SECOPS
Page on-call when a WAF rule mass-blocks legitimate traffic
On demand or every few minutes, it detects a single Cloudflare WAF rule suddenly blocking a broad spread of ASNs and paths (a likely false-positive storm).
How it runs
The automated pipeline, trigger to output.
- Trigger: short-interval schedule or on-demand
- Action: fetch recent Cloudflare ruleset blocks (Cloudflare)
- Logic: measure per-rule breadth across ASN, geo, and path
- Logic: branch on false-positive storm vs attack
- Output: page on-call via PagerDuty with a rollback recommendation (PagerDuty)
What it does
It looks for the inverse of an attack signature: one WAF rule that abruptly starts blocking a wide, diverse set of ASNs, geographies, and URI paths at once — the fingerprint of a misconfigured or overbroad rule blocking real customers. When it sees that pattern it pages on-call through PagerDuty with the offending rule, the affected breadth, and a recommended temporary disable so revenue traffic isn't stuck.
When to use it
Use it as a safety net after WAF rule changes. A bad rule can silently break checkout for whole regions; this catches the self-inflicted outage fast and routes it as an incident, not a chat message.
How it works
1. A short-interval scheduled trigger fires (or it runs on demand post-deploy).
2. Cloudflare returns recent blocks for the active ruleset.
3. Logic measures per-rule breadth across ASNs, countries, and paths to flag a false-positive storm.
4. A branch separates broad-spread storms from narrow attack patterns.
5. PagerDuty receives a high-urgency incident for any storm, with the rule and a rollback recommendation.
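The breadth measurement and storm-vs-attack branch in steps 3 to 5, as an added illustration that is not the workflow's own code: it runs over a constructed batch of Cloudflare-style block events (field names and thresholds are assumptions, not a real export) and emits the incident body a pager would receive.

```python
from collections import defaultdict

def _mk(rule, rows):
    # Build constructed block events; "asn"/"country"/"path" are assumed field names.
    return [{"rule_id": rule, "asn": a, "country": c, "path": p} for a, c, p in rows]

# Constructed sample: one overbroad rule, one real attack, one low-volume rule.
EVENTS = (
    _mk("waf-new-bot-rule", [(7922, "US", "/"), (3320, "DE", "/checkout"), (2856, "GB", "/cart"),
                             (9498, "IN", "/api/session"), (15169, "US", "/product/42"),
                             (16509, "US", "/checkout"), (7922, "US", "/cart"), (3320, "DE", "/")])
    + _mk("waf-sqli-signature", [(4134, "CN", "/login")] * 6 + [(4837, "CN", "/login")] * 3)
    + _mk("waf-geo-sample", [(6939, "BR", "/"), (12389, "RU", "/cart"), (9808, "CN", "/checkout")])
)

# Assumed breadth thresholds; tune to your traffic baseline.
THRESHOLDS = {"asns": 5, "countries": 3, "paths": 4, "blocks": 8}

def rule_breadth(events):
    """Per-rule distinct ASN / country / path sets plus total block count."""
    stats = defaultdict(lambda: {"asns": set(), "countries": set(), "paths": set(), "blocks": 0})
    for e in events:
        s = stats[e["rule_id"]]
        s["asns"].add(e["asn"])
        s["countries"].add(e["country"])
        s["paths"].add(e["path"])
        s["blocks"] += 1
    return stats

def classify(stats, t=THRESHOLDS):
    """Branch: broad on every axis AND enough volume -> storm; otherwise narrow attack."""
    verdicts = {}
    for rule, s in stats.items():
        broad = (len(s["asns"]) >= t["asns"] and len(s["countries"]) >= t["countries"]
                 and len(s["paths"]) >= t["paths"] and s["blocks"] >= t["blocks"])
        verdicts[rule] = "false_positive_storm" if broad else "narrow_attack"
    return verdicts

def build_pages(stats, verdicts):
    """High-urgency incident bodies (PagerDuty-style, fields assumed) for each storm."""
    pages = []
    for rule, verdict in verdicts.items():
        if verdict != "false_positive_storm":
            continue
        s = stats[rule]
        pages.append({
            "severity": "critical", "rule_id": rule,
            "summary": (f"WAF rule {rule} blocked {s['blocks']} requests across {len(s['asns'])} ASNs, "
                        f"{len(s['countries'])} countries, {len(s['paths'])} paths"),
            "recommendation": f"Temporarily disable rule {rule}, then review its expression before re-enabling",
        })
    return pages
```

The volume threshold keeps a handful of scattered blocks from paging anyone; only a rule that is both diverse and busy trips the storm branch.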
Set it up
What you configure once, before turning it on.
1. Connect Cloudflare: Workers, Pages, R2, KV — the edge stack.
2. Connect PagerDuty: incidents, on-call, escalations.
3. Set each agent's model: we leave models unset so you pick the tier, fast + cheap or top-quality.
4. Tune it to your data: edit the prompts, filters, and field mappings so it matches how your team works.
5. Test, then turn it on: run once against a sample, confirm the output, then enable the trigger.
More SecOps workflows
Scheduled AWS Access-Key Age Sweep and Forced Rotation
Runs daily to find IAM access keys older than your policy threshold, deactivates the stale key, issues a fresh pair, and notifies the key owner with their replacement instructions.
Correlate Datadog WAF anomaly alert with Cloudflare evidence
When Datadog fires a WAF block-rate anomaly monitor, it pulls the matching Cloudflare firewall events, builds an evidence pack of top rules and ASNs.
Exposed-Secret Incident Triage and Remediation Agent
An agent-driven workflow that investigates a reported leaked secret end to end, decides revoke-versus-escalate, executes the rotation.
Non-Rotatable Leaked Secret to PagerDuty Escalation
Catches secret-scan hits for credentials that cannot be auto-rotated, gathers blast-radius context, and pages the on-call engineer with a step-by-step manual rotation runbook.
GitHub Secret-Scan Hit to Auto-Revoke and Rotate
When GitHub secret scanning flags a leaked credential in a repo, it auto-classifies the secret type, revokes the live key at the provider, mints a replacement.
Post-Revocation Verification and Audit Logging
After a key is revoked, it confirms the old credential actually fails, verifies the replacement works.
Run it inside a business
This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.