DFIRLab

Security research, threat intelligence, and free DFIR tools.

© 2026 DFIR Lab. All rights reserved.

Persona: Automation Engineer
Category: Integration
Endpoints: 4 used
Updated: April 2026
USE CASE · AUTOMATION ENGINEER

Security automation with n8n: one key, every workflow

n8n is the fastest way to stitch together a SOAR-style automation without paying enterprise licensing. DFIR Platform plugs into n8n through its built-in HTTP Request node — one Bearer-auth credential covers phishing triage, multi-source IOC enrichment, and exposure scanning across every workflow you build.
KEY TAKEAWAYS
  1. Use n8n's generic HTTP Request node with a single DFIR Platform API key; no custom community node is required.
  2. Unify phishing, IOC, and exposure logic behind three endpoints instead of juggling 6+ vendor APIs, credentials, and quota pools.
  3. Starter ($29) covers a single low-volume automation flow; Professional ($99) handles a full multi-flow SecOps pipeline with headroom.
01 · CONTEXT

n8n security flows die in credential sprawl

Most SecOps automation engineers hit the same wall in n8n: every workflow needs VirusTotal for hashes, AbuseIPDB for IPs, urlscan for URLs, Shodan for exposure, a phishing parser for headers, and something AI-shaped for summaries. That's six credentials, six rate limits, six billing relationships, and a separate error-handling branch for each HTTP Request node. Most of those services also forbid commercial / MSP usage on their free tiers.
PAIN POINTS
  1. 6+ vendor API credentials per workflow, each with its own auth header, rate limit, and retry logic in a separate HTTP Request node.
  2. Fragmented quota pools: 500 VT queries/day here, 1,000 AbuseIPDB/day there, no unified view of monthly spend.
  3. Free tiers of major TI vendors explicitly disallow MSP / commercial use, breaking any reseller or managed-SOC workflow.
  4. No native DFIR Platform community node yet, so engineers waste time assuming they need one when the generic HTTP Request node is the shipped path.
02 · CAPABILITIES

The endpoints that solve it

DFIR Platform exposes every capability as plain JSON-over-HTTPS with a single `Authorization: Bearer <api_key>` header. In n8n, that means one HTTP Header Auth credential configured once, then reused by every HTTP Request node across every workflow. One quota pool, one invoice, one set of rate-limit semantics. The three endpoints below cover 90% of the SecOps automations n8n users actually build.

Batch IOC enrichment

3 credits / IOC
POST /v1/enrichment/lookup

Accepts an indicators[] array of IPs, domains, URLs, and hashes. Each gets a normalized verdict aggregated across up to 11 sources per IP, 8 per domain/URL, 6 per hash (VirusTotal, AbuseIPDB, GreyNoise, Shodan, urlscan, OTX, and more). Perfect for n8n's Split In Batches + HTTP Request pattern.

Phishing email analyzer

1 credit
POST /v1/phishing/analyze

Parses a raw .eml file or bare RFC 5322 (formerly RFC 822) headers. Returns SPF/DKIM/DMARC alignment, extracted indicators, and a deterministic risk score. Drop the n8n Email Trigger (IMAP) node in front and you have an auto-triage flow in under 10 nodes.

Public exposure scan

10 credits
POST /v1/exposure/scan

Given a domain or IP range, returns open ports, exposed services, TLS posture, and public-facing risk findings. Wire it behind an n8n Cron or Webhook node for scheduled attack-surface monitoring of your own or customer assets.

Single credential, any workflow

Configure the API key once as an n8n HTTP Header Auth credential (Name: `Authorization`, Value: `Bearer <api_key>`) and every HTTP Request node in any workflow can reuse it — no per-workflow secret shuffling.

03 · WORKFLOW

Wiring it into n8n in under five minutes

The canonical n8n setup is: (1) add an HTTP Header Auth credential holding your Bearer token, (2) drop an HTTP Request node into your workflow, (3) point it at the endpoint you need. Below is a minimal HTTP Request node configuration — you can paste it as n8n JSON or replicate the fields in the UI.
```json
{
  "nodes": [
    {
      "name": "DFIR Enrich IOCs",
      "type": "n8n-nodes-base.httpRequest",
      "typeVersion": 4.2,
      "parameters": {
        "method": "POST",
        "url": "https://api.dfir-lab.ch/v1/enrichment/lookup",
        "authentication": "genericCredentialType",
        "genericAuthType": "httpHeaderAuth",
        "sendBody": true,
        "contentType": "json",
        "specifyBody": "json",
        "jsonBody": "={{ JSON.stringify({ indicators: $json.indicators }) }}"
      },
      "credentials": {
        "httpHeaderAuth": { "id": "dfir-lab-api-key", "name": "DFIR Platform" }
      }
    }
  ],
  "connections": {}
}
```
The HTTP Header Auth credential stores `Authorization: Bearer <api_key>` once; every HTTP Request node references it. Two details matter when pasting: `specifyBody: "json"` switches the node from its default name/value body fields to the raw JSON body field, and `typeVersion` must name a current HTTP Request node version (4.2 here) or n8n imports it as the legacy node with different parameter names. `JSON.stringify` in the expression guarantees the body field receives a JSON string whatever shape `$json.indicators` has upstream.
  1. Step 01 · Create the credential

     In n8n → Credentials → New → HTTP Header Auth. Name: `Authorization`. Value: `Bearer <your_api_key>`. Save as `DFIR Platform`.

  2. Step 02 · Add the HTTP Request node

     Drop an HTTP Request node into your workflow. Method: POST. URL: `https://api.dfir-lab.ch/v1/enrichment/lookup` (or `/v1/phishing/analyze`, `/v1/exposure/scan`). Authentication: Generic Credential Type → Header Auth → select `DFIR Platform`.

  3. Step 03 · Shape the body

     Send Body: on. Body Content Type: JSON, Specify Body: Using JSON. Use an expression to pass indicators from upstream nodes, e.g. `{{ JSON.stringify({ indicators: $json.extracted_iocs }) }}` from a Code node that parsed the IMAP trigger output, or from a Set node.

  4. Step 04 · Fan out results

     Use Loop Over Items (formerly Split In Batches) to rate-limit where needed, then an IF node on `{{ $json.verdict }}` equals `malicious` to branch into containment actions (Slack alert, ticket creation, firewall block).

  5. Step 05 · Validate before wiring

     Sanity-check the response shape using the public `/ioc-check` tool in the browser first: same enrichment pipeline, no signup needed.
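The five steps above leave one gap: something has to turn a raw email into the `indicators[]` array the HTTP Request node sends. The following n8n Code node is an added example written for this page; it is not DFIR Platform's or n8n's own code. It refangs the message text, extracts IPs, URLs, domains and hashes, drops indicators you should not spend 3 credits on (private IPs, your own domain, filenames that look like domains), and emits one item per batch of 10 so a Loop Over Items node can feed each batch to `POST /v1/enrichment/lookup`. The trigger field names `subject`/`textPlain`, the organisation domain `corp.example`, the batch size and the sample message are assumptions, not taken from the page or the IMAP node's documentation.

```javascript
// Added example (not DFIR Platform's or n8n's code): Code node that feeds Step 03.
// Assumptions: items carry subject/textPlain (check your IMAP trigger's actual
// output keys), corp.example is the org's own domain, 10 indicators per batch.

const BATCH_SIZE = 10;                          // assumed; tune to your quota
const OWN_DOMAINS = new Set(['corp.example']);  // assumed: never enrich your own domain
const FILE_EXTS = new Set(['pdf', 'exe', 'dll', 'docx', 'xlsx', 'zip', 'js', 'txt', 'png']);
const URL_RE = /\bhttps?:\/\/[^\s<>"')\]]+/gi;

// Undo common defanging (hxxp, [.], (.), [dot], [:]) so the API receives real indicators.
function refang(text) {
  return text
    .replace(/hxxp(s?):\/\//gi, 'http$1://')
    .replace(/\[\.\]|\(\.\)|\{\.\}|\[dot\]/gi, '.')
    .replace(/\[:\]/g, ':');
}

// RFC 1918, loopback, this-network and malformed dotted quads are not worth a credit.
function isPrivateIp(ip) {
  const o = ip.split('.').map(Number);
  if (o.some((n) => n > 255)) return true;
  return o[0] === 0 || o[0] === 10 || o[0] === 127 ||
    (o[0] === 192 && o[1] === 168) || (o[0] === 172 && o[1] >= 16 && o[1] <= 31);
}

// Unique indicators in first-seen order: URLs, then IPs, hashes, domains.
function extractIndicators(rawText) {
  const text = refang(rawText);
  const found = new Set();
  for (const url of text.match(URL_RE) || []) found.add(url.replace(/[.,;]+$/, ''));
  // A URL's host is covered by the URL lookup; scan the remainder for bare indicators
  // so the same host is not billed twice.
  const rest = text.replace(URL_RE, ' ');
  for (const ip of rest.match(/\b(?:\d{1,3}\.){3}\d{1,3}\b/g) || []) {
    if (!isPrivateIp(ip)) found.add(ip);
  }
  for (const h of rest.match(/\b(?:[a-f0-9]{64}|[a-f0-9]{40}|[a-f0-9]{32})\b/gi) || []) {
    found.add(h.toLowerCase());            // sha256 / sha1 / md5
  }
  for (const d of rest.match(/\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b/gi) || []) {
    const dom = d.toLowerCase();
    const tld = dom.slice(dom.lastIndexOf('.') + 1);
    if (!OWN_DOMAINS.has(dom) && !FILE_EXTS.has(tld)) found.add(dom);
  }
  return [...found];
}

function chunk(arr, size) {
  const out = [];
  for (let i = 0; i < arr.length; i += size) out.push(arr.slice(i, i + size));
  return out;
}

// One request body per batch, ready for the HTTP Request node's JSON body field.
function buildBatches(text, size = BATCH_SIZE) {
  return chunk(extractIndicators(text), size).map((indicators) => ({ indicators }));
}

// Code node entry point: paste the functions above into a Code node
// (mode "Run Once for All Items") and end with:  return runCodeNode($input.all());
function runCodeNode(items) {
  const text = items
    .map((i) => `${i.json.subject ?? ''}\n${i.json.textPlain ?? i.json.text ?? ''}`)
    .join('\n');
  return buildBatches(text).map((body) => ({ json: body }));
}

// Constructed sample (not a real message): 10.0.0.7, corp.example and invoice.pdf
// are there to show what gets filtered out.
const SAMPLE_ITEMS = [{
  json: {
    subject: 'Invoice 4471 overdue',
    textPlain: [
      'From: billing@corp.example',
      'Open hxxps://login-corp[.]example-secure[.]com/auth?id=9 to pay now.',
      'Questions? Reply to support@mail-verify[.]net',
      'Attachment invoice.pdf sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',
      'Received: from relay (10.0.0.7) by mx; Originating-IP: 203.0.113.45',
    ].join('\n'),
  },
}];

console.log(JSON.stringify(runCodeNode(SAMPLE_ITEMS), null, 2));
```

Each output item is exactly one request body, so the HTTP Request node after the Loop Over Items node needs nothing more than `{{ JSON.stringify({ indicators: $json.indicators }) }}` as its JSON body. Stripping URL hosts before the domain scan is a cost decision: if your downstream logic wants the host enriched on its own (the page lists different source counts for domains and URLs), drop the `replace(URL_RE, ' ')` line and accept the extra credits.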

04 · PRICING

Pricing that tracks your workload

A single phishing-triage flow or a small IOC-enrichment automation (on the order of 5 IOCs/day at 3 credits each) fits inside Starter's 500 credits/mo. Once two or three production workflows, or automated exposure scanning for clients, push you past that, step up to Professional (2,500 credits). Enterprise only makes sense past ~10,000 credits/month of sustained usage.
Recommended tier
Starter
500 credits / month
Entry price
$29/mo
  1. Single flow: IOC enrichment for a small SOC

     40 IOCs/day × 30 days × 3 credits = 3,600 credits/month, beyond both Starter (500) and Professional (2,500). At 15 IOCs/day, 15 × 30 × 3 = 1,350 credits/month fits Professional ($99). At 5 IOCs/day, 5 × 30 × 3 = 450 credits/month fits Starter ($29, 500 credits).

  2. Multi-flow SecOps: phishing + IOCs + weekly exposure scan

     (30 phishing × 1) + (90 IOCs × 3) + (4 weekly scans × 10) = 30 + 270 + 40 = 340 credits/month. Fits Starter ($29, 500 credits) with room to grow if volumes stay modest; most growing MSPs land here first.

  3. MSP pipeline: 5 client tenants, daily enrichment + weekly scans

     (5 × 20 IOCs × 22 workdays × 3) + (5 × 4 weekly × 10) = 6,600 + 200 = 6,800 credits/month. Beyond Professional (2,500): take Professional plus a 5,000-credit top-up (7,500 total), or move to Enterprise for unlimited-usage pricing.
05 · GET STARTED

Three ways to evaluate

Pick the path that matches your stage. No sales call, no credit card required.

Create a free account (100 credits/mo)

Full API access, the dashboard, and 100 credits per month of your own, with no credit card required.

Sign up

Try /ioc-check — no signup

Paste an IP, domain, URL, or hash in the browser to see the exact enrichment response shape your n8n HTTP Request node will receive. Useful for designing downstream IF / Switch branches before wiring the real API call.

Open tool

API reference

Full schema, error codes, rate limits, and copy-ready code snippets for every endpoint referenced above.

Read docs
06 · FAQ

Frequently asked

Q / 01
Is there an official n8n community node for DFIR Platform?
Not today. The sanctioned path is n8n's built-in HTTP Request node (n8n-nodes-base.httpRequest) with an HTTP Header Auth credential holding `Authorization: Bearer <api_key>`. That covers every endpoint with zero maintenance overhead on either side — a dedicated community node may land later, but it wouldn't unlock new capabilities.
Q / 02
How do I handle rate limits inside n8n?
The enrichment endpoint accepts batched `indicators[]` arrays, so prefer one call with 10 IOCs over 10 calls with 1 IOC each. For high-volume loops, use n8n's Loop Over Items (formerly Split In Batches) node with a Wait node between iterations. Non-2xx responses include a JSON `error`, but the HTTP Request node stops the workflow on a non-2xx status by default: set the node's Settings → On Error to "Continue" or "Continue (using error output)" before wiring an IF node on `$json.error` for retry / backoff. For transient 429 and 5xx responses the node's own Settings → Retry On Fail (with Wait Between Tries) is the simplest backoff.
Q / 03
Can I use this for MSP / reseller workflows?
Yes. Unlike several free-tier TI APIs that explicitly forbid commercial use, DFIR Platform's paid tiers (Starter and up) permit MSP and reseller usage. Dedicated sub-accounts per client tenant are an Enterprise feature.
Q / 04
Does the HTTP Request node work with self-hosted n8n and n8n.cloud?
Both. The HTTP Request node is a core n8n node with identical behavior on n8n.cloud, a Docker self-host, and the desktop app. The only difference worth mentioning: the egress IP differs between n8n.cloud and your own infrastructure, so if you IP-allowlist outbound traffic from your automation, account for that.
Q / 05
What happens if an indicator is unknown to every source?
The response still returns a normalized verdict with `reputation: "unknown"` and an empty `sources[]` array for that indicator. No partial failures — you always get a predictable shape, which makes downstream n8n logic much easier to write.
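The two answers above (Q/02 on non-2xx handling, Q/05 on unknown indicators) describe the response-side logic of the pipeline. The following Code node, placed after the enrichment HTTP Request node, is an added example written for this page rather than DFIR Platform's code: it decides whether a batch should be retried with backoff, dead-lettered, or routed per indicator, and it treats `reputation: "unknown"` with an empty `sources[]` as its own outcome instead of a failure. The success body shape `{ results: [{ indicator, verdict, reputation, sources }] }`, the failure shape `{ error: { message } }`, the `suspicious` verdict, and the way the status code and headers reach the node (HTTP Request node option "Include Response Headers and Status", On Error set to "Continue") are assumptions; confirm the real field names with `/ioc-check` before relying on them.

```javascript
// Added example (not DFIR Platform's code): Code node after the enrichment call.
// Assumed response shapes: success { results: [{ indicator, verdict, reputation, sources }] },
// failure { error: { message } }. "suspicious" as a verdict value is also assumed.

const MAX_ATTEMPTS = 4;
const BASE_DELAY_MS = 2000;
const MAX_DELAY_MS = 60000;

// 429 and 5xx are worth retrying; other 4xx (bad key, malformed body) are not.
function isRetryable(statusCode) {
  return statusCode === 429 || (statusCode >= 500 && statusCode <= 599);
}

// Exponential backoff with full jitter, honouring a Retry-After header when present.
// rand is injectable so the behaviour is testable.
function backoffMs(attempt, retryAfterSec, rand = Math.random) {
  if (retryAfterSec) return Number(retryAfterSec) * 1000;
  const cap = Math.min(MAX_DELAY_MS, BASE_DELAY_MS * 2 ** (attempt - 1));
  return Math.floor(rand() * cap);
}

// Map one normalized result to a downstream branch; "unknown" never auto-closes.
function routeIndicator(r) {
  const sources = r.sources ?? [];
  if (r.verdict === 'malicious') return 'contain';   // firewall block + ticket
  if (r.verdict === 'suspicious') return 'alert';    // analyst notification
  if (r.reputation === 'unknown' || sources.length === 0) return 'watch'; // no source knows it
  return 'close';
}

// Decide what the workflow does with one batch response.
function routeBatch(statusCode, body, attempt, headers = {}) {
  if (statusCode < 200 || statusCode >= 300) {
    const retry = isRetryable(statusCode) && attempt < MAX_ATTEMPTS;
    return {
      action: retry ? 'retry' : 'dead_letter',
      delayMs: retry ? backoffMs(attempt, headers['retry-after']) : 0,
      error: body?.error?.message ?? `HTTP ${statusCode}`,
    };
  }
  const routes = (body.results ?? []).map((r) => ({ indicator: r.indicator, route: routeIndicator(r) }));
  return { action: 'route', routes };
}

// Code node entry: paste the functions above and end with  return runCodeNode($input.all());
// Each item is assumed to carry statusCode/headers/body (full-response mode) plus the
// attempt counter the loop keeps in json.attempt; without full-response mode the item is the body.
function runCodeNode(items) {
  return items.map((item) => {
    const { statusCode = 200, headers = {}, body = item.json, attempt = 1 } = item.json;
    return { json: routeBatch(statusCode, body, attempt, headers) };
  });
}

// Constructed responses (not captured from the API) exercising all three outcomes.
const SAMPLE_RESPONSES = [
  { json: { statusCode: 200, attempt: 1, body: { results: [
    { indicator: '203.0.113.45', verdict: 'malicious', reputation: 'bad', sources: ['src-a', 'src-b'] },
    { indicator: 'mail-verify.net', verdict: 'unknown', reputation: 'unknown', sources: [] },
    { indicator: 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',
      verdict: 'benign', reputation: 'clean', sources: ['src-c'] },
  ] } } },
  { json: { statusCode: 429, attempt: 2, headers: { 'retry-after': '15' },
    body: { error: { message: 'rate limited' } } } },
  { json: { statusCode: 401, attempt: 1, body: { error: { message: 'invalid api key' } } } },
];

console.log(JSON.stringify(runCodeNode(SAMPLE_RESPONSES), null, 2));
```

A Switch node on `{{ $json.action }}` then sends `retry` items back through a Wait node (set to `{{ $json.delayMs }}` ms) into the HTTP Request node, `dead_letter` items to a ticket, and `route` items into a second Switch on each indicator's `route`. Keeping `watch` separate from `close` is the point of Q/05: an indicator nobody has seen yet is exactly the one you want to re-check later, not auto-close.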
Q / 06
Can I self-host DFIR Platform alongside self-hosted n8n?
Self-hosted DFIR Platform is Enterprise-only. If you already run n8n on-prem and need the TI layer air-gapped too, get in touch — otherwise the SaaS API is what every self-serve tier ships against.
RELATED · INDEX

Other teams solving adjacent problems

01 · Automated Phishing Triage for SOC Teams (SOC Analyst)
02 · Exposure Monitoring for MSSPs (MSSP)
03 · IOC Enrichment for Incident Response (IR Consultant)
Ready when you are

Stop triaging by hand.

Create a free account: 100 credits per month, no credit card. Or keep browsing to find the use case that matches your workflow.