FlowRunner for security teams
Automate the identity, triage, and response work that eats your team's day, with an agent that runs the investigation and a human who owns every action that changes access or cannot be undone.
The work that never stops
Your team lives in a queue that never empties. Phishing reports pile up in a shared mailbox. Access requests wait on someone to check the right group. New hires need provisioning today and leavers needed deprovisioning an hour ago. Every SIEM alert could be nothing or could be the one that matters, and the only way to know is to enrich it by hand across six consoles.
The tools are not the problem. You already run Okta or Entra, a SIEM, a case manager, threat intel, and a dozen others. The problem is the manual glue between them, and the fact that the risky work, the deprovision, the domain block, the privilege grant, is exactly the work you cannot hand to a script that does not know when to stop.
- Phishing reports pile up in a shared mailbox.
- Access requests wait on someone to check the right group.
- New hires need provisioning today; leavers needed it an hour ago.
- Every alert gets enriched by hand across six consoles.
- The risky work is exactly what a blind script should not touch.
What you can automate
Each of these runs as a flow. The agent does the enrichment and the routine steps on its own. It stops and asks a human at the one point where a wrong move is expensive or irreversible. Every tool named here is a FlowRunner connector, built and verified against the vendor's official API.
-
Reports arrive investigated. The purge waits for a human.
TriggerAn employee reports a suspicious email, or one lands in the phishing mailbox.
AgentThe agent pulls the URLs and sender, detonates the links with urlscan.io, runs the indicators through your Cortex analyzers, correlates them against your MISP threat intel, and opens a TheHive case with the enriched observables and a provisional verdict.
Human checkpointObvious spam it closes on its own. When the verdict is malicious and the blast radius is more than a handful of mailboxes, it stops before it purges the message org-wide or blocks the sender domain, and hands the fully-enriched case to the on-call analyst.
ResultAnalysts stop triaging raw reports by hand and open cases that are already investigated, with the destructive step gated behind a human.
-
Standard access is instant. Privileged access always has a name behind it.
TriggerA new hire or an access request arrives from HR, your ITSM, or an intake form.
AgentThe agent checks the requested role against policy, resolves the right groups in Okta or Microsoft Entra, confirms the manager approval, and provisions standard birthright access.
Human checkpointStandard access goes through automatically. Anything privileged, an admin role, a production group, a security group, stops for an approver who sees the requester, the exact entitlement, and the justification before it is granted.
ResultRoutine access is instant and consistent with policy; privileged access always has a named human behind it, captured in the audit trail.
-
Access is cut in one flow run. The destructive delete still waits.
TriggerHR marks a departure, or an offboarding ticket fires.
AgentThe agent immediately runs the reversible containment: revoke active sessions and OAuth grants, disable SSO, and remove group memberships across Okta, Entra, and Google Workspace.
Human checkpointFull account deletion and mailbox or data reassignment are hard to undo, so the agent stages them and waits for IT to confirm rather than deleting on autopilot.
ResultThe dangerous gap between a departure and cut access closes to the length of one flow run, without a destructive delete ever happening unsupervised.
-
Analysts get enriched cases, not raw alerts. Only real incidents page a person.
TriggerA detection fires in Splunk, or a scheduled search crosses a threshold.
AgentThe agent enriches the alert, correlates the entities against recent activity and threat intel, sets a provisional severity, and opens or updates the case.
Human checkpointIt pages the on-call engineer through PagerDuty only when confidence crosses the bar you set, and it never runs a production containment action until a human acknowledges.
ResultThe queue of raw alerts becomes a short list of enriched, correlated cases. A real incident pages a person; noise does not.
-
The review compiles itself. The revocations wait for a sign-off.
TriggerA scheduled quarterly review, or an ad-hoc audit request.
AgentThe agent pulls entitlements across Okta, Entra, and Google Workspace, flags the anomalies, dormant admins, orphaned accounts, standing privileged access, and compiles the review package.
Human checkpointIt proposes the revocations and waits. A reviewer signs off, and only then does the agent apply them, with every decision and approver written to the log.
ResultAccess reviews stop being a spreadsheet marathon, and the sign-off plus the revocations come out audit-ready.
The pattern that makes it safe to automate
Security automation fails when a script does something it should not. FlowRunner's answer is the digital andon cord: the agent runs the line and pulls it the instant a step carries real consequence. It enriches, correlates, and stages the routine work on its own. Deactivating an account, blocking a domain, escalating a privilege, or erasing data on request always stops and routes to a person through the channel they already watch, with everything the agent found attached. Reversible containment happens immediately; the irreversible action waits for a human. That is the difference between automation your team trusts with production and automation it does not.
The digital andon cord →What your team gets
Close the offboarding gap
Access is contained the moment someone leaves, in one flow run, instead of sitting in a ticket queue while a former employee still has a live session.
End alert fatigue
Analysts open enriched, correlated cases instead of raw alerts and reports. The routine triage is done before a human ever looks.
Consistent, policy-driven access
Every grant follows the same policy check and approval path, so provisioning stops depending on who picked up the ticket.
Audit-ready by default
Every access change and every decision is logged with the approver and a timestamp, so access reviews and audits pull from a record that already exists.
No unsupervised destructive actions
An agent never deletes an account, blocks a domain, or purges mail on its own. The consequential move always has a named human behind it.
No coverage gaps
The agent connects to the stack you already run, every connector verified against the vendor API, so there is no tool it cannot reach.
Built for security's requirements
The controls your own team would demand of any automation touching identity and access are native to the platform, not add-ons.
Complete audit trail
Every action, the user or agent that took it, the approver, and the timestamp, recorded and exportable for review.
RBAC and SSO/SAML
Role-based access to the platform itself, with SSO and SAML so your identity provider stays the source of truth.
Bring your own keys
Your model providers, your keys. Inference runs on credentials you control, and you pay the provider directly.
Self-hosted option
Deploy inside your own infrastructure so sensitive identity and security data never leaves your environment.
The complete SOC and identity stack
Identity providers, directories, threat intelligence, case management, detonation, and posture scoring, from Okta and Microsoft Entra to MISP, TheHive, Cortex, and urlscan. Every connector is built and verified against the vendor's official API, so an agent calls it the way the vendor's API actually allows.
Every connector verified against each vendor's official API.
Put your security operations on autopilot, safely
$100 in credits. No card required. Every integration here is built and verified against the vendor's official API, with a human in the loop where it counts.