DEV Community

Alex Kane

n8n for CyberSecurity & InfoSec SaaS Vendors: 5 Automations for CMMC 2.0, FedRAMP, NIST CSF 2.0, and SEC Cyber Disclosure Compliance

If you sell cybersecurity or InfoSec software, you have a problem that no other vertical faces: you are your own first case study. Your SOC2 audit, your CMMC boundary, your FedRAMP continuous monitoring package — every one of them puts your own automation stack in scope. Routing customer security telemetry, incident data, or vulnerability intelligence through a cloud iPaaS like Zapier or Make doesn't just create a vendor risk. For defense contractors, it's a CMMC boundary violation. For publicly traded companies, it's pre-disclosure MNPI outside your disclosure controls. For federal vendors, it's a FedRAMP boundary expansion event.

Here are 5 production-ready n8n workflows for CyberSecurity and InfoSec SaaS vendors — covering CMMC 2.0 (32 CFR Part 170), FedRAMP Continuous Monitoring, NIST CSF 2.0, SEC Rule 13a-15 (Form 8-K Item 1.05), DFARS 252.204-7012, and CISA KEV remediation deadlines.

Who This Is For

| Customer Tier | Compliance Profile |
| --- | --- |
| ENTERPRISE_MSSP | SOC2 Type II + client CUI boundary + DFARS if DoD clients |
| FEDERAL_DEFENSE_CONTRACTOR | CMMC Level 2-3 (32 CFR Part 170) + DFARS 252.204-7012 + FedRAMP if SaaS |
| SOC_AS_A_SERVICE | SOC2 + client incident data = DFARS if DIB clients |
| IDENTITY_SECURITY_SAAS | NIST SP 800-63B AAL2/AAL3 + SOC2 + CMMC AC.L2-3.5.3 |
| ENDPOINT_DETECTION_SAAS | CMMC SI.L2-3.14.7 + FedRAMP SI-3 + DFARS for defense clients |
| CLOUD_SECURITY_POSTURE_SAAS | SOC2 + CSPM data = MNPI for public company clients (SEC Rule 13a-15) |
| CYBERSECURITY_STARTUP | SOC2 Type II foundation + NIST CSF 2.0 self-assessment |

Compliance flags injected at signup: CMMC_L2_L3_REQUIRED, FEDRAMP_AUTHORIZED, NIST_CSF_2_SUBJECT, SEC_CYBER_DISCLOSURE_REQUIRED, DFARS_7012_APPLICABLE, CISA_KEV_SUBSCRIBER, SOC2_REQUIRED.


Workflow 1: Multi-Tier Customer Onboarding Drip

Detects customer tier and compliance flags at signup. Injects CMMC boundary documentation notes for defense contractors, FedRAMP ConMon configuration notes for authorized vendors, and SEC disclosure control reminders for public companies — all on Day 0, before they touch any integration.

{
  "name": "CyberSec SaaS: Multi-Tier Customer Onboarding Drip",
  "nodes": [
    {
      "parameters": {
        "httpMethod": "POST",
        "path": "cybersec-onboard",
        "responseMode": "onReceived",
        "options": {}
      },
      "id": "n1",
      "name": "New Customer Webhook",
      "type": "n8n-nodes-base.webhook",
      "typeVersion": 2,
      "position": [
        200,
        300
      ]
    },
    {
      "parameters": {
        "jsCode": "\n// The Webhook node puts the POST payload under $json.body\nconst customer = $json.body || $json;\nconst tier = customer.tier || 'CYBERSECURITY_STARTUP';\nconst flags = customer.compliance_flags || [];\n\nconst tierMessages = {\n  ENTERPRISE_MSSP: 'As a managed security service provider, your SOC workflows and client CUI flows must stay inside your secure boundary. Day 0: here is your MSSP-specific API guide.',\n  FEDERAL_DEFENSE_CONTRACTOR: 'CMMC 2.0 Level 2 requires all CUI-touching automation to stay within your assessed boundary \u2014 cloud iPaaS nodes outside that boundary are a Level 2 practice gap. Day 0: CMMC boundary integration guide attached.',\n  SOC_AS_A_SERVICE: 'Your SOC-as-a-Service workflows process client alert data 24/7. Routing telemetry through a cloud iPaaS creates an undocumented data egress path. Day 0: SOC workflow architecture guide.',\n  IDENTITY_SECURITY_SAAS: 'Identity event data (auth attempts, MFA challenges, token flows) is among the most sensitive telemetry you handle. Day 0: identity event pipeline guide.',\n  ENDPOINT_DETECTION_SAAS: 'EDR telemetry and threat intel feeds are DFARS-controlled for defense clients. Day 0: endpoint workflow integration guide.',\n  CLOUD_SECURITY_POSTURE_SAAS: 'CSPM misconfiguration data is pre-disclosure MNPI for your publicly traded clients under SEC Rule 13a-15. Day 0: CSPM integration guide.',\n  CYBERSECURITY_STARTUP: 'Your SOC2 Type II audit trail starts now. Every workflow that touches customer security data is in scope. Day 0: quick-start guide attached.',\n};\nconst fedrampNote = flags.includes('FEDRAMP_AUTHORIZED')\n  ? ' NOTE: FedRAMP ConMon requires monthly attestation \u2014 we will configure your automated evidence package on Day 7.'\n  : '';\nconst cmmcNote = flags.includes('CMMC_L2_L3_REQUIRED')\n  ? ' NOTE: CMMC Level 2 assessment scope includes your automation boundary \u2014 review boundary documentation before Day 3 check-in.'\n  : '';\nconst secNote = flags.includes('SEC_CYBER_DISCLOSURE_REQUIRED')\n  ? ' NOTE: SEC Rule 13a-15 requires material incident disclosure within 4 business days \u2014 your workflow incident pipeline should be configured in Week 1.'\n  : '';\n\nreturn [{\n  ...customer,\n  tier,\n  compliance_flags: flags,\n  day0_message: (tierMessages[tier] || tierMessages.CYBERSECURITY_STARTUP) + fedrampNote + cmmcNote + secNote,\n  onboarding_started: new Date().toISOString(),\n}];\n"
      },
      "id": "n2",
      "name": "Tier + Compliance Detect",
      "type": "n8n-nodes-base.code",
      "typeVersion": 2,
      "position": [
        450,
        300
      ]
    },
    {
      "parameters": {
        "fromEmail": "ops@flowkit.io",
        "toEmail": "={{ $json.email }}",
        "subject": "Welcome to FlowKit \u2014 Your CyberSec Workflow Quick-Start [Day 0]",
        "message": "={{ $json.day0_message }} \u2014 Your store: https://stripeai.gumroad.com",
        "options": {}
      },
      "id": "n3",
      "name": "Day 0 Welcome Email",
      "type": "n8n-nodes-base.gmail",
      "typeVersion": 2,
      "position": [
        700,
        300
      ]
    },
    {
      "parameters": {
        "unit": "days",
        "amount": 3
      },
      "id": "n4",
      "name": "Wait 3 Days",
      "type": "n8n-nodes-base.wait",
      "typeVersion": 1,
      "position": [
        700,
        450
      ]
    },
    {
      "parameters": {
        "fromEmail": "ops@flowkit.io",
        "toEmail": "={{ $json.email }}",
        "subject": "Day 3: Is your security workflow boundary documented?",
        "message": "Hi {{ $json.company_name }} team \u2014 quick Day 3 check-in. The most common CMMC/FedRAMP gap we see is undocumented automation nodes in the compliance boundary. Reply if you need help mapping your workflow topology. Full template library: https://stripeai.gumroad.com",
        "options": {}
      },
      "id": "n5",
      "name": "Day 3 Check-In",
      "type": "n8n-nodes-base.gmail",
      "typeVersion": 2,
      "position": [
        950,
        450
      ]
    },
    {
      "parameters": {
        "unit": "days",
        "amount": 4
      },
      "id": "n6",
      "name": "Wait 4 Days",
      "type": "n8n-nodes-base.wait",
      "typeVersion": 1,
      "position": [
        950,
        600
      ]
    },
    {
      "parameters": {
        "fromEmail": "ops@flowkit.io",
        "toEmail": "={{ $json.email }}",
        "subject": "Day 7: Your 5 must-have CyberSec automation workflows",
        "message": "Here are the 5 workflows every InfoSec SaaS vendor needs: (1) CMMC/FedRAMP deadline tracker, (2) Security API health monitor, (3) Incident response pipeline, (4) SOC2 evidence collection, (5) Weekly security KPI briefing. All available at: https://stripeai.gumroad.com",
        "options": {}
      },
      "id": "n7",
      "name": "Day 7 Feature Guide",
      "type": "n8n-nodes-base.gmail",
      "typeVersion": 2,
      "position": [
        1200,
        600
      ]
    },
    {
      "parameters": {
        "operation": "appendOrUpdate",
        "documentId": {
          "__rl": true,
          "value": "your-sheet-id",
          "mode": "id"
        },
        "sheetName": {
          "__rl": true,
          "value": "Onboarding",
          "mode": "name"
        },
        "columns": {
          "mappingMode": "autoMapInputData",
          "value": {},
          "matchingColumns": [
            "email"
          ],
          "schema": []
        },
        "options": {}
      },
      "id": "n8",
      "name": "Log Onboarding",
      "type": "n8n-nodes-base.googleSheets",
      "typeVersion": 4,
      "position": [
        1450,
        600
      ]
    }
  ],
  "connections": {
    "New Customer Webhook": {
      "main": [
        [
          {
            "node": "Tier + Compliance Detect",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Tier + Compliance Detect": {
      "main": [
        [
          {
            "node": "Day 0 Welcome Email",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Day 0 Welcome Email": {
      "main": [
        [
          {
            "node": "Wait 3 Days",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Wait 3 Days": {
      "main": [
        [
          {
            "node": "Day 3 Check-In",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Day 3 Check-In": {
      "main": [
        [
          {
            "node": "Wait 4 Days",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Wait 4 Days": {
      "main": [
        [
          {
            "node": "Day 7 Feature Guide",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Day 7 Feature Guide": {
      "main": [
        [
          {
            "node": "Log Onboarding",
            "type": "main",
            "index": 0
          }
        ]
      ]
    }
  }
}

Workflow 2: CMMC / FedRAMP / NIST / SEC Deadline Tracker

Runs daily at 7AM. Classifies 12 compliance deadline types across CMMC Level 2/3 PAO assessments, FedRAMP ConMon monthly packages, NIST CSF 2.0 annual self-assessments, DFARS SSP annual reviews, SEC disclosure controls testing, CISA KEV 14-day FCEB remediation windows, SOC2 Type II renewals, ISO 27001 surveillance audits, annual penetration tests, and DISA STIG quarterly reviews.

{
  "name": "CyberSec SaaS: CMMC/FedRAMP/NIST/SEC Compliance Deadline Tracker",
  "nodes": [
    {
      "parameters": {
        "rule": {
          "interval": [
            {
              "field": "cronExpression",
              "expression": "0 7 * * *"
            }
          ]
        }
      },
      "id": "n1",
      "name": "Daily 7AM",
      "type": "n8n-nodes-base.scheduleTrigger",
      "typeVersion": 1,
      "position": [
        200,
        300
      ]
    },
    {
      "parameters": {
        "operation": "getAll",
        "documentId": {
          "__rl": true,
          "value": "your-sheet-id",
          "mode": "id"
        },
        "sheetName": {
          "__rl": true,
          "value": "ComplianceDeadlines",
          "mode": "name"
        },
        "options": {}
      },
      "id": "n2",
      "name": "Load Deadlines",
      "type": "n8n-nodes-base.googleSheets",
      "typeVersion": 4,
      "position": [
        450,
        300
      ]
    },
    {
      "parameters": {
        "jsCode": "\nconst now = new Date();\nconst results = [];\nfor (const row of $input.all()) {\n  const d = row.json;\n  const deadline = new Date(d.deadline_date);\n  const daysUntil = Math.floor((deadline - now) / 86400000);\n  let tier = null;\n  if (daysUntil < 0) tier = 'OVERDUE';\n  else if (daysUntil <= 3) tier = 'CRITICAL';\n  else if (daysUntil <= 7) tier = 'URGENT';\n  else if (daysUntil <= 21) tier = 'WARNING';\n  else if (daysUntil <= 45) tier = 'NOTICE';\n  if (tier) results.push({ ...d, tier, days_until: daysUntil,\n    deadline_type: d.deadline_type,\n    // Known deadline types:\n    // CMMC_L2_C3_PAO_ASSESSMENT_ANNUAL \u2014 C3PAO assessment window must be scheduled 90d out\n    // CMMC_L2_ANNUAL_SELF_ASSESSMENT \u2014 DoD SPRS submission due\n    // FEDRAMP_CONTINUOUS_MONITORING_MONTHLY \u2014 ConMon package to AO\n    // FEDRAMP_ANNUAL_ASSESSMENT_3PAO \u2014 3PAO scheduled assessment\n    // NIST_CSF_2_SELF_ASSESSMENT_ANNUAL \u2014 governance review\n    // DFARS_7012_SYSTEM_SECURITY_PLAN_ANNUAL \u2014 SSP review + SPRS score update\n    // SEC_8K_MATERIAL_CYBER_REVIEW_QUARTERLY \u2014 disclosure controls test\n    // CISA_KEV_FCEB_14_DAY_REMEDIATION \u2014 Known Exploited Vulnerability patch window\n    // SOC2_TYPE2_ANNUAL_RENEWAL \u2014 auditor scheduling required 60d out\n    // ISO_27001_SURVEILLANCE_AUDIT_ANNUAL\n    // ANNUAL_PENETRATION_TEST \u2014 report required for CMMC/FedRAMP\n    // DISA_STIG_QUARTERLY_REVIEW \u2014 STIGs for FedRAMP-in-process vendors\n  });\n}\nreturn results;\n"
      },
      "id": "n3",
      "name": "Classify Deadlines",
      "type": "n8n-nodes-base.code",
      "typeVersion": 2,
      "position": [
        700,
        300
      ]
    },
    {
      "parameters": {
        "conditions": {
          "options": {
            "caseSensitive": true
          },
          "conditions": [
            {
              "leftValue": "={{ $json.tier }}",
              "rightValue": "NOTICE",
              "operator": {
                "type": "string",
                "operation": "notEquals"
              }
            }
          ]
        },
        "options": {}
      },
      "id": "n4",
      "name": "Filter Actionable",
      "type": "n8n-nodes-base.if",
      "typeVersion": 2,
      "position": [
        950,
        300
      ]
    },
    {
      "parameters": {
        "select": "channel",
        "channelId": {
          "__rl": true,
          "value": "C_COMPLIANCE_CHANNEL",
          "mode": "id"
        },
        "text": "={{ $json.tier }}: {{ $json.deadline_type }} \u2014 {{ $json.days_until }}d remaining. Owner: {{ $json.owner_email }}. Reg: {{ $json.regulation }}.",
        "otherOptions": {}
      },
      "id": "n5",
      "name": "Slack #compliance",
      "type": "n8n-nodes-base.slack",
      "typeVersion": 2,
      "position": [
        1200,
        200
      ]
    },
    {
      "parameters": {
        "fromEmail": "compliance@flowkit.io",
        "toEmail": "={{ $json.owner_email }}",
        "subject": "={{ $json.tier }}: {{ $json.deadline_type }} \u2014 {{ $json.days_until }} days",
        "message": "Compliance deadline approaching: {{ $json.deadline_type }}\nRegulation: {{ $json.regulation }}\nDeadline: {{ $json.deadline_date }}\nDays remaining: {{ $json.days_until }}\nStatus: {{ $json.tier }}\n\nAction required: {{ $json.action_required }}",
        "options": {}
      },
      "id": "n6",
      "name": "Email Owner",
      "type": "n8n-nodes-base.gmail",
      "typeVersion": 2,
      "position": [
        1200,
        400
      ]
    }
  ],
  "connections": {
    "Daily 7AM": {
      "main": [
        [
          {
            "node": "Load Deadlines",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Load Deadlines": {
      "main": [
        [
          {
            "node": "Classify Deadlines",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Classify Deadlines": {
      "main": [
        [
          {
            "node": "Filter Actionable",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Filter Actionable": {
      "main": [
        [
          {
            "node": "Slack #compliance",
            "type": "main",
            "index": 0
          }
        ],
        [
          {
            "node": "Email Owner",
            "type": "main",
            "index": 0
          }
        ]
      ]
    }
  }
}

Workflow 3: Security API Health Monitor (15-Min, DFARS-Aware)

Polls 5 critical security endpoints every 15 minutes — tighter than the DFARS 72-hour reporting clock. Each endpoint is annotated with its specific compliance consequence: CISA KEV 14-day gap, CMMC AC.L2-3.5.3 MFA failure, FedRAMP ConMon log ingestion gap, CMMC RM.L2-3.11.3 scan gap, or CMMC SI.L2-3.14.7 protection gap.

{
  "name": "CyberSec SaaS: Security API Health Monitor (15-min, DFARS-aware)",
  "nodes": [
    {
      "parameters": {
        "rule": {
          "interval": [
            {
              "field": "cronExpression",
              "expression": "*/15 * * * *"
            }
          ]
        }
      },
      "id": "n1",
      "name": "Every 15 Min",
      "type": "n8n-nodes-base.scheduleTrigger",
      "typeVersion": 1,
      "position": [
        200,
        300
      ]
    },
    {
      "parameters": {
        "operation": "getAll",
        "documentId": {
          "__rl": true,
          "value": "your-sheet-id",
          "mode": "id"
        },
        "sheetName": {
          "__rl": true,
          "value": "SecurityEndpoints",
          "mode": "name"
        },
        "options": {}
      },
      "id": "n2",
      "name": "Load API Endpoints",
      "type": "n8n-nodes-base.googleSheets",
      "typeVersion": 4,
      "position": [
        450,
        300
      ]
    },
    {
      "parameters": {
        "method": "GET",
        "url": "={{ $json.endpoint_url }}",
        "options": {
          "timeout": 10000,
          "response": {
            "response": {
              "fullResponse": true
            }
          }
        }
      },
      "id": "n3",
      "name": "HTTP Health Check",
      "type": "n8n-nodes-base.httpRequest",
      "typeVersion": 4,
      "position": [
        700,
        300
      ]
    },
    {
      "parameters": {
        "jsCode": "\n// Security endpoints with compliance context:\n// threat_intel_api \u2014 CISA KEV integration (14-day FCEB remediation clock, 2-week recommended)\n// identity_provider_api \u2014 NIST SP 800-63B AAL2/AAL3 (CMMC AC.L2-3.5.3 MFA)\n// siem_api \u2014 CMMC IR.L2-3.6.1 incident detection / FedRAMP ConMon log source\n// vulnerability_scanner_api \u2014 CMMC RM.L2-3.11.3 / FedRAMP RA-5 scan cadence\n// endpoint_detection_api \u2014 CMMC SI.L2-3.14.7 / FedRAMP SI-3 malicious code protection\nconst s = $json;\nconst status_code = s.statusCode || 0;\nconst response_time = s.headers?.['x-response-time'] ? parseInt(s.headers['x-response-time']) : 0;\nlet health = 'OK';\nif (status_code === 0 || status_code >= 500) health = 'DOWN';\nelse if (status_code >= 400 || response_time > 3000) health = 'DEGRADED';\nconst compliance_annotation = {\n  threat_intel_api: 'CISA KEV 14-day FCEB remediation clock \u2014 downtime = unpatched KEV gap',\n  identity_provider_api: 'CMMC AC.L2-3.5.3 MFA downtime = authentication control failure',\n  siem_api: 'CMMC IR.L2-3.6.1 / FedRAMP ConMon log ingestion gap',\n  vulnerability_scanner_api: 'CMMC RM.L2-3.11.3 scan gap = undocumented vulnerability window',\n  endpoint_detection_api: 'CMMC SI.L2-3.14.7 / FedRAMP SI-3 protection gap',\n};\nreturn [{ ...s, health, response_time, compliance_note: compliance_annotation[s.endpoint_name] || '' }];\n"
      },
      "id": "n4",
      "name": "Classify Health",
      "type": "n8n-nodes-base.code",
      "typeVersion": 2,
      "position": [
        950,
        300
      ]
    },
    {
      "parameters": {
        "conditions": {
          "options": {},
          "conditions": [
            {
              "leftValue": "={{ $json.health }}",
              "rightValue": "OK",
              "operator": {
                "type": "string",
                "operation": "notEquals"
              }
            }
          ]
        },
        "options": {}
      },
      "id": "n5",
      "name": "Filter Non-OK",
      "type": "n8n-nodes-base.if",
      "typeVersion": 2,
      "position": [
        1200,
        300
      ]
    },
    {
      "parameters": {
        "select": "channel",
        "channelId": {
          "__rl": true,
          "value": "C_SECURITY_OPS",
          "mode": "id"
        },
        "text": "={{ $json.health }}: {{ $json.endpoint_name }} \u2014 {{ $json.compliance_note }} | HTTP {{ $json.statusCode }} | {{ $json.response_time }}ms",
        "otherOptions": {}
      },
      "id": "n6",
      "name": "Slack #security-ops",
      "type": "n8n-nodes-base.slack",
      "typeVersion": 2,
      "position": [
        1450,
        200
      ]
    },
    {
      "parameters": {
        "operation": "appendOrUpdate",
        "documentId": {
          "__rl": true,
          "value": "your-sheet-id",
          "mode": "id"
        },
        "sheetName": {
          "__rl": true,
          "value": "SLALog",
          "mode": "name"
        },
        "columns": {
          "mappingMode": "autoMapInputData",
          "value": {},
          "matchingColumns": [
            "endpoint_name"
          ],
          "schema": []
        },
        "options": {}
      },
      "id": "n7",
      "name": "Log to SLA Sheet",
      "type": "n8n-nodes-base.googleSheets",
      "typeVersion": 4,
      "position": [
        1450,
        400
      ]
    }
  ],
  "connections": {
    "Every 15 Min": {
      "main": [
        [
          {
            "node": "Load API Endpoints",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Load API Endpoints": {
      "main": [
        [
          {
            "node": "HTTP Health Check",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "HTTP Health Check": {
      "main": [
        [
          {
            "node": "Classify Health",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Classify Health": {
      "main": [
        [
          {
            "node": "Filter Non-OK",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Filter Non-OK": {
      "main": [
        [
          {
            "node": "Slack #security-ops",
            "type": "main",
            "index": 0
          }
        ],
        [
          {
            "node": "Log to SLA Sheet",
            "type": "main",
            "index": 0
          }
        ]
      ]
    }
  }
}

Workflow 4: Incident Response Pipeline (SEC / CMMC / DFARS)

Eight incident types, each with its regulatory clock pre-loaded:

| Incident Type | SLA | Fastest Clock |
| --- | --- | --- |
| CMMC_ASSESSMENT_TRIGGERED | IMMEDIATE | DoD may arrive on-site within days |
| SEC_CYBER_INCIDENT_MATERIAL | 4 business days | Form 8-K Item 1.05 disclosure deadline |
| DFARS_72H_INCIDENT_REPORT | 72 hours | DoD DC3 report (800-249-8431) |
| CISA_KEV_EXPLOIT_CONFIRMED | 14 days | FCEB BOD 22-01 mandatory patch |
| FEDRAMP_SIGNIFICANT_CHANGE_EVENT | IMMEDIATE | AO change request submission |
| DATA_BREACH_PII | 72 hours | GDPR Art.33 + state breach laws |
| RANSOMWARE_CUI_SYSTEMS | IMMEDIATE | CMMC IR.L2-3.6.2 + DFARS 72h starts |
| SUPPLY_CHAIN_COMPROMISE_DETECTED | IMMEDIATE | CMMC CM.L2-3.4.8 + EO 14028 |

{
  "name": "CyberSec SaaS: Incident Response Pipeline (SEC/CMMC/DFARS)",
  "nodes": [
    {
      "parameters": {
        "httpMethod": "POST",
        "path": "cybersec-incident",
        "responseMode": "onReceived",
        "options": {}
      },
      "id": "n1",
      "name": "Incident Webhook",
      "type": "n8n-nodes-base.webhook",
      "typeVersion": 2,
      "position": [
        200,
        300
      ]
    },
    {
      "parameters": {
        "jsCode": "\n// The Webhook node puts the POST payload under $json.body\nconst inc = $json.body || $json;\nconst type = inc.incident_type || 'UNKNOWN';\nconst clocks = {\n  // CMMC_ASSESSMENT_TRIGGERED: DoD may begin on-site within days \u2014 IMMEDIATE stop CUI sharing in non-assessed systems\n  CMMC_ASSESSMENT_TRIGGERED:            { sla: 'IMMEDIATE', sla_hours: 0, channel: 'C_CMMC_TEAM', note: 'CMMC Level 2 assessment \u2014 stop CUI processing in non-boundary systems, prepare SSP and POAM documentation immediately (32 CFR Part 170)' },\n  // SEC_CYBER_INCIDENT_MATERIAL: 4 business days from materiality determination (Form 8-K Item 1.05) \u2014 fastest clock for public companies\n  SEC_CYBER_INCIDENT_MATERIAL:          { sla: '4 BUSINESS DAYS', sla_hours: 96, channel: 'C_LEGAL_CHANNEL', note: 'SEC Rule 13a-15 / Form 8-K Item 1.05 \u2014 material cybersecurity incident disclosure. Engage legal counsel immediately. Materiality assessment data is MNPI \u2014 do not route through cloud iPaaS.' },\n  // DFARS_72H_INCIDENT_REPORT: 72 hours to DoD DC3 (800-249-8431) \u2014 for vendors processing CUI under 252.204-7012\n  DFARS_72H_INCIDENT_REPORT:            { sla: '72 HOURS', sla_hours: 72, channel: 'C_COMPLIANCE_CHANNEL', note: 'DFARS 252.204-7012 \u2014 report to DoD Cyber Crime Center DC3 (800-249-8431) and contracting officer within 72 hours. Preserve media for 90 days.' },\n  // CISA_KEV_EXPLOIT_CONFIRMED: 14 days for FCEB agencies (BOD 22-01), 2 weeks recommended for all\n  CISA_KEV_EXPLOIT_CONFIRMED:           { sla: '14 DAYS', sla_hours: 336, channel: 'C_VULN_TEAM', note: 'CISA KEV BOD 22-01 \u2014 patch within 14 days (FCEB mandatory). Update CISA KEV tracking sheet and CMMC RM.L2-3.11.3 remediation log.' },\n  // FEDRAMP_SIGNIFICANT_CHANGE_EVENT: IMMEDIATE change request submission to Authorizing Official\n  FEDRAMP_SIGNIFICANT_CHANGE_EVENT:     { sla: 'IMMEDIATE', sla_hours: 0, channel: 'C_FEDRAMP_TEAM', note: 'FedRAMP significant change \u2014 submit change request to AO immediately. Do not deploy without AO approval. Update ConMon artifacts.' },\n  // DATA_BREACH_PII: 72h GDPR Art.33 + state law (CA CCPA 30d, NY SHIELD 30d)\n  DATA_BREACH_PII:                      { sla: '72 HOURS GDPR', sla_hours: 72, channel: 'C_LEGAL_CHANNEL', note: 'GDPR Art.33 + state breach laws. Notify DPA within 72h if EU data involved. Prepare individual notifications (Art.34 if high risk). Document under Art.33(5).' },\n  // RANSOMWARE_CUI_SYSTEMS: IMMEDIATE \u2014 CMMC + DFARS + CISA ransomware guidance\n  RANSOMWARE_CUI_SYSTEMS:               { sla: 'IMMEDIATE', sla_hours: 0, channel: 'C_INCIDENT_BRIDGE', note: 'CMMC IR.L2-3.6.2 + DFARS 252.204-7012 + CISA ransomware guidance. Isolate CUI systems immediately. DFARS 72h clock starts now. Preserve forensic images for DC3.' },\n  // SUPPLY_CHAIN_COMPROMISE_DETECTED: IMMEDIATE \u2014 CMMC CM.L2-3.4.8 + EO 14028\n  SUPPLY_CHAIN_COMPROMISE_DETECTED:     { sla: 'IMMEDIATE', sla_hours: 0, channel: 'C_INCIDENT_BRIDGE', note: 'CMMC CM.L2-3.4.8 supply chain risk management + EO 14028 software supply chain security. Identify affected components, notify affected customers, update SBOM.' },\n};\nconst c = clocks[type] || { sla: 'REVIEW', sla_hours: 24, channel: 'C_SECURITY_OPS', note: 'Review incident type and escalate appropriately.' };\nreturn [{ ...inc, ...c, detected_at: new Date().toISOString() }];\n"
      },
      "id": "n2",
      "name": "Classify Incident",
      "type": "n8n-nodes-base.code",
      "typeVersion": 2,
      "position": [
        450,
        300
      ]
    },
    {
      "parameters": {
        "select": "channel",
        "channelId": {
          "__rl": true,
          "value": "={{ $json.channel }}",
          "mode": "id"
        },
        "text": "INCIDENT [{{ $json.sla }}]: {{ $json.incident_type }}\n{{ $json.note }}\nDetected: {{ $json.detected_at }}\nReported by: {{ $json.reporter }}",
        "otherOptions": {}
      },
      "id": "n3",
      "name": "Slack Incident Channel",
      "type": "n8n-nodes-base.slack",
      "typeVersion": 2,
      "position": [
        700,
        300
      ]
    },
    {
      "parameters": {
        "fromEmail": "security@flowkit.io",
        "toEmail": "={{ $json.incident_owner }}",
        "subject": "[{{ $json.sla }}] {{ $json.incident_type }} \u2014 IMMEDIATE ACTION REQUIRED",
        "message": "Incident detected: {{ $json.incident_type }}\nSLA: {{ $json.sla }}\nCompliance note: {{ $json.note }}\nDetected at: {{ $json.detected_at }}\n\nAction required within SLA window.",
        "options": {}
      },
      "id": "n4",
      "name": "Email Incident Owner",
      "type": "n8n-nodes-base.gmail",
      "typeVersion": 2,
      "position": [
        700,
        500
      ]
    },
    {
      "parameters": {
        "operation": "append",
        "documentId": {
          "__rl": true,
          "value": "your-sheet-id",
          "mode": "id"
        },
        "sheetName": {
          "__rl": true,
          "value": "IncidentLog",
          "mode": "name"
        },
        "columns": {
          "mappingMode": "autoMapInputData",
          "value": {},
          "matchingColumns": [],
          "schema": []
        },
        "options": {}
      },
      "id": "n5",
      "name": "Log Incident",
      "type": "n8n-nodes-base.googleSheets",
      "typeVersion": 4,
      "position": [
        950,
        400
      ]
    }
  ],
  "connections": {
    "Incident Webhook": {
      "main": [
        [
          {
            "node": "Classify Incident",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Classify Incident": {
      "main": [
        [
          {
            "node": "Slack Incident Channel",
            "type": "main",
            "index": 0
          }
        ],
        [
          {
            "node": "Email Incident Owner",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Slack Incident Channel": {
      "main": [
        [
          {
            "node": "Log Incident",
            "type": "main",
            "index": 0
          }
        ]
      ]
    }
  }
}
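
Workflow 4 stores the SEC clock as `sla_hours: 96`, which counts calendar hours, while the table gives it as 4 business days. The block below is an added example (not part of the original post or its workflows) that turns each incident type into a due timestamp and counts the Form 8-K window in business days. The `kind` field, the function names, the UTC end-of-day cutoff, and the caller-supplied holiday list are assumptions of this example.

```javascript
// Added example, not from the original post. All instants are handled in UTC.
const HOUR_MS = 3600000;

// One entry per Workflow 4 incident type. The `kind` field is an assumption of this
// example: it records how the clock is counted, which a flat sla_hours value cannot.
const CLOCKS = {
  CMMC_ASSESSMENT_TRIGGERED:        { kind: 'immediate' },
  SEC_CYBER_INCIDENT_MATERIAL:      { kind: 'business_days', amount: 4 },
  DFARS_72H_INCIDENT_REPORT:        { kind: 'hours', amount: 72 },
  CISA_KEV_EXPLOIT_CONFIRMED:       { kind: 'hours', amount: 14 * 24 },
  FEDRAMP_SIGNIFICANT_CHANGE_EVENT: { kind: 'immediate' },
  DATA_BREACH_PII:                  { kind: 'hours', amount: 72 },
  RANSOMWARE_CUI_SYSTEMS:           { kind: 'immediate' },
  SUPPLY_CHAIN_COMPROMISE_DETECTED: { kind: 'immediate' },
};

// Mirrors the workflow's fallback for unknown incident types (REVIEW, 24 hours).
const FALLBACK_CLOCK = { kind: 'hours', amount: 24 };

// Reject unparseable timestamps instead of letting NaN flow into a deadline.
function parseInstant(iso) {
  const d = new Date(iso);
  if (Number.isNaN(d.getTime())) throw new Error('invalid timestamp: ' + iso);
  return d;
}

function isBusinessDay(day, holidaySet) {
  const dow = day.getUTCDay(); // 0 = Sunday, 6 = Saturday
  return dow !== 0 && dow !== 6 && !holidaySet.has(day.toISOString().slice(0, 10));
}

// End (23:59:59.999 UTC) of the n-th business day after the day containing `start`.
// The start day itself is not counted; `holidays` is a list of YYYY-MM-DD strings.
function addBusinessDays(start, n, holidays) {
  const holidaySet = new Set(holidays);
  const day = new Date(Date.UTC(start.getUTCFullYear(), start.getUTCMonth(), start.getUTCDate()));
  for (let counted = 0; counted < n; ) {
    day.setUTCDate(day.getUTCDate() + 1);
    if (isBusinessDay(day, holidaySet)) counted += 1;
  }
  day.setUTCHours(23, 59, 59, 999);
  return day;
}

// What a flat sla_hours value yields: calendar hours from the clock start.
function flatHoursDueAt(clockStartIso, slaHours) {
  return new Date(parseInstant(clockStartIso).getTime() + slaHours * HOUR_MS);
}

// Due instant for an incident type, counted from the moment its clock starts
// (for the SEC clock that is the materiality determination, not detection).
function dueAt(incidentType, clockStartIso, holidays = []) {
  const start = parseInstant(clockStartIso);
  const known = Object.prototype.hasOwnProperty.call(CLOCKS, incidentType);
  const clock = known ? CLOCKS[incidentType] : FALLBACK_CLOCK;
  switch (clock.kind) {
    case 'immediate':
      return start;
    case 'hours':
      return new Date(start.getTime() + clock.amount * HOUR_MS);
    case 'business_days':
      return addBusinessDays(start, clock.amount, holidays);
    default:
      throw new Error('unknown clock kind: ' + clock.kind);
  }
}

// Status record suitable for a Slack line or a log row.
function clockStatus(incidentType, clockStartIso, nowIso, holidays = []) {
  const due = dueAt(incidentType, clockStartIso, holidays);
  const now = parseInstant(nowIso);
  return {
    incident_type: incidentType,
    due_at: due.toISOString(),
    hours_remaining: Math.round(((due - now) / HOUR_MS) * 10) / 10,
    breached: now > due,
  };
}

// Constructed sample: materiality determined Thursday 2024-06-06 15:00 UTC,
// status checked the following Monday at 16:00 UTC.
const sample = clockStatus('SEC_CYBER_INCIDENT_MATERIAL', '2024-06-06T15:00:00Z', '2024-06-10T16:00:00Z');
console.log(sample, 'flat 96h would be due', flatHoursDueAt('2024-06-06T15:00:00Z', 96).toISOString());
```

In the constructed sample the flat 96-hour value reports the clock as already expired on Monday afternoon, while the business-day count still has until the end of Wednesday; the hour-based DFARS and GDPR clocks keep running through the weekend.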

Workflow 5: Weekly CyberSec SaaS KPI Dashboard

Monday 8AM. Two Postgres queries (accounts by tier + incident signals), merged and built into an HTML table with WoW MRR delta. Tracks CMMC assessments open, SEC material cyber disclosures open, DFARS 72h reports in the last 30 days, and CISA KEV open count — exactly the board-level signals a cybersecurity SaaS CEO needs.

{
  "name": "CyberSec SaaS: Weekly Security & Business KPI Briefing",
  "nodes": [
    {
      "parameters": {
        "rule": {
          "interval": [
            {
              "field": "cronExpression",
              "expression": "0 8 * * 1"
            }
          ]
        }
      },
      "id": "n1",
      "name": "Monday 8AM",
      "type": "n8n-nodes-base.scheduleTrigger",
      "typeVersion": 1,
      "position": [
        200,
        300
      ]
    },
    {
      "parameters": {
        "operation": "executeQuery",
        "query": "SELECT COUNT(*) as total_accounts, COUNT(CASE WHEN tier='ENTERPRISE_MSSP' THEN 1 END) as mssp_accounts, COUNT(CASE WHEN tier='FEDERAL_DEFENSE_CONTRACTOR' THEN 1 END) as federal_accounts, COUNT(CASE WHEN tier='SOC_AS_A_SERVICE' THEN 1 END) as soc_accounts, SUM(mrr_usd) as total_mrr, COUNT(CASE WHEN created_at > NOW()-INTERVAL '7 days' THEN 1 END) as new_this_week, COUNT(CASE WHEN churned_at > NOW()-INTERVAL '7 days' THEN 1 END) as churned_this_week FROM accounts WHERE active=true",
        "options": {}
      },
      "id": "n2",
      "name": "Account & MRR Query",
      "type": "n8n-nodes-base.postgres",
      "typeVersion": 2,
      "position": [
        450,
        300
      ]
    },
    {
      "parameters": {
        "operation": "executeQuery",
        "query": "SELECT COUNT(CASE WHEN incident_type='CMMC_ASSESSMENT_TRIGGERED' AND status='OPEN' THEN 1 END) as cmmc_assessments_open, COUNT(CASE WHEN incident_type='SEC_CYBER_INCIDENT_MATERIAL' AND status='OPEN' THEN 1 END) as sec_disclosures_open, COUNT(CASE WHEN incident_type='DFARS_72H_INCIDENT_REPORT' AND created_at > NOW()-INTERVAL '30 days' THEN 1 END) as dfars_incidents_30d, COUNT(CASE WHEN incident_type='CISA_KEV_EXPLOIT_CONFIRMED' AND status='OPEN' THEN 1 END) as cisa_kev_open, COUNT(CASE WHEN status='OPEN' THEN 1 END) as total_open FROM incident_log",
        "options": {}
      },
      "id": "n3",
      "name": "Incident Query",
      "type": "n8n-nodes-base.postgres",
      "typeVersion": 2,
      "position": [
        450,
        500
      ]
    },
    {
      "parameters": {
        "mode": "combineAll",
        "options": {}
      },
      "id": "n4",
      "name": "Merge Metrics",
      "type": "n8n-nodes-base.merge",
      "typeVersion": 3,
      "position": [
        700,
        400
      ]
    },
    {
      "parameters": {
        "jsCode": "\n// Workflow static data carries the previous run's MRR forward for the WoW figure.\nconst prev = $getWorkflowStaticData('global');\nconst cur = { ...$input.first().json, ...$input.last().json };\n// SUM() may arrive from Postgres as a string, so coerce before arithmetic and formatting.\nconst mrr = Number(cur.total_mrr) || 0;\nconst prevMrr = Number(prev.total_mrr) || mrr;\nconst mrrWoW = prevMrr > 0 ? (((mrr - prevMrr) / prevMrr) * 100).toFixed(1) : '0.0';\nObject.assign(prev, cur, { total_mrr: mrr });\nconst html = [\n  '<h2>FlowKit CyberSec SaaS Weekly KPI</h2>',\n  '<table border=1 cellpadding=6>',\n  '<tr><th>Metric</th><th>Value</th><th>WoW</th></tr>',\n  '<tr><td>Total Accounts</td><td>' + cur.total_accounts + '</td><td>\u2014</td></tr>',\n  '<tr><td>MSSP Accounts</td><td>' + cur.mssp_accounts + '</td><td>\u2014</td></tr>',\n  '<tr><td>Federal/Defense Accounts</td><td>' + cur.federal_accounts + '</td><td>\u2014</td></tr>',\n  '<tr><td>SOC-as-a-Service</td><td>' + cur.soc_accounts + '</td><td>\u2014</td></tr>',\n  '<tr><td>MRR (USD)</td><td>$' + mrr.toLocaleString() + '</td><td>' + mrrWoW + '%</td></tr>',\n  '<tr><td>New This Week</td><td>' + cur.new_this_week + '</td><td>\u2014</td></tr>',\n  '<tr><td>Churned This Week</td><td>' + cur.churned_this_week + '</td><td>\u2014</td></tr>',\n  '<tr><th colspan=3>Compliance / Incident Signals</th></tr>',\n  '<tr><td>CMMC Assessments Open</td><td>' + cur.cmmc_assessments_open + '</td><td>\u2014</td></tr>',\n  '<tr><td>SEC Cyber Disclosures Open</td><td>' + cur.sec_disclosures_open + '</td><td>\u2014</td></tr>',\n  '<tr><td>DFARS 72h Reports (30d)</td><td>' + cur.dfars_incidents_30d + '</td><td>\u2014</td></tr>',\n  '<tr><td>CISA KEV Open</td><td>' + cur.cisa_kev_open + '</td><td>\u2014</td></tr>',\n  '<tr><td>Total Open Incidents</td><td>' + cur.total_open + '</td><td>\u2014</td></tr>',\n  '</table>',\n].join('');\n// Code node items carry their fields under a json key; total_mrr is passed on as a number.\nreturn [{ json: { html, mrr_wow: mrrWoW, ...cur, total_mrr: mrr } }];\n"
      },
      "id": "n5",
      "name": "Build KPI Report",
      "type": "n8n-nodes-base.code",
      "typeVersion": 2,
      "position": [
        950,
        400
      ]
    },
    {
      "parameters": {
        "fromEmail": "ops@flowkit.io",
        "toEmail": "ceo@yourcompany.com",
        "subject": "=FlowKit CyberSec SaaS Weekly KPI \u2014 MRR ${{ $json.total_mrr.toLocaleString() }}",
        "message": "={{ $json.html }}",
        "options": {
          "appendAttribution": false
        }
      },
      "id": "n6",
      "name": "Email CEO + BCC CISO",
      "type": "n8n-nodes-base.gmail",
      "typeVersion": 2,
      "position": [
        1200,
        300
      ]
    },
    {
      "parameters": {
        "select": "channel",
        "channelId": {
          "__rl": true,
          "value": "C_MANAGEMENT",
          "mode": "id"
        },
        "text": "=Weekly KPI: MRR ${{ $json.total_mrr }} ({{ $json.mrr_wow }}% WoW) | {{ $json.total_accounts }} accounts | {{ $json.federal_accounts }} federal | CMMC open: {{ $json.cmmc_assessments_open }} | SEC disclosures: {{ $json.sec_disclosures_open }} | KEV open: {{ $json.cisa_kev_open }}",
        "otherOptions": {}
      },
      "id": "n7",
      "name": "Slack #management",
      "type": "n8n-nodes-base.slack",
      "typeVersion": 2,
      "position": [
        1200,
        500
      ]
    }
  ],
  "connections": {
    "Monday 8AM": {
      "main": [
        [
          {
            "node": "Account & MRR Query",
            "type": "main",
            "index": 0
          }
        ],
        [
          {
            "node": "Incident Query",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Account & MRR Query": {
      "main": [
        [
          {
            "node": "Merge Metrics",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Incident Query": {
      "main": [
        [
          {
            "node": "Merge Metrics",
            "type": "main",
            "index": 1
          }
        ]
      ]
    },
    "Merge Metrics": {
      "main": [
        [
          {
            "node": "Build KPI Report",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Build KPI Report": {
      "main": [
        [
          {
            "node": "Email CEO + BCC CISO",
            "type": "main",
            "index": 0
          }
        ],
        [
          {
            "node": "Slack #management",
            "type": "main",
            "index": 0
          }
        ]
      ]
    }
  }
}

Why CyberSecurity SaaS Vendors Have the Sharpest Self-Hosting Argument

| Compliance Layer | What Cloud iPaaS Breaks |
|---|---|
| CMMC 2.0 (32 CFR Part 170) | Cloud iPaaS node outside assessed boundary = undocumented Electronic Access Point — Level 2 practice gap in CMMC AC.L2-3.1.3 or SI.L2-3.14.7 |
| DFARS 252.204-7012 | CUI flowing through Zapier/Make = CUI outside your system boundary — contracting officer notification required |
| FedRAMP ConMon | Automation must stay within the FedRAMP-authorized boundary — cloud iPaaS = boundary expansion requiring AO approval |
| SEC Rule 13a-15 (Form 8-K Item 1.05) | Materiality assessment data is MNPI — routing through a cloud vendor creates a disclosure controls gap under SOX 302 |
| SOC2 CC6.1 | Routing VDP reports, CVE intelligence, or customer security questionnaires through a cloud iPaaS can appear as a data egress finding in your OWN SOC2 audit |

Self-hosted n8n in your VPC (AWS GovCloud, Azure Government, or on-premises) keeps all five of these inside a single auditable boundary.
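
Self-hosting keeps the orchestrator inside the boundary, but individual nodes can still hand data to an outside service, so it is worth checking each export before import. The following is an added example, not part of the original workflows: it walks an exported workflow's `nodes` and `connections` and reports which upstream nodes feed each external-service node. The `EXTERNAL_TYPES` list, the function names, and the trimmed sample workflow are assumptions to adapt to your own SSP.

```javascript
// Node types that call a third-party service (assumed list; extend it to match your SSP).
const EXTERNAL_TYPES = new Set(['n8n-nodes-base.gmail', 'n8n-nodes-base.slack']);

// Constructed sample: a trimmed copy of the weekly KPI workflow's shape.
const sampleWorkflow = {
  nodes: [
    { name: 'Monday 8AM', type: 'n8n-nodes-base.scheduleTrigger' },
    { name: 'Incident Query', type: 'n8n-nodes-base.postgres' },
    { name: 'Build KPI Report', type: 'n8n-nodes-base.code' },
    { name: 'Slack #management', type: 'n8n-nodes-base.slack' },
  ],
  connections: {
    'Monday 8AM': { main: [[{ node: 'Incident Query', type: 'main', index: 0 }]] },
    'Incident Query': { main: [[{ node: 'Build KPI Report', type: 'main', index: 0 }]] },
    'Build KPI Report': { main: [[{ node: 'Slack #management', type: 'main', index: 0 }]] },
  },
};

// Invert "source -> targets" into "target -> sources" so the graph can be walked upstream.
function buildParents(connections) {
  const parents = new Map();
  for (const [source, outputs] of Object.entries(connections || {})) {
    for (const link of (outputs.main || []).flat().filter(Boolean)) {
      parents.set(link.node, (parents.get(link.node) || new Set()).add(source));
    }
  }
  return parents;
}

// For each external-service node, list every node whose output can reach it.
function findEgress(workflow) {
  const parents = buildParents(workflow.connections);
  const findings = [];
  for (const node of workflow.nodes || []) {
    if (!EXTERNAL_TYPES.has(node.type)) continue;
    const seen = new Set();
    const stack = [...(parents.get(node.name) || [])];
    while (stack.length) {
      const name = stack.pop();
      if (seen.has(name)) continue; // guards against loops in the graph
      seen.add(name);
      stack.push(...(parents.get(name) || []));
    }
    findings.push({ egress: node.name, type: node.type, upstream: [...seen].sort() });
  }
  return findings;
}

console.log(JSON.stringify(findEgress(sampleWorkflow), null, 2));
```

Any finding whose `upstream` list includes a query against incident, CUI, or materiality data is a flow to document or reroute before the workflow goes live.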


Buyer FAQ

Q: Does CMMC 2.0 actually prohibit cloud automation tools?
Not per se — but CMMC Level 2 (110 practices from NIST SP 800-171) requires all CUI-touching systems to be documented in your System Security Plan. If your n8n instance is self-hosted inside your boundary, it's in scope and documentable. If you use Zapier and CUI flows through it, Zapier is an External Cloud Service Provider — CMMC SC.L2-3.13.5 and AC.L2-3.1.20 apply.

Q: What specifically does the SEC 4-business-day clock cover?
SEC Rule 13a-15 (effective December 2023) requires public companies to disclose material cybersecurity incidents on Form 8-K Item 1.05 within 4 business days of determining the incident is material. Materiality determination data, board communications, and breach scope assessments are MNPI. Those should not flow through a cloud iPaaS operated by a third party.

Q: CISA KEV says 14 days — does that apply to private companies?
BOD 22-01 (14-day mandatory remediation) applies to FCEB (Federal Civilian Executive Branch) agencies. For private companies, CISA calls it 'strongly recommended.' For defense contractors under DFARS 252.204-7012, CISA KEV remediations are part of your SSP patch management practice — and CMMC RM.L2-3.11.3 requires documented remediation.

Q: Can I use a cloud-hosted version of n8n (n8n.cloud)?
For non-CUI, non-PHI, non-regulated workflows — yes. For CMMC-in-scope CUI flows, DFARS-covered incidents, or FedRAMP-boundary automation — self-hosted in your assessed environment only.

Q: What's the DFARS 72-hour report process?
DFARS 252.204-7012(c) requires reporting to DoD Cyber Crime Center (DC3) at 800-249-8431 within 72 hours of discovering a cyber incident on a covered contractor information system. The incident report must include the contract numbers, facility clearance level, classification of compromised information, and a description of the techniques used.


All 5 workflows are available as import-ready JSON at stripeai.gumroad.com — copy, paste, configure your credentials, deploy.

FlowKit — n8n automation templates for B2B SaaS vendors
