β All Developer Tools
Pagerduty email verification with BillionVerify
PagerDuty is an incident management and alerting platform used by operations and engineering teams. When PagerDuty incidents or on-call schedules involve email-based notifications or user provisioning, BillionVerify ensures the contact addresses on file are valid and deliverable before critical alerts are sent.
Why verify before the send
A bad email address in an on-call schedule means an engineer misses a critical alert. BillionVerify validates responder and stakeholder email addresses so your incident notifications reliably reach the right people, and so user provisioning workflows do not create records with undeliverable contacts.
Ready-to-use n8n workflow
Import this workflow into n8n β it verifies every address with BillionVerify before Pagerduty sends, so only deliverable contacts are emailed. Install the BillionVerify community node first, then add your API key. Adapted from this n8n template
verify-emails-in-pagerduty.json
{
"name": "Detect and route cybersecurity threats with SIEM, Slack, email and PagerDuty + BillionVerify",
"nodes": [
{
"id": "b20161b9-009c-4670-9563-377582851b77",
"name": "Sticky Note",
"type": "n8n-nodes-base.stickyNote",
"position": [
-1152,
96
],
"parameters": {
"width": 800,
"height": 800,
"content": "## Real-time threat detection & incident response\n\nScans and aggregates threat intelligence, network logs, and vulnerability data every 15 minutes to detect emerging risks across the infrastructure. Detected threats are scored by severity β critical and high issues trigger immediate multi-channel alerts and incident tickets, while medium and low threats are logged for trend analysis. Every scan closes with an executive summary posted to Slack.\n\n## How it works\n\n1. **Collect** β Fetches network logs from SIEM, vulnerability scan results, and external threat intel feeds in parallel\n2. **Merge & analyze** β Combines all data, then detects brute force attacks, malware, critical CVEs, suspicious traffic, and IOC matches\n3. **Route by severity** β Critical/High threats go to immediate alerting; Medium/Low are logged to the database\n4. **Alert** β Sends Slack alert, detailed email to SOC, creates a PagerDuty incident, and opens a ticket\n5. **Log** β Stores Medium/Low threats to SIEM and PostgreSQL for audit trail\n6. **Report** β Merges all paths and posts a scan summary to the Slack monitoring channel\n\n## Setup steps\n\n1. **SIEM** β Replace `your-siem-system.com` with your SIEM endpoint in both the log fetch and log write nodes\n2. **Vulnerability scanner** β Update the scanner URL and replace `YOUR_API_KEY` with your credentials\n3. **Threat intel** β Add your API key to the threat intelligence feed node header\n4. **PagerDuty** β Replace `YOUR_PAGERDUTY_KEY` and `YOUR_SERVICE_ID` in the PagerDuty node\n5. **Ticketing** β Update the ticket URL to your Jira or ServiceNow instance and add `YOUR_TICKET_API_KEY`\n6. **Slack** β Set the correct channel IDs in both Slack nodes (alerts channel and monitoring channel)\n7. **Email** β Configure SMTP credentials; update `from` and `to` addresses in the email node\n8. **PostgreSQL** β Ensure a `threat_log` table exists with columns: severity, type, description, timestamp, action_required"
},
"typeVersion": 1
},
{
"id": "7c9fbfd3-9663-4ad2-84d2-2dc19cf804da",
"name": "Sticky Note1",
"type": "n8n-nodes-base.stickyNote",
"position": [
-176,
144
],
"parameters": {
"color": 4,
"width": 440,
"height": 876,
"content": "## 1. Data collection\n\nTriggers every 15 minutes and fetches network logs, vulnerability scan results, and external threat intelligence feeds in parallel before merging them for analysis."
},
"typeVersion": 1
},
{
"id": "34565425-c656-4881-928d-32f678ac9cdf",
"name": "Sticky Note2",
"type": "n8n-nodes-base.stickyNote",
"position": [
304,
352
],
"parameters": {
"color": 4,
"width": 436,
"height": 460,
"content": "## 2. Threat analysis\n\nMerges all collected data and runs detection logic to identify brute force attacks, malware signatures, critical vulnerabilities, suspicious traffic patterns, and IOC matches. Each threat is tagged with a severity level."
},
"typeVersion": 1
},
{
"id": "d929174b-463e-4376-89f0-5a63f282b7f8",
"name": "Sticky Note3",
"type": "n8n-nodes-base.stickyNote",
"position": [
800,
256
],
"parameters": {
"color": 4,
"width": 640,
"height": 860,
"content": "## 3. Alert & remediate\n\nCritical and High threats trigger a Slack alert, a detailed SOC email, a PagerDuty incident, and an incident ticket. Medium and Low threats are logged to SIEM and stored in PostgreSQL."
},
"typeVersion": 1
},
{
"id": "0a3e7f2b-d06f-45fb-a8dd-33125071246a",
"name": "Sticky Note4",
"type": "n8n-nodes-base.stickyNote",
"position": [
1488,
336
],
"parameters": {
"color": 4,
"width": 764,
"height": 524,
"content": "## 4. Summary report\n\nAll paths merge and a scan summary β total threats by severity and type β is posted to the Slack monitoring channel after every run."
},
"typeVersion": 1
},
{
"id": "5633b4a5-b9cf-44ea-99ea-0dad8156574c",
"name": "Schedule Trigger - Every 15 Minutes",
"type": "n8n-nodes-base.scheduleTrigger",
"position": [
-144,
496
],
"parameters": {
"rule": {
"interval": [
{
"field": "minutes",
"minutesInterval": 15
}
]
}
},
"typeVersion": 1.2
},
{
"id": "9de6147c-8a55-4613-913a-604093822d75",
"name": "Fetch Network Logs",
"type": "n8n-nodes-base.httpRequest",
"position": [
96,
384
],
"parameters": {
"url": "https://your-siem-system.com/api/logs",
"method": "POST",
"options": {},
"sendBody": true,
"sendHeaders": true,
"bodyParameters": {
"parameters": [
{
"name": "time_range",
"value": "15m"
},
{
"name": "log_types",
"value": "firewall,ids,auth"
}
]
},
"headerParameters": {
"parameters": [
{
"name": "Content-Type",
"value": "application/json"
}
]
}
},
"typeVersion": 4.2
},
{
"id": "14354e5f-bb8c-4fa7-852c-d82621fc03bd",
"name": "Fetch Vulnerability Scan Results",
"type": "n8n-nodes-base.httpRequest",
"position": [
96,
592
],
"parameters": {
"url": "https://your-vulnerability-scanner.com/api/scan",
"method": "POST",
"options": {},
"sendBody": true,
"sendHeaders": true,
"bodyParameters": {
"parameters": [
{
"name": "scan_type",
"value": "quick"
},
{
"name": "targets",
"value": "internal_network"
}
]
},
"headerParameters": {
"parameters": [
{
"name": "Authorization",
"value": "Bearer YOUR_TOKEN_HERE"
}
]
}
},
"typeVersion": 4.2
},
{
"id": "e6b1d20e-48e5-435f-bc96-621f95c6d1a5",
"name": "Fetch Threat Intelligence Feed",
"type": "n8n-nodes-base.httpRequest",
"position": [
96,
784
],
"parameters": {
"url": "https://api.threatintel.com/v1/threats/recent",
"options": {},
"sendHeaders": true,
"headerParameters": {
"parameters": [
{
"name": "X-API-Key",
"value": "YOUR_THREAT_INTEL_KEY"
}
]
}
},
"typeVersion": 4.2
},
{
"id": "52a555e8-19c0-4cc5-99a3-e780ac8cbc7e",
"name": "Merge All Threat Data",
"type": "n8n-nodes-base.merge",
"position": [
352,
592
],
"parameters": {},
"typeVersion": 3
},
{
"id": "2c8301ec-fa9a-4a4e-a7aa-f26357b26cef",
"name": "Analyze & Detect Threats",
"type": "n8n-nodes-base.code",
"position": [
608,
592
],
"parameters": {
"jsCode": "// Threat Detection Logic\nconst items = $input.all();\nconst threats = [];\n\nfor (const item of items) {\n const data = item.json;\n \n // Check for failed login attempts (Brute Force)\n if (data.failed_logins && data.failed_logins > 10) {\n threats.push({\n severity: 'HIGH',\n type: 'Brute Force Attack',\n source: data.source_ip || 'Unknown',\n description: `${data.failed_logins} failed login attempts detected`,\n timestamp: new Date().toISOString(),\n action_required: 'Block IP and notify SOC'\n });\n }\n \n // Check for critical vulnerabilities\n if (data.vulnerabilities) {\n const criticalVulns = data.vulnerabilities.filter(v => v.severity === 'CRITICAL');\n if (criticalVulns.length > 0) {\n threats.push({\n severity: 'CRITICAL',\n type: 'Critical Vulnerability Detected',\n affected_systems: data.hostname || 'Multiple systems',\n description: `${criticalVulns.length} critical vulnerabilities found`,\n timestamp: new Date().toISOString(),\n action_required: 'Immediate patching required'\n });\n }\n }\n \n // Check for suspicious traffic patterns\n if (data.traffic_volume && data.traffic_volume > 10000) {\n threats.push({\n severity: 'MEDIUM',\n type: 'Suspicious Traffic Pattern',\n source: data.source_ip || 'Unknown',\n description: `Abnormal traffic volume: ${data.traffic_volume} requests`,\n timestamp: new Date().toISOString(),\n action_required: 'Investigate and monitor'\n });\n }\n \n // Check for malware signatures\n if (data.malware_detected === true) {\n threats.push({\n severity: 'CRITICAL',\n type: 'Malware Detection',\n affected_systems: data.hostname || 'Unknown',\n description: `Malware signature: ${data.malware_name || 'Unknown'}`,\n timestamp: new Date().toISOString(),\n action_required: 'Isolate system immediately'\n });\n }\n \n // Check threat intelligence matches\n if (data.ioc_match === true) {\n threats.push({\n severity: 'HIGH',\n type: 'IOC Match',\n indicator: data.indicator || 'Unknown',\n description: `Known threat indicator detected: ${data.indicator_type}`,\n timestamp: new Date().toISOString(),\n action_required: 'Block and investigate'\n });\n }\n}\n\nreturn threats.map(threat => ({ json: threat }));"
},
"typeVersion": 2
},
{
"id": "e9494946-bdcd-41a9-b685-86cb6c5ddfd4",
"name": "Check Threat Severity",
"type": "n8n-nodes-base.if",
"position": [
848,
592
],
"parameters": {
"options": {},
"conditions": {
"options": {
"leftValue": "",
"caseSensitive": true,
"typeValidation": "strict"
},
"combinator": "or",
"conditions": [
{
"id": "condition-1",
"operator": {
"type": "string",
"operation": "equals"
},
"leftValue": "={{ $json.severity }}",
"rightValue": "CRITICAL"
},
{
"id": "condition-2",
"operator": {
"type": "string",
"operation": "equals"
},
"leftValue": "={{ $json.severity }}",
"rightValue": "HIGH"
}
]
}
},
"typeVersion": 2
},
{
"id": "9c1414b8-f5cc-47da-a9de-909901adb984",
"name": "Send Slack Alert - Critical",
"type": "n8n-nodes-base.slack",
"position": [
1088,
464
],
"webhookId": "d6a0a10f-e8d2-4582-8575-c616319d80b6",
"parameters": {
"text": "=π¨ **SECURITY ALERT - {{ $json.severity }}**\n\n**Threat Type:** {{ $json.type }}\n**Source/System:** {{ $json.source || $json.affected_systems || $json.indicator }}\n**Description:** {{ $json.description }}\n**Time Detected:** {{ $json.timestamp }}\n**Action Required:** {{ $json.action_required }}\n\nβ οΈ Immediate response required!",
"select": "channel",
"channelId": {
"__rl": true,
"mode": "id",
"value": "C12345678"
},
"otherOptions": {}
},
"credentials": {
"slackApi": {
"id": "credential-id",
"name": "Slack account - test "
}
},
"typeVersion": 2.2
},
{
"id": "de4c0273-fa6e-4af0-9495-f78695e7e67f",
"name": "Send Email Alert - Detailed",
"type": "n8n-nodes-base.emailSend",
"position": [
1088,
672
],
"webhookId": "ce029cd9-3d2c-41d6-a482-33fb385b3356",
"parameters": {
"options": {},
"subject": "=π¨ {{ $json.severity }} Threat Detected: {{ $json.type }}",
"toEmail": "user@example.com, user@example.com",
"fromEmail": "user@example.com"
},
"credentials": {
"smtp": {
"id": "credential-id",
"name": "SMTP -test"
}
},
"typeVersion": 2.1
},
{
"id": "217d7550-3a07-4d86-b8aa-c7013ad4f165",
"name": "Create PagerDuty Incident",
"type": "n8n-nodes-base.httpRequest",
"position": [
1328,
464
],
"parameters": {
"url": "https://api.pagerduty.com/incidents",
"method": "POST",
"options": {},
"jsonBody": "={\n \"incident\": {\n \"type\": \"incident\",\n \"title\": \"{{ $json.severity }}: {{ $json.type }}\",\n \"service\": {\n \"id\": \"YOUR_SERVICE_ID\",\n \"type\": \"service_reference\"\n },\n \"urgency\": \"high\",\n \"body\": {\n \"type\": \"incident_body\",\n \"details\": \"{{ $json.description }}\\n\\nAction: {{ $json.action_required }}\"\n }\n }\n}",
"sendBody": true,
"sendHeaders": true,
"specifyBody": "json",
"headerParameters": {
"parameters": [
{
"name": "Authorization",
"value": "Token token=YOUR_PAGERDUTY_KEY"
},
{
"name": "Content-Type",
"value": "application/json"
},
{
"name": "Accept",
"value": "application/vnd.pagerduty+json;version=2"
}
]
}
},
"typeVersion": 4.2
},
{
"id": "1cc4631b-7d8a-4231-ad8d-c8d70add7faa",
"name": "Create Security Ticket",
"type": "n8n-nodes-base.httpRequest",
"position": [
1328,
672
],
"parameters": {
"url": "https://your-ticketing-system.com/api/tickets",
"method": "POST",
"options": {},
"jsonBody": "={\n \"title\": \"{{ $json.severity }} Security Threat: {{ $json.type }}\",\n \"description\": \"{{ $json.description }}\\n\\nDetected: {{ $json.timestamp }}\\nAction Required: {{ $json.action_required }}\",\n \"priority\": \"{{ $json.severity === 'CRITICAL' ? 'P1' : 'P2' }}\",\n \"category\": \"Security Incident\",\n \"assigned_to\": \"SOC Team\"\n}",
"sendBody": true,
"sendHeaders": true,
"specifyBody": "json",
"headerParameters": {
"parameters": [
{
"name": "Authorization",
"value": "Bearer YOUR_TOKEN_HERE"
},
{
"name": "Content-Type",
"value": "application/json"
}
]
}
},
"typeVersion": 4.2
},
{
"id": "cc06d7fd-96e9-4e91-b529-80eae70a9787",
"name": "Log Medium/Low Threats",
"type": "n8n-nodes-base.httpRequest",
"position": [
1088,
896
],
"parameters": {
"url": "https://your-siem-system.com/api/events/log",
"method": "POST",
"options": {},
"jsonBody": "={\n \"event_type\": \"security_threat\",\n \"severity\": \"{{ $json.severity }}\",\n \"threat_type\": \"{{ $json.type }}\",\n \"description\": \"{{ $json.description }}\",\n \"timestamp\": \"{{ $json.timestamp }}\",\n \"source\": \"n8n_threat_detection\"\n}",
"sendBody": true,
"sendHeaders": true,
"specifyBody": "json",
"headerParameters": {
"parameters": [
{
"name": "Content-Type",
"value": "application/json"
}
]
}
},
"typeVersion": 4.2
},
{
"id": "2c5a881f-a51a-41bf-a00e-0f5ddc8beff5",
"name": "Store in Database",
"type": "n8n-nodes-base.postgres",
"position": [
1344,
896
],
"parameters": {
"query": "=INSERT INTO threat_log (severity, type, description, timestamp, action_required)\nVALUES (\n '{{ $json.severity }}',\n '{{ $json.type }}',\n '{{ $json.description }}',\n '{{ $json.timestamp }}',\n '{{ $json.action_required }}'\n);",
"options": {},
"operation": "executeQuery"
},
"credentials": {
"postgres": {
"id": "credential-id",
"name": "Postgres-test"
}
},
"typeVersion": 2.5
},
{
"id": "8199dd00-b0af-43c3-a5c6-346738debf86",
"name": "Merge All Paths",
"type": "n8n-nodes-base.merge",
"position": [
1568,
592
],
"parameters": {},
"typeVersion": 3
},
{
"id": "81cd1ef3-176a-4c56-b48a-429d24c9f659",
"name": "Generate Summary Report",
"type": "n8n-nodes-base.code",
"position": [
1808,
592
],
"parameters": {
"jsCode": "// Generate Summary Report\nconst items = $input.all();\n\nconst summary = {\n timestamp: new Date().toISOString(),\n total_threats: items.length,\n critical: items.filter(i => i.json.severity === 'CRITICAL').length,\n high: items.filter(i => i.json.severity === 'HIGH').length,\n medium: items.filter(i => i.json.severity === 'MEDIUM').length,\n low: items.filter(i => i.json.severity === 'LOW').length,\n threat_types: [...new Set(items.map(i => i.json.type))],\n status: 'Workflow completed successfully'\n};\n\nreturn [{ json: summary }];"
},
"typeVersion": 2
},
{
"id": "de5188a7-acc2-48e8-910a-61fdb4f25c7e",
"name": "Send Summary to Monitoring Channel",
"type": "n8n-nodes-base.slack",
"position": [
2048,
592
],
"webhookId": "c636bac1-5c75-4b12-98ca-4a9583026339",
"parameters": {
"text": "=β
**Threat Detection Scan Complete**\n\n**Summary:**\nβ’ Total Threats: {{ $json.total_threats }}\nβ’ Critical: {{ $json.critical }}\nβ’ High: {{ $json.high }}\nβ’ Medium: {{ $json.medium }}\nβ’ Low: {{ $json.low }}\n\n**Threat Types Detected:** {{ $json.threat_types.join(', ') }}\n\n**Scan Time:** {{ $json.timestamp }}",
"select": "channel",
"channelId": {
"__rl": true,
"mode": "id",
"value": "C87654321"
},
"otherOptions": {}
},
"credentials": {
"slackApi": {
"id": "credential-id",
"name": "Slack account - test "
}
},
"typeVersion": 2.2
},
{
"parameters": {
"operation": "verify",
"email": "={{ $json.email || $json.Email }}",
"additionalOptions": {}
},
"type": "n8n-nodes-billionverify.billionVerify",
"typeVersion": 1,
"position": [
728,
672
],
"name": "Verify Email (BillionVerify)",
"credentials": {
"billionVerifyApi": {
"id": "",
"name": "BillionVerify account"
}
}
},
{
"parameters": {
"conditions": {
"options": {
"caseSensitive": true,
"leftValue": "",
"typeValidation": "loose"
},
"combinator": "and",
"conditions": [
{
"id": "is-deliverable",
"leftValue": "={{ $json.is_deliverable }}",
"rightValue": "",
"operator": {
"type": "boolean",
"operation": "true",
"singleValue": true
}
}
]
}
},
"type": "n8n-nodes-base.if",
"typeVersion": 2,
"position": [
908,
672
],
"name": "IF deliverable"
}
],
"connections": {
"Merge All Paths": {
"main": [
[
{
"node": "Generate Summary Report",
"type": "main",
"index": 0
}
]
]
},
"Fetch Network Logs": {
"main": [
[
{
"node": "Merge All Threat Data",
"type": "main",
"index": 0
}
]
]
},
"Check Threat Severity": {
"main": [
[
{
"node": "Send Slack Alert - Critical",
"type": "main",
"index": 0
},
{
"node": "Verify Email (BillionVerify)",
"type": "main",
"index": 0
}
],
[
{
"node": "Log Medium/Low Threats",
"type": "main",
"index": 0
}
]
]
},
"Merge All Threat Data": {
"main": [
[
{
"node": "Analyze & Detect Threats",
"type": "main",
"index": 0
}
]
]
},
"Create Security Ticket": {
"main": [
[
{
"node": "Merge All Paths",
"type": "main",
"index": 1
}
]
]
},
"Log Medium/Low Threats": {
"main": [
[
{
"node": "Store in Database",
"type": "main",
"index": 0
}
]
]
},
"Generate Summary Report": {
"main": [
[
{
"node": "Send Summary to Monitoring Channel",
"type": "main",
"index": 0
}
]
]
},
"Analyze & Detect Threats": {
"main": [
[
{
"node": "Check Threat Severity",
"type": "main",
"index": 0
}
]
]
},
"Create PagerDuty Incident": {
"main": [
[
{
"node": "Merge All Paths",
"type": "main",
"index": 0
}
]
]
},
"Send Email Alert - Detailed": {
"main": [
[
{
"node": "Create Security Ticket",
"type": "main",
"index": 0
}
]
]
},
"Send Slack Alert - Critical": {
"main": [
[
{
"node": "Create PagerDuty Incident",
"type": "main",
"index": 0
}
]
]
},
"Fetch Threat Intelligence Feed": {
"main": [
[
{
"node": "Merge All Threat Data",
"type": "main",
"index": 1
}
]
]
},
"Fetch Vulnerability Scan Results": {
"main": [
[
{
"node": "Merge All Threat Data",
"type": "main",
"index": 1
}
]
]
},
"Schedule Trigger - Every 15 Minutes": {
"main": [
[
{
"node": "Fetch Network Logs",
"type": "main",
"index": 0
},
{
"node": "Fetch Vulnerability Scan Results",
"type": "main",
"index": 0
},
{
"node": "Fetch Threat Intelligence Feed",
"type": "main",
"index": 0
}
]
]
},
"Verify Email (BillionVerify)": {
"main": [
[
{
"node": "IF deliverable",
"type": "main",
"index": 0
}
]
]
},
"IF deliverable": {
"main": [
[
{
"node": "Send Email Alert - Detailed",
"type": "main",
"index": 0
}
],
[]
]
}
},
"settings": {
"executionOrder": "v1"
}
}Workflow templates with Pagerduty
Ready-to-use workflows that verify emails before Pagerduty sends.
How it works
- 1
A new user is provisioned or a stakeholder list is updated in PagerDuty via your identity or HR workflow.
- 2
An n8n automation or Integrately integration extracts the contact email and sends it to BillionVerify.
- 3
BillionVerify checks the address for syntax errors, domain validity, MX records, and SMTP reachability.
- 4
Invalid addresses trigger a notification to the provisioning team to correct the record before it goes live.
- 5
Only verified email addresses are confirmed in PagerDuty, ensuring alerts reach real inboxes.
When to use this
Validate On-Call Responder Emails During Provisioning
When new team members are added to PagerDuty through your HR or identity management automation, BillionVerify verifies their email before the account is activated. Typos are caught before they cause missed alerts during an incident.
Keep Stakeholder Notification Lists Clean
PagerDuty can notify stakeholder groups via email during major incidents. BillionVerify validates those contact lists so stale or invalid addresses are removed before a high-severity event demands reliable delivery.
FAQ
Can BillionVerify be triggered automatically when a new PagerDuty user is created?
Yes. Use PagerDuty's webhook events or an n8n trigger to detect new user creation, then pass the email to BillionVerify's API automatically as part of your provisioning pipeline.
What happens if an on-call engineer's email is flagged as invalid?
Your automation can pause the provisioning step and alert an admin to correct the email address before the user is activated, preventing a gap in on-call coverage.
Is BillionVerify useful for existing PagerDuty user lists, or only new signups?
Both. Export your existing user list, run bulk verification through BillionVerify's API, and flag stale addresses β useful before large-scale schedule changes or annual roster audits.
Verify emails in Pagerduty
Create a free account, grab your API key, and stop bounces before they happen.
Get started free