Oneclick AI Squad 
This workflow corresponds to n8n.io template #13692 — we link there as the canonical source.
This workflow follows the Agent → Airtable recipe pattern — see all workflows that pair these two integrations.
The workflow JSON
Copy or download the full n8n JSON below. Paste it into a new n8n workflow, add your credentials, activate. Full import guide →
{
"id": "JPbwQJMuUKgxecyr",
"meta": {
"templateCredsSetupCompleted": true
},
"name": "AI Zero-Day Threat Intelligence Monitor",
"tags": [],
"nodes": [
{
"id": "ef9931f7-9320-43de-9bab-be44eac1aa83",
"name": "Sticky Note",
"type": "n8n-nodes-base.stickyNote",
"position": [
0,
-224
],
"parameters": {
"width": 1000,
"height": 1984,
"content": "## AI Zero-Day Threat Intelligence Monitor\n\nThis workflow continuously monitors CVE databases, threat intelligence feeds, and public security advisories to surface emerging zero-day threats, correlates them against your registered infrastructure assets and software inventory, and uses Claude AI to score exploitability, assess business impact, and generate actionable remediation playbooks \u2014 all before attackers can operationalise the vulnerability.\n\n### How it works\n\n1. **Trigger** \u2014 Hourly schedule or on-demand webhook for immediate threat scans\n2. **Load Asset Inventory** \u2014 Fetches registered infrastructure (IPs, hostnames, software, versions) from Airtable\n3. **Scrape CVE Sources** \u2014 Queries NVD API, CISA KEV, and GitHub Security Advisories in parallel\n4. **Fetch Threat Feeds** \u2014 Pulls OSINT feeds (AlienVault OTX, abuse.ch, Shodan) for active exploitation signals\n5. **Normalise & Deduplicate** \u2014 Merges all findings, deduplicates by CVE ID, enriches with CVSS scores\n6. **Correlate with Assets** \u2014 Matches CVEs to your specific software/version inventory\n7. **AI Threat Assessment** \u2014 Claude AI scores exploitability, blast radius, and urgency per matched threat\n8. **Filter Critical Findings** \u2014 Keeps only threats scoring above configurable risk threshold\n9. **Route by Severity** \u2014 Branches CRITICAL / HIGH / MEDIUM for different response paths\n10. **Alert SOC via Slack** \u2014 Immediate notification with threat summary and patch status\n11. **Create Incident Tickets** \u2014 Auto-opens Jira/ServiceNow issues for CRITICAL and HIGH threats\n12. **Email Security Team** \u2014 Detailed HTML threat brief with CVE details and remediation steps\n13. **Update Threat Register** \u2014 Appends findings to Google Sheets threat intelligence log\n14. **Trigger Patch Workflow** \u2014 Webhooks downstream patch management system for auto-remediation\n15. **Return API Response** \u2014 Structured JSON result for SIEM/SOAR integration\n\n### Setup Steps\n\n1. Import workflow into n8n\n2. Configure credentials:\n - **Anthropic API** \u2014 Claude AI for threat assessment\n - **NVD API Key** \u2014 NIST National Vulnerability Database\n - **CISA KEV** \u2014 Known Exploited Vulnerabilities catalogue (public)\n - **AlienVault OTX API** \u2014 Open Threat Exchange pulses\n - **Shodan API** \u2014 Internet exposure checks\n - **Airtable** \u2014 Asset/software inventory\n - **Google Sheets OAuth** \u2014 Threat intelligence log\n - **Slack OAuth** \u2014 SOC alerts\n - **Jira API** \u2014 Incident ticket creation\n - **SendGrid / SMTP** \u2014 Security team email digests\n3. Register your asset inventory in Airtable (hostnames, IPs, software, versions)\n4. Set your risk score threshold (default: 65) in the filter node\n5. Set your Slack SOC channel IDs\n6. Configure downstream patch webhook URL\n7. Activate the workflow\n\n### Sample Webhook Payload (On-Demand Scan)\n```json\n{\n \"scanType\": \"targeted\",\n \"software\": \"Apache HTTP Server\",\n \"version\": \"2.4.51\",\n \"urgency\": \"high\",\n \"requestedBy\": \"soc-analyst@company.com\"\n}\n```\n\n### Threat Sources Monitored\n- **NVD (NIST)** \u2014 Full CVE database with CVSS v3.1 scores\n- **CISA KEV** \u2014 Actively exploited vulnerabilities catalogue\n- **GitHub Security Advisories** \u2014 Open source dependency vulnerabilities\n- **AlienVault OTX** \u2014 Community threat intelligence pulses\n- **abuse.ch URLhaus** \u2014 Malware distribution and C2 URLs\n- **Shodan** \u2014 Internet-exposed asset enumeration\n- **EPSS** \u2014 Exploit Prediction Scoring System probabilities\n\n### AI Assessment Dimensions\n- **CVSS Score** \u2014 Base, temporal, and environmental scoring\n- **EPSS Probability** \u2014 Likelihood of exploitation in the wild\n- **Asset Exposure** \u2014 Internal vs external facing, attack surface\n- **Patch Availability** \u2014 Vendor patch, workaround, or no fix status\n- **Active Exploitation** \u2014 CISA KEV / OTX confirmation\n- **Business Impact** \u2014 Confidentiality, integrity, availability impact\n- **Blast Radius** \u2014 Number of affected assets and systems\n- **Urgency Score** \u2014 Composite prioritisation score (0\u2013100)\n\n### Features\n- Multi-source CVE aggregation with deduplication\n- Asset correlation against software/version inventory\n- EPSS-weighted AI exploitability scoring\n- Automated CRITICAL/HIGH/MEDIUM severity routing\n- Jira ticket creation with full CVE context\n- Patch management webhook integration\n- Full threat intelligence audit log\n- SIEM/SOAR-ready JSON output\n\n---\n\n**Explore More Automation:** \n[Contact us](https://www.oneclickitsolution.com/contact-us/) to design AI-powered lead nurturing, content engagement, and multi-platform reply workflows tailored to your growth strategy."
},
"typeVersion": 1
},
{
"id": "fd75b7f9-7c5e-4160-93c7-d5a97b9f0a0c",
"name": "Sticky Note1",
"type": "n8n-nodes-base.stickyNote",
"position": [
1056,
640
],
"parameters": {
"color": 4,
"width": 500,
"height": 552,
"content": "## 1. Trigger & Asset Inventory Load\n### Hourly Schedule \u00b7 On-Demand Webhook \u00b7 Airtable Asset Pull"
},
"typeVersion": 1
},
{
"id": "841206c3-7598-47c9-b1e1-15b6c50f5b23",
"name": "Sticky Note2",
"type": "n8n-nodes-base.stickyNote",
"position": [
1584,
384
],
"parameters": {
"color": 4,
"width": 820,
"height": 1068,
"content": "## 2. Multi-Source Threat Intelligence Collection\n### NVD \u00b7 CISA KEV \u00b7 GitHub Advisories \u00b7 AlienVault OTX \u00b7 EPSS \u00b7 Shodan"
},
"typeVersion": 1
},
{
"id": "66a4f898-f60e-4efc-9912-33bbe506c113",
"name": "Sticky Note3",
"type": "n8n-nodes-base.stickyNote",
"position": [
2448,
784
],
"parameters": {
"color": 4,
"width": 796,
"height": 464,
"content": "## 3. Normalisation \u00b7 Asset Correlation \u00b7 Claude AI Threat Scoring"
},
"typeVersion": 1
},
{
"id": "e66d305b-a04d-4e78-8cf4-23cbdf4b409a",
"name": "Sticky Note4",
"type": "n8n-nodes-base.stickyNote",
"position": [
3312,
496
],
"parameters": {
"color": 4,
"width": 1548,
"height": 852,
"content": "## 4. Severity Routing \u00b7 SOC Alerts \u00b7 Jira Tickets \u00b7 Patch Trigger \u00b7 Threat Log"
},
"typeVersion": 1
},
{
"id": "839596de-1cc8-45b8-94ea-a561f053db46",
"name": "On-Demand Scan Webhook",
"type": "n8n-nodes-base.webhook",
"position": [
1184,
832
],
"parameters": {
"path": "scan-threats",
"options": {
"allowedOrigins": "*"
},
"httpMethod": "POST",
"responseMode": "responseNode"
},
"typeVersion": 2
},
{
"id": "2130e835-8065-422a-83e7-3d4bb76f9da5",
"name": "Hourly Threat Scan Schedule",
"type": "n8n-nodes-base.scheduleTrigger",
"position": [
1184,
1024
],
"parameters": {
"rule": {
"interval": [
{
"field": "cronExpression",
"expression": "0 * * * *"
}
]
}
},
"typeVersion": 1.2
},
{
"id": "72d60fee-69c2-4697-86c2-fd0024aba31e",
"name": "Load Asset & Software Inventory",
"type": "n8n-nodes-base.airtable",
"position": [
1408,
928
],
"parameters": {
"base": {
"__rl": true,
"mode": "id",
"value": "="
},
"table": {
"__rl": true,
"mode": "id",
"value": "="
},
"options": {},
"operation": "search",
"filterByFormula": "AND({Status} = 'Active', {Monitor} = TRUE())"
},
"credentials": {
"airtableTokenApi": {
"name": "<your credential>"
}
},
"typeVersion": 2.1,
"continueOnFail": true
},
{
"id": "e54cb6da-9dec-4332-bf4b-9a49564e9e12",
"name": "Build Scan Context & Search Terms",
"type": "n8n-nodes-base.code",
"position": [
1632,
928
],
"parameters": {
"jsCode": "const allItems = $input.all();\nconst webhookBody = allItems[0]?.json?.body || allItems[0]?.json || {};\nconst isWebhook = !!(webhookBody.scanType || webhookBody.software);\n\n// Build asset inventory from Airtable\nconst assets = allItems\n .filter(i => i.json.fields?.['Asset ID'])\n .map(i => {\n const f = i.json.fields;\n return {\n assetId: f['Asset ID'],\n hostname: f['Hostname'] || '',\n ipAddress: f['IP Address'] || '',\n assetType: f['Asset Type'] || 'Server',\n os: f['Operating System'] || '',\n osVersion: f['OS Version'] || '',\n software: (f['Software'] || '').split(',').map(s => s.trim()).filter(Boolean),\n softwareVersion: (f['Software Version'] || '').split(',').map(s => s.trim()).filter(Boolean),\n vendor: f['Vendor'] || '',\n environment: f['Environment'] || 'Production',\n internetFacing: f['Internet Facing'] === true || f['Internet Facing'] === 'Yes',\n criticality: f['Criticality'] || 'MEDIUM',\n owner: f['Owner'] || '',\n lastPatched: f['Last Patched'] || null\n };\n });\n\n// Demo assets if none loaded\nconst demoAssets = assets.length > 0 ? assets : [\n { assetId: 'ASSET-001', hostname: 'web-prod-01', ipAddress: '203.0.113.10', assetType: 'Web Server', os: 'Ubuntu', osVersion: '22.04', software: ['Apache HTTP Server', 'OpenSSL', 'PHP'], softwareVersion: ['2.4.54', '3.0.2', '8.1.12'], vendor: 'Apache Software Foundation', environment: 'Production', internetFacing: true, criticality: 'CRITICAL', owner: 'user@example.com', lastPatched: '2024-11-01' },\n { assetId: 'ASSET-002', hostname: 'db-prod-01', ipAddress: '10.0.1.5', assetType: 'Database Server', os: 'CentOS', osVersion: '7.9', software: ['MySQL', 'OpenSSH'], softwareVersion: ['8.0.31', '7.4p1'], vendor: 'Oracle', environment: 'Production', internetFacing: false, criticality: 'CRITICAL', owner: 'user@example.com', lastPatched: '2024-10-15' },\n { assetId: 'ASSET-003', hostname: 'k8s-master-01', ipAddress: '10.0.2.1', assetType: 'Container Orchestrator', os: 'Ubuntu', osVersion: '20.04', software: ['Kubernetes', 'Docker', 'containerd'], softwareVersion: ['1.26.0', '24.0.5', '1.6.20'], vendor: 'CNCF', environment: 'Production', internetFacing: false, criticality: 'HIGH', owner: 'user@example.com', lastPatched: '2024-09-20' },\n { assetId: 'ASSET-004', hostname: 'vpn-gateway-01', ipAddress: '203.0.113.20', assetType: 'Network Appliance', os: 'FortiOS', osVersion: '7.2.4', software: ['FortiGate', 'FortiSSL'], softwareVersion: ['7.2.4', '7.2.4'], vendor: 'Fortinet', environment: 'Production', internetFacing: true, criticality: 'CRITICAL', owner: 'user@example.com', lastPatched: '2024-08-30' }\n];\n\nconst finalAssets = demoAssets;\n\n// Build search terms from asset inventory\nconst searchTerms = [];\nfor (const asset of finalAssets) {\n searchTerms.push(asset.os + ' ' + asset.osVersion);\n for (let i = 0; i < asset.software.length; i++) {\n searchTerms.push(asset.software[i]);\n if (asset.softwareVersion[i]) searchTerms.push(asset.software[i] + ' ' + asset.softwareVersion[i]);\n }\n}\nconst uniqueTerms = [...new Set(searchTerms.filter(Boolean))];\n\n// Also include webhook-specified software if provided\nif (isWebhook && webhookBody.software) {\n uniqueTerms.unshift(webhookBody.software + (webhookBody.version ? ' ' + webhookBody.version : ''));\n}\n\nconst scanRunId = `SCAN-${Date.now()}-${Math.random().toString(36).substr(2,5).toUpperCase()}`;\n\nreturn [{\n json: {\n assets: finalAssets,\n searchTerms: uniqueTerms.slice(0, 20),\n scanRunId,\n scanType: isWebhook ? (webhookBody.scanType || 'targeted') : 'scheduled',\n requestedBy: webhookBody.requestedBy || 'system',\n scanStartedAt: new Date().toISOString()\n }\n}];"
},
"typeVersion": 2
},
{
"id": "2106a468-24a6-46dc-adfe-ef9afce7bcc3",
"name": "Query NVD CVE Database",
"type": "n8n-nodes-base.httpRequest",
"position": [
1856,
512
],
"parameters": {
"url": "https://services.nvd.nist.gov/rest/json/cves/2.0",
"options": {
"timeout": 20000
},
"sendQuery": true,
"sendHeaders": true,
"queryParameters": {
"parameters": [
{
"name": "keywordSearch",
"value": "={{ $json.searchTerms.slice(0,3).join(' OR ') }}"
},
{
"name": "pubStartDate",
"value": "={{ new Date(Date.now() - 72*60*60*1000).toISOString().split('.')[0] + '+00:00' }}"
},
{
"name": "cvssV3Severity",
"value": "HIGH,CRITICAL"
},
{
"name": "resultsPerPage",
"value": "50"
}
]
},
"headerParameters": {
"parameters": [
{
"name": "apiKey",
"value": "YOUR_NVD_API_KEY"
}
]
}
},
"typeVersion": 4.2,
"continueOnFail": true
},
{
"id": "af006cc1-356d-4673-853e-eac2332ff6ea",
"name": "Fetch CISA Known Exploited Vulns",
"type": "n8n-nodes-base.httpRequest",
"position": [
1856,
704
],
"parameters": {
"url": "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json",
"options": {
"timeout": 15000
}
},
"typeVersion": 4.2,
"continueOnFail": true
},
{
"id": "7862a1df-aef9-4898-ad4e-487910472c8e",
"name": "Query GitHub Security Advisories",
"type": "n8n-nodes-base.httpRequest",
"position": [
1856,
896
],
"parameters": {
"url": "https://api.github.com/advisories",
"options": {
"timeout": 15000
},
"sendQuery": true,
"sendHeaders": true,
"queryParameters": {
"parameters": [
{
"name": "severity",
"value": "critical,high"
},
{
"name": "per_page",
"value": "50"
},
{
"name": "published",
"value": "={{ '>' + new Date(Date.now() - 72*60*60*1000).toISOString().split('T')[0] }}"
}
]
},
"headerParameters": {
"parameters": [
{
"name": "Accept",
"value": "application/vnd.github+json"
},
{
"name": "X-GitHub-Api-Version",
"value": "2022-11-28"
},
{
"name": "Authorization",
"value": "Bearer YOUR_TOKEN_HERE"
}
]
}
},
"typeVersion": 4.2,
"continueOnFail": true
},
{
"id": "bd982345-90b4-49f1-85a3-d98ac21b8239",
"name": "Fetch AlienVault OTX Pulses",
"type": "n8n-nodes-base.httpRequest",
"position": [
1856,
1088
],
"parameters": {
"url": "https://otx.alienvault.com/api/v1/pulses/subscribed",
"options": {
"timeout": 15000
},
"sendQuery": true,
"sendHeaders": true,
"queryParameters": {
"parameters": [
{
"name": "limit",
"value": "25"
},
{
"name": "modified_since",
"value": "={{ new Date(Date.now() - 24*60*60*1000).toISOString() }}"
}
]
},
"headerParameters": {
"parameters": [
{
"name": "X-OTX-API-KEY",
"value": "YOUR_OTX_API_KEY"
}
]
}
},
"typeVersion": 4.2,
"continueOnFail": true
},
{
"id": "3f6e6c47-bf5b-4e3b-95b9-d4f6dc8bf96a",
"name": "Fetch EPSS Exploit Probability Scores",
"type": "n8n-nodes-base.httpRequest",
"position": [
1856,
1280
],
"parameters": {
"url": "https://api.first.org/data/v1/epss",
"options": {
"timeout": 12000
},
"sendQuery": true,
"queryParameters": {
"parameters": [
{
"name": "order",
"value": "!epss"
},
{
"name": "limit",
"value": "100"
},
{
"name": "epss-gt",
"value": "0.5"
}
]
}
},
"typeVersion": 4.2,
"continueOnFail": true
},
{
"id": "766d13c2-b4ff-468a-b835-9cc2e898373c",
"name": "Merge All Threat Feed Results",
"type": "n8n-nodes-base.merge",
"position": [
2080,
896
],
"parameters": {
"mode": "mergeByPosition"
},
"typeVersion": 3
},
{
"id": "ff28594d-6674-47fc-a179-7177ec5529ad",
"name": "Normalise, Deduplicate & Correlate",
"type": "n8n-nodes-base.code",
"position": [
2304,
896
],
"parameters": {
"jsCode": "const items = $input.all();\nconst scanContext = $('Build Scan Context & Search Terms').first().json;\nconst { assets, searchTerms, scanRunId } = scanContext;\n\n// \u2500\u2500 Parse NVD Results \u2500\u2500\nconst nvdRaw = $('Query NVD CVE Database').first()?.json || {};\nconst nvdCVEs = (nvdRaw.vulnerabilities || []).map(v => {\n const cve = v.cve || {};\n const metrics = cve.metrics?.cvssMetricV31?.[0] || cve.metrics?.cvssMetricV30?.[0] || {};\n const cvssData = metrics.cvssData || {};\n return {\n cveId: cve.id || '',\n source: 'NVD',\n description: cve.descriptions?.find(d => d.lang === 'en')?.value || '',\n cvssScore: cvssData.baseScore || 0,\n cvssVector: cvssData.vectorString || '',\n severity: cvssData.baseSeverity || metrics.baseSeverity || 'UNKNOWN',\n publishedDate: cve.published || '',\n lastModified: cve.lastModified || '',\n affectedProducts: (cve.configurations || []).flatMap(c =>\n c.nodes?.flatMap(n => n.cpeMatch?.map(m => m.criteria) || []) || []\n ).slice(0, 10),\n references: (cve.references || []).map(r => r.url).slice(0, 3),\n patchAvailable: (cve.references || []).some(r => r.tags?.includes('Patch') || r.tags?.includes('Vendor Advisory')),\n cisaKev: false,\n epssScore: null\n };\n});\n\n// \u2500\u2500 Parse CISA KEV \u2500\u2500\nconst cisaRaw = $('Fetch CISA Known Exploited Vulns').first()?.json || {};\nconst kevSet = new Set();\nconst kevDetails = {};\nfor (const v of (cisaRaw.vulnerabilities || [])) {\n kevSet.add(v.cveID);\n kevDetails[v.cveID] = {\n vendorProject: v.vendorProject,\n product: v.product,\n vulnerabilityName: v.vulnerabilityName,\n dateAdded: v.dateAdded,\n requiredAction: v.requiredAction,\n dueDate: v.dueDate\n };\n}\n\n// \u2500\u2500 Parse GitHub Advisories \u2500\u2500\nconst ghRaw = $('Query GitHub Security Advisories').first()?.json || [];\nconst ghCVEs = (Array.isArray(ghRaw) ? ghRaw : []).map(a => ({\n cveId: a.cve_id || a.ghsa_id || '',\n source: 'GitHub',\n description: a.summary || a.description || '',\n cvssScore: a.cvss?.score || 0,\n cvssVector: a.cvss?.vector_string || '',\n severity: (a.severity || 'UNKNOWN').toUpperCase(),\n publishedDate: a.published_at || '',\n lastModified: a.updated_at || '',\n affectedProducts: (a.vulnerabilities || []).map(v => `${v.package?.ecosystem}:${v.package?.name}@${v.vulnerable_version_range}`).slice(0, 5),\n references: [a.html_url || ''].filter(Boolean),\n patchAvailable: !!(a.vulnerabilities?.[0]?.patched_versions),\n cisaKev: false,\n epssScore: null\n}));\n\n// \u2500\u2500 Parse EPSS Scores \u2500\u2500\nconst epssRaw = $('Fetch EPSS Exploit Probability Scores').first()?.json || {};\nconst epssMap = {};\nfor (const e of (epssRaw.data || [])) {\n epssMap[e.cve] = parseFloat(e.epss);\n}\n\n// \u2500\u2500 Parse OTX Pulses for CVE mentions \u2500\u2500\nconst otxRaw = $('Fetch AlienVault OTX Pulses').first()?.json || {};\nconst otxCveIds = new Set();\nfor (const pulse of (otxRaw.results || [])) {\n for (const tag of (pulse.tags || [])) {\n if (/CVE-\\d{4}-\\d{4,}/i.test(tag)) otxCveIds.add(tag.toUpperCase());\n }\n const cveRefs = (pulse.references || []).filter(r => /CVE-\\d{4}-\\d{4,}/i.test(r));\n for (const r of cveRefs) {\n const m = r.match(/CVE-\\d{4}-\\d{4,}/i);\n if (m) otxCveIds.add(m[0].toUpperCase());\n }\n}\n\n// \u2500\u2500 Merge & Deduplicate \u2500\u2500\nconst allCVEs = [...nvdCVEs, ...ghCVEs];\nconst cveMap = {};\nfor (const cve of allCVEs) {\n if (!cve.cveId) continue;\n const id = cve.cveId.toUpperCase();\n if (!cveMap[id] || (cve.cvssScore > (cveMap[id].cvssScore || 0))) {\n cveMap[id] = {\n ...cve,\n cveId: id,\n cisaKev: kevSet.has(id),\n kevDetails: kevDetails[id] || null,\n epssScore: epssMap[id] || null,\n activelyExploited: kevSet.has(id) || otxCveIds.has(id),\n otxMentioned: otxCveIds.has(id)\n };\n }\n}\n\n// Add high-EPSS CVEs not yet in map\nfor (const [cveId, epss] of Object.entries(epssMap)) {\n if (!cveMap[cveId] && epss > 0.7) {\n cveMap[cveId] = {\n cveId, source: 'EPSS', description: 'High exploit probability \u2014 check NVD for details',\n cvssScore: 0, severity: 'UNKNOWN', publishedDate: '', affectedProducts: [],\n references: [`https://nvd.nist.gov/vuln/detail/${cveId}`],\n patchAvailable: false, cisaKev: kevSet.has(cveId),\n kevDetails: kevDetails[cveId] || null,\n epssScore: epss, activelyExploited: kevSet.has(cveId) || otxCveIds.has(cveId), otxMentioned: otxCveIds.has(cveId)\n };\n }\n}\n\n// \u2500\u2500 Asset Correlation \u2500\u2500\nconst softwareKeywords = assets.flatMap(a => [\n ...a.software.map(s => s.toLowerCase()),\n a.os.toLowerCase(),\n a.vendor.toLowerCase()\n].filter(Boolean));\n\nconst correlatedThreats = [];\nfor (const cve of Object.values(cveMap)) {\n // Match CVE to assets\n const matchedAssets = [];\n const descLower = cve.description.toLowerCase();\n const productsLower = cve.affectedProducts.map(p => p.toLowerCase()).join(' ');\n const searchText = descLower + ' ' + productsLower;\n\n for (const asset of assets) {\n let matched = false;\n for (const sw of asset.software) {\n if (searchText.includes(sw.toLowerCase()) || sw.toLowerCase().split(' ').some(w => w.length > 3 && searchText.includes(w))) {\n matched = true;\n break;\n }\n }\n if (!matched && (searchText.includes(asset.os.toLowerCase()) || searchText.includes(asset.vendor.toLowerCase()))) matched = true;\n if (matched) matchedAssets.push({ assetId: asset.assetId, hostname: asset.hostname, criticality: asset.criticality, internetFacing: asset.internetFacing, environment: asset.environment });\n }\n\n // Only include CVEs that match assets OR are CISA KEV / EPSS > 0.8\n if (matchedAssets.length > 0 || cve.cisaKev || (cve.epssScore || 0) > 0.8) {\n correlatedThreats.push({ ...cve, matchedAssets, assetMatchCount: matchedAssets.length });\n }\n}\n\n// Sort by severity composite\nconst sev = (c) => {\n let score = c.cvssScore * 8;\n if (c.cisaKev) score += 25;\n if (c.activelyExploited) score += 20;\n if ((c.epssScore || 0) > 0.7) score += 15;\n if (c.assetMatchCount > 0) score += 10;\n return score;\n};\ncorrelatedThreats.sort((a, b) => sev(b) - sev(a));\n\n// Demo threats if nothing found\nconst demoThreats = correlatedThreats.length > 0 ? correlatedThreats : [\n { cveId: 'CVE-2024-38856', source: 'NVD', description: 'Apache OFBiz before 18.12.15 is vulnerable to pre-authentication remote code execution via the ViewHandlerExt endpoint, allowing unauthenticated attackers to execute arbitrary code.', cvssScore: 9.8, cvssVector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H', severity: 'CRITICAL', publishedDate: '2024-08-05', affectedProducts: ['cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*'], references: ['https://nvd.nist.gov/vuln/detail/CVE-2024-38856'], patchAvailable: true, cisaKev: true, kevDetails: { product: 'Apache OFBiz', requiredAction: 'Apply mitigations per vendor instructions', dueDate: '2024-08-28' }, epssScore: 0.94, activelyExploited: true, otxMentioned: true, matchedAssets: [{ assetId: 'ASSET-001', hostname: 'web-prod-01', criticality: 'CRITICAL', internetFacing: true, environment: 'Production' }], assetMatchCount: 1 },\n { cveId: 'CVE-2024-21762', source: 'NVD', description: 'Fortinet FortiOS out-of-bounds write vulnerability in sslvpnd allows a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted HTTP requests.', cvssScore: 9.6, cvssVector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H', severity: 'CRITICAL', publishedDate: '2024-02-09', affectedProducts: ['cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*'], references: ['https://nvd.nist.gov/vuln/detail/CVE-2024-21762'], patchAvailable: true, cisaKev: true, kevDetails: { product: 'Fortinet FortiOS', requiredAction: 'Apply mitigations per vendor instructions or disable SSL VPN', dueDate: '2024-02-16' }, epssScore: 0.97, activelyExploited: true, otxMentioned: true, matchedAssets: [{ assetId: 'ASSET-004', hostname: 'vpn-gateway-01', criticality: 'CRITICAL', internetFacing: true, environment: 'Production' }], assetMatchCount: 1 },\n { cveId: 'CVE-2024-6387', source: 'NVD', description: 'OpenSSH regreSSHion: A signal handler race condition in sshd(8) on glibc-based Linux systems allows unauthenticated remote code execution as root. Regression of CVE-2006-5051.', cvssScore: 8.1, cvssVector: 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H', severity: 'HIGH', publishedDate: '2024-07-01', affectedProducts: ['cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*'], references: ['https://nvd.nist.gov/vuln/detail/CVE-2024-6387'], patchAvailable: true, cisaKev: false, kevDetails: null, epssScore: 0.88, activelyExploited: true, otxMentioned: false, matchedAssets: [{ assetId: 'ASSET-002', hostname: 'db-prod-01', criticality: 'CRITICAL', internetFacing: false, environment: 'Production' }], assetMatchCount: 1 }\n];\n\nreturn [{\n json: {\n scanRunId,\n assets,\n scanContext,\n threats: demoThreats,\n stats: {\n totalCVEsFound: Object.keys(cveMap).length || demoThreats.length,\n correlatedToAssets: demoThreats.filter(t => t.assetMatchCount > 0).length,\n cisaKevCount: demoThreats.filter(t => t.cisaKev).length,\n activelyExploited: demoThreats.filter(t => t.activelyExploited).length,\n highEPSS: demoThreats.filter(t => (t.epssScore || 0) > 0.7).length\n },\n normalisedAt: new Date().toISOString()\n }\n}];"
},
"typeVersion": 2
},
{
"id": "85a02970-fc2e-4c5e-933f-87790de20267",
"name": "AI Threat Assessment & Prioritisation",
"type": "@n8n/n8n-nodes-langchain.agent",
"position": [
2528,
896
],
"parameters": {
"text": "=You are a Principal Threat Intelligence Analyst and Vulnerability Researcher (OSCP, CEH, GREM certified). Conduct a comprehensive threat assessment for the following correlated vulnerabilities against the organisation's asset inventory. Prioritise ruthlessly \u2014 SOC teams need to act, not analyse.\n\n**Scan Run:** {{ $json.scanRunId }}\n**Scan Time:** {{ $json.normalisedAt }}\n\n**Organisation Asset Inventory ({{ $json.assets.length }} assets):**\n{{ JSON.stringify($json.assets.map(a => ({ id: a.assetId, host: a.hostname, env: a.environment, facing: a.internetFacing ? 'Internet-facing' : 'Internal', criticality: a.criticality, software: a.software, versions: a.softwareVersion, lastPatched: a.lastPatched })), null, 2) }}\n\n**Correlated Threats ({{ $json.threats.length }} CVEs matched to assets):**\n{{ JSON.stringify($json.threats, null, 2) }}\n\n**Feed Statistics:**\n- Total CVEs Evaluated: {{ $json.stats.totalCVEsFound }}\n- Correlated to Your Assets: {{ $json.stats.correlatedToAssets }}\n- On CISA KEV (Actively Exploited): {{ $json.stats.cisaKevCount }}\n- Confirmed Active Exploitation: {{ $json.stats.activelyExploited }}\n- High EPSS Score (>70%): {{ $json.stats.highEPSS }}\n\n---\n\n**Assessment Requirements:**\n\nFor EACH threat, evaluate:\n1. **Exploitability** \u2014 How easily can this be weaponised? Public PoC available? Metasploit module? Automated scanning?\n2. **Asset Exposure** \u2014 Are affected assets internet-facing? What's the privilege level of compromise?\n3. **Business Impact** \u2014 What data/systems are at risk? RCE vs privilege escalation vs DoS?\n4. **Urgency** \u2014 CISA KEV + EPSS > 0.7 + internet-facing asset = drop everything right now\n5. **Patch Status** \u2014 Is a patch available? Is there a workaround? Any vendor advisory?\n6. **Blast Radius** \u2014 If exploited, what lateral movement paths exist? What can an attacker reach next?\n\n**Urgency Score Formula:**\n- Base: CVSS \u00d7 8 (max 80)\n- +25 if CISA KEV listed\n- +20 if active exploitation confirmed\n- +15 if EPSS > 0.7\n- +15 if internet-facing critical asset\n- +10 if no patch available\n- Cap at 100\n\n**Severity Thresholds:**\n- CRITICAL (80\u2013100): Weaponised, CISA KEV, RCE on internet-facing \u2014 patch or isolate in 24 hours\n- HIGH (60\u201379): High CVSS + active exploitation signals \u2014 patch within 72 hours\n- MEDIUM (40\u201359): Elevated CVSS, not yet weaponised \u2014 patch in scheduled maintenance\n- LOW (0\u201339): Theoretical, no public exploit \u2014 monitor\n\n**Response Format (JSON only, no markdown):**\n{\n \"scanRunId\": \"{{ $json.scanRunId }}\",\n \"assessmentTimestamp\": \"ISO timestamp\",\n \"overallThreatLevel\": \"CRITICAL | HIGH | MEDIUM | LOW\",\n \"executiveSummary\": \"3-sentence plain-English summary for CISO\",\n \"totalThreatsAssessed\": 3,\n \"immediateActionRequired\": true,\n \"threatAssessments\": [\n {\n \"cveId\": \"CVE-XXXX-XXXXX\",\n \"threatName\": \"descriptive threat name\",\n \"severity\": \"CRITICAL | HIGH | MEDIUM | LOW\",\n \"urgencyScore\": 95,\n \"cvssScore\": 9.8,\n \"epssScore\": 0.94,\n \"isActivelyExploited\": true,\n \"isCisaKev\": true,\n \"affectedAssets\": [\"hostname1\", \"hostname2\"],\n \"internetFacingAssets\": [\"hostname1\"],\n \"attackVector\": \"Network | Adjacent | Local | Physical\",\n \"attackComplexity\": \"Low | High\",\n \"privilegesRequired\": \"None | Low | High\",\n \"impactType\": \"RCE | Privilege Escalation | Data Exfiltration | DoS | Information Disclosure\",\n \"exploitMaturity\": \"Weaponised | PoC Available | Theoretical | No Known Exploit\",\n \"patchAvailable\": true,\n \"patchURL\": \"https://...\",\n \"workaround\": \"description or null\",\n \"blastRadius\": \"brief description of lateral movement risk\",\n \"immediateActions\": [\"ordered action list\"],\n \"remediationSteps\": [\"technical remediation steps\"],\n \"detectionRules\": [\"SIEM/IDS detection suggestions\"],\n \"mitreTechniques\": [\"T1190\", \"T1068\"],\n \"threatSummary\": \"2-sentence threat summary\"\n }\n ],\n \"topPriorityThreats\": [\"CVE-XXXX-XXXXX\"],\n \"globalRemediationPriority\": [\"ordered list of org-wide actions to take right now\"],\n \"threatLandscapeSummary\": \"paragraph on current threat landscape context\"\n}",
"options": {
"systemMessage": "You are a threat intelligence expert. Return JSON only \u2014 no markdown, no code blocks, no preamble. Sort threatAssessments by urgencyScore descending. Be specific about attack paths and remediation. Every CRITICAL threat must have an immediateActions list that an engineer can execute within the hour. Do not inflate scores \u2014 accuracy saves lives."
},
"promptType": "define"
},
"typeVersion": 1.6
},
{
"id": "35456c82-8d41-4c7b-ba19-f5910050244a",
"name": "Claude AI Model",
"type": "@n8n/n8n-nodes-langchain.lmChatAnthropic",
"position": [
2608,
1120
],
"parameters": {
"model": "=claude-sonnet-4-20250514",
"options": {
"temperature": 0.1
}
},
"credentials": {
"anthropicApi": {
"name": "<your credential>"
}
},
"typeVersion": 1
},
{
"id": "49643df7-751c-4782-a2fc-affa54fef006",
"name": "Parse & Validate AI Assessment",
"type": "n8n-nodes-base.code",
"position": [
2880,
896
],
"parameters": {
"mode": "runOnceForEachItem",
"jsCode": "const aiResp = $input.item.json;\nlet aiText = aiResp.response || aiResp.output || aiResp.text || '';\nif (aiResp.content && Array.isArray(aiResp.content)) aiText = aiResp.content[0]?.text || '';\n\nconst clean = aiText.replace(/```json\\s*/g,'').replace(/```\\s*/g,'').trim();\nlet assessment;\ntry {\n assessment = JSON.parse(clean);\n} catch(e) {\n const m = clean.match(/\\{[\\s\\S]*\\}/);\n try { assessment = m ? JSON.parse(m[0]) : null; } catch(e2) { assessment = null; }\n if (!assessment) {\n assessment = {\n overallThreatLevel: 'HIGH',\n executiveSummary: 'Threat assessment processing error \u2014 manual review required.',\n threatAssessments: [], immediateActionRequired: true,\n topPriorityThreats: [], globalRemediationPriority: ['Review raw CVE data manually'],\n threatLandscapeSummary: 'Unable to complete automated assessment.'\n };\n }\n}\n\nconst upstream = $('Normalise, Deduplicate & Correlate').first().json;\n\n// Sort by urgency score\nconst sorted = (assessment.threatAssessments || []).sort((a,b) => (b.urgencyScore||0) - (a.urgencyScore||0));\n\nconst criticalCount = sorted.filter(t => t.severity === 'CRITICAL').length;\nconst highCount = sorted.filter(t => t.severity === 'HIGH').length;\nconst activelyExploitedCount = sorted.filter(t => t.isActivelyExploited).length;\nconst kevCount = sorted.filter(t => t.isCisaKev).length;\nconst patchAvailableCount = sorted.filter(t => t.patchAvailable).length;\n\nreturn {\n json: {\n scanRunId: upstream.scanRunId,\n scanContext: upstream.scanContext,\n assets: upstream.assets,\n rawThreats: upstream.threats,\n assessment: { ...assessment, threatAssessments: sorted },\n summary: {\n overallThreatLevel: assessment.overallThreatLevel,\n totalAssessed: sorted.length,\n criticalCount, highCount,\n mediumCount: sorted.filter(t => t.severity === 'MEDIUM').length,\n lowCount: sorted.filter(t => t.severity === 'LOW').length,\n activelyExploitedCount, kevCount, patchAvailableCount,\n immediateActionRequired: assessment.immediateActionRequired\n },\n criticalAndHighThreats: sorted.filter(t => ['CRITICAL','HIGH'].includes(t.severity)),\n assessedAt: new Date().toISOString()\n }\n};"
},
"typeVersion": 2
},
{
"id": "92a36ab2-f6d3-4d46-bde6-da8905df2358",
"name": "Filter Above Risk Threshold",
"type": "n8n-nodes-base.filter",
"position": [
3104,
896
],
"parameters": {
"options": {},
"conditions": {
"options": {
"leftValue": "",
"caseSensitive": false,
"typeValidation": "strict"
},
"combinator": "or",
"conditions": [
{
"operator": {
"type": "number",
"operation": "gte"
},
"leftValue": "={{ $json.summary.criticalCount }}",
"rightValue": 1
},
{
"operator": {
"type": "number",
"operation": "gte"
},
"leftValue": "={{ $json.summary.highCount }}",
"rightValue": 1
},
{
"operator": {
"type": "boolean",
"operation": "true"
},
"leftValue": "={{ $json.summary.immediateActionRequired }}"
}
]
}
},
"typeVersion": 2.2
},
{
"id": "fe90a723-97ca-4cff-9e1b-e7988289af58",
"name": "Route by Overall Threat Level",
"type": "n8n-nodes-base.switch",
"position": [
3536,
864
],
"parameters": {
"mode": "expression",
"output": "={{ $json.summary.overallThreatLevel }}"
},
"typeVersion": 3.1
},
{
"id": "75d81c5f-ef33-4403-ab64-685cfccd6845",
"name": "Alert SOC Team on Slack",
"type": "n8n-nodes-base.httpRequest",
"position": [
3984,
592
],
"parameters": {
"url": "https://slack.com/api/chat.postMessage",
"method": "POST",
"options": {
"timeout": 10000
},
"jsonBody": "={\n \"channel\": \"{{ $json.summary.overallThreatLevel === 'CRITICAL' ? '#soc-critical' : '#soc-alerts' }}\",\n \"text\": \"\ud83d\udd34 Zero-Day Threat Intel \u2014 {{ $json.summary.overallThreatLevel }}: {{ $json.summary.criticalCount }} CRITICAL, {{ $json.summary.highCount }} HIGH\",\n \"blocks\": [\n { \"type\": \"header\", \"text\": { \"type\": \"plain_text\", \"text\": \"{{ $json.summary.overallThreatLevel === 'CRITICAL' ? '\ud83d\udd34' : '\ud83d\udfe1' }} Threat Intel \u2014 {{ $json.scanRunId }}\" } },\n {\n \"type\": \"section\",\n \"fields\": [\n { \"type\": \"mrkdwn\", \"text\": \"*Threat Level:*\\n{{ $json.summary.overallThreatLevel }}\" },\n { \"type\": \"mrkdwn\", \"text\": \"*CVEs Assessed:*\\n{{ $json.summary.totalAssessed }}\" },\n { \"type\": \"mrkdwn\", \"text\": \"*Critical / High:*\\n{{ $json.summary.criticalCount }} / {{ $json.summary.highCount }}\" },\n { \"type\": \"mrkdwn\", \"text\": \"*CISA KEV Matches:*\\n{{ $json.summary.kevCount }}\" },\n { \"type\": \"mrkdwn\", \"text\": \"*Actively Exploited:*\\n{{ $json.summary.activelyExploitedCount }}\" },\n { \"type\": \"mrkdwn\", \"text\": \"*Patches Available:*\\n{{ $json.summary.patchAvailableCount }} / {{ $json.summary.totalAssessed }}\" }\n ]\n },\n { \"type\": \"section\", \"text\": { \"type\": \"mrkdwn\", \"text\": \"*Executive Summary:*\\n{{ $json.assessment.executiveSummary }}\" } },\n { \"type\": \"section\", \"text\": { \"type\": \"mrkdwn\", \"text\": \"*Top Priority CVE:*\\n*{{ $json.criticalAndHighThreats[0]?.cveId }}* \u2014 {{ $json.criticalAndHighThreats[0]?.threatName }}\\nUrgency: {{ $json.criticalAndHighThreats[0]?.urgencyScore }}/100 | CVSS: {{ $json.criticalAndHighThreats[0]?.cvssScore }} | EPSS: {{ ((($json.criticalAndHighThreats[0]?.epssScore||0)*100)).toFixed(0) }}%\" } },\n { \"type\": \"section\", \"text\": { \"type\": \"mrkdwn\", \"text\": \"*Immediate Action #1:*\\n{{ $json.assessment.globalRemediationPriority?.[0] || 'See full report' }}\" } },\n {{ $json.summary.kevCount > 0 ? JSON.stringify({ type: 'section', text: { type: 'mrkdwn', text: '\u26a0\ufe0f *CISA KEV ALERT:* ' + $json.summary.kevCount + ' CVE(s) on the Known Exploited Vulnerabilities catalogue \u2014 federal agencies must patch by due date.' } }) : '{ \"type\": \"divider\" }' }}\n ]\n}",
"sendBody": true,
"sendHeaders": true,
"specifyBody": "json",
"authentication": "predefinedCredentialType",
"nodeCredentialType": "slackApi"
},
"credentials": {
"slackApi": {
"name": "<your credential>"
}
},
"typeVersion": 4.2,
"continueOnFail": true
},
{
"id": "455f0720-c154-4fef-9dcd-9b505bfcbbb9",
"name": "Create Jira Threat Tickets",
"type": "n8n-nodes-base.code",
"position": [
3632,
640
],
"parameters": {
"mode": "runOnceForEachItem",
"jsCode": "// Create one Jira ticket per CRITICAL/HIGH threat\nconst d = $input.item.json;\nconst threats = d.criticalAndHighThreats.slice(0, 5); // top 5\nconst results = [];\n\nfor (const threat of threats) {\n results.push({\n json: {\n jiraPayload: {\n fields: {\n project: { key: 'SEC' },\n issuetype: { name: 'Vulnerability' },\n summary: `[${threat.severity}] ${threat.cveId} \u2014 ${threat.threatName}`,\n priority: { name: threat.severity === 'CRITICAL' ? 'Highest' : 'High' },\n description: {\n type: 'doc', version: 1,\n content: [\n { type: 'paragraph', content: [{ type: 'text', text: `CVE: ${threat.cveId} | CVSS: ${threat.cvssScore} | EPSS: ${((threat.epssScore||0)*100).toFixed(1)}% | Urgency: ${threat.urgencyScore}/100` }] },\n { type: 'paragraph', content: [{ type: 'text', text: `Impact: ${threat.impactType} | Exploit Maturity: ${threat.exploitMaturity}` }] },\n { type: 'paragraph', content: [{ type: 'text', text: `Affected Assets: ${(threat.affectedAssets||[]).join(', ')}` }] },\n { type: 'paragraph', content: [{ type: 'text', text: `CISA KEV: ${threat.isCisaKev} | Actively Exploited: ${threat.isActivelyExploited}` }] },\n { type: 'paragraph', content: [{ type: 'text', text: `Summary: ${threat.threatSummary}` }] },\n { type: 'paragraph', content: [{ type: 'text', text: `Immediate Action: ${(threat.immediateActions||[]).join(' | ')}` }] },\n { type: 'paragraph', content: [{ type: 'text', text: `Patch URL: ${threat.patchURL || 'See vendor advisory'}` }] }\n ]\n },\n labels: ['zero-day', 'vulnerability', threat.severity.toLowerCase(), threat.isCisaKev ? 'cisa-kev' : 'new-threat']\n }\n },\n cveId: threat.cveId,\n severity: threat.severity,\n scanRunId: d.scanRunId\n }\n });\n}\n\nreturn results.length > 0 ? results : [{ json: { skip: true, reason: 'No CRITICAL/HIGH threats for ticketing', scanRunId: d.scanRunId } }];"
},
"typeVersion": 2
},
{
"id": "6bff06bf-4637-4e30-bdd3-3dc2e1a0a63c",
"name": "Submit Jira Issues via API",
"type": "n8n-nodes-base.httpRequest",
"position": [
3984,
784
],
"parameters": {
"url": "https://YOUR_JIRA_DOMAIN.atlassian.net/rest/api/3/issue",
"method": "POST",
"options": {
"timeout": 15000
},
"jsonBody": "={{ JSON.stringify($json.jiraPayload) }}",
"sendBody": true,
"sendHeaders": true,
"specifyBody": "json",
"authentication": "predefinedCredentialType",
"nodeCredentialType": "jiraSoftwareCloudApi"
},
"credentials": {
"jiraSoftwareCloudApi": {
"name": "<your credential>"
}
},
"typeVersion": 4.2,
"continueOnFail": true
},
{
"id": "9255330c-cef9-4ff8-9726-527a0790d288",
"name": "Send Threat Brief to Security Team",
"type": "n8n-nodes-base.emailSend",
"position": [
3760,
1200
],
"parameters": {
"html": "=<html><body style=\"font-family:Arial,sans-serif;max-width:750px;margin:0 auto;padding:0;color:#222;\">\n<div style=\"background:linear-gradient(135deg,#0d0d0d 0%,#1a0a2e 50%,#0d1b2a 100%);padding:30px;\">\n <h1 style=\"color:#ff4d4d;margin:0;font-size:1.5em;letter-spacing:1px;\">\u26a1 THREAT INTELLIGENCE BRIEF</h1>\n <p style=\"color:#888;margin:8px 0 0;font-size:0.9em;\">{{ $json.scanRunId }} • {{ new Date($json.assessedAt).toUTCString() }}</p>\n</div>\n<div style=\"background:white;padding:24px;border:1px solid #e0e0e0;\">\n <div style=\"background:{{ $json.summary.overallThreatLevel === 'CRITICAL' ? '#fff0f0' : '#fff8e1' }};border-left:5px solid {{ $json.summary.overallThreatLevel === 'CRITICAL' ? '#ff4d4d' : '#ffa500' }};border-radius:4px;padding:16px;margin-bottom:20px;\">\n <h2 style=\"margin:0;color:{{ $json.summary.overallThreatLevel === 'CRITICAL' ? '#cc0000' : '#e65c00' }};\">{{ $json.summary.overallThreatLevel }} THREAT LEVEL</h2>\n <p style=\"margin:8px 0 0;color:#555;\">{{ $json.assessment.executiveSummary }}</p>\n </div>\n <table style=\"width:100%;border-collapse:collapse;margin-bottom:20px;font-size:0.9em;\">\n <tr style=\"background:#f5f5f5;\"><td style=\"padding:8px;border:1px solid #ddd;\"><strong>CVEs Assessed</strong></td><td style=\"padding:8px;border:1px solid #ddd;\">{{ $json.summary.totalAssessed }}</td><td style=\"padding:8px;border:1px solid #ddd;\"><strong>CISA KEV</strong></td><td style=\"padding:8px;border:1px solid #ddd;\">{{ $json.summary.kevCount }}</td></tr>\n <tr><td style=\"padding:8px;border:1px solid #ddd;\"><strong>Critical</strong></td><td style=\"padding:8px;border:1px solid #ddd;color:#cc0000;\"><strong>{{ $json.summary.criticalCount }}</strong></td><td style=\"padding:8px;border:1px solid #ddd;\"><strong>Actively Exploited</strong></td><td style=\"padding:8px;border:1px solid #ddd;color:#e65c00;\">{{ $json.summary.activelyExploitedCount }}</td></tr>\n <tr style=\"background:#f5f5f5;\"><td style=\"padding:8px;border:1px solid #ddd;\"><strong>High</strong></td><td style=\"padding:8px;border:1px solid #ddd;\">{{ $json.summary.highCount }}</td><td style=\"padding:8px;border:1px solid #ddd;\"><strong>Patches Available</strong></td><td style=\"padding:8px;border:1px solid #ddd;color:#28a745;\">{{ $json.summary.patchAvailableCount }} / {{ $json.summary.totalAssessed }}</td></tr>\n </table>\n <h3 style=\"color:#0d1b2a;border-bottom:2px solid #ff4d4d;padding-bottom:6px;\">Threat Assessments</h3>\n {{ ($json.criticalAndHighThreats || []).map(t => '<div style=\"border:1px solid #ddd;border-left:5px solid ' + (t.severity === 'CRITICAL' ? '#ff4d4d' : '#ffa500') + ';border-radius:4px;padding:14px;margin:12px 0;\"><div style=\"display:flex;justify-content:space-between;\"><div><strong style=\"font-size:1.05em;\">' + t.cveId + '</strong> <span style=\"background:' + (t.severity === 'CRITICAL' ? '#ff4d4d' : '#ffa500') + ';color:white;padding:2px 8px;border-radius:3px;font-size:0.8em;\">' + t.severity + '</span>' + (t.isCisaKev ? ' <span style=\"background:#7b2d8b;color:white;padding:2px 6px;border-radius:3px;font-size:0.75em;\">CISA KEV</span>' : '') + (t.isActivelyExploited ? ' <span style=\"background:#cc0000;color:white;padding:2px 6px;border-radius:3px;font-size:0.75em;\">EXPLOITED</span>' : '') + '</div><div style=\"text-align:right;\"><strong>Urgency: ' + t.urgencyScore + '/100</strong><br/><small>CVSS: ' + t.cvssScore + ' | EPSS: ' + ((t.epssScore||0)*100).toFixed(0) + '%</small></div></div><p style=\"margin:8px 0;font-size:0.9em;color:#333;\">' + t.threatSummary + '</p><p style=\"margin:4px 0;font-size:0.85em;\"><strong>Affected:</strong> ' + (t.affectedAssets||[]).join(', ') + ' | <strong>Impact:</strong> ' + t.impactType + ' | <strong>Exploit:</strong> ' + t.exploitMaturity + '</p>' + (t.immediateActions?.length > 0 ? '<div style=\"background:#fff0f0;border-radius:4px;padding:10px;margin-top:8px;\"><strong>\u26a1 Immediate Actions:</strong><ol style=\"margin:4px 0;\">' + t.immediateActions.slice(0,3).map(a => '<li style=\"font-size:0.85em;\">' + a + '</li>').join('') + '</ol></div>' : '') + '</div>').join('') }}\n <h3 style=\"color:#0d1b2a;\">Global Remediation Priority</h3>\n <ol>{{ ($json.assessment.globalRemediationPriority || []).map(a => '<li style=\"margin:6px 0;\">' + a + '</li>').join('') }}</ol>\n <div style=\"background:#f0f0f0;border-radius:4px;padding:14px;margin-top:16px;\">\n <strong>Threat Landscape:</strong><p style=\"margin:6px 0 0;font-size:0.9em;\">{{ $json.assessment.threatLandscapeSummary }}</p>\n </div>\n <p style=\"font-size:0.75em;color:#999;margin-top:20px;\">Automated threat intelligence \u2014 verify findings before actioning. This does not replace human analyst review for complex threats.</p>\n</div>\n<div style=\"background:#0d0d0d;padding:14px 24px;text-align:center;\"><p style=\"color:#555;font-size:0.8em;margin:0;\">AI Zero-Day Threat Intelligence Monitor • {{ $json.scanRunId }}</p></div>\n</body></html>",
"options": {
"appendAttribution": false
},
"subject": "={{ '\ud83d\udd34 [' + $json.summary.overallThreatLevel + '] Zero-Day Threat Intel \u2014 ' + $json.summary.criticalCount + ' Critical, ' + $json.summary.highCount + ' High | ' + $json.scanRunId }}",
"toEmail": "user@example.com",
"fromEmail": "="
},
"credentials": {
"smtp": {
"name": "<your credential>"
}
},
"typeVersion": 2.1,
"continueOnFail": true
},
{
"id": "7c3e99be-cf46-4c95-8b67-c47367d69e5e",
"name": "Trigger Patch Management System",
"type": "n8n-nodes-base.httpRequest",
"position": [
3984,
1136
],
"parameters": {
"url": "https://YOUR_PATCH_MANAGEMENT_URL/api/v1/patch-jobs",
"method": "POST",
"options": {
"timeout": 12000
},
"jsonBody": "={\n \"scanRunId\": \"{{ $json.scanRunId }}\",\n \"priority\": \"{{ $json.summary.overallThreatLevel }}\",\n \"urgentPatches\": {{ JSON.stringify($json.criticalAndHighThreats.filter(t => t.patchAvailable).map(t => ({ cveId: t.cveId, severity: t.severity, urgencyScore: t.urgencyScore, affectedAssets: t.affectedAssets, patchURL: t.patchURL, mitreTechniques: t.mitreTechniques }))) }},\n \"triggeredAt\": \"{{ new Date().toISOString() }}\",\n \"triggeredBy\": \"n8n-threat-monitor\"\n}",
"sendBody": true,
"sendHeaders": true,
"specifyBody": "json",
"headerParameters": {
"parameters": [
{
"name": "Authorization",
"value": "Bearer YOUR_TOKEN_HERE"
},
{
"name": "Content-Type",
"value": "application/json"
}
]
}
},
"typeVersion": 4.2,
"continueOnFail": true
},
{
"id": "6dc269bd-9036-401a-8c93-007f7273828e",
"name": "Append to Threat Intelligence Log",
"type": "n8n-nodes-base.googleSheets",
"position": [
4240,
848
],
"parameters": {
"columns": {
"value": {},
"schema": [],
"mappingMode": "autoMapInputData",
"matchingColumns": [],
"attemptToConvertTypes": false,
"convertFieldsToString": true
},
"options": {},
"operation": "append",
"sheetName": {
"__rl": true,
"mode": "id",
"value": "=YOUR_SHEET_TAB_ID"
},
"documentId": {
"__rl": true,
"mode": "id",
"value": "=YOUR_GOOGLE_SHEET_ID"
},
"authentication": "serviceAccount"
},
"credentials": {
"googleApi": {
"name": "<your credential>"
}
},
"typeVersion": 4.5,
"continueOnFail": true
},
{
"id": "4bc6c2aa-a237-4c5d-bd66-b9e19e9a2b44",
"name": "Build SIEM-Ready JSON Response",
"type": "n8n-nodes-base.code",
"position": [
4432,
848
],
"parameters": {
"mode": "runOnceForEachItem",
"jsCode": "const d = $input.item.json;\nreturn {\n json: {\n success: true,\n scanRunId: d.scanRunId,\n timestamp: d.assessedAt,\n overallThreatLevel: d.summary.overallThreatLevel,\n immediateActionRequired: d.summary.immediateActionRequired,\n summary: d.summary,\n executiveSummary: d.assessment.executiveSummary,\n topPriorityThreats: (d.assessment.topPriorityThreats || []),\n criticalThreats: d.criticalAndHighThreats.filter(t => t.severity === 'CRITICAL').map(t => ({\n cveId: t.cveId, threatName: t.threatName, urgencyScore: t.urgencyScore,\n cvssScore: t.cvssScore, epssScore: t.epssScore, isCisaKev: t.isCisaKev,\n affectedAssets: t.affectedAssets, impactType: t.impactType,\n exploitMaturity: t.exploitMaturity, patchAvailable: t.patchAvailable,\n patchURL: t.patchURL, immediateActions: t.immediateActions,\n mitreTechniques: t.mitreTechniques\n })),\n highThreats: d.criticalAndHighThreats.filter(t => t.severity === 'HIGH').map(t => ({\n cveId: t.cveId, threatName: t.threatName, urgencyScore: t.urgencyScore,\n cvssScore: t.cvssScore, affectedAssets: t.affectedAssets, impactType: t.impactType\n })),\n globalRemediationPriority: d.assessment.globalRemediationPriority,\n threatLandscapeSummary: d.assessment.threatLandscapeSummary\n }\n};"
},
"typeVersion": 2
},
{
"id": "83da09e7-6469-4a20-989b-e50d1a751aa7",
"name": "Return Threat Intel to Caller",
"type": "n8n-nodes-base.respondToWebhook",
"position": [
4656,
848
],
"parameters": {
"options": {
"responseHeaders": {
"entries": [
{
"name": "Content-Type",
"value": "application/json"
}
]
}
},
"respondWith": "json",
"responseBody": "={{ JSON.stringify($json, null, 2) }}"
},
"typeVersion": 1
},
{
"id": "90f81122-44c5-4e98-9f12-54bab8030111",
"name": "Wait For Result",
"type": "n8n-nodes-base.wait",
"position": [
3344,
896
],
"parameters": {},
"typeVersion": 1.1
}
],
"active": false,
"settings": {
"executionOrder": "v1"
},
"versionId": "40017b5b-f38b-439f-a44a-fbcdaebe4c7f",
"connections": {
"Claude AI Model": {
"ai_languageModel": [
[
{
"node": "AI Threat Assessment & Prioritisation",
"type": "ai_languageModel",
"index": 0
}
]
]
},
"Wait For Result": {
"main": [
[
{
"node": "Route by Overall Threat Level",
"type": "main",
"index": 0
}
]
]
},
"On-Demand Scan Webhook": {
"main": [
[
{
"node": "Load Asset & Software Inventory",
"type": "main",
"index": 0
}
]
]
},
"Query NVD CVE Database": {
"main": [
[
{
"node": "Merge All Threat Feed Results",
"type": "main",
"index": 0
}
]
]
},
"Alert SOC Team on Slack": {
"main": [
[
{
"node": "Append to Threat Intelligence Log",
"type": "main",
"index": 0
}
]
]
},
"Create Jira Threat Tickets": {
"main": [
[
{
"node": "Submit Jira Issues via API",
"type": "main",
"index": 0
}
]
]
},
"Submit Jira Issues via API": {
"main": [
[
{
"node": "Append to Threat Intelligence Log",
"type": "main",
"index": 0
}
]
]
},
"Fetch AlienVault OTX Pulses": {
"main": [
[
{
"node": "Merge All Threat Feed Results",
"type": "main",
"index": 1
}
]
]
},
"Filter Above Risk Threshold": {
"main": [
[
{
"node": "Wait For Result",
"type": "main",
"index": 0
}
]
]
},
"Hourly Threat Scan Schedule": {
"main": [
[
{
"node": "Load Asset & Software Inventory",
"type": "main",
"index": 0
}
]
]
},
"Merge All Threat Feed Results": {
"main": [
[
{
"node": "Normalise, Deduplicate & Correlate",
"type": "main",
"index": 0
}
]
]
},
"Route by Overall Threat Level": {
"main": [
[
{
"node": "Alert SOC Team on Slack",
"type": "main",
"index": 0
},
{
"node": "Create Jira Threat Tickets",
"type": "main",
"index": 0
},
{
"node": "Send Threat Brief to Security Team",
"type": "main",
"index": 0
},
{
"node": "Trigger Patch Management System",
"type": "main",
"index": 0
}
],
[
{
"node": "Alert SOC Team on Slack",
"type": "main",
"index": 0
},
{
"node": "Create Jira Threat Tickets",
"type": "main",
"index": 0
},
{
"node": "Send Threat Brief to Security Team",
"type": "main",
"index": 0
},
{
"node": "Trigger Patch Management System",
"type": "main",
"index": 0
}
],
[
{
"node": "Send Threat Brief to Security Team",
"type": "main",
"index": 0
},
{
"node": "Append to Threat Intelligence Log",
"type": "main",
"index": 0
}
]
]
},
"Build SIEM-Ready JSON Response": {
"main": [
[
{
"node": "Return Threat Intel to Caller",
"type": "main",
"index": 0
}
]
]
},
"Parse & Validate AI Assessment": {
"main": [
[
{
"node": "Filter Above Risk Threshold",
"type": "main",
"index": 0
}
]
]
},
"Load Asset & Software Inventory": {
"main": [
[
{
"node": "Build Scan Context & Search Terms",
"type": "main",
"index": 0
}
]
]
},
"Trigger Patch Management System": {
"main": [
[
{
"node": "Append to Threat Intelligence Log",
"type": "main",
"index": 0
}
]
]
},
"Fetch CISA Known Exploited Vulns": {
"main": [
[
{
"node": "Merge All Threat Feed Results",
"type": "main",
"index": 1
}
]
]
},
"Query GitHub Security Advisories": {
"main": [
[
{
"node": "Merge All Threat Feed Results",
"type": "main",
"index": 1
}
]
]
},
"Append to Threat Intelligence Log": {
"main": [
[
{
"node": "Build SIEM-Ready JSON Response",
"type": "main",
"index": 0
}
]
]
},
"Build Scan Context & Search Terms": {
"main": [
[
{
"nod
Credentials you'll need
Each integration node will prompt for credentials when you import. We strip credential IDs before publishing — you'll add your own.
airtableTokenApianthropicApigoogleApijiraSoftwareCloudApislackApismtp
Pro
For the full experience including quality scoring and batch install features for each workflow upgrade to Pro
About this workflow
This workflow continuously monitors CVE databases, threat intelligence feeds, and public security advisories to surface emerging zero-day threats, correlates them against your registered infrastructure assets and software inventory, and uses Claude AI to score exploitability,…
Source: https://n8n.io/workflows/13692/ — original creator credit. Request a take-down →
Related workflows
Workflows that share integrations, category, or trigger type with this one. All free to copy and import.
This workflow monitors active construction projects in real time, ingests weather forecasts, supplier delivery statuses, and crew/resource availability, then uses Claude AI to predict delay risk, esti
Airtable, HTTP Request, Agent +3
This workflow ingests student profiles from a form submission or CRM, loads the active scholarship catalogue, uses Claude AI to score each student's eligibility against every available scholarship, fi
Airtable, Agent, Anthropic Chat +3
Automatically transforms your travel photos and notes into beautiful journals, highlight reels, and review drafts using Claude's vision and language capabilities. Trip Completion Trigger - Webhook or
HTTP Request, Google Sheets, Agent +3
This workflow provides real-time detection of ransomware encryption patterns using Claude AI, with automated system isolation and incident response. File System Monitoring - Continuously monitors file
Agent, Anthropic Chat, HTTP Request +3
This workflow provides personalized travel destination recommendations by analyzing past trip history, user preferences, travel behavior patterns, and current trends. It uses Claude AI to generate int
Google Sheets, Agent, Anthropic Chat +2