Alerts Overview
BreachSpider sends alerts when something changes in your vulnerability landscape that requires attention. Alerts ensure your team knows about critical findings as they happen, without having to check the dashboard manually.
Alert Trigger Events
Each alert is triggered by a specific event type:
| Event | Fires When |
|---|---|
| kev.new | A KEV entry matches an asset in your environment |
| cve.critical | A new critical CVE (CVSS 9.0+) matches your asset |
| cve.high | A new high CVE (CVSS 7.0-8.9) matches your asset |
| exploit.confirmed | A public exploit is published for a CVE in your environment |
| asset.matched | Any new CVE matches one of your assets (any severity) |
| watchlist.update | New exploitation data for a CVE on your watchlist |
| report.ready | A generated report is available for download |
| ticket.created | A new ticket was opened (manual or auto-rule) |
Not all events need to generate alerts for all operators. Configure your rules to match your operational needs.
Alert Destinations
Alerts can be delivered to multiple destination types:
Email (all tiers): Sent via Resend to specified email addresses. The most universal option -- every team member has email. See Email Alerts.
Microsoft Teams (Standard+): Posted to a Teams channel via incoming webhook. See Microsoft Teams.
Slack (Standard+): Posted to a Slack channel via incoming webhook. See Slack.
Custom Webhook (Standard+): An HTTP POST request sent to any URL you configure. Use this for custom integrations, PagerDuty, OpsGenie, or internal tools. See Webhooks.
PagerDuty (via email integration): PagerDuty supports email-based incident creation. Configure a PagerDuty email address as an email alert destination to trigger PagerDuty incidents from BreachSpider alerts.
Jira and ServiceNow (Professional+): These are ticket destinations, not alert destinations. They create issues/incidents rather than notifications. See the Tickets section.
Alert Routing
Alerts can be routed at three levels:
Org-wide: All environments trigger the same destination. Use for global awareness alerts that the entire security team should see.
Per-environment: Different environments route to different destinations. Water plant alerts go to the water plant team. Substation alerts go to the electrical team. See Per-Environment Recipients.
Per-event: Different event types route to different destinations. KEV events go to the Teams urgent channel. Weekly digests go to email. Report-ready notifications go to the manager. See Alert Rules.
These levels can be combined. A single organization might have:
- Org-wide KEV alerts to the #security-critical Slack channel.
- Per-environment critical CVE alerts to each site team's email.
- Per-event report-ready notifications to the compliance officer's email.
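The combined layout above, modelled as an added example (not BreachSpider's configuration format or API). The rule structure, environment names and addresses are constructed, and it assumes that every matching rule fires. It resolves which destinations receive each event per environment and lists the pairs that reach no destination.

```python
# Constructed model of the three routing levels. NOT BreachSpider's config
# format or API. In-app (bell icon) notifications are not modelled.
EVENTS = ["kev.new", "cve.critical", "cve.high", "exploit.confirmed",
          "asset.matched", "watchlist.update", "report.ready", "ticket.created"]

# env=None means org-wide; events=None would mean every event type.
RULES = [
    {"env": None, "events": {"kev.new"}, "dest": "slack:#security-critical"},
    {"env": "water-plant", "events": {"cve.critical"},
     "dest": "email:water-team@example.com"},
    {"env": "substation", "events": {"cve.critical"},
     "dest": "email:electrical-team@example.com"},
    {"env": None, "events": {"report.ready"},
     "dest": "email:compliance@example.com"},
]

def resolve(rules, env, event):
    """Return every destination that fires for this event in this environment."""
    dests = []
    for rule in rules:
        env_ok = rule["env"] is None or rule["env"] == env
        event_ok = rule["events"] is None or event in rule["events"]
        # Assumption: levels are additive, so all matching rules deliver.
        if env_ok and event_ok and rule["dest"] not in dests:
            dests.append(rule["dest"])
    return dests

def coverage_gaps(rules, envs, events=EVENTS):
    """List (environment, event) pairs that no rule delivers anywhere."""
    return [(env, ev) for env in envs for ev in events
            if not resolve(rules, env, ev)]

if __name__ == "__main__":
    envs = ["water-plant", "substation"]
    for env in envs:
        for ev in EVENTS:
            targets = resolve(RULES, env, ev) or "NO DESTINATION"
            print(f"{env:12} {ev:18} -> {targets}")
    print("gaps:", coverage_gaps(RULES, envs))
```

With only these three rules, events such as exploit.confirmed and cve.high reach no external destination in either environment, which is the kind of gap worth checking for before relying on a rule set.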
Configuring Alerts
All alert configuration is managed under Integrations in the left sidebar.
Connections: Set up the technical connections to your alert destinations (Teams webhook URL, Slack webhook URL, custom webhook endpoints).
Alert Rules: Define which events trigger alerts, for which environments, to which destinations.
Recipients: Configure per-environment email recipients for granular routing.
Default Configuration
New accounts have the following defaults enabled:
- Email alerts for kev.new and cve.critical events, sent to your account email address.
- In-app notifications (bell icon) for all event types.
Everything else must be configured manually. The first-time setup checklist includes a step to set up at least one additional alert destination.
Testing Alerts
Every connection and rule has a Test button. Use it to verify your configuration before relying on it for production alerts. The test sends a sample notification to the configured destination.
Always test after initial setup and after any configuration change.