Company:
Date Published:
Author: Thomas Kinsella
Word count: 840
Language: English
Hacker News points: None

Summary

In a three-part series on security automation for handling account compromises, the first part focuses on detection using the HaveIBeenPwned (HIBP) Domain Search service to automate responses to stolen credential threats. By setting up automated workflows triggered through HIBP alerts, organizations can reduce response times, minimize exposure windows, and enhance their defensive capabilities. The process involves checking a designated security mailbox for breach notifications every three minutes and using a webhook for additional triggers. This modular automation allows for easy integration of new checks over time and facilitates rapid adaptation to evolving risks. The initial detection phase leads to querying the HIBP API to identify specific email accounts involved in breaches, followed by enrichment and case creation in subsequent phases.