Ghostwire

About Ghostwire

Independent cybersecurity intelligence. Operated by one analyst. No investors, no advertising, no vendor sponsorship.

What this is

Ghostwire is a fusion platform that collects, enriches, and synthesizes cybersecurity intelligence from 190+ public sources across 12+ languages. It exists because the threat picture in any single source — even an excellent one — is partial. Combining government CERTs, vendor research, independent press, and non-English regional coverage closes gaps that single-source consumption cannot.

Who runs it

Ghostwire is operated by a single security analyst. There is no team, no parent company, no holding entity, no investors, and no advertising relationships. The platform has been in continuous operation under the same operator since launch and the same operator is responsible for source selection, code, infrastructure, and the analytical framework used in the briefings.

This continuity is deliberate. Editorial drift in threat intelligence usually shows up after ownership or staffing changes; keeping the operator constant keeps the analytical voice constant.

How it's funded

Free tier — full feed, vulnerability database, daily public briefing, threat actor tracking.
Pro tier — personalized briefings, watchlists, asset inventory matching, push alerts. Paid via Stripe.
No ads. No sponsored items in the feed or briefing. No affiliate links.
No vendor relationships. Ghostwire does not accept vendor copy, embargoed pre-briefs, or paid coverage.

Editorial disclosure — analytical priors

Ghostwire is not "neutral" in the sense that some news products claim to be neutral. It has an explicit analytical framework, and you should know what it is before you read the briefings.

The briefing voice and pattern library are derived from the published research of Caroline Orr Bueno, PhD on cognitive security, narrative warfare, and information operations. That framework is opinionated about a specific set of structural claims:

Disinformation is a security problem. We treat coordinated inauthentic behavior, algorithmic amplification, and information laundering as adversary TTPs, not as "discourse."
Institutional capacity matters. When a defensive institution (CISA, an election office, a CERT, a trust-and-safety team) loses staffing, authorities, or funding, we cover that as a threat surface — because adversary tempo demonstrably tracks it.
We name patterns that cross domestic political lines. The pattern library includes things like Reverse Algorithmic Capture, Criminalization of Dissent, and Accelerationist Feedback. These are structural descriptions, but their referents are sometimes domestic political actors. We do not pretend otherwise.
We distinguish disinformation (deliberate) from misinformation (non-deliberate), and we use that distinction even when it is unflattering to a specific actor.

If you want feed-only intelligence without the analytical layer, use the raw feed and the CVE database directly. They have no editorial overlay.

The framework above reflects analytical interpretation of structural patterns observed in public reporting. Nothing on this site is an assertion of unlawful conduct by any specific individual; named actors are discussed only where attributed by primary sources, and we link to those sources.

What the AI does and doesn't do

Daily briefings are generated by Anthropic Claude against the day's harvested corpus using the prompt and verification protocol described in the methodology. There is no human editor in the loop before publication. The model can and does make mistakes — quantifier flips, date compression, cross-article bleed. We have guardrails for these failure modes but they are not infallible.

Treat briefings as a synthesis layer over primary sources, not as a replacement for them. Every story links to its source. Verify before you act.

Privacy and data

Ghostwire stores the minimum needed to operate the product: account email and password hash for authentication, watchlist and asset inventory entries you create, push tokens for devices that opt in to alerts, anonymous request analytics. Bookmarks are stored locally on your device. We do not sell data, share it with brokers, or run third-party trackers in the app or on the marketing site.

Contact & security disclosures

General contact, corrections, and security disclosures: contact@ghostwire.news. Coordinated vulnerability disclosure on Ghostwire infrastructure itself is welcome at the same address.

Affiliations

Ghostwire is not affiliated with any vendor, government agency, commercial threat-intelligence provider, or political organization. Provided as-is, for informational purposes, without warranty.