Monitor zero-day threats with Anthropic Claude, Airtable, Slack and Jira

Created by

Oneclick AI Squad

Last update

Last update 2 hours ago

How it works

Trigger — Hourly schedule or on-demand webhook for immediate threat scans
Load Asset Inventory — Fetches registered infrastructure (IPs, hostnames, software, versions) from Airtable
Scrape CVE Sources — Queries NVD API, CISA KEV, and GitHub Security Advisories in parallel
Fetch Threat Feeds — Pulls OSINT feeds (AlienVault OTX, abuse.ch, Shodan) for active exploitation signals
Normalise & Deduplicate — Merges all findings, deduplicates by CVE ID, enriches with CVSS scores
Correlate with Assets — Matches CVEs to your specific software/version inventory
AI Threat Assessment — Claude AI scores exploitability, blast radius, and urgency per matched threat
Filter Critical Findings — Keeps only threats scoring above configurable risk threshold
Route by Severity — Branches CRITICAL / HIGH / MEDIUM for different response paths
Alert SOC via Slack — Immediate notification with threat summary and patch status
Create Incident Tickets — Auto-opens Jira/ServiceNow issues for CRITICAL and HIGH threats
Email Security Team — Detailed HTML threat brief with CVE details and remediation steps
Update Threat Register — Appends findings to Google Sheets threat intelligence log
Trigger Patch Workflow — Webhooks downstream patch management system for auto-remediation
Return API Response — Structured JSON result for SIEM/SOAR integration

Setup Steps

Import workflow into n8n
Configure credentials:
- Anthropic API — Claude AI for threat assessment
- NVD API Key — NIST National Vulnerability Database
- CISA KEV — Known Exploited Vulnerabilities catalogue (public)
- AlienVault OTX API — Open Threat Exchange pulses
- Shodan API — Internet exposure checks
- Airtable — Asset/software inventory
- Google Sheets OAuth — Threat intelligence log
- Slack OAuth — SOC alerts
- Jira API — Incident ticket creation
- SendGrid / SMTP — Security team email digests
Register your asset inventory in Airtable (hostnames, IPs, software, versions)
Set your risk score threshold (default: 65) in the filter node
Set your Slack SOC channel IDs
Configure downstream patch webhook URL
Activate the workflow

Sample Webhook Payload (On-Demand Scan)

{
  "scanType": "targeted",
  "software": "Apache HTTP Server",
  "version": "2.4.51",
  "urgency": "high",
  "requestedBy": "[email protected]"
}

Threat Sources Monitored

NVD (NIST) — Full CVE database with CVSS v3.1 scores
CISA KEV — Actively exploited vulnerabilities catalogue
GitHub Security Advisories — Open source dependency vulnerabilities
AlienVault OTX — Community threat intelligence pulses
abuse.ch URLhaus — Malware distribution and C2 URLs
Shodan — Internet-exposed asset enumeration
EPSS — Exploit Prediction Scoring System probabilities

AI Assessment Dimensions

CVSS Score — Base, temporal, and environmental scoring
EPSS Probability — Likelihood of exploitation in the wild
Asset Exposure — Internal vs external facing, attack surface
Patch Availability — Vendor patch, workaround, or no fix status
Active Exploitation — CISA KEV / OTX confirmation
Business Impact — Confidentiality, integrity, availability impact
Blast Radius — Number of affected assets and systems
Urgency Score — Composite prioritisation score (0–100)

Features

Multi-source CVE aggregation with deduplication
Asset correlation against software/version inventory
EPSS-weighted AI exploitability scoring
Automated CRITICAL/HIGH/MEDIUM severity routing
Jira ticket creation with full CVE context
Patch management webhook integration
Full threat intelligence audit log
SIEM/SOAR-ready JSON output

Explore More Automation:
Contact us to design AI-powered lead nurturing, content engagement, and multi-platform reply workflows tailored to your growth strategy.