SECOPS
Live API-Key Exposure Detector with PagerDuty Escalation
On demand or via webhook, searches the public web through Brave Search for your live API key prefixes and service tokens leaking on public pages.
How it runs
The automated pipeline, trigger to output.
- Trigger: Webhook or manual run starts the key hunt (HTTP webhook)
- Action: Brave Search for live key prefixes plus org markers (Brave Search)
- Action: OpenAI validates key structure and scores severity (OpenAI)
- Logic: Branch active high-severity keys vs examples
- Action: Page on-call via PagerDuty for active keys (PagerDuty)
- Output: Summarize non-urgent hits to Slack (Slack)
What it does
Detects when an active production secret — identified by its provider prefix (`sk-`, `AKIA`, `ghp_`, `xoxb-` and friends) — shows up on a publicly indexed page, and escalates immediately instead of waiting for a daily report. Active keys are a fire, not a ticket.
When to use it
Trigger it right after a suspected leak, a contractor offboarding, or a repo that briefly went public — when you need a fast, focused answer to "are any of our live keys out there right now?" with paging if the answer is yes.
How it works
1. A webhook (or manual run) kicks off the check, optionally scoped to specific key prefixes.
2. Brave Search queries the public web for each prefix pattern combined with your org markers.
3. An OpenAI step inspects each candidate, judging whether the string is a structurally valid live key versus a placeholder or example, and scores severity.
4. A logic branch separates active high-severity keys from examples and stale tokens.
5. Active keys trigger a PagerDuty incident with the key fingerprint and source URL; everything else is summarized to Slack for review.
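The classify, branch and fingerprint steps above, sketched as an added example (not the workflow's own code): it swaps the OpenAI judgment for a deterministic regex, placeholder-hint and entropy check that could run before the model. The token shapes, hint list, entropy threshold and truncated SHA-256 fingerprint are all assumptions.

```python
import hashlib
import math
import re
from collections import Counter

# Approximate token shapes per prefix (assumption: providers may change formats).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
PLACEHOLDER_HINTS = ("EXAMPLE", "XXXX", "YOUR", "DUMMY", "12345")
MIN_ENTROPY_BITS = 3.0  # per character; hypothetical threshold, tune on your data


def entropy(s):
    """Shannon entropy in bits per character."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def fingerprint(token):
    """Truncated SHA-256, so alerts never carry the raw secret."""
    return hashlib.sha256(token.encode()).hexdigest()[:16]


def triage(text, source_url):
    """Return one finding per structurally valid token found in text."""
    findings = []
    for provider, pattern in PATTERNS.items():
        for token in set(pattern.findall(text)):
            body = token[4:]  # both prefixes here are 4 characters long
            looks_fake = (any(h in token.upper() for h in PLACEHOLDER_HINTS)
                          or entropy(body) < MIN_ENTROPY_BITS)
            findings.append({
                "provider": provider,
                "fingerprint": fingerprint(token),
                "source_url": source_url,
                "route": "slack" if looks_fake else "pagerduty",
            })
    return findings


# Constructed sample page text: two placeholders and one random-looking key.
SAMPLE = (
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
    "export AWS_KEY=AKIAQ7ZK2M4XW9TB3HJD\n"
    "token: ghp_" + "x" * 36 + "\n"
)

if __name__ == "__main__":
    for finding in triage(SAMPLE, "https://example.invalid/paste/1"):
        print(finding)
```

The documentation placeholder has high entropy and is caught only by the hint list, which is why both checks are combined.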
Set it up
What you configure once, before turning it on.
1. Connect Brave Search: Web, news, image, video search.
2. Connect OpenAI: Models, embeddings, files.
3. Connect PagerDuty: Incidents, on-call, escalations.
4. Connect Slack: Channels, DMs, threads, mentions.
5. Connect HTTP webhook: Trigger any URL on agent actions.
6. Set each agent's model: We leave models unset so you pick the tier — fast + cheap, or top-quality.
7. Tune it to your data: Edit the prompts, filters, and field mappings so it matches how your team works.
8. Test, then turn it on: Run once against a sample, confirm the output, then enable the trigger.
