
TheHive

Collaborative Case Management Platform
for cybersecurity teams

What is TheHive?

TheHive is a purpose-built security operations platform for SOC, CSIRT, CERT and MSSP teams. It covers the full incident lifecycle—from alert triage and case management to investigation, collaboration and reporting—with built-in automation and 300+ integrations.

Trusted by 3,500+ security teams across 50+ countries, TheHive is designed for collaborative, at-scale incident response.

100% visibility

Centralize alerts from every source, prioritize what matters and cut through the noise with convenient alert triage.

Automation

Automate repetitive IR tasks, from alert enrichment to case creation, and let your analysts focus on actual threats.

Customization

Build workflows your team needs with flexible APIs and more than 300 out-of-the-box integrations.

Collaboration

Investigate together, share findings, generate reports and keep stakeholders in the loop.

Trusted by 3500+ users in 50+ countries

What you can do with TheHive

Purpose-built for incident responders

See how security teams use TheHive: from first alert to final report—every step of incident response in one platform.

Centralize your alert management

Automatically collect and prioritize alerts from your entire security stack. Enrich them with threat intelligence and escalate what matters.

  • Ingest alerts from SIEMs, EDRs and other sources
  • Deduplicate, merge and score incoming alerts
  • Import IOCs from MISP and map TTPs to MITRE ATT&CK
  • Escalate confirmed threats to investigation

Investigate every threat, end to end

Open a case for every confirmed threat. Assign tasks, collect evidence and map the full context—all in one collaborative workspace.

Enrichment

  • Assign tasks and track observables across the case
  • Merge related cases, add tags and flag IOCs
  • Attach evidence files, including password-protected ZIP archives
  • Define the Permissible Actions Protocol level for each observable
  • Analyze each observable with out-of-the-box or custom analyzers

Collaboration

  • Assign cases to analysts and coordinate tasks across shifts
  • Customize roles and permissions, restrict case visibility for specific users
  • Share cases with external collaborators
  • Synchronize user profiles via LDAP or AD
  • Contribute to dynamic timelines and dashboards together

React faster with automated analysis and response

Trigger automated enrichment and response the moment a threat is confirmed. Choose from 300+ integrated analyzers and responders or create your own.

  • Analyze hundreds of observables simultaneously
  • Perform response actions in a few clicks
  • Build custom workflows via flexible APIs
  • Notify the right people automatically (email, Slack and more)

Close every incident with a full audit trail

Generate structured reports for internal review, management or clients. Stay audit-ready and share intelligence back to the community.

  • Generate reports in markdown or PDF
  • Customize templates per audience and recipient
  • Export IOCs and TTPs to MISP
  • Track KPIs and response metrics on dynamic dashboards
  • Meet compliance requirements with complete, timestamped case records

Cortex

The powerful engine working hand in hand with TheHive

Automate your threat analysis and response

Analyze any observable in seconds

Automatically analyze IP addresses, URLs, domain names, file hashes, email addresses and other observables one at a time or in bulk.

Contain threats before they spread

Quickly trigger active response actions (isolate endpoints, block domains, quarantine files and more) the moment a threat is confirmed, without leaving TheHive.

All your tools in one

300+ integrations

Deployment options

Deploy TheHive your way—on-premises, SaaS or IaaS

On-premises (self-hosted)

You’re in full control over your deployment. Install, configure and operate TheHive within your own infrastructure, with no external dependencies.

Cloud Platform (SaaS)

All the power of TheHive, fully managed by StrangeBee in a dedicated, hardened AWS environment. Focus on incident response while we handle the rest.

TheHive + Cortex, ready out of the box

Fully configured and integrated from day one

Hardened by design

Infrastructure secured and maintained to enterprise standards

Tailored to your infrastructure

We migrate your existing on-prem data and adapt the platform to your environment

Fully managed & supported

Zero maintenance burden on your team

Cloud Images (IaaS)

Deploy TheHive on AWS or Azure using pre-built, maintained IaaS images. You control the infrastructure, and we keep the images updated.

testimonials

What security teams say about TheHive

We have been using TheHive for many years for our internal needs and those of our customers. It is a tool we have seen evolve over time, which is simple to use and effective for our day-to-day operational activities. The SOAR component is quite relevant and efficiently allows for improving the operational load of SOC/CSIRT analysts. It facilitates our life and has a multitude of integration possibilities with third-party tools such as MISP.
Abdoulaye Fadiga

GM, Global Cyber Operations EU, BT Business

Thanks to the creative minds and community behind TheHive and Cortex, we can efficiently investigate alerts and threats at scale throughout our organization. Having TheHive allows the freedom to build, design, and integrate with all of our security analyst's tools.
Nicholas Penning

Cybersecurity architect, Bureau of Information and Telecommunications, State of South Dakota

CERT Arkéa has been using the TheHive/Cortex combo for several years. In addition to the monitoring of submitted cases, the analysis of IOCs and the automation of incident responses via Cortex are a huge added value to our daily activity. The ease of creating a responder allows us to interact with the various IS APIs (ticketing, proxy blacklisting, IP blocking, takedown of phishing sites). By industrializing and automating our processes via TheHive/Cortex, the analysts save precious time in resolving incidents.
Guillaume Roussel

CERT / CSIRT, ARKEA

My experience with TheHive platform was nothing short of exhilarating. It's like the turbocharged engine of our cybersecurity arsenal, accelerating our threatening message to new heights. TheHive’s sleek interface and top-tier customer support make it a true champion on the cybersecurity track. I am revved up to recommend it.
gartner.com

Software industry

TheHive is a very high-performance and scalable product, which is designed for different platforms, with a very good user-friendly interface.
gartner.com

Education industry

TheHive is incredibly adaptable to our workflow needs. Its alert management system and integration capabilities make it suitable for both small setups and large enterprises.
gartner.com

Manufacturing industry

TheHive is a pretty cool tool for dealing with cyber incidents. You can tweak it to fit your needs, and it plays well with other security tools. It's great for teamwork, helps you stay organized, and makes it easier to figure out which threats are serious.
gartner.com

IT services industry

Our experience with TheHive has been largely positive. It has become an integral part of our incident response and threat intelligence workflow.
gartner.com

IT services industry

TheHive is a powerful and versatile tool for security incident response. It has the ability to automate tasks very well. TheHive has a user-friendly and intuitive interface that makes it easy to create, manage, and analyze security incidents.
gartner.com

IT services industry

From the first deployment until today, it has proved itself to be a game-changer in cybersecurity, and the results are evident. It helps automate repetitive security tasks and workflows. It also reduces the overall work pressure on our threat analysts, who can, in return, focus more on critical tasks and thus improve response time. The UI is also smooth, and navigation is easy. Integration and deployment were done quickly as well.
gartner.com

Insurance (except health) industry

It boasts tight integration with MISP and has been specifically designed to streamline and accelerate the resolution of security incidents. The three most important things that I liked about it are: 1. The ability to facilitate collaboration among multiple SOCs and CERTs. 2. It simplifies the management of tasks and alerts originating from various sources. 3. It is user-friendly and cost-effective.
gartner.com

Transportation industry

I have had a positive experience utilizing TheHive, a product implemented by our parent company and has helped us easily navigate incident response cases.
gartner.com

Construction industry

Excellent speed. User-friendly UI. Excellent support: TheHive's support team operates like a well-oiled pit crew, consistently responsive and prepared to assist.
gartner.com

Education industry

[TheHive] facilitates the creation and consolidation of cases within your ongoing work. The alert management and flexible integration capabilities of TheHive enable seamless adoption across a spectrum of installations, ranging from small setups to expansive enterprise deployments.
gartner.com

Software industry

Ease of use, easy integration with various security tools, able to be used in big environments.
gartner.com

Miscellaneous industry

TheHive makes life easier for SOCs
gartner.com

Miscellaneous industry

A scalable Security Incident Response platform. Very powerful. Recommended.
gartner.com

IT services industry

A very good tool to manage incident response workflows, it helps create and maintain a structure for your security operations team.
gartner.com

Banking industry

TheHive helps us create and merge cases. You can integrate it with Cortex and Wazuh, which maintains a better security posture. TheHive also helps us solve the problem of tracking down incidents. You can assign tasks to your teammates and track down the case. Also, if your investigation is over, you can close this case with proper justification. You can also integrate the tool with different SIEMs, Threat Intel tools, etc.
g2.com

Miscellaneous industry

The best part of TheHive is its integration with multiple threat intelligence tools like Cortex and MISP. Best for SOC teams for their incident response and case management.
g2.com

Miscellaneous industry

Easy to use and configure. Various integrations with various threat intel tools. We get all alerts from our SIEM on TheHive and easily manage them. Immense benefits.
g2.com

Miscellaneous industry

The alert management and the openness of TheHive allow to easily integrate it with different enterprise installations, from small to large. We are able to use it in a very big environment with extremely complex use cases and operation processes, and it works really great. The native integration of MISP interface is really helpful. TheHive’s file system, multi-tenancy, sharing of cases, alerts and observables are outstanding features that make this product choice number 1.
g2.com

Miscellaneous industry

What I like the most about TheHive are maintained dockers, scalability, efficiency in CTI checks, ease of use, design, and connectivity to other tools, thanks to the strong contributions from the community.
Julien M.

Cybersecurity analyst, CERT Gemalto

TheHive is designed for different environments and provides a user-friendly application GUI. It is a great product with good support and is easy to implement. Very little training was needed to navigate and use it. The collaboration method and being able to use TheHive in various capacities.
g2.com

Miscellaneous industry

Join 3,500+ users worldwide

SOC, CSIRT, CERT and MSSP teams across 50+ countries rely on TheHive to manage security incidents faster and more efficiently.

Anything else?

Frequently Asked Questions

Other questions?

StrangeBee is happy to help! Get the answers directly from our experts.

What is TheHive used for?

TheHive is a security case management platform used by SOC, CSIRT, CERT and MSSP teams to manage the full incident lifecycle, from alert triage and case management to investigation, response and reporting.

How is TheHive different from a SIEM or a ticketing system?

SIEMs collect and correlate security events; ticketing systems track generic tasks. TheHive is purpose-built for incident response: it combines alert triage, collaborative case management, evidence handling, automated analysis and active response actions in one platform. With it, your team can move from first alert to closed case without switching tools.

Does TheHive integrate with existing security tools?

Yes. TheHive supports 300+ integrations, including SIEMs, EDRs, threat intelligence platforms and ticketing systems. It also offers flexible REST APIs to build custom workflows and connect to any tool in your security stack.

What happened to TheHive 3 and TheHive 4?

TheHive 3 reached End-of-Life on December 31, 2021. TheHive 4’s End-of-Support was December 31, 2022. Both versions are no longer maintained. TheHive 5 includes a migration tool that allows direct migration from TheHive 3 or TheHive 4—no intermediate steps required.

What languages does TheHive support?

TheHive 5 is available in English (UK and US), French, German, Italian, Spanish, Dutch, Portuguese, Swedish, Polish, Russian, Arabic, Japanese and Simplified Chinese.