{"catalog":{"last_reviewed":"2026-05-05","market_signals":[{"date":"2025-07-21","signal":"Security teams increasingly expect scanner outputs to land in a common interchange format, which makes browser-side SARIF and JSON normalization a practical baseline instead of a niche feature.","source":"Harness STO SARIF ingestion","url":"https://developer.harness.io/docs/security-testing-orchestration/custom-scanning/ingest-sarif-data"},{"date":"2026-02-26","signal":"Enterprises now expect large governed integration catalogs with change detection, version pinning, and audit logging.","source":"Airia MCP Gateway","url":"https://airia.com/airias-mcp-gateway-surpasses-1000-pre-configured-integrations-delivering-the-largest-enterprise-ready-mcp-catalog/"},{"date":"2026-01-28","signal":"Security marketplaces now treat version history plus required and optional pack dependencies as first-class operating constraints, which supports explicit pack governance and dependency health in the browser marketplace.","source":"Cortex XSOAR content pack installation","url":"https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Administrator-Guide/Content-Pack-Installation"},{"date":"2026-04-29","signal":"Security teams want AI investigation and remediation surfaces that can slot into existing pipelines instead of forcing a greenfield workflow.","source":"Command Zero APIs + MCP","url":"https://www.prnewswire.com/news-releases/command-zero-accelerates-secops-pipelines-with-apis-and-mcp-server-302755893.html"},{"date":"2026-04-29","signal":"AI is now core operational infrastructure, 2026 is the year of integration, and agents plus MCP servers have become a new control-plane attack surface that needs explicit governance.","source":"Wiz State of AI in the Cloud 2026","url":"https://www.wiz.io/reports/state-of-ai-in-the-cloud-2026"},{"date":"2026-01-28","signal":"Security teams still spend large amounts of time on repetitive manual work, which increases the value of normalized report bundles and reusable workflow templates that fit existing handoff systems.","source":"Tines Voice of Security 2026","url":"https://www.tines.com/downloads/Tines-Voice-Of-Security-2026-Report.pdf"},{"date":"2026-04-08","signal":"APIs, MCP servers, and data access now form one attack surface, so scan/report/output contracts need to be explicit and inspectable.","source":"Salt Security 1H 2026 report","url":"https://www.prnewswire.com/news-releases/salt-security-research-as-ai-agents-outpace-security-most-organizations-face-an-unsecured-api-surge-302736506.html"},{"date":"2026-03-06","signal":"The browser is a meaningful AI operating surface, which supports a client-side BYO-token model but requires clear guardrails around extensions, personal accounts, and data egress.","source":"2026 State of Browser Security","url":"https://www.scworld.com/brief/2026-state-of-browser-security-report-highlights-ai-integration-and-evolving-threats"},{"date":"2026-05-04","signal":"Public and private reusable templates are now a product baseline, which supports private local pack labs before public contribution.","source":"Tines templates docs","url":"https://explained.tines.com/en/articles/12709787-templates-in-tines"},{"date":"2026-05-04","signal":"Security platforms now treat report templates as importable and exportable JSON artifacts, which supports making report profiles first-class browser-authored marketplace contracts instead of leaving output shape hard-coded.","source":"Cortex XDR report templates","url":"https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-5.x-Documentation/Run-or-schedule-reports"},{"date":"2026-01-15","signal":"Security Copilot now exposes explicit export contracts for prompts, responses, and sessions, which supports treating browser-local session packs and report handoffs as durable artifacts instead of disposable UI state.","source":"Microsoft Security Copilot Export Activity API","url":"https://learn.microsoft.com/en-us/copilot/security/activity-export-api"},{"date":"2026-05-04","signal":"Security operators expect integration and workflow bundles to be contributed, reviewed, and optionally downloaded for Git-backed submission rather than authored only in a vendor-managed marketplace.","source":"Cortex XSOAR content pack contributions","url":"https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.10/Cortex-XSOAR-On-prem-Documentation/Content-pack-contributions"},{"date":"2026-05-05","signal":"Cortex XSOAR still exposes direct incident creation with API key plus x-xdr-auth-id headers and a createInvestigation switch, which supports a BYO-token browser route instead of keeping XSOAR at starter-contract status.","source":"Cortex XSOAR create or update incident API","url":"https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR-8-API/Create-or-update-an-incident"},{"date":"2025-09-02","signal":"Splunk SOAR still documents ph-auth-token authentication together with POST /rest/container, which keeps a BYO-token browser container route feasible for reviewed remediation and incident packets.","source":"Using the Splunk SOAR REST API","url":"https://help.splunk.com/en/splunk-soar/soar-on-premises/rest-api-reference/6.4.0/using-the-splunk-soar-rest-api/using-the-rest-api-reference-for-splunk-soar-on-premises"},{"date":"2026-05-04","signal":"Custom integration builders now expose auth parameters, documentation links, and test setup as first-class authoring inputs, which supports adding a browser-side input/output pack studio instead of hard-coding only vendor-owned routes.","source":"Torq integration builder docs","url":"https://kb.torq.io/en/articles/10662506-integration-builder-create-custom-integrations"},{"date":"2026-04-12","signal":"Marketplace contribution systems now treat validation as part of authoring, including pre-submit checks and exportable raw error details, which supports schema-backed browser validation before a SecurityRecipes marketplace PR.","source":"Cortex XSOAR content validation","url":"https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.10/Cortex-XSOAR-On-prem-Documentation/Content-pack-contributions"},{"date":"2026-05-04","signal":"Modern security workbenches treat cases as the place to collect investigation context, metrics, attachments, and external escalations, which supports adding a browser-local Caseboard instead of leaving runs stranded as one-off prompts.","source":"Elastic Security cases docs","url":"https://www.elastic.co/docs/solutions/security/investigate/security-cases"},{"date":"2026-04-26","signal":"Incident handling products continue to emphasize an audit trail of automatic and manual actions inside each investigation, which supports capturing browser-run timelines and delivery events as first-class local case history.","source":"Cortex XSOAR War Room docs","url":"https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-SaaS-Documentation/Use-the-War-Room-in-an-investigation"},{"date":"2026-04-27","signal":"Major SecOps workbenches keep automatic and manual actions tied to one incident-local audit trail, which supports surfacing saved-case handoff drift and revalidation work directly inside the browser case and report surfaces.","source":"Cortex XSIAM War Room docs","url":"https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Documentation/Use-the-War-Room-in-an-investigation"},{"date":"2026-05-04","signal":"SecOps platforms still differentiate on giving analysts one place to review the chronology, evidence, and task context of an investigation, which supports making SecurityRecipes feel like a complete application rather than just a chat surface.","source":"Microsoft Sentinel incident investigation docs","url":"https://learn.microsoft.com/en-us/azure/sentinel/incident-investigation"},{"date":"2026-03-23","signal":"Security platforms are increasingly collapsing alerts, investigations, workflows, and response into one surface, which supports treating portable case libraries and replayable run context as first-class application primitives instead of disposable chat output.","source":"Elastic Workflows launch","url":"https://www.elastic.co/blog/workflows-soar"},{"date":"2026-05-04","signal":"Exposure-management platforms now differentiate by correlating findings across tools, removing alert silos, and turning prioritized risk into owner-ready action, which supports adding a browser-local Exposure Board on top of the existing scanner and case primitives.","source":"Wiz Exposure Management","url":"https://www.wiz.io/solutions/exposure-management"},{"date":"2026-05-04","signal":"Attack-surface and exposure products now explicitly promise business-impact and owner-aware prioritization, which supports adding a browser-local asset and ownership layer instead of leaving queue items detached from the team that should fix them.","source":"Wiz ASM","url":"https://www.wiz.io/solutions/asm"},{"date":"2025-09-08","signal":"Critical-asset programs now combine cyber-role, production context, and system importance to drive prioritization, which supports capturing local asset criticality and environment metadata alongside browser-first remediation queues.","source":"Microsoft Security Exposure Management critical assets","url":"https://learn.microsoft.com/en-us/security-exposure-management/classify-critical-assets"},{"date":"2025-01-13","signal":"Exposure programs now expose state, progress, affected assets, weighted impact, and linked recommendations in one scored initiative view, which supports deriving a browser-local portfolio coverage score and gap snapshot instead of leaving service maps as passive reference data.","source":"Microsoft Security Exposure Management initiative metrics","url":"https://learn.microsoft.com/en-gb/security-exposure-management/security-metrics"},{"date":"2026-05-04","signal":"Mature SecOps tools now bulk-import criticality from inventory files and enrich downstream alerts with that context, which supports schema-backed browser import/export for asset ownership and criticality libraries.","source":"Elastic asset criticality","url":"https://www.elastic.co/docs/solutions/security/advanced-entity-analytics/asset-criticality"},{"date":"2026-05-04","signal":"Risk engines increasingly combine alerts and asset criticality into a recurring service or entity score, which supports adding portfolio coverage scoring that blends exposure queue state, owner gaps, and route readiness inside the browser workbench.","source":"Elastic entity risk scoring","url":"https://www.elastic.co/docs/solutions/security/advanced-entity-analytics/entity-risk-scoring"},{"date":"2026-03-12","signal":"Service mapping products now expect application services to be derived from related hosts, traffic, and dependency context, which supports adding lightweight browser-local portfolio and relationship fields instead of treating every asset as an isolated record.","source":"ServiceNow CMDB-based mapping","url":"https://www.servicenow.com/docs/r/it-operations-management/service-mapping/cmdb-based-mapping.html"},{"date":"2026-03-12","signal":"Application-service maps now explicitly model service-to-service dependencies for impact monitoring, which supports deriving dependency fan-out and downstream blast radius from linked browser-local portfolios instead of only scoring each service in isolation.","source":"ServiceNow link application services","url":"https://www.servicenow.com/docs/r/servicenow-platform/configuration-management-database-cmdb/link-services-to-services.html"},{"date":"2026-05-04","signal":"Asset-management surfaces now emphasize linking incidents and changes to the relationships between applications, services, infrastructure, and dependencies, which supports surfacing a portfolio-aware service map directly in the browser workbench.","source":"Atlassian Assets","url":"https://support.atlassian.com/assets/docs/what-is-assets-in-jira-service-management-cloud/"},{"date":"2025-09-15","signal":"Exposure-management platforms continue to differentiate on exploring asset connections, critical paths, and choke points in one map view, which supports adding dependency-aware route coverage and fan-out analytics to the browser Router instead of only listing flat queue counts.","source":"Microsoft Security Exposure Management attack surface map","url":"https://learn.microsoft.com/en-us/security-exposure-management/enterprise-exposure-map"},{"date":"2026-05-04","signal":"Mainstream SecOps tools now centralize trigger, condition, owner-assignment, severity-change, and playbook-routing logic in one automation layer, which supports adding browser-local routing policies instead of leaving downstream handling fully manual.","source":"Microsoft Sentinel automation rules","url":"https://learn.microsoft.com/en-us/azure/sentinel/automate-incident-handling-with-automation-rules"},{"date":"2026-05-04","signal":"Security workflow surfaces now explicitly combine automatic response, case creation, severity-based notification routing, and AI-assisted investigation, which supports treating routing defaults as a first-class control-plane layer between exposures, cases, and downstream outputs.","source":"Elastic security workflows","url":"https://www.elastic.co/docs/explore-analyze/workflows/use-cases/security"},{"date":"2026-05-04","signal":"Mainstream workflow platforms expose runtime state, input and output values, and execution logs in a dedicated audit view, which supports surfacing routing match reasons, default injection, and readiness blockers directly in the browser planner.","source":"ServiceNow flow execution details","url":"https://www.servicenow.com/docs/r/build-workflows/workflow-studio/flow-execution-details.html?contentId=TQmEZT4017Q7XcTIkebtNA"},{"date":"2026-05-04","signal":"Tines now explicitly positions deterministic workflows as the right surface for triage, routing, and explainability, which supports adding a first-class routing audit layer instead of treating browser-local policy matches as hidden background logic.","source":"Tines intelligent workflow platform","url":"https://www.tines.com/"},{"date":"2026-03-18","signal":"Security AI platforms now expose plugin and tool catalogs directly to operators, including enablement state and purchased capabilities, which supports a public readiness matrix instead of burying integration prerequisites inside hidden setup flows.","source":"Microsoft Security Copilot plugins overview","url":"https://learn.microsoft.com/en-us/copilot/security/plugin-overview"},{"date":"2026-03-18","signal":"Security AI products now surface reusable promptbooks and role-based starting flows directly from the home experience, which supports adding a first-class mission-control layer instead of hiding daily work behind separate tabs.","source":"Microsoft Security Copilot prompting and promptbooks","url":"https://learn.microsoft.com/en-us/copilot/security/prompting-security-copilot"},{"date":"2025-11-25","signal":"Exposure-management products now document explicit freshness windows and current-snapshot retention for connector-driven graph data, which supports showing stale-source warnings and navigator refresh actions instead of assuming imported context stays trustworthy forever.","source":"Microsoft Security Exposure Management prerequisites","url":"https://learn.microsoft.com/en-us/security-exposure-management/prerequisites"},{"date":"2026-01-07","signal":"Modern SecOps consoles now centralize failed sources, ingestion health, and remediation context in one health surface, which supports combining source recovery, freshness, and daily-ops triage inside the navigator.","source":"Google SecOps Health Hub","url":"https://docs.cloud.google.com/chronicle/docs/reports/data-health-monitoring-and-troubleshooting-dashboard"},{"date":"2026-05-02","signal":"AI security workflows now routinely combine scheduled discoveries, saved review state, status changes, and connector-aware notifications in one operating surface, which supports promoting SecurityRecipes from isolated panels into a browser-local mission board.","source":"Elastic Attack Discovery","url":"https://www.elastic.co/docs/solutions/security/ai/attack-discovery"},{"date":"2026-05-04","signal":"GitLab still exposes direct project issue creation with URL-encoded project paths and token-authenticated API access, which makes a browser-first BYO-token issue route feasible without inventing a separate relay product.","source":"GitLab Issues API","url":"https://docs.gitlab.com/api/issues/"},{"date":"2026-05-05","signal":"GitLab still exposes project metadata through ID or URL-encoded path, project merge requests through the REST API, and project vulnerability findings through an authenticated but unstable REST surface that GitLab recommends treating as bounded and GraphQL-adjacent. That keeps browser-side GitLab intake viable, but it should stay explicitly sampled and reviewer-visible.","source":"GitLab Projects, Merge Requests, and Vulnerability Findings APIs","url":"https://docs.gitlab.com/api/projects/"},{"date":"2026-05-04","signal":"Azure DevOps continues to recommend Microsoft Entra tokens for production while still documenting PATs as simple auth and the Work Item Tracking create endpoint as JSON Patch, which supports a browser-local BYO-token route that remains `live_or_copy` rather than pretending every tenant should allow direct writes.","source":"Azure DevOps REST auth and work item create docs","url":"https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/rest/samples?view=azure-devops"},{"date":"2026-05-01","signal":"Microsoft now treats Azure DevOps public projects as retired and says remaining public projects convert to private in 2027, which reinforces an authenticated browser-side enterprise intake model instead of designing around anonymous repository access.","source":"Azure DevOps public projects retirement","url":"https://learn.microsoft.com/en-us/azure/devops/organizations/projects/public-projects-retirement?view=azure-devops"},{"date":"2026-05-01","signal":"Microsoft now treats process-log visibility during response generation as a first-class operator surface, which supports exposing browser-local AI run chronology instead of leaving provider actions opaque.","source":"Microsoft Security Copilot prompting","url":"https://learn.microsoft.com/en-us/copilot/security/prompting-security-copilot"},{"date":"2025-12-05","signal":"Security Copilot now exposes a dedicated History view plus process logs in the main workflow, which supports making Navigator carry both local session history and current operational context.","source":"Microsoft Security Copilot navigation","url":"https://learn.microsoft.com/en-us/copilot/security/navigating-security-copilot"},{"date":"2026-03-04","signal":"Cortex XSOAR continues to frame incident investigation as one place to review status, timeline, and escalations together, which supports exporting grouped browser-local investigation sessions instead of leaving only isolated event records.","source":"Cortex XSOAR incident management","url":"https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/Incident-Management"},{"date":"2026-01-16","signal":"Microsoft explicitly frames prompt, response, and activity metadata as audit artifacts, which supports giving the browser workbench a portable operations-history contract instead of treating AI work as disposable UI state.","source":"Microsoft Security Copilot audit log","url":"https://learn.microsoft.com/en-us/copilot/security/audit-log"},{"date":"2026-04-26","signal":"Cortex XSOAR continues to position the investigation timeline as the place to document automatic and manual actions in one source, which reinforces adding a browser-local SecOps chronology on top of chat, cases, and routes.","source":"Cortex XSOAR War Room","url":"https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-SaaS-Documentation/Use-the-War-Room-in-an-investigation"},{"date":"2026-05-05","signal":"Elastic now treats AI discoveries as saved artifacts for later review, reporting, tracking, and search/filter workflows, which supports adding a filterable replay-friendly operations ledger instead of limiting browser history to a short recent list.","source":"Elastic Attack Discovery saved discoveries","url":"https://www.elastic.co/docs/solutions/security/ai/attack-discovery"},{"date":"2025-10-20","signal":"Microsoft now exposes plugin state filters and per-plugin personalization settings such as default Sentinel workspaces, which supports treating launch-readiness and connector defaults as a first-class operator surface instead of burying them behind scattered setup forms.","source":"Use plugins in Microsoft Security Copilot","url":"https://learn.microsoft.com/en-us/copilot/security/use-plugins"},{"date":"2026-03-18","signal":"Microsoft now frames discovering agents, configuring plugins, and reviewing agent success as one workflow, which supports adding a planner-side readiness gate before analysts generate a run or attempt downstream delivery.","source":"Microsoft Security Copilot in your workflows","url":"https://learn.microsoft.com/en-us/copilot/security/workflows-overview"}],"positioning":{"browser_model":"Provider credentials, connector settings, and selected workflow state stay in browser storage. Recipes and marketplace templates are open Hugo content. Live API calls are explicit and same-origin or direct-to-provider/direct-to-approved-SaaS APIs from the browser.","contribution_model":"Marketplace entries are Hugo data files and docs content so teams can fork, contribute, review, and publish new channels and workflows through normal pull requests.","name":"SecurityRecipes client-side marketplace","summary":"A BYO-token browser control plane for AI security work: connect GitHub, GitLab, Azure DevOps, local scan artifacts, Snyk issues, Defender XDR incidents, Sentinel incidents, DefectDojo findings, Tenable exports, CrowdStrike detections, Prisma Cloud alerts, Security Hub findings, Confluence runbooks, and recipe context; surface source freshness, classify source failures, refresh browser-safe sources inline, and route manual uploads back to local setup before the next run; surface navigator mission-control cards for due schedules, queue head, source issues, open cases, portfolio gaps, and saved-case handoff drift; export a browser-local daily ops brief as markdown or JSON; keep a browser-local operations ledger for source syncs, chat sessions, agent runs, case actions, and report exports; group correlated source pulls, AI runs, case captures, and handoff exports into browser-local investigation sessions; filter the ledger by category, state, or free-text; inspect either one record or one grouped session as JSON; and jump back into the linked browser surface without leaving the navigator; register browser-local assets, owner teams, criticality, service portfolios, and lightweight asset relationships; turn imported findings into a prioritized browser-local Exposure Board; roll related repositories, services, APIs, and data stores into a portfolio-aware service map; score each service portfolio by owner coverage, case coverage, routing coverage, and live-delivery blockers; open a Reports desk that can seed a normalized handoff packet from a saved case, exposure queue item, or grouped investigation session; generate normalized reports with both current handoff readiness and source-case readiness provenance, and compare the current handoff context to the captured run before anything is routed downstream; hand results to downstream systems like Teams, ServiceNow, Linear, GitLab, Azure DevOps, Splunk, Elastic, PagerDuty, Google Chat, Cortex XSOAR, IBM SOAR, Sentinel playbooks, or custom webhooks without server-side secret storage; author private workflow, report, or integration packs locally with schema-backed validation; carry versioned pack governance, docs linkage, review cadence, and explicit pack dependencies alongside those contracts; capture reviewed runs as reusable browser-local case files with evidence timeline, replayable planner state, and captured launch-readiness provenance; author owner-aware and portfolio-aware routing policies that prefill downstream routes, approvals, and ticket metadata; inspect auditable routing analysis that shows which policy matched, which defaults were recommended, and where the planner still diverges before anything leaves the browser; audit the active planner for missing provider credentials, target-scope gaps, stale evidence, workflow-pack blockers, and route prerequisites before a run is generated; export portfolio coverage evidence alongside normalized report bundles so downstream review can see which services are still unrouted or only handoff-ready; and move validated case, asset, routing, marketplace, operations-history, or operations-session libraries between browser profiles before contributing anything back to Hugo."},"schema_version":"1.0","strategic_tracks":[{"id":"appsec-code-intake","label":"AppSec and code intake","market_signal_sources":["Harness STO SARIF ingestion","GitLab Projects, Merge Requests, and Vulnerability Findings APIs","Microsoft Security Copilot plugins overview"],"next_focus":["Promote GitHub code scanning and at least one dedicated AppSec platform feed from reviewed starter contract to browser-live intake.","Keep SARIF as the universal fallback when vendor APIs, scopes, or CORS policies block direct browser pulls."],"pack_ids":["github-code-scanning-alerts","gitlab-vulnerability-findings","semgrep-appsec-findings","sonarqube-issues","checkmarx-one-findings","veracode-findings","sarif-manual-import"],"priority":"now","summary":"Close the major AppSec intake gaps so the browser planner can start from first-party scanner state instead of only manual uploads and generic artifacts."},{"id":"cloud-exposure-intake","label":"Cloud and exposure intake","market_signal_sources":["Wiz State of AI in the Cloud 2026","Salt Security 1H 2026 report","Microsoft Security Exposure Management prerequisites"],"next_focus":["Group posture, runtime, and API-exposure evidence into one normalized queue so portfolios and cases stop depending on one vendor at a time.","Keep cloud-provider starter packs honest about request signing and delegated auth until the browser flow is proven end to end."],"pack_ids":["wiz-findings-api","security-hub-api","aws-inspector-findings","prisma-cloud-alerts","orca-security-alerts","lacework-alerts","google-cloud-scc-findings"],"priority":"now","summary":"Make cloud posture, CNAPP, and exposure feeds feel native by covering the attack-surface and runtime platforms that security teams already triage every day."},{"id":"secops-detection-intake","label":"SecOps detection intake","market_signal_sources":["Google SecOps Health Hub","Elastic Attack Discovery","2026 State of Browser Security"],"next_focus":["Promote one non-Microsoft detection feed to live browser pull so the queue is clearly multi-platform rather than Microsoft-centric.","Use freshness and queue-state labels to show when a detection feed is sampled, stale, or only available through a starter contract."],"pack_ids":["microsoft-defender-xdr-incidents","microsoft-sentinel-incidents","crowdstrike-detections","tenable-vulnerability-management","rapid7-insightvm-vulnerabilities"],"priority":"next","summary":"Broaden detection and vulnerability intake beyond Microsoft so the queue proves it is usable for MSSP, IR, and enterprise operations teams with mixed stacks."},{"id":"orchestration-and-delivery","label":"Orchestration and delivery","market_signal_sources":["Cortex XSOAR content pack contributions","Cortex XSOAR create or update incident API","Using the Splunk SOAR REST API","Torq integration builder docs","Tines templates docs","Tines intelligent workflow platform"],"next_focus":["Build on the live Tines, Torq, Cortex XSOAR, and Splunk SOAR routes by promoting Swimlane or IBM SOAR next so the browser workbench covers both container and case-record handoff patterns.","Keep route-specific payload shaping and copy-safe handoff packets first-class so blocked writes do not collapse the operator workflow."],"pack_ids":["jira-ticket","servicenow-incident","gitlab-issue","azure-devops-work-item","cortex-xsoar-incident","ibm-soar-incident","microsoft-sentinel-playbook","tines-webhook","torq-webhook","splunk-soar-incident","swimlane-case","pagerduty-events-v2"],"priority":"now","summary":"Meet the baseline expectation that a security workbench can hand reviewed output into the ticketing, SOAR, and workflow systems already running the team."}]},"feeds":{"catalog":"/marketplace-catalog.json","input_channels":"/marketplace-input-channels.json","manifest":"/marketplace-control-plane.json","output_channels":"/marketplace-output-channels.json","readiness":"/marketplace-readiness.json","report_profiles":"/marketplace-report-profiles.json","workflow_templates":"/marketplace-workflow-templates.json"},"generated_at":"2026-05-06T06:25:45Z","input_channels":{"channels":[{"auth_modes":["none"],"category":"Local browser context","config":{"include_headings":true,"include_matches":true,"max_chars":4200,"source":"active_document","type":"page_context"},"description":"Sends the current page title, headings, and bounded body text to the model.","id":"page-context","label":"Current page context","runtime_support":"live","status":"native"},{"auth_modes":["none"],"category":"Local browser context","config":{"sections":["prompt-library","security-remediation","automation","docs"],"source":"/recipes-index.json","top_k":5,"type":"recipes_index"},"description":"Searches the generated recipe index and attaches the most relevant docs, prompts, and remediation pages.","id":"recipe-index","label":"SecurityRecipes search index","runtime_support":"live","status":"native"},{"auth_modes":["public","pat","oauth"],"category":"Code and findings sources","config":{"include":["readme","security","contributing","manifests","issues","pull_requests"],"max_chars_per_file":1600,"max_files":18,"repository":"owner/repo","type":"github_repository"},"description":"Pulls bounded public or authenticated GitHub repo metadata, manifest files, open issues, and pull requests.","id":"github-repository","label":"GitHub repository context","runtime_support":"live","status":"native"},{"auth_modes":["public","pat","oauth"],"category":"Code and findings sources","config":{"include":["sbom_packages","advisories","cvss","aliases"],"max_advisories":12,"max_packages":40,"repository":"owner/repo","type":"deps_dev_lookup"},"description":"Checks public GitHub Dependency Graph SBOM packages against deps.dev advisory metadata.","id":"deps-dev-advisories","label":"deps.dev advisory context","runtime_support":"live","status":"native"},{"auth_modes":["public","pat","oauth"],"category":"Code and findings sources","config":{"base_url":"https://gitlab.com/api/v4","include":["project","readme","default_branch","issues","merge_requests","vulnerability_findings"],"max_items":20,"project":"group/project","type":"gitlab_project_context"},"description":"Pulls bounded GitLab project metadata, useful repository files, open issues, and open merge requests directly in the browser for GitLab-centered remediation work.","id":"gitlab-project-context","label":"GitLab project context","runtime_support":"live","status":"native"},{"auth_modes":["oauth","pat"],"category":"Code and findings sources","config":{"api_version":"7.1","base_url":"https://dev.azure.com","include":["repository","default_branch","readme","security","contributing","manifests","pull_requests","work_items"],"max_chars_per_file":1600,"max_files":18,"organization":"example-org","project":"security-platform","repository":"payments-api","type":"azure_devops_repository"},"description":"Pulls bounded Azure DevOps repository metadata, useful repo files, active pull requests, and recent open work items directly in the browser for remediation planning.","id":"azure-devops-repository","label":"Azure DevOps repository context","runtime_support":"live","status":"native"},{"auth_modes":["none"],"category":"Scanner findings","config":{"accepted_formats":["sarif-2.1.0-json"],"expected_files":["findings.sarif.json"],"normalization":{"max_results":250,"severity_map":"sarif_default"},"required_fields":["runs[].tool.driver.name","runs[].results[].ruleId","runs[].results[].level"],"source":"local_file","type":"sarif_bundle"},"description":"Uploads a local SARIF 2.1.0 file in the browser, normalizes the findings, and attaches a bounded summary to prompts and agent runs.","id":"sarif-manual-import","label":"SARIF upload","runtime_support":"live","status":"native"},{"auth_modes":["none"],"category":"Scanner findings","config":{"accepted_formats":["cyclonedx-json","spdx-json"],"format_markers":["bomFormat=CycloneDX","spdxVersion"],"normalization":{"infer_ecosystem":true,"max_components":5e3},"source":"local_file","type":"sbom_bundle"},"description":"Uploads a local CycloneDX or SPDX JSON SBOM in the browser and attaches a bounded package, dependency, and vulnerability summary to prompts.","id":"sbom-manual-import","label":"SBOM upload","runtime_support":"live","status":"native"},{"auth_modes":["none"],"category":"Scanner findings","config":{"accepted_formats":["aws-security-hub-asff","tenable-vulnerability-export","defectdojo-findings-json","generic-findings-array-json"],"normalization":{"max_files":12,"max_findings":1500,"max_sample_findings":12},"source":"local_file","type":"scanner_export_bundle"},"description":"Uploads major scanner and findings-platform JSON exports in the browser, normalizes them into a bounded summary, and feeds the exposure queue plus downstream reports without any server-side secret handling.","id":"scanner-export-bundle","label":"Major scanner JSON exports","runtime_support":"live","status":"native"},{"auth_modes":["api_key","oauth"],"category":"Scanner findings","config":{"base_url":"https://api.us1.app.wiz.io/graphql","filters":{"severity":["CRITICAL","HIGH"],"status":["OPEN"]},"pagination":{"page_size":100},"scopes":["issues:read"],"type":"wiz_findings"},"description":"Pre-populated browser-side config for pulling cloud and workload findings from Wiz when a customer enables direct API access.","id":"wiz-findings-api","label":"Wiz findings API","runtime_support":"planned","status":"template"},{"auth_modes":["api_token"],"category":"Scanner findings","config":{"base_url":"https://api.snyk.io/rest","filters":{"effective_severity_level":["high","critical"],"status":["open"]},"type":"snyk_issues","version":"2024-10-15"},"description":"Pulls a bounded first page of high-priority Snyk organization issues directly in the browser for scanner-aware triage and remediation planning.","id":"snyk-issues-api","label":"Snyk issues API","runtime_support":"live","status":"native"},{"auth_modes":["aws_sigv4"],"category":"Scanner findings","config":{"filters":{"RecordState":["ACTIVE"],"SeverityLabel":["HIGH","CRITICAL"]},"region":"us-east-1","type":"aws_security_hub"},"description":"Config profile for pulling ASFF findings into remediation reports and downstream workflow packs.","id":"security-hub-api","label":"AWS Security Hub","runtime_support":"planned","status":"template"},{"auth_modes":["oauth"],"category":"Scanner findings","config":{"base_url":"https://api.security.microsoft.com/api/incidents","filters":{"severity":["High","Medium"],"status":["Active"]},"pagination":{"top":50},"scopes":["Incident.Read.All"],"type":"microsoft_defender_xdr_incidents"},"description":"Pulls a bounded Microsoft Defender XDR incident sample directly in the browser with local severity and status filters for queueing, reporting, and remediation planning.","id":"microsoft-defender-xdr-incidents","label":"Microsoft Defender XDR incidents","runtime_support":"live","status":"native"},{"auth_modes":["oauth"],"category":"Scanner findings","config":{"api_version":"2025-09-01","base_url":"https://management.azure.com","filters":{"severity":["High","Medium"],"status":["New","Active"]},"include":["incidents"],"pagination":{"top":50},"resource_path":"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents","type":"microsoft_sentinel_incidents"},"description":"Pulls a bounded Microsoft Sentinel workspace incident sample directly in the browser with local severity and status filters for queueing, reporting, and remediation planning.","id":"microsoft-sentinel-incidents","label":"Microsoft Sentinel incidents","runtime_support":"live","status":"native"},{"auth_modes":["pat","oauth"],"category":"Scanner findings","config":{"base_url":"https://gitlab.com/api/v4","endpoint":"/projects/:id/vulnerability_findings","filters":{"report_type":["dependency_scanning","sast"],"severity":["high","critical"],"state":["detected","confirmed"]},"project":"group/project","type":"gitlab_vulnerability_findings"},"description":"Pulls a bounded first page of GitLab project vulnerability findings directly in the browser when AppSec findings and fix ownership live in the same GitLab namespace.","id":"gitlab-vulnerability-findings","label":"GitLab vulnerability findings","runtime_support":"live","status":"native"},{"auth_modes":["oauth","api_key"],"category":"Scanner findings","config":{"base_url":"https://api.crowdstrike.com","endpoint":"/detects/queries/detects/v1","filters":{"severity":["high","critical"],"status":["new","in_progress"]},"type":"crowdstrike_detections"},"description":"Starter config for bounded CrowdStrike Falcon detection intake into browser-side triage and response workflows.","id":"crowdstrike-detections","label":"CrowdStrike detections","runtime_support":"planned","status":"template"},{"auth_modes":["api_key"],"category":"Scanner findings","config":{"base_url":"https://cloud.tenable.com","export_path":"/vulns/export","filters":{"severity":["high","critical"],"state":["OPEN","REOPENED"]},"type":"tenable_vuln_export"},"description":"Starter config for exporting high-severity Tenable vulnerabilities into remediation and report workflows.","id":"tenable-vulnerability-management","label":"Tenable vulnerability management","runtime_support":"planned","status":"template"},{"auth_modes":["api_token","oauth"],"category":"Scanner findings","config":{"base_url":"https://dojo.example.com/api/v2","endpoint":"/findings","filters":{"active":true,"severity":["Critical","High"]},"include":["product","engagement","test","finding"],"type":"defectdojo_findings"},"description":"Starter config for pulling active high-severity DefectDojo findings with enough context for analyst routing and ticket creation.","id":"defectdojo-findings","label":"DefectDojo findings","runtime_support":"planned","status":"template"},{"auth_modes":["access_key"],"category":"Scanner findings","config":{"base_url":"https://api.prismacloud.io","filters":{"alert_status":["open"],"policy_severity":["high","critical"]},"resource":"/alert","type":"prisma_cloud_alerts"},"description":"Starter config for Prisma Cloud alert intake across posture and runtime findings.","id":"prisma-cloud-alerts","label":"Prisma Cloud alerts","runtime_support":"planned","status":"template"},{"auth_modes":["oauth"],"category":"Scanner findings","config":{"base_url":"https://securitycenter.googleapis.com","filters":{"severity":["HIGH","CRITICAL"],"state":["ACTIVE"]},"resource":"organizations/{organizationId}/sources/-/findings","type":"google_cloud_scc_findings"},"description":"Starter config for Security Command Center findings when cloud exposures need browser-side triage and routing.","id":"google-cloud-scc-findings","label":"Google Cloud SCC findings","runtime_support":"planned","status":"template"},{"auth_modes":["pat","oauth"],"category":"Scanner findings","config":{"base_url":"https://api.github.com","endpoint":"/repos/{owner}/{repo}/code-scanning/alerts","filters":{"severity":["high","critical"],"state":["open"]},"repository":"owner/repo","type":"github_code_scanning_alerts"},"description":"Starter config for pulling open high-severity GitHub code scanning alerts into browser-side triage and remediation planning.","id":"github-code-scanning-alerts","label":"GitHub code scanning alerts","runtime_support":"planned","status":"template"},{"auth_modes":["api_token"],"category":"Scanner findings","config":{"base_url":"https://semgrep.dev/api/v1","filters":{"severity":["high","critical"],"state":["open","triaged"]},"resource":"/deployments/{deploymentId}/findings","type":"semgrep_appsec_findings"},"description":"Starter config for bringing bounded Semgrep AppSec findings into browser-side reviewer queues and remediation handoffs.","id":"semgrep-appsec-findings","label":"Semgrep AppSec findings","runtime_support":"planned","status":"template"},{"auth_modes":["api_token"],"category":"Scanner findings","config":{"base_url":"https://sonarqube.example.com/api","endpoint":"/issues/search","filters":{"severities":["CRITICAL","BLOCKER"],"statuses":["OPEN","CONFIRMED","REOPENED"],"types":["VULNERABILITY","SECURITY_HOTSPOT"]},"type":"sonarqube_issues"},"description":"Starter config for pulling open SonarQube vulnerabilities and security hotspots into a browser-local remediation queue.","id":"sonarqube-issues","label":"SonarQube security issues","runtime_support":"planned","status":"template"},{"auth_modes":["oauth","api_key"],"category":"Scanner findings","config":{"base_url":"https://ast.checkmarx.net/api","filters":{"severity":["HIGH","CRITICAL"],"state":["NEW","TO_VERIFY"]},"resource":"/findings","type":"checkmarx_one_findings"},"description":"Starter config for pulling high-severity Checkmarx One findings into browser-side triage and routed handoff workflows.","id":"checkmarx-one-findings","label":"Checkmarx One findings","runtime_support":"planned","status":"template"},{"auth_modes":["api_key"],"category":"Scanner findings","config":{"base_url":"https://api.veracode.com/appsec/v1","filters":{"scan_status":["OPEN"],"severity":["HIGH","VERY_HIGH"]},"resource":"/findings","type":"veracode_findings"},"description":"Starter config for pulling actionable Veracode findings into a browser-local remediation and reporting workflow.","id":"veracode-findings","label":"Veracode findings","runtime_support":"planned","status":"template"},{"auth_modes":["aws_sigv4"],"category":"Scanner findings","config":{"base_url":"https://inspector2.us-east-1.amazonaws.com","filters":{"finding_status":["ACTIVE"],"severity":["HIGH","CRITICAL"]},"resource":"/findings/list","type":"aws_inspector_findings"},"description":"Starter config for pulling Amazon Inspector findings into browser-side prioritization, reporting, and downstream routing.","id":"aws-inspector-findings","label":"AWS Inspector findings","runtime_support":"planned","status":"template"},{"auth_modes":["api_key"],"category":"Scanner findings","config":{"base_url":"https://console.insight.rapid7.com/api/3","filters":{"severity":["Severe","Critical"],"status":["active"]},"resource":"/vulnerabilities","type":"rapid7_insightvm_vulnerabilities"},"description":"Starter config for pulling high-risk Rapid7 InsightVM vulnerabilities into browser-side triage and routing workflows.","id":"rapid7-insightvm-vulnerabilities","label":"Rapid7 InsightVM vulnerabilities","runtime_support":"planned","status":"template"},{"auth_modes":["api_token"],"category":"Scanner findings","config":{"base_url":"https://api.orcasecurity.io","filters":{"severity":["high","critical"],"state":["open"]},"resource":"/api/alerts","type":"orca_security_alerts"},"description":"Starter config for Orca alert intake when cloud exposure and workload findings need browser-side case and report handling.","id":"orca-security-alerts","label":"Orca Security alerts","runtime_support":"planned","status":"template"},{"auth_modes":["api_key"],"category":"Scanner findings","config":{"base_url":"https://api.lacework.net","filters":{"severity":["High","Critical"],"status":["Open"]},"resource":"/api/v2/Alerts/Search","type":"lacework_alerts"},"description":"Starter config for pulling open high-severity Lacework alerts into browser-side remediation and escalation planning.","id":"lacework-alerts","label":"Lacework alerts","runtime_support":"planned","status":"template"},{"auth_modes":["api_token","oauth"],"category":"Knowledge sources","config":{"base_url":"https://example.atlassian.net/wiki","max_pages":10,"spaces":["SEC","ENG"],"type":"confluence_search"},"description":"Searches Confluence Cloud pages in the browser to bring internal runbooks, exception notes, and operational context into a scoped agent session.","id":"confluence-knowledge","label":"Confluence runbook context","runtime_support":"live","status":"native"}]},"output_channels":{"channels":[{"browser_delivery":true,"category":"Code handoff","config":{"labels":["security-remediation","ai-agent-draft"],"required_sections":["branch_name","pr_title","pr_body","test_plan","rollback","reviewer_checklist"],"type":"draft_pr_packet"},"description":"Reviewer-ready markdown and metadata for a pull request without writing to the source host.","driver":"draft-pr","id":"draft-pr-packet","label":"Draft PR packet","requirement":"No GitHub write required. Produces branch name, PR body, tests, rollback, and reviewer checklist.","runtime_support":"copy_only","status":"native"},{"browser_delivery":true,"category":"Ticketing","config":{"issue_type":"Task","labels":["security-remediation","ai-agent-draft"],"repository":"owner/repo","type":"github_issue"},"description":"Creates a GitHub issue with a normalized remediation or scan handoff body.","driver":"github-issue","id":"github-issue","label":"GitHub issue","requirement":"Requires GitHub PAT or OAuth token with issues write access.","runtime_support":"live","status":"native"},{"browser_delivery":true,"category":"Collaboration","config":{"include_fields":["title","severity","scope","next_steps"],"message_format":"mrkdwn","type":"slack_webhook","webhook_url":"https://hooks.slack.com/services/..."},"description":"Posts the report or remediation handoff into a Slack channel using an incoming webhook.","driver":"slack","id":"slack-webhook","label":"Slack webhook","requirement":"Requires an incoming Slack webhook URL.","runtime_support":"live","status":"native"},{"browser_delivery":true,"category":"Collaboration","config":{"relay_url":"","subject_prefix":"[SecurityRecipes]","to":["security@example.com"],"type":"email_handoff"},"description":"Generates a browser mail draft or sends through a configured relay endpoint.","driver":"email","id":"email-handoff","label":"Email handoff","requirement":"Uses a local mailto draft, or a configured CORS-enabled email relay URL.","runtime_support":"live_or_copy","status":"native"},{"browser_delivery":true,"category":"Ticketing","config":{"base_url":"https://example.atlassian.net","issue_type":"Task","project_key":"SEC","type":"jira_issue"},"description":"Creates a Jira task with a structured remediation or scan summary.","driver":"jira","id":"jira-ticket","label":"Jira ticket","requirement":"Requires Jira base URL, account email, API token, and project key.","runtime_support":"live","status":"native"},{"browser_delivery":true,"category":"Reports and evidence","config":{"required_sections":["scope","steps","evidence","stop_conditions","rollback"],"type":"runbook_receipt"},"description":"Clipboard-friendly markdown for human execution with stop conditions and rollback.","driver":"runbook","id":"runbook-receipt","label":"Runbook receipt","requirement":"No external auth required. Produces copyable steps and evidence.","runtime_support":"copy_only","status":"native"},{"browser_delivery":true,"category":"Reports and evidence","config":{"required_sections":["change_window","commands","verification","rollback"],"type":"server_runbook"},"description":"Operations-focused handoff for patching or validation during a maintenance window.","driver":"server-runbook","id":"server-runbook","label":"Server runbook","requirement":"No automatic server changes. Produces commands for a human-run maintenance window.","runtime_support":"copy_only","status":"native"},{"browser_delivery":true,"category":"Collaboration","config":{"include_fields":["title","severity","scope","recommendation","links"],"payload_shape":"text_or_adaptive_card","type":"teams_workflows_webhook","webhook_url":"https://prod-00.westus.logic.azure.com/workflows/..."},"description":"Posts a browser-generated handoff to a Microsoft Teams channel or chat through a Workflows webhook.","driver":"teams","id":"teams-workflow-webhook","label":"Microsoft Teams workflow webhook","requirement":"Requires a Teams Workflows webhook URL. Microsoft 365 connectors are nearing deprecation, so prefer a Workflows-owned webhook.","runtime_support":"live_or_copy","status":"native"},{"browser_delivery":true,"category":"Ticketing","config":{"instance_url":"https://example.service-now.com","priority_map":{"critical":"1","high":"2","medium":"3"},"table":"incident","type":"servicenow_incident"},"description":"Creates a ServiceNow incident or task record with a normalized remediation or scan summary.","driver":"servicenow","id":"servicenow-incident","label":"ServiceNow incident","requirement":"Requires a ServiceNow instance URL, table name, and OAuth bearer token with create access to the target table.","runtime_support":"live_or_copy","status":"native"},{"browser_delivery":true,"category":"Ticketing","config":{"labels":["security-remediation","ai-agent"],"state":"Backlog","team_id":"9cfb482a-81e3-4154-b5b9-2c805e70a02d","type":"linear_issue"},"description":"Creates a Linear issue through the GraphQL API for security engineering or platform backlog handoff.","driver":"linear","id":"linear-issue","label":"Linear issue","requirement":"Requires a Linear personal API key and a target team ID.","runtime_support":"live_or_copy","status":"native"},{"browser_delivery":true,"category":"SIEM and analytics","config":{"hec_url":"https://splunk.example.com:8088/services/collector","index":"secops","sourcetype":"securityrecipes:report","type":"splunk_hec"},"description":"Posts the normalized report bundle directly to Splunk HTTP Event Collector for SIEM or analytics use.","driver":"splunk-hec","id":"splunk-hec","label":"Splunk HEC event","requirement":"Requires a Splunk HEC URL and HEC token.","runtime_support":"live_or_copy","status":"native"},{"browser_delivery":true,"category":"SIEM and analytics","config":{"owner":"securitySolution","space_id":"default","tags":["security-remediation","browser-agent"],"type":"elastic_security_case"},"description":"Creates an Elastic case with the generated remediation or scan summary.","driver":"elastic-case","id":"elastic-security-case","label":"Elastic Security case","requirement":"Requires a Kibana base URL and Elastic API key with Cases write access.","runtime_support":"live_or_copy","status":"native"},{"browser_delivery":true,"category":"Incident response","config":{"dedup_key_template":"securityrecipes-{{asset_id}}-{{finding_key}}","event_action":"trigger","events_api_url":"https://events.pagerduty.com/v2/enqueue","payload_class":"security_remediation","type":"pagerduty_events_v2"},"description":"Starter browser-side route for escalating a high-confidence incident or remediation brief into PagerDuty event orchestration.","driver":"pagerduty","id":"pagerduty-events-v2","label":"PagerDuty Events API v2","requirement":"Requires a PagerDuty Events API v2 routing key or service integration configured for the target escalation path.","runtime_support":"live_or_copy","status":"native"},{"browser_delivery":true,"category":"Collaboration","config":{"include_fields":["title","severity","scope","next_steps","links"],"type":"google_chat_webhook","webhook_url":"https://chat.googleapis.com/v1/spaces/SPACE_ID/messages?key=KEY\u0026token=TOKEN"},"description":"Starter browser-side route for posting a normalized remediation or incident brief into a Google Chat space.","driver":"google-chat","id":"google-chat-webhook","label":"Google Chat webhook","requirement":"Requires a Google Chat incoming webhook URL for the destination space.","runtime_support":"live_or_copy","status":"native"},{"browser_delivery":true,"category":"Ticketing","config":{"api_version":"7.1","base_url":"https://dev.azure.com","project":"security-platform","type":"azure_devops_work_item","work_item_type":"Issue"},"description":"Browser-side route for creating an Azure DevOps work item from a normalized remediation or scan handoff, with local preview fallback when direct delivery is blocked.","driver":"azure-devops","id":"azure-devops-work-item","label":"Azure DevOps work item","requirement":"Requires an Azure DevOps organization, project, work item type, and a PAT or bearer token with Work Items write scope.","runtime_support":"live_or_copy","status":"native"},{"browser_delivery":true,"category":"Ticketing","config":{"base_url":"https://gitlab.com/api/v4","issue_type":"issue","labels":["security-remediation","ai-agent"],"project":"group/project","type":"gitlab_issue"},"description":"Browser-side route for creating a GitLab issue with a normalized remediation or triage brief, with local preview fallback when direct delivery is blocked.","driver":"gitlab-issue","id":"gitlab-issue","label":"GitLab issue","requirement":"Requires a GitLab project path or ID plus a personal access token or bearer token. GitLab.com works out of the box; self-managed hosts need a browser-allowed API base URL.","runtime_support":"live_or_copy","status":"native"},{"browser_delivery":true,"category":"SOAR and case management","config":{"api_key_header":"Authorization","api_key_id_header":"x-xdr-auth-id","base_url":"https://xsoar.example.com/xsoar/public/v1/incident","create_investigation":true,"incident_type":"Security","include_fields":["name","type","severity","details","rawJSON"],"type":"cortex_xsoar_incident"},"description":"Browser-side route for creating a Cortex XSOAR incident from a reviewed SecurityRecipes packet, with incident-shaped payloads and local preview fallback when direct delivery is blocked.","driver":"xsoar","id":"cortex-xsoar-incident","label":"Cortex XSOAR incident","requirement":"Requires a Cortex XSOAR tenant URL or incident endpoint plus API key ID and API key with incident create access. Direct browser delivery still depends on tenant CORS and any mandatory incident fields.","runtime_support":"live_or_copy","status":"native"},{"browser_delivery":true,"category":"SOAR and case management","config":{"base_url":"https://soar.example.com/rest/orgs/{orgId}/incidents","handle_format":"names","incident_type_ids":[123],"type":"ibm_soar_incident"},"description":"Starter browser-side route for creating an IBM SOAR incident from a structured SecurityRecipes packet.","driver":"ibm-soar","id":"ibm-soar-incident","label":"IBM SOAR incident","requirement":"Requires an IBM SOAR organization URL and API credentials with incident create access.","runtime_support":"planned","status":"template"},{"browser_delivery":true,"category":"SOAR and case management","config":{"api_version":"2025-09-01","base_url":"https://management.azure.com","resource_path":"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentIdentifier}/runPlaybook","type":"microsoft_sentinel_playbook"},"description":"Starter browser-side route for forwarding a reviewed packet into a Microsoft Sentinel incident playbook.","driver":"sentinel-playbook","id":"microsoft-sentinel-playbook","label":"Microsoft Sentinel playbook trigger","requirement":"Requires Azure subscription and workspace identifiers plus an OAuth token permitted to run Sentinel playbooks.","runtime_support":"planned","status":"template"},{"browser_delivery":true,"category":"SOAR and case management","config":{"include_fields":["title","severity","scope","report","links"],"story":"SecurityRecipes downstream orchestration","type":"tines_webhook","webhook_url":"https://tenant.tines.com/webhook/..."},"description":"Browser-side route for forwarding a reviewed SecurityRecipes packet into a Tines story or event-driven workflow, with local preview fallback when direct delivery is blocked.","driver":"tines","id":"tines-webhook","label":"Tines webhook","requirement":"Requires a Tines webhook or HTTP Request action endpoint approved for browser-triggered incident or remediation intake, with any optional auth header or custom headers configured in the browser.","runtime_support":"live_or_copy","status":"native"},{"browser_delivery":true,"category":"SOAR and case management","config":{"include_fields":["title","severity","scope","recommendation","artifacts"],"type":"torq_webhook","webhook_url":"https://api.torq.io/webhooks/...","workflow":"SecurityRecipes handoff"},"description":"Browser-side route for sending a reviewed remediation or incident packet into a Torq automation workflow, with local preview fallback when direct delivery is blocked.","driver":"torq","id":"torq-webhook","label":"Torq workflow webhook","requirement":"Requires a Torq webhook or API-triggered workflow endpoint plus any auth header or secret material approved for browser-side use.","runtime_support":"live_or_copy","status":"native"},{"browser_delivery":true,"category":"SOAR and case management","config":{"auth_header":"ph-auth-token","base_url":"https://phantom.example.com/rest/container","container_type":"case","include_fields":["name","label","description","severity","sensitivity","source_data_identifier","data"],"label":"events","type":"splunk_soar_container"},"description":"Browser-side route for creating a Splunk SOAR container from a reviewed SecurityRecipes packet, with container-shaped payloads and local preview fallback when direct delivery is blocked.","driver":"splunk-soar","id":"splunk-soar-incident","label":"Splunk SOAR incident","requirement":"Requires a Splunk SOAR or Phantom tenant URL or /rest/container endpoint plus a ph-auth-token for an automation user with container create access. Direct browser delivery still depends on tenant CORS and label permissions.","runtime_support":"live_or_copy","status":"native"},{"browser_delivery":true,"category":"SOAR and case management","config":{"app":"Security Cases","base_url":"https://swimlane.example.com/api","record_type":"case","type":"swimlane_record"},"description":"Starter browser-side route for creating a Swimlane case or work item from a reviewed SecurityRecipes packet.","driver":"swimlane","id":"swimlane-case","label":"Swimlane case","requirement":"Requires a Swimlane environment URL, app identifier, and API token with record create access for the target case app.","runtime_support":"planned","status":"template"},{"browser_delivery":true,"category":"Custom integrations","config":{"headers":{"Content-Type":"application/json"},"method":"POST","type":"generic_webhook","url":"https://example.internal/hooks/security-recipes"},"description":"Posts the full SecurityRecipes delivery envelope to a custom SOAR, queue, or workflow endpoint.","driver":"generic-webhook","id":"generic-webhook","label":"Generic webhook","requirement":"Requires a browser-reachable webhook URL and any required headers or bearer token.","runtime_support":"live_or_copy","status":"native"}]},"readiness_profiles":{"auth_mode_details":{"access_key":"The pack needs provider access-key style credentials and should only be promoted when the browser flow can keep those values bounded and explicit.","api_key":"The operator must paste a provider-issued API key into browser storage before the pack can call the provider API directly.","api_token":"The operator must supply a provider token or service token in browser storage before this pack can run.","aws_sigv4":"The browser runtime needs real AWS SigV4 request signing and short-lived credentials before the provider API can be called honestly from the browser.","none":"No provider credential is required; the operator still chooses the exact page, file, or route input in the browser.","oauth":"The browser runtime needs an OAuth-capable flow and a delegated token with the provider scopes required for the selected source or route.","pat":"A user-scoped personal access token must stay in browser storage and carry only the minimum read or write scope required for the selected task.","public":"The pack can rely on public or anonymously readable data, but the browser still needs a bounded repository, tenant, or document target.","webhook":"The destination system must expose a pre-approved webhook endpoint or secret-backed URL that the browser can post to directly."},"auth_mode_labels":{"access_key":"Access key pair","api_key":"API key","api_token":"API token","aws_sigv4":"AWS SigV4 signing","none":"No external auth","oauth":"OAuth delegated token","pat":"Personal access token","public":"Public access","webhook":"Webhook secret or URL"},"output_driver_auth_modes":{"azure-devops":["pat","oauth"],"draft-pr":["none"],"elastic-case":["api_key"],"email":["none"],"generic-webhook":["webhook"],"github-issue":["pat","oauth"],"gitlab-issue":["pat","oauth"],"google-chat":["webhook"],"ibm-soar":["api_key"],"jira":["api_token"],"linear":["api_key"],"pagerduty":["api_key"],"runbook":["none"],"sentinel-playbook":["oauth"],"server-runbook":["none"],"servicenow":["oauth"],"slack":["webhook"],"splunk-hec":["api_token"],"splunk-soar":["api_token"],"swimlane":["api_token"],"teams":["webhook"],"tines":["webhook"],"torq":["webhook"],"xsoar":["api_key"]},"runtime_blockers":{"config_only":["Only the configuration contract is published today; the browser runtime has not been implemented yet."],"contract":["This pack shapes the workflow, but it is not itself a connector."],"copy_only":["No external write path exists by design, so a reviewer or downstream tool must copy, download, or relay the generated payload."],"live":[],"live_or_copy":["Operator-owned credentials, webhook targets, or tenant metadata still need to be configured in the browser before a live call can run.","Provider cross-origin behavior and tenant policy still decide whether the direct browser path succeeds, so the local handoff fallback remains part of the design."],"planned":["The runtime path has not been promoted from starter contract to live browser flow yet.","Auth scope, request signing, pagination, throttling, and cross-origin behavior still need explicit verification for this provider."]},"runtime_labels":{"config_only":"Config contract only","contract":"Contract only","copy_only":"Local copy only","live":"Browser live","live_or_copy":"Live with copy fallback","planned":"Reviewed starter contract"},"runtime_requirements":{"config_only":"The contract shape is published for authoring and validation, but the browser runtime is not shipped.","contract":"This entry is a reusable contract rather than a direct connector runtime.","copy_only":"This pack intentionally stops at a local contract and never performs the external write for the operator.","live":"The browser workbench already has a direct BYO-token runtime path for this pack today.","live_or_copy":"The browser can try a direct write when the operator supplies the required config, and it still keeps a safe local copy or export fallback.","planned":"This is a reviewed starter contract that still needs a verified browser-safe auth, API, and CORS story before promotion."}},"report_profiles":{"profiles":[{"category":"Remediation","description":"Reviewer-ready packet for a code or configuration fix that stops at draft stage.","example_output":{"evidence":["scanner_before","scanner_after","tests","reviewers"],"report_type":"remediation_pr_packet","risk_level":"high","status":"draft"},"format":"markdown+json","id":"remediation-pr-packet","label":"Remediation PR packet","sections":["executive_summary","scope","root_cause","proposed_change","validation","rollback","approvals"],"status":"native"},{"category":"Scanning","description":"Normalized browser-side report for imported SARIF, SBOM, and scanner context that can be copied or exported downstream as JSON.","example_output":{"critical":2,"finding_count":12,"high":5,"recommended_workflows":["dependency","sast","sensitive-data"],"report_type":"scan_findings_bundle","scanner_artifacts":["findings.sarif.json","bom.cdx.json"]},"format":"json","id":"scan-findings-bundle","label":"Scan findings bundle","sections":["metadata","source","summary","findings","severity_counts","recommended_workflows","artifacts"],"status":"native"},{"category":"Operational handoff","description":"Compact summary optimized for Jira, GitHub Issues, ServiceNow, Linear, or GitLab.","example_output":{"destination":"jira","priority":"high","report_type":"ticket_ready_brief"},"format":"markdown","id":"ticket-ready-brief","label":"Ticket-ready brief","sections":["title","impact","scope","actions","owner_notes","links"],"status":"native"},{"category":"Reporting","description":"Short-form leadership update for weekly risk review or board prep.","example_output":{"decision_needed":"approve_connector_review","report_type":"exec_risk_brief","top_risk_theme":"agentic_api_exposure"},"format":"markdown+json","id":"exec-risk-brief","label":"Executive risk brief","sections":["risk_statement","trend","top_findings","business_impact","next_actions"],"status":"native"},{"category":"Evidence","description":"Evidence-oriented receipt for a browser-run investigation or remediation planning session.","example_output":{"byo_tokens":true,"human_review_required":true,"report_type":"run_receipt","runtime":"browser"},"format":"json","id":"run-receipt","label":"Run receipt","sections":["run_metadata","inputs","decisions","outputs","operator_notes"],"status":"native"},{"category":"Evidence","description":"Grouped browser-local investigation session export with timeline, linked case reference, and handoff guidance.","example_output":{"linked_case_id":"case-dependency-fix-payments-api","record_count":9,"report_type":"investigation_session_packet","session_kind":"agent_run"},"format":"json","id":"investigation-session-packet","label":"Investigation session packet","sections":["investigation_session","session","timeline","linked_case","next_actions"],"status":"native"},{"category":"Governance","description":"Structured approval, hold, or deny pack for new MCP or API integration candidates.","example_output":{"decision":"hold_for_review","report_type":"connector_intake_decision","required_controls":["token_audience_validation","audit_every_tool_call"]},"format":"json","id":"connector-intake-decision","label":"Connector intake decision","sections":["candidate","auth","egress","tool_surface","decision","required_controls"],"status":"native"},{"category":"Incident response","description":"Short-form incident commander brief for XDR, SIEM, and responder escalation workflows.","example_output":{"incident_severity":"high","recommended_escalation":"pagerduty","report_type":"incident_response_brief"},"format":"markdown+json","id":"incident-response-brief","label":"Incident response brief","sections":["incident_summary","triage","impacted_assets","containment","owner_handoff","evidence_links"],"status":"native"},{"category":"Case management","description":"Structured case payload optimized for SOAR and case-management systems that want fields instead of freeform prose.","example_output":{"case_template":"cloud_exposure","destination":"xsoar","report_type":"case_management_packet"},"format":"json","id":"case-management-packet","label":"Case management packet","sections":["title","severity","scope","tasks","entities","references","custom_fields"],"status":"native"},{"category":"Telemetry","description":"Normalized telemetry envelope for SIEM, webhook, and downstream analytics ingestion paths.","example_output":{"destination":"splunk","event_count":1,"report_type":"siem_forwarding_envelope"},"format":"json","id":"siem-forwarding-envelope","label":"SIEM forwarding envelope","sections":["metadata","routing","summary","findings","entities","observables","artifacts"],"status":"native"}]},"schemas":{"asset_library":"/marketplace-schemas/asset-library.schema.json","case_file":"/marketplace-schemas/case-file.schema.json","case_library":"/marketplace-schemas/case-library.schema.json","index":"/marketplace-schemas/index.json","input_channel_contribution":"/marketplace-schemas/input-channel-contribution.schema.json","local_library":"/marketplace-schemas/local-library.schema.json","operations_history":"/marketplace-schemas/operations-history.schema.json","operations_session":"/marketplace-schemas/operations-session.schema.json","output_channel_contribution":"/marketplace-schemas/output-channel-contribution.schema.json","report_profile_contribution":"/marketplace-schemas/report-profile-contribution.schema.json","routing_library":"/marketplace-schemas/routing-library.schema.json","routing_policy":"/marketplace-schemas/routing-policy.schema.json","workflow_template_contribution":"/marketplace-schemas/workflow-template-contribution.schema.json"},"workflow_templates":{"templates":[{"default_approval_gate":"Security reviewer required","default_cadence":"Manual approval","default_context_pack":"Secure context trust pack","default_input_channel_ids":["page-context","recipe-index","github-repository","deps-dev-advisories"],"default_output_channel_id":"draft-pr-packet","default_recipe_query":"vulnerable dependency remediation","default_report_profile_id":"remediation-pr-packet","description":"Use GitHub repo + deps.dev context to draft a narrow dependency remediation packet for human review.","id":"github-dependency-pr-handoff","label":"GitHub dependency PR handoff","status":"curated","target_hint":"owner/repo package/CVE","workflow_value":"dependency"},{"default_approval_gate":"Code owner required","default_cadence":"Manual approval","default_context_pack":"Runtime controls","default_input_channel_ids":["page-context","recipe-index","sarif-manual-import"],"default_output_channel_id":"jira-ticket","default_recipe_query":"SAST finding triage","default_report_profile_id":"ticket-ready-brief","description":"Bundle bounded SAST findings into a Jira-ready brief and route the follow-up through a governed ticket.","id":"sast-triage-to-jira","label":"SAST triage to Jira","status":"curated","target_hint":"service/module SARIF upload","workflow_value":"sast"},{"default_approval_gate":"Two-person review","default_cadence":"Manual approval","default_context_pack":"MCP gateway policy","default_input_channel_ids":["page-context","recipe-index","confluence-knowledge"],"default_output_channel_id":"runbook-receipt","default_recipe_query":"MCP connector intake scanner","default_report_profile_id":"connector-intake-decision","description":"Score a proposed connector, produce a hold/allow decision pack, and route it to governance stakeholders.","id":"mcp-connector-intake-review","label":"MCP connector intake review","status":"curated","target_hint":"connector name / namespace","workflow_value":"mcp-guardrail"},{"default_approval_gate":"Security reviewer required","default_cadence":"Weekly sweep","default_context_pack":"Agentic assurance pack","default_input_channel_ids":["page-context","security-hub-api"],"default_output_channel_id":"slack-webhook","default_recipe_query":"agentic risk review","default_report_profile_id":"exec-risk-brief","description":"Aggregate cloud findings into an executive summary and downstream analyst brief.","id":"security-hub-risk-brief","label":"Security Hub risk brief","status":"curated","target_hint":"account / business unit / region","workflow_value":"recipe-runbook"},{"default_approval_gate":"Security reviewer required","default_cadence":"Daily review queue","default_context_pack":"Agentic assurance pack","default_input_channel_ids":["recipe-index","snyk-issues-api","confluence-knowledge"],"default_output_channel_id":"jira-ticket","default_recipe_query":"agentic risk review","default_report_profile_id":"ticket-ready-brief","description":"Pull bounded Snyk issues plus Confluence runbooks into a reviewer-ready remediation or triage brief.","id":"snyk-triage-with-runbooks","label":"Snyk triage with runbooks","status":"curated","target_hint":"org / product / initiative","workflow_value":"recipe-runbook"},{"default_approval_gate":"Security reviewer required","default_cadence":"Manual approval","default_context_pack":"Secure context trust pack","default_input_channel_ids":["page-context","recipe-index"],"default_output_channel_id":"runbook-receipt","default_recipe_query":"Run receipt","default_report_profile_id":"run-receipt","description":"Document a BYO-token browser investigation or planning session with an evidence-first receipt.","id":"browser-run-receipt","label":"Browser run receipt","status":"curated","target_hint":"workflow / incident / repo","workflow_value":"recipe-runbook"},{"default_approval_gate":"Security reviewer required","default_cadence":"On new finding","default_context_pack":"Runtime controls","default_input_channel_ids":["page-context","recipe-index","microsoft-defender-xdr-incidents","confluence-knowledge"],"default_output_channel_id":"servicenow-incident","default_recipe_query":"incident triage and containment","default_report_profile_id":"incident-response-brief","description":"Pull a bounded Defender XDR incident, align containment with internal runbooks, and draft a ServiceNow follow-up.","id":"defender-xdr-incident-to-servicenow","label":"Defender XDR incident to ServiceNow","status":"curated","target_hint":"incident / device / user","workflow_value":"recipe-runbook"},{"default_approval_gate":"Security reviewer required","default_cadence":"On new finding","default_context_pack":"Runtime controls","default_input_channel_ids":["page-context","recipe-index","microsoft-sentinel-incidents","confluence-knowledge"],"default_output_channel_id":"pagerduty-events-v2","default_recipe_query":"incident triage and containment","default_report_profile_id":"incident-response-brief","description":"Summarize a live Sentinel incident and escalate a high-confidence response brief into PagerDuty.","id":"sentinel-incident-to-pagerduty","label":"Sentinel incident to PagerDuty","status":"community","target_hint":"subscription / workspace / incident","workflow_value":"recipe-runbook"},{"default_approval_gate":"Code owner required","default_cadence":"Manual approval","default_context_pack":"Secure context trust pack","default_input_channel_ids":["recipe-index","gitlab-project-context","gitlab-vulnerability-findings","sbom-manual-import"],"default_output_channel_id":"gitlab-issue","default_recipe_query":"vulnerable dependency remediation","default_report_profile_id":"ticket-ready-brief","description":"Turn GitLab vulnerability findings into a reviewer-ready fix plan and open a GitLab issue in the same project.","id":"gitlab-vulnerability-to-gitlab-issue","label":"GitLab vulnerability to GitLab issue","status":"community","target_hint":"group/project vulnerability","workflow_value":"dependency"},{"default_approval_gate":"Code owner required","default_cadence":"Manual approval","default_context_pack":"Secure context trust pack","default_input_channel_ids":["page-context","recipe-index","azure-devops-repository","sarif-manual-import","sbom-manual-import"],"default_output_channel_id":"azure-devops-work-item","default_recipe_query":"vulnerable dependency remediation","default_report_profile_id":"ticket-ready-brief","description":"Use Azure DevOps repo context plus imported scanner artifacts to generate a governed remediation work item.","id":"azure-devops-remediation-to-work-item","label":"Azure DevOps remediation to work item","status":"community","target_hint":"organization / project / repo","workflow_value":"dependency"},{"default_approval_gate":"Security reviewer required","default_cadence":"Daily review queue","default_context_pack":"Runtime controls","default_input_channel_ids":["recipe-index","defectdojo-findings","confluence-knowledge"],"default_output_channel_id":"jira-ticket","default_recipe_query":"SAST finding triage","default_report_profile_id":"ticket-ready-brief","description":"Bundle active DefectDojo findings into a Jira-ready analyst brief with recipe-backed remediation steps.","id":"defectdojo-findings-to-jira","label":"DefectDojo findings to Jira","status":"community","target_hint":"product / engagement / finding set","workflow_value":"sast"},{"default_approval_gate":"Two-person review","default_cadence":"On new finding","default_context_pack":"Agentic assurance pack","default_input_channel_ids":["recipe-index","wiz-findings-api","prisma-cloud-alerts","security-hub-api"],"default_output_channel_id":"cortex-xsoar-incident","default_recipe_query":"agentic risk review","default_report_profile_id":"case-management-packet","description":"Aggregate Wiz, Prisma Cloud, or Security Hub findings into a structured case payload for Cortex XSOAR.","id":"cloud-alerts-to-xsoar-case","label":"Cloud alerts to XSOAR case","status":"community","target_hint":"account / subscription / tenant","workflow_value":"recipe-runbook"},{"default_approval_gate":"Security reviewer required","default_cadence":"On new finding","default_context_pack":"Runtime controls","default_input_channel_ids":["page-context","recipe-index","microsoft-defender-xdr-incidents","crowdstrike-detections"],"default_output_channel_id":"google-chat-webhook","default_recipe_query":"incident triage and containment","default_report_profile_id":"incident-response-brief","description":"Post a compact high-severity detection brief to Google Chat for cross-functional review without leaving the browser runtime.","id":"high-severity-detection-to-google-chat","label":"High-severity detection to Google Chat","status":"community","target_hint":"chat space / responder group","workflow_value":"recipe-runbook"},{"default_approval_gate":"Ticket required","default_cadence":"On new finding","default_context_pack":"Runtime controls","default_input_channel_ids":["sarif-manual-import","sbom-manual-import"],"default_output_channel_id":"splunk-hec","default_recipe_query":"scan findings bundle","default_report_profile_id":"scan-findings-bundle","description":"Example community-submitted profile for normalizing scan outputs before forwarding them to a SIEM pipeline.","id":"community-scan-to-siem","label":"Community scan to SIEM","status":"community","target_hint":"scanner / tenant / environment","workflow_value":"recipe-runbook"},{"default_approval_gate":"Security reviewer required","default_cadence":"On new finding","default_context_pack":"Runtime controls","default_input_channel_ids":["page-context","recipe-index","scanner-export-bundle","confluence-knowledge"],"default_output_channel_id":"servicenow-incident","default_recipe_query":"scan findings bundle","default_report_profile_id":"incident-response-brief","description":"Normalize a browser-local scanner export bundle into a reviewer-ready incident or remediation handoff for ServiceNow.","id":"scanner-export-to-servicenow","label":"Scanner export to ServiceNow","status":"curated","target_hint":"scanner export / environment / service owner","workflow_value":"recipe-runbook"},{"default_approval_gate":"Ticket required","default_cadence":"On new finding","default_context_pack":"Agentic assurance pack","default_input_channel_ids":["scanner-export-bundle","sarif-manual-import","sbom-manual-import"],"default_output_channel_id":"splunk-hec","default_recipe_query":"scan findings bundle","default_report_profile_id":"siem-forwarding-envelope","description":"Forward normalized browser-local scanner export findings into a SIEM-ready envelope for Splunk or another downstream analytics pipeline.","id":"scanner-export-to-splunk","label":"Scanner export to Splunk","status":"community","target_hint":"scanner export / index / environment","workflow_value":"recipe-runbook"},{"default_approval_gate":"Ticket required","default_cadence":"On new finding","default_context_pack":"Runtime controls","default_input_channel_ids":["page-context","recipe-index","sarif-manual-import"],"default_output_channel_id":"servicenow-incident","default_recipe_query":"SAST finding triage","default_report_profile_id":"ticket-ready-brief","description":"Turn imported SARIF findings into a governed ServiceNow incident for SecOps or platform follow-up.","id":"sarif-to-servicenow-incident","label":"SARIF to ServiceNow incident","status":"curated","target_hint":"service / module / SARIF upload","workflow_value":"sast"},{"default_approval_gate":"Security reviewer required","default_cadence":"On new finding","default_context_pack":"Agentic assurance pack","default_input_channel_ids":["sarif-manual-import","sbom-manual-import"],"default_output_channel_id":"elastic-security-case","default_recipe_query":"scan findings bundle","default_report_profile_id":"scan-findings-bundle","description":"Normalize imported scanner evidence into a browser-side report bundle, then open an Elastic Security case.","id":"scan-bundle-to-elastic-case","label":"Scan bundle to Elastic case","status":"community","target_hint":"scanner / cluster / environment","workflow_value":"recipe-runbook"},{"default_approval_gate":"Security reviewer required","default_cadence":"Weekly sweep","default_context_pack":"Agentic assurance pack","default_input_channel_ids":["page-context","recipe-index","sarif-manual-import","sbom-manual-import"],"default_output_channel_id":"teams-workflow-webhook","default_recipe_query":"agentic risk review","default_report_profile_id":"exec-risk-brief","description":"Assemble a review-ready risk brief from imported findings and route it to a Teams channel through a workflow webhook.","id":"weekly-risk-brief-to-teams","label":"Weekly risk brief to Teams","status":"community","target_hint":"business unit / leadership channel / finding set","workflow_value":"recipe-runbook"},{"default_approval_gate":"Code owner required","default_cadence":"Manual approval","default_context_pack":"Secure context trust pack","default_input_channel_ids":["page-context","recipe-index","github-repository","deps-dev-advisories","sbom-manual-import"],"default_output_channel_id":"linear-issue","default_recipe_query":"vulnerable dependency remediation","default_report_profile_id":"ticket-ready-brief","description":"Draft a reviewer-ready dependency remediation handoff and create a Linear issue for platform backlog tracking.","id":"dependency-fix-to-linear","label":"Dependency fix to Linear","status":"community","target_hint":"owner/repo package / team ID","workflow_value":"dependency"},{"default_approval_gate":"Code owner required","default_cadence":"On new finding","default_context_pack":"Runtime controls","default_input_channel_ids":["page-context","recipe-index","github-repository","github-code-scanning-alerts"],"default_output_channel_id":"jira-ticket","default_recipe_query":"SAST finding triage","default_report_profile_id":"ticket-ready-brief","description":"Turn GitHub code scanning alerts into a reviewer-ready Jira handoff that keeps repository context and remediation prompts together.","id":"github-code-scanning-to-jira","label":"GitHub code scanning to Jira","status":"community","target_hint":"owner/repo alert number / branch","workflow_value":"sast"},{"default_approval_gate":"Security reviewer required","default_cadence":"Daily review queue","default_context_pack":"Runtime controls","default_input_channel_ids":["recipe-index","semgrep-appsec-findings","confluence-knowledge"],"default_output_channel_id":"linear-issue","default_recipe_query":"SAST finding triage","default_report_profile_id":"ticket-ready-brief","description":"Use Semgrep AppSec findings plus recipe context to create a platform-ready Linear issue without leaving the browser workbench.","id":"semgrep-findings-to-linear","label":"Semgrep findings to Linear","status":"community","target_hint":"deployment / project / rule set","workflow_value":"sast"},{"default_approval_gate":"Security reviewer required","default_cadence":"On new finding","default_context_pack":"Agentic assurance pack","default_input_channel_ids":["recipe-index","aws-inspector-findings","confluence-knowledge"],"default_output_channel_id":"servicenow-incident","default_recipe_query":"scan findings bundle","default_report_profile_id":"incident-response-brief","description":"Pull AWS Inspector findings into a reviewed ServiceNow-ready incident or remediation handoff for cloud and platform teams.","id":"aws-inspector-to-servicenow","label":"AWS Inspector to ServiceNow","status":"community","target_hint":"account / region / workload","workflow_value":"recipe-runbook"},{"default_approval_gate":"Ticket required","default_cadence":"On new finding","default_context_pack":"Runtime controls","default_input_channel_ids":["recipe-index","rapid7-insightvm-vulnerabilities","confluence-knowledge"],"default_output_channel_id":"swimlane-case","default_recipe_query":"scan findings bundle","default_report_profile_id":"case-management-packet","description":"Turn Rapid7 InsightVM vulnerabilities into a structured Swimlane case packet for downstream coordination and response.","id":"rapid7-vulnerability-to-swimlane","label":"Rapid7 vulnerability to Swimlane","status":"community","target_hint":"site / asset group / vulnerability set","workflow_value":"recipe-runbook"},{"default_approval_gate":"Two-person review","default_cadence":"On new finding","default_context_pack":"Agentic assurance pack","default_input_channel_ids":["recipe-index","orca-security-alerts","prisma-cloud-alerts"],"default_output_channel_id":"tines-webhook","default_recipe_query":"agentic risk review","default_report_profile_id":"case-management-packet","description":"Normalize Orca alerts into a Tines-ready payload so cloud exposure review can move straight into deterministic workflow automation.","id":"orca-alerts-to-tines","label":"Orca alerts to Tines","status":"community","target_hint":"cloud account / exposure cluster / Tines story","workflow_value":"recipe-runbook"},{"default_approval_gate":"Security reviewer required","default_cadence":"Daily review queue","default_context_pack":"Runtime controls","default_input_channel_ids":["recipe-index","veracode-findings","confluence-knowledge"],"default_output_channel_id":"torq-webhook","default_recipe_query":"SAST finding triage","default_report_profile_id":"case-management-packet","description":"Route reviewed Veracode findings into a Torq workflow for coordinated remediation, approvals, or exception handling.","id":"veracode-review-to-torq","label":"Veracode review to Torq","status":"community","target_hint":"application profile / finding set / Torq workflow","workflow_value":"sast"},{"default_approval_gate":"Security reviewer required","default_cadence":"On new finding","default_context_pack":"Runtime controls","default_input_channel_ids":["page-context","recipe-index","microsoft-defender-xdr-incidents","confluence-knowledge"],"default_output_channel_id":"splunk-soar-incident","default_recipe_query":"incident triage and containment","default_report_profile_id":"case-management-packet","description":"Take a bounded Defender XDR incident, attach recipe and runbook context, and package it for a Splunk SOAR container.","id":"defender-xdr-to-splunk-soar","label":"Defender XDR to Splunk SOAR","status":"community","target_hint":"incident / device / Splunk SOAR container","workflow_value":"recipe-runbook"}]}}