Email Alerts
Email alerts are available on all tiers and enabled by default for the most critical events. They are delivered via Resend to your account email address and any additional recipients you configure.
Default Behavior
When you create a BreachSpider account, email alerts are automatically enabled for:
- kev.new: A KEV entry matches an asset in your environment.
- cve.critical: A new critical CVE (CVSS 9.0+) matches an asset in your environment.
These alerts are sent to the email address on your account. No additional configuration is needed for this default behavior.
Adding Additional Recipients
To send email alerts to additional people:
- Navigate to Integrations > Email Alerts > Additional Recipients.
- Click Add Recipient.
- Enter the email address.
- Click Save.
Additional recipients receive all org-wide email alerts (the same events as your account email). They do not need BreachSpider accounts.
Per-Environment Recipients
Route alerts from specific environments to specific email addresses:
- Navigate to Integrations > Email Alerts > By Environment tab.
- Select an environment.
- Add one or more recipient email addresses for that environment.
- Click Save.
Example configuration:
| Environment | Recipients |
|---|---|
| Water Plant Alpha | [email protected], [email protected] |
| Substation Beta | [email protected] |
| Corporate IT | [email protected], [email protected] |
Per-environment recipients receive alerts only for events in their assigned environment. They do not receive alerts from other environments.
Alert Email Format
Subject line:
[BreachSpider] CRITICAL KEV Alert - CVE-2025-32433 affects Water Plant Alpha
The subject includes the severity level, event type, CVE ID, and affected environment for quick inbox scanning.
Body content:
- CVE ID and BSID.
- Severity badge (CRITICAL, HIGH, MEDIUM, LOW).
- Affected asset name and environment.
- BCS score and EPSS percentile.
- KEV status and exploit maturity.
- One-sentence SAGE summary of the vulnerability and its ICS impact.
- Patch availability and patch URL (if available).
- Direct link to the CVE detail page in BreachSpider.
- Acknowledge button: a direct link to the finding acknowledgment page.
The email is designed to be actionable. The recipient can read the summary, understand the urgency, click the link to see full detail, and acknowledge the finding, all without navigating through the platform.
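For teams that feed these emails into a shared mailbox or ticketing queue, the sketch below parses the subject line described above into its four fields and picks a queue. It is an added example, not BreachSpider code. It assumes every subject follows the single sample shown in this section; the queue names and the `route` helper are hypothetical.

```python
import re
from typing import NamedTuple, Optional

# Assumption: every alert subject follows the one sample in this document:
# "[BreachSpider] <SEVERITY> <event> Alert - <CVE ID> affects <environment>"
SUBJECT_RE = re.compile(
    r"^\[BreachSpider\] (?P<severity>CRITICAL|HIGH|MEDIUM|LOW) "
    r"(?P<event>.+?) Alert - (?P<cve>CVE-\d{4}-\d{4,}) affects (?P<env>.+)$"
)
# Reply/forward prefixes that mail clients prepend to the subject.
REPLY_PREFIX_RE = re.compile(r"^(?:(?:re|fwd?):\s*)+", re.IGNORECASE)


class Alert(NamedTuple):
    severity: str
    event: str
    cve: str
    environment: str


def parse_subject(subject: str) -> Optional[Alert]:
    """Return the four subject fields, or None when the subject does not match."""
    cleaned = REPLY_PREFIX_RE.sub("", subject.strip())
    m = SUBJECT_RE.match(cleaned)
    if m is None:
        return None
    return Alert(m["severity"], m["event"], m["cve"], m["env"].strip())


def route(subject: str) -> str:
    """Pick a queue (hypothetical names) from the parsed subject.

    A subject line can be typed by anyone, so this decides routing only; it is
    not evidence that the message came from BreachSpider.
    """
    alert = parse_subject(subject)
    if alert is None:
        return "manual-review"  # unknown shape: never drop silently
    if alert.severity == "CRITICAL":
        return f"page-oncall:{alert.environment}"
    return f"ticket:{alert.environment}"


if __name__ == "__main__":
    samples = [
        "[BreachSpider] CRITICAL KEV Alert - CVE-2025-32433 affects Water Plant Alpha",
        "Fwd: [BreachSpider] HIGH KEV Alert - CVE-2025-32433 affects Corporate IT",  # constructed
        "[BreachSpider] Weekly digest",  # constructed, does not match
    ]
    for s in samples:
        print(route(s), "<-", s)
```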
Configuring Which Events Send Email
By default, only kev.new and cve.critical send email. To add or remove event types:
- Navigate to Integrations > Alert Rules.
- Find or create a rule with destination type: Email.
- Set the trigger event to the desired type (kev.new, cve.high, exploit.confirmed, asset.matched, etc.).
- Save the rule.
You can create multiple email rules with different event triggers and different recipient lists.
Email Delivery
Emails are sent via Resend. Delivery is typically within seconds of the triggering event.
If emails are not arriving:
- Check spam or junk folders.
- Verify the recipient email address is correct.
- Ask your IT team to allowlist [email protected].
- Check if your organization's email gateway has a delay for transactional emails from new senders.
- Verify the alert rule is enabled under Integrations > Alert Rules.
- Check the audit log for WEBHOOK_FIRED entries to confirm the alert was triggered.
Email Digest Option
For lower-priority events, you may prefer a digest rather than individual emails:
Navigate to Account > Notifications > Digest Preference.
Options:
- Real-time: Each event triggers an immediate email. Best for kev.new and cve.critical.
- Daily digest: Events are batched and sent once per day. Best for cve.high and asset.matched.
- Weekly digest: Events are batched weekly. Best for low-priority awareness.
- Off: No email for this event type.
Digest preferences apply per event type. You can receive kev.new in real-time while batching cve.high into a daily digest.