Security incident response for the masses

Scalable, Open Source and Free Solutions


A scalable, open source and free Security Incident Response Platform, tightly integrated with MISP (Malware Information Sharing Platform), designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly.


Multiple SOC and CERT analysts can collaborate on investigations simultaneously. Thanks to the built-in live stream, real-time information pertaining to new or existing cases, tasks, observables and IOCs is available to all team members. Special notifications allow them to handle or assign new tasks, preview new MISP events, SIEM alerts and email reports, and import and investigate them right away.


Cases and associated tasks can be created using a simple yet powerful template engine. You may add metrics and custom fields to your templates to drive your team's activity, identify through dynamic dashboards the types of investigations that take significant time, and seek to automate the tedious tasks they reveal. Analysts can record their progress and attach pieces of evidence or noteworthy files.


Add one, hundreds or thousands of observables to each case that you create, or import them directly from a MISP event or any alert sent to the platform. Quickly triage and filter them. Harness the power of Cortex and its analyzers to gain precious insight and speed up your investigation. Leverage tags, flag IOCs, record sightings and identify previously seen observables to feed your threat intelligence. Once investigations are completed, export IOCs to one or several MISP instances.

Thanks to Cortex, observables such as IP and email addresses, URLs, domain names, files or hashes can be analyzed using a Web interface. Analysts can also automate these operations and submit large sets of observables from TheHive or through the Cortex REST API from alternative SIRP platforms, custom scripts or MISP.


By using Cortex, you won't need to reinvent the wheel every time you'd like to use a service or a tool to analyze an observable and help you investigate the case at hand. Leverage its large set of analyzers or create your own using any programming language supported by Linux and make it available to the whole team or, better, to the whole community. You can also query MISP expansion modules from Cortex.


Cortex is the perfect companion for TheHive. TheHive can connect to one or multiple Cortex instances and with a few clicks you can analyze tens if not hundreds of observables at once. Using TheHive's report engine, it's easy to parse Cortex output and display it the way you want. You can also use Cortex as a standalone product thanks to its powerful Web UI to manage multiple organizations, analyzers and configure query limits. Cortex can be interfaced with other products through its REST API or by using Cortex4py.


Cortex comes with tens of analyzers for popular services such as VirusTotal, Joe Sandbox, DomainTools, PassiveTotal, Google Safe Browsing, PhishTank, MaxMind, and Open Threat Exchange. Identify abuse contacts, parse files in several formats such as OLE and OpenXML to detect VBA macros, generate useful information on PE and PDF files, and much more. Cortex analyzers can also be queried from MISP to enrich events and extend the coverage of your investigations.

Hippocampe gives your organisation a threat feed 'memory' and lets you query it easily through a REST API or a Web UI.


Hippocampe regularly downloads and parses text-based threat feeds, public or private, from the Internet and stores them in Elasticsearch. Hassle-free. You can also supervise these operations and the data freshness.


Use the Cortex analyzers we have created to take advantage of Hippocampe’s REST API. And if you use TheHive, the results are clearly displayed thanks to the report template that we kindly provide. Alternatively, you can use the Web UI to efficiently and quickly search IP addresses, URLs and domain names in the indexed feeds.


Hippocampe allows analysts to configure a confidence level for each feed, which can be changed over time. When queried, it returns the Hipposcore, a score that aids in deciding whether the observables are innocuous or rather malicious.

A Python API client for TheHive.

TheHive4py allows analysts to create cases out of different sources such as email or a SIEM. For example, a SOC may ask its constituency to send suspicious email reports to a specific mailbox that a script polls at regular intervals. When a new email is received, the script parses it, then calls TheHive4py to send an alert to TheHive. Analysts can then preview the alert and, if deemed interesting, import it as a case and start working on it collaboratively thanks to TheHive's live stream.
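The parsing step of the mailbox-polling script described above, as an added example that is not code from TheHive Project or TheHive4py: it turns one reported email into the alert payload (title, source, sourceRef, observables) that the script would then hand to TheHive4py's Alert object and create_alert call. The sample message, the field names (assumed to follow TheHive 3's alert model) and the sourceRef scheme are this example's own assumptions.

```python
import email
import hashlib
import re
from email import policy

# Constructed sample: a suspicious-email report forwarded to the SOC mailbox.
SAMPLE_REPORT = """\
From: jane.doe@example.com
To: phishing-reports@example.com
Subject: FW: Your invoice is overdue
Message-ID: <20240101-abc123@example.com>
Content-Type: text/plain; charset="utf-8"

Please review the attached invoice at http://pay-now.example.net/inv/4471
Questions? Reply to billing@example.org
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
MAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def email_to_alert(raw: str, source: str = "phishing-mailbox") -> dict:
    """Parse one raw RFC 822 message into an alert payload (assumed TheHive 3 field names)."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    # sourceRef must be unique per source so TheHive can deduplicate alerts;
    # hashing the Message-ID keeps it stable if the same mail is polled twice.
    msg_id = str(msg.get("Message-ID", "")).strip() or body
    source_ref = hashlib.sha256(msg_id.encode()).hexdigest()[:16]

    # Observables: the reporter's address plus every URL and address in the body.
    artifacts = [{"dataType": "mail", "data": str(msg.get("From", "")), "message": "Reporter"}]
    for url in sorted(set(URL_RE.findall(body))):
        artifacts.append({"dataType": "url", "data": url, "message": "URL in body"})
    for addr in sorted(set(MAIL_RE.findall(body))):
        artifacts.append({"dataType": "mail", "data": addr, "message": "Address in body"})

    return {
        "title": str(msg.get("Subject", "(no subject)")),
        "description": body.strip(),
        "type": "phishing",
        "source": source,
        "sourceRef": source_ref,
        "severity": 2,
        "tlp": 2,
        "tags": ["email", "user-report"],
        "artifacts": artifacts,
    }
```

The returned dict maps directly onto TheHive4py's Alert and AlertArtifact constructors; the polling loop and the authenticated API call are left out here.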

A team of hard-working, enthusiastic people who helped this project come to life.

Nabil Adouani
Thomas Franco
Saâd Kadhi
Jerome Léonard
Danni Co
Nils Kuhnert

If you are looking for training, limited professional support, analyzer development assistance or if you have other specific requests, please contact us at [email protected]. We can directly provide such services through Creative Source, a non-profit organization we created to sustain TheHive Project.

If you'd like to make a donation to support TheHive Project, you can do so as well through Creative Source. Please contact us at [email protected] to get more information. Thank you!

If you'd like to report a bug or request a feature, please open an issue on the corresponding GitHub repository: TheHive, Cortex, Hippocampe, Analyzers, TheHive4py, Cortex4py.

You can also subscribe to our user forum and join the conversation on Gitter.