SECOPS
Weekly Exposed-Credential Digest with Slack Triage Buttons
Every Monday, aggregates the week's Brave Search exposure hits for your domains into one ranked Slack digest where the team triages each item.
How it runs
The automated pipeline, trigger to output.
- Trigger: Weekly Monday schedule starts the digest
- Action: Brave Search trailing-7-day sweep per domain (Brave Search)
- Action: OpenAI dedupes, ranks, and writes rationales (OpenAI)
- Output: Post ranked digest to Slack with triage buttons (Slack)
- Logic: Route only approved items downstream
- Action: Open Linear rotation ticket for approved items (Linear)
What it does
Replaces a flood of per-hit alerts with a single weekly, severity-ranked digest. The team reviews exposures together in Slack and decides which ones warrant a rotation ticket, keeping a human in the loop for ambiguous finds while still capturing the obvious ones.
When to use it
Use it when continuous paging is overkill and you'd rather batch-review credential exposure once a week — good for smaller teams or lower-risk domains where triage judgment matters more than speed.
How it works
1. A weekly schedule (Monday morning) starts the digest build.
2. Brave Search sweeps paste sites and the open web for each monitored domain over the trailing seven days.
3. An OpenAI step deduplicates, ranks by severity, and writes a one-line rationale per finding.
4. A formatted Slack message posts the ranked list with Approve / Dismiss controls per item.
5. On approval, a Linear ticket is created with the evidence; dismissed items are logged and suppressed from next week's digest.
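The dedupe, ranking, and dismissal-suppression logic from the steps above, sketched as an added example (not the product's own code). It swaps the OpenAI step for a deterministic fingerprint so the behaviour is testable; the field names, severity weights, and sample hits are assumptions constructed for illustration.

```python
import hashlib
from urllib.parse import urlsplit

# Assumed severity weights; the page does not define a scoring scheme.
SEVERITY = {"api_key": 3, "password": 2, "email_only": 1}

# Constructed sample hits (hypothetical field names, reserved example domains).
SAMPLE_HITS = [
    {"domain": "example.com", "url": "https://paste.example/abc", "kind": "password", "seen": "2024-01-02"},
    {"domain": "example.com", "url": "https://PASTE.example/abc/", "kind": "password", "seen": "2024-01-03"},
    {"domain": "example.com", "url": "https://code.example/repo/config", "kind": "api_key", "seen": "2024-01-04"},
    {"domain": "example.org", "url": "https://forum.example/t/9", "kind": "email_only", "seen": "2024-01-01"},
]

def fingerprint(hit):
    """Stable ID: monitored domain + normalized URL + credential kind."""
    u = urlsplit(hit["url"].strip())
    norm = u.netloc.lower() + u.path.rstrip("/") + ("?" + u.query if u.query else "")
    raw = f"{hit['domain'].lower()}|{norm}|{hit['kind']}"
    return hashlib.sha256(raw.encode()).hexdigest()[:16]

def build_digest(hits, dismissed):
    """Dedupe hits, drop dismissed fingerprints, rank by severity then first sighting."""
    unique = {}
    for hit in hits:
        fp = fingerprint(hit)
        if fp in dismissed:
            continue  # suppressed: a reviewer dismissed this finding earlier
        kept = unique.get(fp)
        if kept is None or hit["seen"] < kept["seen"]:
            unique[fp] = {**hit, "id": fp}  # keep the earliest sighting
    return sorted(unique.values(), key=lambda h: (-SEVERITY.get(h["kind"], 0), h["seen"]))

def apply_triage(digest, decisions, dismissed):
    """Route approved items onward, record dismissals, leave the rest pending."""
    approved, pending = [], []
    for item in digest:
        decision = decisions.get(item["id"])
        if decision == "approve":
            approved.append(item)      # would become a rotation ticket
        elif decision == "dismiss":
            dismissed.add(item["id"])  # suppressed from later digests
        else:
            pending.append(item)       # no button pressed: not auto-approved
    return approved, pending
```

Persist the `dismissed` set between runs; an item nobody triaged stays pending rather than being treated as approved or dismissed.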
Set it up
What you configure once, before turning it on.
1. Connect Brave Search: Web, news, image, video search.
2. Connect OpenAI: Models, embeddings, files.
3. Connect Slack: Channels, DMs, threads, mentions.
4. Connect Linear: Issues, projects, cycles, triage.
5. Set each agent's model: We leave models unset so you pick the tier: fast + cheap, or top-quality.
6. Tune it to your data: Edit the prompts, filters, and field mappings so it matches how your team works.
7. Test, then turn it on: Run once against a sample, confirm the output, then enable the trigger.
More SecOps workflows
Scheduled AWS Access-Key Age Sweep and Forced Rotation
Runs daily to find IAM access keys older than your policy threshold, deactivates the stale key, issues a fresh pair, and notifies the key owner with their replacement instructions.
Correlate Datadog WAF anomaly alert with Cloudflare evidence
When Datadog fires a WAF block-rate anomaly monitor, it pulls the matching Cloudflare firewall events, builds an evidence pack of top rules and ASNs.
Exposed-Secret Incident Triage and Remediation Agent
An agent-driven workflow that investigates a reported leaked secret end to end, decides revoke-versus-escalate, executes the rotation.
Non-Rotatable Leaked Secret to PagerDuty Escalation
Catches secret-scan hits for credentials that cannot be auto-rotated, gathers blast-radius context, and pages the on-call engineer with a step-by-step manual rotation runbook.
GitHub Secret-Scan Hit to Auto-Revoke and Rotate
When GitHub secret scanning flags a leaked credential in a repo, it auto-classifies the secret type, revokes the live key at the provider, mints a replacement.
Post-Revocation Verification and Audit Logging
After a key is revoked, it confirms the old credential actually fails, verifies the replacement works.
Run it inside a business
This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.

