On-Call WAF Runbook Agent with Linear Postmortem
When a WAF alert fires, an agent reads the matching runbook and executes the documented Cloudflare remediation (toggling or tightening WAF rules).
How it runs
The automated pipeline, trigger to output.
- Trigger: WAF alert webhook received (HTTP webhook)
- Action: Fetch matching runbook from MCP knowledge server (Custom MCP server)
- Logic: Decide whether to auto-remediate or escalate to a human
- Action: Apply documented Cloudflare WAF rule change (Cloudflare)
- Action: Open pre-filled Linear postmortem stub (Linear)
- Output: Post remediation summary to Slack on-call channel (Slack)
What it does
Turns an incoming WAF alert into a hands-on remediation. An agent looks up the runbook that matches the alert signature, performs the exact Cloudflare WAF rule change the runbook prescribes, and files a Linear postmortem stub seeded with what it saw and what it did.
When to use it
Use it when your team has documented runbooks for common edge-security incidents (credential-stuffing spikes, bad-bot floods, suspicious path probing) and wants first-response remediation to happen in minutes, not after someone wakes up. Best when remediations are well-bounded and reversible.
How it works
1. A WAF alert webhook arrives with the rule ID, zone, and attack signature.
2. The agent fetches the matching runbook from your internal MCP knowledge server.
3. It decides whether the documented action applies or needs a human (logic branch on confidence and blast radius).
4. If clear, it applies the Cloudflare WAF rule change (enable, tighten sensitivity, or block the offending pattern).
5. It opens a Linear postmortem stub pre-filled with the alert, runbook used, and action taken.
6. It posts a Slack summary to the on-call channel with the Linear link.
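One way to write the step 3 decision as a fail-closed gate, shown as an added example that is not the product's own code. The runbook schema, thresholds, zone names and the `decide` function are assumptions made for illustration; only the alert fields (rule ID, zone, attack signature) and the three action kinds come from the description above.

```python
from dataclasses import dataclass

# The three remediation kinds named above; anything else is never automated.
ALLOWED_ACTIONS = {"enable", "tighten_sensitivity", "block_pattern"}

@dataclass(frozen=True)
class Runbook:              # hypothetical schema, not the product's
    action: str             # what the runbook prescribes
    reversible: bool        # can the change be rolled back cleanly?
    zones: frozenset        # zones the runbook may touch (blast-radius bound)
    min_confidence: float   # below this, a human decides

# Constructed sample runbooks keyed by attack signature.
RUNBOOKS = {
    "credential-stuffing": Runbook("tighten_sensitivity", True,
                                   frozenset({"login.example.com"}), 0.90),
    "bad-bot-flood": Runbook("block_pattern", True,
                             frozenset({"shop.example.com"}), 0.85),
    "path-probing": Runbook("purge_and_rebuild", False,
                            frozenset({"shop.example.com"}), 0.80),
}

def decide(alert, confidence, runbooks=RUNBOOKS):
    """Return (decision, detail); every unmet condition escalates."""
    # The webhook body is untrusted input: require all three fields.
    missing = [k for k in ("rule_id", "zone", "signature") if not alert.get(k)]
    if missing:
        return "escalate", "alert missing " + ",".join(missing)
    rb = runbooks.get(alert["signature"])
    if rb is None:
        return "escalate", "no runbook for signature"
    if rb.action not in ALLOWED_ACTIONS:
        return "escalate", "action not on allowlist"
    if not rb.reversible:
        return "escalate", "action not reversible"
    if alert["zone"] not in rb.zones:
        return "escalate", "zone outside runbook scope"
    if confidence < rb.min_confidence:
        return "escalate", "confidence below threshold"
    return "auto_remediate", rb.action

if __name__ == "__main__":
    # Constructed alert carrying the webhook fields listed in step 1.
    sample = {"rule_id": "r-001", "zone": "login.example.com",
              "signature": "credential-stuffing"}
    for conf in (0.95, 0.60):
        print(conf, decide(sample, conf))
```

Because the gate returns a reason with every escalation, the same string can be written into the postmortem stub and the Slack summary, so reviewers can see why the agent did or did not act.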
Set it up
What you configure once, before turning it on.
1. Connect Cloudflare: Workers, Pages, R2, KV (the edge stack).
2. Connect Linear: Issues, projects, cycles, triage.
3. Connect Slack: Channels, DMs, threads, mentions.
4. Connect Custom MCP server: Connect any MCP-compatible tool you own.
5. Connect HTTP webhook: Trigger any URL on agent actions.
6. Set each agent's model: We leave models unset so you pick the tier, fast and cheap or top-quality.
7. Tune it to your data: Edit the prompts, filters, and field mappings so it matches how your team works.
8. Test, then turn it on: Run once against a sample, confirm the output, then enable the trigger.
