Security incident response for the masses


TheHive is a scalable Security Incident Response Platform, tightly integrated with MISP (Malware Information Sharing Platform), designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly.


Multiple SOC and CERT analysts can collaborate on investigations simultaneously. Thanks to the built-in live stream, real time information pertaining to new or existing cases, tasks, observables and IOCs is available to all team members. Special notifications allow them to handle or assign new tasks, and preview new MISP events and alerts from multiple sources such as email reports, CTI providers and SIEMs. They can then import and investigate them right away.


Cases and associated tasks can be created using a simple yet powerful template engine. You may add metrics and custom fields to your templates to drive your team's activity, identify the type of investigations that take significant time and seek to automate tedious tasks through dynamic dashboards. Analysts can record their progress, attach pieces of evidence or noteworthy files, add tags and import password-protected ZIP archives containing malware or suspicious data without opening them.


Add one, hundreds or thousands of observables to each case that you create or import them directly from a MISP event or any alert sent to the platform. Quickly triage and filter them. Harness the power of Cortex and its analyzers and responders to gain precious insight, speed up your investigation and contain threats. Leverage tags, flag IOCs, sightings and identify previously seen observables to feed your threat intelligence. Once investigations are completed, export IOCs to one or several MISP instances.

Thanks to Cortex, observables such as IP and email addresses, URLs, domain names, files or hashes can be analyzed using a Web interface. Analysts can also automate these operations and submit large sets of observables from TheHive or through the Cortex REST API from alternative SIRP platforms, custom scripts or MISP. When used in conjunction with TheHive, Cortex largely facilitates the containment phase thanks to its Active Response features.


By using Cortex, you won't need to reinvent the wheel every time you'd like to use a service or a tool to analyze an observable and help you investigate the case at hand or contain threats before it's too late. Leverage its very large set of analyzers or create your own analyzer or responder using any programming language supported by Linux and share them with your team or, better, with the whole community. You can also simultaneously query multiple MISP instances.


Cortex is the perfect companion for TheHive. TheHive can connect to one or multiple Cortex instances and with a few clicks you can analyze tens if not hundreds of observables at once or trigger active responses. Using TheHive's report engine, it's easy to parse Cortex output and display it the way you want. You can also use Cortex as a standalone product thanks to its powerful Web UI to manage multiple organizations, analyzers and configure query limits. Cortex can be interfaced with other products through its REST API or by using Cortex4py.


Cortex comes with more than a hundred analyzers for popular services such as VirusTotal, Joe Sandbox, DomainTools, PassiveTotal, Google Safe Browsing, Shodan and Onyphe. Identify abuse contacts, parse files in several formats such as OLE and OpenXML to detect VBA macros, generate useful information on PE, PDF files and much more. Cortex analyzers can also be queried from MISP to enrich events and extend the coverage of your investigations.

A team of hard-working enthusiastic people who helped this project come to life.

Nabil Adouani
Thomas Franco
Jerome Léonard

Past contributors >>>

StrangeBee is a company co-founded by TheHive Project's Jérôme, Nabil and Thomas.
Since 2019, TheHive, Cortex and their ecosystem are under the leadership of StrangeBee. The company is committed to develop, maintain, support and distribute TheHive, Cortex, Cortex-Analyzers and all API Client and helper libraries.

In 2022, after witnessing its license evolving into a commercial license, TheHive, which has grown in maturity, aims to respond to challenges faced by companies.

Looking for more information ?
Please send your request to StrangeBee.

If you'd like to report a vulnerability, please, read our Responsible Vulnerability Disclosure Policy first.

Stay informed and learn about the products:
  • News and announcements: StrangeBee blog
  • Technical and products documentation: TheHive & Cortex

  • Follow us on social networks:
  • Join our Community on Discord
  • Twitter: @TheHive_Project | @StrangeBee
  • Mastodon: @TheHive_Project | @StrangeBee
  • LinkedIn: TheHive Project | StrangeBee

  • Security:
  • You'd like to report a vulnerability ? please, read our Responsible Vulnerability Disclosure Policy first.