agent hive
Join the Waitlist

SECOPS

Lookalike Domain Detection & Cloudflare Quarantine

On each reported phishing email, computes edit-distance and homoglyph similarity between linked domains and your protected brand list.

CategorySecOps
Enginesim
Difficultyadvanced
Triggerevent
Steps6
Setup~25 min

How it runs

The automated pipeline, trigger to output.

  • TriggerReported phishing email receivedGmailGmail
  • ActionExtract and normalize linked domains
  • LogicCompare against protected brand list for lookalikes
  • ActionRecord confirmed typosquat in quarantine ledgerPostgreSQLPostgres
  • ActionCreate Cloudflare block rule for domainCloudflareCloudflare
  • OutputAlert security channel with score and rule IDSlack

What it does

Focuses on the lookalike-domain half of phishing defense. For every reported link, it measures how close the domain is to your real brand domains using edit distance and homoglyph normalization, and when a typosquat is confirmed it pushes a DNS/firewall block via Cloudflare so users can't reach the impostor again.

When to use it

When attackers register near-identical domains (paypa1.com, your-c0mpany.co) to impersonate you, and you want detection-to-block to happen in seconds rather than after a manual takedown ticket.

How it works

  1. 1A reported phishing email arrives in the monitored Gmail mailbox.
  2. 2The flow pulls every linked domain and normalizes homoglyphs to ASCII.
  3. 3A logic step compares each candidate against your protected brand list and flags matches within the similarity threshold.
  4. 4Confirmed lookalikes are recorded in a Postgres quarantine ledger with the source report ID.
  5. 5A Cloudflare gateway/firewall rule is created to block resolution of the typosquat domain.
  6. 6A Slack message notifies the security channel with the domain, similarity score, and rule ID.

Set it up

What you configure once, before turning it on.

  1. 1
    Connect GmailRead, draft, send, label.
  2. 2
    Connect CloudflareWorkers, Pages, R2, KV — the edge stack.
  3. 3
    Connect PostgresAny Postgres URL — query, write, migrate.
  4. 4
    Connect SlackChannels, DMs, threads, mentions.
  5. 5
    Set each agent's modelWe leave models unset so you pick the tier — fast + cheap, or top-quality.
  6. 6
    Tune it to your dataEdit the prompts, filters, and field mappings so it matches how your team works.
  7. 7
    Test, then turn it onRun once against a sample, confirm the output, then enable the trigger.

More SecOps workflows

Post-Revocation Verification and Audit Logging

After a key is revoked, it confirms the old credential actually fails, verifies the replacement works.

Page on-call when a WAF rule mass-blocks legitimate traffic

On demand or every few minutes, it detects a single Cloudflare WAF rule suddenly blocking a broad spread of ASNs and paths (a likely false-positive storm).

PII Content Scan on New Dropbox External Share

When a file gets an external Dropbox link, it reads the file content, uses an AI classifier to detect PII or secrets.

Compile a weekly WAF tuning review with trends to Confluence

Every week an agent rolls up Cloudflare WAF block clusters by rule and ASN, compares them to prior weeks for trend direction.

Sensitive Dropbox Link Owner Remediation Loop

When a newly created Dropbox shared link points to a sensitive file, this workflow DMs the file owner, gives them a deadline to justify or revoke it.

GitLab Push Secret Detection to Block and History Purge

On a GitLab push that contains a detected secret, it revokes the exposed credential, opens a tracking issue with git-history purge instructions.

Browse all SecOps

Run this workflow in your colony.

14-day trial. No DevOps. No Sales call. Provisioned in under a minute.

Join the WaitlistBrowse all workflows