SECOPS
Exposed-Secret Incident Triage and Remediation Agent
An agent-driven workflow that investigates a reported leaked secret end to end, decides between revoking and escalating, and executes the rotation.
How it runs
The automated pipeline, trigger to output.
- Trigger: Leaked-secret report webhook (HTTP webhook)
- Action: Investigate secret location and dependents (GitHub)
- Logic: Agent decides revoke vs. escalate by severity
- Action: Execute rotation or page on-call (PagerDuty)
- Output: Write incident record with timeline (Notion)
What it does
Drives full incident response for an exposed secret. Given an alert, the agent reasons about the secret's type and reach, picks the right remediation path, performs or delegates the rotation, and produces a documented incident timeline rather than just a notification.
When to use it
Reach for this when revocation needs judgment, not a fixed rule: ambiguous secret types, keys shared across services, or cases where you want a written postmortem-grade record. It is the org-level brain that orchestrates the deterministic rotators below it.
How it works
1. An inbound webhook delivers a leaked-secret report from any scanner or human submitter.
2. The agent queries GitHub to locate the secret, its history, and every dependent reference.
3. A logic step lets the agent decide between automated revocation and PagerDuty escalation based on severity and reach.
4. The agent executes the chosen path: revoke and rotate via provider API, or page on-call.
5. A structured incident record is written to Notion with timeline, blast radius, actions taken, and follow-ups.
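The decision step above, as an added illustration rather than the product's own logic: a triage function that takes a constructed leaked-secret report (secret type, location, dependent references found in the repository search), scores severity by rotatability and reach, chooses revoke or escalate, and emits the timeline and follow-ups the incident record needs. The rotatable-type set, the dependent threshold and the payload shape are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed policy: secret types a provider API can revoke and re-mint on our behalf.
AUTO_ROTATABLE = {"aws_access_key", "github_token", "slack_webhook"}
# Assumed threshold: more dependents than this needs coordinated (human-led) rotation.
MAX_AUTO_DEPENDENTS = 3


@dataclass
class Report:
    """Constructed webhook payload shape (assumption, not the real schema)."""
    secret_type: str
    repo: str
    commit: str
    dependents: list  # services/repos that reference the secret


@dataclass
class Incident:
    decision: str
    severity: str
    blast_radius: int
    timeline: list = field(default_factory=list)
    follow_ups: list = field(default_factory=list)


def severity_for(report: Report) -> str:
    """Non-rotatable secrets and wide reach are high; otherwise scale by dependent count."""
    n = len(report.dependents)
    if report.secret_type not in AUTO_ROTATABLE or n > MAX_AUTO_DEPENDENTS:
        return "high"
    return "medium" if n else "low"


def triage(report: Report, now: datetime = None) -> Incident:
    now = now or datetime.now(timezone.utc)
    stamp = now.isoformat()
    inc = Incident("", severity_for(report), len(report.dependents))
    inc.timeline.append((stamp, f"report received: {report.secret_type} in {report.repo}@{report.commit}"))
    if inc.severity != "high":
        inc.decision = "revoke"  # deterministic path: provider API revoke + rotate
        inc.timeline.append((stamp, "revoked and rotated via provider API"))
        inc.follow_ups += [f"update reference in {d}" for d in report.dependents]
    else:
        inc.decision = "escalate"  # judgment needed: page on-call with blast-radius context
        inc.timeline.append((stamp, "paged on-call; manual rotation required"))
    inc.follow_ups.append("purge secret from git history and confirm old credential fails")
    return inc
```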
Set it up
What you configure once, before turning it on.
1. Connect HTTP webhook: trigger any URL on agent actions.
2. Connect GitHub: repos, issues, pull requests, actions.
3. Connect PagerDuty: incidents, on-call, escalations.
4. Connect Notion: pages, databases, comments.
5. Set each agent's model: we leave models unset so you pick the tier, fast and cheap or top-quality.
6. Tune it to your data: edit the prompts, filters, and field mappings so it matches how your team works.
7. Test, then turn it on: run once against a sample, confirm the output, then enable the trigger.
More SecOps workflows
Scheduled AWS Access-Key Age Sweep and Forced Rotation
Runs daily to find IAM access keys older than your policy threshold, deactivates the stale key, issues a fresh pair, and notifies the key owner with their replacement instructions.
Correlate Datadog WAF anomaly alert with Cloudflare evidence
When Datadog fires a WAF block-rate anomaly monitor, it pulls the matching Cloudflare firewall events and builds an evidence pack of top rules and ASNs.
Non-Rotatable Leaked Secret to PagerDuty Escalation
Catches secret-scan hits for credentials that cannot be auto-rotated, gathers blast-radius context, and pages the on-call engineer with a step-by-step manual rotation runbook.
GitHub Secret-Scan Hit to Auto-Revoke and Rotate
When GitHub secret scanning flags a leaked credential in a repo, it auto-classifies the secret type, revokes the live key at the provider, and mints a replacement.
Post-Revocation Verification and Audit Logging
After a key is revoked, it confirms the old credential actually fails and verifies the replacement works.
Page on-call when a WAF rule mass-blocks legitimate traffic
On demand or every few minutes, it detects a single Cloudflare WAF rule suddenly blocking a broad spread of ASNs and paths (a likely false-positive storm).
Run it inside a business
This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.