Oneclick AI Squad 
This workflow corresponds to n8n.io template #10594 — we link there as the canonical source.
This workflow follows the Agent → Emailsend recipe pattern — see all workflows that pair these two integrations.
The workflow JSON
Copy or download the full n8n JSON below. Paste it into a new n8n workflow, add your credentials, activate. Full import guide →
{
"id": "ofae32o3DH2ZXfYs",
"meta": {
"templateCredsSetupCompleted": true
},
"name": "Cybersecurity Vulnerability Management System with GPT-4 AI",
"tags": [],
"nodes": [
{
"id": "d8c55c54-efca-44dc-9584-abe4cb9f1efd",
"name": "Sticky Note",
"type": "n8n-nodes-base.stickyNote",
"position": [
0,
0
],
"parameters": {
"width": 780,
"height": 1400,
"content": "## Cybersecurity Vulnerability Management System with GPT-4 AI\n\nAutomates the full vulnerability lifecycle \u2014 from scheduled scanning and data aggregation to intelligent prioritization, ticket creation, real-time alerting, weekly reporting, and centralized tracking. Ensures critical vulnerabilities are patched quickly while maintaining audit-ready logs and executive visibility.\n\n### How it works\n\n1. **Dual Trigger** - Scheduled daily scans at 6 AM + on-demand webhook for emergency scans\n2. **Multi-Scanner Aggregation** - Pulls findings from Nessus, Qualys, and custom scanner APIs in parallel\n3. **Normalize & Deduplicate** - Unifies scan results into a standard CVE schema, removes duplicates\n4. **GPT-4 Risk Prioritization** - AI enriches each vuln with exploitability context, business impact, and remediation urgency\n5. **Severity Gate** - Routes Critical/High vulns to expedited track; Medium/Low to standard queue\n6. **Jira Ticket Creation** - Auto-creates structured remediation tickets with SLA-based due dates\n7. **Real-Time Alerting** - Sends Slack alerts for Critical vulns and email digests for High findings\n8. **Patch Verification** - Checks remediation status against scanner re-scan results\n9. **Weekly Executive Report** - Generates CISO-ready KPI summary and sends to leadership\n10. **Audit Log** - Writes immutable compliance log to Google Sheets for SOC2/ISO 27001\n\n### Setup Steps\n\n1. Import workflow into n8n\n2. Configure credentials:\n - **OpenAI API** \u2014 GPT-4o for risk prioritization\n - **Jira API** \u2014 Ticket creation and tracking\n - **Slack** \u2014 Critical vulnerability alerts\n - **Google Sheets** \u2014 Vulnerability registry and audit log\n - **SMTP / Gmail** \u2014 Executive and team email reports\n3. Set your scanner API endpoints and tokens in aggregation nodes\n4. Configure Jira project key and SLA thresholds\n5. Set Slack channel IDs for security team alerts\n6. Schedule weekly report trigger to your preferred day/time\n7. Activate both the scheduled and webhook triggers\n\n### CVE Severity SLA Targets\n- \ud83d\udd34 **CRITICAL (CVSS 9.0\u201310.0)** \u2014 Patch within 24 hours\n- \ud83d\udfe0 **HIGH (CVSS 7.0\u20138.9)** \u2014 Patch within 7 days\n- \ud83d\udfe1 **MEDIUM (CVSS 4.0\u20136.9)** \u2014 Patch within 30 days\n- \ud83d\udfe2 **LOW (CVSS 0.1\u20133.9)** \u2014 Patch within 90 days\n\n### Sample Scanner Payload (Nessus)\n```json\n{\n \"scanId\": \"SCAN-2025-0042\",\n \"scanner\": \"nessus\",\n \"targetHost\": \"192.168.1.105\",\n \"hostName\": \"prod-db-01\",\n \"cveId\": \"CVE-2024-21413\",\n \"cvssScore\": 9.8,\n \"pluginId\": \"212105\",\n \"description\": \"Microsoft Outlook RCE vulnerability\"\n}\n```\n\n### Features\n- **Multi-scanner normalization** \u2014 Nessus, Qualys, and custom scanners unified\n- **AI-powered exploit context** \u2014 GPT-4 adds CISA KEV status, weaponization likelihood\n- **SLA-driven Jira tickets** \u2014 auto-assigns, sets due dates, links CVE details\n- **Executive KPI dashboard** \u2014 weekly metrics: MTTD, MTTR, patch compliance rate\n- **Audit-ready log** \u2014 every vuln tracked from detection to closure"
},
"typeVersion": 1
},
{
"id": "ea074a48-e8a1-46d0-b5f8-7576723a096b",
"name": "Sticky Note1",
"type": "n8n-nodes-base.stickyNote",
"position": [
804,
712
],
"parameters": {
"color": 4,
"width": 424,
"height": 488,
"content": "## 1. Trigger & Multi-Scanner Aggregation"
},
"typeVersion": 1
},
{
"id": "d5725697-60f4-43d5-bb96-4e985ccc3136",
"name": "Sticky Note2",
"type": "n8n-nodes-base.stickyNote",
"position": [
1280,
624
],
"parameters": {
"color": 4,
"width": 604,
"height": 684,
"content": "## 2. Normalize, Dedup & GPT-4 Risk Prioritization"
},
"typeVersion": 1
},
{
"id": "47311611-cd01-4e4d-86af-7253c7293a24",
"name": "Sticky Note3",
"type": "n8n-nodes-base.stickyNote",
"position": [
1936,
624
],
"parameters": {
"color": 4,
"width": 720,
"height": 732,
"content": "## 3. Severity Routing, Ticketing & Real-Time Alerting"
},
"typeVersion": 1
},
{
"id": "c34c7c58-ce67-4a97-bee9-aa1ef897535b",
"name": "Sticky Note4",
"type": "n8n-nodes-base.stickyNote",
"position": [
2704,
544
],
"parameters": {
"color": 4,
"width": 972,
"height": 796,
"content": "## 4. Patch Verification, Weekly Reporting & Audit Log"
},
"typeVersion": 1
},
{
"id": "91069cf6-319d-40d3-901d-5e74b91411fd",
"name": "Daily Scan Schedule \u2014 6 AM",
"type": "n8n-nodes-base.scheduleTrigger",
"position": [
848,
832
],
"parameters": {
"rule": {
"interval": [
{
"field": "cronExpression",
"expression": "0 6 * * *"
}
]
}
},
"typeVersion": 1.2
},
{
"id": "4e0ec674-f5c1-4780-9bd8-992d5fb4a9e1",
"name": "On-Demand Emergency Scan Webhook",
"type": "n8n-nodes-base.webhook",
"position": [
848,
1024
],
"parameters": {
"path": "vuln-scan",
"options": {},
"httpMethod": "POST",
"responseMode": "responseNode"
},
"typeVersion": 2
},
{
"id": "e9229d14-955f-4f9e-b4b4-4cf0beeeaede",
"name": "Merge Scan Triggers",
"type": "n8n-nodes-base.merge",
"position": [
1072,
880
],
"parameters": {
"mode": "mergeByPosition"
},
"typeVersion": 3
},
{
"id": "e6cb5d11-ab5a-436a-b4b5-03ea4c37db13",
"name": "Build Scan Context",
"type": "n8n-nodes-base.code",
"position": [
1296,
880
],
"parameters": {
"mode": "runOnceForEachItem",
"jsCode": "// Build a unified scan session context from either trigger\nconst body = $input.item.json?.body || $input.item.json || {};\n\nconst scanSession = {\n scanSessionId: `VSCAN-${Date.now()}-${Math.random().toString(36).substr(2, 8).toUpperCase()}`,\n scanType: body.scanType || 'scheduled',\n priority: body.priority || 'normal',\n requestedBy: body.requestedBy || 'scheduler',\n targetScope: body.targetScope || 'all',\n targetHosts: body.targetHosts || [],\n includeScanners: body.includeScanners || ['nessus', 'qualys', 'custom'],\n minCvssThreshold: parseFloat(body.minCvssThreshold) || 0.0,\n initiatedAt: new Date().toISOString(),\n environment: body.environment || 'production'\n};\n\nreturn { json: { scanSession } };"
},
"typeVersion": 2
},
{
"id": "696a0df6-9c68-4ffb-8358-6b23eb0ef20f",
"name": "Fetch Nessus Scan Results",
"type": "n8n-nodes-base.httpRequest",
"position": [
1520,
736
],
"parameters": {
"url": "https://YOUR_NESSUS_HOST:8834/scans/latest/export",
"options": {
"timeout": 30000
},
"sendQuery": true,
"sendHeaders": true,
"queryParameters": {
"parameters": [
{
"name": "limit",
"value": "500"
},
{
"name": "severity",
"value": "critical,high,medium,low"
}
]
},
"headerParameters": {
"parameters": [
{
"name": "X-ApiKeys",
"value": "accessKey=YOUR_NESSUS_ACCESS_KEY; secretKey=YOUR_NESSUS_SECRET_KEY"
},
{
"name": "Content-Type",
"value": "application/json"
}
]
}
},
"typeVersion": 4.2,
"continueOnFail": true
},
{
"id": "61dacc7c-1bb1-421e-86a1-1535842acee3",
"name": "Fetch Qualys Scan Results",
"type": "n8n-nodes-base.httpRequest",
"position": [
1520,
928
],
"parameters": {
"url": "https://qualysapi.qualys.com/api/2.0/fo/asset/host/vm/detection/",
"method": "POST",
"options": {
"timeout": 30000
},
"sendBody": true,
"sendHeaders": true,
"specifyBody": "formUrlEncoded",
"headerParameters": {
"parameters": [
{
"name": "X-Requested-With",
"value": "n8n-vuln-mgmt"
},
{
"name": "Authorization",
"value": "Basic YOUR_QUALYS_BASE64_CREDENTIALS"
}
]
}
},
"typeVersion": 4.2,
"continueOnFail": true
},
{
"id": "d42250d1-7bbf-4396-8ea5-20598fcc41f8",
"name": "Fetch Custom Scanner Results",
"type": "n8n-nodes-base.httpRequest",
"position": [
1520,
1120
],
"parameters": {
"url": "https://YOUR_CUSTOM_SCANNER_API/v1/vulnerabilities",
"options": {
"timeout": 20000
},
"sendQuery": true,
"sendHeaders": true,
"queryParameters": {
"parameters": [
{
"name": "status",
"value": "open"
},
{
"name": "limit",
"value": "500"
}
]
},
"headerParameters": {
"parameters": [
{
"name": "Authorization",
"value": "Bearer YOUR_TOKEN_HERE"
},
{
"name": "Content-Type",
"value": "application/json"
}
]
}
},
"typeVersion": 4.2,
"continueOnFail": true
},
{
"id": "814df596-4fd8-45ae-bacc-1f6b5883e2ff",
"name": "Normalize and Deduplicate Findings",
"type": "n8n-nodes-base.code",
"position": [
1744,
880
],
"parameters": {
"jsCode": "const scanSession = $('Build Scan Context').first().json.scanSession;\nconst nessusRaw = $('Fetch Nessus Scan Results').all().map(i => i.json);\nconst qualysRaw = $('Fetch Qualys Scan Results').all().map(i => i.json);\nconst customRaw = $('Fetch Custom Scanner Results').all().map(i => i.json);\n\n// ---- Normalize Nessus findings ----\nconst nessusFindings = (nessusRaw[0]?.vulnerabilities || nessusRaw[0]?.findings || []).map(v => ({\n source: 'nessus',\n cveId: v.cve || v.cveId || v.plugin_id || 'NO-CVE',\n pluginId: v.plugin_id || v.pluginId || null,\n hostIp: v.host_ip || v.ip || 'unknown',\n hostName: v.hostname || v.hostName || v.host_ip || 'unknown',\n port: v.port || null,\n protocol: v.protocol || null,\n cvssScore: parseFloat(v.cvss_base_score || v.cvssScore || v.severity_index || 0),\n cvssVector: v.cvss_vector || null,\n severity: v.severity || (v.cvss_base_score >= 9 ? 'CRITICAL' : v.cvss_base_score >= 7 ? 'HIGH' : v.cvss_base_score >= 4 ? 'MEDIUM' : 'LOW'),\n title: v.plugin_name || v.title || v.description || 'Unknown Vulnerability',\n description: v.description || v.synopsis || '',\n solution: v.solution || '',\n firstSeen: v.first_seen || new Date().toISOString(),\n lastSeen: v.last_seen || new Date().toISOString(),\n assetCriticality: v.asset_criticality || 'medium'\n}));\n\n// ---- Normalize Qualys findings ----\nconst qualysFindings = (qualysRaw[0]?.HOST_LIST?.HOST || []).flatMap(host => {\n const detections = host.DETECTION_LIST?.DETECTION || [];\n return (Array.isArray(detections) ? detections : [detections]).map(d => ({\n source: 'qualys',\n cveId: d.CVE_LIST?.CVE?.[0]?.ID || d.QID || 'NO-CVE',\n pluginId: d.QID || null,\n hostIp: host.IP || 'unknown',\n hostName: host.DNS || host.IP || 'unknown',\n port: d.PORT || null,\n protocol: d.PROTOCOL || null,\n cvssScore: parseFloat(d.CVSS_FINAL || d.CVSS3_FINAL || 0),\n cvssVector: null,\n severity: d.SEVERITY === '5' ? 'CRITICAL' : d.SEVERITY === '4' ? 'HIGH' : d.SEVERITY === '3' ? 'MEDIUM' : 'LOW',\n title: d.RESULTS || 'Qualys Finding',\n description: d.RESULTS || '',\n solution: '',\n firstSeen: d.FIRST_FOUND_DATETIME || new Date().toISOString(),\n lastSeen: d.LAST_FOUND_DATETIME || new Date().toISOString(),\n assetCriticality: 'medium'\n }));\n});\n\n// ---- Normalize Custom scanner findings ----\nconst customFindings = (customRaw[0]?.data || customRaw[0]?.vulnerabilities || customRaw || []).map(v => ({\n source: 'custom',\n cveId: v.cveId || v.cve_id || v.identifier || 'NO-CVE',\n pluginId: v.checkId || v.pluginId || null,\n hostIp: v.hostIp || v.ip_address || 'unknown',\n hostName: v.hostName || v.hostname || 'unknown',\n port: v.port || null,\n protocol: v.protocol || null,\n cvssScore: parseFloat(v.cvssScore || v.cvss || 0),\n cvssVector: v.cvssVector || null,\n severity: v.severity?.toUpperCase() || 'LOW',\n title: v.title || v.name || 'Custom Finding',\n description: v.description || '',\n solution: v.remediation || v.solution || '',\n firstSeen: v.firstDetected || new Date().toISOString(),\n lastSeen: v.lastDetected || new Date().toISOString(),\n assetCriticality: v.assetCriticality || 'medium'\n}));\n\n// ---- Merge all ----\nconst allFindings = [...nessusFindings, ...qualysFindings, ...customFindings];\n\n// ---- Deduplicate by cveId + hostIp ----\nconst seen = new Set();\nconst deduped = allFindings.filter(f => {\n const key = `${f.cveId}::${f.hostIp}::${f.port || 'any'}`;\n if (seen.has(key)) return false;\n seen.add(key);\n return true;\n});\n\n// ---- Apply CVSS severity normalization ----\nconst normalized = deduped.map(f => {\n const score = f.cvssScore;\n const severity = score >= 9.0 ? 'CRITICAL' : score >= 7.0 ? 'HIGH' : score >= 4.0 ? 'MEDIUM' : 'LOW';\n return {\n ...f,\n severity,\n vulnId: `VID-${Date.now()}-${Math.random().toString(36).substr(2, 6).toUpperCase()}`,\n scanSessionId: scanSession.scanSessionId,\n detectedAt: new Date().toISOString(),\n status: 'OPEN'\n };\n});\n\n// Filter by configured threshold\nconst filtered = normalized.filter(f => f.cvssScore >= scanSession.minCvssThreshold);\n\nconst stats = {\n total: filtered.length,\n critical: filtered.filter(f => f.severity === 'CRITICAL').length,\n high: filtered.filter(f => f.severity === 'HIGH').length,\n medium: filtered.filter(f => f.severity === 'MEDIUM').length,\n low: filtered.filter(f => f.severity === 'LOW').length,\n fromNessus: nessusFindings.length,\n fromQualys: qualysFindings.length,\n fromCustom: customFindings.length,\n duplicatesRemoved: allFindings.length - deduped.length\n};\n\nreturn filtered.map(vuln => ({ json: { scanSession, vuln, stats } }));"
},
"typeVersion": 2
},
{
"id": "9bc2b04c-de46-4686-acb4-64d92bfc794a",
"name": "GPT-4 AI Risk Prioritization",
"type": "@n8n/n8n-nodes-langchain.agent",
"position": [
1968,
880
],
"parameters": {
"text": "=You are a senior offensive security researcher and vulnerability risk analyst with expertise in CVE analysis, CVSS scoring, CISA KEV tracking, and enterprise risk management.\n\nAnalyze this vulnerability finding and provide an AI-enriched risk prioritization assessment.\n\n**Vulnerability Details:**\n- CVE ID: {{ $json.vuln.cveId }}\n- Title: {{ $json.vuln.title }}\n- Description: {{ $json.vuln.description }}\n- CVSS Score: {{ $json.vuln.cvssScore }}\n- CVSS Vector: {{ $json.vuln.cvssVector || 'Not provided' }}\n- Severity: {{ $json.vuln.severity }}\n- Affected Host: {{ $json.vuln.hostName }} ({{ $json.vuln.hostIp }})\n- Port/Protocol: {{ $json.vuln.port || 'N/A' }}/{{ $json.vuln.protocol || 'N/A' }}\n- Asset Criticality: {{ $json.vuln.assetCriticality }}\n- Scanner Source: {{ $json.vuln.source }}\n- First Seen: {{ $json.vuln.firstSeen }}\n- Environment: {{ $json.scanSession.environment }}\n\n**Session Context:**\n- Scan Session: {{ $json.scanSession.scanSessionId }}\n- Scan Type: {{ $json.scanSession.scanType }}\n- Total Findings This Session: {{ $json.stats.total }} ({{ $json.stats.critical }} Critical, {{ $json.stats.high }} High)\n\n**Risk Analysis Tasks:**\n1. Assess if this CVE is in CISA's Known Exploited Vulnerabilities (KEV) catalog\n2. Determine weaponization status \u2014 is exploit code publicly available (Metasploit, ExploitDB, PoC)?\n3. Assess exploitability in the wild vs theoretical exploit complexity\n4. Factor in asset criticality and network exposure for business impact\n5. Recommend a priority tier beyond raw CVSS score\n6. Suggest specific remediation steps with patch/mitigation guidance\n7. Estimate remediation complexity and time\n8. Flag any compensating controls that could reduce risk temporarily\n9. Assess if this could be part of a known attack chain or campaign\n10. Generate Jira ticket title and description\n\n**Response Format (JSON only, no markdown):**\n{\n \"aiRiskScore\": 94,\n \"priorityTier\": \"P1-CRITICAL | P2-HIGH | P3-MEDIUM | P4-LOW\",\n \"cisakevStatus\": \"confirmed | possible | not_listed\",\n \"exploitAvailable\": true,\n \"exploitSources\": [\"Metasploit\", \"ExploitDB\"],\n \"exploitabilityInWild\": \"active | limited | theoretical\",\n \"weaponizationLikelihood\": \"high | medium | low\",\n \"businessImpact\": \"critical | high | medium | low\",\n \"businessImpactRationale\": \"Why this matters to the business specifically\",\n \"attackVector\": \"network | adjacent | local | physical\",\n \"isPartOfKnownCampaign\": false,\n \"campaignDetails\": null,\n \"remediationSteps\": [\n \"Step 1: Apply patch MS24-001 immediately\",\n \"Step 2: Verify patch deployment\",\n \"Step 3: Rescan to confirm closure\"\n ],\n \"compensatingControls\": [\"Block port 445 at perimeter\", \"Enable IDS signature X\"],\n \"remediationComplexity\": \"low | medium | high\",\n \"estimatedRemediationHours\": 2,\n \"slaDays\": 1,\n \"jiraTicketTitle\": \"[CRITICAL] CVE-XXXX-XXXX \u2014 Brief description on hostname\",\n \"jiraDescription\": \"Full Jira ticket description with all relevant context for the patching team\",\n \"executiveSummary\": \"One sentence non-technical summary for leadership\",\n \"falsePositiveLikelihood\": \"low | medium | high\",\n \"recommendedAction\": \"PATCH_IMMEDIATELY | PATCH_SCHEDULED | MITIGATE | ACCEPT_RISK | INVESTIGATE_FURTHER\"\n}",
"options": {
"systemMessage": "You are a senior vulnerability risk analyst. Respond with valid JSON only \u2014 no markdown, no code blocks, no preamble. Be precise about CVE details, exploit availability, and business risk. Always provide actionable remediation guidance."
},
"promptType": "define"
},
"typeVersion": 1.6
},
{
"id": "76b348c6-3a44-4a6e-bdda-9dace84d0177",
"name": "GPT-4o Model",
"type": "@n8n/n8n-nodes-langchain.lmChatOpenAi",
"position": [
2040,
1104
],
"parameters": {
"model": "=gpt-4o",
"options": {
"maxTokens": 2000,
"temperature": 0.1
}
},
"credentials": {
"openAiApi": {
"name": "<your credential>"
}
},
"typeVersion": 1
},
{
"id": "47f7dc68-02c5-446e-9462-0aea235ebd77",
"name": "Parse GPT-4 Risk Assessment",
"type": "n8n-nodes-base.code",
"position": [
2320,
880
],
"parameters": {
"mode": "runOnceForEachItem",
"jsCode": "const aiResponse = $input.item.json;\nlet aiText = aiResponse.response || aiResponse.output || aiResponse.text || '';\nif (aiResponse.content && Array.isArray(aiResponse.content)) {\n aiText = aiResponse.content[0]?.text || aiResponse.content[0]?.message?.content || '';\n}\nconst clean = aiText.replace(/```json\\s*/g,'').replace(/```\\s*/g,'').trim();\n\nlet riskAssessment;\ntry { riskAssessment = JSON.parse(clean); }\ncatch(e) { throw new Error(`GPT-4 parse failed: ${e.message}. Raw: ${clean.substring(0,200)}`); }\n\n// Reconstruct full vuln record from upstream\nconst upstream = $('Normalize and Deduplicate Findings').item.json;\n\n// SLA due date calculation\nconst slaDays = riskAssessment.slaDays || (riskAssessment.priorityTier === 'P1-CRITICAL' ? 1 : riskAssessment.priorityTier === 'P2-HIGH' ? 7 : riskAssessment.priorityTier === 'P3-MEDIUM' ? 30 : 90);\nconst dueDate = new Date(Date.now() + slaDays * 24 * 60 * 60 * 1000).toISOString();\n\nreturn {\n json: {\n scanSession: upstream.scanSession,\n vuln: upstream.vuln,\n stats: upstream.stats,\n riskAssessment,\n slaDays,\n dueDate,\n isCriticalOrHigh: ['CRITICAL', 'HIGH'].includes(upstream.vuln.severity),\n isCritical: upstream.vuln.severity === 'CRITICAL',\n enrichedAt: new Date().toISOString()\n }\n};"
},
"typeVersion": 2
},
{
"id": "683aefec-c06a-4ffb-a2c7-e70d61921b7c",
"name": "Severity Gate \u2014 Critical/High vs Medium/Low",
"type": "n8n-nodes-base.if",
"position": [
2544,
880
],
"parameters": {
"options": {},
"conditions": {
"options": {
"caseSensitive": false,
"typeValidation": "strict"
},
"combinator": "or",
"conditions": [
{
"operator": {
"type": "string",
"operation": "equals"
},
"leftValue": "={{ $json.vuln.severity }}",
"rightValue": "CRITICAL"
},
{
"operator": {
"type": "string",
"operation": "equals"
},
"leftValue": "={{ $json.vuln.severity }}",
"rightValue": "HIGH"
}
]
}
},
"typeVersion": 2
},
{
"id": "fd90cc74-64ea-4281-b060-42f7e4f9eb55",
"name": "Create Jira Ticket \u2014 Critical/High",
"type": "n8n-nodes-base.httpRequest",
"position": [
2768,
736
],
"parameters": {
"url": "https://YOUR_JIRA_DOMAIN.atlassian.net/rest/api/3/issue",
"method": "POST",
"options": {
"timeout": 15000
},
"jsonBody": "={\n \"fields\": {\n \"project\": { \"key\": \"SEC\" },\n \"summary\": \"{{ $json.riskAssessment.jiraTicketTitle }}\",\n \"description\": {\n \"type\": \"doc\",\n \"version\": 1,\n \"content\": [{\n \"type\": \"paragraph\",\n \"content\": [{ \"type\": \"text\", \"text\": \"{{ $json.riskAssessment.jiraDescription }}\" }]\n }]\n },\n \"issuetype\": { \"name\": \"Security Vulnerability\" },\n \"priority\": { \"name\": \"{{ $json.vuln.severity === 'CRITICAL' ? 'Highest' : 'High' }}\" },\n \"duedate\": \"{{ $json.dueDate.substring(0, 10) }}\",\n \"labels\": [\"vulnerability\", \"{{ $json.vuln.severity.toLowerCase() }}\", \"{{ $json.vuln.source }}\", \"cvss-{{ Math.floor($json.vuln.cvssScore) }}\"],\n \"customfield_10015\": \"{{ $json.dueDate.substring(0, 10) }}\",\n \"customfield_10016\": {{ $json.slaDays }},\n \"customfield_10020\": { \"id\": \"1\" }\n }\n}",
"sendBody": true,
"sendHeaders": true,
"specifyBody": "json",
"headerParameters": {
"parameters": [
{
"name": "Authorization",
"value": "Basic YOUR_JIRA_BASE64_TOKEN"
},
{
"name": "Content-Type",
"value": "application/json"
}
]
}
},
"typeVersion": 4.2,
"continueOnFail": true
},
{
"id": "3ebbf353-7bc3-498a-a3b4-57914b0d6e6f",
"name": "Create Jira Ticket \u2014 Medium/Low",
"type": "n8n-nodes-base.httpRequest",
"position": [
2768,
928
],
"parameters": {
"url": "https://YOUR_JIRA_DOMAIN.atlassian.net/rest/api/3/issue",
"method": "POST",
"options": {
"timeout": 15000
},
"jsonBody": "={\n \"fields\": {\n \"project\": { \"key\": \"SEC\" },\n \"summary\": \"{{ $json.riskAssessment.jiraTicketTitle }}\",\n \"description\": {\n \"type\": \"doc\",\n \"version\": 1,\n \"content\": [{\n \"type\": \"paragraph\",\n \"content\": [{ \"type\": \"text\", \"text\": \"{{ $json.riskAssessment.jiraDescription }}\" }]\n }]\n },\n \"issuetype\": { \"name\": \"Security Vulnerability\" },\n \"priority\": { \"name\": \"{{ $json.vuln.severity === 'MEDIUM' ? 'Medium' : 'Low' }}\" },\n \"duedate\": \"{{ $json.dueDate.substring(0, 10) }}\",\n \"labels\": [\"vulnerability\", \"{{ $json.vuln.severity.toLowerCase() }}\", \"{{ $json.vuln.source }}\"]\n }\n}",
"sendBody": true,
"sendHeaders": true,
"specifyBody": "json",
"headerParameters": {
"parameters": [
{
"name": "Authorization",
"value": "Basic YOUR_JIRA_BASE64_TOKEN"
},
{
"name": "Content-Type",
"value": "application/json"
}
]
}
},
"typeVersion": 4.2,
"continueOnFail": true
},
{
"id": "46f6f83b-6067-4368-a97b-6f0a233d8c43",
"name": "Slack Alert \u2014 Critical Vulnerabilities",
"type": "n8n-nodes-base.httpRequest",
"position": [
2768,
1120
],
"parameters": {
"url": "https://hooks.slack.com/services/YOUR_SLACK_WEBHOOK_PATH",
"method": "POST",
"options": {
"timeout": 10000
},
"jsonBody": "={\n \"channel\": \"#security-critical\",\n \"username\": \"VulnBot\",\n \"icon_emoji\": \":rotating_light:\",\n \"blocks\": [\n {\n \"type\": \"header\",\n \"text\": { \"type\": \"plain_text\", \"text\": \"\ud83d\udea8 CRITICAL VULNERABILITY DETECTED\", \"emoji\": true }\n },\n {\n \"type\": \"section\",\n \"fields\": [\n { \"type\": \"mrkdwn\", \"text\": \"*CVE ID:*\\n{{ $json.vuln.cveId }}\" },\n { \"type\": \"mrkdwn\", \"text\": \"*CVSS Score:*\\n{{ $json.vuln.cvssScore }} / 10\" },\n { \"type\": \"mrkdwn\", \"text\": \"*Host:*\\n{{ $json.vuln.hostName }} ({{ $json.vuln.hostIp }})\" },\n { \"type\": \"mrkdwn\", \"text\": \"*SLA Deadline:*\\n{{ $json.dueDate.substring(0, 10) }}\" },\n { \"type\": \"mrkdwn\", \"text\": \"*AI Risk Score:*\\n{{ $json.riskAssessment.aiRiskScore }}/100\" },\n { \"type\": \"mrkdwn\", \"text\": \"*Exploit Available:*\\n{{ $json.riskAssessment.exploitAvailable ? '\u26a0\ufe0f YES \u2014 ' + ($json.riskAssessment.exploitSources || []).join(', ') : '\u2705 No public exploit' }}\" },\n { \"type\": \"mrkdwn\", \"text\": \"*CISA KEV:*\\n{{ $json.riskAssessment.cisakevStatus }}\" },\n { \"type\": \"mrkdwn\", \"text\": \"*Priority Tier:*\\n{{ $json.riskAssessment.priorityTier }}\" }\n ]\n },\n {\n \"type\": \"section\",\n \"text\": { \"type\": \"mrkdwn\", \"text\": \"*Vulnerability:*\\n{{ $json.vuln.title }}\" }\n },\n {\n \"type\": \"section\",\n \"text\": { \"type\": \"mrkdwn\", \"text\": \"*Executive Summary:*\\n{{ $json.riskAssessment.executiveSummary }}\" }\n },\n {\n \"type\": \"section\",\n \"text\": { \"type\": \"mrkdwn\", \"text\": \"*Recommended Action:*\\n{{ $json.riskAssessment.recommendedAction }}\" }\n },\n {\n \"type\": \"context\",\n \"elements\": [{ \"type\": \"mrkdwn\", \"text\": \"Scan Session: {{ $json.scanSession.scanSessionId }} | Vuln ID: {{ $json.vuln.vulnId }} | Detected: {{ $json.vuln.detectedAt }}\" }]\n }\n ]\n}",
"sendBody": true,
"sendHeaders": true,
"specifyBody": "json",
"headerParameters": {
"parameters": [
{
"name": "Content-Type",
"value": "application/json"
}
]
}
},
"typeVersion": 4.2,
"continueOnFail": true
},
{
"id": "c29fa39d-dc9d-4fc1-bbbb-9e7e976a02de",
"name": "Merge Post-Routing Paths",
"type": "n8n-nodes-base.merge",
"position": [
2992,
928
],
"parameters": {
"mode": "mergeByPosition"
},
"typeVersion": 3
},
{
"id": "e5cb83ec-08a5-483b-a3a5-0f37b5574cf1",
"name": "Store to Vulnerability Registry",
"type": "n8n-nodes-base.googleSheets",
"position": [
3216,
640
],
"parameters": {
"columns": {
"value": {},
"schema": [],
"mappingMode": "autoMapInputData",
"matchingColumns": [],
"attemptToConvertTypes": false,
"convertFieldsToString": false
},
"options": {},
"operation": "append",
"sheetName": {
"__rl": true,
"mode": "id",
"value": "="
},
"documentId": {
"__rl": true,
"mode": "id",
"value": "="
},
"authentication": "serviceAccount"
},
"credentials": {
"googleApi": {
"name": "<your credential>"
}
},
"typeVersion": 4.5,
"continueOnFail": true
},
{
"id": "5fcf5b0a-b358-40dc-8441-7a0e7dac3896",
"name": "Check Patch Status in Registry",
"type": "n8n-nodes-base.googleSheets",
"position": [
3216,
880
],
"parameters": {
"options": {},
"sheetName": {
"__rl": true,
"mode": "id",
"value": "="
},
"documentId": {
"__rl": true,
"mode": "id",
"value": "="
},
"authentication": "serviceAccount"
},
"credentials": {
"googleApi": {
"name": "<your credential>"
}
},
"typeVersion": 4.5,
"continueOnFail": true
},
{
"id": "593bf583-e664-4c25-9bc4-f6828fb3c834",
"name": "Email High Severity Digest",
"type": "n8n-nodes-base.emailSend",
"position": [
3216,
1072
],
"parameters": {
"options": {},
"subject": "=[{{ $json.vuln.severity }}] Vulnerability Alert \u2014 {{ $json.vuln.cveId }} on {{ $json.vuln.hostName }} | CVSS {{ $json.vuln.cvssScore }}",
"toEmail": "=",
"fromEmail": "="
},
"credentials": {
"smtp": {
"name": "<your credential>"
}
},
"typeVersion": 2.1,
"continueOnFail": true
},
{
"id": "58bebd3c-879a-4070-b60c-4451c462d700",
"name": "Weekly Report Schedule \u2014 Monday 7 AM",
"type": "n8n-nodes-base.scheduleTrigger",
"position": [
880,
80
],
"parameters": {
"rule": {
"interval": [
{
"field": "cronExpression",
"expression": "0 7 * * 1"
}
]
}
},
"typeVersion": 1.2
},
{
"id": "83fca6a1-ea20-4592-a900-85496d3c48d1",
"name": "Fetch Weekly Vuln Data for Report",
"type": "n8n-nodes-base.googleSheets",
"position": [
1104,
80
],
"parameters": {
"options": {},
"sheetName": {
"__rl": true,
"mode": "id",
"value": "="
},
"documentId": {
"__rl": true,
"mode": "id",
"value": "="
}
},
"credentials": {
"googleSheetsOAuth2Api": {
"name": "<your credential>"
}
},
"typeVersion": 4.5,
"continueOnFail": true
},
{
"id": "719534e9-b4dc-4c88-8fef-d63bf79ab18b",
"name": "Build Weekly Executive Report",
"type": "n8n-nodes-base.code",
"position": [
1312,
80
],
"parameters": {
"jsCode": "const allVulns = $input.all().map(i => i.json);\nconst now = new Date();\nconst oneWeekAgo = new Date(now.getTime() - 7 * 24 * 60 * 60 * 1000);\n\n// Filter vulns detected this week\nconst weekVulns = allVulns.filter(v => v.detectedAt && new Date(v.detectedAt) >= oneWeekAgo);\n\n// Stats\nconst total = weekVulns.length;\nconst critical = weekVulns.filter(v => v.severity === 'CRITICAL');\nconst high = weekVulns.filter(v => v.severity === 'HIGH');\nconst medium = weekVulns.filter(v => v.severity === 'MEDIUM');\nconst low = weekVulns.filter(v => v.severity === 'LOW');\nconst patched = weekVulns.filter(v => v.status === 'PATCHED');\nconst open = weekVulns.filter(v => v.status === 'OPEN');\nconst overdue = open.filter(v => v.dueDate && new Date(v.dueDate) < now);\nconst withExploit = weekVulns.filter(v => String(v.exploitAvailable).toLowerCase() === 'true');\nconst kevConfirmed = weekVulns.filter(v => v.cisakevStatus === 'confirmed');\n\n// SLA compliance rate\nconst slaCompliant = patched.filter(v => {\n const closedDate = v.closedAt ? new Date(v.closedAt) : null;\n const dueDate = v.dueDate ? new Date(v.dueDate) : null;\n return closedDate && dueDate && closedDate <= dueDate;\n}).length;\nconst slaComplianceRate = patched.length > 0 ? Math.round((slaCompliant / patched.length) * 100) : 100;\n\n// MTTD / MTTR (from detectedAt vs closedAt)\nconst closedThisWeek = patched.filter(v => v.closedAt);\nconst avgMttrHours = closedThisWeek.length > 0\n ? Math.round(closedThisWeek.reduce((sum, v) => {\n const detected = new Date(v.detectedAt);\n const closed = new Date(v.closedAt);\n return sum + (closed - detected) / (1000 * 60 * 60);\n }, 0) / closedThisWeek.length)\n : 0;\n\n// Top hosts\nconst hostCounts = {};\nweekVulns.forEach(v => { hostCounts[v.hostName] = (hostCounts[v.hostName] || 0) + 1; });\nconst topHosts = Object.entries(hostCounts).sort((a, b) => b[1] - a[1]).slice(0, 5);\n\nconst weekLabel = `${oneWeekAgo.toDateString()} \u2013 ${now.toDateString()}`;\n\nreturn [{\n json: {\n reportPeriod: weekLabel,\n generatedAt: now.toISOString(),\n stats: {\n total, critical: critical.length, high: high.length, medium: medium.length, low: low.length,\n patched: patched.length, open: open.length, overdue: overdue.length,\n withExploit: withExploit.length, kevConfirmed: kevConfirmed.length,\n slaComplianceRate, avgMttrHours\n },\n topVulnerableHosts: topHosts,\n topCritical: critical.slice(0, 5).map(v => ({ cveId: v.cveId, host: v.hostName, score: v.cvssScore, action: v.recommendedAction })),\n overdueVulns: overdue.slice(0, 10).map(v => ({ cveId: v.cveId, host: v.hostName, severity: v.severity, dueDate: v.dueDate }))\n }\n}];"
},
"typeVersion": 2
},
{
"id": "4f17f494-494f-42cb-894f-07c2a6f4f3e2",
"name": "Send CISO Weekly Executive Report",
"type": "n8n-nodes-base.emailSend",
"position": [
1520,
80
],
"parameters": {
"options": {},
"subject": "=[Weekly Vuln Report] {{ $json.stats.critical }} Critical \u00b7 {{ $json.stats.high }} High \u00b7 SLA {{ $json.stats.slaComplianceRate }}% Compliant \u2014 {{ $json.reportPeriod }}",
"toEmail": "=",
"fromEmail": "="
},
"credentials": {
"smtp": {
"name": "<your credential>"
}
},
"typeVersion": 2.1,
"continueOnFail": true
},
{
"id": "54755d53-0ca8-4a9e-92cb-e413edc4fda2",
"name": "Write SOC2 Audit Log",
"type": "n8n-nodes-base.googleSheets",
"position": [
3440,
832
],
"parameters": {
"columns": {
"value": {},
"schema": [],
"mappingMode": "autoMapInputData",
"matchingColumns": [],
"attemptToConvertTypes": false,
"convertFieldsToString": false
},
"options": {},
"operation": "append",
"sheetName": {
"__rl": true,
"mode": "id",
"value": "="
},
"documentId": {
"__rl": true,
"mode": "id",
"value": "="
},
"authentication": "serviceAccount"
},
"credentials": {
"googleApi": {
"name": "<your credential>"
}
},
"typeVersion": 4.5,
"continueOnFail": true
},
{
"id": "608c6615-a2db-4822-b083-6b5f75b830dc",
"name": "Respond to Emergency Scan Webhook",
"type": "n8n-nodes-base.respondToWebhook",
"position": [
3440,
1024
],
"parameters": {
"options": {
"responseHeaders": {
"entries": [
{
"name": "Content-Type",
"value": "application/json"
},
{
"name": "X-Vuln-Session-ID",
"value": "={{ $json.scanSession.scanSessionId }}"
}
]
}
},
"respondWith": "json",
"responseBody": "={\n \"scanSessionId\": \"{{ $json.scanSession.scanSessionId }}\",\n \"status\": \"SCAN_INITIATED\",\n \"vulnId\": \"{{ $json.vuln.vulnId }}\",\n \"severity\": \"{{ $json.vuln.severity }}\",\n \"priorityTier\": \"{{ $json.riskAssessment.priorityTier }}\",\n \"dueDate\": \"{{ $json.dueDate.substring(0, 10) }}\",\n \"message\": \"Vulnerability processed and tickets created.\"\n}"
},
"typeVersion": 1
},
{
"id": "e3858686-5145-477b-bb83-761d3e1cb2ef",
"name": "Sticky Note5",
"type": "n8n-nodes-base.stickyNote",
"position": [
832,
-144
],
"parameters": {
"color": 4,
"width": 924,
"height": 412,
"content": "## 5. Weekly Executive Report"
},
"typeVersion": 1
}
],
"active": false,
"settings": {
"executionOrder": "v1"
},
"versionId": "af915885-236d-405e-9622-9326f1178199",
"connections": {
"GPT-4o Model": {
"ai_languageModel": [
[
{
"node": "GPT-4 AI Risk Prioritization",
"type": "ai_languageModel",
"index": 0
}
]
]
},
"Build Scan Context": {
"main": [
[
{
"node": "Fetch Nessus Scan Results",
"type": "main",
"index": 0
},
{
"node": "Fetch Qualys Scan Results",
"type": "main",
"index": 0
},
{
"node": "Fetch Custom Scanner Results",
"type": "main",
"index": 0
}
]
]
},
"Merge Scan Triggers": {
"main": [
[
{
"node": "Build Scan Context",
"type": "main",
"index": 0
}
]
]
},
"Merge Post-Routing Paths": {
"main": [
[
{
"node": "Store to Vulnerability Registry",
"type": "main",
"index": 0
},
{
"node": "Check Patch Status in Registry",
"type": "main",
"index": 0
},
{
"node": "Email High Severity Digest",
"type": "main",
"index": 0
}
]
]
},
"Fetch Nessus Scan Results": {
"main": [
[
{
"node": "Normalize and Deduplicate Findings",
"type": "main",
"index": 0
}
]
]
},
"Fetch Qualys Scan Results": {
"main": [
[
{
"node": "Normalize and Deduplicate Findings",
"type": "main",
"index": 0
}
]
]
},
"Email High Severity Digest": {
"main": [
[
{
"node": "Write SOC2 Audit Log",
"type": "main",
"index": 0
}
]
]
},
"Parse GPT-4 Risk Assessment": {
"main": [
[
{
"node": "Severity Gate \u2014 Critical/High vs Medium/Low",
"type": "main",
"index": 0
}
]
]
},
"Daily Scan Schedule \u2014 6 AM": {
"main": [
[
{
"node": "Merge Scan Triggers",
"type": "main",
"index": 0
}
]
]
},
"Fetch Custom Scanner Results": {
"main": [
[
{
"node": "Normalize and Deduplicate Findings",
"type": "main",
"index": 0
}
]
]
},
"GPT-4 AI Risk Prioritization": {
"main": [
[
{
"node": "Parse GPT-4 Risk Assessment",
"type": "main",
"index": 0
}
]
]
},
"Build Weekly Executive Report": {
"main": [
[
{
"node": "Send CISO Weekly Executive Report",
"type": "main",
"index": 0
}
]
]
},
"Check Patch Status in Registry": {
"main": [
[
{
"node": "Write SOC2 Audit Log",
"type": "main",
"index": 0
}
]
]
},
"Store to Vulnerability Registry": {
"main": [
[
{
"node": "Write SOC2 Audit Log",
"type": "main",
"index": 0
},
{
"node": "Respond to Emergency Scan Webhook",
"type": "main",
"index": 0
}
]
]
},
"On-Demand Emergency Scan Webhook": {
"main": [
[
{
"node": "Merge Scan Triggers",
"type": "main",
"index": 1
}
]
]
},
"Create Jira Ticket \u2014 Medium/Low": {
"main": [
[
{
"node": "Merge Post-Routing Paths",
"type": "main",
"index": 1
}
]
]
},
"Fetch Weekly Vuln Data for Report": {
"main": [
[
{
"node": "Build Weekly Executive Report",
"type": "main",
"index": 0
}
]
]
},
"Normalize and Deduplicate Findings": {
"main": [
[
{
"node": "GPT-4 AI Risk Prioritization",
"type": "main",
"index": 0
}
]
]
},
"Create Jira Ticket \u2014 Critical/High": {
"main": [
[
{
"node": "Merge Post-Routing Paths",
"type": "main",
"index": 0
}
]
]
},
"Weekly Report Schedule \u2014 Monday 7 AM": {
"main": [
[
{
"node": "Fetch Weekly Vuln Data for Report",
"type": "main",
"index": 0
}
]
]
},
"Slack Alert \u2014 Critical Vulnerabilities": {
"main": [
[
{
"node": "Merge Post-Routing Paths",
"type": "main",
"index": 0
}
]
]
},
"Severity Gate \u2014 Critical/High vs Medium/Low": {
"main": [
[
{
"node": "Create Jira Ticket \u2014 Critical/High",
"type": "main",
"index": 0
},
{
"node": "Slack Alert \u2014 Critical Vulnerabilities",
"type": "main",
"index": 0
}
],
[
{
"node": "Create Jira Ticket \u2014 Medium/Low",
"type": "main",
"index": 0
}
]
]
}
}
}
Credentials you'll need
Each integration node will prompt for credentials when you import. We strip credential IDs before publishing — you'll add your own.
googleApigoogleSheetsOAuth2ApiopenAiApismtp
Pro
For the full experience including quality scoring and batch install features for each workflow upgrade to Pro
About this workflow
Automates the full vulnerability lifecycle — from scheduled scanning and data aggregation to intelligent prioritization, ticket creation, real-time alerting, weekly reporting, and centralized tracking. Ensures critical vulnerabilities are patched quickly while maintaining…
Source: https://n8n.io/workflows/10594/ — original creator credit. Request a take-down →
Related workflows
Workflows that share integrations, category, or trigger type with this one. All free to copy and import.
Automate the entire YouTube content creation pipeline — from video idea to AI-generated avatar video, upload, metadata generation, and publishing — with zero manual intervention!
Output Parser Structured, HTTP Request, OpenAI Chat +4
This workflow automates comprehensive risk signal detection and regulatory compliance management across financial and claims data sources. Designed for risk management teams, compliance officers, and
HTTP Request, Agent, OpenAI Chat +5
This template is perfect for daily fantasy sports (DFS) enthusiasts, sports analysts, and content creators who want automated, AI-optimized lineups for DraftKings contests. Works for multiple sports i
HTTP Request, OpenAI Chat, Agent +3
K&S-Media Downloadliste SQL. Uses httpRequest, agent, googleSheets, lmChatOpenAi. Event-driven trigger; 97 nodes.
HTTP Request, Agent, Google Sheets +3
This n8n workflow orchestrates a powerful suite of AI Agents and automations to manage and optimize various aspects of an e-commerce operation, particularly for platforms like Shopify. It leverages La
Google Sheets, HTTP Request, Slack +10