
Automate Cybersecurity Threat Analysis with GPT-4o

Original n8n title: Automate Cybersecurity Threat Analysis with Gpt-4o, Cvss Scoring and Risk Routing

By Cheng Siong Chin (@cschin) on n8n.io

This workflow automates end-to-end cybersecurity threat analysis using a multi-agent AI architecture, targeting Security Operations Centre (SOC) analysts, security engineers, and IT risk teams responsible for continuous threat monitoring and incident response. The core problem…

Category: AI & RAG · Trigger: Event · Nodes: 23 · Complexity: ★★★★☆ · AI-powered: yes
Node types used: Agent, OpenAI Chat, Output Parser Structured, Agent Tool, HTTP Request Tool, Tool Calculator, Tool Code

This workflow corresponds to n8n.io template #14410 — we link there as the canonical source.

This workflow follows the Agent → Agent Tool recipe pattern: a top-level Agent node delegates work to Agent Tool sub-agents.

The workflow JSON

Copy the full n8n JSON below, paste it into a new n8n workflow, add your credentials, and activate it.

{
  "id": "tW5dPtBvejlxrOfr",
  "name": "AI agent for cybersecurity threat analysis with CVSS scoring and risk routing",
  "tags": [],
  "nodes": [
    {
      "id": "e5bc67cd-e920-4a4f-81df-bd07918dc28c",
      "name": "Start Threat Analysis",
      "type": "n8n-nodes-base.manualTrigger",
      "position": [
        240,
        608
      ],
      "parameters": {},
      "typeVersion": 1
    },
    {
      "id": "c89f0cf2-a3ed-431c-8f11-5a3810f4c6fe",
      "name": "Cybersecurity Orchestrator Agent",
      "type": "@n8n/n8n-nodes-langchain.agent",
      "position": [
        960,
        560
      ],
      "parameters": {
        "text": "={{ $json.analysis_request || 'Perform comprehensive threat modeling and attack surface analysis of our current security posture. Analyze internal security logs, authentication traces, and anomaly detection outputs to identify emerging threats. Construct network topology models and assess lateral movement risks using STRIDE methodology with CVSS-style scoring.' }}",
        "options": {
          "systemMessage": "You are a Cybersecurity Threat Modeling Orchestrator. Your role is to coordinate threat intelligence analysis and attack surface mapping to produce comprehensive cybersecurity assessments. You have access to two specialized sub-agents: 1) Threat Intelligence Agent - analyzes security logs, authentication traces, and anomaly detection outputs to identify emerging attack vectors. 2) Attack Surface Mapping Agent - constructs network topology graphs, models lateral movement scenarios using STRIDE methodology, and quantifies risk using CVSS-style scoring. Your task is to: (1) Delegate security log analysis to the Threat Intelligence Agent, (2) Delegate attack surface mapping and STRIDE analysis to the Attack Surface Mapping Agent, (3) Synthesize their findings into a comprehensive threat assessment with both SOC-level operational guidance and executive-level cybersecurity posture reporting. Ensure all outputs are actionable and prioritized by risk severity."
        },
        "promptType": "define",
        "hasOutputParser": true
      },
      "typeVersion": 3.1
    },
    {
      "id": "164505ee-c5fc-4cf5-9f1c-26a2f4fd418b",
      "name": "Orchestrator Chat Model",
      "type": "@n8n/n8n-nodes-langchain.lmChatOpenAi",
      "position": [
        480,
        720
      ],
      "parameters": {
        "model": {
          "__rl": true,
          "mode": "id",
          "value": "gpt-4o"
        },
        "options": {
          "temperature": 0.3
        },
        "builtInTools": {}
      },
      "credentials": {
        "openAiApi": {
          "name": "<your credential>"
        }
      },
      "typeVersion": 1.3
    },
    {
      "id": "bc7577ce-6b05-4f69-bf58-d3457c845d90",
      "name": "Structured Threat Report Parser",
      "type": "@n8n/n8n-nodes-langchain.outputParserStructured",
      "position": [
        1280,
        720
      ],
      "parameters": {
        "schemaType": "manual",
        "inputSchema": "{\"type\": \"object\", \"properties\": {\"executive_summary\": {\"type\": \"string\", \"description\": \"High-level cybersecurity posture summary for executive leadership\"}, \"threat_intelligence\": {\"type\": \"object\", \"properties\": {\"emerging_attack_vectors\": {\"type\": \"array\", \"items\": {\"type\": \"object\", \"properties\": {\"vector_name\": {\"type\": \"string\"}, \"severity\": {\"type\": \"string\", \"enum\": [\"Critical\", \"High\", \"Medium\", \"Low\"]}, \"indicators\": {\"type\": \"array\", \"items\": {\"type\": \"string\"}}, \"recommended_actions\": {\"type\": \"array\", \"items\": {\"type\": \"string\"}}}}}, \"authentication_anomalies\": {\"type\": \"array\", \"items\": {\"type\": \"string\"}}, \"log_analysis_summary\": {\"type\": \"string\"}}}, \"attack_surface\": {\"type\": \"object\", \"properties\": {\"network_topology\": {\"type\": \"string\", \"description\": \"Description of simulated network topology graph\"}, \"stride_analysis\": {\"type\": \"object\", \"properties\": {\"spoofing_risks\": {\"type\": \"array\", \"items\": {\"type\": \"string\"}}, \"tampering_risks\": {\"type\": \"array\", \"items\": {\"type\": \"string\"}}, \"repudiation_risks\": {\"type\": \"array\", \"items\": {\"type\": \"string\"}}, \"information_disclosure_risks\": {\"type\": \"array\", \"items\": {\"type\": \"string\"}}, \"denial_of_service_risks\": {\"type\": \"array\", \"items\": {\"type\": \"string\"}}, \"elevation_of_privilege_risks\": {\"type\": \"array\", \"items\": {\"type\": \"string\"}}}}, \"lateral_movement_scenarios\": {\"type\": \"array\", \"items\": {\"type\": \"object\", \"properties\": {\"scenario_name\": {\"type\": \"string\"}, \"attack_path\": {\"type\": \"string\"}, \"cvss_score\": {\"type\": \"number\"}, \"impact\": {\"type\": \"string\"}}}}, \"risk_quantification\": {\"type\": \"object\", \"properties\": {\"overall_cvss_score\": {\"type\": \"number\"}, \"critical_assets_at_risk\": {\"type\": \"array\", \"items\": {\"type\": \"string\"}}}}}}, \"soc_operational_guidance\": {\"type\": \"array\", \"items\": {\"type\": \"object\", \"properties\": {\"priority\": {\"type\": \"string\", \"enum\": [\"P0-Critical\", \"P1-High\", \"P2-Medium\", \"P3-Low\"]}, \"action\": {\"type\": \"string\"}, \"timeline\": {\"type\": \"string\"}, \"resources_required\": {\"type\": \"string\"}}}}, \"overall_risk_rating\": {\"type\": \"string\", \"enum\": [\"Critical\", \"High\", \"Medium\", \"Low\"]}}, \"required\": [\"executive_summary\", \"threat_intelligence\", \"attack_surface\", \"soc_operational_guidance\", \"overall_risk_rating\"]}"
      },
      "typeVersion": 1.3
    },
    {
      "id": "2a46e3ea-acf0-45da-ad0f-70c134e12834",
      "name": "Threat Intelligence Agent",
      "type": "@n8n/n8n-nodes-langchain.agentTool",
      "position": [
        608,
        720
      ],
      "parameters": {
        "text": "={{ $fromAI('security_analysis_task', 'The specific security analysis task to perform, including which logs or traces to analyze and what threats to look for') }}",
        "options": {
          "systemMessage": "You are a Threat Intelligence Analyst specializing in security log analysis and attack vector identification. Your expertise includes: (1) Analyzing security logs for suspicious patterns and anomalies, (2) Identifying authentication trace irregularities that may indicate credential compromise or unauthorized access attempts, (3) Interpreting anomaly detection outputs to distinguish true threats from false positives, (4) Classifying emerging attack vectors by severity (Critical, High, Medium, Low), (5) Providing actionable threat intelligence with specific indicators of compromise. When analyzing security data, focus on: unusual authentication patterns, privilege escalation attempts, lateral movement indicators, data exfiltration signatures, malware communication patterns, and zero-day exploit indicators. Always provide specific evidence from the logs to support your findings and recommend concrete mitigation actions."
        },
        "toolDescription": "Analyzes internal security logs, authentication traces, and anomaly detection outputs to identify emerging attack vectors, suspicious patterns, and potential security threats. Returns detailed threat intelligence findings with severity classifications and recommended actions."
      },
      "typeVersion": 3
    },
    {
      "id": "a4b800c7-6855-4474-9b3b-0f11f732a59b",
      "name": "Threat Intelligence Chat Model",
      "type": "@n8n/n8n-nodes-langchain.lmChatOpenAi",
      "position": [
        480,
        928
      ],
      "parameters": {
        "model": {
          "__rl": true,
          "mode": "id",
          "value": "gpt-4o"
        },
        "options": {
          "temperature": 0.2
        },
        "builtInTools": {}
      },
      "credentials": {
        "openAiApi": {
          "name": "<your credential>"
        }
      },
      "typeVersion": 1.3
    },
    {
      "id": "13d74fce-b83e-48f1-a26c-086d1001fbae",
      "name": "Fetch Security Logs Tool",
      "type": "n8n-nodes-base.httpRequestTool",
      "position": [
        656,
        928
      ],
      "parameters": {
        "url": "={{ $fromAI('log_endpoint', 'The internal API endpoint to fetch security logs from (e.g., /api/security/logs, /api/auth/traces, /api/anomalies)', 'string', '<__PLACEHOLDER_VALUE__internal_security_api_endpoint__>') }}",
        "options": {},
        "toolDescription": "Fetches internal security logs, authentication traces, and anomaly detection outputs from internal security systems for threat analysis"
      },
      "typeVersion": 4.4
    },
    {
      "id": "2da2ce78-fb29-4e75-a5ba-3de9bc595b79",
      "name": "Risk Score Calculator",
      "type": "@n8n/n8n-nodes-langchain.toolCalculator",
      "position": [
        816,
        928
      ],
      "parameters": {},
      "typeVersion": 1
    },
    {
      "id": "e2cb5bb0-fc19-4038-a3ae-efb935921e8b",
      "name": "Attack Surface Mapping Agent",
      "type": "@n8n/n8n-nodes-langchain.agentTool",
      "position": [
        992,
        720
      ],
      "parameters": {
        "text": "={{ $fromAI('attack_surface_task', 'The specific attack surface mapping task to perform, including network topology to analyze and STRIDE categories to focus on') }}",
        "options": {
          "systemMessage": "You are an Attack Surface Mapping and STRIDE Threat Modeling Expert. Your expertise includes: (1) Constructing network topology graphs that represent system architecture, trust boundaries, and data flows, (2) Applying STRIDE methodology to identify threats across six categories: Spoofing (identity), Tampering (data), Repudiation (actions), Information Disclosure (confidentiality), Denial of Service (availability), and Elevation of Privilege (authorization), (3) Modeling lateral movement scenarios showing how attackers could pivot through the network after initial compromise, (4) Quantifying risk using CVSS-style scoring (0-10 scale) based on exploitability, impact, and scope, (5) Identifying critical assets at risk and attack paths with highest impact. When performing attack surface analysis: map all network nodes and connections, identify trust boundaries, enumerate attack vectors for each STRIDE category, simulate realistic lateral movement paths, calculate CVSS scores for each scenario, and prioritize findings by risk severity. Use the STRIDE and CVSS tools available to you for systematic analysis."
        },
        "toolDescription": "Constructs simulated network topology graphs, models lateral movement scenarios under STRIDE methodology (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege), and quantifies risk using CVSS-style scoring. Returns comprehensive attack surface analysis with risk quantification."
      },
      "typeVersion": 3
    },
    {
      "id": "4c1bb276-d6a0-4674-a61e-d2892b5efb3c",
      "name": "Attack Surface Chat Model",
      "type": "@n8n/n8n-nodes-langchain.lmChatOpenAi",
      "position": [
        992,
        928
      ],
      "parameters": {
        "model": {
          "__rl": true,
          "mode": "id",
          "value": "gpt-4o"
        },
        "options": {
          "temperature": 0.2
        },
        "builtInTools": {}
      },
      "credentials": {
        "openAiApi": {
          "name": "<your credential>"
        }
      },
      "typeVersion": 1.3
    },
    {
      "id": "8b8e835e-9046-4b4a-9fde-771057e16863",
      "name": "STRIDE Analysis Tool",
      "type": "@n8n/n8n-nodes-langchain.toolCode",
      "position": [
        1152,
        928
      ],
      "parameters": {
        "jsCode": "const threat = $input.first().json.threat_description || \"\";\nconst strideCategories = {\n  spoofing: [],\n  tampering: [],\n  repudiation: [],\n  information_disclosure: [],\n  denial_of_service: [],\n  elevation_of_privilege: []\n};\n\nconst lowerThreat = threat.toLowerCase();\n\nif (lowerThreat.includes(\"identity\") || lowerThreat.includes(\"authentication\") || lowerThreat.includes(\"impersonat\") || lowerThreat.includes(\"credential\")) {\n  strideCategories.spoofing.push(threat);\n}\n\nif (lowerThreat.includes(\"tamper\") || lowerThreat.includes(\"modify\") || lowerThreat.includes(\"alter\") || lowerThreat.includes(\"integrity\")) {\n  strideCategories.tampering.push(threat);\n}\n\nif (lowerThreat.includes(\"log\") || lowerThreat.includes(\"audit\") || lowerThreat.includes(\"deny\") || lowerThreat.includes(\"repudiat\")) {\n  strideCategories.repudiation.push(threat);\n}\n\nif (lowerThreat.includes(\"disclosure\") || lowerThreat.includes(\"leak\") || lowerThreat.includes(\"exposure\") || lowerThreat.includes(\"confidential\") || lowerThreat.includes(\"exfiltrat\")) {\n  strideCategories.information_disclosure.push(threat);\n}\n\nif (lowerThreat.includes(\"dos\") || lowerThreat.includes(\"denial\") || lowerThreat.includes(\"availability\") || lowerThreat.includes(\"flood\") || lowerThreat.includes(\"exhaust\")) {\n  strideCategories.denial_of_service.push(threat);\n}\n\nif (lowerThreat.includes(\"privilege\") || lowerThreat.includes(\"escalat\") || lowerThreat.includes(\"authorization\") || lowerThreat.includes(\"admin\") || lowerThreat.includes(\"root\")) {\n  strideCategories.elevation_of_privilege.push(threat);\n}\n\nreturn [{ json: { threat_description: threat, stride_categories: strideCategories, analysis_timestamp: new Date().toISOString() } }];",
        "description": "Categorizes security threats using STRIDE methodology: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. Input should be a threat description or attack scenario."
      },
      "typeVersion": 1.3
    },
    {
      "id": "936ac68c-98fc-4e3d-a405-b33c7e3fdb34",
      "name": "CVSS Scoring Tool",
      "type": "@n8n/n8n-nodes-langchain.toolCode",
      "position": [
        1312,
        928
      ],
      "parameters": {
        "jsCode": "const input = $input.first().json;\n\nconst attackVector = input.attack_vector || \"network\";\nconst attackComplexity = input.attack_complexity || \"low\";\nconst privilegesRequired = input.privileges_required || \"none\";\nconst userInteraction = input.user_interaction || \"none\";\nconst scope = input.scope || \"unchanged\";\nconst confidentialityImpact = input.confidentiality_impact || \"high\";\nconst integrityImpact = input.integrity_impact || \"high\";\nconst availabilityImpact = input.availability_impact || \"high\";\n\nconst avScore = attackVector === \"network\" ? 0.85 : attackVector === \"adjacent\" ? 0.62 : attackVector === \"local\" ? 0.55 : 0.2;\nconst acScore = attackComplexity === \"low\" ? 0.77 : 0.44;\nconst prScore = privilegesRequired === \"none\" ? 0.85 : privilegesRequired === \"low\" ? 0.62 : 0.27;\nconst uiScore = userInteraction === \"none\" ? 0.85 : 0.62;\nconst scopeMultiplier = scope === \"changed\" ? 1.08 : 1.0;\n\nconst cScore = confidentialityImpact === \"high\" ? 0.56 : confidentialityImpact === \"low\" ? 0.22 : 0;\nconst iScore = integrityImpact === \"high\" ? 0.56 : integrityImpact === \"low\" ? 0.22 : 0;\nconst aScore = availabilityImpact === \"high\" ? 0.56 : availabilityImpact === \"low\" ? 0.22 : 0;\n\nconst exploitability = 8.22 * avScore * acScore * prScore * uiScore;\nconst impact = 1 - ((1 - cScore) * (1 - iScore) * (1 - aScore));\nconst impactSubScore = 6.42 * impact;\n\nlet baseScore;\nif (impact <= 0) {\n  baseScore = 0;\n} else {\n  if (scope === \"unchanged\") {\n    baseScore = Math.min(exploitability + impactSubScore, 10);\n  } else {\n    baseScore = Math.min(1.08 * (exploitability + impactSubScore), 10);\n  }\n}\n\nbaseScore = Math.round(baseScore * 10) / 10;\n\nlet severity;\nif (baseScore === 0) severity = \"None\";\nelse if (baseScore < 4.0) severity = \"Low\";\nelse if (baseScore < 7.0) severity = \"Medium\";\nelse if (baseScore < 9.0) severity = \"High\";\nelse severity = \"Critical\";\n\nreturn [{ json: { cvss_score: baseScore, severity: severity, exploitability_score: Math.round(exploitability * 10) / 10, impact_score: Math.round(impactSubScore * 10) / 10, parameters: input } }];",
        "description": "Calculates CVSS-style risk scores (0-10 scale) based on attack vector, complexity, privileges required, user interaction, scope, confidentiality impact, integrity impact, and availability impact. Input should include these parameters as a JSON object."
      },
      "typeVersion": 1.3
    },
    {
      "id": "48a13efb-69b2-41f2-b65d-f4cc265cfec4",
      "name": "Route by Risk Severity",
      "type": "n8n-nodes-base.switch",
      "position": [
        1536,
        720
      ],
      "parameters": {
        "rules": {
          "values": [
            {
              "conditions": {
                "options": {
                  "leftValue": "",
                  "caseSensitive": true,
                  "typeValidation": "strict"
                },
                "combinator": "and",
                "conditions": [
                  {
                    "operator": {
                      "type": "string",
                      "operation": "equals"
                    },
                    "leftValue": "={{ $json.overall_risk_rating }}",
                    "rightValue": "Critical"
                  }
                ]
              }
            },
            {
              "conditions": {
                "options": {
                  "leftValue": "",
                  "caseSensitive": true,
                  "typeValidation": "strict"
                },
                "combinator": "and",
                "conditions": [
                  {
                    "operator": {
                      "type": "string",
                      "operation": "equals"
                    },
                    "leftValue": "={{ $json.overall_risk_rating }}",
                    "rightValue": "High"
                  }
                ]
              }
            },
            {
              "conditions": {
                "options": {
                  "leftValue": "",
                  "caseSensitive": true,
                  "typeValidation": "strict"
                },
                "combinator": "and",
                "conditions": [
                  {
                    "operator": {
                      "type": "string",
                      "operation": "equals"
                    },
                    "leftValue": "={{ $json.overall_risk_rating }}",
                    "rightValue": "Medium"
                  }
                ]
              }
            }
          ]
        },
        "options": {}
      },
      "typeVersion": 3.4
    },
    {
      "id": "b23b2fff-6d0e-4508-b0a0-0c7a48ba41c6",
      "name": "Format SOC Alert",
      "type": "n8n-nodes-base.set",
      "position": [
        1824,
        624
      ],
      "parameters": {
        "options": {},
        "assignments": {
          "assignments": [
            {
              "id": "id-1",
              "name": "alert_type",
              "type": "string",
              "value": "CRITICAL_SECURITY_THREAT"
            },
            {
              "id": "id-2",
              "name": "timestamp",
              "type": "string",
              "value": "={{ $now.toISO() }}"
            },
            {
              "id": "id-3",
              "name": "risk_rating",
              "type": "string",
              "value": "={{ $json.output.overall_risk_rating }}"
            },
            {
              "id": "id-4",
              "name": "executive_summary",
              "type": "string",
              "value": "={{ $json.output.executive_summary }}"
            },
            {
              "id": "id-5",
              "name": "soc_actions",
              "type": "array",
              "value": "={{ JSON.stringify($json.output.soc_operational_guidance) }}"
            },
            {
              "id": "id-6",
              "name": "threat_vectors",
              "type": "array",
              "value": "={{ JSON.stringify($json.output.threat_intelligence.emerging_attack_vectors) }}"
            },
            {
              "id": "id-7",
              "name": "attack_surface",
              "type": "object",
              "value": "={{ JSON.stringify($json.output.attack_surface) }}"
            },
            {
              "id": "id-8",
              "name": "immediate_actions_required",
              "type": "array",
              "value": "={{ JSON.stringify($json.output.soc_operational_guidance.filter(action => action.priority === 'P0-Critical' || action.priority === 'P1-High')) }}"
            }
          ]
        }
      },
      "typeVersion": 3.4
    },
    {
      "id": "9ce79d98-46cf-4e79-b76a-a0bf2b3d82e3",
      "name": "Format Executive Report",
      "type": "n8n-nodes-base.set",
      "position": [
        1824,
        816
      ],
      "parameters": {
        "options": {},
        "assignments": {
          "assignments": [
            {
              "id": "id-1",
              "name": "report_type",
              "type": "string",
              "value": "EXECUTIVE_CYBERSECURITY_POSTURE"
            },
            {
              "id": "id-2",
              "name": "timestamp",
              "type": "string",
              "value": "={{ $now.toISO() }}"
            },
            {
              "id": "id-3",
              "name": "risk_rating",
              "type": "string",
              "value": "={{ $json.output.overall_risk_rating }}"
            },
            {
              "id": "id-4",
              "name": "executive_summary",
              "type": "string",
              "value": "={{ $json.output.executive_summary }}"
            },
            {
              "id": "id-5",
              "name": "overall_cvss_score",
              "type": "number",
              "value": "={{ $json.output.attack_surface.risk_quantification.overall_cvss_score }}"
            },
            {
              "id": "id-6",
              "name": "critical_assets_at_risk",
              "type": "array",
              "value": "={{ JSON.stringify($json.output.attack_surface.risk_quantification.critical_assets_at_risk) }}"
            },
            {
              "id": "id-7",
              "name": "high_priority_actions",
              "type": "array",
              "value": "={{ JSON.stringify($json.output.soc_operational_guidance.filter(action => action.priority === 'P0-Critical' || action.priority === 'P1-High').map(action => action.action)) }}"
            },
            {
              "id": "id-8",
              "name": "threat_count",
              "type": "number",
              "value": "={{ $json.output.threat_intelligence.emerging_attack_vectors.length }}"
            }
          ]
        }
      },
      "typeVersion": 3.4
    },
    {
      "id": "b8e74e2d-ef16-485b-b133-0ffa7330d5e5",
      "name": "Format Standard Report",
      "type": "n8n-nodes-base.set",
      "position": [
        1824,
        1008
      ],
      "parameters": {
        "options": {},
        "assignments": {
          "assignments": [
            {
              "id": "id-1",
              "name": "report_type",
              "type": "string",
              "value": "STANDARD_THREAT_ASSESSMENT"
            },
            {
              "id": "id-2",
              "name": "timestamp",
              "type": "string",
              "value": "={{ $now.toISO() }}"
            },
            {
              "id": "id-3",
              "name": "risk_rating",
              "type": "string",
              "value": "={{ $json.overall_risk_rating }}"
            },
            {
              "id": "id-4",
              "name": "executive_summary",
              "type": "string",
              "value": "={{ $json.executive_summary }}"
            },
            {
              "id": "id-5",
              "name": "threat_intelligence",
              "type": "object",
              "value": "={{ JSON.stringify($json.threat_intelligence) }}"
            },
            {
              "id": "id-6",
              "name": "attack_surface",
              "type": "object",
              "value": "={{ JSON.stringify($json.attack_surface) }}"
            },
            {
              "id": "id-7",
              "name": "soc_operational_guidance",
              "type": "array",
              "value": "={{ JSON.stringify($json.soc_operational_guidance) }}"
            }
          ]
        }
      },
      "typeVersion": 3.4
    },
    {
      "id": "20c8f84c-b9f0-49f6-b912-25fa97be7328",
      "name": "Sticky Note",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        192,
        80
      ],
      "parameters": {
        "width": 560,
        "height": 336,
        "content": "## How It Works\nThis workflow automates end-to-end cybersecurity threat analysis using a multi-agent AI architecture, targeting Security Operations Centre (SOC) analysts, security engineers, and IT risk teams responsible for continuous threat monitoring and incident response. The core problem it solves is the slow, fragmented process of manually correlating threat intelligence, scoring vulnerabilities, and producing actionable reports, tasks that demand both speed and consistency under pressure. A manual trigger initiates the Cybersecurity Orchestrator Agent, which coordinates two specialist sub-agents: a Threat Intelligence Agent (backed by security log fetching and risk scoring tools) and an Attack Surface Mapping Agent (leveraging STRIDE analysis and CVSS scoring tools). Each agent operates with its own chat model and memory. Outputs are parsed by a Structured Threat Report Parser, then routed by a Rules-based Risk Severity router into three report formats such as SOC Alert, Executive Report, or Standard Report, ensuring every threat is communicated at the right level of urgency to the right audience."
      },
      "typeVersion": 1
    },
    {
      "id": "dadce1b5-66ee-43da-b839-52163089203a",
      "name": "Sticky Note1",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        768,
        112
      ],
      "parameters": {
        "width": 432,
        "height": 256,
        "content": "## Setup Steps\n1. Connect your LLM API credentials to all Chat Model nodes (Orchestrator, Threat Intelligence, Attack Surface).\n2. Configure the Fetch Security Logs Tool with your SIEM or log source API credentials.\n3. Set risk threshold rules in the Risk Score Calculator node.\n4. Define STRIDE and CVSS parameters in their respective tool nodes.\n5. Set routing thresholds (e.g., CVSS \u22659 \u2192 SOC Alert, \u22656 \u2192 Executive, <6 \u2192 Standard) in Route by Risk Severity."
      },
      "typeVersion": 1
    },
    {
      "id": "386ae1fc-2b9a-435b-a9ce-79984af9c5bd",
      "name": "Sticky Note2",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        1216,
        -16
      ],
      "parameters": {
        "color": 4,
        "width": 368,
        "height": 384,
        "content": "## Prerequisites\n- LLM API key (OpenAI or compatible)\n- SIEM or security log source with API access\n- CVSS and STRIDE configuration parameters\n- Report template definitions for each severity tier\n## Use Cases\n- Auto-triage incoming vulnerability disclosures into severity-ranked reports.\n## Customisation\n- Add more routing branches (e.g., Critical, Zero-Day).\n## Benefits\n- Accelerates threat triage from hours to minutes."
      },
      "typeVersion": 1
    },
    {
      "id": "05636dee-34e9-4394-9076-908864fdce76",
      "name": "Sticky Note3",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        192,
        432
      ],
      "parameters": {
        "color": 7,
        "width": 704,
        "height": 640,
        "content": "##  Trigger, Threat Intelligence & Risk Scoring\n**What:** Threat Intelligence Agent fetches security logs and calculates risk scores.\n**Why:** Grounds AI analysis in real telemetry data, enabling evidence-based risk prioritisation.\n"
      },
      "typeVersion": 1
    },
    {
      "id": "5930bde6-cd15-4b86-af01-a7c274ed5dfe",
      "name": "Sticky Note4",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        912,
        416
      ],
      "parameters": {
        "color": 7,
        "width": 560,
        "height": 720,
        "content": "## Attack Surface Mapping\n**What:** Attack Surface Mapping Agent applies STRIDE methodology and CVSS scoring.\n**Why:** Systematically identifies exploitable vectors and assigns industry-standard severity ratings."
      },
      "typeVersion": 1
    },
    {
      "id": "3ba42550-082b-4172-9deb-351bb841c290",
      "name": "Sticky Note5",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        1488,
        416
      ],
      "parameters": {
        "color": 7,
        "height": 720,
        "content": "## Parse & Route by Severity\n**What:** Structured Threat Report Parser extracts findings; Rules router directs output by risk level.\n**Why:** Ensures outputs are structured and stakeholder-appropriate without manual triage."
      },
      "typeVersion": 1
    },
    {
      "id": "356d390f-90de-4ac2-9a02-61af59e864c2",
      "name": "Sticky Note6",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        1744,
        416
      ],
      "parameters": {
        "color": 7,
        "width": 448,
        "height": 736,
        "content": "## Format & Deliver Report\n**What:** Generates SOC Alert, Executive Report, or Standard Report based on severity routing.\n**Why:** Delivers the right level of detail to the right audience \u2014 operational, strategic, or routine."
      },
      "typeVersion": 1
    }
  ],
  "active": false,
  "settings": {
    "binaryMode": "separate",
    "executionOrder": "v1"
  },
  "versionId": "c7c263a2-ff2f-4cda-9c3d-529c908cb116",
  "connections": {
    "CVSS Scoring Tool": {
      "ai_tool": [
        [
          {
            "node": "Attack Surface Mapping Agent",
            "type": "ai_tool",
            "index": 0
          }
        ]
      ]
    },
    "STRIDE Analysis Tool": {
      "ai_tool": [
        [
          {
            "node": "Attack Surface Mapping Agent",
            "type": "ai_tool",
            "index": 0
          }
        ]
      ]
    },
    "Risk Score Calculator": {
      "ai_tool": [
        [
          {
            "node": "Threat Intelligence Agent",
            "type": "ai_tool",
            "index": 0
          }
        ]
      ]
    },
    "Start Threat Analysis": {
      "main": [
        [
          {
            "node": "Cybersecurity Orchestrator Agent",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Route by Risk Severity": {
      "main": [
        [
          {
            "node": "Format SOC Alert",
            "type": "main",
            "index": 0
          }
        ],
        [
          {
            "node": "Format Executive Report",
            "type": "main",
            "index": 0
          }
        ],
        [
          {
            "node": "Format Standard Report",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Orchestrator Chat Model": {
      "ai_languageModel": [
        [
          {
            "node": "Cybersecurity Orchestrator Agent",
            "type": "ai_languageModel",
            "index": 0
          }
        ]
      ]
    },
    "Fetch Security Logs Tool": {
      "ai_tool": [
        [
          {
            "node": "Threat Intelligence Agent",
            "type": "ai_tool",
            "index": 0
          }
        ]
      ]
    },
    "Attack Surface Chat Model": {
      "ai_languageModel": [
        [
          {
            "node": "Attack Surface Mapping Agent",
            "type": "ai_languageModel",
            "index": 0
          }
        ]
      ]
    },
    "Threat Intelligence Agent": {
      "ai_tool": [
        [
          {
            "node": "Cybersecurity Orchestrator Agent",
            "type": "ai_tool",
            "index": 0
          }
        ]
      ]
    },
    "Attack Surface Mapping Agent": {
      "ai_tool": [
        [
          {
            "node": "Cybersecurity Orchestrator Agent",
            "type": "ai_tool",
            "index": 0
          }
        ]
      ]
    },
    "Threat Intelligence Chat Model": {
      "ai_languageModel": [
        [
          {
            "node": "Threat Intelligence Agent",
            "type": "ai_languageModel",
            "index": 0
          }
        ]
      ]
    },
    "Structured Threat Report Parser": {
      "ai_outputParser": [
        [
          {
            "node": "Cybersecurity Orchestrator Agent",
            "type": "ai_outputParser",
            "index": 0
          }
        ]
      ]
    },
    "Cybersecurity Orchestrator Agent": {
      "main": [
        [
          {
            "node": "Route by Risk Severity",
            "type": "main",
            "index": 0
          }
        ]
      ]
    }
  }
}

Credentials you'll need

Each integration node will prompt for credentials when you import. We strip credential IDs before publishing — you'll add your own.


Source: https://n8n.io/workflows/14410/ — original creator credit.
