Threat-intel
SOAR & Ticketing

TheHive

An open-source, scalable security incident response platform tightly integrated with MISP. It provides case management, alert triage, and collaborative investigation tools for SOC, CSIRT, and CERT teams.

What is TheHive?

TheHive is an open-source security incident response platform designed for SOC, CSIRT, and CERT teams that need a collaborative, scalable case management system without a commercial licensing dependency. It provides a structured environment for managing security incidents from initial alert through investigation to resolution, with each case containing a timeline of analyst actions, evidence attachments, observables, and task assignments. TheHive integrates natively with MISP for indicator sharing and with Cortex, its companion analysis engine, which can automatically enrich observables by running them through dozens of analyzers covering threat intelligence, sandbox analysis, and passive DNS. Its multi-tenancy support makes it suitable for MSSPs managing security operations for multiple client organizations, and its API-first architecture allows deep integration with other security tools and automation platforms.

How does TheHive work with Qevlar?

Qevlar integrates with TheHive to create cases and update investigation records as part of automated triage workflows. When Qevlar completes an automated investigation, it can push the findings, enriched observables, and recommended actions into a TheHive case, giving the analyst a structured record of the investigation to review, validate, and act on.
