
Builder Template Library and Marketplace


Category: Modules | Last Updated: May 26, 2026
Tags: modules, real-time, compliance

Overview

Teams should never have to build a security workflow, threat model, or investigation playbook from a blank canvas when a proven one already exists. The Builder Template Library brings semantic discovery, governed cross-organisation sharing, and inline collaborative review together on top of the platform's visual builder, so analysts start from vetted, ready-to-adapt foundations.

Three connected capabilities work as one. Semantic discovery surfaces the most relevant workflows, threat models, playbooks, alert flows, and investigation storyboards from a single artefact or a free-text description. A governed marketplace lets one organisation publish a non-sensitive artefact and lets others install an approved copy into their own workspace with full provenance. Inline threaded comments let reviewers annotate individual nodes and edges without leaving the canvas. Together they turn institutional knowledge into reusable, searchable, shareable assets.

Key Features

  • Semantic artefact discovery: A vector index ranks the top-K artefacts most similar to a chosen artefact, returning each result with its title, similarity score, type, classification, and owning organisation so analysts can judge relevance at a glance.

  • Free-text template search: Describe what you need in plain language, such as "phishing triage playbook" or "API gateway threat model", and receive semantically ranked matches, including curated seed templates, in seconds rather than browsing folders.

  • Curated seed library: The index is populated at startup with proven, ready-to-use templates, including CACAO-aligned response playbooks for sanctions and phishing, STRIDE threat-model scaffolds for web applications and API gateways, SOC alert-triage flows, real-time sanctions-watch alert flows, and structured investigation storyboards. All seeds are unclassified and visible to every tenant.

  • Governed cross-org marketplace: Any organisation can publish an eligible artefact as a listing. Other organisations browse approved listings, filter by type, tag, or keyword, and see install counts to gauge popularity, while publishers track the status of their own listings.

  • Secrecy gate on publication: Only unclassified artefacts can be listed. Confidential or higher classifications are blocked at publication, and the gate fails closed so a lookup error never lets a sensitive artefact leak.

  • Review and approval workflow: Every listing moves through a review cycle with PENDING, APPROVED, and REJECTED states. Platform administrators can review listings across organisations; other reviewers are scoped to their own organisation, keeping governance both safe and delegable.

  • One-click install with provenance: Installing an approved listing forks the artefact into your workspace as an editable draft and records a provenance link back to the source artefact and source organisation, supporting traceability and audit.

  • Inline threaded comments: Reviewers attach comments to any node or edge of an artefact, reply in threads, and resolve or delete them through a clear lifecycle, closing the peer-review loop inside the builder without external tooling.

Use Cases

  • Security operations centres: A SOC engineer searches for a phishing-triage starting point and immediately receives semantically ranked playbooks, including CACAO-aligned seeds, then forks the closest match and tailors it to local tooling.

  • Compliance and financial crime teams: AML analysts adopt sanctions-screening alert flows and sanctions-hit response playbooks aligned to UN, EU, and OFAC list structures, sharing refined versions across partner organisations through the governed marketplace.

  • Application security and architecture review: Engineers begin a new design review from a STRIDE threat-model scaffold for a web application or API gateway, then annotate specific trust boundaries and control nodes with inline comments during peer review.

  • Managed security service providers: A provider curates a library of proven workflows and threat models and publishes them so client organisations install governed, approved copies into their own workspaces, with provenance preserved for each fork.

  • Incident response and investigations: Responders adopt structured investigation storyboards and incident post-mortem templates to standardise how cases are documented and reviewed across teams.

Integration

The library is exposed through a typed GraphQL API. Semantic discovery is available through the similar-artefacts and similar-artefacts-by-text fields, each accepting an artefact type, a result count, and an optional cross-organisation flag that requires administrative privilege. The marketplace exposes browse and listing fields for discovery alongside publish, install, review, and withdraw operations for the full publication lifecycle. Inline collaboration is served by comment read, add, resolve, and delete operations keyed to an artefact and an optional node or edge identifier.

Every operation runs behind OAuth 2.0 Bearer authentication with JSON Web Tokens, and each resolver enforces organisation scoping and role checks before any read or write. Results are returned as normalised records (artefact identifier, type, title, score, classification, organisation), so a customer can wire discovery and marketplace actions straight into their own builder front end, a partner portal, or an automated provisioning pipeline. The benefit is concrete: discovery, sharing, and review all happen over one consistent, permission-aware surface rather than bespoke per-feature endpoints.
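The scoping rule for discovery described above, as an added sketch that is not the platform's own resolver code: the caller's organisation and admin role are assumed to come from already-validated JWT claims, and the function name, record keys, type labels, and toy vectors are all hypothetical.

```python
import math

class Forbidden(Exception):
    """Raised when a caller requests a scope their role does not allow."""

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0

def similar_artefacts(index, query_vec, artefact_type, k, caller_org,
                      is_admin=False, cross_org=False):
    """Return the top-k visible artefacts of one type, most similar first."""
    # Role check happens before any read, as the page describes.
    if cross_org and not is_admin:
        raise Forbidden("cross-organisation discovery requires an admin role")
    visible = [
        a for a in index
        if a["type"] == artefact_type
        and (cross_org or a["seed"] or a["org"] == caller_org)
    ]
    # Scope first, rank second: out-of-scope artefacts never receive a score.
    ranked = sorted(visible, key=lambda a: cosine(query_vec, a["vec"]), reverse=True)
    return [
        {"id": a["id"], "type": a["type"], "title": a["title"],
         "score": round(cosine(query_vec, a["vec"]), 3),
         "classification": a["classification"], "organisation": a["org"]}
        for a in ranked[:k]
    ]

# Constructed sample index; vectors are toy 3-dimensional embeddings.
INDEX = [
    {"id": "seed-1", "type": "PLAYBOOK", "title": "Phishing triage (seed)", "org": "platform",
     "seed": True, "classification": "UNCLASSIFIED", "vec": [0.9, 0.1, 0.0]},
    {"id": "a-1", "type": "PLAYBOOK", "title": "Org A mail triage", "org": "org-a",
     "seed": False, "classification": "UNCLASSIFIED", "vec": [0.6, 0.8, 0.0]},
    {"id": "a-2", "type": "THREAT_MODEL", "title": "Org A gateway model", "org": "org-a",
     "seed": False, "classification": "UNCLASSIFIED", "vec": [1.0, 0.0, 0.0]},
    {"id": "b-1", "type": "PLAYBOOK", "title": "Org B phishing response", "org": "org-b",
     "seed": False, "classification": "UNCLASSIFIED", "vec": [1.0, 0.0, 0.0]},
]
```

Filtering before ranking means a non-admin caller cannot infer that another tenant holds a closely matching artefact from scores or result counts.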

Open Standards

  • CACAO v2.0 (OASIS CS02): The seed response playbooks for sanctions and phishing are explicitly aligned to the Collaborative Automated Course of Action Operations specification, so adopted playbooks map cleanly onto interoperable, vendor-neutral response automation.
  • STRIDE threat modelling (MITRE methodology): The threat-model seeds are structured around the STRIDE categories of Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege, giving teams a recognised, repeatable modelling framework.
  • OAuth 2.0 and PKCE (IETF RFC 6749 and RFC 7636): The API gateway STRIDE seed references OAuth 2.0 with Proof Key for Code Exchange as a control node, anchoring authorisation guidance to the established IETF authorisation framework.
  • UN, EU, and OFAC sanctions list structures: The sanctions alert-flow and response playbook seeds reference United Nations, European Union, and Office of Foreign Assets Control list structures, aligning screening templates with the authoritative sources used in AML and sanctions compliance.
  • OAuth 2.0 and Bearer Token (IETF RFC 6749 and RFC 6750): All library, marketplace, and comment operations accept OAuth 2.0 Bearer tokens for authorisation across the API.
  • JSON Web Token (IETF RFC 7519): Caller identity, organisation, and role claims are carried in signed JWTs that the platform validates before enforcing any access decision.
  • GraphQL: Discovery, marketplace, and collaboration capabilities are all served through a single typed GraphQL schema with per-resolver permission enforcement.

Security and Compliance

Classification is enforced at the point of sharing: only unclassified artefacts can be published, and the secrecy gate fails closed so a database error defaults to the most restrictive outcome rather than risking exposure. Cross-organisation discovery is gated behind administrative roles, and a non-administrative reviewer can only act on listings from their own organisation, preventing privilege escalation across tenants. Installs fork a copy into the installer's own workspace and strip sensitive properties, while the provenance link records exactly which template was adopted and from which organisation, supporting audit and review requirements. Comments and listings are organisation-scoped throughout, so collaboration never crosses a boundary that governance has not approved.
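A sketch of the three controls in this section (fail-closed secrecy gate, organisation-scoped review, install with provenance), added here as an illustration and not taken from the platform's code. The function names, the `"UNCLASSIFIED"` label, the record shapes, and the `lookup_classification` callback are assumptions; caller organisation and role are assumed to come from validated JWT claims.

```python
from dataclasses import dataclass
from enum import Enum

class Status(Enum):
    PENDING = "PENDING"
    APPROVED = "APPROVED"
    REJECTED = "REJECTED"

class Denied(Exception):
    """Raised when a gate or scope check refuses the operation."""

@dataclass
class Listing:
    artefact_id: str
    org: str
    status: Status = Status.PENDING

def publish(artefact_id, org, lookup_classification):
    """Secrecy gate: list only when the classification is provably unclassified."""
    try:
        classification = lookup_classification(artefact_id)
    except Exception:
        # Fail closed: a failed lookup is treated as the most restrictive outcome.
        raise Denied("classification lookup failed") from None
    if classification != "UNCLASSIFIED":  # None and unknown labels are refused too
        raise Denied(f"classification {classification!r} cannot be listed")
    return Listing(artefact_id, org)

def review(listing, reviewer_org, is_platform_admin, decision):
    """Non-admin reviewers may only act on listings from their own organisation."""
    if decision not in (Status.APPROVED, Status.REJECTED):
        raise ValueError("decision must be APPROVED or REJECTED")
    if not is_platform_admin and reviewer_org != listing.org:
        raise Denied("reviewer is scoped to their own organisation")
    listing.status = decision
    return listing

def install(listing, installer_org, source_props, sensitive_keys):
    """Fork an approved listing as a draft, strip sensitive props, keep provenance."""
    if listing.status is not Status.APPROVED:
        raise Denied("only approved listings can be installed")
    props = {k: v for k, v in source_props.items() if k not in sensitive_keys}
    return {"org": installer_org, "state": "DRAFT", "props": props,
            "provenance": {"source_artefact": listing.artefact_id,
                           "source_org": listing.org}}
```

The gate compares against the single permitted value instead of a deny-list of classified labels, so a missing, null, or newly introduced classification is blocked by default.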

Last Reviewed: 2026-05-26 | Last Updated: 2026-06-01
