🚀 100 n8n Cybersecurity Workflow Ideas

Automation blueprints for Red Team & Pentest, Blue Team (SOC/DFIR/TI), Application Security (AppSec/DevSecOps), and Platform/General Security — all using n8n.

Each idea lists Purpose, Integrations, and a Flow Outline you can translate into n8n nodes (HTTP Request, Execute Command, IF/Switch, Function, Code, Split In Batches, Merge, Set, Move Binary Data, Wait, Cron, Webhook, Email/Slack/Teams, PostgreSQL/MongoDB/Redis, AWS, GCP, Azure, RabbitMQ, Kafka, etc.).

A. Red Team & Pentest (30)

Automated Subdomain Recon Hub
Purpose: Consolidate subdomain intel continuously.
Integrations: Subfinder/Amass (Exec), DNSDB/PassiveTotal (HTTP), Shodan/Censys, Slack, PostgreSQL.
Flow: Cron → Exec(Subfinder/Amass) → HTTP(DNS/Passive) → HTTP(Shodan/Censys) → Merge/Unique → DB upsert → Slack summary.
Attack Surface Change Detector
Purpose: Detect new hosts/ports/services vs last run.
Integrations: Nmap/Naabu/Masscan (Exec), Diff (Function), Jira/Slack.
Flow: Cron → Exec(scan) → Compare with last snapshot (DB) → Create Jira issues per delta → Slack alert.
Cloud Bucket Finder (S3/GCS/Azure)
Purpose: Enumerate public buckets & misconfigs.
Integrations: AWS/GCP/Azure APIs, HTTP HEAD/GET, Slack, CSV export.
Flow: Cron → List buckets → Check ACL/public URLs → IF public → notify Slack + write CSV to S3.
Credential Spraying Orchestrator (Lab/Test Only)
Purpose: Controlled spray against lab IdP for detection tuning.
Integrations: Custom IdP/API, Delay/Rate-limit, Secret store.
Flow: Webhook list → Split → Wait between attempts → HTTP(Auth) → Collect results → Red/Blue joint report.
GoPhish Campaign Launcher
Purpose: Spin phishing tests end-to-end.
Integrations: GoPhish API, Google Sheets (targets), Slack/Email, S3 for evidence.
Flow: Trigger → Fetch targets → GoPhish API(create campaign) → Poll stats → Export CSV/PDF → Send digest.
Malicious Macro Build Conveyor (PoC)
Purpose: Generate PoC docs for awareness labs.
Integrations: Dockerized builder, Git repo, Hashing node, VT private sandbox (optional).
Flow: Webhook payload → Build (Docker) → Hash → Store to S3 → Share link + Slack.
Payload Inventory & Hash Tracker
Purpose: Track artifacts, hashes, and usage.
Integrations: S3, PostgreSQL, Slack.
Flow: Upload webhook → Compute SHA256 → DB upsert (who/when/use) → Notify Slack.
C2 Beacon Event Forwarder
Purpose: Stream C2 events to collab channels.
Integrations: CS/Havoc/Sliver webhooks, Slack/Discord, TimescaleDB.
Flow: Webhook(C2) → Transform → Insert DB → Slack threaded updates per host.
Initial Access Monitor (Decoy Links)
Purpose: Observe clicks, IPs, User-Agents.
Integrations: n8n Webhook, GeoIP, AbuseIPDB.
Flow: Webhook click → Enrich(GeoIP/ASN) → IF(bad reputation) → tag IOC → Push to TI DB.
Exfiltration Simulation to Cloud
Purpose: Test DLP detection.
Integrations: S3/GDrive/Dropbox, Slack, Timer.
Flow: Cron → Upload decoy file → Verify receipt → Notify SOC channel.
AV/EDR Evasion Test Matrix Runner (Lab)
Purpose: Run known OPSEC variations against lab EDR.
Integrations: Exec, Git repo of samples, Jira.
Flow: Schedule → Execute cases → Collect detections → Auto-create Jira tasks for misses.
TLS/Cert Recon Harvester
Purpose: Track cert issuance & SANs.
Integrations: crt.sh, Censys, DB, Email.
Flow: Cron → Query certs → Diff vs history → Email changes.
Shadow IT Finder (App Enumeration)
Purpose: Identify unmanaged domains/apps.
Integrations: SecurityTrails, Shodan, HTTP banner grabs.
Flow: Fetch domains → HTTP checks → Tag suspicious → Report.
Vuln Exploit Window Notifier
Purpose: Alert when a new PoC drops for in-scope CVE.
Integrations: GitHub RSS, NVD, Exploit-DB, Slack.
Flow: Poll feeds → Filter by CVEs seen in scans → Slack “exploit available” ping.
Password Dump Honeytoken Telemetry
Purpose: Detect credential reuse events.
Integrations: Canarytokens, Webhook, TI DB.
Flow: Honeytoken fire → Enrich IP → Store IOC → Notify.
Adversary Path Builder (ATT&CK)
Purpose: Compose ordered technique runs.
Integrations: JSON (technique sets), Exec scripts, Confluence export.
Flow: Select profile → Iterate techniques → Log output → Publish runbook.
Browser Exploit Canary (XSS)
Purpose: Receive callbacks for injected beacons.
Integrations: Webhook, Slack, urlscan.io.
Flow: Host payload → When fired → Slack + store evidence.
SSRF Canary Endpoint
Purpose: Detect SSRF attempts during tests.
Integrations: Webhook, GeoIP, Headers parser.
Flow: Receive hits → Parse metadata → Map source app → Report.
Perimeter Tech Stack Mapper
Purpose: WhatWeb/Wappalyzer at scale.
Integrations: Exec(whatweb) or HTTP(Wappalyzer), DB.
Flow: Enumerate targets → Fingerprint → Store/Trend.
Default Creds Sweep (Lab)
Purpose: Validate controls block weak creds.
Integrations: HTTP basic/digest, SSH, SNMP, Slack.
Flow: Parametrized list → Parallel attempts → Results table → Slack.
API Fuzzing Loop (Dev/Test)
Purpose: Fuzz endpoints nightly.
Integrations: ZAP/Ffuf/Katana, CI callbacks.
Flow: Cron → Discover → Fuzz → Deduplicate → File Jira bugs.
Email Security Bypass Lab Orchestrator
Purpose: Test mail controls (EOP/GWS).
Integrations: SMTP, IMAP/Gmail API, VirusTotal.
Flow: Send test set → Pull verdicts → Score bypass rate → Report.
Windows Lateral Movement Lab Runner
Purpose: Practice PSRemoting/WMI/SMB.
Integrations: WinRM node/SSH to jump host, Logging DB.
Flow: Task list → Execute → Capture outputs → Heatmap.
Phishing Landing Page Telemetry
Purpose: High-fidelity user behavior.
Integrations: Webhook (form), Device fingerprint, GeoIP.
Flow: Capture → Normalize → Risk scoring → Export CSV.
Recon to Report (One-Click)
Purpose: Draft recon PDF from data.
Integrations: DB → Markdown → PDF, Confluence.
Flow: Query latest intel → Render Markdown → Convert PDF → Publish.
Bluetooth/IoT Discovery (Lab)
Purpose: Detect BLE beacons, rogue IoT.
Integrations: Custom sensor API, DB, Slack.
Flow: Poll sensors → New MACs? → Alert + tag.
WIFI Evil Twin Drill Tracker
Purpose: Simulate & log detections.
Integrations: Exec(hostapd/airmon-ng), Slack, Timeline.
Flow: Start/stop runs → Record detections → Timeline report.
Red Team Debrief Packager
Purpose: Bundle artifacts + timelines.
Integrations: S3, Zip, Confluence/Jira.
Flow: Select engagement → Pull logs → Zip → Upload & link.
OpSec Sanity Checker
Purpose: Check infra hygiene before ops.
Integrations: DNS/WHOIS, CDN, IP rep, Cloud SG.
Flow: Validate → IF leaks/misconfigs → Blocker alert.
C2 Infra Expiry & Burn Plan
Purpose: Auto-retire infra on schedule.
Integrations: Cloud APIs, DNS API, Slack.
Flow: Daily check → If TTL reached → Destroy resources → Log.

B. Blue Team / SOC / DFIR (35)

Threat Intel Ingest & Normalize
Purpose: Aggregate OTX/MISP/VT/AbuseIPDB.
Integrations: HTTP, CSV/JSON, PostgreSQL/Elastic.
Flow: Cron → Fetch feeds → Map fields (STIX-ish) → Upsert → De-dup metrics.
IOC Enrichment Micro-SOAR
Purpose: On-demand IP/URL/hash enrichment.
Integrations: VirusTotal, urlscan.io, WHOIS, Shodan.
Flow: Webhook IOC → Parallel enrich → Confidence score → Respond with JSON.
Impossible Travel Detector
Purpose: Geo-anomalies in IdP logins.
Integrations: Okta/Azure AD, GeoIP, Slack/Jira.
Flow: Pull events → Sort by user → Velocity calc → Alert.
OAuth App Risk Auditor
Purpose: Risky third-party OAuth grants.
Integrations: Google/M365 Graph, Sheets, Slack.
Flow: Pull grants → Score scopes → Notify owners.
SIEM → Slack Alert Router
Purpose: Targeted, deduped alerting.
Integrations: Splunk/Elastic API, Slack threads.
Flow: Poll alerts → IF severity+not seen → Post thread per incident.
EDR Noise Tamer
Purpose: Suppress known benigns, highlight real.
Integrations: CrowdStrike/Defender API, Redis cache.
Flow: Ingest → Check allowlist cache → IF new → escalate.
Phishing Auto-Triage
Purpose: Classify, detonate, verdict.
Integrations: Gmail/Graph, VT/AnyRun, Jira.
Flow: Fetch reported → Extract URLs/attachments → Sandbox → Verdict → Ticket.
Ransomware Canary Tripwire
Purpose: Early encryption detection.
Integrations: SMB share watch, Slack, IR runbook link.
Flow: Monitor canary changes → IF entropy spike → Page on-call.
DNS Tunneling Heuristics
Purpose: Spot long, frequent queries.
Integrations: DNS logs (Elastic), Function scoring.
Flow: Daily job → Flag FQDNs → TI cross-check → Alert.
Beaconing Periodicity Detector
Purpose: C2-like intervals.
Integrations: Proxy/NetFlow, FFT periodicity (Function/Code).
Flow: Pull flows → Compute periodogram → Alert candidates.
URL Detonation Pipeline
Purpose: Classify links from alerts.
Integrations: urlscan.io, VT, Screenshot API, S3.
Flow: For each URL → Scan → Take screenshot → Store & return verdict.
Abuse Mailbox Automation
Purpose: Triage employee-reported spam.
Integrations: IMAP, Regex extractor, Jira.
Flow: Read inbox → Extract IOCs → Enrich → Auto-close or escalate.
Threat Actor Tracker
Purpose: Follow APT infra changes.
Integrations: TI feeds, ASN/IP whois.
Flow: Monitor named actor sets → Update watchlists → Digest.
SOAR Containment Buttons
Purpose: Semi-auto block actions.
Integrations: EDR isolate, FW/WAF IP block, Okta suspend.
Flow: Slack action → n8n webhook → Execute API call → Confirm.
Cloud Config Drift Watch
Purpose: Detect risky cloud changes.
Integrations: AWS/GCP/Azure config APIs, Jira.
Flow: Hourly diff → If public/privilege escalation → Ticket.
S3 Public Object Sentinel
Purpose: Alert on public ACLs.
Integrations: AWS S3, Slack.
Flow: ListObjectsV2 → Check ACL → Alert + Fix suggestion.
Exposed Secret Honeypot
Purpose: Leak detector.
Integrations: Canarytokens webhook, TI DB.
Flow: Receive trigger → Enrich → Block list update.
Endpoint Tamper Watch
Purpose: Detect EDR kill/disable.
Integrations: EDR events, Slack paging.
Flow: Subscribe → IF tamper → Page & open incident.
Macro Risk Scorer
Purpose: Rate Office attachments.
Integrations: O365/Google, OLE parser (Function), VT.
Flow: Download → Analyze → Score → Verdict email.
Okta MFA Fatigue Monitor
Purpose: MFA spam pattern detection.
Integrations: Okta logs, Slack/Jira.
Flow: Count prompts/user window → If abnormal → Alert.
Brute-Force Heatmap
Purpose: Visualize auth failures.
Integrations: SIEM query, Grafana/Looker.
Flow: Daily extract → Aggregate → Publish dashboard.
Insider Data Egress Guard
Purpose: Sensitive files egress spikes.
Integrations: DLP logs, Drive/OneDrive APIs.
Flow: Pull file events → Thresholds → Escalate.
Malspam Campaign Correlator
Purpose: Cluster similar emails.
Integrations: IMAP, TLS certs, Sending IP.
Flow: Group by features → Label clusters → Report.
IR War Room Orchestrator
Purpose: Spin up channel + checklist.
Integrations: Slack/Teams, Confluence, PagerDuty.
Flow: Webhook incident → Create channel → Post runbook → Page roles.
Asset Risk Joiner
Purpose: Merge asset CMDB + vuln + EDR.
Integrations: ServiceNow, Qualys/Tenable, EDR.
Flow: Nightly join → Ownership mapping → Top 10 risky assets.
Threat Hunt Notebook Seeds
Purpose: Push IOCs to detections.
Integrations: SAVED searches, Jupyter links.
Flow: TI change → Generate hunt queries → Post to SOC channel.
GeoIP Block Auto-Update
Purpose: Keep geo blocks fresh.
Integrations: Firewall API, GeoIP DB.
Flow: Monthly refresh → Apply policy → Verify.
Password Leak Monitor
Purpose: Compromised creds watch.
Integrations: HaveIBeenPwned (k-Anon), HR DB, Email.
Flow: Hash search → If match → Notify user + force reset.
Public Paste Scraper
Purpose: Keys/emails leaks.
Integrations: Pastebin/GitHub search, Regex, Jira.
Flow: Crawl → Extract → De-dupe → Tickets.
SOC Daily Briefing Builder
Purpose: Morning digest.
Integrations: SIEM top alerts, TI deltas, Open incidents.
Flow: 07:30 Cron → Compile → Email/Slack brief.
Endpoint Golden Image Drift
Purpose: Detect drift from baseline.
Integrations: EDR inventory, Hash lists.
Flow: Weekly compare → Deviations → Fix tasks.
VPN Anomaly Detector
Purpose: Abnormal session length/volume.
Integrations: VPN logs, Function.
Flow: Aggregate → Z-score outliers → Alert.
Shadow Admin Finder
Purpose: Hidden/high-priv accounts.
Integrations: AD/Azure AD, IAM APIs.
Flow: Enumerate roles → Diff vs registry → Notify.
Email Auth Health (SPF/DKIM/DMARC)
Purpose: Prevent spoofing.
Integrations: DNS checks, DMARC reports parse.
Flow: Weekly check → Score → Action items.
Webhook Abuse Sentinel
Purpose: Detect mass webhook fires.
Integrations: API gateways, Rate metrics.
Flow: Monitor → Threshold → Block rule.
Printer/OT Device Watch
Purpose: OT anomalies.
Integrations: Syslog/NetFlow, OT vendor API.
Flow: Collect → Rules → Notify OT team.
SSL/TLS Weak Cipher Patrol
Purpose: Find weak suites.
Integrations: sslscan/sslyze, DB.
Flow: Scan → Parse → Jira tasks.

C. Application Security / DevSecOps (25)

SAST on PR with Semgrep
Purpose: PR-time static analysis.
Integrations: GitHub/GitLab, Semgrep (Docker), Jira.
Flow: Webhook PR → Run Semgrep → Annotate checks → Fail/Pass → Ticket.
DAST Nightly with ZAP
Purpose: Crawl/scan staging.
Integrations: ZAP API, Slack, HTML report to S3.
Flow: Cron → ZAP Spider+Active → Threshold → Notify.
Software Composition Analysis
Purpose: Dependency vulns.
Integrations: Trivy/Grype, GH Dependabot API.
Flow: Build event → Scan → SBOM → Gate release.
Container Image Policy Gate
Purpose: Block critical CVEs.
Integrations: Trivy, Registry API, ArgoCD.
Flow: Push → Scan → If critical → Block tag → Notify.
IaC Misconfig Scanner
Purpose: Terraform/K8s checks.
Integrations: Checkov/Terraform Cloud, Jira.
Flow: PR → Scan → Inline findings → Ticket.
Secrets Scanner
Purpose: Prevent key leaks.
Integrations: TruffleHog/Gitleaks, Slack.
Flow: Commit hook → Scan → Quarantine secrets → Rotate reminder.
CICD SBOM + Provenance
Purpose: SLSA-ish attestations.
Integrations: Syft, Cosign, Registry.
Flow: Build → SBOM → Sign → Attach to artifact.
API Contract Drift Guard
Purpose: OpenAPI drift alerts.
Integrations: SwaggerHub/Postman, ZAP passive.
Flow: PR → Diff OpenAPI → Raise change approvals.
GraphQL Introspection Guard
Purpose: Block introspection in prod.
Integrations: HTTP check, WAF rule.
Flow: Daily check → If enabled → Open ticket → Push WAF fix.
CSP/Headers Compliance
Purpose: Security headers baseline.
Integrations: HTTP HEAD, Report-Only evaluation.
Flow: Crawl → Evaluate headers → Gap report.
File Upload Abuse Tests
Purpose: MIME bypass, polyglots.
Integrations: ZAP/Custom scripts, S3.
Flow: Test set → Upload → Analyze response → Raise bugs.
SSRF Canary Test Pack
Purpose: Validate egress filters.
Integrations: Canary endpoint, Logs.
Flow: Send crafted URLs → Check callbacks → Report.
Rate Limit & AuthZ Fuzzer
Purpose: Business logic flaws.
Integrations: Ffuf/Katana, Test users.
Flow: Scenario runner → Detect 429/401 gaps → Ticket.
Mobile AppSec via MobSF
Purpose: APK/IPA scans.
Integrations: MobSF API, Slack.
Flow: Upload build → Scan → Risk grade → Gating.
Dependency Auto-PR Remediator
Purpose: Auto-bump libs.
Integrations: Renovate/Bot, CI checks.
Flow: Nightly → Raise PRs → Tag owners → Merge if green.
Static Secrets Rotation Helper
Purpose: Track key ages.
Integrations: Vault/Secrets Manager, Git repos.
Flow: Inventory secrets → Age calc → Reminders.
App Attack Telemetry Loop
Purpose: Replay prod attacks in staging.
Integrations: WAF logs, ZAP replay.
Flow: Extract patterns → Generate cases → Scan staging.
Compliance Pack (PCI/SOC2)
Purpose: Control checks evidence.
Integrations: Cloud APIs, CI logs, Jira.
Flow: Monthly pull → Evidence bundle → Confluence.
Feature-Flag Abuse Tests
Purpose: Access control around flags.
Integrations: FF platform API, Test scripts.
Flow: Enumerate flags → Try cross-role access → Report.
CORS/Redirect Weakness Finder
Purpose: Misconfig combos.
Integrations: HTTP checks, Regex rules.
Flow: Crawl → Test origins → Flag dangerous combos.
Session Management Validations
Purpose: Cookie scope, rotation.
Integrations: HTTP, ZAP scripts.
Flow: Login → Action → Invalidate → Verify.
CI Artifact Leakage Guard
Purpose: Private artifact exposure.
Integrations: CI API, Bucket scans.
Flow: Enumerate → Try fetch unauth → Ticket.
Access Tokens Exposure Watch
Purpose: Public repo/token sprawl.
Integrations: GH/GitLab search API, Regex.
Flow: Search org → Alert → Revoke/rotate tasks.
SCA License Compliance
Purpose: License policies.
Integrations: FOSSology/Trivy, Jira.
Flow: Analyze SBOM → Violations → Tickets.
Perf & Sec Regression Join
Purpose: Correlate perf + sec.
Integrations: k6/Gatling, ZAP.
Flow: Run both → Correlate regressions with vulns → Gate release.

D. Platform & General Security (10)

Vuln Digest with Prioritization
Purpose: CVEs → asset exposure → exploitability.
Integrations: NVD, EPSS/KEV, CMDB, Jira.
Flow: Fetch CVEs → Join assets → Score(EPSS+KEV) → Ticket.
TLS Expiry & Rotation Planner
Purpose: No surprise expirations.
Integrations: crt.sh, Cert managers, Calendar.
Flow: Gather expiring → Create rotation plan → Email owners.
Risk Register Auto-Curator
Purpose: Keep risks current.
Integrations: Jira/ServiceNow, Sheets.
Flow: Weekly sync → Archive stale → Nudge owners.
Backup Integrity & RPO Check
Purpose: Validate backup SLAs.
Integrations: Backup API, Hashing, Slack.
Flow: Verify jobs → Sample restore hash → Report.
Data Classification Guardrails
Purpose: Tag data & control spread.
Integrations: DLP, Drive/SharePoint APIs.
Flow: Scan labels → If sensitive in public → Auto-restrict.
Geo Blocklist Lifecycle
Purpose: Maintain geo policy.
Integrations: GeoIP, FW APIs.
Flow: Quarterly review → Update rules → Validate reachability.
Security Awareness Insights
Purpose: Trend training vs incidents.
Integrations: LMS, SIEM, BI tool.
Flow: Join datasets → KPI report → Exec summary.
Red↔Blue Exercise Loop (Purple)
Purpose: Simulate, detect, improve.
Integrations: ATT&CK set, ZAP/Caldera/Atomic, SIEM/EDR.
Flow: Plan techniques → Execute → Collect detections → Create engineering tasks.

E. Reference Integrations

Recon/Offensive: Subfinder, Amass, Naabu, Nmap, Masscan, Shodan, Censys, WhatWeb/Wappalyzer, ffuf, ZAP, Katana, Metasploit, Sliver, Havoc, Cobalt Strike (events).
Blue/SOC: Splunk, Elastic, CrowdStrike, Defender for Endpoint, Okta/Azure AD/Google Workspace, MISP, AlienVault OTX, VirusTotal, AbuseIPDB, urlscan.io, AnyRun/Cuckoo.
AppSec/DevSecOps: Semgrep, Trivy/Grype, Checkov, MobSF, Syft/Cosign, Renovate, Dependabot, SwaggerHub/Postman.
Cloud/Infra: AWS (S3, IAM, Config), GCP (Storage, IAM, SCC), Azure (Blob, Graph), Vault/Secrets Manager.
Collab/Ticketing: Slack, Microsoft Teams, Jira, ServiceNow, Confluence, Gmail/Outlook.
Data/Storage: PostgreSQL, TimescaleDB, Elastic, MongoDB, S3/GCS/Azure Blob, Google Sheets.

F. Import & Build Tips

Node choices: Prefer HTTP Request for APIs, Execute Command for scanners, Function/Code for glue logic, IF/Switch for decisions, Split In Batches for lists, Merge for joins, Wait for pacing/rate-limits.
Credentials: Use n8n Credentials securely; never hard-code secrets in Function nodes.
Idempotency: Upsert to DB and include de-dupe keys (hashes, IOC values, domain).
Observability: Add Run IDs, trace context, and metrics counters (success/fail, new/duplicate).
Safety: Offensive workflows must run only in authorized scope

n8n-CyberSecurity-Workflows

About n8n-CyberSecurity-Workflows

Platforms

Links

README.md