Deployed Engineer × the security podcast

Build an AI-powered incident response system in an afternoon

Anthropic's Mythos just surfaced a 27-year-old bug in OpenBSD that no human had caught. Attacks are being automated faster than any analyst team can respond. Your attackers are already automated — your defense probably isn't.

Get the complete n8n workflow and repository for a production-shaped incident response harness: webhook in, a structured runbook out, with humans kept firmly in the loop.

  • Full n8n template plus the GitHub repo
  • RAG over your playbooks and past incidents
  • Plug-and-play model — local or cloud
Free download

Send me the incident response workflow

Drop your details and we'll unlock the repo. Watch the walkthrough below to see exactly what you're getting.

No spam. We'll only email about this release and, if you opt in, n8n product news.

The walkthrough

See the system before you build it

Viraj walks through the full incident response harness live — how a raw alert becomes a sourced, human-ready runbook, and where you keep the AI on a tight leash.

What's inside

A harness, not a black box

One webhook triggers three retrievals in parallel, then a synthesis agent turns them into a structured runbook. The principle is reuse, not reinvention — the model organizes what your team already knows.

01. Playbook retrieval

Your reference playbooks, chunked and vectorized. A new incident runs semantic search against them. Low-confidence matches get flagged — the agent never pretends it found a strong one.

02. Historical incidents

Resolved cases with real remediation notes. Similarity search surfaces what happened last time, what contained it, and what took longer than expected.

03. Threat intelligence

Current advisories pulled from the web by alert type and TTPs. In production you swap in your own threat intelligence platform. This is the lowest-priority lane, and the easiest one to turn off.

Synthesis agent → structured runbook

All three lanes merge into one agent that produces immediate actions, containment steps, extracted indicators of compromise, assumptions stated explicitly, and confidence levels where certainty is low. Every recommendation is labeled with its source, so analysts always know what is organizational precedent and what the model filled in.

  • Source: Playbook
  • Source: Internal precedent
  • Source: External intel
  • General knowledge — not sourced
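The merge step described above, as an added illustration in Python (not code from the n8n workflow or the repo on this page): three retrieval lanes with similarity scores go in, a structured runbook comes out in which every action carries its source label, low-scoring lanes are flagged instead of promoted to recommendations, and anything the model contributes on its own is marked as unsourced. The thresholds, the `Hit` shape and the sample hits are assumptions constructed for the example.

```python
# Added example: merging three retrieval lanes into a source-labelled runbook.
# Retrieval hits are constructed inline; in the real harness they come from the vector store and the intel search.
from dataclasses import dataclass, field

# Hypothetical thresholds: below LOW a lane is flagged as having no match.
STRONG, LOW = 0.80, 0.60

@dataclass
class Hit:
    lane: str          # "playbook" | "history" | "intel"
    text: str
    score: float       # similarity score from retrieval (0..1)
    iocs: list = field(default_factory=list)

SOURCE_LABEL = {"playbook": "Playbook", "history": "Internal precedent", "intel": "External intel"}

def build_runbook(alert, hits, model_notes):
    """Every action carries its source; low-score lanes become flags, not steps."""
    actions, flags, iocs = [], [], set()
    for h in hits:
        if h.score < LOW:
            flags.append(f"{SOURCE_LABEL[h.lane]}: no confident match (score {h.score:.2f})")
            continue
        conf = "high" if h.score >= STRONG else "low"
        actions.append({"step": h.text, "source": SOURCE_LABEL[h.lane], "confidence": conf})
        iocs.update(h.iocs)
    # Anything the model adds on its own is labelled as such, never as precedent.
    for note in model_notes:
        actions.append({"step": note, "source": "General knowledge - not sourced", "confidence": "low"})
    return {"alert": alert, "actions": actions, "indicators": sorted(iocs), "flags": flags}

def to_markdown(rb):
    """Render the same run as the markdown runbook an analyst reads."""
    out = [f"# Runbook: {rb['alert']}", "", "## Actions"]
    out += [f"- [{a['source']} | {a['confidence']}] {a['step']}" for a in rb["actions"]]
    out += ["", "## Indicators"] + [f"- {i}" for i in rb["indicators"]]
    out += ["", "## Flags"] + [f"- {f}" for f in rb["flags"]]
    return "\n".join(out)

# Constructed sample hits for a brute-force alert (scores and text are made up).
SAMPLE_HITS = [
    Hit("playbook", "Lock the targeted account and reset its credentials in the IdP.", 0.91),
    Hit("history", "Previous case: source IPs shared one ASN; edge block took 2h.", 0.74, ["203.0.113.7"]),
    Hit("intel", "Advisory about unrelated SMB worm activity.", 0.41),
]

if __name__ == "__main__":
    print(to_markdown(build_runbook("brute-force on VPN portal", SAMPLE_HITS, ["Check MFA enrolment gaps."])))
```

The same dictionary feeds both the JSON output and the markdown runbook, which is the "structured JSON and a markdown runbook from the same run" property the page lists.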

Built to stay evergreen

The model is plug-and-play. When a stronger one ships, you change one config value and the rest of the workflow stays untouched. Any OpenAI-compatible endpoint works — including Ollama or vLLM for fully local inference when incident data can't leave your environment.

  • Set up in about 30 minutes with the demo data
  • 13 test incidents across ransomware, phishing, brute-force and more
  • Separate ingestion pipeline to grow your vector store over time
  • Structured JSON and a markdown runbook from the same run

The stack

  • Orchestration: n8n
  • Vector + relational store: Supabase
  • Embeddings: Gemini (swappable)
  • Model routing: OpenRouter
  • Threat intel search: Tavily

Fight automation with automation

A human analyst can't review every incident anymore. Give them a harness that does the rote work and keeps the judgment calls human. Grab the workflow and the repo, free.

Send me the workflow