What is TheHive?

TheHive is an open source and free cybersecurity incident response platform.


TheHive Gold Edition

Starting from $17.000

On Premise
per year per installation

TheHive Platinum Edition

Starting from $23.000

On Premise
per year per installation

TheHive Cloud Platform - Large

Starting from $41.000

per year per installation

Entry-level set up fee?

  • $5,000 one-time fee per installation
For the latest information on pricing, visit…


  • Free Trial
  • Free/Freemium Version
  • Premium Consulting/Integration Services

Starting price (does not include set up fee)

  • $17,000 per year per installation

Product Details

What is TheHive?

TheHive was purpose-built for SOC, CERT and CSIRT teams to minimize the time between actions taken by a bad actor and a team’s security response unit. Whether the goal is to share observables with a team, open a case, correlate incidents, or automate forensic analysis, TheHive enables the user to do it.

TheHive Features

Incident Response Platforms Features

  • Supported: Company-wide Incident Reporting
  • Supported: Integration with Other Security Systems
  • Supported: Attack Chain Visualization
  • Supported: Centralized Dashboard
  • Supported: Live Response for Rapid Remediation

TheHive Screenshots

  • Alert Management: Go through your dedicated and detailed Alert page, make comments, identify similar Alerts, define custom statuses and fields. Then decide whether or not they should be escalated to investigations or to incident response.
  • Case Management: Create cases and associated tasks and observables. Identify similar cases and alerts, define the PAP (Permissible Actions Protocol) level on each Observable, or improve your Incident Response process using a simple yet powerful template engine.
  • Multi Tenant Environments: Define the different organizations and teams and get them to work in a dedicated or collaborative mode: tenants' cases can be isolated or investigated by users from different organizations based on customizable roles and permissions.
  • User Management: Define and customize user profiles, assign them to users within their organizations and synchronise them via LDAP or AD.
  • Metrics and Dashboards: Compile and correlate statistics on cases, tasks, observables, metrics and more to generate useful KPIs and MBOs with our dynamic dashboard engine.
  • MISP Integration: Get shared Indicators of compromise quickly imported and ready to use or share yours easily with your communities by connecting TheHive with MISP.
  • MITRE ATT&CK Framework Integration: Import all of the MITRE ATT&CK Framework TTPs to TheHive Alert management. Import Tactics and Techniques of a particular Case or Alert or simply export them to a MISP event.
  • Powerful Notification Framework: In addition to invoking Webhooks, send emails, Slack and Mattermost messages or call custom HTTP requests (JIRA, ServiceNow, QRadar...).

TheHive Video

TheHive 5 new features

TheHive Integrations

TheHive Technical Details

  • Deployment Types: On-premise, Software as a Service (SaaS), Cloud, or Web-Based
  • Operating Systems: Windows, Linux
  • Mobile Application: No
  • Supported Languages: English, French, Italian, German, Dutch, Spanish, Portuguese, Polish, Swedish, Chinese, Japanese, Arabic

Frequently Asked Questions

TheHive is an open source and free cybersecurity incident response platform.

TheHive starts at $17000.

Splunk SOAR, Swimlane, and ServiceNow Security Operations are common alternatives for TheHive.

The most common users of TheHive are from Enterprises (1,001+ employees).

TheHive Customer Size Distribution

  • Small Businesses (1-50 employees): 0%
  • Mid-Size Companies (51-500 employees): 30%
  • Enterprises (more than 500 employees): 70%

Reviews and Ratings


Community Insights

TrustRadius Insights are summaries of user sentiment data from TrustRadius reviews and, when necessary, 3rd-party data sources.

TheHive is a versatile tool that provides an array of use cases for incident management and response. With this product, users can track down and assign tasks to teammates, ensuring efficient collaboration during incident resolution. The ability to close cases with proper justification after completing investigations ensures thorough documentation. Additionally, the integration capabilities of TheHive with various SIEM and Threat Intel tools enhance its functionality, making it a valuable asset for SOC teams.

One of the key use cases of TheHive is its seamless integration with SIEM tools, allowing for easy management of alerts and streamlining the incident response process. This feature has proven beneficial for SOC teams by providing them with a centralized platform to log, track, and analyze incidents. Moreover, TheHive supports multi-tier SOC operations and enables the deployment of new SOAR systems, facilitating scalability and adaptability to changing security needs.

Beyond incident management, TheHive also plays a crucial role in problem-solving within IT departments. By efficiently managing incidents and trend analysis, organizations can gain insights into recurring issues and take proactive steps to address them. The collaboration features of TheHive enable users to utilize it in different capacities, be it tracking ongoing investigations or shaping the IT side of companies. Additionally, the software's ease of use and analytical capabilities have garnered positive feedback from users who found it helpful in solving typical IT problems.

While incident reporting can be resolved using TheHive, some users expressed the need for additional tools for support. Nonetheless, the product proves useful in tackling big data problems and offering real-time threat management solutions. Its automation capabilities allow for the effortless execution of tasks and the creation of response templates for efficient incident response. Furthermore, the integration of TheHive with third-party service providers further enhances its functionality for users seeking comprehensive solutions.

In conclusion, TheHive serves as a reliable tool for incident response and case management in diverse organizational settings. Its ability to track and assign tasks, close cases with proper justification, integrate with SIEM and Threat Intel tools, and support multi-tier SOC operations make it a valuable asset for SOC teams. Furthermore, the software's features extend beyond incident management, helping organizations shape their IT environment by solving problems and improving overall efficiency.

Versatile Platform: Users have found TheHive to be a versatile platform that allows for easy creation and merging of cases. Several reviewers mentioned this as one of the positive aspects of the software.

Integration with Cortex and Wazuh: The integration with Cortex and Wazuh was highly appreciated by users as it enhances the overall security posture. Many reviewers specifically mentioned this feature and its value in their feedback.

API Keys for Integration: The availability of API keys for integration purposes was seen as a valuable feature by users. This aspect of TheHive received positive feedback from multiple reviewers who highlighted its usefulness in integrating with other tools and systems.

Cons:

Limited functionality: Some users have expressed that TheHive5 is missing several options that its competitors offer. This has been mentioned by a significant number of reviewers, indicating a common concern.

Complicated installation process: Several reviewers have found the installation process of TheHive5 to be complicated, especially for beginners. This has been highlighted as a drawback by multiple users, suggesting that it may require technical expertise to set up.

Slow performance of Impala feature: A noticeable number of users have reported that the performance of the Impala feature in TheHive5 is slow. This indicates an issue with the efficiency and responsiveness of this specific component within the tool.

Users commonly recommend the following when using TheHive:

Consider options and pricing before choosing TheHive. Thoroughly evaluate different options and pricing plans to make an informed decision.

Be patient as TheHive gets better over time. The product may have room for improvement, but it has the potential for future enhancements and updates.

Utilize TheHive if you are skilled with Linux OS and server CLI. Having proficiency in Linux operating system (OS) and server command-line interface (CLI) can enhance your experience with TheHive.


August 11, 2022

TheHive--it works

Score 10 out of 10
Vetted Review
Verified User
TheHive is our incident response platform, as a small team it allows us to automate a lot of the tasks we need to perform. The design also allows us to set up templates which sign to our response plans. We use it on every Cyber Security incident we deal with in the University, and ties into a number of our third party service providers (in some cases, we have gone with a service provider as we know there was easy integration with TheHive).
  • Templates for cases, ensuring standard processes
  • Integration with third parties, to provide a single screen for incident response
  • Customisation, so that what we see reflects the way we work
  • Analysers and responders might need more documentation to help us understand them
Managing incident response - it does exactly what it is supposed to do!
  • Integration with other service providers
  • Standardised templates
  • Automation
Incident Response Platforms (5)
Company-wide Incident Reporting
Integration with Other Security Systems
Attack Chain Visualization
Centralized Dashboard
Live Response for Rapid Remediation
  • Reduced time to analyse and respond to incidents