Notify: Streaming Security Tool Output to Team Communication Platforms
Hook
Most security teams still copy-paste reconnaissance results into Slack manually, or worse, let them accumulate in terminal scrollback buffers until context is lost. There’s a better way.
Context
Security reconnaissance workflows generate streams of data from tools like subfinder, httpx, and nuclei. The challenge isn’t just capturing this output; it’s getting actionable results in front of the right people at the right time.
Traditional approaches fall short: redirecting output to files creates data silos that require manual review, email notifications lack context and get buried in inboxes, and building custom integrations for each tool-platform combination becomes unmaintainable. ProjectDiscovery built notify to solve this specific problem—streaming security tool output directly into team communication channels with minimal configuration overhead. It’s the glue layer between command-line reconnaissance tools and platforms like Slack, Discord, and Telegram, designed specifically for security teams running automated scans.
Technical Insight
Notify operates as a pipeline filter, reading from stdin or files and dispatching formatted messages to configured providers through their webhook APIs. The tool is a single Go binary that treats notification delivery as a streaming operation.
The core workflow revolves around a provider configuration file at $HOME/.config/notify/provider-config.yaml that defines your communication endpoints:
slack:
- id: "recon"
slack_channel: "recon"
slack_username: "scanner"
slack_format: "{{data}}"
slack_webhook_url: "https://hooks.slack.com/services/XXXXXX"
- id: "vulns"
slack_channel: "vulns"
slack_username: "scanner"
slack_format: "New finding: {{data}}"
slack_webhook_url: "https://hooks.slack.com/services/YYYYYY"
discord:
- id: "subs"
discord_channel: "subdomains"
discord_username: "recon-bot"
discord_format: "{{data}}"
discord_webhook_url: "https://discord.com/api/webhooks/XXXXXXXX"This multi-provider, multi-ID design enables sophisticated routing. You can pipe subdomain enumeration results to your #recon Slack channel while sending vulnerability findings to #vulns—all from a single configuration file. The -id flag controls destination selection: subfinder -d example.com | notify -id recon routes to the Slack recon channel, while nuclei -l targets.txt | notify -id vulns sends findings elsewhere.
The formatting system uses Go template syntax with a {{data}} variable representing each input line. This allows custom message prefixes and structured formatting. For high-volume output, the -bulk flag batches messages instead of sending line-by-line, and -char-limit (default 4000) prevents webhook rejections from platforms with message size restrictions.
Rate limiting is built-in through the -rate-limit flag, which caps HTTP requests per second to prevent API throttling: cat results.txt | notify -bulk -rate-limit 5 -id recon sends batched notifications at a controlled pace. The -delay flag adds fixed intervals (in seconds) between messages for even finer control.
Here’s a realistic security workflow combining multiple ProjectDiscovery tools:
# Discover subdomains and notify on each find
subfinder -d example.com -silent | notify -id subs
# Probe live hosts and send batched results
httpx -l subdomains.txt -silent | notify -bulk -id recon
# Scan for vulnerabilities with custom formatting
nuclei -l targets.txt -severity critical -silent | \
notify -id vulns -msg-format "🚨 Critical: {{data}}"The provider ecosystem extends beyond Slack and Discord to Telegram (with parse mode options: None/Markdown/MarkdownV2/HTML), Pushover (with device targeting), SMTP email (with CC support and optional HTML formatting), Microsoft Teams, Google Chat, and Gotify. Each provider gets its own configuration block with platform-specific parameters. Telegram supports topic IDs for forum-style chats through the telegram_chat_id field formatted as CHATID:TOPICID.
Custom webhooks enable integration with arbitrary HTTP endpoints. The README shows three approaches: basic formatting with custom_format, JSON string formatting with custom_format: '{"text":{{dataJsonString}} }', and Sprig templating with custom_sprig: '{"text":"{{ .url }}"}'. Custom headers (like Content-Type and X-Api-Key) are supported for authentication.
Gotcha
Notify’s simplicity means it appears to lack delivery guarantees—the README doesn’t document retry logic, message queuing, or delivery acknowledgment. The tool’s streaming architecture suggests a fire-and-forget approach where failed webhook calls may result in lost notifications.
The character limit handling requires manual tuning per provider. The default 4000-character limit works for most platforms, but exceeding it will likely truncate your data. For structured output like JSON vulnerability reports, this could chop off critical fields. You’ll need to experiment with -char-limit values for your specific use case, or pre-process output to ensure important data appears first. The -bulk flag enables batched sending, but the README doesn’t specify how batch sizes are determined or if they’re configurable beyond the character limit.
The proxy support (-proxy flag) accepts HTTP/SOCKSv5 proxies, but there’s no documentation on authentication or behavior when the proxy is unreachable.
Verdict
Use notify if you’re running security reconnaissance tools and need instant visibility into results across team communication channels. It excels at streaming tool output (subdomain enumeration, port scanning, vulnerability detection) to organized Slack/Discord workflows, and the multi-provider routing with IDs is genuinely useful for separating signal types. The zero-infrastructure deployment (single binary, YAML config) makes it trivial to integrate into existing CI/CD pipelines or cron jobs. The tool supports eight provider types (Slack, Discord, Telegram, Pushover, SMTP, Teams, Google Chat, Gotify) plus custom webhooks, with features like rate limiting (-rate-limit), delays (-delay), bulk mode (-bulk), and custom message formatting (-msg-format).
Skip notify if you need guaranteed message delivery or complex notification orchestration. The README doesn’t document retry mechanisms or persistence, suggesting this is a straightforward pipe-to-webhook tool rather than a robust alerting platform. Also skip it if your notification needs require message transformation beyond simple template formatting—the tool focuses on getting tool output to webhooks quickly, not on sophisticated data processing.
