SECOPS
Agentic Phishing Investigation & Case Builder
An autonomous agent picks up each reported phishing email, detonates links in a sandbox, enriches indicators via web research, decides quarantine and escalation actions.
How it runs
The automated pipeline, trigger to output.
- Trigger: Reported email lands in abuse mailbox (Gmail)
- Action: Agent detonates links in sandbox session (Browserbase)
- Action: Enrich domains and sender via web research (Perplexity)
- Logic: Agent decides disposition and blocks if malicious (Cloudflare)
- Action: Write narrated investigation case (Notion)
- Output: Escalate high-severity findings for review (PagerDuty)
What it does
Replaces the rote analyst workflow with an agent that reasons over a single phishing report end to end. It detonates the URLs, researches the domains and sender reputation, weighs the evidence, and produces a written case file with a recommended disposition and the actions it took, so a human reviews conclusions instead of doing the legwork.
When to use it
When report volume is unpredictable and you want consistent, well-documented investigations that capture not just a verdict but the reasoning and supporting evidence behind it.
How it works
1. A new report arrives in the monitored Gmail abuse mailbox and hands the agent the raw email.
2. The agent detonates each link in an isolated Browserbase session and inspects the landing behavior.
3. It enriches the domains and sender with live web research to gauge reputation and registration age.
4. The agent decides the disposition, blocking malicious infrastructure at Cloudflare when warranted.
5. It composes a narrated investigation case with evidence and recommendations into Notion.
6. High-severity findings are escalated through PagerDuty for human confirmation.
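The disposition step (4) and the severity gate in front of PagerDuty (6), as an added Python example that is not the workflow's or its vendor's code: it weighs the sandbox and enrichment evidence with illustrative weights and thresholds, picks the actions the agent takes, and renders the narrated case text. The `Evidence` fields, the scores and the action names are all assumptions made for the example.

```python
from dataclasses import dataclass, field

# Assumed evidence shape (not the product's schema): what the sandbox
# detonation and the web-research enrichment hand to the decision step.
@dataclass
class Evidence:
    landing_domain: str
    credential_form_seen: bool   # sandbox observed a login/credential form
    redirect_hops: int           # redirects followed before the final page
    domain_age_days: int         # from registration data (enrichment)
    reputation_hits: int         # number of sources flagging the domain

@dataclass
class Disposition:
    verdict: str                 # "malicious" | "suspicious" | "benign"
    severity: str                # "high" | "medium" | "low"
    actions: list = field(default_factory=list)
    reasons: list = field(default_factory=list)

def decide(ev: Evidence) -> Disposition:
    """Weigh the evidence into a verdict plus the actions the agent takes.
    Weights and thresholds are illustrative assumptions, not product defaults."""
    checks = [
        (ev.credential_form_seen, 3, "credential form on landing page"),
        (ev.domain_age_days < 30, 2, f"landing domain registered {ev.domain_age_days} days ago"),
        (ev.reputation_hits >= 2, 2, f"{ev.reputation_hits} reputation sources flag the domain"),
        (ev.redirect_hops >= 3, 1, f"{ev.redirect_hops} redirect hops before landing"),
    ]
    reasons = [why for hit, _, why in checks if hit]
    score = sum(weight for hit, weight, _ in checks if hit)
    # Only high severity reaches the on-call engineer; every report gets a case file.
    if score >= 5:
        return Disposition("malicious", "high",
                           ["quarantine", "block_domain", "write_case", "page_oncall"], reasons)
    if score >= 3:
        return Disposition("suspicious", "medium", ["quarantine", "write_case"], reasons)
    return Disposition("benign", "low", ["write_case"], reasons)

def narrate(ev: Evidence, d: Disposition) -> str:
    """Render the case text a reviewer reads instead of redoing the legwork."""
    lines = [f"Verdict: {d.verdict} (severity {d.severity})",
             f"Landing domain: {ev.landing_domain}"]
    lines += [f"- {r}" for r in d.reasons] or ["- no indicators of compromise observed"]
    lines.append("Actions: " + ", ".join(d.actions))
    return "\n".join(lines)
```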
Set it up
What you configure once, before turning it on.
1. Connect Gmail: read, draft, send, label.
2. Connect Browserbase: headless browsers, sessions, replays.
3. Connect Perplexity: search-grounded answers with citations.
4. Connect Cloudflare: Workers, Pages, R2, KV — the edge stack.
5. Connect Notion: pages, databases, comments.
6. Connect PagerDuty: incidents, on-call, escalations.
7. Set each agent's model: we leave models unset so you pick the tier — fast + cheap, or top-quality.
8. Tune it to your data: edit the prompts, filters, and field mappings so it matches how your team works.
9. Test, then turn it on: run once against a sample, confirm the output, then enable the trigger.
More SecOps workflows
Scheduled AWS Access-Key Age Sweep and Forced Rotation
Runs daily to find IAM access keys older than your policy threshold, deactivates the stale key, issues a fresh pair, and notifies the key owner with their replacement instructions.
Correlate Datadog WAF anomaly alert with Cloudflare evidence
When Datadog fires a WAF block-rate anomaly monitor, it pulls the matching Cloudflare firewall events, builds an evidence pack of top rules and ASNs.
Exposed-Secret Incident Triage and Remediation Agent
An agent-driven workflow that investigates a reported leaked secret end to end, decides revoke-versus-escalate, executes the rotation.
Non-Rotatable Leaked Secret to PagerDuty Escalation
Catches secret-scan hits for credentials that cannot be auto-rotated, gathers blast-radius context, and pages the on-call engineer with a step-by-step manual rotation runbook.
GitHub Secret-Scan Hit to Auto-Revoke and Rotate
When GitHub secret scanning flags a leaked credential in a repo, it auto-classifies the secret type, revokes the live key at the provider, mints a replacement.
Post-Revocation Verification and Audit Logging
After a key is revoked, it confirms the old credential actually fails, verifies the replacement works.
Run it inside a business
This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.