LADD-filtered aircraft (Limited Aircraft Data Displayed — often government or VIP), and emergency squawk codes (7700 for general emergency, 7600 for communications failure, 7500 for hijack). Polling intervals range from 15 to 30 seconds. Aircraft positions are tracked as persistent entities with full flight history.
CAMEO (Conflict and Mediation Event Observations)
A coding framework for categorizing political events. Every event gets a numeric code: 01 is "Make Public Statement," 19 is "Use Conventional Military Force," 20 is "Use Unconventional Mass Violence." CAMEO codes are hierarchical — 17 is "Coerce," 171 is "Seize or Damage Property," 1711 is "Confiscate Property." GDELT uses CAMEO to code every event it ingests. Sentinel uses CAMEO codes to classify event severity and filter geopolitical signals. A cluster of CAMEO 18-20 codes in a region means military and violent activity — the kind of pattern that triggers escalation alerts. CAMEO gives structure to the chaos of global news.
Wargame Simulation
Predictive modeling that takes a scenario and projects likely outcomes using real data. Not a video game. In intelligence, wargaming means asking "if X happens, what follows?" and answering that question with evidence from historical patterns and live telemetry. Sentinel's wargame engine cross-references all intelligence domains: if a conflict escalation scenario is modeled, it pulls GDELT event history, ADS-B military flight patterns, maritime route data, and seismic activity to project supply chain disruption, infrastructure risk, and regional instability. Every projection is sourced and cited. See the agentic AI page for how this connects to the agent architecture.
Entity Tracking
Persistent monitoring of a specific object, person, organization, or asset across time. Most OSINT tools show you a snapshot — where is this aircraft right now? Entity tracking builds a history: where was this aircraft last week, what routes does it normally fly, and is today's behavior anomalous? Sentinel tracks entities across ADS-B (aircraft), CelesTrak (satellites), GDELT (organizations and state actors), and cyber feeds (IP addresses, domains). Entity history is stored in Supabase with timestamped position records. Anomaly detection runs against the entity's own baseline, not a global average. A C-17 flying from Dover to Ramstein is routine. The same C-17 flying to an airfield it has never visited is a signal.
SIGINT vs OSINT
SIGINT (Signals Intelligence) is intelligence gathered from intercepting electronic communications and signals — radio, radar, telemetry. It requires specialized equipment and is typically classified. OSINT uses publicly available sources only. The distinction matters because OSINT is legal for anyone to collect and analyze, while SIGINT collection is restricted to authorized government agencies. Modern OSINT has blurred the line: ADS-B signals are broadcast publicly and anyone can receive them, but they are technically radio signals. Sentinel operates entirely in the OSINT domain — every data source it ingests is publicly accessible without special authorization, clearance, or intercept capability.
TLE (Two-Line Element)
A standardized format for describing the orbit of an Earth-orbiting object. Created by NORAD and maintained by the 18th Space Defense Squadron. A TLE contains six orbital parameters encoded in two 69-character lines: inclination, eccentricity, right ascension of the ascending node, argument of perigee, mean anomaly, and mean motion. With these six numbers and a propagation algorithm (SGP4), you can predict a satellite's position at any future time. Sentinel ingests TLEs from CelesTrak every 12 hours for tracked objects including military satellites, ISS, Starlink clusters, and reconnaissance platforms. TLEs decay in accuracy over days, which is why regular updates matter.
HUMINT vs OSINT
HUMINT (Human Intelligence) is intelligence gathered from human sources — informants, agents, diplomatic contacts, interrogations. It is the oldest form of intelligence and remains critical for understanding intent, which signals alone cannot reveal. OSINT tells you what is happening. HUMINT tells you why. The two are complementary, not competing. Sentinel is an OSINT platform — it processes structured data feeds and public information. It does not process HUMINT. However, Sentinel's analysis can identify patterns that prompt HUMINT collection: if satellite imagery and flight data suggest unusual military activity, that is the kind of finding a human source can help explain.
Goldstein Scale
A numeric scale from -10 to +10 that rates the expected impact of an event type on the stability of a country. Developed by Joshua Goldstein in 1992. Negative values indicate conflict (-10 is military attack), positive values indicate cooperation (+10 is major agreement). Zero is neutral. GDELT assigns a Goldstein score to every event based on its CAMEO code. Sentinel uses Goldstein scores to weight geopolitical alerts — a cluster of events scoring below -5 in a region triggers escalation monitoring. The scale is blunt by design; it was built for aggregate pattern detection, not individual event assessment. A single -7 event means little. Twenty -7 events in the same region in 48 hours means something.
Feed Normalization
The process of converting data from different sources into a common schema. USGS sends earthquake data as GeoJSON. GDELT sends events as tab-separated CSV. NOAA sends weather alerts as CAP/XML. ADS-B data arrives as JSON with aviation-specific fields. Sentinel normalizes all of these into a unified event format: source, timestamp, location (lat/lng), category, severity, raw payload, and metadata. Without normalization, cross-domain correlation is impossible — you cannot compare an earthquake to a flight diversion if they do not share a common coordinate system and timestamp format. Normalization is the unsexy prerequisite that makes every interesting feature possible.
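An added example of normalization (not Sentinel's code), mapping a USGS GeoJSON feature and a CAP 1.2 alert into one schema. It shows the two mismatches that break correlation: coordinate order (GeoJSON is lon, lat; CAP is lat, lon) and timestamp format (epoch milliseconds versus ISO 8601 with an offset). The `Event` fields follow the list above; the 0-4 severity scale, the magnitude mapping and both sample records are constructed assumptions.

```python
import json
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timezone

CAP_NS = {"cap": "urn:oasis:names:tc:emergency:cap:1.2"}
CAP_SEVERITY = {"Minor": 1, "Moderate": 2, "Severe": 3, "Extreme": 4}  # assumed 0-4 scale

@dataclass
class Event:
    source: str
    source_id: str
    timestamp: str   # ISO 8601, always UTC
    lat: float
    lng: float
    category: str
    severity: int    # 0 (unknown) to 4
    raw: str         # original payload, kept for audit

def from_usgs(feature):
    lng, lat, _depth = feature["geometry"]["coordinates"]       # GeoJSON order: lon, lat
    ts = datetime.fromtimestamp(feature["properties"]["time"] / 1000, tz=timezone.utc)
    severity = min(4, max(0, int(feature["properties"]["mag"]) - 2))  # assumed mapping
    return Event("usgs", feature["id"], ts.isoformat(), lat, lng,
                 "seismic", severity, json.dumps(feature, sort_keys=True))

def _cap_text(alert, path):
    return (alert.findtext(path, default="", namespaces=CAP_NS) or "").strip()

def from_cap(xml_text):
    # Feed XML is untrusted input; use a hardened parser (e.g. defusedxml) in production.
    alert = ET.fromstring(xml_text)
    circle = _cap_text(alert, "cap:info/cap:area/cap:circle")   # "lat,lon radius"
    if not circle:
        raise ValueError("alert has no <circle>; polygon handling is out of scope here")
    lat, lng = (float(v) for v in circle.split()[0].split(","))  # CAP order: lat, lon
    ts = datetime.fromisoformat(_cap_text(alert, "cap:sent")).astimezone(timezone.utc)
    severity = CAP_SEVERITY.get(_cap_text(alert, "cap:info/cap:severity"), 0)
    return Event("noaa", _cap_text(alert, "cap:identifier"), ts.isoformat(), lat, lng,
                 "weather", severity, xml_text)

# Constructed samples (not real feed records).
USGS_SAMPLE = {"type": "Feature", "id": "constructed-quake-1",
               "properties": {"mag": 3.2, "time": 1714586400000},
               "geometry": {"type": "Point", "coordinates": [-110.67, 44.43, 5.0]}}
CAP_SAMPLE = """<alert xmlns="urn:oasis:names:tc:emergency:cap:1.2">
  <identifier>constructed-alert-1</identifier><sent>2024-05-01T12:00:00-06:00</sent>
  <info><severity>Severe</severity><area><circle>44.50,-110.50 25.0</circle></area></info>
</alert>"""
```

Both samples normalize to the same UTC timestamp, which is what lets a later stage correlate them by time and distance.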
Deduplication
Ensuring the same event is not stored or alerted on twice. Harder than it sounds. USGS updates earthquake magnitude estimates — the same quake might appear in three consecutive polls with slightly different magnitudes. GDELT codes the same real-world event from multiple news sources. ADS-B reports aircraft positions every few seconds. Sentinel uses two-layer deduplication: Redis for fast in-memory checks (24-hour TTL keyed by feed and source ID) and a Postgres unique index for permanent enforcement. Without dedup, a 15-second ADS-B poll interval would generate hundreds of duplicate records per aircraft per hour. The goal is one record per event, updated as new information arrives.
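A sketch of the two-layer check described above, as an added example rather than Sentinel's code. An in-process TTL cache stands in for Redis and SQLite stands in for Postgres so it runs offline; the table layout, the `revisions` column and the payload comparison are assumptions. It covers the USGS case: a revised magnitude updates the existing row, and an unchanged record is dropped even after the cache entry has expired.

```python
import json
import sqlite3

TTL_SECONDS = 24 * 3600   # the 24-hour TTL described above

class TTLCache:
    """In-process stand-in for Redis; a deployment would use SET with an expiry."""
    def __init__(self):
        self._items = {}
    def get(self, key, now):
        value, expires = self._items.get(key, (None, 0))
        return value if expires > now else None
    def set(self, key, value, now):
        self._items[key] = (value, now + TTL_SECONDS)

def open_store():
    """SQLite stand-in for Postgres; the UNIQUE constraint is the permanent layer."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE events (feed TEXT, source_id TEXT, payload TEXT,"
               " revisions INTEGER DEFAULT 1, UNIQUE (feed, source_id))")
    return db

def ingest(cache, db, feed, source_id, payload, now):
    """Return 'inserted', 'updated' or 'duplicate' for one polled record."""
    key = f"{feed}:{source_id}"                    # keyed by feed and source ID
    body = json.dumps(payload, sort_keys=True)     # canonical form for comparison
    if cache.get(key, now) == body:
        return "duplicate"                         # layer 1: seen unchanged within TTL
    row = db.execute("SELECT payload FROM events WHERE feed = ? AND source_id = ?",
                     (feed, source_id)).fetchone()
    cache.set(key, body, now)
    if row and row[0] == body:
        return "duplicate"                         # layer 2: cache expired, store remembers
    db.execute("INSERT INTO events (feed, source_id, payload) VALUES (?, ?, ?)"
               " ON CONFLICT (feed, source_id) DO UPDATE"
               " SET payload = excluded.payload, revisions = revisions + 1",
               (feed, source_id, body))
    return "updated" if row else "inserted"

def run_demo():
    """Constructed polls of one quake whose magnitude estimate is revised."""
    cache, db = TTLCache(), open_store()
    polls = [(0, 3.1), (15, 3.1), (30, 3.3), (30 + TTL_SECONDS + 1, 3.3)]
    statuses = [ingest(cache, db, "usgs", "constructed-quake-1", {"mag": mag}, now)
                for now, mag in polls]
    return statuses, db.execute("SELECT COUNT(*), MAX(revisions) FROM events").fetchone()
```

`run_demo()` ends with one row at revision 2: the upsert on the unique key keeps a single record per event while still accepting the revised magnitude.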
Push Intelligence
Intelligence delivered to the analyst without the analyst requesting it. The opposite of a dashboard, which is pull intelligence — you open it, you look, you find (or miss) what matters. Push intelligence means Sentinel watches the feeds, identifies significant events or pattern changes, and sends an alert to your preferred channel: email, Slack, Discord, SMS, Telegram, or webhook. The alert arrives in plain English with context, severity, and source citations. You do not need to be watching. You do not need to be at your desk. The intelligence finds you. This is the core design principle of WYRM Sentinel.