Cortex
AGPL-3.0🧠 Threat Intelligence · Scala/Python
Cortex is a powerful observable analysis and active response engine that pairs with TheHive to supercharge incident response workflows. It provides a unified API for running analyzers against observables - IP addresses, file hashes, domain names, URLs, email addresses, and more - using over 100 built-in analyzers that query services like VirusTotal, Shodan, PassiveTotal, MISP, MaxMind, AbuseIPDB, and many others. Analysts can submit observables individually or in bulk and receive structured reports with taxonomy-based classifications. Cortex also supports responders for active response actions like blocking IPs on firewalls, disabling user accounts, or quarantining endpoints. Its REST API and TheHive integration allow organizations to automate the tedious parts of IOC analysis while keeping analysts in control of decision-making.
Installation
Docker
$ docker pull thehiveproject/cortex:latest && docker run -p 9001:9001 thehiveproject/cortex:latestUse Cases
- Bulk analysis of IOCs against 100+ threat intelligence sources simultaneously
- Automating observable enrichment as part of incident response workflows
- Active response actions like firewall blocks and account disables via responders
- Integrating with TheHive for seamless case management and observable analysis
- Building custom analyzers for organization-specific intelligence sources
Tags
Details
- Category
- 🧠 Threat Intelligence
- Language
- Scala/Python
- Repository
- TheHive-Project/Cortex
- License
- AGPL-3.0
- Platforms
- 🐧linux
Links
Alternatives & Comparisons
MISP
PHP/PythonOpen-source threat intelligence and sharing platform. Structured IOC management, feeds, correlation, and STIX/TAXII export.
Compare Cortex vs MISPOpenCTI
TypeScript/PythonCyber threat intelligence platform. Knowledge management for threat data with STIX2 native storage and graph visualization.
Compare Cortex vs OpenCTITheHive
Scala/JavaScriptIncident response case management platform. Collaborative investigation with observable analysis, playbooks, and MISP integration.
Compare Cortex vs TheHiveGRR Rapid Response
PythonRemote live forensics framework by Google. Deploy agents across thousands of endpoints for artifact collection and analysis.
Compare Cortex vs GRR Rapid ResponseKAPE
C#Kroll Artifact Parser and Extractor. Fast triage collection and parsing of forensic artifacts from Windows, macOS, and Linux.
Compare Cortex vs KAPEosquery
C++SQL-powered endpoint visibility. Query operating system state as a relational database for security monitoring and compliance.
Compare Cortex vs osqueryMore in Threat Intelligence
MISP
PHP/PythonOpen-source threat intelligence and sharing platform. Structured IOC management, feeds, correlation, and STIX/TAXII export.
OpenCTI
TypeScript/PythonCyber threat intelligence platform. Knowledge management for threat data with STIX2 native storage and graph visualization.
TheHive
Scala/JavaScriptIncident response case management platform. Collaborative investigation with observable analysis, playbooks, and MISP integration.
GRR Rapid Response
PythonRemote live forensics framework by Google. Deploy agents across thousands of endpoints for artifact collection and analysis.
KAPE
C#Kroll Artifact Parser and Extractor. Fast triage collection and parsing of forensic artifacts from Windows, macOS, and Linux.
osquery
C++SQL-powered endpoint visibility. Query operating system state as a relational database for security monitoring and compliance.