Monitor zero-day threats with Anthropic Claude, Airtable, Slack and Jira

This workflow continuously monitors CVE databases, threat intelligence feeds, and public security advisories to surface emerging zero-day threats, correlates them against your registered infrastructure assets and software inventory, and uses Claude AI to score exploitability, assess business impact, and generate actionable remediation playbooks — all before attackers can operationalise the vulnerability.

How it works

1. Trigger — Hourly schedule or on-demand webhook for immediate threat scans
2. Load Asset Inventory — Fetches registered infrastructure (IPs, hostnames, software, versions) from Airtable
3. Scrape CVE Sources — Queries NVD API, CISA KEV, and GitHub Security Advisories in parallel
4. Fetch Threat Feeds — Pulls OSINT feeds (AlienVault OTX, abuse.ch, Shodan) for active exploitation signals
5. Normalise & Deduplicate — Merges all findings, deduplicates by CVE ID, enriches with CVSS scores
6. Correlate with Assets — Matches CVEs to your specific software/version inventory
7. AI Threat Assessment — Claude AI scores exploitability, blast radius, and urgency per matched threat
8. Filter Critical Findings — Keeps only threats scoring above configurable risk threshold
9. Route by Severity — Branches CRITICAL / HIGH / MEDIUM for different response paths
10. Alert SOC via Slack — Immediate notification with threat summary and patch status
11. Create Incident Tickets — Auto-opens Jira/ServiceNow issues for CRITICAL and HIGH threats
12. Email Security Team — Detailed HTML threat brief with CVE details and remediation steps
13. Update Threat Register — Appends findings to Google Sheets threat intelligence log
14. Trigger Patch Workflow — Webhooks downstream patch management system for auto-remediation
15. Return API Response — Structured JSON result for SIEM/SOAR integration
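
The Normalise & Deduplicate and Correlate with Assets steps can be sketched in JavaScript, the language of n8n Code nodes. This is an added example, not the template's own code: the record fields (`source`, `cveId`, `product`, `fixedIn`, `cvss`), the function names, and all sample data are assumptions constructed for illustration.

```javascript
// Added example. Field names (source, cveId, product, fixedIn, cvss) are
// assumptions, not the template's schema; all sample data is constructed.
// Numeric dotted-version compare; string compare would rank "2.4.9" above "2.4.51".
function compareVersions(a, b) {
  const [pa, pb] = [a, b].map(v => v.split('.').map(Number));
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// One record per CVE ID; keep every source, the highest CVSS, and a KEV flag.
function dedupeByCve(findings) {
  const byId = new Map();
  for (const f of findings) {
    const id = f.cveId.trim().toUpperCase(); // feeds differ in case and padding
    const cur = byId.get(id) || { cveId: id, sources: [], cvss: null, knownExploited: false };
    cur.sources.push(f.source);
    cur.product = cur.product || f.product;
    cur.fixedIn = cur.fixedIn || f.fixedIn;
    if (f.cvss != null) cur.cvss = Math.max(cur.cvss ?? 0, f.cvss);
    if (f.source === 'CISA_KEV') cur.knownExploited = true;
    byId.set(id, cur);
  }
  return [...byId.values()];
}

// Keep CVEs whose product is in the inventory at a version below the fix.
// With no known fixed version, every asset running the product matches.
function correlate(cves, assets) {
  return cves.map(c => ({
    ...c,
    affectedAssets: assets.filter(a =>
      a.software.toLowerCase() === (c.product || '').toLowerCase() &&
      (!c.fixedIn || compareVersions(a.version, c.fixedIn) < 0)
    ).map(a => a.hostname),
  })).filter(c => c.affectedAssets.length > 0);
}

const SAMPLE_FINDINGS = [ // constructed; CVE IDs are placeholders
  { source: 'NVD', cveId: 'CVE-0000-0001', product: 'Apache HTTP Server', fixedIn: '2.4.60', cvss: 9.8 },
  { source: 'CISA_KEV', cveId: 'cve-0000-0001 ', product: 'Apache HTTP Server' },
  { source: 'GHSA', cveId: 'CVE-0000-0002', product: 'ExampleLib', fixedIn: '1.2.0', cvss: 5.3 },
];
const SAMPLE_ASSETS = [ // constructed inventory rows
  { hostname: 'web-01', software: 'Apache HTTP Server', version: '2.4.51' },
  { hostname: 'web-02', software: 'Apache HTTP Server', version: '2.4.60' },
  { hostname: 'web-03', software: 'apache http server', version: '2.4.9' },
];
```

Version strings with distribution suffixes or non-numeric parts need a proper version parser before this comparison is trusted; here such parts compare as 0.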

Setup Steps

1. Import workflow into n8n
2. Configure credentials:
   - Anthropic API — Claude AI for threat assessment
   - NVD API Key — NIST National Vulnerability Database
   - CISA KEV — Known Exploited Vulnerabilities catalogue (public)
   - AlienVault OTX API — Open Threat Exchange pulses
   - Shodan API — Internet exposure checks
   - Airtable — Asset/software inventory
   - Google Sheets OAuth — Threat intelligence log
   - Slack OAuth — SOC alerts
   - Jira API — Incident ticket creation
   - SendGrid / SMTP — Security team email digests
3. Register your asset inventory in Airtable (hostnames, IPs, software, versions)
4. Set your risk score threshold (default: 65) in the filter node
5. Set your Slack SOC channel IDs
6. Configure downstream patch webhook URL
7. Activate the workflow

Sample Webhook Payload (On-Demand Scan)

```json
{
  "scanType": "targeted",
  "software": "Apache HTTP Server",
  "version": "2.4.51",
  "urgency": "high",
  "requestedBy": "soc-analyst@company.com"
}
```

Threat Sources Monitored

- NVD (NIST) — Full CVE database with CVSS v3.1 scores
- CISA KEV — Actively exploited vulnerabilities catalogue
- GitHub Security Advisories — Open source dependency vulnerabilities
- AlienVault OTX — Community threat intelligence pulses
- abuse.ch URLhaus — Malware distribution and C2 URLs
- Shodan — Internet-exposed asset enumeration
- EPSS — Exploit Prediction Scoring System probabilities

AI Assessment Dimensions

- CVSS Score — Base, temporal, and environmental scoring
- EPSS Probability — Likelihood of exploitation in the wild
- Asset Exposure — Internal vs external facing, attack surface
- Patch Availability — Vendor patch, workaround, or no fix status
- Active Exploitation — CISA KEV / OTX confirmation
- Business Impact — Confidentiality, integrity, availability impact
- Blast Radius — Number of affected assets and systems
- Urgency Score — Composite prioritisation score (0–100)

Features

- Multi-source CVE aggregation with deduplication
- Asset correlation against software/version inventory
- EPSS-weighted AI exploitability scoring
- Automated CRITICAL/HIGH/MEDIUM severity routing
- Jira ticket creation with full CVE context
- Patch management webhook integration
- Full threat intelligence audit log
- SIEM/SOAR-ready JSON output

Author: Oneclick AI Squad
Created: 3/1/2026
Updated: 4/12/2026