WORKFLOW TEMPLATES
SecOps workflows
Security alerts, audits, and automated response.
362 workflows
Assemble a Takedown Evidence Pack on Demand
On request, gathers Brave Search and live-page evidence for a confirmed impersonation domain, compiles a structured evidence document into Google Drive.
Agent-Driven Exposure Investigator with Cross-Referenced Rotation Plan
A chat-triggered security agent investigates a suspected leak by iteratively querying Brave Search, cross-referencing your secrets inventory in Postgres.
Agentic Phishing Investigation & Case Builder
An autonomous agent picks up each reported phishing email, detonates links in a sandbox, enriches indicators via web research, decides quarantine and escalation actions.
Phishing Campaign Blast-Radius Sweep
Webhook-triggered when an analyst confirms a phishing case; searches the Gmail tenant for other copies of the same malicious URL or sender, tallies every recipient.
Security Advisory to Blast-Radius Pager Alert
When a GitHub security advisory matches a dependency you use, identify which internal services import the vulnerable code path and page the owning team only if a real call site…
Live API-Key Exposure Detector with PagerDuty Escalation
On demand or via webhook, hunts Brave Search for your live API key prefixes and service tokens leaking on public pages.
Loom recording secret scanner with auto-revoke and incident page
Scans every newly published Loom recording's on-screen text for exposed credentials, revokes confirmed secrets at the source, and pages the security team.
OAuth App Revocation Request and Approval
Lets security file a revocation request for a risky OAuth app through a form, tracks approval in Linear.
Datadog WAF Anomaly to Cloudflare Rule Pull Request
When Datadog detects an anomalous blocked-request spike, it correlates the offending traffic in Cloudflare and opens a GitHub pull request adding the candidate firewall rule…
On-Demand WAF Rule Investigation with Linear Tracking
Triggered manually for a named WAF rule, this workflow builds a full investigation packet from Cloudflare and Sentry.
Canary Token Tripwire Lockdown
Listens for a planted decoy credential being used, treats any hit as a confirmed breach, disables the associated principal, and escalates with full request context.
Security Alert Triage
Datadog + Sentry security signals are triaged for severity and either auto-closed as noise or escalated to PagerDuty + Slack.
WAF False-Positive Auto-Remediation with GitHub Rule PR
Confirms a WAF block spike is a false positive against Sentry, then drafts a tightened Cloudflare rule expression and opens a GitHub pull request with the change for review.
Nightly git history scan with batched secret rotation
Runs a scheduled deep scan of repository history for committed secrets, rotates each confirmed finding in Cloudflare.
Confirm and Block Live Phishing Clones via Cloudflare
Takes a candidate lookalike domain, fetches the live page to confirm it clones your brand, and if confirmed adds the host to a Cloudflare blocklist while alerting the team.
Investigate a quarantined Dropbox link exposure end to end
An agent-driven investigation that, given a quarantined Dropbox link, gathers Cloudflare access history and Axiom context, assesses what data was exposed and to whom.
Quarantine Dropbox links accessed from unexpected geographies
Watches Cloudflare access logs for hits on public Dropbox share links coming from countries outside your expected list.
Weekly Dropbox link exposure digest from Cloudflare logs
Once a week, summarizes which public Dropbox links saw access from new geos or anonymized sources, quantifies the riskiest links.
Phishing Webhook Intake and Investigation Log
Accepts phishing reports from a mail-gateway or browser-extension webhook, enriches the IOCs, has an agent draft an investigation writeup.
Compile a weekly exposed-secret audit report to Notion
Each week, aggregates all secret-scan findings and rotation events from the audit database, summarizes trends, and publishes a reviewable report page to Notion.
OAuth Grant Blast-Radius Reviewer
When a new third-party OAuth app grant is detected, it scores the scope blast radius, posts a plain-English risk summary to Slack, and routes the grant for human approve or revoke.
CEO-Triaged Exposed-Secret Response
An agent triages each incoming secret-scanner hit, judges blast radius and key type, drafts a tailored rotation plan.
Phishing Mailbox Triage with IOC Enrichment
Watches a shared phishing-report inbox, extracts URLs, domains, and sender details from each reported email, enriches them with reputation data.
Weekly Loom secret-exposure report to leadership
Every week, aggregates the org's Loom secret findings into a Notion report with trends, repeat offenders, and mean time to revoke, then posts the summary to a leadership channel.
Slack-Reported Phishing to Zendesk Case
Lets staff report a suspicious message from a Slack shortcut, auto-enriches any links and senders they paste.
Investigate OAuth grants from unverified publishers
When an OAuth app from an unverified or unknown publisher is consented to, it enriches the app with web research on the vendor and posts an investigation brief so reviewers judge…
Auto-label GitLab MRs that introduce leaked secrets
On every merge request, scan the diff for hardcoded secrets and, if any are found, apply a security label, block the MR, and alert the secrets-response pod.
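The diff-scanning step above is the part of this template that decides whether an MR gets blocked, so it is worth seeing what "scan the diff for hardcoded secrets" actually has to do: parse the unified diff, look only at added lines, keep the new-file line number for the label, and redact the match before it goes anywhere near a ticket or Slack. The block below is an added illustration, not the template's own code; the token patterns, the entropy cut-off and the sample diff are constructed for the example and would be tuned to your own credential formats.

```python
"""Scan the added lines of a unified diff for hardcoded credentials.

Added example for the MR-scanning step; not the workflow template's own
implementation. Rules, thresholds and SAMPLE_DIFF are constructed.
"""
import math
import re
from collections import Counter

# Well-known token formats (assumed patterns; extend with your own prefixes).
SPECIFIC_RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Generic catch-all: a secret-looking variable assigned a long quoted literal.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(?:secret|password|passwd|token|api[_-]?key)\w*\s*[:=]\s*"
    r"[\"'](?P<value>[^\"']{20,})[\"']"
)
ENTROPY_THRESHOLD = 3.5  # bits/char; assumed cut-off for "random-looking"


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep only the first and last four characters so findings are safe to log."""
    return value[:4] + "..." + value[-4:] if len(value) > 8 else "*" * len(value)


def scan_line(text: str) -> list:
    """Return (rule, redacted_value) pairs for one added line of source."""
    hits = [(rule, redact(m.group(0)))
            for rule, rx in SPECIFIC_RULES.items() for m in rx.finditer(text)]
    if hits:                      # a known format beats the generic heuristic
        return hits
    m = GENERIC_ASSIGNMENT.search(text)
    if m and shannon_entropy(m.group("value")) >= ENTROPY_THRESHOLD:
        return [("high_entropy_assignment", redact(m.group("value")))]
    return []


def scan_diff(diff_text: str) -> list:
    """Walk a unified diff, scanning only '+' lines inside hunks.

    Tracks the new-file line number so each finding can be labelled
    'file:line'. Removed ('-') lines belong to the old file and are ignored.
    """
    findings, path, new_line, in_hunk = [], None, 0, False
    for raw in diff_text.splitlines():
        if raw.startswith("diff --git "):
            in_hunk = False
        elif raw.startswith("+++ ") and not in_hunk:
            path = raw[4:].removeprefix("b/")
        elif raw.startswith("@@ "):
            in_hunk = True
            new_line = int(re.search(r"\+(\d+)", raw).group(1))
        elif in_hunk and raw.startswith("+"):
            for rule, value in scan_line(raw[1:]):
                findings.append({"file": path, "line": new_line,
                                 "rule": rule, "value": value})
            new_line += 1
        elif in_hunk and raw.startswith(" "):
            new_line += 1
    return findings


# Constructed sample MR diff: one AWS key, one GitHub PAT, one random-looking
# password, and one harmless URL that must not be flagged.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,2 +10,5 @@
 DEBUG = False
-AWS_KEY = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+GITHUB_TOKEN = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij"
+DB_PASSWORD = "Q7rmZ2v9Kd4Lp8sXw1Ye6Tb3Nh5Gf0Jc"
+API_URL = "https://api.example.com"
"""

if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"{f['file']}:{f['line']}  {f['rule']}  {f['value']}")
```

Two design points carry over to any real implementation: specific-format rules run first so a recognised token is reported under its own name (which tells the responder which system to rotate it in), and the generic rule requires both a secret-looking identifier and a high-entropy value, which keeps `API_URL` and short placeholders like `"changeme"` out of the block path while still catching keys whose format you did not anticipate.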
Page on access bursts against a single Dropbox share link
Detects a sudden spike in Cloudflare requests against one public Dropbox link within a short window, expires the link.
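The two Dropbox-link templates above ("Quarantine Dropbox links accessed from unexpected geographies" and "Page on access bursts against a single Dropbox share link") share the same front half: pick the share links out of a request log, group by link, and apply either a geo allowlist or a sliding time window. The block below is an added example of that detection logic, not the templates' own code. It uses a generic JSON log shape (`ts`, `ip`, `country`, `host`, `uri`) that you would map your real Cloudflare fields onto; the allowlist, burst threshold and sample log lines are all constructed for the example.

```python
"""Detect unexpected-geo hits and access bursts on public Dropbox share links.

Added example; not the workflow templates' own implementation. Log field
names, allowlist, thresholds and SAMPLE_LOGS are constructed assumptions.
"""
import json
from collections import defaultdict, deque
from typing import Optional
from urllib.parse import urlsplit

EXPECTED_COUNTRIES = {"US", "GB", "DE"}  # assumed allowlist of expected geos
BURST_THRESHOLD = 5                      # assumed: this many hits on one link
BURST_WINDOW_S = 60                      # ... within this many seconds = burst


def dropbox_link(host: str, uri: str) -> Optional[str]:
    """Normalise a Dropbox share URL to a stable link id, or None if not one.

    Handles the legacy /s/<id>/<name> and current /scl/fi/<id>/<name> shapes;
    the query string (?dl=0 etc.) is dropped so one link has one key.
    """
    if host not in ("www.dropbox.com", "dropbox.com"):
        return None
    parts = urlsplit(uri).path.strip("/").split("/")
    if len(parts) >= 2 and parts[0] == "s":
        return f"s/{parts[1]}"
    if len(parts) >= 3 and parts[:2] == ["scl", "fi"]:
        return f"scl/fi/{parts[2]}"
    return None


def detect(log_text: str) -> dict:
    """Run both detections over JSON-lines logs; returns the two finding lists.

    Events are sorted by timestamp first so the sliding window is correct even
    when the log export is not strictly ordered. Each link is reported as a
    burst at most once so a sustained spike does not page repeatedly.
    """
    events = sorted((json.loads(line) for line in log_text.splitlines() if line.strip()),
                    key=lambda e: e["ts"])
    unexpected_geo, bursts = [], []
    windows = defaultdict(deque)   # link -> timestamps inside the current window
    burst_flagged = set()
    for e in events:
        link = dropbox_link(e["host"], e["uri"])
        if link is None:
            continue                # not a share link; nothing to watch
        if e["country"] not in EXPECTED_COUNTRIES:
            unexpected_geo.append({"link": link, "country": e["country"], "ip": e["ip"]})
        w = windows[link]
        w.append(e["ts"])
        while w and e["ts"] - w[0] > BURST_WINDOW_S:
            w.popleft()             # evict hits older than the window
        if len(w) >= BURST_THRESHOLD and link not in burst_flagged:
            burst_flagged.add(link)
            bursts.append({"link": link, "hits": len(w),
                           "window_start": w[0], "window_end": e["ts"]})
    return {"unexpected_geo": unexpected_geo, "bursts": bursts}


def _event(ts, ip, country, host, uri):
    return {"ts": ts, "ip": ip, "country": country, "host": host, "uri": uri}


# Constructed sample: six rapid US hits on one link (a burst), one RU hit on a
# second link, a later CN hit on the first link, and one non-Dropbox request.
SAMPLE_LOGS = "\n".join(json.dumps(e) for e in [
    *(_event(1700000000 + 5 * i, "203.0.113.10", "US", "www.dropbox.com",
             "/scl/fi/abc123/q4-plan.xlsx?dl=0") for i in range(6)),
    _event(1700000100, "198.51.100.7", "RU", "www.dropbox.com", "/s/def456/board-deck.pdf"),
    _event(1700000300, "198.51.100.9", "CN", "www.dropbox.com", "/scl/fi/abc123/q4-plan.xlsx?dl=1"),
    _event(1700000200, "192.0.2.5", "US", "example.com", "/index.html"),
])

if __name__ == "__main__":
    print(json.dumps(detect(SAMPLE_LOGS), indent=2))
```

The normalisation step matters more than it looks: `?dl=0` and `?dl=1` are the same link, and if you keyed on the raw URI the burst counter would split across variants and never trip. The once-per-link flag is what keeps the PagerDuty side of the template from firing on every request after the threshold is crossed.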
PII Content Scan on New Dropbox External Share
When a file gets an external Dropbox link, it reads the file content, uses an AI classifier to detect PII or secrets.
Cloudflare Egress Anomaly to SOC Investigation Dossier
Watches Cloudflare Logpush for outbound traffic spikes, enriches the destination, scores severity, and opens a structured SOC investigation page in Notion with a starter IOC…
Acknowledge Phishing Reporters and Close the Loop
After a reported email is triaged, this emails the employee who reported it with the outcome, awards a recognition note for true positives.
Triage agent that reads GitLab MRs and assigns the right pod
An agent reads each security-labeled merge request, reasons about which reviewer pod and specialist should own it, applies the routing labels.
Loom-leaked secret correlation with GitHub rotation PR
When a secret is found in a Loom video, searches the org's GitHub repos for the same secret in code, and if it lives in a tracked file.
Exposed-secret kill switch from an external scanner webhook
When an external secret scanner posts a detection webhook, this workflow rotates the credential in its source system, force-expires user sessions.
Escalate critical exploited CVEs against running services to PagerDuty
On each new advisory, cross-references the affected package against a live service inventory and, when a CISA KEV-listed or actively exploited critical CVE hits a production dependency…
Cloudflare Daily Audit Digest with AI Triage
Each morning, pulls the prior day's Cloudflare audit log, uses an AI agent to triage and rank changes by risk.
Real-Time IdP Grant Enrichment and Risk Triage
On every privileged role assignment from your identity provider, it enriches the event with HR and threat context, classifies risk with an LLM, and routes the grant to Slack.
New-Domain Onboarding Exposure Baseline to Postgres
When a domain is added to your monitored list, runs a deep Brave Search exposure scan, snapshots every confirmed leak into a Postgres baseline table.
Daily Loom library secret audit with findings tracker
Each morning, sweeps Loom recordings published in the last 24 hours for exposed secrets and logs every finding to a Linear-tracked queue with severity and owner.
Exposed-Secret Rotation Orchestrator with Owner Ack
When a secret scanner flags a leaked credential in a GitHub repo, it opens a tracked rotation ticket, pings the owning team in Slack.
Route blocked WAF events to Slack for one-click allowlist approval
On each Cloudflare firewall webhook, evaluates whether a blocked request looks like a legitimate false positive and posts an interactive Slack approval card.
Weekly Exposed-Credential Digest with Slack Triage Buttons
Every Monday, aggregates the week's Brave Search exposure hits for your domains into one ranked Slack digest where the team triages each item.
JIT Privileged-Grant Anomaly Review from Axiom Audit Logs
Watches Axiom for new privileged-role grants, scores each against baseline behavior with an LLM, and posts high-risk grants to Slack with one-click approve or revoke actions.
Break-Glass Grant Instant Escalation and Auto-Expiry Watch
Fires the moment a break-glass or emergency admin role is granted, immediately pages on-call via PagerDuty.
Quarterly OAuth Grant Attestation Pack
Builds a quarterly inventory of every third-party OAuth app authorized in Google Workspace, summarizes scope risk and usage.
Weekly SBOM-vs-advisory drift digest to Confluence and Slack
Each week, reconciles your full SBOM against accumulated advisories and publishes a Confluence report of open exposures, newly-fixed items, and aging unpatched CVEs.
Real-Time Alert on Newly Public-Shared Drive Files
Listens for a webhook whenever a Drive file is newly shared externally, classifies whether the file is sensitive.
Vendor Offboarding Deprovision Attestation
When a vendor offboarding event arrives via webhook, opens a tracked revocation checklist, verifies access is actually removed in Postgres.
Phishing URL and IOC Enrichment
Takes a reported phishing email submitted via webhook, extracts every URL and sender indicator, enriches them against threat-intel lookups.
AI triage of Dropbox exposures into owned Linear tickets
On demand, an agent reviews flagged public Dropbox links on sensitive folders, classifies each by data type and severity, drafts remediation steps.
Agent-Built Impact Brief for a Breached SSO Vendor
On demand, an agent researches a named vendor breach, cross-references it with your SSO inventory and integration scopes.
CEO Agent Leaked-Secret Blast-Radius Triage
When a secret leak alert arrives, an agent investigates where the credential is used, drafts a blast-radius and rotation plan, and routes it to the right owners for approval.
Cloudflare Block-Storm PagerDuty Triage and Rule Proposal
Triggered by a PagerDuty incident for a block-storm, it gathers the live Cloudflare attack picture, classifies whether it is an attack or a self-inflicted false positive.
Leaked Cloudflare API Token Revoke and Reissue
On detection of an exposed Cloudflare API token, this workflow immediately revokes the live token, issues a scoped replacement, stores it securely.
Auto-rotate Cloudflare secret on GitHub secret-scanning alert
When GitHub's secret-scanning raises an alert, this rotates the leaked value in Cloudflare Workers secrets, marks the GitHub alert resolved.
Detonate Reported Phishing URLs and Score Risk
When an employee forwards a suspicious email to your phishing inbox, this extracts every URL, detonates them in a headless sandbox browser.
Rotate leaked API key on GitHub push and redeploy Vercel
Scans every push to GitHub for credential patterns, and on a confirmed hit rotates the matching Vercel environment variable, revokes the old key.
Confirmed Secret Leak to Incident Bridge and Postmortem
When a high-severity credential exposure is confirmed, this workflow opens a PagerDuty incident, spins up a Slack war room.
Customer-Reported Block to WAF Exception Proposal
Turns a customer-submitted "I'm being blocked" report into a traced Cloudflare WAF investigation and a drafted, ready-to-apply rule exception, routed to secops for sign-off.

Start with a template, not a blank canvas.
14-day trial. No DevOps. No Sales call. Provisioned in under a minute.
