Alerts Configuration
Alerts let you define rules that automatically notify your team when BleedWatch detects security findings matching your criteria. Configure severity thresholds, choose notification channels, and ensure the right people are informed immediately.
How Alerts Work
An alert rule combines three things:
- Condition — What triggers the alert (finding severity, type, or source)
- Severity Threshold — The minimum severity level that fires the alert
- Channel — Where the notification is sent (email, Slack, webhook, or Telegram)
When a new finding matches a rule's conditions and meets or exceeds its severity threshold, BleedWatch sends a notification to the configured channel.
Creating an Alert Rule
Step 1: Navigate to Alerts
Open Alerts from the dashboard sidebar and click Create Rule.
Step 2: Configure the Rule
| Field | Description |
|---|---|
| Name | A descriptive name (e.g., "Critical findings to #security-alerts") |
| Condition | Free-text description of what this rule monitors (e.g., "All critical and high findings from production assets") |
| Minimum Severity | The lowest severity that triggers this rule |
| Channel | Notification delivery method |
| Destination | Channel-specific target (email address, webhook URL, etc.) |
| Active | Enable or disable the rule without deleting it |
Step 3: Test the Rule
After saving, click Send Test to verify the notification reaches its destination. This sends a sample alert payload so you can confirm delivery and formatting.
Severity Thresholds
Set the minimum severity level for each rule:
| Threshold | Fires On |
|---|---|
| Critical | Critical findings only |
| High | Critical + High |
| Medium | Critical + High + Medium |
| Low | Critical + High + Medium + Low |
| Info | All findings including informational |
Create at least two rules: one for Critical findings sent to an immediate channel (Slack, Telegram), and one for Medium+ findings sent as email for daily review. This prevents alert fatigue while ensuring critical issues get immediate attention.
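The rule evaluation described above (threshold compared against the severity scale, active flag, optional condition on the finding's source), written out as an added illustration. This is not BleedWatch's own code: the field names, the `sources` filter and the sample findings are assumptions made for the example, and the two rules mirror the two-rule recommendation.

```python
# Added illustration of the rule evaluation described above; this is not
# BleedWatch's own code. Field names and the optional source filter are assumed.
from dataclasses import dataclass

# Severity scale from the thresholds table, lowest to highest: a rule whose
# minimum is "high" fires on high and critical findings only.
SEVERITY_ORDER = ("info", "low", "medium", "high", "critical")


def severity_rank(level: str) -> int:
    """Map a severity name to its position on the scale (case-insensitive)."""
    try:
        return SEVERITY_ORDER.index(level.lower())
    except ValueError:
        raise ValueError(f"unknown severity {level!r}") from None


@dataclass
class AlertRule:
    name: str
    min_severity: str
    channel: str                       # "email", "slack", "webhook" or "telegram"
    destination: str                   # address, channel name or URL
    active: bool = True
    sources: frozenset = frozenset()   # assumed source filter; empty = any source


def rule_matches(rule: AlertRule, finding: dict) -> bool:
    """True when an active rule's threshold and (optional) source filter match."""
    if not rule.active:
        return False
    if rule.sources and finding["source"] not in rule.sources:
        return False
    return severity_rank(finding["severity"]) >= severity_rank(rule.min_severity)


def route_finding(finding: dict, rules: list) -> list:
    """Return (rule name, channel, destination) for every rule that fires."""
    return [(r.name, r.channel, r.destination) for r in rules if rule_matches(r, finding)]


def fan_out(findings: list, rules: list) -> dict:
    """Group finding ids by channel, showing how the threshold shapes volume per channel."""
    by_channel = {}
    for f in findings:
        for _name, channel, _dest in route_finding(f, rules):
            by_channel.setdefault(channel, []).append(f["id"])
    return by_channel


# Constructed rules mirroring the two-rule recommendation above.
RECOMMENDED_RULES = [
    AlertRule("Critical findings - immediate", "critical", "slack", "#security-incidents"),
    AlertRule("Medium+ findings - daily review", "medium", "email", "security@example.com"),
]

# Constructed sample findings (ids and values are illustrative only).
SAMPLE_FINDINGS = [
    {"id": "f-1", "severity": "critical", "source": "npm"},
    {"id": "f-2", "severity": "high", "source": "pypi"},
    {"id": "f-3", "severity": "low", "source": "npm"},
    {"id": "f-4", "severity": "info", "source": "github"},
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f["id"], f["severity"], "->", route_finding(f, RECOMMENDED_RULES))
    print(fan_out(SAMPLE_FINDINGS, RECOMMENDED_RULES))
```

With the two recommended rules, the critical finding reaches both Slack and the email digest, the high finding reaches only the digest, and the low and informational findings reach nobody; raising a rule's minimum severity is therefore the first lever when a channel gets too noisy.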
Notification Channels
Email
Send alerts to any email address. Each alert email includes:
- Finding severity and type
- Affected asset/package
- Detection timestamp
- Direct link to the finding in the BleedWatch dashboard
Slack
Two integration methods:
Webhook URL — The simplest option. Create an Incoming Webhook in your Slack workspace and paste the URL. Must match the pattern https://hooks.slack.com/services/T.../B.../....
Bot API — For interactive notifications with action buttons (acknowledge, assign, view details). Requires:
- A Slack Bot Token (xoxb-...)
- A Channel ID (found in channel details → "Copy Channel ID")
The Bot API method enables richer notifications with clickable actions directly in Slack.
Webhook
Send alert data as an HTTP POST to any endpoint. The webhook payload:
```json
{
  "event": "finding.created",
  "severity": "critical",
  "source": "npm",
  "packageName": "[email protected]",
  "secretType": "github_token",
  "secretPreview": "ghp_XXXX...XXXX",
  "detectedAt": "2026-03-25T10:00:00Z"
}
```
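What the receiving endpoint has to do with that payload, as an added example (not BleedWatch code and not a specific SIEM's API): validate the body against the documented fields, normalise it into a flat record, hand it to a queue, and answer with a 2xx straight away. The flat record's key names, the size cap and the in-memory queue are assumptions; the sample body is constructed to follow the documented shape.

```python
# Added example of a receiving endpoint's logic for the payload above: validate
# the body, then hand it to a queue and answer 2xx quickly. This is not
# BleedWatch code; the normalised record layout and size limit are assumptions.
import json
from datetime import datetime, timezone

REQUIRED_FIELDS = frozenset({"event", "severity", "source", "packageName",
                             "secretType", "secretPreview", "detectedAt"})
KNOWN_SEVERITIES = frozenset({"info", "low", "medium", "high", "critical"})
MAX_BODY_BYTES = 64 * 1024      # assumed cap; a finding event is a few hundred bytes
QUEUE: list = []                # stand-in for a real work queue


class WebhookError(ValueError):
    """Raised for any body the endpoint should reject with a 4xx."""


def parse_finding_event(body: bytes) -> dict:
    """Validate a finding.created payload and return a flat record for ingestion."""
    if len(body) > MAX_BODY_BYTES:
        raise WebhookError("body too large")
    try:
        payload = json.loads(body)
    except (UnicodeDecodeError, json.JSONDecodeError):
        raise WebhookError("body is not valid JSON") from None
    if not isinstance(payload, dict):
        raise WebhookError("payload must be a JSON object")
    missing = sorted(REQUIRED_FIELDS - payload.keys())
    if missing:
        raise WebhookError(f"missing fields: {', '.join(missing)}")
    if payload["event"] != "finding.created":
        raise WebhookError(f"unsupported event {payload['event']!r}")
    severity = str(payload["severity"]).lower()
    if severity not in KNOWN_SEVERITIES:
        raise WebhookError(f"unknown severity {payload['severity']!r}")
    try:
        detected = datetime.fromisoformat(str(payload["detectedAt"]).replace("Z", "+00:00"))
    except ValueError:
        raise WebhookError("detectedAt is not an ISO-8601 timestamp") from None
    if detected.tzinfo is None:
        detected = detected.replace(tzinfo=timezone.utc)
    # secretPreview is already masked by the sender; store it as received and
    # never try to reconstruct the secret. Keys below are an assumed layout.
    return {
        "event": payload["event"],
        "severity": severity,
        "source": str(payload["source"]),
        "package": str(payload["packageName"]),
        "secret_type": str(payload["secretType"]),
        "secret_preview": str(payload["secretPreview"]),
        "detected_at": detected.astimezone(timezone.utc).isoformat(),
    }


def handle_webhook(body: bytes) -> tuple:
    """Return (HTTP status, JSON-serialisable response body).

    Enrichment, ticket creation and paging happen off the request path so the
    2xx goes back well inside the sender's 10-second delivery window.
    """
    try:
        record = parse_finding_event(body)
    except WebhookError as exc:
        return 400, {"error": str(exc)}
    QUEUE.append(record)
    return 202, {"queued": len(QUEUE)}


# Constructed sample body following the documented payload shape.
SAMPLE_BODY = json.dumps({
    "event": "finding.created",
    "severity": "critical",
    "source": "npm",
    "packageName": "example-package@1.2.3",
    "secretType": "github_token",
    "secretPreview": "ghp_XXXX...XXXX",
    "detectedAt": "2026-03-25T10:00:00Z",
}).encode()

if __name__ == "__main__":
    print(handle_webhook(SAMPLE_BODY))
    print(handle_webhook(b'{"event": "finding.created"}'))
```

Rejecting malformed bodies with a 400 rather than a 500 keeps the sender's retry logic from hammering the endpoint over a permanent problem, and answering 202 before doing any slow work is what keeps delivery inside the timeout mentioned under Troubleshooting.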
Use webhooks to integrate BleedWatch with:
- SIEM platforms (Splunk, Elastic, Sentinel)
- Incident management (PagerDuty, Opsgenie, ServiceNow)
- Custom automation pipelines
- Internal security dashboards
Webhook URLs are validated for SSRF protection — BleedWatch will not send requests to private IP ranges, loopback addresses, or cloud metadata endpoints.
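The kind of destination check that sentence describes, as an added example. It is not BleedWatch's implementation: the https-only policy, the metadata host list, the extra carrier-grade NAT range and the injectable resolver (so the check runs offline against constructed DNS answers) are all assumptions of this example.

```python
# Added example of the destination check described above; it is not
# BleedWatch's implementation. The resolver is injectable so the check can be
# exercised offline; the https-only rule and extra denied ranges are assumptions.
import ipaddress
import socket
from urllib.parse import urlsplit

# Well-known cloud metadata addresses and hostnames (assumed list).
METADATA_HOSTS = frozenset({"169.254.169.254", "metadata.google.internal", "fd00:ec2::254"})
# Ranges the stdlib does not flag as private but that should never be a webhook target.
EXTRA_DENIED = (ipaddress.ip_network("100.64.0.0/10"),)   # carrier-grade NAT


def _default_resolve(host: str) -> list:
    """Resolve a hostname to every A/AAAA address (needs network access)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_denied(ip) -> bool:
    """True for loopback, private, link-local, metadata and other non-public addresses."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # ::ffff:10.0.0.1 must be judged as 10.0.0.1
    if (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified or not ip.is_global):
        return True
    return any(ip in net for net in EXTRA_DENIED)


def validate_webhook_url(url: str, resolve=_default_resolve) -> list:
    """Return the resolved addresses if the URL is an acceptable webhook target,
    otherwise raise ValueError with the reason."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("webhook URL must use https")
    if not parts.hostname:
        raise ValueError("webhook URL has no host")
    if parts.username or parts.password:
        raise ValueError("credentials are not allowed in the webhook URL")
    host = parts.hostname.lower()
    if host in METADATA_HOSTS:
        raise ValueError("cloud metadata endpoint is not allowed")
    try:
        addrs = [ipaddress.ip_address(host)]        # literal IP in the URL
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    if not addrs:
        raise ValueError(f"{host} did not resolve")
    for ip in addrs:
        if _is_denied(ip):
            raise ValueError(f"{host} resolves to non-public address {ip}")
    return addrs


def is_allowed_webhook_url(url: str, resolve=_default_resolve) -> bool:
    """Boolean convenience wrapper around validate_webhook_url."""
    try:
        validate_webhook_url(url, resolve)
        return True
    except ValueError:
        return False


# Constructed DNS answers so the example runs offline (names and addresses are
# illustrative; 93.184.216.34 stands in for any public address).
CONSTRUCTED_DNS = {
    "siem.example.com": ["93.184.216.34"],
    "intranet.example.com": ["10.0.0.5"],
    "mapped.example.com": ["::ffff:127.0.0.1"],
}


def constructed_resolve(host: str) -> list:
    return CONSTRUCTED_DNS.get(host, [])


if __name__ == "__main__":
    for candidate in ("https://siem.example.com/api/ingest",
                      "https://intranet.example.com/hook",
                      "https://127.0.0.1:8443/hook"):
        print(candidate, "->", is_allowed_webhook_url(candidate, constructed_resolve))
```

A check like this resolves the name once at validation time, so the sender should also connect to the address it validated (or re-run the check on every delivery) rather than trusting a later DNS answer; otherwise a name that passes validation today can point somewhere else tomorrow. Checking every returned address, not just the first, matters for the same reason.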
Telegram
Send alerts to a Telegram chat or group. Configure with your Telegram Bot token and chat ID.
Managing Rules
From the Alerts page, you can:
- Enable/Disable — Toggle a rule on or off without deleting it
- Edit — Modify any rule configuration
- Delete — Permanently remove a rule
- Filter — View rules by channel type or active status
Common Configurations
Security Team — Immediate Critical Alerts
| Setting | Value |
|---|---|
| Name | Critical findings — immediate |
| Severity | Critical |
| Channel | Slack (Bot API) |
| Destination | #security-incidents |
Engineering Lead — Daily High+ Summary
| Setting | Value |
|---|---|
| Name | High+ findings — engineering |
| Severity | High |
| Channel | Email |
| Destination | [email protected] |
SIEM Integration — All Findings
| Setting | Value |
|---|---|
| Name | SIEM ingest — all findings |
| Severity | Info |
| Channel | Webhook |
| Destination | https://siem.yourcompany.com/api/ingest/bleedwatch |
Troubleshooting
Alerts Not Firing
- Verify the rule is Active (not disabled)
- Check the severity threshold — findings below the threshold won't trigger the rule
- Click Send Test to verify the destination is reachable
- For Slack webhooks, confirm the URL hasn't been revoked in your Slack workspace settings
Webhook Delivery Failures
If webhooks fail to deliver:
- Ensure your endpoint is publicly accessible (BleedWatch cannot reach private networks)
- Check that your endpoint responds with a 2xx status code within 10 seconds
- Verify the URL passes SSRF validation (no private IPs, no loopback)
Too Many Alerts
If alert volume is overwhelming:
- Raise the severity threshold (e.g., from Low to High)
- Make the condition more specific
- Use email with Daily Digest for lower-severity findings instead of real-time channels
Related
- Settings & Integrations — Configure Slack and webhook integrations
- Honeytokens — Set up alerts for honeytoken triggers
- Findings — Understanding finding severities and types