SECOPS
Customer-Reported Block to WAF Exception Proposal
Turns a customer-submitted "I'm being blocked" report into a traced Cloudflare WAF investigation and a drafted, ready-to-apply rule exception, routed to secops for sign-off.
How it runs
The automated pipeline, trigger to output.
- Trigger: Webhook receives customer block report with ray ID (HTTP webhook)
- Action: Look up matching Cloudflare WAF event and firing rule (Cloudflare)
- Logic: Verify request signature looks like a legitimate user
- Action: Draft tightly scoped exception for rule and path
- Output: Post proposal to Slack and file audit note in Notion (Slack)
What it does
When a customer reports being wrongly blocked, this workflow takes their ray ID or request details, looks up the exact Cloudflare WAF event that blocked them, identifies the responsible rule, and drafts a precise, narrowly scoped exception. It packages the finding and proposed change for a secops engineer to approve, so support and security stay in sync.
When to use it
Use it to close the loop between support tickets and WAF tuning. Instead of support guessing and security re-investigating from scratch, one report produces one traced root cause and one concrete fix.
How it works
1. A webhook receives the customer block report (ray ID, URL, timestamp) from your support form or helpdesk.
2. The workflow queries Cloudflare for the matching firewall event and the rule that fired.
3. Logic checks whether the request signature is consistent with a legitimate user.
4. If benign, it drafts a tightly scoped exception for that rule and path.
5. The proposal and evidence post to Slack for engineer approval, and an audit note is filed in Notion.
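A sketch of step 4, added here as an illustration and not taken from the product: it turns one matched block event into an exception proposal that skips only the rule that fired, on one host, path and method. The event field names, the placeholder IDs and the `pending_secops_approval` status are assumptions; the expression uses Cloudflare Rules language fields and the `skip` action, which should be checked against current Cloudflare documentation before use.

```python
import re

# Constructed sample event; the field names are assumptions for this example,
# not Cloudflare's API schema.
SAMPLE_EVENT = {
    "ray_id": "0123456789abcdef",
    "action": "block",
    "host": "shop.example.com",
    "path": "/api/v1/upload",
    "method": "POST",
    "ruleset_id": "RULESET_ID_PLACEHOLDER",
    "rule_id": "RULE_ID_PLACEHOLDER",
}

HOST_RE = re.compile(r"[a-z0-9.-]+")
PATH_RE = re.compile(r"/[A-Za-z0-9._~/-]+")  # rejects "/", quotes, spaces, wildcards
METHODS = {"GET", "POST", "PUT", "PATCH", "DELETE"}


def draft_exception(report_ray_id, event):
    """Return a proposal dict, or raise ValueError when no safe draft exists."""
    if event["ray_id"] != report_ray_id:
        raise ValueError("event does not match the reported ray ID")
    if event["action"] != "block":
        raise ValueError("event was not a block; nothing to except")
    host, path, method = event["host"], event["path"], event["method"]
    # These values are interpolated into a rule expression, so allow-list them
    # instead of trying to escape strings the requester controls.
    if not HOST_RE.fullmatch(host) or not PATH_RE.fullmatch(path):
        raise ValueError("host or path is too broad or unsafe to interpolate")
    if method not in METHODS:
        raise ValueError("unexpected HTTP method")
    expression = (
        f'http.host eq "{host}" and http.request.uri.path eq "{path}" '
        f'and http.request.method eq "{method}"'
    )
    return {
        "status": "pending_secops_approval",  # drafted only, never auto-applied
        "ray_id": report_ray_id,
        "expression": expression,
        "action": "skip",
        # Skip only the rule that fired, not the whole ruleset.
        "action_parameters": {"rules": {event["ruleset_id"]: [event["rule_id"]]}},
    }
```

The allow-list matters because the path in the event originates from the blocked request: a path containing a quote could otherwise widen the expression beyond the single route under review.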
Set it up
What you configure once, before turning it on.
1. Connect Cloudflare: Workers, Pages, R2, KV (the edge stack).
2. Connect Slack: channels, DMs, threads, mentions.
3. Connect Notion: pages, databases, comments.
4. Connect HTTP webhook: trigger any URL on agent actions.
5. Set each agent's model: we leave models unset so you pick the tier, fast + cheap or top-quality.
6. Tune it to your data: edit the prompts, filters, and field mappings so it matches how your team works.
7. Test, then turn it on: run once against a sample, confirm the output, then enable the trigger.
