Webhook Notifications
Webhooks allow Catchify to send real-time notifications to any system that can receive HTTP requests. This is useful if you want to integrate Catchify with custom tools, internal dashboards, ticketing systems, or communication platforms beyond Slack and Jira.
What Are Webhooks?
A webhook is a way for Catchify to automatically send information to another system when something happens -- like a new finding being discovered or a report being submitted. Instead of your system checking Catchify for updates, Catchify pushes updates to your system as they occur.
Setting Up a Webhook
Navigate to Integrations in the main menu
Find the Webhooks card and click Configure
Click Add Webhook
Enter the following details:
URL -- The endpoint where Catchify should send notifications (provided by your receiving system)
Name -- A friendly name for this webhook (for example, "Internal Dashboard" or "ServiceNow Integration")
Events -- Select which events should trigger this webhook
Click Save
Available Events
You can configure your webhook to send notifications for any combination of these events:
finding.created
A new finding is discovered
finding.updated
A finding's status or details change
report.created
A new bug bounty report is submitted
report.updated
A bug bounty report status changes
retest.completed
A retest has been completed
project.started
A penetration testing engagement begins
project.completed
A penetration testing engagement finishes
comment.created
A new comment is added to a finding or report
What Gets Sent
When an event occurs, Catchify sends an HTTP POST request to your webhook URL. The request includes a JSON body with details about the event, such as:
The event type
A timestamp
Key details about the finding, report, or project that triggered the event
A link to view the full details in the Catchify portal
Your technical team can use the event data to build custom workflows -- for example, automatically creating tickets in a custom ticketing system, updating a security dashboard, or triggering alerts in a monitoring tool.
Securing Your Webhooks
To ensure that webhook notifications are genuinely from Catchify (and not from a malicious source), each webhook request includes an HMAC signature in the request headers. Your receiving system can verify this signature to confirm the request is authentic.
When you create a webhook, Catchify generates a signing secret that is displayed once. Share this secret with your technical team so they can configure signature verification on the receiving end.
Store your webhook signing secret securely. If you lose it, you can regenerate a new one from the webhook settings -- but you will need to update your receiving system with the new secret.
Managing Your Webhooks
From the Webhooks configuration page, you can:
View delivery history -- See a log of all notifications sent, including response codes from your endpoint
Edit a webhook -- Change the URL, name, or selected events
Test a webhook -- Send a test event to verify your endpoint is working
Disable a webhook -- Temporarily stop sending notifications without deleting the configuration
Delete a webhook -- Permanently remove the webhook
Troubleshooting
If your webhook notifications are not arriving:
Check the delivery log -- Look for error response codes that indicate what went wrong
Verify the URL -- Make sure the webhook URL is correct and publicly accessible
Check your firewall -- Ensure your receiving system allows incoming requests from external sources
Review the endpoint -- Make sure your endpoint returns a 200 status code to acknowledge receipt
If deliveries fail repeatedly, Catchify will automatically disable the webhook after a number of consecutive failures. You will see a notification in the portal when this happens.
Webhooks are the most flexible way to integrate Catchify with your existing tools and workflows. If you can receive an HTTP request, you can integrate with Catchify.
Last updated