TheHive

Pricing from: Contact the product provider
Free Trial
Free version
User corporate size: Small, Medium, Large
User industry:
  1. Information technology and software
  2. Media and communications
  3. Public sector and nonprofit organizations

What is TheHive

TheHive is an incident response and case management platform used by security operations teams to track, coordinate, and document investigations. It provides structured workflows for alerts, cases, tasks, observables, and reporting, and it integrates with external security tools for enrichment and response actions. The product is commonly deployed by SOCs and incident response teams that need collaboration and auditability across investigations. It is available as an open-source project with commercial offerings and support from the vendor.

Pros

Purpose-built IR case management

TheHive centers on cases, tasks, and observables, which maps well to day-to-day incident response workflows. It supports assignment, status tracking, timelines, and structured documentation to improve handoffs between analysts. This focus can be more straightforward than broader monitoring platforms when the primary need is investigation coordination and recordkeeping.

Strong integration and automation hooks

TheHive integrates with enrichment and response tooling through its ecosystem (including companion automation components commonly used with it) and APIs. Teams can automate repetitive steps such as observable enrichment, indicator lookups, and task creation. This helps standardize playbooks and reduces manual context gathering during investigations.

Collaboration and audit-friendly workflows

The platform supports multi-analyst collaboration with role-based access controls and structured tasking. It maintains investigation artifacts and actions in a way that supports post-incident review and compliance evidence. These capabilities are useful for teams that must demonstrate process and decision trails across incidents.

Cons

Customization can require expertise

Getting the most value often involves configuring workflows, templates, integrations, and automation to match internal processes. Complex environments may require development effort to build and maintain connectors and playbooks. Time-to-value can vary depending on how much tailoring is needed.

Not a full detection platform

TheHive does not replace SIEM, EDR, or infrastructure monitoring systems that generate detections and telemetry. Organizations typically need to integrate it with other tools to ingest alerts and gather evidence. Buyers looking for an all-in-one detection-and-response suite may find the scope narrower.

Operational overhead for self-hosting

Many deployments require running and maintaining the application and its dependencies, which can add operational burden. Upgrades, scaling, backups, and security hardening are the customer’s responsibility in self-managed environments. This can be a constraint for smaller teams without dedicated platform engineering support.

Plan & Pricing

| Plan | Price | Key features & notes |
| --- | --- | --- |
| Community (On‑prem) | Free (0) — downloadable | Free community edition for up to 2 users; community support; downloadable from StrangeBee docs. |
| Gold (On‑prem) | Custom pricing — contact StrangeBee | Paid license; starting from 5 users & 1 organization; pay-per-user beyond included seats; business-hours (EU) support; enhanced quotas (up to 5 Cortex/MISP servers). |
| Platinum (On‑prem) | Custom pricing — contact StrangeBee | Paid license for large organizations; starting from 5 users & 1 organization; unlimited Cortex/MISP servers; priority support and feature handling. |
| Large (Cloud Platform SaaS) | Custom pricing — contact StrangeBee | TheHive Platinum hosted on TYPE‑1 infrastructure (private & dedicated); starting from 5 users & 1 org; TheHive 4 vCPU / 16 GB RAM, Cortex 4 vCPU / 16 GB RAM; 100 GB TheHive storage, 150 GB Cortex storage. |
| XLarge (Cloud Platform SaaS) | Custom pricing — contact StrangeBee | TheHive Platinum hosted on TYPE‑2 infrastructure; starting from 5 users & 1 org; TheHive 8 vCPU / 32 GB RAM, Cortex 8 vCPU / 32 GB RAM; 500 GB TheHive storage. |
| Tailored fit (Cloud Platform SaaS) | Custom pricing — contact StrangeBee | Custom infrastructure (TYPE‑X) and resources; fully private & dedicated; contact sales for bespoke quote. |

Notes: StrangeBee states TheHive is offered as an annual subscription and paid plans require contacting sales for a tailored quote. A one-time migration service fee is listed on StrangeBee’s blog as $3,000 / €3,000 (migration service), but license/pricing for Gold/Platinum/Cloud itself is custom and not published on the public pricing pages.

Seller details

StrangeBee
Paris, France
2017
Private
https://strangebee.com/
https://x.com/strangebee_
https://www.linkedin.com/company/strangebee

Tools by StrangeBee

TheHive

Best TheHive alternatives

Palo Alto Cortex XSIAM
Splunk SOAR (Security Orchestration, Automation and Response)
Defendify All-In-One Cybersecurity Solution
CYREBRO