End-to-end automation design for CybeReact's cybersecurity incident response pipeline
From contact form submission to assigned rep with AI-enriched context — in seconds, not minutes.
This is the actual system prompt that powers step 3. It's where domain knowledge meets automation — the AI doesn't guess, it follows a defined taxonomy.
```text
// System prompt sent with every intake form submission

You are an intake classifier for a cybersecurity incident response firm that helps scam victims.
Analyze the following form submission and extract structured data.

CLASSIFICATION TAXONOMY (use exactly these categories):
- rug_pull: Token/project disappeared with funds (DeFi, NFT)
- phishing: Signed malicious transaction, gave seed phrase, wallet drain
- romance_scam: Social engineering via dating/social media
- pig_butchering: Fake trading platform, locked withdrawals
- impersonation: Fake support agent, exchange rep, government official
- investment_fraud: Ponzi, fake yield, unlicensed broker
- recovery_scam: Scammer posing as recovery service (re-victimization)
- other: Doesn't match — flag for manual review

URGENCY RULES:
- Amount > $50K → high
- Incident within 72 hours → high (funds may be recoverable)
- Active threat indicators → critical
- Emotional distress markers (suicidal ideation, desperation) → critical + flag
- Recovery scam indicators → critical
- Everything else → assess from context

RETURN FORMAT (strict JSON):
{
  "scam_type": "category_from_taxonomy",
  "amount_lost": "extracted amount or 'not specified'",
  "currency": "USD/BTC/ETH/etc",
  "urgency": "low | medium | high | critical",
  "urgency_reason": "one-line explanation",
  "contact": { "name": "", "email": "", "phone": "" },
  "summary": "2-3 sentence summary of the incident",
  "key_entities": ["wallet addresses, domains, names mentioned"],
  "needs_manual_review": false,
  "draft_email": "professional, empathetic first response (3-4 paragraphs)"
}
```
This is the Deluge code that runs inside Zoho Flow when the webhook fires. It calls Claude, parses the response, and creates the CRM record.
```deluge
// Triggered when WordPress form webhook fires
// Input: form_data (Map) from webhook payload

// 1. Call Claude API for classification
headers = Map();
headers.put("x-api-key", zoho.encryption.getDecryptedValue("claude_api_key"));
headers.put("anthropic-version", "2023-06-01");
headers.put("content-type", "application/json");

payload = Map();
payload.put("model", "claude-sonnet-4-20250514");
payload.put("max_tokens", 2048);
payload.put("system", system_prompt); // prompt from above
payload.put("messages", { {"role": "user", "content": form_data.get("message")} });

response = invokeurl
[
  url: "https://api.anthropic.com/v1/messages"
  type: POST
  headers: headers
  parameters: payload.toString()
];

// 2. Parse AI response
ai_data = response.get("content").get(0).get("text");
parsed = ai_data.toMap(); // toMap() parses the JSON text returned by the model into a Deluge map

// 3. Create Zoho CRM Lead
lead = Map();
lead.put("Last_Name", parsed.get("contact").get("name"));
lead.put("Email", parsed.get("contact").get("email"));
lead.put("Phone", parsed.get("contact").get("phone"));
lead.put("Scam_Type", parsed.get("scam_type"));
lead.put("Amount_Lost", parsed.get("amount_lost"));
lead.put("Urgency", parsed.get("urgency"));
lead.put("AI_Summary", parsed.get("summary"));
lead.put("Email_Draft", parsed.get("draft_email"));
lead.put("Raw_Submission", form_data.get("message"));
lead.put("Lead_Source", "Website Form");
crm_response = zoho.crm.createRecord("Leads", lead);
lead_id = crm_response.get("id");

// 4. Send Slack notification
slack_msg = "*New Lead — " + parsed.get("scam_type") + " — " + parsed.get("urgency").toUpperCase() + "*\n";
slack_msg = slack_msg + "Amount: " + parsed.get("amount_lost") + "\n";
slack_msg = slack_msg + parsed.get("summary");
// Slack webhook call here...

// 5. Create follow-up task
task = Map();
task.put("Subject", "Follow-up call: " + parsed.get("contact").get("name"));
task.put("Due_Date", zoho.currentdate.addDay(2));
zoho.crm.createRecord("Tasks", task);
```
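The Deluge above writes the model's JSON straight into the Lead. As an added example (not CybeReact's code), this is the check a step between the API call and `zoho.crm.createRecord` should run on the reply: it strips a markdown fence if the model added one, validates `scam_type` and `urgency` against the taxonomy in the prompt, re-applies the prompt's amount and recovery-scam rules as an urgency floor, and routes anything that fails to manual review. The sample reply is constructed; the 72-hour rule is left out because the return format carries no incident timestamp.

```javascript
// Added example, not CybeReact's code: treat the classifier's reply as untrusted input
// and validate it before a CRM record is created from it.
const SCAM_TYPES = new Set(["rug_pull", "phishing", "romance_scam", "pig_butchering",
  "impersonation", "investment_fraud", "recovery_scam", "other"]); // taxonomy from the prompt
const URGENCY = ["low", "medium", "high", "critical"];              // ordered low -> critical

// Extract the JSON object from the model text, tolerating a ```json fence around it.
function parseClassifier(text) {
  return JSON.parse(text.replace(/^\s*```(?:json)?\s*|\s*```\s*$/g, ""));
}

// The prompt's deterministic urgency rules re-applied in code, as a floor: a reply that
// under-rates a case cannot lower the urgency the team sees. Only rules that can be
// checked from the return format are included (it carries no incident timestamp).
function urgencyFloor(p) {
  let floor = "low";
  const raise = (lvl) => { if (URGENCY.indexOf(lvl) > URGENCY.indexOf(floor)) floor = lvl; };
  const amount = Number(String(p.amount_lost).replace(/[^0-9.]/g, "")); // "$12,000" -> 12000
  if (p.currency === "USD" && amount > 50000) raise("high");            // Amount > $50K -> high
  if (p.scam_type === "recovery_scam") raise("critical");               // recovery scam -> critical
  return floor;
}

// Returns { ok, record, reasons }. ok === false means: do not auto-create the Lead,
// route the submission to manual review with the reasons attached.
function validateIntake(text) {
  const reasons = [];
  let p;
  try { p = parseClassifier(text); } catch (e) { return { ok: false, reasons: ["reply is not JSON"] }; }
  if (!p || typeof p !== "object") return { ok: false, reasons: ["reply is not a JSON object"] };
  if (!SCAM_TYPES.has(p.scam_type)) reasons.push("unknown scam_type: " + p.scam_type);
  if (!URGENCY.includes(p.urgency)) reasons.push("invalid urgency: " + p.urgency);
  const email = (p.contact && p.contact.email) || "";
  if (!/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(email)) reasons.push("missing or malformed contact.email");
  if (p.scam_type === "other" || p.needs_manual_review === true) reasons.push("flagged for manual review");
  if (reasons.length) return { ok: false, reasons };
  const floor = urgencyFloor(p);
  const urgency = URGENCY.indexOf(floor) > URGENCY.indexOf(p.urgency) ? floor : p.urgency;
  return { ok: true, reasons, record: { ...p, urgency, urgency_overridden: urgency !== p.urgency } };
}

// Constructed sample reply: the model fenced its JSON and rated a recovery scam only "medium".
const SAMPLE_REPLY = "```json\n" + JSON.stringify({
  scam_type: "recovery_scam", amount_lost: "$12,000", currency: "USD", urgency: "medium",
  urgency_reason: "moderate loss", contact: { name: "Sarah", email: "sarah@example.com", phone: "" },
  summary: "Contacted by a 'recovery service' after an earlier loss.", key_entities: [],
  needs_manual_review: false, draft_email: "...",
}) + "\n```";
```

`validateIntake(SAMPLE_REPLY)` returns `ok: true` with `urgency` raised to `critical` and `urgency_overridden: true`, which is the signal worth surfacing in the Slack alert.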
When a new lead comes in, the team's #intake channel gets this:
This is what the rep sees when they open the auto-created lead — every field populated by AI in seconds:
Dear Sarah,
Thank you for reaching out to us. I want you to know that we take your situation very seriously, and you've taken an important first step by contacting us.
Based on what you've described, it sounds like you may have been targeted by a sophisticated investment fraud scheme. Unfortunately, these types of scams — where fake trading platforms show fabricated profits to encourage larger deposits — are increasingly common, and you are not alone in experiencing this.
Our team will begin reviewing your case immediately. A specialist will contact you within 24 hours to discuss your situation in detail and outline the steps we can take to help you. In the meantime, please do not make any additional deposits or provide any further access to your accounts.
Sincerely,
[Rep Name]
CybeReact Incident Response
The Claude API prompt includes a domain-specific taxonomy for crypto and financial scams. This ensures consistent categorization across all intake submissions.
| Scam Type | Description | Urgency Signal |
|---|---|---|
| Rug Pull | Token/project disappears with invested funds. Often DeFi-related. | High — funds often irrecoverable after 48h |
| Phishing / Wallet Drain | Victim signed a malicious transaction or gave seed phrase access. | Critical — active drain may be in progress |
| Romance Scam | Long-term social engineering via dating apps/social media. Gradual fund extraction. | Medium — ongoing, but victim may not realize scope |
| Pig Butchering | Hybrid romance/investment scam. Fake trading platform shows profits, then locks withdrawals. | High — often 6-figure losses |
| Impersonation | Fake support agent, exchange rep, or government official requests funds/access. | High — may be actively cooperating with scammer |
| Investment Fraud | Ponzi scheme, fake yield platform, unlicensed broker. | Variable — depends on whether platform is still operational |
| Recovery Scam | Scammer posing as recovery service to extract more from prior victim. | Critical — victim being re-victimized |
| Other / Unclassified | Doesn't match known categories. Flagged for manual review. | Review required |
The AI assigns urgency based on multiple signals extracted from the submission:
Every failure mode has a defined fallback. No submission is ever lost.
On any failure the error details and the original form payload are posted to the #ops channel. Nothing is silently dropped.
* The automation runs in seconds. Total time-to-first-response depends on rep availability for email review — but the prep work is done before the rep even opens the ticket.
Multi-source OSINT aggregation with AI analysis — from a single search target to a structured intelligence report.
An investigator enters a search target via an n8n form or a Zoho CRM button. Supported target types:
If triggered from a client's CRM record (linked to Task 1 intake), the intake form data automatically enriches the investigation context — scam description, claimed addresses, dates, and amounts are pre-loaded.
n8n orchestrates parallel calls to multiple intelligence sources. Each source returns structured data with source URL and timestamp.
| Source | API | Returns |
|---|---|---|
| Domain Intel | WHOIS XML API | Registration dates, registrant info, DNS history, name server changes |
| Blockchain | Etherscan API + Alchemy RPC | Transaction history, wallet connections, token holdings, fund flow patterns |
| Corporate Records | OpenCorporates API | Company registration, directors, filings, jurisdiction, status |
| Social Profiles | SerpAPI / Apify | LinkedIn, Twitter, and other social profiles linked to the entity |
| Infrastructure | Shodan API | Server info, hosting history, associated domains, open ports |
| Threat Intel | VirusTotal API | Domain/URL reputation, malware associations, community reports |
When an investigation is triggered from a client's CRM record, the system automatically pulls intake data:
This creates a continuous intelligence thread from first contact through investigation.
This is the core workflow definition — the part that actually runs. Each node is a step in the pipeline.
```json
// Key nodes from the n8n workflow
{
  "nodes": [
    {
      "name": "Webhook Trigger",
      "type": "n8n-nodes-base.webhook",
      "parameters": { "path": "investigate", "method": "POST" }
    },
    {
      "name": "Route by Target Type",
      "type": "n8n-nodes-base.switch",
      "parameters": {
        "rules": [
          { "value": "wallet", "output": 0 },
          { "value": "domain", "output": 1 },
          { "value": "company", "output": 2 }
        ]
      }
    },
    {
      "name": "Etherscan Lookup",
      "type": "n8n-nodes-base.httpRequest",
      "parameters": {
        "url": "https://api.etherscan.io/api",
        "qs": { "module": "account", "action": "txlist", "address": "={{ $json.target }}" }
      }
    },
    {
      "name": "WHOIS Lookup",
      "type": "n8n-nodes-base.httpRequest",
      "parameters": {
        "url": "https://www.whoisxmlapi.com/whoisserver/WhoisService",
        "qs": { "domainName": "={{ $json.target }}", "outputFormat": "JSON" }
      }
    },
    {
      "name": "Merge All Sources",
      "type": "n8n-nodes-base.merge",
      "parameters": { "mode": "append" }
    },
    {
      "name": "Claude Analysis",
      "type": "n8n-nodes-base.httpRequest",
      "parameters": {
        "url": "https://api.anthropic.com/v1/messages",
        "method": "POST",
        "body": {
          "model": "claude-sonnet-4-20250514",
          "max_tokens": 2048,
          "system": "You are an investigation analyst...",
          "messages": [{ "role": "user", "content": "={{ JSON.stringify($json) }}" }]
        }
      }
    },
    {
      "name": "Save to Supabase",
      "type": "n8n-nodes-base.supabase",
      "parameters": { "operation": "create", "table": "investigations" }
    }
  ]
}
```
This is the output an investigator gets — raw data with source attribution on top, AI analysis clearly separated below.
High confidence: Organized pig butchering operation.
Pattern indicators: (1) Domain registered 4 months ago on budget hosting with privacy proxy — typical throwaway infrastructure. (2) 23 unique depositors suggests multiple victims, not a one-off. (3) Systematic 48-hour fund cycling to mixer is a known laundering pattern, not manual withdrawals. (4) VirusTotal community reports align with victim testimony.
Entity connections: The deposit wallet 0x7a3f...b42e connects to mixer 0xd91c...f8a1, which has been flagged in 4 prior investigations (source: our internal DB). Hosting IP shared with 2 other recently-flagged domains: crypto-yield-pro.com, btcprime-trading.net.
Recommended next steps: (1) Check if mixer output wallets have touched any exchanges with KYC — potential for law enforcement subpoena. (2) Cross-reference the 23 depositor wallets against known victim databases. (3) Archive domain content before it goes offline.
Three tools, clear roles, zero overlap — and the full system architecture connecting them.
- Zoho CRM: Client records, case status, rep assignments, email drafts, payment tracking. Every team member looks here.
- Supabase: Investigation data, ad attribution, analytics, AI results, audit logs. Real SQL for real queries — not locked behind a CRM UI.
- n8n: Orchestration layer. Connects everything, stores nothing. Replaces Zoho Flow where needed, handles parallel API calls, AI integration.
| System | What It Stores | Role |
|---|---|---|
| Zoho CRM | Client records, case status, rep assignments, email drafts, payment status | Client-facing source of truth |
| Supabase | Investigation raw data, ad attribution (UTM + click IDs), analytics, AI analysis results, audit logs | Data backbone for queries & analytics |
| n8n | No persistent data — orchestration only | Connects everything |
| WordPress | Website content, contact form | Entry point only |
| Google/Meta Ads | Ad spend, impressions, clicks | Lead source (data piped to Supabase) |
| Gmail | Email communication | Endpoint (triggered from CRM) |
| Google Calendar | Scheduled calls/meetings | Endpoint (created by automation) |
| WhatsApp Business | Client chat messages | Communication channel |
Every connection between systems, the protocol used, and why that method was chosen.
| Connection | Method | Why This Method |
|---|---|---|
| WordPress → n8n | Webhook | Real-time trigger with no polling delay; WordPress supports webhooks natively |
| n8n → Zoho CRM | Zoho REST API | n8n has a native Zoho node. Create/update records programmatically |
| n8n → Claude API | HTTP Request | AI classification (Task 1) + investigation analysis (Task 2) |
| n8n → Supabase | Supabase API / direct PostgreSQL | Store investigation data, analytics, audit logs |
| n8n → Slack | Native Slack node | Team notifications, lead alerts, investigation-ready alerts |
| n8n → Gmail | Gmail API node | Send emails after human approval in CRM |
| n8n → Google Calendar | Google Calendar API | Auto-create follow-up reminders for reps |
| Google Ads → Supabase | n8n scheduled pull | Daily/hourly sync for ad attribution analytics |
| Meta Ads → Supabase | n8n scheduled pull | Same — attribution tracking for paid social |
| WordPress → Supabase | Via n8n (same webhook) | Log raw form submission as audit record |
| Zoho CRM → WhatsApp | Zoho Flow / n8n | Client updates via WhatsApp during case lifecycle |
| Supabase → Zoho CRM | n8n triggered/scheduled | Push investigation results back to client record |
This is what the Supabase database actually looks like. These tables power investigation storage, ad attribution, and audit logging — the things CRM can't handle well.
```sql
-- Investigation data from Task 2 pipeline
CREATE TABLE investigations (
  id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  crm_lead_id text,              -- links back to Zoho CRM record
  assigned_rep_id uuid,          -- auth.users id of the rep who owns the case; referenced by the RLS policy below
  target text NOT NULL,          -- domain, wallet, company name
  target_type text NOT NULL,     -- 'wallet' | 'domain' | 'company' | 'person'
  raw_data jsonb,                -- full API responses with source URLs
  ai_analysis jsonb,             -- Claude output, clearly separated
  threat_level text,             -- 'low' | 'medium' | 'high' | 'critical'
  status text DEFAULT 'completed',
  created_at timestamptz DEFAULT now()
);

-- Ad attribution: which campaigns bring real clients
CREATE TABLE ad_attribution (
  id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  crm_lead_id text,
  utm_source text,               -- google, meta, organic
  utm_campaign text,             -- campaign name
  utm_medium text,
  gclid text,                    -- Google Click ID
  fbclid text,                   -- Meta Click ID
  landing_page text,
  converted boolean DEFAULT false,
  conversion_value numeric,      -- actual case value (for ROAS)
  created_at timestamptz DEFAULT now()
);

-- Audit log: every action in the system
CREATE TABLE audit_log (
  id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  event_type text NOT NULL,      -- 'intake' | 'investigation' | 'email_sent' | 'status_change'
  actor text,                    -- 'system' | rep email | 'ai'
  crm_lead_id text,
  payload jsonb,                 -- full event data
  created_at timestamptz DEFAULT now()
);

-- Known scam entities: grows with every investigation
CREATE TABLE known_entities (
  id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  entity text NOT NULL,          -- wallet, domain, or name
  entity_type text NOT NULL,
  threat_level text,
  first_seen timestamptz,
  investigation_ids uuid[],      -- linked investigations
  notes text,
  created_at timestamptz DEFAULT now()
);

-- Row-level security: reps see only their cases
ALTER TABLE investigations ENABLE ROW LEVEL SECURITY;
-- 'admin' assumes a custom role claim in the JWT; Supabase's built-in role claim is only 'anon' / 'authenticated'
CREATE POLICY "reps_own_cases" ON investigations
  USING (auth.uid() = assigned_rep_id OR auth.jwt() ->> 'role' = 'admin');
```
* The known_entities table is the secret weapon — every investigation automatically feeds it, so the system gets smarter with every case. After 100 investigations, you have a proprietary threat database that no off-the-shelf tool provides.
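How an investigation feeds known_entities, as an added example that is not CybeReact's code: the logic an n8n Code node could run between the Claude Analysis and Save to Supabase steps. It scans the investigation's ai_analysis and raw_data for Ethereum addresses and domains, drops the intelligence providers' own hostnames that appear in raw_data source URLs, lowercases and de-duplicates, and attaches the investigation id for the investigation_ids array. Column names follow the schema above; the TLD list, the provider hostnames and the sample investigation row are constructed assumptions.

```javascript
// Added example, not CybeReact's code: turn one finished investigation row into
// known_entities rows (column names from the schema above).
const ETH_ADDR = /\b0x[0-9a-f]{40}\b/gi;
// Constructed TLD allowlist; a real node would carry the full public-suffix list.
const DOMAIN = /\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+(?:com|net|org|io|xyz|co|app|finance)\b/gi;
// Hostnames of the intel sources themselves (assumed list): they appear in raw_data
// source URLs and must not be recorded as scam entities.
const PROVIDER_DOMAINS = ["etherscan.io", "whoisxmlapi.com", "virustotal.com", "shodan.io"];
const isProvider = (d) => PROVIDER_DOMAINS.some((o) => d === o || d.endsWith("." + o));

// Collect every string value inside a jsonb-style object, recursively.
function strings(v, out = []) {
  if (typeof v === "string") out.push(v);
  else if (Array.isArray(v)) v.forEach((x) => strings(x, out));
  else if (v && typeof v === "object") Object.values(v).forEach((x) => strings(x, out));
  return out;
}

function extractEntities(inv) {
  const rows = new Map(); // "type:entity" -> row, so each entity is emitted once
  const add = (entity, entity_type) => {
    const key = entity_type + ":" + entity;
    if (!rows.has(key)) rows.set(key, { entity, entity_type, threat_level: inv.threat_level,
      first_seen: inv.created_at, investigation_ids: [inv.id] });
  };
  for (const s of strings([inv.ai_analysis, inv.raw_data])) {
    for (const m of s.match(ETH_ADDR) || []) add(m.toLowerCase(), "wallet"); // case-insensitive dedupe
    for (const m of s.match(DOMAIN) || []) {
      const d = m.toLowerCase();
      if (!isProvider(d)) add(d, "domain");
    }
  }
  return [...rows.values()];
}

// Constructed investigation row in the shape of the investigations table (addresses are made up).
const SAMPLE_INVESTIGATION = {
  id: "9b2d6f1e-0000-4000-8000-000000000001", threat_level: "high", created_at: "2025-01-15T10:00:00Z",
  ai_analysis: { summary: "Deposit wallet 0x7a3f00000000000000000000000000000000b42e cycles funds to "
    + "0xD91C00000000000000000000000000000000F8A1. Hosting shared with crypto-yield-pro.com." },
  raw_data: [
    { source: "WHOIS XML API", url: "https://www.whoisxmlapi.com/whoisserver/WhoisService?domainName=crypto-yield-pro.com",
      data: { registrar: "budget-host.net", nameServers: ["ns1.budget-host.net"] } },
    { source: "Etherscan", url: "https://api.etherscan.io/api",
      data: { from: "0x7A3F00000000000000000000000000000000B42E" } },
  ],
};
```

The Supabase step then upserts each row on (entity, entity_type) and appends the new id to investigation_ids, so a wallet seen in four cases carries all four links.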