SECOPS
Cloudflare Daily Audit Digest with AI Triage
Each morning, pulls the prior day's Cloudflare audit log and uses an AI agent to triage and rank changes by risk.
How it runs
The automated pipeline, trigger to output.
- Trigger: Every morning, pull prior 24h of Cloudflare audit entries (Cloudflare)
- Action: AI agent triages and risk-ranks each change (OpenAI)
- Logic: Split high-risk items from the rest
- Action: File Linear ticket per high-risk change (Linear)
- Action: Post ranked digest to Slack (Slack)
- Output: Return digest and ticket IDs
What it does
Produces a once-a-day, human-readable summary of everything that changed in Cloudflare the previous day. An AI agent reviews each audit entry, scores it for risk (considering actor, action type, off-hours timing, and sensitivity of the resource), and writes a plain-English digest grouped by risk tier. Low and medium items stay in the Slack digest for awareness; only high-risk changes get a Linear ticket so the queue stays clean.
When to use it
Use this when you want daily situational awareness of Cloudflare activity without per-event alert fatigue, and you want a smart summary rather than a raw log dump.
How it works
1. A morning schedule pulls the previous 24 hours of Cloudflare audit entries.
2. An AI agent triages every entry, assigns a risk tier, and drafts a grouped digest with reasoning.
3. A logic step splits high-risk items from the rest.
4. An action files a Linear ticket for each high-risk change with the agent's rationale.
5. An action posts the full ranked digest to the secops Slack channel.
6. The digest and any ticket IDs are returned as output.
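A rule-based sketch of the triage and split steps, added here as an example; it is not the workflow's own code and it stands in for the AI agent with fixed weights. The entry fields (`actor.email`, `action.type`, `resource.type`, `when`) are an assumed audit-entry shape, and the actor list, action names, resource names, weights and thresholds are all constructed.

```python
from datetime import datetime, timezone

# Assumed policy values, constructed for illustration; tune to your environment.
KNOWN_ACTORS = {"alice@example.com", "terraform@example.com"}
RISKY_ACTIONS = {"delete", "rotate", "revoke"}
SENSITIVE_RESOURCES = {"api_token", "dns_record", "firewall_rule", "member"}
BUSINESS_HOURS_UTC = range(8, 18)  # 08:00-17:59 UTC, Monday to Friday

def score(entry):
    """Return (points, reasons) from actor, action type, timing and resource."""
    when = datetime.fromisoformat(entry["when"].replace("Z", "+00:00"))
    when = when.astimezone(timezone.utc)
    checks = [
        (entry["actor"]["email"] not in KNOWN_ACTORS, 2, "unrecognised actor"),
        (entry["action"]["type"] in RISKY_ACTIONS, 2, "risky action type"),
        (when.weekday() >= 5 or when.hour not in BUSINESS_HOURS_UTC, 2, "off-hours"),
        (entry["resource"]["type"] in SENSITIVE_RESOURCES, 3, "sensitive resource"),
    ]
    hits = [(w, why) for hit, w, why in checks if hit]
    return sum(w for w, _ in hits), [why for _, why in hits]

def tier(points):
    return "high" if points >= 6 else "medium" if points >= 3 else "low"

def triage(entries):
    """Rank entries by score, then split high-risk items from the rest."""
    ranked = []
    for e in entries:
        points, reasons = score(e)
        ranked.append({"id": e["id"], "tier": tier(points),
                       "points": points, "reasons": reasons})
    ranked.sort(key=lambda r: r["points"], reverse=True)
    high = [r for r in ranked if r["tier"] == "high"]   # one ticket each
    rest = [r for r in ranked if r["tier"] != "high"]   # digest only
    return high, rest

def _entry(id_, email, action, resource, when):
    return {"id": id_, "actor": {"email": email}, "action": {"type": action},
            "resource": {"type": resource}, "when": when}

# Constructed sample entries, not real audit data.
SAMPLE = [
    _entry("a1", "terraform@example.com", "update", "page_rule", "2024-05-14T10:15:00Z"),
    _entry("a2", "alice@example.com", "delete", "dns_record", "2024-05-14T14:00:00Z"),
    _entry("a3", "unknown@example.net", "create", "api_token", "2024-05-15T02:30:00Z"),
]

if __name__ == "__main__":
    high, rest = triage(SAMPLE)
    print("ticket:", high, "digest only:", rest)
```

Keeping the reasons next to each score gives the ticket and the digest a rationale that can be compared against whatever tier the agent assigns.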
Set it up
What you configure once, before turning it on.
1. Connect Cloudflare: Workers, Pages, R2, KV (the edge stack).
2. Connect OpenAI: Models, embeddings, files.
3. Connect Slack: Channels, DMs, threads, mentions.
4. Connect Linear: Issues, projects, cycles, triage.
5. Set each agent's model: We leave models unset so you pick the tier: fast + cheap, or top-quality.
6. Tune it to your data: Edit the prompts, filters, and field mappings so it matches how your team works.
7. Test, then turn it on: Run once against a sample, confirm the output, then enable the trigger.
