Cortex
Speed up analysis and make response easier
This powerful engine is the essential open-source companion for TheHive.
It allows you to analyze tens, if not hundreds of observables
at once and trigger active responses in just a few clicks.
Trusted worldwide by those who value security the most
In a nutshell
The magic at TheHive’s side
Step up your analysis
- Leverage more than a hundred trusted analyzers for popular services such as VirusTotal, Joe Sandbox, DomainTools, PassiveTotal, Google Safe Browsing, Shodan and Onyphe.
- Identify abuse contacts, parse files in several formats such as OLE and OpenXML to detect VBA macros, generate useful information on PE, PDF files, and much more.
- Submit large sets of observables from TheHive, custom scripts or MISP.
- Query Cortex analyzers from MISP to enrich events and extend the coverage of your investigations.
Own it
- Enable analyzers that allow to query your legacy and 3rd-party services using your own settings and user credentials.
- Create your own responders based on your active response workflows and processes.
- Easily parse Cortex output and display it the way you want using TheHive’s report engine. Cortex can also be interfaced with other products through its REST API or by using Cortex4py.
Share and engage
Create several organizations, populate them with required users, customize the default settings for analyzers and responders and start investigating together. Share everything you use and work as a team.
ALL YOUR TOOLS IN ONE
300+ integrations
What you can integrate TheHive with
Cloud Images (IaaS)
Use Cortex as a separate open-source analysis & response engine, benefit from it coupled with TheHive, or get the most out of it in the IaaS format.
Work with images on your preferred cloud platform while we help with the essentials like deployment, configuration, updates and maintenance.
testimonials
What our users say
We have been using TheHive for many years for our internal needs and those of our customers. It is a tool we have seen evolve over time, which is simple to use and effective for our day-to-day operational activities. The SOAR component is quite relevant and efficiently allows for improving the operational load of SOC/CSIRT analysts. It facilitates our life and has a multitude of integration possibilities with third-party tools such as MISP.
Abdoulaye Fadiga
GM, Global Cyber Operations EU, BT Business
Thanks to the creative minds and community behind TheHive and Cortex, we can efficiently investigate alerts and threats at scale throughout our organization. Having TheHive allows the freedom to build, design, and integrate with all of our security analyst's tools.
Nicholas Penning
Cybersecurity architect, Bureau of Information and Telecommunications, State of South Dakota
CERT Arkéa has been using the TheHive/Cortex combo for several years. In addition to the monitoring of submitted cases, the analysis of IOCs and the automation of incident responses via Cortex are a huge added value to our daily activity. The ease of creating a responder allows us to interact with the various IS APIs (ticketing, proxy blacklisting, IP blocking, takedown of phishing sites). By industrializing and automating our processes via TheHive/Cortex, the analysts save precious time in resolving incidents.
Guillaume Roussel
CERT / CSIRT, ARKEA
My experience with TheHive platform was nothing short of exhilarating. It's like the turbocharged engine of our cybersecurity arsenal, accelerating our threatening message to new heights. TheHive’s sleek interface and top-tier customer support make it a true champion on the cybersecurity track. I am revved up to recommend it.
gartner.com
Software industry
TheHive is a very high-performance and scalable product, which is designed for different platforms, with a very good user-friendly interface.
gartner.com
Education industry
TheHive is incredibly adaptable to our workflow needs. Its alert management system and integration capabilities make it suitable for both small setups and large enterprises.
gartner.com
Manufacturing industry
TheHive is a pretty cool tool for dealing with cyber incidents. You can tweak it to fit your needs, and it plays well with other security tools. It's great for teamwork, helps you stay organized, and makes it easier to figure out which threats are serious.
gartner.com
IT services industry
Our experience with TheHive has been largely positive. It has become an integral part of our incident response and threat intelligence workflow.
gartner.com
IT services industry
TheHive is a powerful and versatile tool for security incident response. It has the ability to automate tasks very well. TheHive has a user-friendly and intuitive interface that makes it easy to create, manage, and analyze security incidents.
gartner.com
IT services industry
From the first deployment until today, it has proved itself to be a game-changer in cybersecurity, and the results are evident. It helps automate repetitive security tasks and workflows. It also reduces the overall work pressure on our threat analysts, who can, in return, focus more on critical tasks and thus improve response time. The UI is also smooth, and navigation is easy. Integration and deployment were done quickly as well.
gartner.com
Insurance (except health) industry
It boasts tight integration with MISP and has been specifically designed to streamline and accelerate the resolution of security incidents. The three most important things that I liked about it are: 1. The ability to facilitate collaboration among multiple SOCs and CERTs. 2. It simplifies the management of tasks and alerts originating from various sources. 3. It is user-friendly and cost-effective.
gartner.com
Transportation industry
I have had a positive experience utilizing TheHive, a product implemented by our parent company and has helped us easily navigate incident response cases.
gartner.com
Construction industry
Excellent speed. User-friendly UI. Excellent support: TheHive's support team operates like a well-oiled pit crew, consistently responsive and prepared to assist.
gartner.com
Education industry
[TheHive] facilitates the creation and consolidation of cases within your ongoing work. The alert management and flexible integration capabilities of TheHive enable seamless adoption across a spectrum of installations, ranging from small setups to expansive enterprise deployments.
gartner.com
Software industry
Ease of use, easy integration with various security tools, able to be used in big environments.
gartner.com
Miscellaneous industry
TheHive makes life easier for SOCs
gartner.com
Miscellaneous industry
A scalable Security Incident Response platform. Very powerful. Recommended.
gartner.com
IT services industry
A very good tool to manage incident response workflows, it helps create and maintain a structure for your security operations team.
gartner.com
Banking industry
TheHive helps us create and merge cases. You can integrate it with Cortex and Wazuh, which maintains a better security posture. TheHive also helps us solve the problem of tracking down incidents. You can assign tasks to your teammates and track down the case. Also, if your investigation is over, you can close this case with proper justification. You can also integrate the tool with different SIEMs, Threat Intel tools, etc.
g2.com
Miscellaneous industry
The best part of TheHive is its integration with multiple threat intelligence tools like Cortex and MISP. Best for SOC teams for their incident response and case management.
g2.com
Miscellaneous industry
Easy to use and configure. Various integrations with various threat intel tools. We get all alerts from our SIEM on TheHive and easily manage them. Immense benefits.
g2.com
Miscellaneous industry
The alert management and the openness of TheHive allow to easily integrate it with different enterprise installations, from small to large. We are able to use it in a very big environment with extremely complex use cases and operation processes, and it works really great. The native integration of MISP interface is really helpful. TheHive’s file system, multi-tenancy, sharing of cases, alerts and observables are outstanding features that make this product choice number 1.
g2.com
Miscellaneous industry
What I like the most about TheHive are maintained dockers, scalability, efficiency in CTI checks, ease of use, design, and connectivity to other tools, thanks to the strong contributions from the community.
Julien M.
Cybersecurity analyst, CERT Gemalto
TheHive is designed for different environments and provides a user-friendly application GUI. It is a great product with good support and is easy to implement. Very little training was needed to navigate and use it. The collaboration method and being able to use TheHive in various capacities.
g2.com
Miscellaneous industry
Get started with Cortex
Join the global community of security professionals who investigate incidents more efficiently than ever with our engine.
Anything else?
Frequently Asked Questions
Other questions?
StrangeBee is happy to help! Get the answers directly from our experts.
Is Cortex still open-source?
Yes, and it’s available here.
How much does it cost?
Cortex is free. We are, however, at your service in case you need support for a deployment or training.
Are there any changes to Cortex with TheHive 5?
Nothing has changed. TheHive 5 and Cortex continue to be an excellent combination.
What happens to my Cortex servers with TheHive 5?
Your Cortex servers will remain functional.
What happens to my existing analyzers and responders with TheHive 5?
Don’t worry, your analyzers and responders will remain hard at work!