SECOPS
Assemble a Takedown Evidence Pack on Demand
On request, gathers Brave Search and live-page evidence for a confirmed impersonation domain and compiles a structured evidence document into Google Drive.
How it runs
The automated pipeline, trigger to output.
- Trigger: Webhook receives confirmed domain and ticket ID (HTTP webhook)
- Action: Brave Search retrieves indexed evidence (Brave Search)
- Action: Capture live page screenshots and source (Browserbase)
- Action: Draft infringement narrative with OpenAI (OpenAI)
- Action: Write evidence pack to Google Drive (Google Drive)
- Output: Attach link to the Linear ticket as takedown-ready (Linear)
What it does
This workflow produces the paperwork a takedown actually needs. For one confirmed impersonation domain it pulls search evidence, captures the live phishing page, and assembles a structured evidence pack — domain details, screenshots, infringing-content notes, and timestamps — into a Google Drive document ready to attach to a registrar or host abuse report.
When to use it
Use it the moment a domain is confirmed malicious and you are ready to file a takedown. It removes the manual screenshot-and-write-up grind and ensures every report carries consistent, timestamped evidence.
How it works
1. A webhook trigger receives the confirmed domain and its Linear ticket ID.
2. A Brave Search action retrieves indexed pages and references for the domain.
3. A browser action loads the live site and captures screenshots and page source.
4. An OpenAI action drafts the infringement narrative and brand-misuse summary from the captured material.
5. A Google Drive action writes the compiled evidence pack as a document.
6. The output attaches the document link to the originating Linear ticket and marks it takedown-ready.
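The compile step (steps 1 to 5 feeding one document) can be sketched as follows. This is an added example, not the workflow's own code: the payload and capture field names are assumptions, the SHA-256 artifact hashes are an addition for evidence integrity that the page does not mention, and the inputs stand in for whatever the search and browser steps return.

```python
import hashlib
import re
from datetime import timezone

# Bare hostname only: LDH labels separated by dots, no scheme, port or path.
_HOST_RE = re.compile(
    r"^(?=.{4,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{1,62}$"
)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_evidence_pack(payload: dict, search_hits: list, capture: dict) -> str:
    """Compile one Markdown evidence document from the pipeline's intermediate results.

    All field names below are assumptions made for this example:
    payload     -- webhook body {"domain": ..., "ticket_id": ...}
    search_hits -- [{"title": ..., "url": ...}] from the search step
    capture     -- {"captured_at": aware datetime, "source": bytes,
                    "screenshots": {filename: bytes}}
    """
    domain = str(payload.get("domain", "")).strip().lower().rstrip(".")
    ticket = str(payload.get("ticket_id", "")).strip()
    if not _HOST_RE.match(domain):
        raise ValueError(f"domain must be a bare hostname, got {domain!r}")
    if not ticket:
        raise ValueError("ticket_id is required")
    captured_at = capture["captured_at"]
    if captured_at.tzinfo is None:
        raise ValueError("captured_at must be timezone-aware")
    # Normalise to UTC so every report carries comparable timestamps.
    stamp = captured_at.astimezone(timezone.utc).isoformat(timespec="seconds")
    lines = [
        f"# Takedown evidence pack: {domain}",
        f"- Ticket: {ticket}",
        f"- Live page captured (UTC): {stamp}",
        f"- Page source SHA-256: {sha256_hex(capture['source'])}",
        "",
        "## Screenshots",
    ]
    # Hash each artifact so a recipient can confirm it is unchanged since capture.
    for name, blob in sorted(capture["screenshots"].items()):
        lines.append(f"- {name} (SHA-256: {sha256_hex(blob)})")
    lines += ["", "## Indexed references"]
    for hit in search_hits:
        lines.append(f"- {hit['title']}: {hit['url']}")
    return "\n".join(lines) + "\n"
```

Rejecting anything other than a bare hostname at the webhook keeps a malformed or URL-shaped value from reaching the search and browser steps.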
Set it up
What you configure once, before turning it on.
1. Connect HTTP webhook: Trigger any URL on agent actions.
2. Connect Brave Search: Web, news, image, video search.
3. Connect Browserbase: Headless browsers, sessions, replays.
4. Connect OpenAI: Models, embeddings, files.
5. Connect Google Drive: Docs, sheets, slides, files.
6. Connect Linear: Issues, projects, cycles, triage.
7. Set each agent's model: We leave models unset so you pick the tier — fast + cheap, or top-quality.
8. Tune it to your data: Edit the prompts, filters, and field mappings so it matches how your team works.
9. Test, then turn it on: Run once against a sample, confirm the output, then enable the trigger.
More SecOps workflows
Scheduled AWS Access-Key Age Sweep and Forced Rotation
Runs daily to find IAM access keys older than your policy threshold, deactivates the stale key, issues a fresh pair, and notifies the key owner with their replacement instructions.
Correlate Datadog WAF anomaly alert with Cloudflare evidence
When Datadog fires a WAF block-rate anomaly monitor, it pulls the matching Cloudflare firewall events and builds an evidence pack of top rules and ASNs.
Exposed-Secret Incident Triage and Remediation Agent
An agent-driven workflow that investigates a reported leaked secret end to end, decides revoke-versus-escalate, and executes the rotation.
Non-Rotatable Leaked Secret to PagerDuty Escalation
Catches secret-scan hits for credentials that cannot be auto-rotated, gathers blast-radius context, and pages the on-call engineer with a step-by-step manual rotation runbook.
GitHub Secret-Scan Hit to Auto-Revoke and Rotate
When GitHub secret scanning flags a leaked credential in a repo, it auto-classifies the secret type, revokes the live key at the provider, and mints a replacement.
Post-Revocation Verification and Audit Logging
After a key is revoked, it confirms the old credential actually fails and verifies the replacement works.
