Tidewatch Labs

The Baltic Sea has become Europe’s most contested undersea-infrastructure environment. Between September 2022 and December 2024, four publicly-reported incidents disabled gas pipelines (Nord Stream 1 + 2, Balticconnector), telecom cables (C-Lion1, BCS East-West, two more on the Sweden side), and a power interconnector (Estlink 2). In each case, a suspect vessel was identified by combining AIS data with open-source reporting.

Tidewatch is the system a NATO-aligned analyst would have wanted while those incidents were happening. It runs the same detectors that retrospectively flagged Yi Peng 3 and Eagle S, against live AIS streams, with SAR and OSINT context, and a tool-grounded language interface so an operator can ask a plain-English question and get a sourced answer in seconds.

Everything is built on open or commercially-licensed data. No classified inputs, no ITAR components, no sanctioned data routes. Source available; demo public.

Tidewatch is built and operated by Alex Bobes, a Romanian technology leader based in Bucharest. CTO across eight companies in 16+ years, with deep work in AI systems (RAG, LLMs, agents), cybersecurity (infrastructure hardening, compliance, penetration testing), cloud architecture (AWS, Azure, Terraform), and technical SEO. Tech investor focused on AI, blockchain, and cybersecurity startups, and a published author on Amazon, HackerNoon, and Authority Magazine.

Alex is also founder of Asociatia Taxi Gratis, Romania’s free medical-transport NGO. Twelve years of operation, 30,000+ km/year, 400+ people helped annually. JCI Ten Outstanding Young Persons (2019). The same operator discipline shows up in Tidewatch: ship the artefact, document the data, keep things reproducible.

• AIS ingest: live WebSocket from AISStream.io for the entire Baltic bbox, with retry/backoff and a 7-day rolling cache.
• SAR fusion: daily Sentinel-1 GRD pulls from Copernicus Data Space. CA-CFAR detection with land masking; matched against AIS to surface dark vessels (vessel detected by SAR but no broadcasting AIS within ±30 min / 500 m).
• OSINT: GDELT 2.0 polling and curated Baltic-region RSS (Yle, ERR, LRT, LSM, Naval News, gCaptain, Lloyd’s List). Geocoded via spaCy NER, embedded for similarity search.
• Detectors: rules-based, transparent, and tunable. Loitering near infrastructure, AIS-off in monitored zones, dark-vessel fusion, anchor-strike speed pattern. Each fires with a plain-text severity rationale.
• Analyst console: Claude 4.x with strict tool-calling. Six tools (search_alerts, get_vessel_history, find_infra, nearby_infra, nearby_osint, search_osint) return structured IDs. The system prompt forbids unsourced claims; every assertion in an answer must trace back to a tool result.
• Course-of-action workbench: analytical (not ML) intercept ranker. Place friendly assets on the map; the engine computes time-to-intercept against a contact (vessel or SAR detection), with feasibility and explainable reasoning.
• Incident replay: three curated historical incidents (Yi Peng 3, Eagle S, Nord Stream) replayable with a timeline scrubber. The live detectors run against the replayed track; a captured JSON shows which alerts would have fired.

• No classified data, ever. Every source is open or commercially licensable and publicly citable.
• No general maritime domain awareness. Baltic Sea, subsea-cable + suspicious-vessel threat model, full stop.
• No accusations against currently-operating vessels in product copy or marketing. Demos and case studies use only historical, publicly-reported incidents.
• No black-box ML where rules are sufficient. Detectors are explainable; the CoA generator is analytical, not ML; LLM answers cite their evidence.

Tidewatch is currently a research preview, with funding pursued through DASA and DIANA tracks. Open to collaborations with NATO partner CCDCOE, Baltic ministries of defence, infrastructure operators, and other research groups working on undersea-cable security.

Get in touch: [email protected].