SECOPS
Investigate a quarantined Dropbox link exposure end to end
An agent-driven investigation that, given a quarantined Dropbox link, gathers Cloudflare access history and Axiom context, then assesses what data was exposed and to whom.
How it runs
The automated pipeline, trigger to output.
- Trigger: GitLab issue labeled for investigation opens (GitLab)
- Action: Fetch the link's full access history from Cloudflare and Axiom (Cloudflare)
- Action: Inspect Dropbox file/folder to classify data sensitivity (Dropbox)
- Logic: Reason over access patterns to estimate scope and cause
- Action: Write structured findings and recommendation into GitLab issue (GitLab)
- Output: Post case summary to Slack for the responder (Slack)
What it does
Takes a single quarantined Dropbox link and runs a full exposure investigation. The agent pulls the link's complete Cloudflare access history, cross-references geos and IPs in Axiom, inspects the shared file or folder contents in Dropbox to judge sensitivity, and assembles a reasoned findings report.
When to use it
Trigger this after a link has been auto-quarantined and you need a human-readable answer to the questions that matter: what was exposed, who accessed it, from where, and how bad is it. It turns raw logs into a decision-ready writeup.
How it works
1. A GitLab issue labeled for investigation triggers the agent with the link ID.
2. The agent fetches the link's full access history from Cloudflare and Axiom.
3. It inspects the underlying Dropbox file or folder to classify data sensitivity.
4. It reasons over access patterns to estimate exposure scope and likely cause.
5. It writes a structured findings report and recommendation back into the GitLab issue.
6. It posts a concise summary to Slack for the responder reviewing the case.
Set it up
What you configure once, before turning it on.
1. Connect GitLab: Repos, MRs, pipelines, registry.
2. Connect Cloudflare: Workers, Pages, R2, KV — the edge stack.
3. Connect Axiom: Log streams, queries, dashboards.
4. Connect Dropbox: Files and folders.
5. Connect Slack: Channels, DMs, threads, mentions.
6. Set each agent's model: We leave models unset so you pick the tier — fast + cheap, or top-quality.
7. Tune it to your data: Edit the prompts, filters, and field mappings so it matches how your team works.
8. Test, then turn it on: Run once against a sample, confirm the output, then enable the trigger.
