Slack Integration
BreachSpider can post alert notifications to Slack channels via incoming webhooks. This brings vulnerability intelligence into your team's existing communication flow.
Available on Standard tier and above.
Setting Up the Slack Webhook
Step 1: Create an Incoming Webhook in Slack
- Go to api.slack.com/apps and create a new Slack app (or use an existing one).
- Under Features, click Incoming Webhooks.
- Toggle Activate Incoming Webhooks to On.
- Click Add New Webhook to Workspace.
- Select the channel where you want BreachSpider alerts to appear.
- Click Allow.
- Copy the generated webhook URL (it starts with https://hooks.slack.com/services/...). Treat this URL as a secret: anyone who holds it can post arbitrary messages to the channel, so paste it only into BreachSpider, keep it out of tickets, chat and source control, and regenerate the webhook in Slack if it is ever exposed.
Alternatively, if your workspace uses the legacy custom integrations:
- Go to your-workspace.slack.com/apps/manage/custom-integrations.
- Click Incoming Webhooks > Add to Slack.
- Select the channel and copy the webhook URL.
Step 2: Add the Connection in BreachSpider
- Navigate to Integrations > Connections > Add Connection.
- Select Slack as the connection type.
- Enter a name (e.g., "OT Alerts Channel").
- Paste the webhook URL.
- Click Test Connection to send a test message.
- Verify the test message appeared in your Slack channel.
- Click Save.
Step 3: Create an Alert Rule
- Navigate to Integrations > Alert Rules > Add Rule.
- Name the rule (e.g., "Critical CVEs to Slack").
- Select the trigger event.
- Select the environment.
- Select the Slack connection as the destination.
- Click Save Rule.
What the Slack Message Looks Like
BreachSpider posts a formatted Block Kit message to your Slack channel:
- A color-coded sidebar (red for critical, orange for high, yellow for medium).
- CVE ID as a bold header, linked to the BreachSpider detail page.
- Vulnerability title and one-line description.
- Fields: Asset, Environment, BCS, CVSS, EPSS, KEV status, Exploit Maturity.
- SAGE summary in a quoted block.
- "View Details" button linking to the full CVE page.
The message is designed for quick scanning in a busy Slack channel. Critical alerts stand out with red sidebars.
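The following script, added here as an illustration and not BreachSpider's own code, builds a Block Kit payload with the layout described above and shows the two checks a practitioner would want before wiring a webhook up: the URL has the shape Slack issues, and untrusted vulnerability text is escaped before it is placed into mrkdwn (an unescaped `<...|...>` in a title would otherwise render as a link). The sidebar colour is carried by an attachment wrapping the blocks, and the linked CVE header is a section rather than a header block, because Block Kit header blocks accept plain text only. The hex colours, the detail-page URL layout (`<base>/cves/<CVE-ID>`), the field names in the `alert` dict and the sample alert itself are assumptions for the example.

```python
"""Build the Block Kit alert message described on this page.

Added example, not BreachSpider's own code. Colours, URL layout and the
alert dict shape are assumptions; SAMPLE_ALERT is constructed test data.
"""
import json
import urllib.request

# Assumed hex values for the colours the page names.
SEVERITY_COLORS = {"critical": "#d32f2f", "high": "#f57c00", "medium": "#fbc02d"}

# Field order as listed on the page, mapped to assumed keys in the alert dict.
FIELD_ORDER = [
    ("Asset", "asset"), ("Environment", "environment"), ("BCS", "bcs"),
    ("CVSS", "cvss"), ("EPSS", "epss"), ("KEV status", "kev_status"),
    ("Exploit Maturity", "exploit_maturity"),
]

WEBHOOK_PREFIX = "https://hooks.slack.com/services/"


def validate_webhook_url(url: str) -> bool:
    """Accept only the shape the page describes: https, the Slack webhook host,
    and three non-empty path segments after /services/ (assumed layout).
    The URL is a bearer secret, so reject anything that does not look right
    rather than storing it."""
    if not url.startswith(WEBHOOK_PREFIX):
        return False
    parts = url[len(WEBHOOK_PREFIX):].split("/")
    return len(parts) == 3 and all(parts)


def escape_mrkdwn(text: str) -> str:
    """Slack mrkdwn treats &, < and > as control characters; escape them so
    attacker-influenced vulnerability text cannot inject links or mentions."""
    return text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def build_alert_payload(alert: dict, base_url: str) -> dict:
    """Return the webhook JSON body: a colour-coded attachment carrying the blocks."""
    cve_id = escape_mrkdwn(alert["cve_id"])
    detail_url = f"{base_url}/cves/{alert['cve_id']}"  # assumed URL layout
    color = SEVERITY_COLORS.get(alert["severity"].lower(), "#9e9e9e")
    title = escape_mrkdwn(alert["title"])
    description = escape_mrkdwn(alert["description"])
    # Quote every line of the summary so multi-line text stays inside the quote block.
    summary = "\n".join("> " + line for line in escape_mrkdwn(alert["sage_summary"]).splitlines())

    blocks = [
        # Bold, linked CVE ID (header blocks are plain text only, so use a section).
        {"type": "section", "text": {"type": "mrkdwn", "text": f"*<{detail_url}|{cve_id}>*"}},
        {"type": "section", "text": {"type": "mrkdwn", "text": f"*{title}*\n{description}"}},
        {"type": "section", "fields": [
            {"type": "mrkdwn", "text": f"*{label}:*\n{escape_mrkdwn(str(alert[key]))}"}
            for label, key in FIELD_ORDER
        ]},
        {"type": "section", "text": {"type": "mrkdwn", "text": summary}},
        {"type": "actions", "elements": [{
            "type": "button",
            "text": {"type": "plain_text", "text": "View Details"},
            "url": detail_url,
        }]},
    ]
    # "text" is the notification fallback shown where blocks cannot render.
    return {"text": f"{cve_id}: {title}", "attachments": [{"color": color, "blocks": blocks}]}


def post_to_webhook(url: str, payload: dict) -> int:
    """POST the payload as JSON and return the HTTP status (200 on success)."""
    if not validate_webhook_url(url):
        raise ValueError("refusing to post to a URL that is not a Slack incoming webhook")
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json"}, method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


# Constructed sample alert; the CVE ID is a placeholder, not a real identifier.
SAMPLE_ALERT = {
    "cve_id": "CVE-0000-00001", "severity": "Critical",
    "title": "Remote code execution in <vendor> PLC firmware",
    "description": "Unauthenticated command injection over the engineering port.",
    "asset": "plc-07", "environment": "Water Plant Alpha", "bcs": 92,
    "cvss": 9.8, "epss": 0.71, "kev_status": "Listed", "exploit_maturity": "Weaponized",
    "sage_summary": "Internet-reachable asset with a public exploit.\nIsolate and patch first.",
}

if __name__ == "__main__":
    print(json.dumps(build_alert_payload(SAMPLE_ALERT, "https://breachspider.example"), indent=2))
```

Running the module prints the payload; `post_to_webhook` is the only call that touches the network, and it refuses a URL that fails the shape check so a mistyped or tampered connection setting never sends data elsewhere.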
Channel Strategy
A common Slack channel strategy for BreachSpider alerts:
| Channel | Events | Purpose |
|---|---|---|
| #vuln-critical | kev.new, cve.critical | Immediate attention required |
| #vuln-triage | cve.high, exploit.confirmed | Daily triage queue |
| #vuln-all | asset.matched | Comprehensive awareness (high volume) |
| #vuln-reports | report.ready | Report completion notifications |
Create one BreachSpider connection per Slack channel, then create alert rules routing the appropriate events to each.
Per-Environment Channels
For organizations with separate Slack channels per site or team:
| Environment | Slack Channel |
|---|---|
| Water Plant Alpha | #water-plant-security |
| Substation Beta | #substation-security |
| Manufacturing | #mfg-security |
Create environment-specific alert rules pointing to the appropriate Slack connection.
Troubleshooting
Test message does not appear:
- Verify the webhook URL is correct and complete.
- Check that the Slack app has not been disabled or removed from the workspace.
- Verify the webhook is authorized for the target channel.
- Check Slack's webhook rate limits. Slack allows roughly one message per second per webhook (short bursts are tolerated); sustained overruns are rejected with HTTP 429 rather than delivered.
Messages appear but look plain text:
- BreachSpider uses Block Kit formatting. Ensure the webhook is an Incoming Webhook (not a legacy plain text webhook).
- Some Slack API limitations may affect formatting in shared channels or external workspaces.
Too many messages:
- Reduce alert volume by using specific trigger events (kev.new instead of asset.matched).
- Use severity floors in your alert rules to filter out lower-priority events.
- Route high-volume events to a dedicated channel that team members can check periodically rather than monitoring in real-time.
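To make the volume and rate-limit advice concrete, the following script, added here as an illustration and not BreachSpider's own code, applies an alert-rule style filter (allowed trigger events plus a severity floor) to a constructed batch of events, then delivers the survivors through a sender that paces to one message per second per webhook and backs off on a 429 response using its Retry-After header. The event dict shape, the severity field on events, and the fake clock and transport used to run it offline are assumptions for the example.

```python
"""Alert-rule filtering and paced delivery for a Slack webhook.

Added example, not BreachSpider's own code. The event shape, the
`severity` field and the offline fakes are assumptions for the example.
"""
import time
from typing import Callable, Dict, Tuple

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed placeholder; not a real webhook.
WEBHOOK_URL = "https://hooks.slack.com/services/T000/B000/placeholder"


def passes_rule(event: dict, allowed_events: set, severity_floor: str) -> bool:
    """Mirror an alert rule: keep only listed trigger events at or above the floor."""
    if event["event"] not in allowed_events:
        return False
    return SEVERITY_RANK.get(event.get("severity", "low"), 0) >= SEVERITY_RANK[severity_floor]


class PacedWebhookSender:
    """Send at most one message per `min_interval` seconds to a webhook and
    honour Retry-After on HTTP 429. `post`, `sleep` and `clock` are injectable
    so the logic can be exercised without the network or real delays."""

    def __init__(self, post: Callable[[str, dict], Tuple[int, Dict[str, str]]],
                 sleep: Callable[[float], None] = time.sleep,
                 clock: Callable[[], float] = time.monotonic,
                 min_interval: float = 1.0, max_retries: int = 3):
        self.post, self.sleep, self.clock = post, sleep, clock
        self.min_interval, self.max_retries = min_interval, max_retries
        self._last_sent = None

    def send(self, url: str, payload: dict) -> int:
        status = 0
        for _ in range(self.max_retries + 1):
            if self._last_sent is not None:
                wait = self.min_interval - (self.clock() - self._last_sent)
                if wait > 0:
                    self.sleep(wait)
            status, headers = self.post(url, payload)
            self._last_sent = self.clock()
            if status != 429:
                return status
            # Rate limited: wait for the server-specified interval before retrying.
            self.sleep(float(headers.get("Retry-After", self.min_interval)))
        return status  # still 429 after all retries; caller decides what to do


class FakeClock:
    """Virtual clock so pacing and back-off can be checked deterministically."""
    def __init__(self):
        self.t = 0.0
    def now(self) -> float:
        return self.t
    def sleep(self, seconds: float) -> None:
        self.t += seconds


class FakeTransport:
    """Stands in for the HTTP POST: returns 429 once, then 200."""
    def __init__(self, fail_first: bool = True):
        self.fail_first, self.calls = fail_first, 0
    def post(self, url: str, payload: dict) -> Tuple[int, Dict[str, str]]:
        self.calls += 1
        if self.fail_first and self.calls == 1:
            return 429, {"Retry-After": "2"}
        return 200, {}


# Constructed events, one per trigger named on this page; CVE IDs are placeholders.
SAMPLE_EVENTS = [
    {"event": "asset.matched", "severity": "low", "cve_id": "CVE-0000-00001"},
    {"event": "cve.high", "severity": "high", "cve_id": "CVE-0000-00002"},
    {"event": "kev.new", "severity": "critical", "cve_id": "CVE-0000-00003"},
    {"event": "exploit.confirmed", "severity": "medium", "cve_id": "CVE-0000-00004"},
    {"event": "cve.critical", "severity": "critical", "cve_id": "CVE-0000-00005"},
]


def run_demo():
    """Route the #vuln-critical rule (kev.new, cve.critical; floor high) through a
    paced sender. Returns (statuses, transport calls, virtual seconds elapsed)."""
    clock, transport = FakeClock(), FakeTransport()
    sender = PacedWebhookSender(transport.post, sleep=clock.sleep, clock=clock.now)
    statuses = [
        sender.send(WEBHOOK_URL, {"text": f"{e['event']} {e['cve_id']}"})
        for e in SAMPLE_EVENTS if passes_rule(e, {"kev.new", "cve.critical"}, "high")
    ]
    return statuses, transport.calls, clock.t


if __name__ == "__main__":
    print(run_demo())
```

With a real transport, `post` would be a function that POSTs JSON and returns the status code and response headers; the filter runs before any delivery, so widening the rule to `asset.matched` is the only change that raises message volume, and the pacing keeps even that within the one-per-second limit.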