
TheHive

Collaborative Case Management Platform
for cybersecurity teams

The Case Management Platform that will make your security job easier

What was once a humble open-source project is now trusted by hundreds of SOC, CERT, CSIRT and other teams worldwide. The current version of the platform, TheHive 5, is our most advanced one ever, thanks to years of innovation, development, and invaluable real-world input from our users and community.

100% visibility

Get complete visibility of all incidents and reduce alert fatigue.

Automation

Automate incident response’s tedious steps, saving time to concentrate on what matters.

Customization

Customize without limits: choose where to receive alerts, what to integrate with, how to filter criteria, and more.

Collaboration

Collaborate in real time, investigating incidents together with other teams and reaching resolutions faster.


Trusted worldwide by those who value security the most

WORKFLOW

Purpose-built for incident responders

See how TheHive makes your work even more satisfying, step by step

Centralized alert management

Automatically collect and manage all security alerts on one dedicated and detailed page.

  • Make comments
  • Identify similar alerts
  • Define custom statuses and fields
  • Escalate alerts to investigations or incident response
  • Import shared IOCs from MISP and framework TTPs from MITRE ATT&CK

Enriched case management

Create security cases using a simple yet powerful template engine. Customize them as you like, and work together with other analysts to thoroughly investigate alerts.

Enrichment

  • Assign tasks and add observables
  • Merge similar cases
  • Add tags and flag IOCs
  • Attach evidence files, including password-protected ZIP archives
  • Define the Permissible Actions Protocol level for each observable

Collaboration

  • Define and edit user profile capabilities
  • Synchronize them via LDAP or AD
  • Customize roles and permissions
  • Isolate cases or make them accessible to more collaborators
  • Contribute to dynamic timelines and dashboards together

Automated analysis & response

Choose from 300+ integrated analyzers and responders or create your own. Quickly learn if an observable is malicious, and react swiftly if confirmed.

  • Analyze up to hundreds of observables at once
  • Automatically trigger active responses

Reporting & sharing

Create customizable reports and “lessons learned” files with the results of your incident response. Use MISP to allow others to access this information and to foster broader security awareness.

  • Edit report templates based on the specific content needed and the intended recipients of the document
  • Easily export your IOCs to as many MISP instances as you want
  • Export Tactics and Techniques of a particular case to a MISP event

The "brain" of TheHive

Speed up analysis & response with Cortex

Analyze faster

Thanks to this powerful engine working hand-in-hand with TheHive, you can analyze observables such as IP and email addresses, URLs, domain names, files or hashes in one click or automatically.

Facilitate the containment phase

Easily trigger existing active responses, automate them and create your own.
Submit large sets of observables from TheHive, custom scripts or MISP.

All your tools in one

300+ integrations

What you can integrate TheHive with

Options

TheHive's deployment options

On-premises (self-hosted)

You are in complete control of every aspect of TheHive that you install by yourself at your organization. It’s up to you to configure, update, monitor and operate the platform while enjoying everything it has to offer.

Cloud Platform (SaaS)

Enjoy all the benefits of TheHive in our highly secure and dedicated AWS cloud environment. Focus on incident analysis and response while we handle the rest.

Get ready for action

TheHive and Cortex work as a duo to meet your needs.

Secured

The underlying systems of TheHive Cloud Platform (THCP) are thoroughly hardened.

Tailored for your organization

We can customize THCP to perfectly fit with your existing infrastructure and help migrate your existing on-prem data.

Fully managed & supported

Focus on what you do best while we manage everything for you.


Cloud Images (IaaS)

Work hassle-free with robust TheHive IaaS images, backed by the reliability and scalability of leading cloud services. We’ll provide the deployment code and keep these images updated and maintained.


Testimonials

What our users say

We have been using TheHive for many years for our internal needs and those of our customers. It is a tool we have seen evolve over time, which is simple to use and effective for our day-to-day operational activities. The SOAR component is quite relevant and efficiently allows for improving the operational load of SOC/CSIRT analysts. It facilitates our life and has a multitude of integration possibilities with third-party tools such as MISP.
Abdoulaye Fadiga

GM, Global Cyber Operations EU, BT Business

Thanks to the creative minds and community behind TheHive and Cortex, we can efficiently investigate alerts and threats at scale throughout our organization. Having TheHive allows the freedom to build, design, and integrate with all of our security analyst's tools.
Nicholas Penning

Cybersecurity architect, Bureau of Information and Telecommunications, State of South Dakota

CERT Arkéa has been using the TheHive/Cortex combo for several years. In addition to the monitoring of submitted cases, the analysis of IOCs and the automation of incident responses via Cortex are a huge added value to our daily activity. The ease of creating a responder allows us to interact with the various IS APIs (ticketing, proxy blacklisting, IP blocking, takedown of phishing sites). By industrializing and automating our processes via TheHive/Cortex, the analysts save precious time in resolving incidents.
Guillaume Roussel

CERT / CSIRT, ARKEA

My experience with TheHive platform was nothing short of exhilarating. It's like the turbocharged engine of our cybersecurity arsenal, accelerating our threatening message to new heights. TheHive’s sleek interface and top-tier customer support make it a true champion on the cybersecurity track. I am revved up to recommend it.
gartner.com

Software industry

TheHive is a very high-performance and scalable product, which is designed for different platforms, with a very good user-friendly interface.
gartner.com

Education industry

TheHive is incredibly adaptable to our workflow needs. Its alert management system and integration capabilities make it suitable for both small setups and large enterprises.
gartner.com

Manufacturing industry

TheHive is a pretty cool tool for dealing with cyber incidents. You can tweak it to fit your needs, and it plays well with other security tools. It's great for teamwork, helps you stay organized, and makes it easier to figure out which threats are serious.
gartner.com

IT services industry

Our experience with TheHive has been largely positive. It has become an integral part of our incident response and threat intelligence workflow.
gartner.com

IT services industry

TheHive is a powerful and versatile tool for security incident response. It has the ability to automate tasks very well. TheHive has a user-friendly and intuitive interface that makes it easy to create, manage, and analyze security incidents.
gartner.com

IT services industry

From the first deployment until today, it has proved itself to be a game-changer in cybersecurity, and the results are evident. It helps automate repetitive security tasks and workflows. It also reduces the overall work pressure on our threat analysts, who can, in return, focus more on critical tasks and thus improve response time. The UI is also smooth, and navigation is easy. Integration and deployment were done quickly as well.
gartner.com

Insurance (except health) industry

It boasts tight integration with MISP and has been specifically designed to streamline and accelerate the resolution of security incidents. The three most important things that I liked about it are: 1. The ability to facilitate collaboration among multiple SOCs and CERTs. 2. It simplifies the management of tasks and alerts originating from various sources. 3. It is user-friendly and cost-effective.
gartner.com

Transportation industry

I have had a positive experience utilizing TheHive, a product implemented by our parent company and has helped us easily navigate incident response cases.
gartner.com

Construction industry

Excellent speed. User-friendly UI. Excellent support: TheHive's support team operates like a well-oiled pit crew, consistently responsive and prepared to assist.
gartner.com

Education industry

[TheHive] facilitates the creation and consolidation of cases within your ongoing work. The alert management and flexible integration capabilities of TheHive enable seamless adoption across a spectrum of installations, ranging from small setups to expansive enterprise deployments.
gartner.com

Software industry

Ease of use, easy integration with various security tools, able to be used in big environments.
gartner.com

Miscellaneous industry

TheHive makes life easier for SOCs
gartner.com

Miscellaneous industry

A scalable Security Incident Response platform. Very powerful. Recommended.
gartner.com

IT services industry

A very good tool to manage incident response workflows, it helps create and maintain a structure for your security operations team.
gartner.com

Banking industry

TheHive helps us create and merge cases. You can integrate it with Cortex and Wazuh, which maintains a better security posture. TheHive also helps us solve the problem of tracking down incidents. You can assign tasks to your teammates and track down the case. Also, if your investigation is over, you can close this case with proper justification. You can also integrate the tool with different SIEMs, Threat Intel tools, etc.
g2.com

Miscellaneous industry

The best part of TheHive is its integration with multiple threat intelligence tools like Cortex and MISP. Best for SOC teams for their incident response and case management.
g2.com

Miscellaneous industry

Easy to use and configure. Various integrations with various threat intel tools. We get all alerts from our SIEM on TheHive and easily manage them. Immense benefits.
g2.com

Miscellaneous industry

The alert management and the openness of TheHive allow to easily integrate it with different enterprise installations, from small to large. We are able to use it in a very big environment with extremely complex use cases and operation processes, and it works really great. The native integration of MISP interface is really helpful. TheHive’s file system, multi-tenancy, sharing of cases, alerts and observables are outstanding features that make this product choice number 1.
g2.com

Miscellaneous industry

What I like the most about TheHive are maintained dockers, scalability, efficiency in CTI checks, ease of use, design, and connectivity to other tools, thanks to the strong contributions from the community.
Julien M.

Cybersecurity analyst, CERT Gemalto

TheHive is designed for different environments and provides a user-friendly application GUI. It is a great product with good support and is easy to implement. Very little training was needed to navigate and use it. The collaboration method and being able to use TheHive in various capacities.
g2.com

Miscellaneous industry

Bee-come part of TheHive!

Hundreds of teams all over the world rely on our platform to manage security incidents more efficiently than ever.

Anything else?

Frequently Asked Questions

Other questions?

StrangeBee is happy to help! Get the answers directly from our experts.

Can I still use TheHive 3 and 4 for free?

Yes. TheHive 3 has been end-of-life (EOL) since December 31st, 2021, and TheHive 4 reached end of support (EOS) on December 31st, 2022.

Can I use the Community Edition for free?

Yes. The Community Edition is free and has no duration limit. If you do not get a license, you can still use TheHive 5 Community Edition and get new upgrades for free.

Can I have a trial of the Platinum Edition?

Yes. StrangeBee can offer you a 14-day trial of the Platinum License.

I have a TheHive 3 instance. Is there a possible migration?

Yes. TheHive 5 comes with a migration tool that helps migrate the data of TheHive 3 directly without the need to migrate to TheHive 4 first.

I have a TheHive 4 instance. Can I upgrade it?

Yes. TheHive 5 comes with a migration tool that helps upgrade your existing TheHive 4 data.

Does TheHive 5 support multiple languages?

Yes. TheHive 5 users can employ one of the following languages depending on the application’s localization: English (UK and US), French, Italian, German, Spanish, Dutch, Brazilian Portuguese, Swedish, Japanese, Simplified Chinese, Polish, Arabic and Russian.