The winners are officially in, and this round of You Did WHAT with Tines?! showcased some of the most creative and impactful workflows we’ve seen yet. Across every category, customers and partners demonstrated how intelligent workflows can help teams move faster, reduce manual effort, and bring AI into real operational processes.
The Spring 2026 competition brought together builders from organizations of all sizes, all pushing the boundaries of what’s possible with Tines. Now, let’s jump into this season’s winners!
OVERALL WINNER
Manage incident lifecycle in Google Chat with Jira Service Management (O.R.B.I.T.)
Darren Burrows, OVO
After working in an environment where the company was split between using Slack and Google Chat, the company decided to unify on Google Chat together. O.R.B.I.T. (Operational Response & Broadcast Interface for Tines) is a major Incident management platform built in Tines, with Google Chat as its primary interface. When an alert fires, O.R.B.I.T. routes it through a triage pipeline, takes the appropriate action in the alerting tool and surfaces an interactive card directly in Google Chat. When an incident is raised in Jira, O.R.B.I.T. instantly spins up a dedicated Google Chat space, assembles the right people, and keeps the channel in sync as the ticket evolves.
In a prior You Did What With Tines?! competition, OVO was recognized for a workflow called TERRA. Expanding on TERRA’s foundation of AI-summarized updates, O.R.B.I.T. is a full incident command console that converts Opsgenie alerts into interactive Google Chat cards, enabling one-click actions (close, snooze, priority, classify and note actions), a slash-command interface, and Major Incident channel orchestration with on-call lookups and real-time Jira updates. It completes the loop with weighted retrospective scheduling, automated reminders, and a sentiment-analyzed post-retro digest. TERRA accompanied the incident; O.R.B.I.T. runs the room. A very deserving winner. 🚀
Manage incident lifecycle in Google Chat with Jira Service Management (O.R.B.I.T.)
Orchestrate the full incident lifecycle across Google Chat, Jira Service Management, and JSM Ops — from alert triage and Major Incident war rooms to AI-assisted retrospective scheduling — using four interconnected workflows.
Community author
Darren Burrows at OVO Group
OUR CATEGORY WINNERS
Scale with AI
Route security queries to specialized AI agents
Jillian Huizenga, Owens Corning
This story acts as a central routing layer for security operations queries. It receives an incoming prompt via a Webhook, passes it to an orchestrator (like Workbench) that analyzes the query and determines which specialized agents should handle it, then fans out targeted sub-prompts accordingly. The responses are collected and merged into a unified output.
This is a powerful force-multiplier for SOC analysts: instead of manually querying multiple security platforms, an analyst can ask a single natural-language question and the orchestrator intelligently routes it to the right experts in parallel, aggregating the results into one consolidated answer, dramatically reducing investigation time and cognitive load.
Eliminate silos
Triage threat intelligence with AI and create Jira tickets from Slack
Tommy Odle, Appfire
This story is a threat intelligence pipeline that ingests security data from multiple sources including RSS feeds, a ReliaQuest advisory email inbox, and a Wiz threat feed. It then uses AI to categorize articles, assess whether your company (in this case, Appfire) is potentially affected, deduplicate alerts, and analyze findings. Relevant intel is enriched, standardized, and stored as records before being formatted and distributed via Slack and a custom report.
It includes a self-service feed management UI (add/remove RSS feeds with validation), a ticket creation workflow that generates Jira-style tickets for DevOps and ITOps teams based on the type of threat, and a SentinelOne integration that searches for affected apps and exports results to Google Sheets, delivering end-to-end value by turning raw threat data into actionable, routed intelligence without the manual lift.
Build apps
Confirm and revoke terminated user access in CrowdStrike, Wiz and Qualys
Arun Murugesan, NewsCorp
This story orchestrates the offboarding process for terminated users by querying Okta for deprovisioned accounts, then cross-referencing those users across tools like CrowdStrike, Wiz, and Qualys to identify where active accounts still exist. It filters and presents the findings via an email and an interactive review page, allowing approvers to confirm which accounts should be removed.
Once approved, it automatically removes or deactivates the users from each platform, capturing the results as records, updating a tracking timestamp, and logging key metrics. This eliminates the manual, error-prone process of hunting down and revoking access across multiple tools after an employee is terminated, reducing the risk of lingering access, saving analyst time, and creating an auditable trail of every departure.
Tech stack synergy
Manage firewall lists with Tines and Jira
Jason Grybaitis, Nexon Asia Pacific
This story creates a full lifecycle firewall indicator blocking solution for their company. Analysts or external systems submit indicators (IPv4, IPv6, URLs, or Domains) via a form or webhook, which are then validated, defanged, and checked against both the company’ internal whitelists and live IP ranges from major cloud providers (AWS, Google, Cloudflare, Microsoft, Atlassian) before being registered in an External Dynamic List (EDL) blocking service.
The results are reconciled against Jira tickets that are automatically transitioned to "Resolved" if all indicators were successfully blocked, or "Waiting for Support" if any failed. This eliminates manual firewall management and ensures indicators are consistently validated, deduplicated, and tracked end-to-end.
Hack your life
RSS/ATOM daily vulnerability feed
Ben King, Nexon Asia Pacific
This story is a daily vulnerability intelligence pipeline that aggregates RSS and ATOM security feeds, filters articles by relevant keywords, and extracts CVE identifiers from matching content. It then enriches those CVEs via a RecordedFuture search, deduplicates results, and uses an AI agent to generate summaries or analysis. The enriched, AI-processed findings are delivered as a digest email, posted to a Microsoft Teams channel, and written to a Confluence page as a structured report while also being captured as a record in Tines.
It makes staying on top of vulnerability news easier by cutting through noise with keyword and CVE filtering, adding AI-driven context, and pushing actionable intelligence to the right stakeholders and knowledge bases so they can focus on their core responsibilities.
Ready to dive in?
Check out all of these workflows and more in the Tines Story Library today!