TL;DR: What is TheHive?
TheHive is a collaborative security incident response platform (SIRP). Security teams often struggle with scattered tools and manual work that leads to alert fatigue and slower investigations. TheHive addresses these issues by giving analysts a single platform to manage cases, analyze observables, and handle threat intelligence.
The platform turns chaotic responses into organized security workflows, which helps teams coordinate better and cuts down on manual tasks. With features like TheHive Cortex integration for automating incident response, you can shorten response times and improve the quality of your investigations. SOCs, CSIRTs, and CERTs around the world use this SIRP to strengthen their security operations.
At-A-Glance
GitHub: https://github.com/TheHive-Project/TheHive (No longer maintained)
License: AGPL-3.0
Primary Language: Scala
Stars: 3.8k ⭐
Last Relevance: Archived on July 25, 2025. Last release was in September 2022. Switched to a commercial business model, with free community version available at https://docs.strangebee.com/thehive/overview/
Topics/Tags: security, incident-response, sirp, threat-intelligence, information-security
Common use cases
1. SOC teams use TheHive as their main platform for handling daily alerts from SIEM, EDR, and network monitoring tools. Your analysts can use the alert triage queue to quickly assess and prioritize events, merging related alerts into one case. Using pre-defined case templates and task lists helps teams follow a consistent investigation process for common incidents like phishing attempts or malware infections.
A standardized approach boosts efficiency, reduces the risk of overlooking important steps, and creates a detailed, auditable record for every investigation, which is key for compliance.
2. For major security incidents like data breaches or ransomware attacks, computer security incident response teams (CSIRTs) use TheHive as a central command hub. The case management system lets incident commanders coordinate the work of multiple analysts by assigning tasks and tracking their progress in real time. The platform acts as the single source of truth for an investigation, holding all evidence, communication logs, and analysis results from tools like Cortex.
3. Threat hunting teams use TheHive to structure and document their hypothesis-driven investigations. A hunt can start as a case where analysts collect and analyze observables tied to a potential threat actor or TTP.
The platform's tagging and search features let hunters connect findings across different cases over time, helping to uncover quiet, long-term attacks. Integration with MISP and Cortex provides direct access to community-sourced threat intelligence and analysis tools, allowing hunters to quickly pivot between leads and build a full picture of adversary activity.
4. National and sector-specific computer emergency response teams (CERTs) use TheHive to manage the lifecycle of vulnerability disclosures. When a new vulnerability is reported, a case tracks all related activities, including technical analysis, impact assessment, and communication with vendors.
The platform’s customizable templates and fields allow CERTs to adapt their workflow to specific disclosure policies. An organized process ensures that remediation efforts are coordinated and that critical security information is shared with the public responsibly.
5. TheHive functions as a hub for security teams focused on using threat intelligence. Through its deep integration with MISP, teams can automatically pull in new threat events and triage them as alerts. Your team can then validate and enrich the intelligence with internal context.
Once an investigation confirms a threat, any new, internally found indicators of compromise (IOCs) can be structured in TheHive and exported back to MISP. The process operationalizes the threat intelligence lifecycle, turning passive data consumption into an active process of enrichment and community contribution.
How does TheHive work?
TheHive works by taking in security alerts from sources like SIEMs, email, or API calls and placing them into a central queue. From there, analysts can triage incoming alerts, preview them, and turn relevant ones into structured cases. Each case is a collaborative workspace where your team can manage tasks, log actions, and collect evidence. The platform's capabilities are expanded through its ecosystem, which integrates with Cortex for automated observable analysis and MISP for threat intelligence, ensuring a streamlined and informed investigation.
Modular Three-Layer Architecture: The platform keeps core logic separate from data. It uses Apache Cassandra for structured data, Elasticsearch for searching and indexing, and configurable backends like Amazon S3 for file storage.
Case-Based Investigation: Cases are central to TheHive. Each case holds all related observables (IoCs), tasks, analyst logs, and evidence, giving a complete, structured record of the entire response effort.
Integrated Analysis and Intel: Through a seamless integration with Cortex, you can automatically analyze observables for context. The MISP connection enriches investigations with current threat intelligence.
Real-Time Collaboration: The system provides live updates within each case, giving all team members immediate access to the latest findings, notes, and investigation progress.
Core Capabilities:
1. TheHive offers a real-time collaborative environment for security investigations. The platform centralizes incident response activities into structured “cases,” which you can build from customizable templates to enforce standard procedures. Multiple analysts can work on a single case at once, assigning and tracking tasks, adding notes, and viewing a live stream of all actions.
The platform allows you to attach evidence, including files and password-protected archives. Analysts can also enrich cases with custom fields, tags, and severity levels, ensuring the investigation workspace meets specific organizational needs and compliance requirements. A centralized approach guarantees a complete and auditable record of every step taken during an incident.
2. At the core of TheHive is its system for managing and analyzing observables—indicators of compromise like IP addresses, domains, and file hashes. You can add these observables to cases manually, in bulk, or have them automatically parsed from alerts. The platform's effectiveness is unlocked through its tight integration with TheHive Cortex, a separate analysis engine.
From within a case, analysts can trigger dozens of “analyzers” via Cortex to automatically enrich observables with external intelligence from services like VirusTotal, Shodan, and MISP. The process turns raw data into actionable intelligence in seconds, greatly reducing manual effort and letting analysts focus on higher-level investigation tasks.
3. TheHive is designed to be the central nervous system for a security operations center, managing the high volume of security events and reducing alert fatigue. The platform can ingest alerts from many sources, including SIEMs and EDRs, via a flexible API and pre-built “feeders.”
A dedicated triage space lets analysts efficiently filter, search, and preview incoming alerts. From this view, your team can perform bulk actions, like merging related alerts into a single case or dismissing false positives. A structured workflow ensures that all potential threats are reviewed, prioritized, and either escalated into a formal case or closed, preventing critical events from getting lost in the noise.
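As an added example (not code from TheHive or from this page), here is the shape of a small Python feeder for the ingestion-and-triage flow described above: it parses observables out of constructed EDR events, gives each alert a stable sourceRef so that a re-delivered event does not create a duplicate, and groups alerts that share a host or an observable as candidates for merging into one case. The alert field names (type, source, sourceRef, artifacts, severity 1-4) are assumed from the TheHive 4 alert API; the events and the regular expressions are constructed for the example.

```python
import re
import hashlib
# Constructed EDR events (a feeder's input); the first one appears twice to mimic a re-delivery.
HIT = {"id": "edr-1001", "host": "ws-042", "severity": "high",
       "message": "Outbound connection to 203.0.113.7 blocked; dropped file md5 d41d8cd98f00b204e9800998ecf8427e"}
EDR_EVENTS = [HIT,
    {"id": "edr-1002", "host": "ws-042", "severity": "medium",
     "message": "DNS query for update.example-cdn.test answered with 203.0.113.7"},
    HIT,
    {"id": "edr-2001", "host": "srv-db-01", "severity": "low",
     "message": "Failed logon burst from 198.51.100.23"}]
# Source severity words mapped onto TheHive's numeric 1-4 scale (1=low ... 4=critical, assumed).
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Observable patterns; hashes are recognised by hex length (SHA-256, SHA-1, MD5) and typed "hash".
PATTERNS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
    "hash": re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.I),
}

def extract_observables(text):
    """Parse IPs, domains and hashes out of free text into deduplicated TheHive artifact dicts."""
    seen, found = set(), []
    for data_type, pat in PATTERNS.items():
        for value in pat.findall(text):
            if (data_type, value.lower()) not in seen:
                seen.add((data_type, value.lower()))
                found.append({"dataType": data_type, "data": value, "tlp": 2, "ioc": False})
    return found

def build_alert(event):
    """Shape one event as a TheHive alert (field names follow the TheHive 4 alert API, assumed)."""
    # A stable sourceRef makes ingestion idempotent: a re-delivered event maps to the same alert.
    source_ref = hashlib.sha256(f"edr:{event['id']}".encode()).hexdigest()[:16]
    return {"type": "edr-detection", "source": "edr", "sourceRef": source_ref,
            "title": f"[{event['host']}] {event['message'][:60]}", "description": event["message"],
            "severity": SEVERITY.get(event["severity"], 2), "tlp": 2,
            "tags": [f"host:{event['host']}"], "artifacts": extract_observables(event["message"])}

def triage(events):
    """Drop duplicate sourceRefs, then group alerts sharing a host tag or an observable (merge candidates)."""
    alerts = {}
    for a in map(build_alert, events):
        alerts.setdefault(a["sourceRef"], a)  # first copy wins; re-deliveries are dropped
    groups = []  # connected components as (shared keys, [sourceRef, ...])
    for a in alerts.values():
        keys = set(a["tags"]) | {(o["dataType"], o["data"].lower()) for o in a["artifacts"]}
        refs, rest = [a["sourceRef"]], []
        for k, r in groups:
            if k & keys:
                keys, refs = keys | k, refs + r
            else:
                rest.append((k, r))
        groups = rest + [(keys, refs)]
    return list(alerts.values()), [r for _, r in groups]
```

Running triage(EDR_EVENTS) yields three alerts from four events, with the two ws-042 alerts grouped together because they share the host tag and the IP 203.0.113.7.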
4. The platform has deep, native, and bidirectional integration with the Malware Information Sharing Platform (MISP), making it a key part of a collaborative threat intelligence ecosystem. You can configure TheHive to automatically check one or more MISP instances, creating alerts for observables that match known indicators of compromise.
Proactively hunting for threats based on shared community intelligence becomes much easier. Conversely, once an investigation is finished in TheHive, valuable findings like new observables and attack patterns can be easily exported back to MISP. This creates a feedback loop that enriches the global threat landscape and strengthens collective defense.
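The export half of that feedback loop, as an added Python example that is not TheHive's or MISP's own code: it maps observables from a closed case onto MISP attributes and withholds anything that should not leave the organisation (observables not confirmed as IOCs, TLP:RED items, and hashes whose algorithm cannot be determined from their length). The observable field names (dataType, data, tlp 0-3, ioc, tags) are assumed from TheHive 4, the attribute fields (type, category, value, to_ids, distribution, Tag) are the MISP JSON format, and the TLP-to-distribution mapping is an assumed sharing policy; the observables are constructed.

```python
# Constructed observables from a closed TheHive case (TheHive 4 field names assumed: dataType, data,
# tlp 0-3 = white/green/amber/red, ioc flag, tags). Three are deliberately unsuitable for sharing.
CASE_OBSERVABLES = [
    {"dataType": "ip", "data": "203.0.113.7", "tlp": 1, "ioc": True, "tags": ["c2"]},
    {"dataType": "domain", "data": "update.example-cdn.test", "tlp": 2, "ioc": True, "tags": []},
    {"dataType": "hash", "data": "d41d8cd98f00b204e9800998ecf8427e", "tlp": 0, "ioc": True, "tags": ["dropper"]},
    {"dataType": "hash", "data": "0123abcd", "tlp": 0, "ioc": True, "tags": []},             # truncated: unknown algorithm
    {"dataType": "ip", "data": "10.20.30.40", "tlp": 3, "ioc": True, "tags": ["internal"]},  # TLP:RED stays in-house
    {"dataType": "mail", "data": "helpdesk@corp.example", "tlp": 1, "ioc": False, "tags": []},  # context, not an IOC
]
TLP_NAME = {0: "white", 1: "green", 2: "amber", 3: "red"}
# Sharing policy (assumed): TLP maps onto MISP distribution (3 = all communities, 1 = this community,
# 0 = your organisation only); TLP:RED has no entry and is therefore never exported.
TLP_TO_DISTRIBUTION = {0: 3, 1: 1, 2: 0}
HASH_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}
TYPE_MAP = {"ip": ("ip-dst", "Network activity"), "domain": ("domain", "Network activity"),
            "url": ("url", "Network activity"), "mail": ("email-src", "Payload delivery")}

def to_misp_attribute(obs):
    """Map one TheHive observable to a MISP attribute, or return None if it must not be shared."""
    if not obs["ioc"] or obs["tlp"] not in TLP_TO_DISTRIBUTION:
        return None                                   # unconfirmed, or TLP:RED
    if obs["dataType"] == "hash":
        misp_type = HASH_BY_LENGTH.get(len(obs["data"]))  # TheHive types every digest as "hash"
        if misp_type is None:
            return None                               # unknown length: do not guess the algorithm
        category = "Payload delivery"
    elif obs["dataType"] in TYPE_MAP:
        misp_type, category = TYPE_MAP[obs["dataType"]]
    else:
        return None                                   # no safe MISP equivalent for this dataType
    tags = [{"name": f"tlp:{TLP_NAME[obs['tlp']]}"}] + [{"name": t} for t in obs["tags"]]
    return {"type": misp_type, "category": category, "value": obs["data"], "to_ids": True,
            "distribution": TLP_TO_DISTRIBUTION[obs["tlp"]], "Tag": tags}

def build_misp_event(case_title, observables):
    """Assemble the MISP event JSON for a case; returns (event, number of observables withheld)."""
    attributes = [a for a in map(to_misp_attribute, observables) if a is not None]
    event = {"Event": {"info": case_title, "distribution": 1, "threat_level_id": 2,
                       "analysis": 2, "Attribute": attributes}}
    return event, len(observables) - len(attributes)
```

For the constructed case above, three attributes are exported (ip-dst, domain, md5) and three observables are withheld; the withheld count is worth logging so analysts can see what stayed internal.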
5. TheHive, along with Cortex, serves as an engine for incident response automation and security orchestration. Beyond simple observable analysis, Cortex provides “responders” that can take direct action on an endpoint or network device. Your organization can build automated or semi-automated playbooks that execute containment actions, such as blocking an IP address on a firewall or disabling a user account.
Additionally, TheHive’s notification system can trigger webhooks, sending critical updates to other systems like Slack or Jira. A combination of analysis and action enables the creation of security orchestration workflows that speed up response times and reduce manual errors.
Limitations
1. Deploying TheHive effectively is not a simple plug-and-play process. You need careful planning and technical expertise to install and configure the core application, its database, and its companion, Cortex. Integrating with alert sources, configuring Cortex analyzers with API keys, and developing case templates for your workflows require a significant upfront investment of time. A steep learning curve can be a barrier for smaller security teams or organizations without dedicated IT support.
2. While TheHive is excellent for case management, its full potential as a security orchestration, automation, and response (SOAR) platform depends entirely on its integration with Cortex. Without Cortex, TheHive is limited to being a manual investigation tool. All automated analysis of observables and all automated response actions are handled by Cortex. Organizations must deploy and manage a second, separate application to unlock the key automation features that define a modern SIRP, adding complexity to deployment and maintenance.
3. TheHive is designed as an operational platform for active incident response, not for strategic analysis or management reporting. The platform lacks built-in dashboards, trend analysis features, or a user-friendly report builder. Although all data is stored and searchable, generating metrics like mean time to detect (MTTD) or creating executive-level summaries usually requires exporting data from TheHive's API to an external business intelligence tool.
4. The user interface of TheHive is functional and dense, prioritizing access to features over a simplified user experience. For experienced security analysts, this density can be efficient, but for new team members, the UI can feel cluttered. The learning curve for navigating the interface and understanding the relationships between cases, tasks, and observables can be steep. Unlike some commercial alternatives with more guided workflows, TheHive's UI requires more training, which can slow down adoption.
5. For large enterprises that generate tens of thousands of alerts daily, TheHive's performance relies heavily on the health of its underlying Elasticsearch cluster. A poorly configured or undersized backend can lead to slow search queries, a sluggish UI, and delays in alert ingestion. Ensuring high availability and performance at scale requires deep expertise in Elasticsearch administration, including index management and cluster tuning.
Using TheHive to manage your security incidents? You can enrich your investigations with critical cloud context from Wiz. While TheHive excels at organizing the response workflow, Wiz shows you exactly why an alert matters by mapping the affected cloud resource to its permissions, data access, and full attack path. This helps your SOC team prioritize the incidents that pose a genuine risk to your business.
Getting Started:
Step 1:
Visit the official documentation to get the latest version of TheHive: https://docs.strangebee.com
Step 2:
Request a Community license or purchase a license.
Step 3:
Follow the platform-specific installation instructions. For example, for a Docker-based deployment:
docker run -d --name thehive strangebee/thehive:latest
Step 4:
After installation, start the TheHive service using the method that matches your deployment (systemd, Docker, and so on); the exact command depends on your environment.
Step 5:
Access the TheHive web interface by navigating in your browser to: http://<your_server_ip>:9000
Verified User Reviews for TheHive
Positive Reviews
"I self-hosted and used versions 3 and 4 for years and loved it, haven't tried strangebee variants." - [Beef_Studpile] - r/cybersecurity
G2
"The platform plays a critical role in our incident response. It integrates with and automates many of our processes for our analysts, helping to decrease our response times. The platform is easy to set up, maintain, and use. There is also an active Discord community for sharing information and asking questions." - Sam F. - IT Security Officer
"TheHive is an open source tool which helps us to create & merge cases in which you are working. You can integrate TheHive with Cortex & Wazuh, which maintains a better security posture. For integration purposes, you need the API key of hive, which helps us to integrate it with another software. Also you can create different dashboards to visualise the cases & alerts coming from SIEM tool." - Rohan G. - Mid-Market(51-1000 emp.)
"The Alert Management and the Openness of TheHive allows it to easily integrate from small to Enterprise large installations. We are able to use it in a very big environment with extremely complex use-cases and operation processes and it works really great. It is becoming a new de-facto standard for SOAR tools on enterprise level. Especially the native integration of MISP interface is really helpful." - Verified User in Telecommunications
Negative Reviews
"We used it for a year, hated it, the entire SOC didn’t wanna work in it at all... well it slowed us down, for starters. I don’t really know how else to go into greater depth than that. It was also not really super intuitive to use. So the base “create a ticket” and then fill that with some data was ok… but beyond that it was difficult. To create automated things was always a pain. It wouldn’t usually elevate more strain than it brought itself." - [deleted] - r/cybersecurity
"It’s not great. We had the free version then moved to the paid version… It’s buggy, and takes forever to get anything fixed. We are looking for another product as well." - [-Veggys-] - r/cybersecurity
"Out of the box without any pipelines and automations, it's awful. It takes too long to create tickets and then it's a pain to add information to them. It really does shine when you have automations for creating tickets, running queries for OSINT on IOCs and then tagging those appropriately and all that good stuff. It's a platform that requires an engineer or two to set everything up and get it going for the analysts." - [joca_the_second] - r/cybersecurity
Alternatives
| Features | TheHive | Shuffle | DFIR-IRIS | StackStorm |
|---|---|---|---|---|
| Collaborative Case Management | Core feature with customizable templates, task assignment, and real-time activity streams | Provides case management capabilities, allowing for the creation and tracking of security incidents | Designed for collaborative incident response with features for case and task management | Does not have built-in case management; focuses on event-driven automation that can be integrated with case management systems |
| Observable Management and Analysis | Excels at managing and analyzing observables (IPs, hashes, etc.) with automated analysis through Cortex | Supports observable enrichment and analysis through integrations with various security tools | Allows for the collection and analysis of observables within cases, with integrations for enrichment | Can be configured to automatically enrich observables by triggering actions in response to events |
| Alert Processing and Triage | Sophisticated alert processing engine to ingest, filter, and triage alerts, with the ability to promote alerts to cases | Automates the triage process by ingesting alerts and running predefined workflows to determine the appropriate response | Focuses on the investigation of alerts that have been triaged, providing tools to manage the incident response process | Acts as an event-driven automation engine that can process and respond to alerts from various sources in real time |
| Threat Intelligence Integration | Deep integration with MISP for seamless threat intelligence sharing | Integrates with various threat intelligence platforms to enrich security incidents with relevant data | Supports integration with MISP and other threat intelligence feeds to provide context during investigations | Can be configured to pull data from threat intelligence platforms to enrich security events and automate responses |
| Automation and Workflow Engine | Powerful automation capabilities through integration with Cortex analyzers and responders | A no-code/low-code platform for building and automating security workflows | Focuses on providing a platform for incident responders to collaborate and share information during an investigation | A powerful and flexible event-driven automation platform that can be used to automate a wide range of security operations |