← All Developer Tools Workflows
BillionVerifyPagerduty
Detect and route cybersecurity threats with SIEM, Slack, email and PagerDuty
Pull contacts, verify each address with BillionVerify, and continue to PagerDuty — only deliverable addresses get through.
Why verify before the send
Sending to invalid, risky, catch-all, or disposable addresses spikes your bounce rate and erodes sender reputation. A verification gate before the PagerDuty step removes that risk automatically — only deliverable addresses continue, the rest are flagged.
The workflow
BillionVerify — verification sits right before the send.
Node by node
- 1Schedule Trigger - Every 15 MinutesTrigger· n8n
Starts the workflow — on a schedule, a webhook, or manually while you test.
- 2Fetch Network LogsSource· n8n
Provides or transforms the contact data flowing through the workflow.
- 3Fetch Vulnerability Scan ResultsSource· n8n
Provides or transforms the contact data flowing through the workflow.
- 4Fetch Threat Intelligence FeedSource· n8n
Provides or transforms the contact data flowing through the workflow.
- 5Merge All Threat DataSource· n8n
Provides or transforms the contact data flowing through the workflow.
- 6Analyze & Detect ThreatsSource· n8n
Provides or transforms the contact data flowing through the workflow.
- 7Check Threat SeverityLogic· n8n
Branches on the verification result: only deliverable addresses continue to the send; the rest are skipped and flagged.
- 8Send Slack Alert - CriticalSource· n8n
Provides or transforms the contact data flowing through the workflow.
- 9Verify Email (BillionVerify)Verify· billionverify
The BillionVerify node verifies the address — status (valid / invalid / risky / catch-all / role / disposable), is_deliverable, and a confidence score — before anything is sent.
- 10Log Medium/Low ThreatsSource· n8n
Provides or transforms the contact data flowing through the workflow.
- 11Create PagerDuty IncidentSource· n8n
Provides or transforms the contact data flowing through the workflow.
- 12IF deliverableLogic· n8n
Branches on the verification result: only deliverable addresses continue to the send; the rest are skipped and flagged.
- 13Store in DatabaseSource· n8n
Provides or transforms the contact data flowing through the workflow.
- 14Merge All PathsSource· n8n
Provides or transforms the contact data flowing through the workflow.
- 15Send Email Alert - DetailedSend· n8n
Sends only to verified, deliverable addresses. Swap in your own provider node if you send elsewhere.
- 16Generate Summary ReportSource· n8n
Provides or transforms the contact data flowing through the workflow.
- 17Create Security TicketSource· n8n
Provides or transforms the contact data flowing through the workflow.
- 18Send Summary to Monitoring ChannelSource· n8n
Provides or transforms the contact data flowing through the workflow.
Workflow JSON
Copy or download this workflow, then import it in n8n (Workflows → Import from File / Paste). Install the BillionVerify community node first, then add your API key credential.
verify-emails-in-pagerduty.json
{
"name": "Detect and route cybersecurity threats with SIEM, Slack, email and PagerDuty + BillionVerify",
"nodes": [
{
"id": "b20161b9-009c-4670-9563-377582851b77",
"name": "Sticky Note",
"type": "n8n-nodes-base.stickyNote",
"position": [
-1152,
96
],
"parameters": {
"width": 800,
"height": 800,
"content": "## Real-time threat detection & incident response\n\nScans and aggregates threat intelligence, network logs, and vulnerability data every 15 minutes to detect emerging risks across the infrastructure. Detected threats are scored by severity — critical and high issues trigger immediate multi-channel alerts and incident tickets, while medium and low threats are logged for trend analysis. Every scan closes with an executive summary posted to Slack.\n\n## How it works\n\n1. **Collect** — Fetches network logs from SIEM, vulnerability scan results, and external threat intel feeds in parallel\n2. **Merge & analyze** — Combines all data, then detects brute force attacks, malware, critical CVEs, suspicious traffic, and IOC matches\n3. **Route by severity** — Critical/High threats go to immediate alerting; Medium/Low are logged to the database\n4. **Alert** — Sends Slack alert, detailed email to SOC, creates a PagerDuty incident, and opens a ticket\n5. **Log** — Stores Medium/Low threats to SIEM and PostgreSQL for audit trail\n6. **Report** — Merges all paths and posts a scan summary to the Slack monitoring channel\n\n## Setup steps\n\n1. **SIEM** — Replace `your-siem-system.com` with your SIEM endpoint in both the log fetch and log write nodes\n2. **Vulnerability scanner** — Update the scanner URL and replace `YOUR_API_KEY` with your credentials\n3. **Threat intel** — Add your API key to the threat intelligence feed node header\n4. **PagerDuty** — Replace `YOUR_PAGERDUTY_KEY` and `YOUR_SERVICE_ID` in the PagerDuty node\n5. **Ticketing** — Update the ticket URL to your Jira or ServiceNow instance and add `YOUR_TICKET_API_KEY`\n6. **Slack** — Set the correct channel IDs in both Slack nodes (alerts channel and monitoring channel)\n7. **Email** — Configure SMTP credentials; update `from` and `to` addresses in the email node\n8. **PostgreSQL** — Ensure a `threat_log` table exists with columns: severity, type, description, timestamp, action_required"
},
"typeVersion": 1
},
{
"id": "7c9fbfd3-9663-4ad2-84d2-2dc19cf804da",
"name": "Sticky Note1",
"type": "n8n-nodes-base.stickyNote",
"position": [
-176,
144
],
"parameters": {
"color": 4,
"width": 440,
"height": 876,
"content": "## 1. Data collection\n\nTriggers every 15 minutes and fetches network logs, vulnerability scan results, and external threat intelligence feeds in parallel before merging them for analysis."
},
"typeVersion": 1
},
{
"id": "34565425-c656-4881-928d-32f678ac9cdf",
"name": "Sticky Note2",
"type": "n8n-nodes-base.stickyNote",
"position": [
304,
352
],
"parameters": {
"color": 4,
"width": 436,
"height": 460,
"content": "## 2. Threat analysis\n\nMerges all collected data and runs detection logic to identify brute force attacks, malware signatures, critical vulnerabilities, suspicious traffic patterns, and IOC matches. Each threat is tagged with a severity level."
},
"typeVersion": 1
},
{
"id": "d929174b-463e-4376-89f0-5a63f282b7f8",
"name": "Sticky Note3",
"type": "n8n-nodes-base.stickyNote",
"position": [
800,
256
],
"parameters": {
"color": 4,
"width": 640,
"height": 860,
"content": "## 3. Alert & remediate\n\nCritical and High threats trigger a Slack alert, a detailed SOC email, a PagerDuty incident, and an incident ticket. Medium and Low threats are logged to SIEM and stored in PostgreSQL."
},
"typeVersion": 1
},
{
"id": "0a3e7f2b-d06f-45fb-a8dd-33125071246a",
"name": "Sticky Note4",
"type": "n8n-nodes-base.stickyNote",
"position": [
1488,
336
],
"parameters": {
"color": 4,
"width": 764,
"height": 524,
"content": "## 4. Summary report\n\nAll paths merge and a scan summary — total threats by severity and type — is posted to the Slack monitoring channel after every run."
},
"typeVersion": 1
},
{
"id": "5633b4a5-b9cf-44ea-99ea-0dad8156574c",
"name": "Schedule Trigger - Every 15 Minutes",
"type": "n8n-nodes-base.scheduleTrigger",
"position": [
-144,
496
],
"parameters": {
"rule": {
"interval": [
{
"field": "minutes",
"minutesInterval": 15
}
]
}
},
"typeVersion": 1.2
},
{
"id": "9de6147c-8a55-4613-913a-604093822d75",
"name": "Fetch Network Logs",
"type": "n8n-nodes-base.httpRequest",
"position": [
96,
384
],
"parameters": {
"url": "https://your-siem-system.com/api/logs",
"method": "POST",
"options": {},
"sendBody": true,
"sendHeaders": true,
"bodyParameters": {
"parameters": [
{
"name": "time_range",
"value": "15m"
},
{
"name": "log_types",
"value": "firewall,ids,auth"
}
]
},
"headerParameters": {
"parameters": [
{
"name": "Content-Type",
"value": "application/json"
}
]
}
},
"typeVersion": 4.2
},
{
"id": "14354e5f-bb8c-4fa7-852c-d82621fc03bd",
"name": "Fetch Vulnerability Scan Results",
"type": "n8n-nodes-base.httpRequest",
"position": [
96,
592
],
"parameters": {
"url": "https://your-vulnerability-scanner.com/api/scan",
"method": "POST",
"options": {},
"sendBody": true,
"sendHeaders": true,
"bodyParameters": {
"parameters": [
{
"name": "scan_type",
"value": "quick"
},
{
"name": "targets",
"value": "internal_network"
}
]
},
"headerParameters": {
"parameters": [
{
"name": "Authorization",
"value": "Bearer YOUR_TOKEN_HERE"
}
]
}
},
"typeVersion": 4.2
},
{
"id": "e6b1d20e-48e5-435f-bc96-621f95c6d1a5",
"name": "Fetch Threat Intelligence Feed",
"type": "n8n-nodes-base.httpRequest",
"position": [
96,
784
],
"parameters": {
"url": "https://api.threatintel.com/v1/threats/recent",
"options": {},
"sendHeaders": true,
"headerParameters": {
"parameters": [
{
"name": "X-API-Key",
"value": "YOUR_THREAT_INTEL_KEY"
}
]
}
},
"typeVersion": 4.2
},
{
"id": "52a555e8-19c0-4cc5-99a3-e780ac8cbc7e",
"name": "Merge All Threat Data",
"type": "n8n-nodes-base.merge",
"position": [
352,
592
],
"parameters": {},
"typeVersion": 3
},
{
"id": "2c8301ec-fa9a-4a4e-a7aa-f26357b26cef",
"name": "Analyze & Detect Threats",
"type": "n8n-nodes-base.code",
"position": [
608,
592
],
"parameters": {
"jsCode": "// Threat Detection Logic\nconst items = $input.all();\nconst threats = [];\n\nfor (const item of items) {\n const data = item.json;\n \n // Check for failed login attempts (Brute Force)\n if (data.failed_logins && data.failed_logins > 10) {\n threats.push({\n severity: 'HIGH',\n type: 'Brute Force Attack',\n source: data.source_ip || 'Unknown',\n description: `${data.failed_logins} failed login attempts detected`,\n timestamp: new Date().toISOString(),\n action_required: 'Block IP and notify SOC'\n });\n }\n \n // Check for critical vulnerabilities\n if (data.vulnerabilities) {\n const criticalVulns = data.vulnerabilities.filter(v => v.severity === 'CRITICAL');\n if (criticalVulns.length > 0) {\n threats.push({\n severity: 'CRITICAL',\n type: 'Critical Vulnerability Detected',\n affected_systems: data.hostname || 'Multiple systems',\n description: `${criticalVulns.length} critical vulnerabilities found`,\n timestamp: new Date().toISOString(),\n action_required: 'Immediate patching required'\n });\n }\n }\n \n // Check for suspicious traffic patterns\n if (data.traffic_volume && data.traffic_volume > 10000) {\n threats.push({\n severity: 'MEDIUM',\n type: 'Suspicious Traffic Pattern',\n source: data.source_ip || 'Unknown',\n description: `Abnormal traffic volume: ${data.traffic_volume} requests`,\n timestamp: new Date().toISOString(),\n action_required: 'Investigate and monitor'\n });\n }\n \n // Check for malware signatures\n if (data.malware_detected === true) {\n threats.push({\n severity: 'CRITICAL',\n type: 'Malware Detection',\n affected_systems: data.hostname || 'Unknown',\n description: `Malware signature: ${data.malware_name || 'Unknown'}`,\n timestamp: new Date().toISOString(),\n action_required: 'Isolate system immediately'\n });\n }\n \n // Check threat intelligence matches\n if (data.ioc_match === true) {\n threats.push({\n severity: 'HIGH',\n type: 'IOC Match',\n indicator: data.indicator || 'Unknown',\n description: `Known threat indicator detected: ${data.indicator_type}`,\n timestamp: new Date().toISOString(),\n action_required: 'Block and investigate'\n });\n }\n}\n\nreturn threats.map(threat => ({ json: threat }));"
},
"typeVersion": 2
},
{
"id": "e9494946-bdcd-41a9-b685-86cb6c5ddfd4",
"name": "Check Threat Severity",
"type": "n8n-nodes-base.if",
"position": [
848,
592
],
"parameters": {
"options": {},
"conditions": {
"options": {
"leftValue": "",
"caseSensitive": true,
"typeValidation": "strict"
},
"combinator": "or",
"conditions": [
{
"id": "condition-1",
"operator": {
"type": "string",
"operation": "equals"
},
"leftValue": "={{ $json.severity }}",
"rightValue": "CRITICAL"
},
{
"id": "condition-2",
"operator": {
"type": "string",
"operation": "equals"
},
"leftValue": "={{ $json.severity }}",
"rightValue": "HIGH"
}
]
}
},
"typeVersion": 2
},
{
"id": "9c1414b8-f5cc-47da-a9de-909901adb984",
"name": "Send Slack Alert - Critical",
"type": "n8n-nodes-base.slack",
"position": [
1088,
464
],
"webhookId": "d6a0a10f-e8d2-4582-8575-c616319d80b6",
"parameters": {
"text": "=🚨 **SECURITY ALERT - {{ $json.severity }}**\n\n**Threat Type:** {{ $json.type }}\n**Source/System:** {{ $json.source || $json.affected_systems || $json.indicator }}\n**Description:** {{ $json.description }}\n**Time Detected:** {{ $json.timestamp }}\n**Action Required:** {{ $json.action_required }}\n\n⚠️ Immediate response required!",
"select": "channel",
"channelId": {
"__rl": true,
"mode": "id",
"value": "C12345678"
},
"otherOptions": {}
},
"credentials": {
"slackApi": {
"id": "credential-id",
"name": "Slack account - test "
}
},
"typeVersion": 2.2
},
{
"id": "de4c0273-fa6e-4af0-9495-f78695e7e67f",
"name": "Send Email Alert - Detailed",
"type": "n8n-nodes-base.emailSend",
"position": [
1088,
672
],
"webhookId": "ce029cd9-3d2c-41d6-a482-33fb385b3356",
"parameters": {
"options": {},
"subject": "=🚨 {{ $json.severity }} Threat Detected: {{ $json.type }}",
"toEmail": "user@example.com, user@example.com",
"fromEmail": "user@example.com"
},
"credentials": {
"smtp": {
"id": "credential-id",
"name": "SMTP -test"
}
},
"typeVersion": 2.1
},
{
"id": "217d7550-3a07-4d86-b8aa-c7013ad4f165",
"name": "Create PagerDuty Incident",
"type": "n8n-nodes-base.httpRequest",
"position": [
1328,
464
],
"parameters": {
"url": "https://api.pagerduty.com/incidents",
"method": "POST",
"options": {},
"jsonBody": "={\n \"incident\": {\n \"type\": \"incident\",\n \"title\": \"{{ $json.severity }}: {{ $json.type }}\",\n \"service\": {\n \"id\": \"YOUR_SERVICE_ID\",\n \"type\": \"service_reference\"\n },\n \"urgency\": \"high\",\n \"body\": {\n \"type\": \"incident_body\",\n \"details\": \"{{ $json.description }}\\n\\nAction: {{ $json.action_required }}\"\n }\n }\n}",
"sendBody": true,
"sendHeaders": true,
"specifyBody": "json",
"headerParameters": {
"parameters": [
{
"name": "Authorization",
"value": "Token token=YOUR_PAGERDUTY_KEY"
},
{
"name": "Content-Type",
"value": "application/json"
},
{
"name": "Accept",
"value": "application/vnd.pagerduty+json;version=2"
}
]
}
},
"typeVersion": 4.2
},
{
"id": "1cc4631b-7d8a-4231-ad8d-c8d70add7faa",
"name": "Create Security Ticket",
"type": "n8n-nodes-base.httpRequest",
"position": [
1328,
672
],
"parameters": {
"url": "https://your-ticketing-system.com/api/tickets",
"method": "POST",
"options": {},
"jsonBody": "={\n \"title\": \"{{ $json.severity }} Security Threat: {{ $json.type }}\",\n \"description\": \"{{ $json.description }}\\n\\nDetected: {{ $json.timestamp }}\\nAction Required: {{ $json.action_required }}\",\n \"priority\": \"{{ $json.severity === 'CRITICAL' ? 'P1' : 'P2' }}\",\n \"category\": \"Security Incident\",\n \"assigned_to\": \"SOC Team\"\n}",
"sendBody": true,
"sendHeaders": true,
"specifyBody": "json",
"headerParameters": {
"parameters": [
{
"name": "Authorization",
"value": "Bearer YOUR_TOKEN_HERE"
},
{
"name": "Content-Type",
"value": "application/json"
}
]
}
},
"typeVersion": 4.2
},
{
"id": "cc06d7fd-96e9-4e91-b529-80eae70a9787",
"name": "Log Medium/Low Threats",
"type": "n8n-nodes-base.httpRequest",
"position": [
1088,
896
],
"parameters": {
"url": "https://your-siem-system.com/api/events/log",
"method": "POST",
"options": {},
"jsonBody": "={\n \"event_type\": \"security_threat\",\n \"severity\": \"{{ $json.severity }}\",\n \"threat_type\": \"{{ $json.type }}\",\n \"description\": \"{{ $json.description }}\",\n \"timestamp\": \"{{ $json.timestamp }}\",\n \"source\": \"n8n_threat_detection\"\n}",
"sendBody": true,
"sendHeaders": true,
"specifyBody": "json",
"headerParameters": {
"parameters": [
{
"name": "Content-Type",
"value": "application/json"
}
]
}
},
"typeVersion": 4.2
},
{
"id": "2c5a881f-a51a-41bf-a00e-0f5ddc8beff5",
"name": "Store in Database",
"type": "n8n-nodes-base.postgres",
"position": [
1344,
896
],
"parameters": {
"query": "=INSERT INTO threat_log (severity, type, description, timestamp, action_required)\nVALUES (\n '{{ $json.severity }}',\n '{{ $json.type }}',\n '{{ $json.description }}',\n '{{ $json.timestamp }}',\n '{{ $json.action_required }}'\n);",
"options": {},
"operation": "executeQuery"
},
"credentials": {
"postgres": {
"id": "credential-id",
"name": "Postgres-test"
}
},
"typeVersion": 2.5
},
{
"id": "8199dd00-b0af-43c3-a5c6-346738debf86",
"name": "Merge All Paths",
"type": "n8n-nodes-base.merge",
"position": [
1568,
592
],
"parameters": {},
"typeVersion": 3
},
{
"id": "81cd1ef3-176a-4c56-b48a-429d24c9f659",
"name": "Generate Summary Report",
"type": "n8n-nodes-base.code",
"position": [
1808,
592
],
"parameters": {
"jsCode": "// Generate Summary Report\nconst items = $input.all();\n\nconst summary = {\n timestamp: new Date().toISOString(),\n total_threats: items.length,\n critical: items.filter(i => i.json.severity === 'CRITICAL').length,\n high: items.filter(i => i.json.severity === 'HIGH').length,\n medium: items.filter(i => i.json.severity === 'MEDIUM').length,\n low: items.filter(i => i.json.severity === 'LOW').length,\n threat_types: [...new Set(items.map(i => i.json.type))],\n status: 'Workflow completed successfully'\n};\n\nreturn [{ json: summary }];"
},
"typeVersion": 2
},
{
"id": "de5188a7-acc2-48e8-910a-61fdb4f25c7e",
"name": "Send Summary to Monitoring Channel",
"type": "n8n-nodes-base.slack",
"position": [
2048,
592
],
"webhookId": "c636bac1-5c75-4b12-98ca-4a9583026339",
"parameters": {
"text": "=✅ **Threat Detection Scan Complete**\n\n**Summary:**\n• Total Threats: {{ $json.total_threats }}\n• Critical: {{ $json.critical }}\n• High: {{ $json.high }}\n• Medium: {{ $json.medium }}\n• Low: {{ $json.low }}\n\n**Threat Types Detected:** {{ $json.threat_types.join(', ') }}\n\n**Scan Time:** {{ $json.timestamp }}",
"select": "channel",
"channelId": {
"__rl": true,
"mode": "id",
"value": "C87654321"
},
"otherOptions": {}
},
"credentials": {
"slackApi": {
"id": "credential-id",
"name": "Slack account - test "
}
},
"typeVersion": 2.2
},
{
"parameters": {
"operation": "verify",
"email": "={{ $json.email || $json.Email }}",
"additionalOptions": {}
},
"type": "n8n-nodes-billionverify.billionVerify",
"typeVersion": 1,
"position": [
728,
672
],
"name": "Verify Email (BillionVerify)",
"credentials": {
"billionVerifyApi": {
"id": "",
"name": "BillionVerify account"
}
}
},
{
"parameters": {
"conditions": {
"options": {
"caseSensitive": true,
"leftValue": "",
"typeValidation": "loose"
},
"combinator": "and",
"conditions": [
{
"id": "is-deliverable",
"leftValue": "={{ $json.is_deliverable }}",
"rightValue": "",
"operator": {
"type": "boolean",
"operation": "true",
"singleValue": true
}
}
]
}
},
"type": "n8n-nodes-base.if",
"typeVersion": 2,
"position": [
908,
672
],
"name": "IF deliverable"
}
],
"connections": {
"Merge All Paths": {
"main": [
[
{
"node": "Generate Summary Report",
"type": "main",
"index": 0
}
]
]
},
"Fetch Network Logs": {
"main": [
[
{
"node": "Merge All Threat Data",
"type": "main",
"index": 0
}
]
]
},
"Check Threat Severity": {
"main": [
[
{
"node": "Send Slack Alert - Critical",
"type": "main",
"index": 0
},
{
"node": "Verify Email (BillionVerify)",
"type": "main",
"index": 0
}
],
[
{
"node": "Log Medium/Low Threats",
"type": "main",
"index": 0
}
]
]
},
"Merge All Threat Data": {
"main": [
[
{
"node": "Analyze & Detect Threats",
"type": "main",
"index": 0
}
]
]
},
"Create Security Ticket": {
"main": [
[
{
"node": "Merge All Paths",
"type": "main",
"index": 1
}
]
]
},
"Log Medium/Low Threats": {
"main": [
[
{
"node": "Store in Database",
"type": "main",
"index": 0
}
]
]
},
"Generate Summary Report": {
"main": [
[
{
"node": "Send Summary to Monitoring Channel",
"type": "main",
"index": 0
}
]
]
},
"Analyze & Detect Threats": {
"main": [
[
{
"node": "Check Threat Severity",
"type": "main",
"index": 0
}
]
]
},
"Create PagerDuty Incident": {
"main": [
[
{
"node": "Merge All Paths",
"type": "main",
"index": 0
}
]
]
},
"Send Email Alert - Detailed": {
"main": [
[
{
"node": "Create Security Ticket",
"type": "main",
"index": 0
}
]
]
},
"Send Slack Alert - Critical": {
"main": [
[
{
"node": "Create PagerDuty Incident",
"type": "main",
"index": 0
}
]
]
},
"Fetch Threat Intelligence Feed": {
"main": [
[
{
"node": "Merge All Threat Data",
"type": "main",
"index": 1
}
]
]
},
"Fetch Vulnerability Scan Results": {
"main": [
[
{
"node": "Merge All Threat Data",
"type": "main",
"index": 1
}
]
]
},
"Schedule Trigger - Every 15 Minutes": {
"main": [
[
{
"node": "Fetch Network Logs",
"type": "main",
"index": 0
},
{
"node": "Fetch Vulnerability Scan Results",
"type": "main",
"index": 0
},
{
"node": "Fetch Threat Intelligence Feed",
"type": "main",
"index": 0
}
]
]
},
"Verify Email (BillionVerify)": {
"main": [
[
{
"node": "IF deliverable",
"type": "main",
"index": 0
}
]
]
},
"IF deliverable": {
"main": [
[
{
"node": "Send Email Alert - Detailed",
"type": "main",
"index": 0
}
],
[]
]
}
},
"settings": {
"executionOrder": "v1"
}
}When to use this
- Cleaning a list before a PagerDuty send or sync.
- Protecting PagerDuty deliverability and sender reputation.
- Keeping bounce rates low so your sending is never throttled.
FAQ
Why verify before sending in PagerDuty?
Verifying first keeps your bounce rate low, which protects your sender reputation and your results.
How do I import this workflow?
Download the JSON, then in n8n go to Workflows → Import from File (or paste it). Install the BillionVerify community node and add your API key credential.
What happens to risky or catch-all addresses?
They are routed to the false branch and excluded from the send. You decide whether to retry, review, or drop them.
Add verification to your workflow
Create a free account, grab your API key, and stop bounces before they happen.
Get started free