Cyber Tool Stack
All tools
SOAROpen source · AGPL-3.0

Cortex (TheHive)

By StrangeBee

TheHive project's open-source analysis engine — no relation to Palo Alto Networks' similarly named Cortex products. It runs a library of analyzers to enrich observables like IPs, domains, and file hashes against dozens of intelligence services, plus responders that take automated action; unlike TheHive itself, it remains fully AGPL open source under StrangeBee's maintenance.

Verified Source: 1

Product type
Software
Deployment
On-prem
Organization size
SMBMid-marketEnterprise
Pricing tier
Free

Capability checklist

SOAR

How Cortex (TheHive) measures up against the full Security Orchestration, Automation & Response taxonomy.

Playbook / workflow automation — supported
Runs automated multi-step response actions triggered by an alert.
Case management — not supported
Tracks an incident from alert to closure with notes, evidence, and assignments.
Integration & connector library — supported
Connects to SIEM, EDR, ticketing, and other tools to take action across the stack.
Alert triage & enrichment — supported
Automatically gathers context on an alert before an analyst sees it.
No-code / low-code playbook builder — not supported
Lets analysts build automation without writing custom scripts.
Metrics & SLA reporting — not supported
Reports response times and automation impact against team SLAs.

Alternatives

Other Security Orchestration, Automation & Response tools with overlapping capabilities, sized for similar teams.

Appears in stacks

Real-world stacks that include Cortex (TheHive).

Search Cyber Tool Stack

Jump to any tool, vendor, category, or glossary term.