🎯 Threat Intelligence
======================
🛠️ Tool
Executive summary: A curated catalog of 100 n8n workflow ideas
targeting Red Team, Blue Team (SOC/DFIR/TI), AppSec/DevSecOps and
general platform security. Each entry maps a specific objective to
integrations and a node-level flow outline suitable for direct
implementation in n8n.
Technical scope and components: The collection spans reconnaissance
(subfinder, amass, DNSDB), active scanning (nmap, naabu, masscan),
telemetry enrichment (Shodan, Censys, GeoIP, AbuseIPDB), offensive
tooling orchestration (GoPhish, a custom IdP for lab-only credential
sprays), artifact lifecycle (S3/TimescaleDB/PostgreSQL), and C2/event
forwarding (Cobalt Strike/Havoc/Sliver webhooks). Flows consistently
use the common n8n primitives: Cron/Webhook triggers, Execute
Command/HTTP Request nodes, IF/Switch logic, database upserts, and
batching/merge nodes for scale.
Implementation considerations: Several ideas assume controlled lab
environments (credential spraying, EDR evasion tests, malicious macro
builders). The patterns emphasize separation of concerns:
scanning/extraction → enrichment → dedupe/persistence → alerting/issue
creation. Integrations call for credentials to be held in n8n's
credential store or an external secret store rather than in node
parameters, and for rate-limiting (Wait/delay nodes) so bursts of
enrichment lookups are not throttled by upstream services, which would
otherwise surface as missing or misleading results.
Detection and defensive value: For Blue Team use-cases, flows include
automated ingestion of C2 events, decoy link tracking with GeoIP and
reputation scoring, exfiltration simulation to cloud storage for DLP
tuning, and continuous attack-surface change detection that creates
tickets for new/changed hosts or open ports. These provide repeatable
pipelines for measurement and tuning of SOC detections.
Operational risks and guardrails: Several recipes are explicitly
offensive and must remain confined to testbeds. Logging and artifact
management recommendations include hashing artifacts at ingest,
storing evidence in immutable (write-once) buckets, and tagging DB
records with provenance (tool, run, time of collection) so that IR
workflows can establish what was collected, when, and by which flow.
Concluding assessment: This collection is a practical playbook for
security teams seeking to automate repetitive reconnaissance, testing
and monitoring tasks using n8n. It lowers implementation friction by
providing ready-to-adapt node sequences and integration patterns.
🔹 n8n #automation #subfinder #gophish #bookmark
🔗 Source: https://github.com/CyberSecurityUP/n8n-CyberSecurity-Workflows
GitHub - CyberSecurityUP/n8n-CyberSecurity-Workflows: Security automation with n8n ideas: 100+ Red/Blue/AppSec workflows, integrations, and ready-to-run playbooks.