// the find
TheHive-Project/TheHive
TheHive is a Collaborative Case Management Platform, now distributed as a commercial version
TheHive 4 was an open-source DFIR case management platform built on Scala/Play, designed for SOC teams to manage security incidents collaboratively, with integrations for Cortex (automated analysis) and MISP (threat intel sharing). The public repo is now a tombstone: versions 3 and 4 were EOL'd in 2023 and the product moved to a closed commercial offering from StrangeBee.
The multi-tenant organisation model with fine-grained sharing between orgs was genuinely well-designed for MSSPs running shared SOC infrastructure. The Cortex integration for running analyzers and responders directly against observables was one of the better automation hooks in open-source DFIR tooling. The graph-based backend (ScalliGraph over JanusGraph/Elasticsearch) gave flexible querying across case/alert/observable relationships that relational schemas struggle with. The REST API was versioned (v0 and v1 DTOs both present), which made automation scripting stable across releases.
The repo is dead — you cannot download it, there are no packages, and the maintainers explicitly tell you to call their sales team. Building on this for anything new is not viable. The Scala/Play stack was a high operational burden; most SOC teams lack the JVM/Scala expertise to run, debug, or extend it. The frontend is AngularJS with Grunt and Bower — a dependency chain that has rotted badly and would require significant work to build from source today. Multi-tenant setup was powerful but notoriously complex to configure correctly, and the documentation never fully caught up with the v4 graph model changes.