We kept hearing the same thing.
"We love Cydarm, but getting alerts from ${toolName} into cases is a pain."
The tools varied – vulnerability scanners, SIEMs, cloud security platforms, threat intel feeds – but the problem was always the same. Security teams were either manually copying alerts between systems or waiting on custom integration work that took weeks and required developer time they didn't have.
So we built something better.
The Integration Fidelity problem
Not all integrations are created equal. Think of it as a spectrum.
At one end, you've got email. It's universal – almost every security tool can send an email notification. But email is low-fidelity. The data arrives as unstructured text with a Subject line. Someone still has to read it, parse out the relevant details, and manually create a case. It's better than nothing, but not by much.
At the other end, you've got custom code. A bespoke integration built specifically for your environment, pulling exactly the data you need into exactly the right fields. High-fidelity, but high-effort too. You need developer time, ongoing maintenance, and the patience to rebuild it every time an API changes.
Most teams are stuck choosing between these two extremes: low effort but low value, or high value but high effort.
We wanted to find the sweet spot – structured enough to be useful, simple enough to actually get done.
Start simple, go deep
The Webhook Receiver Connector is designed around a principle we come back to often: sensible defaults, unlimited flexibility.
When you create a new webhook receiver, Cydarm generates a unique URL instantly. Copy it, paste it into your security tool's webhook settings, and you're done. Alerts start flowing into Cydarm as cases.
That's the five-second version.
But most teams want more control – and that's where the configuration options come in.
Make it yours
The connector uses Mustache templates to map incoming webhook data to case fields. If you've ever written {{variable}} in a template, you already know how it works.
Say your vulnerability scanner sends a JSON payload with a description field. Your case description template might look like:
New Alert: {{data.description}}
That's it. When the webhook fires, Cydarm pulls the description from the payload and creates a case with that text.
The same logic applies across the board:
- Severity can be a fixed value like "Low" or extracted dynamically from the payload using {{data.severity}}
- Organisation routes cases to the right team
- Tags get applied automatically for filtering and triage
- ACLs control who can see what
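
A local dry run of field templates like the ones above, as an added example that is not Cydarm's code: it substitutes plain `{{dotted.name}}` variables only (no sections, no HTML escaping) against a constructed webhook body exposed under `data`, and reports any variable the body does not supply, since Mustache renders those as empty text. The field names in `TEMPLATES` and the sample body are assumptions for illustration.

```python
import json
import re

# Constructed sample webhook body (not output from a real scanner).
SAMPLE_BODY = json.loads("""
{"description": "OpenSSL out of date on web-01",
 "severity": "High",
 "asset": {"hostname": "web-01"}}
""")

# Hypothetical field-to-template mapping; the keys are illustrative names,
# not the connector's configuration schema.
TEMPLATES = {
    "description": "New Alert: {{data.description}}",
    "severity": "{{data.severity}}",
    "tags": "host:{{data.asset.hostname}}",
    "owner": "{{data.owner.email}}",  # deliberately absent from the sample body
}

VAR = re.compile(r"\{\{\s*([\w.]+)\s*\}\}")

def lookup(context, dotted):
    """Walk a dotted name through nested dicts; return (found, value)."""
    node = context
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return False, ""
        node = node[part]
    return True, node

def dry_run(templates, body):
    """Render each template; collect variables the body cannot satisfy."""
    context = {"data": body}  # assumption: the body is exposed as `data`
    rendered, missing = {}, []
    for field, template in templates.items():
        def substitute(match, field=field):
            found, value = lookup(context, match.group(1))
            if not found:
                missing.append((field, match.group(1)))
            return str(value)  # a missing variable renders as empty text
        rendered[field] = VAR.sub(substitute, template)
    return rendered, missing

if __name__ == "__main__":
    rendered, missing = dry_run(TEMPLATES, SAMPLE_BODY)
    for field, text in rendered.items():
        print(field + ": " + repr(text))
    for field, name in missing:
        print("WARNING: " + field + " references " + name + ", not in payload")
```

Running it against a payload captured from the sending tool shows which case fields would silently come out blank before any alerts are routed to the receiver.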
For teams with more complex workflows, there's an Advanced Templates section where you can define initial case notes and custom metadata fields – all using the same templating approach.
And if you want a complete audit trail, tick "Attach Full Payload" and the entire original webhook gets saved as a JSON file on the case. Nothing lost, everything traceable.
This is what we mean by the sweet spot. You get structured, properly-fielded data flowing into cases – the fidelity of a custom integration – without writing a line of code. Set it up once, and it just works.
Why this matters
The average security team runs dozens of tools. Each one generates alerts. Each one has its own dashboard. The cognitive load of context-switching between consoles is real – and so is the risk that something important gets missed because it was in the wrong tab.
The Webhook Receiver changes the equation. Instead of your team going to the alerts, the alerts come to your team – automatically transformed into tracked, triaged, assignable cases with full context.
During internal testing, we connected our vulnerability notifications, EDR, and SIEM in an hour. Each connector took minutes to configure.
What can you connect?
Anything that sends HTTP POST requests. That includes:
- SIEMs like Splunk, Elastic, SumoLogic, LogRhythm, and QRadar
- Middleware and workflow tools like Splunk SOAR, Zapier, Tines, Torq, Cortex XSOAR, Shuffle, and n8n
- EDR/XDRs like CrowdStrike, SentinelOne, and Microsoft Defender (via Logic Apps)
- Vulnerability scanners like Tenable, Qualys, and Rapid7
- Cloud security tools like AWS Security Hub (using Lambda) and Azure Security Center
- Threat intel platforms like MISP and OpenCTI
- Your own scripts, serverless functions, and automation workflows
If it can call a URL, it can create a case.
Try it
The Webhook Receiver Connector is available now under Settings > Advanced Connectors. Set one up, point a tool at it, and see how fast alerts can become cases.
We think you'll like it.

