Security Workflow: Scheduled Vulnerability Report

This walkthrough shows you how to build a scheduled agent that generates weekly vulnerability prioritization reports. By the end, you’ll have an agent that automatically fetches vulnerability data, prioritizes findings, and delivers executive reports.

Overview

What this workflow does:

• Runs automatically on a schedule (weekly cron)
• Fetches vulnerability findings from your scanner
• Prioritizes by CVSS, exploit availability, and asset criticality
• Generates an executive summary with top 10 priorities
• Posts the report to Slack or email

Who it’s for: Vulnerability management teams, DevSecOps engineers

What it produces: Prioritized vulnerability report posted to Slack or email

Cron trigger (weekly) -> Fetch vuln data -> Prioritize with LLM -> Generate report -> Post to Slack

What You’ll Need

• Kindo account with a vulnerability scanner integration (Tenable, CrowdStrike, or similar)
• Slack integration for report delivery
• ~45 minutes

The Workflow

Step 1: Create a Scheduled Agent

1. Navigate to Agents tab — Click Agents in the left sidebar.

2. Click Create an Agent — Select Workflow as the agent type.

3. Add a cron trigger — Click Add Trigger and select Schedule:

   • Expression: 0 9 * * 1 (Every Monday at 9:00 AM)
   • Timezone: Select your organization’s timezone
   • Description: “Weekly vulnerability report”

4. Name your agent — Enter “Weekly Vulnerability Report”.

5. Save the trigger — Click Save Trigger to activate the schedule.

Tip

Cron expressions use the standard format: minute hour day-of-month month day-of-week. Use crontab.guru to validate your expressions.

Step 2: Add an API Action Step — Fetch Vulnerability Data

1. Add a step — Click the + button under Agent Steps.

2. Select API Action Step — Choose API Action Step from the dropdown.

3. Configure the API request for your scanner:

   For Tenable:

   • Method: GET
   • URL: https://cloud.tenable.com/workbenches/vulnerabilities
   • Headers: X-ApiKeys: accessKey={{tenable_access_key}};secretKey={{tenable_secret_key}}
   • Query Parameters:
     • date_range: 7 (last 7 days)
     • severity: high,critical

   For CrowdStrike:

   • Method: GET
   • URL: https://api.crowdstrike.com/combined/detects/queries/detects/v1
   • Headers: Authorization: Bearer {{crowdstrike_token}}
   • Query Parameters:
     • filter: created_timestamp:>'last 7 days'

4. Handle pagination — For large result sets:

   • Use the Magic button to generate pagination logic
   • Or add a second API Action step to fetch additional pages
   • Large responses automatically go to the sandbox

5. Save the step — The vulnerability data will be available to subsequent steps.

Note

Large API responses are automatically written to the sandbox. Use sandbox commands to filter and process the data before passing to LLM steps. See Working with Large Context for techniques.

Step 3: Add an LLM Step — Prioritize and Summarize

1. Add a step — Click the + button and select LLM Step.

2. Write the prompt:

   You are a vulnerability management analyst. Review the following vulnerability scan results and produce a prioritized executive report.
   
   VULNERABILITY DATA:
   [The previous step fetched vulnerability data from the scanner. Reference it here or use sandbox if data is large.]
   
   Prioritization criteria (in order of importance):
   1. CVSS score (higher is more urgent)
   2. Exploit availability (check against CISA KEV list)
   3. Asset criticality (DMZ > Production > Internal > Development)
   4. Age of finding (newer findings may indicate active threats)
   
   Your output should include:
   
   1. EXECUTIVE SUMMARY (2-3 sentences for leadership)
   2. TOP 10 PRIORITY VULNERABILITIES (table with CVE, severity, affected systems, recommended action)
   3. TRENDS (compared to last week: new criticals, resolved items, aging findings)
   4. RECOMMENDED ACTIONS (prioritized list with owners if known)
   
   Format as professional markdown suitable for executive distribution.

3. Select a model — Use a capable model (GPT-4, Claude 3 Opus) for complex analysis.

4. Save the step — The LLM will generate the report when the agent runs.

Working with Large Scan Results

For scans with 10,000+ findings, use the sandbox:

1. First LLM pass — Group findings by severity in the sandbox
2. Second LLM pass — Analyze only Critical/High findings
3. Filter at source — Use scanner API query parameters to limit results

→ See Working with Large Context for detailed sandbox techniques.

Step 4: Add an API Action Step — Deliver the Report

1. Add a step — Click the + button and select API Action Step.

2. Configure Slack delivery:

   • Action: slack.post_message
   • Channel: #security-alerts (or your security channel)
   • Message: Include the LLM-generated report
   • Formatting: Use markdown blocks for readability

3. Alternative: Email delivery:

   • Use an email API (SendGrid, AWS SES)
   • POST to your email service with the report as body
   • Include distribution list for security team

4. Alternative: Notion/Confluence:

   • Create a page for weekly reports
   • Append each report as a new section
   • Build a historical record for trend analysis

5. Save the step — The report will be delivered when the agent runs.

Step 5: Test and Enable

1. Run manually first — Click Run Now to test the workflow:

   • Verify the scanner API returns data
   • Check that the LLM produces a coherent report
   • Confirm the report is delivered to Slack/email

2. Enable the cron schedule — Toggle the schedule to Active

3. Verify first scheduled run — Wait for the next Monday 9 AM (or your schedule):

   • Check Kindo Terminal for execution logs
   • Verify report appears in Slack/email
   • Review report quality and adjust prompt if needed

4. Monitor ongoing runs — Check weekly that reports are generating correctly

Adapting This Workflow

Change Scanner

From	To	Changes Needed
Tenable	CrowdStrike	Update API endpoint, authentication headers, query parameters
Tenable	Qualys	Change to Qualys API format, adjust severity mappings
CrowdStrike	Rapid7	Update to InsightVM API, adjust response parsing

Same pattern, different API. The LLM prioritization step remains unchanged.

Change Cadence

Frequency	Use Case	Cron Expression
Daily	Critical asset monitoring	0 9 * * *
Weekly	Standard vulnerability reports	0 9 * * 1
Monthly	Executive reviews	0 9 1 * *
Custom	Compliance deadlines	Adjust to specific dates

Add Compliance Overlay

1. Upload your compliance framework (PCI-DSS, GDPR, SOC 2) to Knowledge Store
2. Add a step that cross-references findings against framework requirements
3. Include compliance mapping in the LLM prompt:

   Cross-reference each finding with the attached compliance framework.
   Identify which requirements are violated and the potential impact.

4. Output includes compliance-specific recommendations

Troubleshooting

Scanner API Returns No Data

Symptoms: API Action step succeeds but returns empty results

Check:

• Date range parameters (are you looking at the right time period?)
• Severity filters (are you excluding the findings you want?)
• Authentication (is the API key valid and has permissions?)
• API quotas (have you hit rate limits?)

Fix:

• Expand date range to “last 30 days” for testing
• Remove severity filters temporarily to see all findings
• Regenerate API keys if authentication fails
• Add delays between requests if hitting rate limits

LLM Produces Inconsistent Prioritization

Symptoms: Same vulnerability gets different severity ratings on different runs

Check:

• Prompt clarity (are criteria well-defined?)
• Model capability (is it a reasoning model?)
• Context completeness (is all necessary data provided?)

Fix:

• Add explicit weighting: “Prioritize in this order: 1) CVSS, 2) Exploit availability…”
• Include examples in the prompt: “Critical: CVSS 9.0+ with public exploit…”
• Switch to a more capable model (GPT-4, Claude 3 Opus)
• Add a validation step that checks consistency

Report Not Delivered

Symptoms: Agent runs successfully but report doesn’t appear in Slack/email

Check:

• Delivery step configuration (correct channel/email?)
• Integration permissions (can the integration post to that channel?)
• Message formatting (is it too long? malformed?)
• Rate limits (has the integration hit API limits?)

Fix:

• Verify channel name/email address is correct
• Test the integration manually in the integration settings
• Shorten the message or split into multiple posts
• Add error handling to catch delivery failures
• Check integration logs for specific error messages

Next Steps

• Memory and Persistence Patterns — Learn how to maintain state across agent runs
• Multi-Agent Coordination — Chain multiple agents for investigate → remediate pipelines
• On-Demand Threat Hunting — Build interactive workflows for threat hunting
• Working with Large Context — Handle large scan results efficiently