FlowRunner
Pricing
Theme
The reality

The work that never stops

Your team lives in a queue that never empties. Phishing reports pile up in a shared mailbox. Access requests wait on someone to check the right group. New hires need provisioning today and leavers needed deprovisioning an hour ago. Every SIEM alert could be nothing or could be the one that matters, and the only way to know is to enrich it by hand across six consoles.

The tools are not the problem. You already run Okta or Entra, a SIEM, a case manager, threat intel, and a dozen others. The problem is the manual glue between them, and the fact that the risky work, the deprovision, the domain block, the privilege grant, is exactly the work you cannot hand to a script that does not know when to stop.

  • Phishing reports pile up in a shared mailbox.
  • Access requests wait on someone to check the right group.
  • New hires need provisioning today; leavers needed it an hour ago.
  • Every alert gets enriched by hand across six consoles.
  • The risky work is exactly what a blind script should not touch.
Automations

What you can automate

Each of these runs as a flow. The agent does the enrichment and the routine steps on its own. It stops and asks a human at the one point where a wrong move is expensive or irreversible. Every tool named here is a FlowRunner connector, built and verified against the vendor's official API.

  1. 01

    Phishing report triage

    Reports arrive investigated. The purge waits for a human.

    Trigger

    An employee reports a suspicious email, or one lands in the phishing mailbox.

    Agent

    The agent pulls the URLs and sender, detonates the links with urlscan.io, runs the indicators through your Cortex analyzers, correlates them against your MISP threat intel, and opens a TheHive case with the enriched observables and a provisional verdict.

    Human checkpoint

    Obvious spam it closes on its own. When the verdict is malicious and the blast radius is more than a handful of mailboxes, it stops before it purges the message org-wide or blocks the sender domain, and hands the fully-enriched case to the on-call analyst.

    Result

    Analysts stop triaging raw reports by hand and open cases that are already investigated, with the destructive step gated behind a human.

  2. 02

    Access provisioning for joiners

    Standard access is instant. Privileged access always has a name behind it.

    Trigger

    A new hire or an access request arrives from HR, your ITSM, or an intake form.

    Agent

    The agent checks the requested role against policy, resolves the right groups in Okta or Microsoft Entra, confirms the manager approval, and provisions standard birthright access.

    Human checkpoint

    Standard access goes through automatically. Anything privileged, an admin role, a production group, a security group, stops for an approver who sees the requester, the exact entitlement, and the justification before it is granted.

    Result

    Routine access is instant and consistent with policy; privileged access always has a named human behind it, captured in the audit trail.

  3. 03

    Offboarding the moment someone leaves

    Access is cut in one flow run. The destructive delete still waits.

    Trigger

    HR marks a departure, or an offboarding ticket fires.

    Agent

    The agent immediately runs the reversible containment: revoke active sessions and OAuth grants, disable SSO, and remove group memberships across Okta, Entra, and Google Workspace.

    Human checkpoint

    Full account deletion and mailbox or data reassignment are hard to undo, so the agent stages them and waits for IT to confirm rather than deleting on autopilot.

    Result

    The dangerous gap between a departure and cut access closes to the length of one flow run, without a destructive delete ever happening unsupervised.

  4. 04

    Alert triage and escalation

    Analysts get enriched cases, not raw alerts. Only real incidents page a person.

    Trigger

    A detection fires in Splunk, or a scheduled search crosses a threshold.

    Agent

    The agent enriches the alert, correlates the entities against recent activity and threat intel, sets a provisional severity, and opens or updates the case.

    Human checkpoint

    It pages the on-call engineer through PagerDuty only when confidence crosses the bar you set, and it never runs a production containment action until a human acknowledges.

    Result

    The queue of raw alerts becomes a short list of enriched, correlated cases. A real incident pages a person; noise does not.

  5. 05

    Access reviews and certification

    The review compiles itself. The revocations wait for a sign-off.

    Trigger

    A scheduled quarterly review, or an ad-hoc audit request.

    Agent

    The agent pulls entitlements across Okta, Entra, and Google Workspace, flags the anomalies, dormant admins, orphaned accounts, standing privileged access, and compiles the review package.

    Human checkpoint

    It proposes the revocations and waits. A reviewer signs off, and only then does the agent apply them, with every decision and approver written to the log.

    Result

    Access reviews stop being a spreadsheet marathon, and the sign-off plus the revocations come out audit-ready.

Why it is safe to automate

The pattern that makes it safe to automate

Security automation fails when a script does something it should not. FlowRunner's answer is the digital andon cord: the agent runs the line and pulls it the instant a step carries real consequence. It enriches, correlates, and stages the routine work on its own. Deactivating an account, blocking a domain, escalating a privilege, or erasing data on request always stops and routes to a person through the channel they already watch, with everything the agent found attached. Reversible containment happens immediately; the irreversible action waits for a human. That is the difference between automation your team trusts with production and automation it does not.

The digital andon cord →
Outcomes

What your team gets

Close the offboarding gap

Access is contained the moment someone leaves, in one flow run, instead of sitting in a ticket queue while a former employee still has a live session.

End alert fatigue

Analysts open enriched, correlated cases instead of raw alerts and reports. The routine triage is done before a human ever looks.

Consistent, policy-driven access

Every grant follows the same policy check and approval path, so provisioning stops depending on who picked up the ticket.

Audit-ready by default

Every access change and every decision is logged with the approver and a timestamp, so access reviews and audits pull from a record that already exists.

No unsupervised destructive actions

An agent never deletes an account, blocks a domain, or purges mail on its own. The consequential move always has a named human behind it.

No coverage gaps

The agent connects to the stack you already run, every connector verified against the vendor API, so there is no tool it cannot reach.

Controls

Built for security's requirements

The controls your own team would demand of any automation touching identity and access are native to the platform, not add-ons.

Complete audit trail

Every action, the user or agent that took it, the approver, and the timestamp, recorded and exportable for review.

RBAC and SSO/SAML

Role-based access to the platform itself, with SSO and SAML so your identity provider stays the source of truth.

Bring your own keys

Your model providers, your keys. Inference runs on credentials you control, and you pay the provider directly.

Self-hosted option

Deploy inside your own infrastructure so sensitive identity and security data never leaves your environment.

The stack

The complete SOC and identity stack

Identity providers, directories, threat intelligence, case management, detonation, and posture scoring, from Okta and Microsoft Entra to MISP, TheHive, Cortex, and urlscan. Every connector is built and verified against the vendor's official API, so an agent calls it the way the vendor's API actually allows.

Every connector verified against each vendor's official API.

Put your security operations on autopilot, safely

$100 in credits. No card required. Every integration here is built and verified against the vendor's official API, with a human in the loop where it counts.