Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.borghq.io/llms.txt

Use this file to discover all available pages before exploring further.

Workflows let you set up event-driven automations that fire when something happens in your workspace — a new finding is discovered, an asset appears, or a report is generated. Use them to push notifications to Slack, Discord, or email without leaving Odin.

Events

Every workflow starts with an event trigger:
EventFires when
New FindingA finding is created (by Mjolnir, black-box testing, or manual triage)
New Asset DiscoveredA new domain, subdomain or IP is added to your attack surface
New ReportA pentest report or findings summary is generated

Conditions

Conditions let you filter which events actually trigger the workflow. Each condition compares a variable path (e.g. severity.cvss, asset.type) against a value using one of three operators:
OperatorBehaviour
EqualsExact match — the variable must equal the specified value
IncludesThe variable contains the specified value (useful for arrays or partial matches)
Not IncludesThe variable does not contain the specified value
Greater ThanThe variable is greater than the specified value
Less ThanThe variable is less than the specified value
Condtions can also be required or not required. If a required condition fails, the whole workflow will fail. Conditions that are not required will not fail the workflow, as long as another condition passes. You must have a condition.

Variables

Variables are matched against the specified value, to allow for filtering actions.
VariableDescriptionAvailable for
Severity LabelThe finding’s severity rating — LOW, MEDIUM, HIGH, or CRITICALNew Finding
Severity CVSSCVSS base score from 0.1 to 10New Finding
Content TitleThe finding title from the latest revision (substring match)New Finding
Affected AssetsMatches if any affected asset’s display name contains the valueNew Finding
TypeThe asset type — SUBDOMAIN, DOMAIN, or IPNew Asset Discovered
Response TimeHTTP response time in milliseconds from the latest recon scanNew Asset Discovered
Status CodeHTTP status code (100–599) from the latest recon scanNew Asset Discovered
Root DomainThe root domain the asset belongs to (not applicable for IP assets)New Asset Discovered
New Report events do not use variables or conditions. The workflow fires automatically whenever a report is delivered.

Actions

When an event passes your conditions, one or more actions execute.

Webhook

Send an HTTP POST to an external URL. Three presets are available:
  • Slack — sends a formatted message to a Slack incoming webhook
  • Discord — sends a formatted message to a Discord webhook
  • Custom — sends a JSON payload to any URL you specify
The webhook URL must be publicly reachable. Odin rejects requests to private IP ranges.

Email

Send an email when the workflow fires. Configure the recipient address, subject line, and body. The same {{variable}} template syntax is available in all three fields.

Creating a workflow

1

Open the Workflows page

Navigate to Management > Workflows in the sidebar.
2

Drag an event node onto the canvas

Pick the event type that should trigger your workflow.
3

Configure the trigger

Select the specific event and any relevant parameters.
4

Add a condition (optional)

Drag a condition node onto the canvas and configure the variable path, operator, and value.
5

Drag an action node

Choose Webhook or Email as your action type.
6

Configure the action

Fill in the webhook URL or email details, using {{variable}} placeholders where needed.
7

Enable the workflow

Toggle the workflow on. It will start firing on the next matching event.

Managing workflows

From the Workflows page you can:
  • Enable / disable — toggle a workflow on or off without deleting it
  • Rename — click the workflow name to edit it
  • Delete — remove a workflow permanently
  • Execution count — see how many times a workflow has fired