ComfyUI for Security: Visual AI Pipelines for Threat Analysis

Amit Nepal
Security Engineer · Linux & Infrastructure · Offensive Security
Jun 1, 2026 · 1 min read
AI & Agents

ComfyUI started as a node-based interface for Stable Diffusion. The security community has adapted it into something more interesting: a visual pipeline builder for AI-powered security workflows. If you think better in diagrams than code, this changes how you build automation.

Why a visual pipeline for security?

Complex multi-step security workflows are hard to reason about as code. A ComfyUI-style graph lets you see exactly how data flows — from raw log input through enrichment, analysis, and output.

[Log Source] → [Parser] → [Entity Extractor] → [Threat Intel Lookup]
                                                        ↓
[Alert Output] ← [Risk Scorer] ← [LLM Analyst] ← [Context Aggregator]

Setting up a security-focused ComfyUI instance

# The Docker way (no host install needed).
# $(pwd) keeps the bind mounts absolute, which every Docker version accepts.
docker run -p 8188:8188 \
  -v "$(pwd)/workflows":/workflows \
  -v "$(pwd)/models":/models \
  security-comfyui:latest

The security fork adds nodes for:

  • SIEM connectors (Splunk, Elastic, QRadar)
  • Threat intel feeds (MISP, OTX, VirusTotal)
  • LLM analysis (OpenAI, Anthropic, local models via Ollama)
  • IOC extractors (IPs, hashes, domains, CVEs)
  • Alert formatters (Slack, PagerDuty, JIRA)

Example: Automated phishing analysis pipeline

Build a visual workflow that:

  1. Receives raw email via webhook
  2. Extracts URLs, attachments, sender info
  3. Queries VirusTotal for each IOC
  4. Feeds everything to an LLM for triage summary
  5. Routes HIGH severity to PagerDuty, MEDIUM to JIRA

No code. Just nodes and connections. Shareable as a JSON workflow file.
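To make the graph in the overview and the five-step phishing pipeline concrete, here is an added example (not the post's code and not the security fork's node implementations): the pipeline written in the shape of a ComfyUI API-format workflow JSON, where an input of the form [node_id, output_index] is an edge, and run by a small dependency-ordered executor. The node class names, the sample email, the regexes and the intel scores are constructed stand-ins for the real connector nodes.

```python
import re
# Constructed sample email and intel table; neither comes from the post.
SAMPLE_EMAIL = """From: billing@example-invoices.test
Subject: Overdue invoice
Please review http://pay.example-invoices.test/inv/123 before Friday.
Attachment hash: 0123456789abcdef0123456789abcdef
"""
FAKE_INTEL = {"pay.example-invoices.test": 7}  # stands in for a VirusTotal score
# Same shape as ComfyUI's API-format workflow JSON: node id -> class_type and
# inputs, where an input of the form [node_id, output_index] is an edge.
WORKFLOW = {
    "1": {"class_type": "WebhookEmail", "inputs": {"raw": SAMPLE_EMAIL}},
    "2": {"class_type": "IOCExtractor", "inputs": {"text": ["1", 0]}},
    "3": {"class_type": "ThreatIntelLookup", "inputs": {"iocs": ["2", 0]}},
    "4": {"class_type": "RiskScorer", "inputs": {"hits": ["3", 0]}},
    "5": {"class_type": "AlertRouter", "inputs": {"severity": ["4", 0]}},
}
IOC_PATTERNS = {"url": re.compile(r"https?://[^\s\"'<>]+"),
                "md5": re.compile(r"\b[a-fA-F0-9]{32}\b"),
                "sender": re.compile(r"^From:\s*(\S+)", re.M)}

def node_extract(text):
    return {kind: pat.findall(text) for kind, pat in IOC_PATTERNS.items()}
def node_lookup(iocs):  # score URL hosts and hashes; unknown indicators score 0
    keys = [u.split("/")[2] for u in iocs["url"]] + iocs["md5"]
    return {k: FAKE_INTEL.get(k, 0) for k in keys}
def node_score(hits):
    worst = max(hits.values(), default=0)
    return "HIGH" if worst >= 5 else "MEDIUM" if worst > 0 else "LOW"
def node_route(severity):  # step 5 of the post: HIGH -> PagerDuty, MEDIUM -> JIRA
    return {"HIGH": "pagerduty", "MEDIUM": "jira"}.get(severity, "log-only")
NODE_IMPL = {"WebhookEmail": lambda raw: raw, "IOCExtractor": node_extract,
             "ThreatIntelLookup": node_lookup, "RiskScorer": node_score,
             "AlertRouter": node_route}

def run_workflow(workflow):
    # Evaluate each node once, edges first; a wired-up cycle raises instead of looping.
    done, active = {}, set()
    def evaluate(nid):
        if nid in done: return done[nid]
        if nid in active: raise ValueError(f"cycle through node {nid}")
        active.add(nid)
        node, kwargs = workflow[nid], {}
        for name, val in node["inputs"].items():
            is_edge = isinstance(val, list) and len(val) == 2 and val[0] in workflow
            kwargs[name] = evaluate(val[0]) if is_edge else val  # single-output nodes
        done[nid] = NODE_IMPL[node["class_type"]](**kwargs)
        active.discard(nid)
        return done[nid]
    return {nid: evaluate(nid) for nid in workflow}
```

Running `run_workflow(WORKFLOW)` returns every node's output keyed by node id, so the same dict can be dumped back to JSON and shared the way the post describes.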

The serious use case: collaborative threat hunting

Workflows are shareable JSON files. A threat hunter can build a hunt workflow, share it with the team, and everyone runs the same logic against their own data sources. This is how you standardize detection across a distributed SOC.

Defensive note

ComfyUI pipelines that call hosted LLM APIs send your data to a third party for processing. For sensitive log analysis, run local models via Ollama or use an on-premise deployment.
