Most teams hit the same wall with scripted automation. A workflow that handles phishing alerts, employee onboarding, ticket triage, or identity checks runs fine for six months, then breaks when inputs vary, or another tool joins the chain.
Tines' Voice of Security 2026 research puts numbers to the cost. Security professionals spend 44% of their time on manual, repetitive work, 76% report burnout, and 81% say workloads have increased. The pattern doesn't stop at security. Across IT, customer support, and incident response, deterministic automation alone can't keep up with the variability of real work.
The fix isn't more automation. Forrester research commissioned by Tines found that 88% of leaders say that without orchestration, AI stays fragmented.
Intelligent workflow platforms exist to give teams that orchestration layer. They combine deterministic rules for the predictable bulk, agentic AI for ambiguity, and human-in-the-loop checkpoints for high-stakes decisions, all running together on one surface.
The seven intelligent workflow examples below come from real Tines customers, including Personio, Vimeo, Intercom, Bitpanda, Sophos, Mars, and GitLab. Each shows the automation the team started with, the failure mode that forced a rethink, and the intelligent workflow running in production today.
What makes a good intelligent workflow example?
An intelligent workflow example isn't a screenshot of a trigger-action pair. It's a system with history. Most articles inventory tasks that can be scripted without showing the system that runs in production, the failure modes it hit, or the design decisions that resolved them.
A useful example shows what the team tried first, where that approach hit a wall, and what changed when they moved past basic automation into something more intelligent.
The shift usually follows a consistent arc:
Alert volumes climb
Edge cases multiply
Another tool gets added to the chain
Deterministic logic alone can't keep pace
The team builds an intelligent workflow that handles the predictable bulk with rules, uses agentic AI to reason through ambiguity, and routes high-stakes decisions to human checkpoints. That combination, deterministic plus agentic plus human-in-the-loop on one surface, is an intelligent workflow.
7 intelligent workflow examples from Tines customers
Each example follows the same arc. The team's starting automation, the failure mode that forced a rethink, and the intelligent workflow running today. All seven map to published Tines case studies.
1. Security operations: phishing alert triage at Personio
Personio's security team relied on manual scripts for security workflows. As Lead Security Engineer Victor Lima described it, those scripts could break inside six months. That's the familiar failure mode for any security automation that works only until formats change, tools shift, or alert volume climbs.
Before: Manual scripts supported alert triage, but they were slow to debug, prone to breaking, and connected siloed security tools through custom logic.
The shift: Personio moved from fragile scripts to Tines Stories (Tines' term for workflows) for alert enrichment and triage. The Stories handle normalization, IOC (indicators of compromise) enrichment, and ticketing.
The team also built AI-powered incident summarization, case generation, and remediation recommendations on top.
After: Personio decreased mean time to detect and mean time to respond and absorbed a heavier workload without growing the team. Lima put it directly: "Any story that we build in Tines will decrease either the time to detect or the time to respond."
2. Security operations: vulnerability ticket enrichment at Vimeo
Vimeo's security team manually enriched vulnerability findings before creating tickets for remediation. Each finding needed context from the scanner, asset ownership data, patch availability, and risk scoring before an engineer could act on it. That enrichment step alone consumed 20 to 40 minutes per ticket.
Before: Vulnerability alerts didn't enter the ticketing system cleanly. Manual comparison and export cycles weren't built for daily change. Quarterly audits surfaced issues that should have been caught daily.
The shift: Vimeo built intelligent workflows in Tines for vulnerability management and ticket creation, pulling findings from GitGuardian, Cobalt, and HackerOne into clean Jira tickets. The team also built a UKG-to-Okta identity reconciliation workflow that runs every morning, and used Tines plus Gemini to correct 2,000+ historical Jira tickets.
After: Vimeo freed 1,000+ hours of security and IT capacity by correcting those 2,000+ historical tickets, saved 20 to 40 minutes per new vulnerability ticket, and saved another 20+ hours per month on daily identity checks.
Senior identity and access management (IAM) Manager Connor Murphy said, "I couldn't connect every technology I use easily without Tines. The audit trail that Tines provides is incredible."
3. IT operations: employee onboarding and consolidation at Intercom
Intercom's IT team had partial automation through Workato, but pricing limited what they could build, change control was thin, and every new automation idea became a cost question. Slackbot integrations stacked up, with expensive per-bot pricing and alert fatigue, and the access-request flow lived in those bots, too.
Before: Workato handled some recipes but couldn't be a single platform for IT and adjacent teams. Building one new workflow took two months.
The shift: Intercom replaced Workato with Tines, starting with a proof of concept that converted 15 Workato recipes into a single Tines Story. The team built an employee lifecycle workflow that runs Workday → Okta via AWS Redshift (the engineer at Tines built it in a week), eliminated the Slackbot-based access request system, and migrated the full library to Tines.
After: Build time dropped from two months to two hours. The team built 16 new workflows in four months and consolidated 15 recipes into 1 Story.
According to Director of IT Emanuele Sparvoli, "Intercom's future is being built on Tines."
4. Security operations: access governance and novel detection at Bitpanda
Bitpanda's corporate IT security team had no automation outside of what came built into their existing tools. Alert fatigue from high volumes was constant, and IAM processes were manual. Detection rules had to stay simple to avoid drowning the team in noise.
Before: Inactive users and failed offboarding events were caught late, if at all. Mandatory application monitoring was a spreadsheet exercise.
The shift: Bitpanda built intelligent workflows in Tines that combine deterministic monitoring with cross-system context. The signature workflow is "Work from Anywhere" detection, which verifies logins against Workday travel data and routes alerts through OpsGenie.
The team also built proactive Slackbot engagement for security events, inactive user and asset detection, application monitoring through Elastic and Jumpcloud, and Google Workspace device management.
After: Bitpanda built more complex detection rules without alert overload and added capabilities they couldn't run before.
Corporate IT Security Lead Martin Schlatzer said, "With Tines, we're capable of building more complex detection rules, based on our organization's needs. Without Tines, we would not be able to do this at all."
5. Security operations: case enrichment and analyst time at Sophos
Sophos' security team faced the common SecOps problem. By the time an analyst opened a case, they needed to gather context from multiple tools before they could even decide what kind of case it was. Component-style automation existed in pieces, but nothing tied it together end-to-end.
Before: Analysts manually opened multiple tools to pull context for each case, which slowed response and inflated time-per-case numbers.
The shift: Sophos built intelligent workflows in Tines that pre-enrich every case before a human sees it. AI Agent Action steps (Tines' embedded AI step) read the case, assess intent and urgency, pull customer context, and classify accordingly.
High-confidence cases route automatically. Cases that need a human analyst arrive with the AI's assessment and supporting context already attached, not as a raw submission.
After: Sophos cut analyst time per case by 50% across more than 20 automated use cases, including phishing analysis and privileged access monitoring.
In Senior Security Engineer Tom Sage‘s words, "Thanks to Tines, the first time an analyst looks at the case, they already have all the information they need."
6. Multi-team expansion: from one team to five at Mars
Mars built its security automation practice on Splunk SOAR (security orchestration, automation, and response). One engineer could adequately use it. Lead times for new use cases were long, and 200 Phantom playbooks accumulated over the years.
Before: A single point of failure ran everything. Cross-team adoption was hypothetical because the platform demanded developer skills that most teams didn't have.
The shift: Mars migrated 100% from Splunk SOAR to Tines, consolidated 200 playbooks into 79 Tines Stories, and onboarded five teams (security, IT, data analytics, and others) in six months.
Onboarding time dropped from one to two months on Splunk to one day on Tines. One Microsoft Power Automate skeptic on the team became, as Mars described it, a heavy advocate.
As Director of Cyber Threat and Vulnerability Gregory Poniatowski put it, "He's now a heavy advocate for Tines! He was converted very quickly because of the flexibility that you just don't get with something like Power Automate."
After: Five teams now build intelligent workflows on the same platform, with 80 to 90% true positive coverage of sources within weeks of onboarding.
Poniatowski added, "It gives us an opportunity to bring automation into areas of the organization that just don't have developers to implement automation in the more traditional way."
7. Incident response: pager noise and audit trail at GitLab
GitLab's incident response team automated some of its workflows through manual scripts. The scripts worked, but they were slow to write, hard to maintain on a small team, and didn't carry a consistent audit context.
Before: The team got paged for 100% of alerts. Severity calculations varied across analysts. Shift handovers depended on tribal knowledge.
The shift: GitLab built intelligent workflows in Tines for incident reporting and triage, with severity and priority calculation that conditionally activates PagerDuty. Alert handling automatically pulls context, deduplicates, and correlates against history.
A gamified shift-handover workflow ("Handogotchi") documents what happened across shifts. Spam and phishing analysis runs through VirusTotal and creates GitLab issues with a maliciousness rating attached. The team trained 13 certified Tines builders along the way.
After: Pager noise dropped 80%, from 100% of alerts to roughly 20%. One incident-reporting workflow alone saves 240+ hours per year. Across 77 active workflows, GitLab saves 1,000+ hours annually.
According to Security Manager Valentine Mairet, “Tines has really made our lives easier and reduced the likelihood of burnout."
Patterns across the intelligent workflow examples
Four design patterns appear consistently across all seven customers. These aren't theoretical principles.
They're the structural decisions that made the difference between automation that broke and intelligent workflows that held.
Event-driven, not batch: Personio and Vimeo handle alerts and findings as events move through the system, not as periodic cleanup. GitLab fires its incident workflow the moment an alert lands. Bitpanda's "Work from Anywhere" detection runs against logins as they happen. Workflows that depend on fast handoffs across systems can't wait for a nightly batch.
AI for assist, not authority: In every example, AI proposes and humans dispose. Sophos uses AI Agent Action to classify cases, but the analyst confirms or overrides. Vimeo used Tines plus Gemini to correct 2,000+ historical Jira tickets, with humans reviewing the corrections. Personio's incident summarization and case generation feed a human responder who decides what to do with the AI's output. The pattern reflects a documented limitation of foundational models, which can hallucinate without self-reporting.
Human-in-the-loop is designed in, not bolted on: Intercom's onboarding workflow uses Tines Pages (interactive front-end interfaces built on Tines) to surface controlled access without exposing administrative privileges. GitLab's pager logic decides what reaches a human and what doesn't, with every decision logged for audit. Mars' expansion to five teams worked because non-developers could safely participate in workflows that previously required Python.
Cross-system by default: Vimeo's identity workflow spans UKG, Okta, and 30+ Lumos-connected applications. Bitpanda's detection logic correlates Workday travel data with Okta logins and Slack alerts. Intercom's lifecycle workflow runs Workday → Okta via AWS Redshift. Across the Tines customer base, 54.8% manage 20–49 security tools, and customers connect 68 tools on average. Cross-system orchestration with retries, error handling, credential management, and audit logging is what holds those workflows together.
These four patterns recur because they solve the same structural problem. Workflows that span systems, handle ambiguity, and require auditability can't run on deterministic logic alone.
How to adapt these intelligent workflow examples in your environment
Not every workflow needs all three modes. Deterministic, agentic, and human-led each handle different parts of the work, and the fastest way to identify candidates is to ask three diagnostic questions.
The first is about inputs. Does this workflow break when inputs vary? If a phishing triage script fails on non-standard email formats, that's a signal the workflow needs an AI layer for unpredictable cases.
The second is about manual verification. Does this workflow need a human to do something a machine could verify? Automate the enrichment step. Save the human checkpoint for decisions that need judgment.
The third is about systems. Does this workflow touch more than two systems? Cross-system workflows need orchestration that handles retries, error states, credential management, and audit logging.
When adapting these examples, copy the architecture and customize the integrations. The phishing triage pattern works across email security environments. The onboarding pattern works across identity providers. Each customer above started inside the Tines Story Library, where templates can be imported and modified rather than built from scratch.
To see how a Tines team would map intelligent workflow examples to your environment, book a demo with the Tines team.
Frequently asked questions about intelligent workflow examples
What's a simple intelligent workflow example to start with?
Phishing alert triage is a common starting point. It has a clear trigger (a reported email), well-defined enrichment steps (sender reputation, URL scanning, attachment analysis), and a binary decision point (malicious or benign). Personio, Sophos, and GitLab all started here.
What separates an intelligent workflow example from a basic automation example?
Automation follows fixed rules. If X happens, do Y. An intelligent workflow example combines deterministic automation, agentic AI, and human-in-the-loop processes in a single workflow. Tines describes the three styles running together as the full spectrum of execution, and each of the seven customers above runs all three.
Where do I find more intelligent workflow examples?
The Tines Story Library contains hundreds of pre-built Stories covering security operations, IT, RevOps, and compliance, each one a working intelligent workflow example. Every customer above started by adapting Library templates rather than building workflows from scratch.
Which teams use intelligent workflow examples like these?
Tines customers usually start in security and expand from there. Across the Tines customer base, 75% of customers run intelligent workflows across multiple teams. The pattern is consistent. Once one team eliminates undifferentiated work, adjacent teams notice and want the same thing. Mars expanded to five teams in six months. Intercom now runs IT infrastructure, cloud security, IT support, and customer solutions on the same platform.