{ "id": "tW5dPtBvejlxrOfr", "name": "AI agent for cybersecurity threat analysis with CVSS scoring and risk routing", "tags": [], "nodes": [ { "id": "e5bc67cd-e920-4a4f-81df-bd07918dc28c", "name": "Start Threat Analysis", "type": "n8n-nodes-base.manualTrigger", "position": [ 240, 608 ], "parameters": {}, "typeVersion": 1 }, { "id": "c89f0cf2-a3ed-431c-8f11-5a3810f4c6fe", "name": "Cybersecurity Orchestrator Agent", "type": "@n8n/n8n-nodes-langchain.agent", "position": [ 960, 560 ], "parameters": { "text": "={{ $json.analysis_request || 'Perform comprehensive threat modeling and attack surface analysis of our current security posture. Analyze internal security logs, authentication traces, and anomaly detection outputs to identify emerging threats. Construct network topology models and assess lateral movement risks using STRIDE methodology with CVSS-style scoring.' }}", "options": { "systemMessage": "You are a Cybersecurity Threat Modeling Orchestrator. Your role is to coordinate threat intelligence analysis and attack surface mapping to produce comprehensive cybersecurity assessments. You have access to two specialized sub-agents: 1) Threat Intelligence Agent - analyzes security logs, authentication traces, and anomaly detection outputs to identify emerging attack vectors. 2) Attack Surface Mapping Agent - constructs network topology graphs, models lateral movement scenarios using STRIDE methodology, and quantifies risk using CVSS-style scoring. Your task is to: (1) Delegate security log analysis to the Threat Intelligence Agent, (2) Delegate attack surface mapping and STRIDE analysis to the Attack Surface Mapping Agent, (3) Synthesize their findings into a comprehensive threat assessment with both SOC-level operational guidance and executive-level cybersecurity posture reporting. Ensure all outputs are actionable and prioritized by risk severity." }, "promptType": "define", "hasOutputParser": true }, "typeVersion": 3.1 }, { "id": "164505ee-c5fc-4cf5-9f1c-26a2f4fd418b", "name": "Orchestrator Chat Model", "type": "@n8n/n8n-nodes-langchain.lmChatOpenAi", "position": [ 480, 720 ], "parameters": { "model": { "__rl": true, "mode": "id", "value": "gpt-4o" }, "options": { "temperature": 0.3 }, "builtInTools": {} }, "credentials": { "openAiApi": { "name": "" } }, "typeVersion": 1.3 }, { "id": "bc7577ce-6b05-4f69-bf58-d3457c845d90", "name": "Structured Threat Report Parser", "type": "@n8n/n8n-nodes-langchain.outputParserStructured", "position": [ 1280, 720 ], "parameters": { "schemaType": "manual", "inputSchema": "{\"type\": \"object\", \"properties\": {\"executive_summary\": {\"type\": \"string\", \"description\": \"High-level cybersecurity posture summary for executive leadership\"}, \"threat_intelligence\": {\"type\": \"object\", \"properties\": {\"emerging_attack_vectors\": {\"type\": \"array\", \"items\": {\"type\": \"object\", \"properties\": {\"vector_name\": {\"type\": \"string\"}, \"severity\": {\"type\": \"string\", \"enum\": [\"Critical\", \"High\", \"Medium\", \"Low\"]}, \"indicators\": {\"type\": \"array\", \"items\": {\"type\": \"string\"}}, \"recommended_actions\": {\"type\": \"array\", \"items\": {\"type\": \"string\"}}}}}, \"authentication_anomalies\": {\"type\": \"array\", \"items\": {\"type\": \"string\"}}, \"log_analysis_summary\": {\"type\": \"string\"}}}, \"attack_surface\": {\"type\": \"object\", \"properties\": {\"network_topology\": {\"type\": \"string\", \"description\": \"Description of simulated network topology graph\"}, \"stride_analysis\": {\"type\": \"object\", \"properties\": {\"spoofing_risks\": {\"type\": \"array\", \"items\": {\"type\": \"string\"}}, \"tampering_risks\": {\"type\": \"array\", \"items\": {\"type\": \"string\"}}, \"repudiation_risks\": {\"type\": \"array\", \"items\": {\"type\": \"string\"}}, \"information_disclosure_risks\": {\"type\": \"array\", \"items\": {\"type\": \"string\"}}, \"denial_of_service_risks\": {\"type\": \"array\", \"items\": {\"type\": \"string\"}}, \"elevation_of_privilege_risks\": {\"type\": \"array\", \"items\": {\"type\": \"string\"}}}}, \"lateral_movement_scenarios\": {\"type\": \"array\", \"items\": {\"type\": \"object\", \"properties\": {\"scenario_name\": {\"type\": \"string\"}, \"attack_path\": {\"type\": \"string\"}, \"cvss_score\": {\"type\": \"number\"}, \"impact\": {\"type\": \"string\"}}}}, \"risk_quantification\": {\"type\": \"object\", \"properties\": {\"overall_cvss_score\": {\"type\": \"number\"}, \"critical_assets_at_risk\": {\"type\": \"array\", \"items\": {\"type\": \"string\"}}}}}}, \"soc_operational_guidance\": {\"type\": \"array\", \"items\": {\"type\": \"object\", \"properties\": {\"priority\": {\"type\": \"string\", \"enum\": [\"P0-Critical\", \"P1-High\", \"P2-Medium\", \"P3-Low\"]}, \"action\": {\"type\": \"string\"}, \"timeline\": {\"type\": \"string\"}, \"resources_required\": {\"type\": \"string\"}}}}, \"overall_risk_rating\": {\"type\": \"string\", \"enum\": [\"Critical\", \"High\", \"Medium\", \"Low\"]}}, \"required\": [\"executive_summary\", \"threat_intelligence\", \"attack_surface\", \"soc_operational_guidance\", \"overall_risk_rating\"]}" }, "typeVersion": 1.3 }, { "id": "2a46e3ea-acf0-45da-ad0f-70c134e12834", "name": "Threat Intelligence Agent", "type": "@n8n/n8n-nodes-langchain.agentTool", "position": [ 608, 720 ], "parameters": { "text": "={{ $fromAI('security_analysis_task', 'The specific security analysis task to perform, including which logs or traces to analyze and what threats to look for') }}", "options": { "systemMessage": "You are a Threat Intelligence Analyst specializing in security log analysis and attack vector identification. Your expertise includes: (1) Analyzing security logs for suspicious patterns and anomalies, (2) Identifying authentication trace irregularities that may indicate credential compromise or unauthorized access attempts, (3) Interpreting anomaly detection outputs to distinguish true threats from false positives, (4) Classifying emerging attack vectors by severity (Critical, High, Medium, Low), (5) Providing actionable threat intelligence with specific indicators of compromise. When analyzing security data, focus on: unusual authentication patterns, privilege escalation attempts, lateral movement indicators, data exfiltration signatures, malware communication patterns, and zero-day exploit indicators. Always provide specific evidence from the logs to support your findings and recommend concrete mitigation actions." }, "toolDescription": "Analyzes internal security logs, authentication traces, and anomaly detection outputs to identify emerging attack vectors, suspicious patterns, and potential security threats. Returns detailed threat intelligence findings with severity classifications and recommended actions." }, "typeVersion": 3 }, { "id": "a4b800c7-6855-4474-9b3b-0f11f732a59b", "name": "Threat Intelligence Chat Model", "type": "@n8n/n8n-nodes-langchain.lmChatOpenAi", "position": [ 480, 928 ], "parameters": { "model": { "__rl": true, "mode": "id", "value": "gpt-4o" }, "options": { "temperature": 0.2 }, "builtInTools": {} }, "credentials": { "openAiApi": { "name": "" } }, "typeVersion": 1.3 }, { "id": "13d74fce-b83e-48f1-a26c-086d1001fbae", "name": "Fetch Security Logs Tool", "type": "n8n-nodes-base.httpRequestTool", "position": [ 656, 928 ], "parameters": { "url": "={{ $fromAI('log_endpoint', 'The internal API endpoint to fetch security logs from (e.g., /api/security/logs, /api/auth/traces, /api/anomalies)', 'string', '<__PLACEHOLDER_VALUE__internal_security_api_endpoint__>') }}", "options": {}, "toolDescription": "Fetches internal security logs, authentication traces, and anomaly detection outputs from internal security systems for threat analysis" }, "typeVersion": 4.4 }, { "id": "2da2ce78-fb29-4e75-a5ba-3de9bc595b79", "name": "Risk Score Calculator", "type": "@n8n/n8n-nodes-langchain.toolCalculator", "position": [ 816, 928 ], "parameters": {}, "typeVersion": 1 }, { "id": "e2cb5bb0-fc19-4038-a3ae-efb935921e8b", "name": "Attack Surface Mapping Agent", "type": "@n8n/n8n-nodes-langchain.agentTool", "position": [ 992, 720 ], "parameters": { "text": "={{ $fromAI('attack_surface_task', 'The specific attack surface mapping task to perform, including network topology to analyze and STRIDE categories to focus on') }}", "options": { "systemMessage": "You are an Attack Surface Mapping and STRIDE Threat Modeling Expert. Your expertise includes: (1) Constructing network topology graphs that represent system architecture, trust boundaries, and data flows, (2) Applying STRIDE methodology to identify threats across six categories: Spoofing (identity), Tampering (data), Repudiation (actions), Information Disclosure (confidentiality), Denial of Service (availability), and Elevation of Privilege (authorization), (3) Modeling lateral movement scenarios showing how attackers could pivot through the network after initial compromise, (4) Quantifying risk using CVSS-style scoring (0-10 scale) based on exploitability, impact, and scope, (5) Identifying critical assets at risk and attack paths with highest impact. When performing attack surface analysis: map all network nodes and connections, identify trust boundaries, enumerate attack vectors for each STRIDE category, simulate realistic lateral movement paths, calculate CVSS scores for each scenario, and prioritize findings by risk severity. Use the STRIDE and CVSS tools available to you for systematic analysis." }, "toolDescription": "Constructs simulated network topology graphs, models lateral movement scenarios under STRIDE methodology (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege), and quantifies risk using CVSS-style scoring. Returns comprehensive attack surface analysis with risk quantification." }, "typeVersion": 3 }, { "id": "4c1bb276-d6a0-4674-a61e-d2892b5efb3c", "name": "Attack Surface Chat Model", "type": "@n8n/n8n-nodes-langchain.lmChatOpenAi", "position": [ 992, 928 ], "parameters": { "model": { "__rl": true, "mode": "id", "value": "gpt-4o" }, "options": { "temperature": 0.2 }, "builtInTools": {} }, "credentials": { "openAiApi": { "name": "" } }, "typeVersion": 1.3 }, { "id": "8b8e835e-9046-4b4a-9fde-771057e16863", "name": "STRIDE Analysis Tool", "type": "@n8n/n8n-nodes-langchain.toolCode", "position": [ 1152, 928 ], "parameters": { "jsCode": "const threat = $input.first().json.threat_description || \"\";\nconst strideCategories = {\n spoofing: [],\n tampering: [],\n repudiation: [],\n information_disclosure: [],\n denial_of_service: [],\n elevation_of_privilege: []\n};\n\nconst lowerThreat = threat.toLowerCase();\n\nif (lowerThreat.includes(\"identity\") || lowerThreat.includes(\"authentication\") || lowerThreat.includes(\"impersonat\") || lowerThreat.includes(\"credential\")) {\n strideCategories.spoofing.push(threat);\n}\n\nif (lowerThreat.includes(\"tamper\") || lowerThreat.includes(\"modify\") || lowerThreat.includes(\"alter\") || lowerThreat.includes(\"integrity\")) {\n strideCategories.tampering.push(threat);\n}\n\nif (lowerThreat.includes(\"log\") || lowerThreat.includes(\"audit\") || lowerThreat.includes(\"deny\") || lowerThreat.includes(\"repudiat\")) {\n strideCategories.repudiation.push(threat);\n}\n\nif (lowerThreat.includes(\"disclosure\") || lowerThreat.includes(\"leak\") || lowerThreat.includes(\"exposure\") || lowerThreat.includes(\"confidential\") || lowerThreat.includes(\"exfiltrat\")) {\n strideCategories.information_disclosure.push(threat);\n}\n\nif (lowerThreat.includes(\"dos\") || lowerThreat.includes(\"denial\") || lowerThreat.includes(\"availability\") || lowerThreat.includes(\"flood\") || lowerThreat.includes(\"exhaust\")) {\n strideCategories.denial_of_service.push(threat);\n}\n\nif (lowerThreat.includes(\"privilege\") || lowerThreat.includes(\"escalat\") || lowerThreat.includes(\"authorization\") || lowerThreat.includes(\"admin\") || lowerThreat.includes(\"root\")) {\n strideCategories.elevation_of_privilege.push(threat);\n}\n\nreturn [{ json: { threat_description: threat, stride_categories: strideCategories, analysis_timestamp: new Date().toISOString() } }];", "description": "Categorizes security threats using STRIDE methodology: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. Input should be a threat description or attack scenario." }, "typeVersion": 1.3 }, { "id": "936ac68c-98fc-4e3d-a405-b33c7e3fdb34", "name": "CVSS Scoring Tool", "type": "@n8n/n8n-nodes-langchain.toolCode", "position": [ 1312, 928 ], "parameters": { "jsCode": "const input = $input.first().json;\n\nconst attackVector = input.attack_vector || \"network\";\nconst attackComplexity = input.attack_complexity || \"low\";\nconst privilegesRequired = input.privileges_required || \"none\";\nconst userInteraction = input.user_interaction || \"none\";\nconst scope = input.scope || \"unchanged\";\nconst confidentialityImpact = input.confidentiality_impact || \"high\";\nconst integrityImpact = input.integrity_impact || \"high\";\nconst availabilityImpact = input.availability_impact || \"high\";\n\nconst avScore = attackVector === \"network\" ? 0.85 : attackVector === \"adjacent\" ? 0.62 : attackVector === \"local\" ? 0.55 : 0.2;\nconst acScore = attackComplexity === \"low\" ? 0.77 : 0.44;\nconst prScore = privilegesRequired === \"none\" ? 0.85 : privilegesRequired === \"low\" ? 0.62 : 0.27;\nconst uiScore = userInteraction === \"none\" ? 0.85 : 0.62;\nconst scopeMultiplier = scope === \"changed\" ? 1.08 : 1.0;\n\nconst cScore = confidentialityImpact === \"high\" ? 0.56 : confidentialityImpact === \"low\" ? 0.22 : 0;\nconst iScore = integrityImpact === \"high\" ? 0.56 : integrityImpact === \"low\" ? 0.22 : 0;\nconst aScore = availabilityImpact === \"high\" ? 0.56 : availabilityImpact === \"low\" ? 0.22 : 0;\n\nconst exploitability = 8.22 * avScore * acScore * prScore * uiScore;\nconst impact = 1 - ((1 - cScore) * (1 - iScore) * (1 - aScore));\nconst impactSubScore = 6.42 * impact;\n\nlet baseScore;\nif (impact <= 0) {\n baseScore = 0;\n} else {\n if (scope === \"unchanged\") {\n baseScore = Math.min(exploitability + impactSubScore, 10);\n } else {\n baseScore = Math.min(1.08 * (exploitability + impactSubScore), 10);\n }\n}\n\nbaseScore = Math.round(baseScore * 10) / 10;\n\nlet severity;\nif (baseScore === 0) severity = \"None\";\nelse if (baseScore < 4.0) severity = \"Low\";\nelse if (baseScore < 7.0) severity = \"Medium\";\nelse if (baseScore < 9.0) severity = \"High\";\nelse severity = \"Critical\";\n\nreturn [{ json: { cvss_score: baseScore, severity: severity, exploitability_score: Math.round(exploitability * 10) / 10, impact_score: Math.round(impactSubScore * 10) / 10, parameters: input } }];", "description": "Calculates CVSS-style risk scores (0-10 scale) based on attack vector, complexity, privileges required, user interaction, scope, confidentiality impact, integrity impact, and availability impact. Input should include these parameters as a JSON object." }, "typeVersion": 1.3 }, { "id": "48a13efb-69b2-41f2-b65d-f4cc265cfec4", "name": "Route by Risk Severity", "type": "n8n-nodes-base.switch", "position": [ 1536, 720 ], "parameters": { "rules": { "values": [ { "conditions": { "options": { "leftValue": "", "caseSensitive": true, "typeValidation": "strict" }, "combinator": "and", "conditions": [ { "operator": { "type": "string", "operation": "equals" }, "leftValue": "={{ $json.overall_risk_rating }}", "rightValue": "Critical" } ] } }, { "conditions": { "options": { "leftValue": "", "caseSensitive": true, "typeValidation": "strict" }, "combinator": "and", "conditions": [ { "operator": { "type": "string", "operation": "equals" }, "leftValue": "={{ $json.overall_risk_rating }}", "rightValue": "High" } ] } }, { "conditions": { "options": { "leftValue": "", "caseSensitive": true, "typeValidation": "strict" }, "combinator": "and", "conditions": [ { "operator": { "type": "string", "operation": "equals" }, "leftValue": "={{ $json.overall_risk_rating }}", "rightValue": "Medium" } ] } } ] }, "options": {} }, "typeVersion": 3.4 }, { "id": "b23b2fff-6d0e-4508-b0a0-0c7a48ba41c6", "name": "Format SOC Alert", "type": "n8n-nodes-base.set", "position": [ 1824, 624 ], "parameters": { "options": {}, "assignments": { "assignments": [ { "id": "id-1", "name": "alert_type", "type": "string", "value": "CRITICAL_SECURITY_THREAT" }, { "id": "id-2", "name": "timestamp", "type": "string", "value": "={{ $now.toISO() }}" }, { "id": "id-3", "name": "risk_rating", "type": "string", "value": "={{ $json.output.overall_risk_rating }}" }, { "id": "id-4", "name": "executive_summary", "type": "string", "value": "={{ $json.output.executive_summary }}" }, { "id": "id-5", "name": "soc_actions", "type": "array", "value": "={{ JSON.stringify($json.output.soc_operational_guidance) }}" }, { "id": "id-6", "name": "threat_vectors", "type": "array", "value": "={{ JSON.stringify($json.output.threat_intelligence.emerging_attack_vectors) }}" }, { "id": "id-7", "name": "attack_surface", "type": "object", "value": "={{ JSON.stringify($json.output.attack_surface) }}" }, { "id": "id-8", "name": "immediate_actions_required", "type": "array", "value": "={{ JSON.stringify($json.output.soc_operational_guidance.filter(action => action.priority === 'P0-Critical' || action.priority === 'P1-High')) }}" } ] } }, "typeVersion": 3.4 }, { "id": "9ce79d98-46cf-4e79-b76a-a0bf2b3d82e3", "name": "Format Executive Report", "type": "n8n-nodes-base.set", "position": [ 1824, 816 ], "parameters": { "options": {}, "assignments": { "assignments": [ { "id": "id-1", "name": "report_type", "type": "string", "value": "EXECUTIVE_CYBERSECURITY_POSTURE" }, { "id": "id-2", "name": "timestamp", "type": "string", "value": "={{ $now.toISO() }}" }, { "id": "id-3", "name": "risk_rating", "type": "string", "value": "={{ $json.output.overall_risk_rating }}" }, { "id": "id-4", "name": "executive_summary", "type": "string", "value": "={{ $json.output.executive_summary }}" }, { "id": "id-5", "name": "overall_cvss_score", "type": "number", "value": "={{ $json.output.attack_surface.risk_quantification.overall_cvss_score }}" }, { "id": "id-6", "name": "critical_assets_at_risk", "type": "array", "value": "={{ JSON.stringify($json.output.attack_surface.risk_quantification.critical_assets_at_risk) }}" }, { "id": "id-7", "name": "high_priority_actions", "type": "array", "value": "={{ JSON.stringify($json.output.soc_operational_guidance.filter(action => action.priority === 'P0-Critical' || action.priority === 'P1-High').map(action => action.action)) }}" }, { "id": "id-8", "name": "threat_count", "type": "number", "value": "={{ $json.output.threat_intelligence.emerging_attack_vectors.length }}" } ] } }, "typeVersion": 3.4 }, { "id": "b8e74e2d-ef16-485b-b133-0ffa7330d5e5", "name": "Format Standard Report", "type": "n8n-nodes-base.set", "position": [ 1824, 1008 ], "parameters": { "options": {}, "assignments": { "assignments": [ { "id": "id-1", "name": "report_type", "type": "string", "value": "STANDARD_THREAT_ASSESSMENT" }, { "id": "id-2", "name": "timestamp", "type": "string", "value": "={{ $now.toISO() }}" }, { "id": "id-3", "name": "risk_rating", "type": "string", "value": "={{ $json.overall_risk_rating }}" }, { "id": "id-4", "name": "executive_summary", "type": "string", "value": "={{ $json.executive_summary }}" }, { "id": "id-5", "name": "threat_intelligence", "type": "object", "value": "={{ JSON.stringify($json.threat_intelligence) }}" }, { "id": "id-6", "name": "attack_surface", "type": "object", "value": "={{ JSON.stringify($json.attack_surface) }}" }, { "id": "id-7", "name": "soc_operational_guidance", "type": "array", "value": "={{ JSON.stringify($json.soc_operational_guidance) }}" } ] } }, "typeVersion": 3.4 }, { "id": "20c8f84c-b9f0-49f6-b912-25fa97be7328", "name": "Sticky Note", "type": "n8n-nodes-base.stickyNote", "position": [ 192, 80 ], "parameters": { "width": 560, "height": 336, "content": "## How It Works\nThis workflow automates end-to-end cybersecurity threat analysis using a multi-agent AI architecture, targeting Security Operations Centre (SOC) analysts, security engineers, and IT risk teams responsible for continuous threat monitoring and incident response. The core problem it solves is the slow, fragmented process of manually correlating threat intelligence, scoring vulnerabilities, and producing actionable reports, tasks that demand both speed and consistency under pressure. A manual trigger initiates the Cybersecurity Orchestrator Agent, which coordinates two specialist sub-agents: a Threat Intelligence Agent (backed by security log fetching and risk scoring tools) and an Attack Surface Mapping Agent (leveraging STRIDE analysis and CVSS scoring tools). Each agent operates with its own chat model and memory. Outputs are parsed by a Structured Threat Report Parser, then routed by a Rules-based Risk Severity router into three report formats such as SOC Alert, Executive Report, or Standard Report, ensuring every threat is communicated at the right level of urgency to the right audience." }, "typeVersion": 1 }, { "id": "dadce1b5-66ee-43da-b839-52163089203a", "name": "Sticky Note1", "type": "n8n-nodes-base.stickyNote", "position": [ 768, 112 ], "parameters": { "width": 432, "height": 256, "content": "## Setup Steps\n1. Connect your LLM API credentials to all Chat Model nodes (Orchestrator, Threat Intelligence, Attack Surface).\n2. Configure the Fetch Security Logs Tool with your SIEM or log source API credentials.\n3. Set risk threshold rules in the Risk Score Calculator node.\n4. Define STRIDE and CVSS parameters in their respective tool nodes.\n5. Set routing thresholds (e.g., CVSS \u22659 \u2192 SOC Alert, \u22656 \u2192 Executive, <6 \u2192 Standard) in Route by Risk Severity." }, "typeVersion": 1 }, { "id": "386ae1fc-2b9a-435b-a9ce-79984af9c5bd", "name": "Sticky Note2", "type": "n8n-nodes-base.stickyNote", "position": [ 1216, -16 ], "parameters": { "color": 4, "width": 368, "height": 384, "content": "## Prerequisites\n- LLM API key (OpenAI or compatible)\n- SIEM or security log source with API access\n- CVSS and STRIDE configuration parameters\n- Report template definitions for each severity tier\n## Use Cases\n- Auto-triage incoming vulnerability disclosures into severity-ranked reports.\n## Customisation\n- Add more routing branches (e.g., Critical, Zero-Day).\n## Benefits\n- Accelerates threat triage from hours to minutes." }, "typeVersion": 1 }, { "id": "05636dee-34e9-4394-9076-908864fdce76", "name": "Sticky Note3", "type": "n8n-nodes-base.stickyNote", "position": [ 192, 432 ], "parameters": { "color": 7, "width": 704, "height": 640, "content": "## Trigger, Threat Intelligence & Risk Scoring\n**What:** Threat Intelligence Agent fetches security logs and calculates risk scores.\n**Why:** Grounds AI analysis in real telemetry data, enabling evidence-based risk prioritisation.\n" }, "typeVersion": 1 }, { "id": "5930bde6-cd15-4b86-af01-a7c274ed5dfe", "name": "Sticky Note4", "type": "n8n-nodes-base.stickyNote", "position": [ 912, 416 ], "parameters": { "color": 7, "width": 560, "height": 720, "content": "## Attack Surface Mapping\n**What:** Attack Surface Mapping Agent applies STRIDE methodology and CVSS scoring.\n**Why:** Systematically identifies exploitable vectors and assigns industry-standard severity ratings." }, "typeVersion": 1 }, { "id": "3ba42550-082b-4172-9deb-351bb841c290", "name": "Sticky Note5", "type": "n8n-nodes-base.stickyNote", "position": [ 1488, 416 ], "parameters": { "color": 7, "height": 720, "content": "## Parse & Route by Severity\n**What:** Structured Threat Report Parser extracts findings; Rules router directs output by risk level.\n**Why:** Ensures outputs are structured and stakeholder-appropriate without manual triage." }, "typeVersion": 1 }, { "id": "356d390f-90de-4ac2-9a02-61af59e864c2", "name": "Sticky Note6", "type": "n8n-nodes-base.stickyNote", "position": [ 1744, 416 ], "parameters": { "color": 7, "width": 448, "height": 736, "content": "## Format & Deliver Report\n**What:** Generates SOC Alert, Executive Report, or Standard Report based on severity routing.\n**Why:** Delivers the right level of detail to the right audience \u2014 operational, strategic, or routine." }, "typeVersion": 1 } ], "active": false, "settings": { "binaryMode": "separate", "executionOrder": "v1" }, "versionId": "c7c263a2-ff2f-4cda-9c3d-529c908cb116", "connections": { "CVSS Scoring Tool": { "ai_tool": [ [ { "node": "Attack Surface Mapping Agent", "type": "ai_tool", "index": 0 } ] ] }, "STRIDE Analysis Tool": { "ai_tool": [ [ { "node": "Attack Surface Mapping Agent", "type": "ai_tool", "index": 0 } ] ] }, "Risk Score Calculator": { "ai_tool": [ [ { "node": "Threat Intelligence Agent", "type": "ai_tool", "index": 0 } ] ] }, "Start Threat Analysis": { "main": [ [ { "node": "Cybersecurity Orchestrator Agent", "type": "main", "index": 0 } ] ] }, "Route by Risk Severity": { "main": [ [ { "node": "Format SOC Alert", "type": "main", "index": 0 } ], [ { "node": "Format Executive Report", "type": "main", "index": 0 } ], [ { "node": "Format Standard Report", "type": "main", "index": 0 } ] ] }, "Orchestrator Chat Model": { "ai_languageModel": [ [ { "node": "Cybersecurity Orchestrator Agent", "type": "ai_languageModel", "index": 0 } ] ] }, "Fetch Security Logs Tool": { "ai_tool": [ [ { "node": "Threat Intelligence Agent", "type": "ai_tool", "index": 0 } ] ] }, "Attack Surface Chat Model": { "ai_languageModel": [ [ { "node": "Attack Surface Mapping Agent", "type": "ai_languageModel", "index": 0 } ] ] }, "Threat Intelligence Agent": { "ai_tool": [ [ { "node": "Cybersecurity Orchestrator Agent", "type": "ai_tool", "index": 0 } ] ] }, "Attack Surface Mapping Agent": { "ai_tool": [ [ { "node": "Cybersecurity Orchestrator Agent", "type": "ai_tool", "index": 0 } ] ] }, "Threat Intelligence Chat Model": { "ai_languageModel": [ [ { "node": "Threat Intelligence Agent", "type": "ai_languageModel", "index": 0 } ] ] }, "Structured Threat Report Parser": { "ai_outputParser": [ [ { "node": "Cybersecurity Orchestrator Agent", "type": "ai_outputParser", "index": 0 } ] ] }, "Cybersecurity Orchestrator Agent": { "main": [ [ { "node": "Route by Risk Severity", "type": "main", "index": 0 } ] ] } } }