agent hive
Join the Waitlist

SECOPS

Cloudflare Block-Storm PagerDuty Triage and Rule Proposal

Triggered by a PagerDuty incident for a block-storm, it gathers the live Cloudflare attack picture, classifies whether it is an attack or a self-inflicted false positive.

CategorySecOps
Enginesim
Difficultyadvanced
Triggerwebhook
Steps5
Setup~25 min

How it runs

The automated pipeline, trigger to output.

  • TriggerPagerDuty block-storm incident webhookPagerDutyPagerDuty
  • ActionPull samples + recent rule changes from CloudflareCloudflareCloudflare
  • LogicClassify attack vs. false-positive block
  • ActionDraft block rule or rollback recommendationOpenAI
  • OutputPost triage verdict to incident channelSlack

What it does

It does the first ten minutes of incident triage automatically. When a block-storm pages the on-call, it assembles the attack picture from Cloudflare and decides the more useful next move: tighten with a new rule, or back off because a legitimate client is being blocked.

When to use it

When WAF block spikes page your team at all hours and you want a fast, evidence-based read on whether to escalate the block or roll back an overzealous rule before a human even opens the laptop.

How it works

  1. 1A PagerDuty incident webhook fires for the block-storm service.
  2. 2Pull blocked-request samples and recently changed rules from Cloudflare.
  3. 3Logic branches: concentrated malicious signature versus broad legitimate traffic hitting a recent rule.
  4. 4For an attack, an LLM step drafts a candidate block rule; for a false positive, it drafts a rollback recommendation.
  5. 5Post the verdict, evidence, and recommended action to the PagerDuty incident's Slack channel.

Set it up

What you configure once, before turning it on.

  1. 1
    Connect PagerDutyIncidents, on-call, escalations.
  2. 2
    Connect CloudflareWorkers, Pages, R2, KV — the edge stack.
  3. 3
    Connect OpenAIModels, embeddings, files.
  4. 4
    Connect SlackChannels, DMs, threads, mentions.
  5. 5
    Set each agent's modelWe leave models unset so you pick the tier — fast + cheap, or top-quality.
  6. 6
    Tune it to your dataEdit the prompts, filters, and field mappings so it matches how your team works.
  7. 7
    Test, then turn it onRun once against a sample, confirm the output, then enable the trigger.

More SecOps workflows

Scheduled AWS Access-Key Age Sweep and Forced Rotation

Runs daily to find IAM access keys older than your policy threshold, deactivates the stale key, issues a fresh pair, and notifies the key owner with their replacement instructions.

Correlate Datadog WAF anomaly alert with Cloudflare evidence

When Datadog fires a WAF block-rate anomaly monitor, it pulls the matching Cloudflare firewall events, builds an evidence pack of top rules and ASNs.

Exposed-Secret Incident Triage and Remediation Agent

An agent-driven workflow that investigates a reported leaked secret end to end, decides revoke-versus-escalate, executes the rotation.

Non-Rotatable Leaked Secret to PagerDuty Escalation

Catches secret-scan hits for credentials that cannot be auto-rotated, gathers blast-radius context, and pages the on-call engineer with a step-by-step manual rotation runbook.

GitHub Secret-Scan Hit to Auto-Revoke and Rotate

When GitHub secret scanning flags a leaked credential in a repo, it auto-classifies the secret type, revokes the live key at the provider, mints a replacement.

Post-Revocation Verification and Audit Logging

After a key is revoked, it confirms the old credential actually fails, verifies the replacement works.

Browse all SecOps

Run this workflow in your colony.

14-day trial. No DevOps. No Sales call. Provisioned in under a minute.

Join the WaitlistBrowse all workflows