Zing Forum

SecureWatch_n8n: Practice of an Open-Source Security Automation Platform Based on Multi-Agent Architecture

SecureWatch_n8n is a modular multi-agent cybersecurity automation platform built on n8n, designed specifically for MSPs, MSSPs, and security teams. This article provides an in-depth analysis of its architectural design, the division of labor among its five agents, observability implementation, and enterprise-level deployment solutions.

n8n · cybersecurity automation · multi-agent · DevSecOps · open-source security · workflow orchestration · vulnerability scanning · compliance management
Published 2026-04-16 13:03 · Recent activity 2026-04-16 13:19 · Estimated read 5 min

Section 01

Introduction: Core Overview of the SecureWatch_n8n Open-Source Security Automation Platform

SecureWatch_n8n is a modular multi-agent cybersecurity automation platform built on n8n, designed specifically for MSPs, MSSPs, and security teams. This article analyzes its architectural design, agent division of labor, observability implementation, deployment solutions, and application value, aiming to address pain points in security operations such as tool collaboration, cost, and customization.


Section 02

Background: Pain Points and Challenges in Security Operations Automation

Against the backdrop of digital transformation, enterprise security threats are complex. Security teams need to handle a large number of repetitive tasks, and manual operations are inefficient and prone to missing risks. Existing tools have issues such as insufficient collaboration, high costs, and weak customization, leading to the emergence of the innovative SecureWatch_n8n platform in the open-source community.


Section 03

Architectural Design: Division of Responsibilities Among the Five Agents

SecureWatch_n8n adopts a multi-agent architecture, where each agent is an independent n8n workflow:

  1. Security Scanner: Performs external reconnaissance and asset discovery, combining passive and active detection;
  2. Vulnerability Assessment: Connects to databases like NVD for vulnerability matching and risk rating;
  3. Compliance Management: Detects configuration drift and violations against CIS/ISO standards;
  4-5. In Planning: Training (phishing simulation) and incident response agents, which will close the loop from detection to response.

Section 04

Technical Implementation: Observability and Data Persistence

Observability design includes:

  • Distributed Tracing: Each request is assigned a unique trace_id that runs through its lifecycle, supporting SQL query tracing;
  • Data Storage: Supabase two-layer architecture—sw_event_log records key events, sw_event_artifacts stores large-volume artifacts;
  • Auxiliary Tools: Views (e.g., v_trace_timeline) and RPC functions (e.g., sw_event_log_errors_since) facilitate troubleshooting and analysis.
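As an added illustration (not the project's own schema), here is one way the two-layer Supabase log, the v_trace_timeline view and the sw_event_log_errors_since RPC described above could be laid out in PostgreSQL, which is what Supabase runs; every column name, sample value and the exact signature of the function are assumptions.

```sql
-- Layer 1: one compact row per key event, keyed by the request's trace_id
create table sw_event_log (
    id         bigserial   primary key,
    trace_id   uuid        not null,   -- carried through every step of one request
    agent      text        not null,   -- assumed value, e.g. 'vulnerability_assessment'
    step       text        not null,   -- assumed: the SW_LOG_STEP name
    level      text        not null check (level in ('info', 'warn', 'error')),
    message    text,
    created_at timestamptz not null default now()
);

-- Layer 2: large payloads kept out of the hot event table, linked back to their event
create table sw_event_artifacts (
    id         bigserial   primary key,
    event_id   bigint      not null references sw_event_log (id) on delete cascade,
    kind       text        not null,   -- assumed value, e.g. 'nvd_response'
    payload    jsonb       not null,
    created_at timestamptz not null default now()
);

-- Per-trace timeline that counts artifacts per step without loading the payloads
create view v_trace_timeline as
select e.trace_id, e.created_at, e.agent, e.step, e.level, e.message,
       count(a.id) as artifact_count
from sw_event_log e
left join sw_event_artifacts a on a.event_id = e.id
group by e.id                          -- e.id is the primary key, so the other e.* columns are allowed
order by e.trace_id, e.created_at;

-- RPC function: errors since a point in time, callable through Supabase's rpc() endpoint
create function sw_event_log_errors_since(since timestamptz)
returns setof sw_event_log
language sql stable as $$
    select * from sw_event_log
    where level = 'error' and created_at >= since
    order by created_at desc
$$;

-- Constructed sample: one failed step with its raw response stored as an artifact
with ev as (
    insert into sw_event_log (trace_id, agent, step, level, message)
    values ('11111111-2222-3333-4444-555555555555', 'vulnerability_assessment',
            'nvd_lookup', 'error', 'NVD API returned HTTP 429')
    returning id
)
insert into sw_event_artifacts (event_id, kind, payload)
select id, 'nvd_response', '{"status": 429, "retry_after": 30}'::jsonb from ev;
select * from v_trace_timeline where trace_id = '11111111-2222-3333-4444-555555555555';
select * from sw_event_log_errors_since(now() - interval '1 hour');
```

Keeping payloads in the second table means the timeline view and the error RPC stay cheap to query even when individual scan outputs are large.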

Section 05

Deployment and Operations: Support from Development to Production

  • Deployment Requirements: Supabase project, n8n instance, Python 3.11+, Node.js 18+;
  • Workflow Configuration: Provides standardized JSON export files, supports SW_LOG_STEP sub-workflows and SW_ALERT_CRON alerts;
  • Debugging Tools: replay_runner.py for request replay, contract_tests.py for contract testing, Node.js end-to-end testing.


Section 06

Application Scenarios and Value: Target User Groups

Suitable Scenarios:

  • MSP/MSSP: Multi-tenant design improves service efficiency;
  • Small and Medium Enterprises: Open-source solution reduces costs;
  • Security Research/Red Teams: Modular design enables quick setup of experimental environments, and trace_id facilitates data collection.

Section 07

Summary and Outlook: Project Significance and Future Directions

SecureWatch_n8n represents the trend in security automation of breaking processes down into agent units, and it is open-source-friendly. Once the training and incident response agents are implemented, it is expected to become a complete SOC automation solution, and it is worth security teams' attention and a trial.