TheHive
AGPL-3.0 · 🧠 Threat Intelligence · Scala/JavaScript
TheHive is a scalable, open-source Security Incident Response Platform (SIRP) designed to make life easier for SOCs, CSIRTs, and CERTs dealing with security incidents that need to be investigated and acted upon. It provides collaborative case management where multiple analysts can work on the same case simultaneously, with full audit trails and task assignment. TheHive integrates tightly with Cortex for automated observable analysis (IP lookups, hash checks, domain reputation) and with MISP for threat intelligence sharing. Cases can be created from email alerts, SIEM events, or manually, and each case supports tasks, observables, and evidence attachments. Its template system and custom fields make it adaptable to any organization's incident response workflow.
Installation
Docker
$ docker pull strangebee/thehive:latest && docker run -p 9000:9000 strangebee/thehive:latest
Debian/Ubuntu
$ wget -qO- https://raw.githubusercontent.com/TheHive-Project/TheHive/main/package/thehive-install.sh | sudo bash
Both one-liners are for a quick evaluation: pin a specific image tag rather than latest for anything you keep, and download and read the install script before running it as root instead of piping it straight into sudo bash.
Use Cases
- Managing security incidents with collaborative case tracking and task assignment
- Automating observable analysis through Cortex integration for IOC enrichment
- Creating cases from SIEM alerts, email reports, or MISP events automatically
- Tracking incident timelines, evidence, and analyst actions with full audit trails
- Coordinating incident response across SOC teams with role-based workflows
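The "create cases from SIEM alerts" use case above is normally done by pushing alerts into TheHive's REST API and letting analysts (or a rule) promote them to cases. The following is an added example, not code from the TheHive project: it maps a constructed SIEM detection onto a TheHive v1 alert payload (`POST /api/v1/alert`, Bearer-token authentication), extracts the observables, flags only externally routable IPs as IOCs, and derives `sourceRef` from the event id so that re-sending the same event collides on the (type, source, sourceRef) key instead of producing a duplicate alert. The event shape, field names, and the `siem-detection` alert type are assumptions made for the example.

```python
"""Push a SIEM detection into TheHive as an alert (added example).

The SIEM event format below is constructed for illustration; the alert
fields and endpoint follow TheHive's v1 REST API (POST /api/v1/alert).
"""
import ipaddress
import json
import os
import urllib.request

# Constructed sample detection, as a SIEM webhook might deliver it.
SAMPLE_EVENT = {
    "id": "evt-20240101-000123",
    "rule": "Suspicious outbound connection",
    "host": "ws-042",
    "src_ip": "10.0.5.23",
    "dst_ip": "45.33.32.156",
    "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "domain": "update.example.net",
    "severity": "high",
}

# SIEM severity labels -> TheHive severity (1 low, 2 medium, 3 high, 4 critical).
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# (event field, TheHive dataType) pairs to extract as observables.
OBSERVABLE_FIELDS = (("src_ip", "ip"), ("dst_ip", "ip"), ("sha256", "hash"), ("domain", "domain"))


def is_external_ip(value: str) -> bool:
    """True for globally routable addresses; RFC1918/loopback/etc. are not IOCs."""
    try:
        return ipaddress.ip_address(value).is_global
    except ValueError:
        return False


def build_alert(event: dict, source: str = "siem") -> dict:
    """Map a SIEM event onto a TheHive v1 alert payload.

    sourceRef comes from the SIEM's own event id: TheHive keys alerts on
    (type, source, sourceRef), so replaying the same event is rejected as a
    duplicate rather than creating a second alert for analysts to close.
    """
    observables = []
    for field, dtype in OBSERVABLE_FIELDS:
        value = event.get(field)
        if not value:
            continue
        ioc = is_external_ip(value) if dtype == "ip" else True
        observables.append({"dataType": dtype, "data": value, "ioc": ioc, "tags": [f"siem:{field}"]})
    return {
        "type": "siem-detection",
        "source": source,
        "sourceRef": event["id"],
        "title": f"[{event['host']}] {event['rule']}",
        "description": "Raw SIEM event:\n```\n" + json.dumps(event, indent=2) + "\n```",
        "severity": SEVERITY.get(event.get("severity", "medium"), 2),
        "tlp": 2,  # TLP:AMBER
        "pap": 2,  # PAP:AMBER
        "tags": ["siem", f"host:{event['host']}"],
        "observables": observables,
    }


def send_alert(alert: dict, base_url: str, api_key: str, timeout: float = 10.0) -> dict:
    """POST the alert to TheHive using an analyst API key; returns the created alert."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v1/alert",
        data=json.dumps(alert).encode(),
        headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    payload = build_alert(SAMPLE_EVENT)
    print(json.dumps(payload, indent=2))
    # Against a live instance (API key of an analyst with alert creation rights):
    # print(send_alert(payload, "http://localhost:9000", os.environ["THEHIVE_API_KEY"]))
```

Keep the API key in a secret store or environment variable rather than in the script, and scope it to a dedicated integration user whose profile only allows creating alerts; an analyst key with case-delete rights in a SIEM connector is a common over-privilege.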
Details
- Category: 🧠 Threat Intelligence
- Language: Scala/JavaScript
- Repository: TheHive-Project/TheHive
- License: AGPL-3.0
- Platforms: 🐧 linux
Alternatives & Comparisons
- MISP (PHP/Python): Open-source threat intelligence and sharing platform. Structured IOC management, feeds, correlation, and STIX/TAXII export. Compare TheHive vs MISP
- OpenCTI (TypeScript/Python): Cyber threat intelligence platform. Knowledge management for threat data with STIX2 native storage and graph visualization. Compare TheHive vs OpenCTI
- GRR Rapid Response (Python): Remote live forensics framework by Google. Deploy agents across thousands of endpoints for artifact collection and analysis. Compare TheHive vs GRR Rapid Response
- KAPE (C#): Kroll Artifact Parser and Extractor. Fast triage collection and parsing of forensic artifacts from Windows, macOS, and Linux. Compare TheHive vs KAPE
- Cortex (Scala/Python): Observable analysis and active response engine. Analyze IOCs at scale with 100+ analyzers for IPs, hashes, URLs, and domains. Compare TheHive vs Cortex
- osquery (C++): SQL-powered endpoint visibility. Query operating system state as a relational database for security monitoring and compliance.
Compare TheHive vs osquery
More in Threat Intelligence
MISP, OpenCTI, GRR Rapid Response, KAPE, Cortex, osquery