SECOPS
Detonate Reported Phishing URLs and Score Risk
When an employee forwards a suspicious email to your phishing inbox, this extracts every URL, detonates them in a headless sandbox browser.
How it runs
The automated pipeline, trigger to output.
- Trigger: New email in phishing report inbox (Gmail)
- Action: Extract URLs and sender domain from message
- Action: Detonate each URL in sandbox browser (Browserbase)
- Action: Score risk and write verdict (OpenAI)
- Output: Post scored card to SOC channel (Slack)
What it does
Turns a noisy phishing report mailbox into a triaged queue. Each forwarded message is parsed for links, every link is opened in an isolated sandbox browser to capture its real landing behavior, and an LLM combines the detonation evidence into a single risk score and verdict that lands in your security channel.
When to use it
Run this when employees forward suspicious mail to a shared address like phishing@yourco.com and your analysts are manually opening links (dangerously) or copy-pasting them into ad-hoc scanners. It removes the manual detonation step and gives every report a consistent score.
How it works
1. A new message arriving in the monitored Gmail inbox triggers the run.
2. URLs and the sender domain are extracted from the raw body and headers.
3. Each URL is loaded in a Browserbase sandbox session, capturing redirects, final domain, page title, and a screenshot.
4. An OpenAI step weighs redirect chains, credential-form patterns, and domain age signals into a 0-100 risk score plus a clear verdict.
5. The scored card, screenshot, and recommended action post to the SOC Slack channel.
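A runnable sketch of steps 2 and 4, added here as an example and not part of the workflow's own code: URL and sender-domain extraction from a raw message, and a heuristic that turns detonation evidence (redirect chain, final domain, credential form, domain age) into the 0-100 score and verdict. The sample message, the `Detonation` record shape and the weights are assumptions; in the actual workflow Browserbase supplies the evidence and the OpenAI step does the weighing.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from email import message_from_string
from urllib.parse import urlparse

# Matches http(s) URLs in message text; trailing punctuation is trimmed afterwards.
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)

# Constructed sample report, not a real message.
SAMPLE_EMAIL = """From: HR Portal <payroll@hr-updates-secure.example>
Subject: Action required: confirm payroll details

Verify your account at http://hr-updates-secure.example/login or use the
backup link https://short.example/x7Qz. Thanks, HR team
"""

def extract_urls_and_sender(raw_email: str) -> tuple[list[str], str]:
    """Step 2: de-duplicated URLs from the text body plus the domain in the From header."""
    msg = message_from_string(raw_email)
    sender = msg.get("From", "")
    sender_domain = sender.rsplit("@", 1)[-1].strip(" <>").lower() if "@" in sender else ""
    text = "\n".join(p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain")
    urls: list[str] = []
    for found in URL_RE.findall(text):
        url = found.rstrip(".,;:")
        if url not in urls:
            urls.append(url)
    return urls, sender_domain

@dataclass
class Detonation:
    """Evidence from one sandbox visit (assumed shape, not Browserbase's actual output)."""
    url: str
    redirect_chain: list[str]  # every URL visited, starting with the one submitted
    final_domain: str
    has_credential_form: bool  # a password/login form was present on the final page
    domain_age_days: int

def score_risk(d: Detonation, sender_domain: str) -> tuple[int, str]:
    """Step 4: weigh the detonation signals into a 0-100 score and a verdict (weights assumed)."""
    score = min(max(len(d.redirect_chain) - 1, 0) * 15, 30)  # long redirect chains
    score += 35 if d.has_credential_form else 0  # credential-harvesting pattern
    score += 25 if d.domain_age_days < 30 else 10 if d.domain_age_days < 180 else 0
    start_host = (urlparse(d.url).hostname or "").lower()
    if d.final_domain.lower() not in (start_host, sender_domain):  # landed somewhere unexpected
        score += 10
    score = min(score, 100)
    return score, "malicious" if score >= 70 else "suspicious" if score >= 40 else "likely benign"
```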
Set it up
What you configure once, before turning it on.
1. Connect Gmail: read, draft, send, label.
2. Connect Browserbase: headless browsers, sessions, replays.
3. Connect OpenAI: models, embeddings, files.
4. Connect Slack: channels, DMs, threads, mentions.
5. Set each agent's model: we leave models unset so you pick the tier — fast + cheap, or top-quality.
6. Tune it to your data: edit the prompts, filters, and field mappings so it matches how your team works.
7. Test, then turn it on: run once against a sample, confirm the output, then enable the trigger.
More SecOps workflows
Scheduled AWS Access-Key Age Sweep and Forced Rotation
Runs daily to find IAM access keys older than your policy threshold, deactivates the stale key, issues a fresh pair, and notifies the key owner with their replacement instructions.
Correlate Datadog WAF anomaly alert with Cloudflare evidence
When Datadog fires a WAF block-rate anomaly monitor, it pulls the matching Cloudflare firewall events, builds an evidence pack of top rules and ASNs.
Exposed-Secret Incident Triage and Remediation Agent
An agent-driven workflow that investigates a reported leaked secret end to end, decides revoke-versus-escalate, executes the rotation.
Non-Rotatable Leaked Secret to PagerDuty Escalation
Catches secret-scan hits for credentials that cannot be auto-rotated, gathers blast-radius context, and pages the on-call engineer with a step-by-step manual rotation runbook.
GitHub Secret-Scan Hit to Auto-Revoke and Rotate
When GitHub secret scanning flags a leaked credential in a repo, it auto-classifies the secret type, revokes the live key at the provider, mints a replacement.
Post-Revocation Verification and Audit Logging
After a key is revoked, it confirms the old credential actually fails, verifies the replacement works.
Run it inside a business
This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.