SECOPS
Canary Token Tripwire Lockdown
Listens for a planted decoy credential being used, treats any hit as a confirmed breach, disables the associated principal, and escalates with full request context.
How it runs
The automated pipeline, trigger to output.
- Trigger: Canary token webhook fires (HTTP webhook)
- Logic: Validate token against canary registry
- Action: Disable compromised IAM principal (AWS S3)
- Action: Open critical breach incident (PagerDuty)
- Action: Write request context to incident log (Postgres)
- Output: Post breach to Slack war room (Slack)
What it does
Deploys an alarm on bait credentials. A canary token should never be used legitimately, so any single use is treated as a confirmed compromise: the flow locks down the principal and escalates immediately with the source IP and user agent that tripped it.
When to use it
Use it when you have intentionally planted decoy keys in code, config files, or honeypot S3 buckets and want zero-tolerance, instant response. This is detection by trap, not pattern matching, so false positives are near zero.
How it works
1. An inbound webhook receives the canary trigger payload with caller metadata.
2. A logic step validates the token ID against the registry of active canaries.
3. The matched IAM principal is immediately disabled through the AWS API to stop further use.
4. PagerDuty opens a critical incident flagged as a confirmed breach.
5. The full request context (IP, user agent, timestamp) is written to a Postgres incident log.
6. A Slack war-room message posts with the breach summary and the disabled principal.
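The six steps above, as an added example that is not part of this workflow's own code: a webhook handler that parses the trigger payload, checks the token ID against a registry of active canaries, contains first (disable the bound principal), then escalates and records context. The registry shape, the payload fields (token_id, source_ip, user_agent, timestamp), the Connectors class standing in for the AWS, PagerDuty, Postgres and Slack connectors, and the rule that repeat hits on an already-disabled principal are logged but not re-paged are all assumptions made for the example. Unknown or retired tokens and malformed bodies are dropped rather than escalated, so only a registered decoy can trip the lockdown.

```python
"""Canary token tripwire: webhook payload -> registry check -> lockdown + escalation.

Added example. The real workflow's connectors are replaced by in-memory stand-ins
so the handler runs offline; the payload and registry formats are assumed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import json

# Constructed registry: token_id -> the decoy IAM principal the token is bound to.
# "active" lets a retired canary be ignored without deleting its history.
CANARY_REGISTRY = {
    "ct-7f3a": {"principal": "arn:aws:iam::123456789012:user/decoy-ci-deploy", "active": True},
    "ct-19bb": {"principal": "arn:aws:iam::123456789012:user/decoy-backup-reader", "active": False},
}

REQUIRED_FIELDS = ("token_id", "source_ip", "user_agent")


@dataclass
class Incident:
    token_id: str
    principal: str
    source_ip: str
    user_agent: str
    timestamp: str
    actions: list = field(default_factory=list)


class Connectors:
    """Offline stand-ins for the AWS, PagerDuty, Postgres and Slack steps (assumed interface)."""

    def __init__(self):
        self.disabled_principals = set()
        self.pagerduty_incidents = []
        self.incident_log = []
        self.slack_posts = []

    def disable_principal(self, arn: str) -> None:
        self.disabled_principals.add(arn)

    def open_critical_incident(self, summary: str) -> None:
        self.pagerduty_incidents.append(summary)

    def write_incident_log(self, row: dict) -> None:
        self.incident_log.append(row)

    def post_war_room(self, text: str) -> None:
        self.slack_posts.append(text)


def handle_canary_webhook(raw_body: str, registry: dict, conn: Connectors):
    """Process one webhook delivery; return an Incident for a live canary, else None."""
    # Step 1: parse the trigger payload and require the caller metadata we escalate with.
    try:
        payload = json.loads(raw_body)
    except json.JSONDecodeError:
        return None
    if not isinstance(payload, dict) or any(k not in payload for k in REQUIRED_FIELDS):
        return None

    # Step 2: only a registered, still-active token counts as a hit.
    entry = registry.get(payload["token_id"])
    if entry is None or not entry.get("active"):
        return None

    ts = payload.get("timestamp") or datetime.now(timezone.utc).isoformat()
    inc = Incident(payload["token_id"], entry["principal"],
                   payload["source_ip"], payload["user_agent"], ts)

    # Step 3: contain before notifying, so the credential stops working immediately.
    already_disabled = inc.principal in conn.disabled_principals
    conn.disable_principal(inc.principal)
    inc.actions.append("disable_principal")

    # Step 4: one critical incident per principal; later hits on a principal that is
    # already disabled are recorded below but not re-paged (assumed policy).
    if not already_disabled:
        conn.open_critical_incident(
            f"CONFIRMED BREACH: canary {inc.token_id} used from {inc.source_ip}")
        inc.actions.append("open_incident")

    # Step 5: full request context to the incident log.
    conn.write_incident_log({"token_id": inc.token_id, "principal": inc.principal,
                             "source_ip": inc.source_ip, "user_agent": inc.user_agent,
                             "timestamp": inc.timestamp})
    inc.actions.append("write_log")

    # Step 6: war-room summary naming the disabled principal.
    conn.post_war_room(f"Canary {inc.token_id} tripped by {inc.source_ip} "
                       f"({inc.user_agent}); disabled {inc.principal}")
    inc.actions.append("post_slack")
    return inc


if __name__ == "__main__":
    # Constructed sample delivery.
    sample = json.dumps({"token_id": "ct-7f3a", "source_ip": "203.0.113.9",
                         "user_agent": "aws-cli/2.15.0", "timestamp": "2024-01-01T00:00:00Z"})
    c = Connectors()
    print(handle_canary_webhook(sample, CANARY_REGISTRY, c))
    print(c.slack_posts)
```

The ordering is the point: the disable call runs before the page and the Slack post, because a canary hit means the attacker is holding a working credential right now and every second it stays valid is more blast radius. Dropping unknown token IDs silently also matters, since a public webhook URL will receive junk and each of those must not open a critical incident.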
Set it up
What you configure once, before turning it on.
1. Connect HTTP webhook: Trigger any URL on agent actions.
2. Connect AWS S3: Buckets, objects, signed URLs.
3. Connect PagerDuty: Incidents, on-call, escalations.
4. Connect Postgres: Any Postgres URL — query, write, migrate.
5. Connect Slack: Channels, DMs, threads, mentions.
6. Set each agent's model: We leave models unset so you pick the tier — fast + cheap, or top-quality.
7. Tune it to your data: Edit the prompts, filters, and field mappings so it matches how your team works.
8. Test, then turn it on: Run once against a sample, confirm the output, then enable the trigger.
More SecOps workflows
Scheduled AWS Access-Key Age Sweep and Forced Rotation
Runs daily to find IAM access keys older than your policy threshold, deactivates the stale key, issues a fresh pair, and notifies the key owner with their replacement instructions.
Correlate Datadog WAF anomaly alert with Cloudflare evidence
When Datadog fires a WAF block-rate anomaly monitor, it pulls the matching Cloudflare firewall events, builds an evidence pack of top rules and ASNs.
Exposed-Secret Incident Triage and Remediation Agent
An agent-driven workflow that investigates a reported leaked secret end to end, decides revoke-versus-escalate, executes the rotation.
Non-Rotatable Leaked Secret to PagerDuty Escalation
Catches secret-scan hits for credentials that cannot be auto-rotated, gathers blast-radius context, and pages the on-call engineer with a step-by-step manual rotation runbook.
GitHub Secret-Scan Hit to Auto-Revoke and Rotate
When GitHub secret scanning flags a leaked credential in a repo, it auto-classifies the secret type, revokes the live key at the provider, mints a replacement.
Post-Revocation Verification and Audit Logging
After a key is revoked, it confirms the old credential actually fails, verifies the replacement works.
Run it inside a business
This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.

Run this workflow in your colony.
14-day trial. No DevOps. No Sales call. Provisioned in under a minute.
