SECOPS
Escalate critical exploited CVEs against running services to PagerDuty
On each new advisory, cross-references the affected package against a live service inventory and, when a CISA-KEV or actively-exploited critical CVE hits a production dependency…
How it runs
The automated pipeline, trigger to output.
- Trigger: New advisory received (webhook), via HTTP webhook
- Action: Check CISA-KEV and exploit maturity, via HTTP webhook
- Action: Query production service inventory, via Postgres
- Logic: Gate on critical + exploited + in-prod
- Action: Trigger PagerDuty incident, via PagerDuty
- Output: Post incident alert to Slack, via Slack
What it does
Separates the genuine fire-drills from routine patching. When an advisory lands, it checks whether the affected package is running in a production service and whether the CVE is on CISA's Known Exploited Vulnerabilities list or flagged as actively exploited. If both are true, it pages on-call immediately with the exact services at risk.
When to use it
Use it when you need a tight, low-false-positive escalation path for the rare advisories that demand same-day action, without waking on-call for every medium-severity bump. Best for teams running PagerDuty with a maintained service-to-dependency inventory.
How it works
1. A new advisory webhook fires.
2. An HTTP call checks the CVE against the CISA-KEV catalog and exploit-maturity sources.
3. A service inventory is queried from Postgres to find production services depending on the affected package.
4. Logic gates: escalate only if critical AND exploited AND present in production.
5. Non-escalating advisories are dropped to the standard remediation queue and skipped here.
6. A PagerDuty incident is triggered listing impacted services, fixed version, and the advisory link.
7. A parallel Slack alert is posted to the security incident channel.
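The gate in steps 2 to 5, written out as an added Python example (not the product's own code). The advisory, the stand-in KEV set and the inventory rows are constructed sample data, and the version comparison assumes simple dotted-numeric version strings.

```python
from dataclasses import dataclass

# Constructed sample data: a placeholder CVE id, a stand-in KEV set and a
# small service inventory. None of these come from a real feed.
KEV_CATALOG = {"CVE-EXAMPLE-0001"}   # placeholder id, not a real CVE

INVENTORY = [
    # (service, environment, package, installed version)
    ("checkout-api",   "production", "libexample", "1.4.2"),
    ("checkout-api",   "staging",    "libexample", "1.4.2"),
    ("billing-worker", "production", "libexample", "1.5.0"),
    ("search",         "production", "otherlib",   "3.1.0"),
]

@dataclass(frozen=True)
class Advisory:
    cve: str
    package: str
    severity: str              # e.g. "critical", "high"
    fixed_version: str         # versions below this are treated as vulnerable
    actively_exploited: bool   # exploit-maturity flag from a vendor feed
    url: str

def parse_version(v: str) -> tuple:
    # Dotted-numeric comparison; sufficient for the constructed sample data.
    return tuple(int(p) for p in v.split("."))

def impacted_production_services(adv: Advisory, inventory) -> list:
    # Step 3: production services running a version below the fix.
    fixed = parse_version(adv.fixed_version)
    return sorted({svc for svc, env, pkg, ver in inventory
                   if env == "production" and pkg == adv.package
                   and parse_version(ver) < fixed})

def gate(adv: Advisory, kev: set, inventory) -> dict:
    """Step 4: escalate only if critical AND exploited AND in production."""
    exploited = adv.cve in kev or adv.actively_exploited   # step 2
    services = impacted_production_services(adv, inventory)
    escalate = adv.severity == "critical" and exploited and bool(services)
    return {
        "escalate": escalate,
        "cve": adv.cve,
        "services": services,            # what the page would list
        "fixed_version": adv.fixed_version,
        "advisory_url": adv.url,
        # Step 5: anything else goes to the routine remediation queue.
        "route": "pagerduty" if escalate else "remediation-queue",
    }
```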
Set it up
What you configure once, before turning it on.
1. Connect HTTP webhook: Trigger any URL on agent actions.
2. Connect Postgres: Any Postgres URL; query, write, migrate.
3. Connect PagerDuty: Incidents, on-call, escalations.
4. Connect Slack: Channels, DMs, threads, mentions.
5. Set each agent's model: We leave models unset so you pick the tier, fast and cheap or top-quality.
6. Tune it to your data: Edit the prompts, filters, and field mappings so it matches how your team works.
7. Test, then turn it on: Run once against a sample, confirm the output, then enable the trigger.
More SecOps workflows
Scheduled AWS Access-Key Age Sweep and Forced Rotation
Runs daily to find IAM access keys older than your policy threshold, deactivates the stale key, issues a fresh pair, and notifies the key owner with their replacement instructions.
Correlate Datadog WAF anomaly alert with Cloudflare evidence
When Datadog fires a WAF block-rate anomaly monitor, it pulls the matching Cloudflare firewall events, builds an evidence pack of top rules and ASNs.
Exposed-Secret Incident Triage and Remediation Agent
An agent-driven workflow that investigates a reported leaked secret end to end, decides revoke-versus-escalate, executes the rotation.
Non-Rotatable Leaked Secret to PagerDuty Escalation
Catches secret-scan hits for credentials that cannot be auto-rotated, gathers blast-radius context, and pages the on-call engineer with a step-by-step manual rotation runbook.
GitHub Secret-Scan Hit to Auto-Revoke and Rotate
When GitHub secret scanning flags a leaked credential in a repo, it auto-classifies the secret type, revokes the live key at the provider, mints a replacement.
Post-Revocation Verification and Audit Logging
After a key is revoked, it confirms the old credential actually fails, verifies the replacement works.
Run it inside a business
This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.