Top 5 Open Source SOAR Tools Compared in 2025

As a CISO in a highly regulated industry with ~2 decades of cybersecurity expertise, I listed the top 5 open-source security orchestration, automation, and response (SOAR) tools with threat detection capabilities that can enable SOCs to take proactive incident response actions effectively. Discover these solutions based on their features, usability, and user feedback:

Features

Tools with:

• Self-hosted option: Store your data on self-hosted servers rather than external servers controlled by others.
• Malware information sharing platform (MISP) support: Enable users to store, share, and receive information about malware, threats, and vulnerabilities in a structured way.
• Built-in UEBA: Use machine learning and statistical analytics to identify abnormal user and device behavior.
• Security information and event management (SIEM): Collect, aggregate, and analyze large volumes of data from organization-wide applications, devices, servers, and users in real-time

Technical features

*MITRE ATT&CK labels are available.

Tools with:

• Python-to-no-code: Allow users to create applications and build workflows using Python without writing code.
• Mitre mapping: Provide a comprehensive matrix of threat actors’ tactics, techniques, and procedures
• No-code workflow builder: Enable security teams to automate incident response without writing a single line of code.
• Trigger-based workflows: Can execute a workflow that runs when a specific event occurs, such as a user opening an email or completing a form

Top 5 open source SOAR tools reviewed

See the description of additional categories and tool selection criteria.

Read more: Most common SOAR use cases.

Disclaimer: Insights (below) come from our experience with these solutions as well as other users’ experiences shared in Reddit¹ , and G2² .

n8n

n8n is an open-source workflow automation tool to automate processes across several services. The solution uses a fair-code distribution, hence n8n’s source code is visible and self-hosted. This allows users to add unique functions, logic, and apps. 

It is commonly used by large-scale companies such as UPS, ALMOND, and Northstar Aerospace.

Community edition includes:

• Debug in the editor: Copy and pin execution data while working on a workflow.
• One day’s workflow history: 24 hours of workflow history allows you to revert to earlier workflow versions.
• Custom execution data: Save, find, and comment on the execution metadata.

The open-source community edition does not include the features listed below: These features are offered with self-hosted and cloud pro/enterprise subscriptions.

• External storage
• Log streaming (logging is included)
• Single sign-on (SSO)
• Sharing (workflows, credentials) (Only the instance owner and the user who creates them can access workflows and credentials)
• Version control using Git
• Workflow history (You can get only one day of workflow history with the community edition by registering)

Pros

• Developer-friendly:
  • It supports JavaScript and Python for workflow customization, and it can use the external npm library for JavaScript in self-hosted setups.
  • Provides a “Code Node” for writing custom logic in JavaScript, offering flexibility for developers.
• Integration capabilities: Works seamlessly with APIs and supports importing cURL commands for transferring data specified with URL syntax.
• Scalable pricing: The cloud pricing model doesn’t charge based on the complexity of workflows.
• Deployment: Works seamlessly with Docker for straightforward setup and scalability.
• No-code: n8n’s backend offers no-code features.

Cons

• Steeper learning curve: Setting up OAuth clients for services like Google Sheets is more complex than SaaS products like Zapier and Make.
• Limited cloud features: The cloud version of n8n lacks certain advanced functionalities available in the self-hosted version, such as external npm package support.
• Requires technical expertise: Ideal for developers or technically inclined users but may intimidate non-technical users unfamiliar with Docker, Linux, or command-line tools.
• Resource management: Self-hosted setups require resource management, including server upkeep, security, and backups, which can be challenging for smaller teams.

StackStorm – st2

Source: GitHub⁴

st2 automates auto-remediation, incident responses, troubleshooting, and deployments for DevOps. St2 offers a rule automation engine, workflows, and 160 integration modules.

St2 is used by enterprises, including Cisco, Target, and Netflix. For example, Netflix used StackStorm, a remediation platform, to host and execute its runbooks.⁵

Integration costs: The total monthly costs st2 for the following third-party integrations are ~$28 such as AWS, PackageCloud, stackstorm.com, forum.stackstorm.com, Zoom account, Packet.net, Domain Certificates, and OpenVPN license.⁶

Open-source version features:

• Slack integration: ✅ Available
• AWS integration: ❌ Not available
• Workflow designer: ❌ Not available
• Professional support: ❌ Not available
• Network automation suites: ❌ Not available

Pros

• Custom workflows: Users say they can effectively integrate any script you or others have created into custom workflows.
• Strong plugin ecosystem: StackStorm supports several integrations with third-party tools such as NetBox, Splunk, and more.

Cons

• Kubernetes support: St2 has no native Kubernetes support.
• Steep learning curve: Requires a solid understanding of Python and YAML to create and manage workflows, which might be a barrier for teams with limited coding expertise.
• Limited active updates: The frequency of updates and maintenance is low.

Shuffle

Source: Medium⁷

Shuffle is an open-source SOAR. It helps automate workflows and move data throughout a company via 200+ plug-and-play Apps.

Shuffle utilizes OpenAPI, an existing Web API standard, and provides access for creating apps with over 11,000 endpoints.

Key features:

• SIEM to ticket: Send your SIEM alerts to Shuffle. Network logs are transmitted to the SIEM and sent to your case management system.
• 2-way ticket synchronization: Sync tickets between two systems. Different stakeholders (e.g. supplier or department) and your internal team will have restricted access to particular tickets.

It’s a strong choice for organizations with small to mid-sized teams looking for a free plan with unlimited workflows, apps, and users. Its on-prem enterprise version plan starts at $960/mo for 8 CPU cores.

Free edition vs paid edition (cloud-hosted):

Pros

• Workflows and playbooks: Reviews show that workflows and playbooks are easy to deploy and use.
• Third-party integrations: Connecting Wazuh notifications with Jira is seamless.
• Installation: Easy-to-install setup, especially with Docker.

Cons

• Backend procedures: Navigating backend procedures in the docker environment can be difficult.
• Containerized environment integrations: Integrations with containerized environments are problematic.
• Performance issues: Shuffle has server capacity constraints, which slowed workflow execution.

TheHive Project – Cortex

Source: GitHub⁸

Cortex streamlines threat intelligence, digital forensics, and incident response by providing a unified tool for analyzing observables at scale.

These observables—such as IP addresses, email addresses, URLs, domain names, files, and hashes—can be assessed either individually or in bulk through an intuitive web interface.

Free edition vs paid edition:

Pros

• Network monitoring: Cortex can monitor and analyze massive monitoring information at scale.
• Database integrations: Cortex seamlessly integrates with MongoDB for data analysis and forecasting of current trends. 
• Integration with threat intelligence tools: Strong integration capabilities with Cortex and MISP (Malware Information Sharing Platform).

Cons

• Transition to paid model: The Hive5 release has moved to a commercial licensing model, potentially alienating users who relied on the fully open-source framework.
• Steep learning curve: The platform configurations can be complex to operate for beginners
• Community support: The open source community has limited support and updates.
• UI: The interface could be more user-friendly.

Tracecat

Source: ⁹

Tracecat is an open-source Tines/Splunk SOAR replacement for security engineers. Its Managed Detection and Response (MDR) feature integrates work processes into any security solution.

Tracecat enables security users to build automation using both:

• No-code drag-and-drop UI
• Configuration-as-code (e.g. Ansible / GitHub Actions)

Key considerations: The developers focus on making Tracecat available to understaffed small- and medium-sized organizations.

Thus, it is also user-friendly for nontechnical personnel since it provides Python-to-no-code and no-code workflow builder capabilities.

Additionally, Tracecat is also used by large-scale companies like Datadog, Netflix, and Stripe.

Open source features (self-hosted):

• Automation features:
  • Workflow automation
  • Pre-built and custom integrations
  • REST API for managing workflows
• Security features:
  • Role-based access controls
  • Single sign-on (SSO)

Enterprise features (self-hosted):

Includes all open-source features, plus:

• Integrations:
  • API health monitoring
  • Webhooks
• Automation:
  • Semantic search and clustering
  • Automated entity extraction
  • Automated labeling (e.g., MITRE ATT&CK)
• Professional support:
  • SLAs with private chat (Slack, Microsoft Teams) and email support

What is SOAR?

Security orchestration, automation, and response (SOAR) tools coordinate, execute, and automate processes between several people and products on a single platform.

This enables organizations to respond quickly to cybersecurity threats while also observing, and preventing future incidents.

For more: Most common SOAR use cases.

Why do organizations need SOAR tools?

Organizations need SOAR tools to enhance their ability to respond to security incidents quickly and efficiently, especially as the cost of a data breach continues to rise.

In 2024, the global average cost of a data breach is ~$4.9M—a 10% increase over the previous year and the highest amount ever.¹⁰

Open source security orchestration, automation, and response (SOAR) tools coordinate, execute, and automate tasks between various people and software within a single platform. With these tools:

• Security Operations (SecOps) integrate workflow development between security engineering and SOC teams.
• Security Engineers (SecEngs) create automation with open source connectors, configuration-as-code, and a templating language.

This enables organizations to analyze diverse data to track and respond to data breaches and cyber attack vectors oftentimes manually, resulting in a more proactive approach to security operations.

How to select an open source SOAR tool

1. Evaluate the vendor’s reputation. The amount of stars and collaborators on GitHub reflects the tool’s popularity. Tools with more GitHub stars and contributors will get advantages like:

• Stronger community support
  
  • Larger user base: Tools with high GitHub stars typically have a large and active user community, which means more people to ask for help, share knowledge, and discuss best practices.
  • More frequent updates: High contributor counts often lead to more frequent updates and improvements, ensuring the tool stays up-to-date with the latest technologies and standards.
  • Collaborative problem-solving: A strong community of developers can assist in identifying bugs, sharing solutions, and contributing to feature development of the open source SOAR tool.

2. Analyze the software’s features: Most open source SOAR platforms include incident response, threat hunting, and threat intelligence capabilities. However, if the company expects to utilize the network security tool for numerous purposes, consider a more comprehensive solution.
   
   For example, a company looking to identify potential security threats before they disrupt business operations may choose a system with security information and event management (SIEM)  features.

Read more: SIEM tools.

3. Compare open-source and paid alternatives: Open-source solutions usually have restricted integrations, less specialized capabilities, and lack of expert support. Companies seeking a more personalized paid solution should look for the following in a SOAR platform:
   
   -more comprehensive features (for example, microsegmentation, cloud security posture management)
   – extensive documentation
   – a dedicated team to promptly address and fix security problems.

Description of additional categories

1. SIEM

Security Information and Event Management (SIEM) provides real-time analysis of security alerts generated by network hardware and applications. 

Key components:

• Log management
• Threat detection 
• Behavioral analysis 

2. Workflow automation

Workflow automation technology involves using software to automate various tasks, processes, and workflows that typically require manual intervention. This technology helps improve efficiency, reduce errors, and streamline operations by automating repetitive tasks and orchestrating complex workflows. 

Read more: Process Orchestration Tools.

3. Incident response

Incident response is a systematic process for dealing with security incidents, including cyberattacks, data breaches, and other unauthorized activities targeting an organization’s IT infrastructure. It involves identifying, managing, and mitigating security threats to minimize impact and restore normal operations as quickly as possible.

Tool selection criteria

• Number of GitHub stars: 1,000+
• Update release: At least one update was released last week as of 10/1/24.

Further reading

• Role-based Access Control (RBAC)  
• Network Segmentation: 6 Benefits & 8 Best Practices
• 80+ Network Security Statistics

External Links

• 1. Reddit - Dive into anything.
• 2. Bewertungen von Geschäftssoftware und -diensten | G2. G2
• 3. GitHub - n8n-io/n8n: Fair-code workflow automation platform with native AI capabilities. Combine visual building with custom code, self-host or cloud, 400+ integrations..
• 4. GitHub - StackStorm/st2: StackStorm (aka "IFTTT for Ops") is event-driven automation for auto-remediation, incident responses, troubleshooting, deployments, and more for DevOps and SREs. Includes rules engine, workflow, 160 integration packs wit.
• 5. Introducing Winston — Event driven Diagnostic and Remediation Platform | by Netflix Technology Blog | Netflix TechBlog. Netflix TechBlog
• 6. StackStorm Expenses · Issue #36 · StackStorm/community · GitHub.
• 7. Getting started with Shuffle — an Open Source SOAR platform part 2 | by Frikky | Shuffle Automation | Medium. Shuffle Automation
• 8. GitHub - TheHive-Project/Cortex: Cortex: a Powerful Observable Analysis and Active Response Engine.
• 9. GitHub - TracecatHQ/tracecat: The open source Tines / Splunk SOAR alternative for security and IT engineers. Built on simple YAML templates for integrations and response-as-code..
• 10. Cost of a data breach 2024 | IBM.