TheHive 4: open source platform for SOC and incident response

TheHive 4.0 (September 2020) by TheHive Project: open source SIRP for case management, tasks and observables, MISP and Cortex integration. Scala/Akka, AGPLv3. Licence change in TheHive 5 (2022).


An open SIRP for the SOC

A Security Operations Centre needs to track incidents, assign tasks, correlate observables and integrate threat intelligence. Commercial Security Incident Response Platforms (ServiceNow SIR, Demisto/XSOAR, Resilient) cover this space, but at the price of licence cost and vendor lock-in.

In 2016 Jérôme Léonard, Nabil Adouani and Thomas Franco (formerly of CERT-BDF) started TheHive Project: an open source SIRP written in Scala on the Akka framework, backed by a Cassandra/Elasticsearch database.

TheHive 4.0, the first major release built on the Cassandra + Elasticsearch database (a scalable architecture), was released on 7 September 2020 under the AGPLv3 licence.

Case, task, observable

TheHive organises SOC operations around three main objects:

  • Case — the incident (with severity, TLP, PAP, tags, custom fields)
  • Task — activity to be carried out during handling (assignable, trackable)
  • Observable — IoC or artefact (IP, hash, URL, email, file) with automatic analysis capability

Every object is versioned, searchable and linked to an audit trail.

Integration with Cortex

Cortex is the analysis engine associated with TheHive, also open source. It exposes analyzers (over 150 public ones: VirusTotal, MISP, PassiveTotal, AbuseIPDB, Shodan, Have I Been Pwned) and responders (actions such as blocking an IP on a firewall, isolating an endpoint, or sending a notification).

TheHive automatically sends observables to Cortex for enrichment; the result is visible in the case.

MISP integration

The MISP ↔ TheHive integration is bidirectional:

  • Import — MISP events can generate alerts in TheHive
  • Export — a TheHive case can be published as a MISP event (for community/ISAC sharing)

This synergy stems from the historical closeness of the two projects and their combined use in European CSIRTs.

Alert feed and automation

TheHive receives alerts from external sources (SIEM, IDS, mail gateway, EDR) via its REST API. Alerts are normalised, deduplicated and promoted to cases either manually or automatically. A Python client (thehive4py) and integrations with n8n, Shuffle and Cortex XSOAR enable SOAR workflows.
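The normalise-and-deduplicate step described above, as an added example that is not TheHive Project code: raw detections from a sensor are mapped to the JSON body of TheHive 4's POST /api/alert (field names such as source, sourceRef, artifacts and the 1-4 severity scale are assumed from the v0 API), observables are extracted from the message text, and events sharing the same (source, sourceRef) pair are dropped before sending, since that pair is the key TheHive uses to reject duplicates. The sample events are constructed.

```python
"""Build TheHive 4 alert payloads from raw detections (added example, not TheHive Project code)."""
import json
import re
import urllib.request

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}  # TheHive 4 severity scale (assumed)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")

# Constructed sample detections, shaped like an IDS/EDR feed; not real data.
RAW_EVENTS = [
    {"id": "ids-1001", "sensor": "suricata", "msg": "ET MALWARE beacon to 203.0.113.7", "level": "high"},
    {"id": "ids-1001", "sensor": "suricata", "msg": "ET MALWARE beacon to 203.0.113.7", "level": "high"},
    {"id": "edr-77", "sensor": "edr", "level": "medium",
     "msg": "suspicious binary e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 on ws-12"},
]

def extract_observables(text):
    """Turn IPs and SHA-256 hashes found in free text into TheHive artifact objects."""
    obs = [{"dataType": "ip", "data": ip} for ip in IP_RE.findall(text)]
    obs += [{"dataType": "hash", "data": h} for h in SHA256_RE.findall(text)]
    return obs

def to_alert(ev):
    """Map one raw detection to the body expected by POST /api/alert (TheHive 4 v0 API, assumed)."""
    return {
        "type": "external",
        "source": ev["sensor"],
        "sourceRef": ev["id"],          # source + sourceRef is the deduplication key
        "title": ev["msg"][:60],
        "description": ev["msg"],
        "severity": SEVERITY.get(ev["level"], 2),
        "tlp": 2,                        # TLP:AMBER by default
        "tags": ["automated", ev["sensor"]],
        "artifacts": extract_observables(ev["msg"]),
    }

def normalise(events):
    """Drop repeats of the same (source, sourceRef) before they reach TheHive."""
    seen, alerts = set(), []
    for ev in events:
        key = (ev["sensor"], ev["id"])
        if key not in seen:
            seen.add(key)
            alerts.append(to_alert(ev))
    return alerts

def post_alert(alert, base_url, api_key):
    """Send one alert with TheHive's bearer-token authentication (API key created in TheHive)."""
    req = urllib.request.Request(f"{base_url}/api/alert", data=json.dumps(alert).encode(), method="POST",
                                 headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

if __name__ == "__main__":
    for a in normalise(RAW_EVENTS):
        print(json.dumps(a, indent=2))  # swap for post_alert(a, "https://thehive.example", "API_KEY_PLACEHOLDER")
```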

The TheHive 5 change

In 2022 the team announced TheHive 5, with a change of model: a proprietary licence (AGPLv3 retained only for the legacy version 4), a company rebrand to StrangeBee, and Community/Gold/Platinum tiers. TheHive 4 remains available as an archived release but no longer receives active maintenance.

Part of the community has continued with community-driven forks or migrated to alternatives; our account here focuses on the open source version 4.

Adoption

  • National and governmental CSIRTs — case management for public incidents
  • Financial and healthcare CERTs — regulated incident tracking
  • MSSPs — multi-tenant platform for customer management
  • Academic Blue teams — teaching and exercises

In the Italian context

TheHive 4 was adopted by:

  • Public CSIRTs and SOCs — incident handling on critical infrastructure
  • Financial sector and public administration — for traceability requirements
  • Universities and research centres — cybersecurity projects

It remains a historical reference for open source SOC architectures, even though active development has shifted elsewhere.


References: TheHive 4.0 (7 September 2020). TheHive Project — Jérôme Léonard, Nabil Adouani, Thomas Franco, 2016. AGPLv3 licence for TheHive 4. TheHive 5 (2022) — licence change to StrangeBee proprietary model. Integration with Cortex and MISP. Site: https://thehive-project.org.
