Monitor CISA Critical Vulnerability Alerts with RSS Feed & Slack Notifications

By Marth - Business Automation, @marth on n8n.io

This concise workflow efficiently captures, filters, and delivers crucial cybersecurity-related mentions.

Category: Slack & Telegram · Trigger: Event · Nodes: 7 · Complexity: ★★★★☆ · Integrations: RSS Feed Read Trigger, Slack

This workflow corresponds to n8n.io template #6724 — we link there as the canonical source.

The workflow JSON

Copy the full n8n JSON below, paste it into a new n8n workflow, add your credentials, and activate it.

{
  "id": "9AQd9r6sPeEbpy2a",
  "meta": {
    "templateCredsSetupCompleted": true
  },
  "name": "Automated Vulnerability News Digest with RSS Feed",
  "tags": [],
  "nodes": [
    {
      "id": "bf19314a-9ce9-4ecf-9674-4e2d6c75a6ca",
      "name": "CISA KEV List",
      "type": "n8n-nodes-base.rssFeedReadTrigger",
      "position": [
        0,
        0
      ],
      "parameters": {
        "feedUrl": "https://www.cisa.gov/rss/advisories/known-exploited-vulnerabilities.xml",
        "pollTimes": {
          "item": [
            {
              "mode": "everyMinute"
            },
            {
              "hour": 12
            }
          ]
        }
      },
      "typeVersion": 1
    },
    {
      "id": "0d146f40-12ff-41e1-8447-8ffac5ce96dc",
      "name": "Format Vulnerability Alert",
      "type": "n8n-nodes-base.code",
      "position": [
        224,
        0
      ],
      "parameters": {
        "jsCode": "const vulnerabilityTitle = $json.title;\nconst vulnerabilityLink = $json.link;\nconst vulnerabilityDescription = $json.description.replace(/(<([^>]+)>)/ig, '').slice(0, 300) + '...'; // Strip HTML, truncate\n\n// You can add logic here to parse specific details if they are consistently structured in the RSS description.\n// For example, extracting CVE ID if it's always in a specific format.\n\nreturn [{\n    json: {\n        ...$json, // Keep original data if needed\n        alertMessage: `\ud83d\udea8 *New Known Exploited Vulnerability!* \ud83d\udea8\\n\\n*Title:* ${vulnerabilityTitle}\\n*Summary:* ${vulnerabilityDescription}\\n*Learn More:* ${vulnerabilityLink}\\n\\n_Action Required: Review and assess impact._`\n    }\n}];"
      },
      "typeVersion": 2
    },
    {
      "id": "825444b4-b8d1-44e3-a61a-74380919f8a9",
      "name": "Is Critical Vulnerability?",
      "type": "n8n-nodes-base.if",
      "position": [
        448,
        0
      ],
      "parameters": {
        "options": {},
        "conditions": {
          "options": {
            "version": 2,
            "leftValue": "",
            "caseSensitive": true,
            "typeValidation": "strict"
          },
          "combinator": "and",
          "conditions": [
            {
              "id": "54899a2f-daf0-48f2-9705-ea819ae75857",
              "operator": {
                "type": "string",
                "operation": "contains"
              },
              "leftValue": "={{ $json.title.toLowerCase() }}",
              "rightValue": "critical"
            }
          ]
        }
      },
      "typeVersion": 2.2
    },
    {
      "id": "75c8738b-0f46-4cb6-a9a0-c3ffb2a91e0b",
      "name": "Send Critical Alert",
      "type": "n8n-nodes-base.slack",
      "position": [
        672,
        -96
      ],
      "parameters": {
        "text": "={{ $json.alertMessage }}",
        "user": {
          "__rl": true,
          "mode": "id",
          "value": "[YOUR_SECURITY_TEAM_SLACK_CHANNEL_ID]"
        },
        "select": "user",
        "otherOptions": {}
      },
      "credentials": {
        "slackApi": {
          "name": "<your credential>"
        }
      },
      "typeVersion": 2.3
    },
    {
      "id": "47984814-c736-45f2-8b20-03aa252dd853",
      "name": "No Operation, do nothing",
      "type": "n8n-nodes-base.noOp",
      "position": [
        672,
        96
      ],
      "parameters": {},
      "typeVersion": 1
    },
    {
      "id": "64aa387e-1cd2-4004-b691-a9803fcbf312",
      "name": "Sticky Note",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        -48,
        -192
      ],
      "parameters": {
        "color": 3,
        "width": 928,
        "height": 480,
        "content": "# Flow"
      },
      "typeVersion": 1
    },
    {
      "id": "8a13ab3a-b055-40cc-bad2-4875d03aba4b",
      "name": "Sticky Note1",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        -48,
        352
      ],
      "parameters": {
        "color": 5,
        "width": 928,
        "height": 864,
        "content": "# \ud83d\udea8 Automated Vulnerability News Digest \ud83d\udcf0\n\n* **Problem Solved:**\n    Cybersecurity teams are constantly battling new threats. A major challenge is the **manual, time-consuming process of monitoring newly disclosed and actively exploited vulnerabilities** from critical sources like CISA's Known Exploited Vulnerabilities (KEV) catalog. Missing a critical vulnerability alert can have severe consequences for an organization's security posture.\n\n* **Solution Overview:**\n    This n8n workflow offers a **simple, 5-node automation** designed specifically for proactive vulnerability management. It automatically pulls new vulnerability entries from a trusted RSS feed (such as the CISA KEV list) and delivers **instant, summarized alerts directly to your Slack channel**. This ensures your security team receives timely notifications about critical threats without the burden of manual, continuous monitoring. As an AI Agent developer, this is an efficient solution to a common SME cybersecurity pain point!\n\n* **For Whom:**\n    This highly valuable, yet simple, automation is ideal for:\n    * **Cybersecurity Operations (SecOps) Teams:** For immediate awareness of actively exploited vulnerabilities.\n    * **IT Security Managers:** To quickly assess new risks and prioritize patching efforts.\n    * **Incident Response Teams:** To get early warnings about vulnerabilities that might lead to an incident.\n    * **Small & Medium Enterprises (SMEs):** That need a straightforward, cost-effective way to enhance their threat intelligence capabilities.\n\n---\n\n### How It Works: The 5-Node Vulnerability Monitoring Flow\n\nThis concise workflow efficiently captures, filters, and delivers crucial cybersecurity vulnerability alerts.\n\n1.  **Trigger: CISA KEV List (RSS Feed Node):**\n    * **Function:** This is the entry point. It regularly checks a designated RSS feed (pre-configured for CISA's Known Exploited Vulnerabilities catalog) for any new entries.\n    * **Process:** When a new vulnerability is added to the feed, it acts as a trigger, initiating the workflow to process that specific vulnerability's information.\n\n2.  **Format Vulnerability Alert (Code Node):**\n    * **Function:** This node acts as a data processor, taking the raw RSS feed entry and structuring it into a clear, actionable alert message.\n    * **Process:** It extracts key details like the vulnerability's title, a summary from its description (stripping HTML for cleanliness), and the direct link for more information. This data is then formatted into a concise `alertMessage` variable.\n\n3.  **Is Critical Vulnerability? (If Node):**\n    * **Function:** This node provides a quick, conditional check, allowing for basic prioritization of alerts.\n    * **Process:** It evaluates the vulnerability's title (or description) for specific keywords (e.g., \"critical,\" \"zero-day,\" \"remote code execution\"). If the vulnerability contains these keywords, it's flagged as \"critical,\" and the workflow proceeds to send an alert. Otherwise, the workflow ends for that entry (or could be routed to a less urgent notification channel).\n\n4.  **Send Critical Alert (Slack Node):**\n    * **Function:** This is the delivery mechanism, ensuring your security team receives instant and highly visible notifications.\n    * **Process:** The formatted `alertMessage` is immediately sent to your designated **Slack channel** (e.g., `#security-alerts` or `#incident-response`), providing real-time awareness.\n\n5.  **End Workflow (No-Op Node):**\n    * **Function:** This node simply signifies the successful completion of the workflow's execution path for a given vulnerability entry.\n\n---\n\n### How to Set Up\n\nImplementing this essential cybersecurity vulnerability monitor in your n8n instance is quick and straightforward.\n\n1.  **Prepare Your Credentials:**\n    * **Slack API:** Set up your **Slack credential** in n8n. You'll need to obtain the **Channel ID** of the specific Slack channel where you want your security alerts to be posted (e.g., `#security-alerts`).\n\n2.  **Import the Workflow JSON:**\n    * **Import:** In your n8n instance, navigate to the \"Workflows\" section. Click the \"New\" or \"+\" icon, then select \"Import from JSON.\" Paste the provided JSON code into the import dialog and import the workflow.\n\n3.  **Configure the Nodes:**\n    * **Trigger: CISA KEV List (RSS Feed Node):**\n        * The default URL (`https://www.cisa.gov/rss/advisories/known-exploited-vulnerabilities.xml`) is typically correct for CISA KEV.\n        * You can adjust the **Polling Interval** if you want to check for new vulnerabilities more or less frequently.\n    * **Is Critical Vulnerability? (If Node):**\n        * Review the default condition (e.g., `title contains \"critical\"`). You can customize this by adding `OR` conditions for other high-priority keywords (e.g., `\"zero-day\"`, `\"RCE\"`) to precisely define what constitutes a \"critical\" alert for your team.\n    * **Send Critical Alert (Slack Node):**\n        * Select your configured **Slack Credential**.\n        * Replace `[YOUR_SECURITY_TEAM_SLACK_CHANNEL_ID]` with the actual **Channel ID** for your security alert channel.\n\n4.  **Test and Activate:**\n    * **Manual Test:** Click the \"Test Workflow\" button (usually in the top right corner of the n8n editor). This will execute the workflow once, pulling the latest entries from the RSS feed.\n    * **Verify Output:** Check your specified Slack channel. If there are new KEV entries or if recent entries match your \"critical\" criteria, you should see an alert appear.\n    * **Activate:** Once you're satisfied that the workflow is correctly configured and working, toggle the \"Active\" switch (usually in the top right corner of the n8n editor) to `ON`. Your workflow will then automatically monitor the CISA KEV list at your set interval, providing continuous vulnerability awareness.\n\n---"
      },
      "typeVersion": 1
    }
  ],
  "active": false,
  "settings": {
    "executionOrder": "v1"
  },
  "versionId": "3a4bc78e-d50e-49b1-aa84-6932c968dd63",
  "connections": {
    "CISA KEV List": {
      "main": [
        [
          {
            "node": "Format Vulnerability Alert",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Format Vulnerability Alert": {
      "main": [
        [
          {
            "node": "Is Critical Vulnerability?",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Is Critical Vulnerability?": {
      "main": [
        [
          {
            "node": "Send Critical Alert",
            "type": "main",
            "index": 0
          }
        ],
        [
          {
            "node": "No Operation, do nothing",
            "type": "main",
            "index": 0
          }
        ]
      ]
    }
  }
}
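
The "Format Vulnerability Alert" code and the keyword check in "Is Critical Vulnerability?" pass feed text straight into a Slack message. The block below is an added example, not part of the original template: it escapes Slack's control characters, extracts CVE IDs as the code comment in the workflow suggests, and matches the keyword list from the setup notes on whole words. The function names (`escapeSlack`, `summarize`, `extractCves`, `matchedKeywords`, `buildAlert`) and the sample item are assumptions made for illustration.

```javascript
// Added example: hardened variant of the "Format Vulnerability Alert" logic.
// Function names and the sample item are illustrative, not from the template.
const KEYWORDS = ['critical', 'zero-day', 'remote code execution', 'rce'];

// Slack treats &, < and > as control characters in message text; escape feed
// content so an entry cannot inject markup such as <!channel> or links.
function escapeSlack(text) {
  return String(text).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Remove tags, collapse whitespace, and truncate only when actually too long.
function summarize(html, max = 300) {
  const plain = String(html || '').replace(/<[^>]*>/g, ' ').replace(/\s+/g, ' ').trim();
  return plain.length > max ? plain.slice(0, max) + '...' : plain;
}

// Collect unique CVE identifiers, normalised to upper case.
function extractCves(text) {
  const found = String(text || '').toUpperCase().match(/\bCVE-\d{4}-\d{4,}\b/g) || [];
  return [...new Set(found)];
}

// Whole-word keyword match, so "rce" does not fire on "source".
function matchedKeywords(text) {
  const lower = String(text || '').toLowerCase();
  return KEYWORDS.filter((k) => new RegExp(`\\b${k}\\b`).test(lower));
}

function buildAlert(item) {
  const title = String(item.title || '(no title)');
  const summary = summarize(item.description);
  const haystack = `${title} ${summary}`;
  return {
    cves: extractCves(haystack),
    keywords: matchedKeywords(haystack),
    alertMessage:
      `*Title:* ${escapeSlack(title)}\n*Summary:* ${escapeSlack(summary)}\n` +
      `*Learn More:* ${escapeSlack(item.link || '')}`,
  };
}

// Constructed sample item (not real feed data).
const sample = {
  title: 'Example Vendor Product Remote Code Execution Vulnerability <!channel>',
  link: 'https://example.invalid/advisory',
  description: '<p>CVE-2099-0001 allows <b>RCE</b> from any source</p><p>cve-2099-0001</p>',
};
console.log(buildAlert(sample));
```

In the Code node the return value would be `[{ json: { ...$json, ...buildAlert($json) } }]`, and the If node can then test whether `keywords` is non-empty instead of matching the raw title.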

Credentials you'll need

Each integration node will prompt for credentials when you import. We strip credential IDs before publishing — you'll add your own.

Source: https://n8n.io/workflows/6724/ (original creator credit).
