TIBlender: Early-Warning Threat Intelligence from Cross-Platform Social Media Evidence

📅 2026-06-03
📈 Citations: 0
✨ Influential: 0

🤖 AI Summary
This work addresses the challenge of fragmented cyber threat signals dispersed across platforms such as X, Reddit, Telegram, and Discord, where effective automated methods for synthesizing actionable intelligence remain lacking. The paper introduces TIBlender, the first multi-agent system enabling fully automated, cross-platform fusion and early warning of emerging threats. TIBlender employs role-specialized large language model agents that collaboratively collect, reason over, and trace cross-platform evidence chains to produce structured threat intelligence reports. Experimental results demonstrate that each platform contributes complementary threat information, collectively proving indispensable. In real-world deployment, TIBlender significantly advanced the detection timeline for emerging threats, with most indicators absent from existing intelligence sources. Its end-to-end extraction of Indicators of Compromise (IoCs) substantially outperformed single-platform baselines, validating the system's effectiveness and scalability.
📝 Abstract
Cyber threat signals are fragmented across multiple social media platforms, yet no existing approach has fully automated their integration into actionable threat intelligence (TI) reports. We present TIBlender, a multi-agent system that monitors four platforms (X, Reddit, Telegram, and Discord) and produces structured TI reports via role-specialized LLM agents. These agents conduct multi-perspective investigations, tracing chains of evidence to uncover related Indicators of Compromise (IoCs) via collaborative, evidence-backed analysis. In a real-world deployment, TIBlender detected emerging threats across all four threat categories ahead of public feeds, including in-the-wild exploitation ahead of public vulnerability registries; the majority of its IoCs were absent from each evaluated feed. Quantitative evaluation confirms that each platform contributes unique threat information unavailable from the others, and that excluding any single platform results in substantial loss of reports in specific threat categories. Under identical single-platform input conditions, TIBlender's IoC extraction meets or exceeds each baseline; the full pipeline surfaces substantially more IoCs, most of which are absent from any single-platform baseline. These results establish cross-platform social media monitoring as an effective and scalable early-warning layer for operational TI pipelines.
Problem

Research questions and friction points this paper is trying to address.

threat intelligence
cross-platform social media
Indicators of Compromise
early-warning
cyber threat detection
Innovation

Methods, ideas, or system contributions that make the work stand out.

cross-platform threat intelligence
multi-agent LLM system
Indicators of Compromise (IoCs)
early-warning cyber threat detection
social media evidence integration