I’ve been building something with my team that I’m really proud of and I want to share it.

We built our entire security alert workflow inside Notion. Every alert comes in as a Notion page, with the basics laid out: what happened, who was involved, when, and where. The whole thing lives in a clean database that’s easy to scan and work with.

The workflow is two buttons. You pick up an alert, hit acknowledge, and it records who you are and when you started. When you’re done investigating, you hit resolve. If you forgot to classify the outcome, it gently nudges you, “hey, you left this with an outcome of empty, did you mean to?” Time-to-investigate gets calculated from the two timestamps. All of it falls out naturally from clicking two buttons.

In between those two clicks, the alert page is a blank page. Type up your notes, tag a teammate, paste in some embeds, whatever you need. It trusts the responder to write what they found and how they got to the outcome. And all of those investigation notes build up over time into a record of how your team thinks through problems.

The part that makes me happiest is how everything stays connected. When you acknowledge an alert in Notion, it acks the page in our paging platform too if it was a pageable event. Same with resolve. Alerts post to Slack, and whenever someone responds in that thread the messages get copied back into Notion as comments. The conversation and the work live together in one place.

And since all the data already lives in Notion, reporting is just as simple. When our manager needs metrics, I build them a page with a few database charts. Time to acknowledge, time to resolve, whether we’re hitting SLA, which alert types trend false positive. No exports, no piping data into some other tool. It’s all right there.
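As an added illustration (not the team’s Notion setup, which the post doesn’t show), here is the two-button lifecycle from above and the metrics it yields, modelled in Python; the 30-minute SLA target, the alert type and the two sample alerts are made up.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

SLA = timedelta(minutes=30)  # assumed resolve-time target; hypothetical, not from the post
@dataclass
class Alert:
    alert_type: str
    created_at: datetime
    acknowledged_by: str | None = None
    acknowledged_at: datetime | None = None
    resolved_at: datetime | None = None
    outcome: str | None = None  # e.g. "true positive" / "false positive"
def acknowledge(a: Alert, responder: str, now: datetime) -> Alert:
    """Acknowledge button: record who picked it up and when (first click wins)."""
    if a.acknowledged_at is None:
        a.acknowledged_by, a.acknowledged_at = responder, now
    return a
def resolve(a: Alert, now: datetime) -> Alert:
    """Resolve button: refuse to close an unacknowledged or unclassified alert."""
    if a.acknowledged_at is None:
        raise ValueError("acknowledge the alert before resolving it")
    if not a.outcome:
        raise ValueError("you left this with an outcome of empty, did you mean to?")
    a.resolved_at = now
    return a
# Metrics in minutes, derived purely from the timestamps the two buttons wrote.
def time_to_acknowledge(a: Alert) -> float: return (a.acknowledged_at - a.created_at).total_seconds() / 60
def time_to_investigate(a: Alert) -> float: return (a.resolved_at - a.acknowledged_at).total_seconds() / 60
def within_sla(a: Alert, sla: timedelta = SLA) -> bool: return a.resolved_at - a.created_at <= sla
def false_positive_rate_by_type(alerts: list[Alert]) -> dict[str, float]:
    """Share of resolved alerts per type that were classified false positive."""
    tally: dict[str, tuple[int, int]] = {}
    for a in alerts:
        if a.resolved_at is not None:
            n, fp = tally.get(a.alert_type, (0, 0))
            tally[a.alert_type] = (n + 1, fp + (a.outcome == "false positive"))
    return {k: fp / n for k, (n, fp) in tally.items()}
def sample_report() -> dict:
    """Two constructed alerts (made-up data) pushed through both buttons."""
    t0 = datetime(2024, 1, 1, 9, 0)
    a = acknowledge(Alert("impossible travel", t0), "alice", t0 + timedelta(minutes=5))
    a.outcome = "false positive"
    resolve(a, t0 + timedelta(minutes=20))
    b = acknowledge(Alert("impossible travel", t0 + timedelta(hours=1)), "bob", t0 + timedelta(minutes=70))
    b.outcome = "true positive"
    resolve(b, t0 + timedelta(minutes=105))
    return {"tta": [time_to_acknowledge(x) for x in (a, b)],
            "tti": [time_to_investigate(x) for x in (a, b)],
            "within_sla": [within_sla(x) for x in (a, b)],
            "fp_rate": false_positive_rate_by_type([a, b])}
```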

We even branded it. When an alert gets acknowledged, a little Scruff emoji pops up on the Slack message with a thumbs up and a green ack icon. When it gets resolved, there’s a red Scruff with a resolved badge. It’s clean and it’s ours.

Then there’s Scruff itself. A Notion Custom Agent that works alongside us on investigations. An alert comes in, and Scruff is already digging into part of it while I’m looking at other parts. Then we compare notes. What’d you find? Oh nice, I pulled these logs. Oh I didn’t think to look there.

It feels like rubber ducking an engineering problem, but you’re tossing investigation findings back and forth instead of code. And because all of our past investigations live in Notion too, Scruff can see how we’ve handled similar alerts before. Conversations we’ve had, outcomes we’ve reached. It factors all of that in as we work.

I’ve always felt like security tools don’t have to be intense to be effective. Not everything needs to be a dark mode war room with red flashing indicators and pew pew maps. The tools we use every day can be simple, natural, even fun. I think the people doing security work deserve that. That’s what we tried to build, and I think we got pretty close.

We made a video about Scruff where I got to talk about how it all works, and my teammate wrote a blog post about it too. You can see a bit of the alerts database in action, how each alert links out to runbooks and the logging platform where it originated.

Read Notion’s blog post →

Thanks for reading

Find more notes like this one here.