What is our primary use case?
I use TheHive as an end user, implementation engineer, and administrator. My main use cases include ingesting alerts from SIEM systems such as Wazuh or Splunk and acting on them as they come in to investigate them. I also use Cortex, which is a StrangeBee product integrated with TheHive, to help with gathering intelligence from multiple sources and vendors, including VirusTotal and AbuseIPDB.
How has it helped my organization?
TheHive's case management features have significantly improved my incident response workflow and boosted my productivity.
What is most valuable?
TheHive's main functionality centers on case management and incident tracking, which are on par with the best tools available. The platform is easy to use and intuitive, providing a single-pane view of what is happening in any case or alert. Tasks can be assigned to any alert according to the playbook, and both the playbook and the tasks are very customizable, which are standout features.
TheHive's alert aggregation system is impressive as it aggregates alerts from almost everywhere and parses them very nicely. This is one of the main reasons I love TheHive's case management, as it makes it easy for any end user or analyst to work on the alerts and gather information, providing very deep insight into what the problem is.
TheHive's case management features have had a pretty good impact on my incident response workflow. It has boosted my productivity. Although I have not used any other case management systems professionally, I have used some open-source ones, and TheHive, properly optimized, has made my incident response workflow far easier, better, and more automated. I can even close alerts automatically using a SOAR platform in between and then take action based on user confirmation, closing the alerts and organizing them very effectively. This has had a pretty positive impact on my incident response workflow.
I integrate TheHive with other security tools. TheHive was integrated with my SIEM (Security Information and Event Management) system, which is where all the logs come in. TheHive was integrated with Wazuh SIEM and even Splunk, which was pretty easy and did not require much technical effort. Integration always requires some technical effort, but this was pretty straightforward compared to other tools.
TheHive's reporting and analytics features are also good. I have not used their cloud platform much, so I cannot comment on how the newer reporting method is, but the last version of TheHive I used with the older dashboard was pretty intuitive. There was some room for improvement which I believe they have already overcome with the latest versions and continuous development of TheHive. The dashboard was a pretty rocky but good experience for me.
What needs improvement?
TheHive is actually quite beautiful and very optimized. If I had to improve anything, I would say that it could improve its pricing. TheHive is pretty expensive right now. With a low number of users, it works for how the business runs, but I feel that it is pretty expensive when you want to go for the commercial versions, which is where people might not want to go with it.
Cost is the only downside, but it is the major downside. I would like to share an incident with you about a recent meeting I had with a client regarding TheHive. The only reason they decided not to go with TheHive was the cost. Everything looked very good and was fine, but the pricing was hard. The pricing was what made them hold off on TheHive and choose a different solution.
Over the years, TheHive has improved significantly in how the platform is used and how cases are managed. One good feature that I appreciated when I moved from TheHive 4 to TheHive 5 was the dark mode. When StrangeBee did the rebranding and made it a closed-source product, they added the dark mode feature, which I need because I am not good with light screens. TheHive was the only tool that had only a light mode. Once they added it, they improved a lot. Many connectors have been added, and many more integrations are possible now with TheHive. Basically, the appearance, performance, and integrations have improved a lot over the years.
For how long have I used the solution?
I have been using the solution for approximately three and a half to four years, and I am still using it.
What do I think about the stability of the solution?
I would rate the stability level of TheHive at a seven out of ten. I have faced multiple stability issues at points where the database goes down or enters a race condition, requiring a restart of the service to make the platform usable again. I believe that all these issues are already taken care of and solved in the cloud version. Basically, when you deploy it, if you have optimized it well based on your organization's data flow, it is a very reliable tool. If you miss the optimization, there might be a few hiccups.
What do I think about the scalability of the solution?
I would rate TheHive's scalability at an eight out of ten. It is pretty scalable, but it requires a good technical hand to manage it. Someone who is always working with servers and environments might get it done easily, but a security admin might face some issues at first. Once you get the hang of it, it gets much easier.
Which solution did I use previously and why did I switch?
There was one more tool that I used alongside TheHive. I started with TheHive at the beginning of my career, but once it went to the paid version, I moved to another tool which was DFIR-IRIS. DFIR-IRIS is a totally open-source tool which helps a lot and is similar to TheHive. However, having used TheHive since the start, I find it a lot easier and better than DFIR-IRIS in every way possible, whether it is performance, appearance, or analysis.
How was the initial setup?
That was very easy. I deployed TheHive on-premises with just two or three commands and then everything was up and running. It was pretty easy and straightforward.
Which other solutions did I evaluate?
I had two vendors or two tools to evaluate: TheHive and DFIR-IRIS. I would choose TheHive any day, but the point is that it is expensive, and that is where everything revolves around the cost. If the cost were a bit lower or if it were more accessible, there would be a high chance that everyone would go with TheHive rather than any other tool. The people at TheHive have made it very customizable, flexible, and very security-centric. They understand what a particular incident responder or security team needs and provide it quite well. This is why everyone would choose TheHive if the pricing were a bit lower or if the free tier allowed more users, as a two-user team is not ideal for many people.
Which deployment model are you using for this solution?
On-premises
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
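The reviewer describes feeding Wazuh alerts into TheHive and enriching observables with Cortex. The following is an added example, not the reviewer's code and not Wazuh's or StrangeBee's own integration script: it maps a Wazuh alert JSON record to a TheHive 5 API v1 alert payload, pulls observables (source IP, usernames, agent hostname) out of the alert so Cortex analyzers such as AbuseIPDB or VirusTotal have something to run on, and sets a stable `sourceRef` so a re-sent Wazuh alert deduplicates instead of creating a second TheHive alert. Assumptions are labelled in the code: the endpoint `POST /api/v1/alert` with Bearer API-key auth and the field names used, the rule-level to severity mapping (this example's own choice), and the sample Wazuh alert, which is constructed.

```python
"""
Added example (not the reviewer's code, nor Wazuh's or TheHive's own
integration): Wazuh alert -> TheHive 5 API v1 alert payload.

Assumptions: TheHive exposes POST /api/v1/alert with Bearer API-key auth
and the fields used below; the rule-level -> severity mapping is this
example's own choice. The sample alert is constructed for illustration.
"""
import json
import urllib.request

# Constructed sample: shape follows Wazuh's alerts.json, values are invented.
SAMPLE_WAZUH_ALERT = {
    "id": "1700000000.123456",
    "timestamp": "2024-01-15T10:22:31.000+0000",
    "rule": {
        "id": "5712",
        "level": 10,
        "description": "sshd: brute force trying to get access to the system.",
        "groups": ["syslog", "sshd", "authentication_failures"],
        "mitre": {"id": ["T1110"]},
    },
    "agent": {"id": "001", "name": "web-01", "ip": "10.0.0.5"},
    "data": {"srcip": "203.0.113.7", "srcuser": "root", "dstuser": "root"},
    "full_log": "Jan 15 10:22:31 web-01 sshd[2211]: Failed password for root "
                "from 203.0.113.7 port 50213 ssh2",
}

# Wazuh rule levels run 0-15; TheHive severity is 1 (low) .. 4 (critical).
# Thresholds below are this example's choice, not a Wazuh or TheHive default.
def wazuh_level_to_severity(level: int) -> int:
    if level >= 12:
        return 4
    if level >= 9:
        return 3
    if level >= 5:
        return 2
    return 1

# Wazuh `data` field -> TheHive observable dataType.
OBSERVABLE_FIELDS = {
    "srcip": "ip",
    "dstip": "ip",
    "srcuser": "other",
    "dstuser": "other",
    "url": "url",
    "hostname": "hostname",
}

def extract_observables(alert: dict) -> list:
    """Build the observables list, dropping duplicate (dataType, value) pairs."""
    seen = set()
    observables = []
    data = alert.get("data", {})
    for field, data_type in OBSERVABLE_FIELDS.items():
        value = data.get(field)
        if value and (data_type, value) not in seen:
            seen.add((data_type, value))
            observables.append({
                "dataType": data_type,
                "data": value,
                "message": f"wazuh data.{field}",
                "tags": [f"wazuh:{field}"],
            })
    agent = alert.get("agent", {})
    if agent.get("name") and ("hostname", agent["name"]) not in seen:
        observables.append({
            "dataType": "hostname",
            "data": agent["name"],
            "message": "wazuh agent",
            "tags": ["wazuh:agent"],
        })
    return observables

def build_thehive_alert(alert: dict) -> dict:
    """Map one Wazuh alert record to a TheHive v1 alert payload."""
    rule = alert["rule"]
    tags = [f"wazuh_rule:{rule['id']}", f"wazuh_level:{rule['level']}"]
    tags += [f"group:{g}" for g in rule.get("groups", [])]
    tags += [f"mitre:{t}" for t in rule.get("mitre", {}).get("id", [])]
    return {
        "type": "wazuh",
        "source": "wazuh",
        # Stable per Wazuh alert: the same alert sent twice does not duplicate.
        "sourceRef": alert["id"],
        "title": f"[{rule['id']}] {rule['description']}",
        "description": alert.get("full_log", ""),
        "severity": wazuh_level_to_severity(rule["level"]),
        "tlp": 2,  # TLP:AMBER
        "pap": 2,
        "tags": tags,
        "observables": extract_observables(alert),
    }

def send_alert(payload: dict, thehive_url: str, api_key: str, timeout: int = 10) -> dict:
    """POST the payload to TheHive (network call; not exercised offline)."""
    req = urllib.request.Request(
        f"{thehive_url.rstrip('/')}/api/v1/alert",
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {api_key}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)

if __name__ == "__main__":
    print(json.dumps(build_thehive_alert(SAMPLE_WAZUH_ALERT), indent=2))
```

The `sourceRef` is the part worth copying: Wazuh's alert `id` is unique per alert, so TheHive can reject or merge a replayed alert rather than creating a duplicate that an analyst then has to close by hand, which is the sort of noise the reviewer's SOAR auto-closing works around. Keep the API key out of the script (environment variable or secret store) and use a dedicated TheHive user with only alert-creation rights for the integration.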