I’ve spent nearly two decades as a CISO in heavily regulated industries, long enough to have tested, deployed, and ripped out more SOAR tools than I’d like to admit. Most open-source options look promising in their documentation but fall apart when you actually run them in production. These five are the ones that didn’t:
| Tool | What is it | Focus |
|---|---|---|
| n8n | Workflow engine for SOAR | Customizable, API-driven automation |
| StackStorm – st2 | Event-driven SOAR infrastructure | Infrastructure-level auto-remediation and DevOps automation |
| Shuffle | Full SOAR platform | No-code security response orchestration for SOC teams |
| TheHive Project – Cortex | Threat intel & case management tool | IOC analysis and structured case management |
| Tracecat | Full SOAR platform | Scalable, multi-tenant SOAR playbooks |
GitHub stars of the best open-source SOAR tools
The chart tracks GitHub stars for the top open-source SOAR tools over the past 2 years. n8n dominates at roughly 160k stars, largely because it is a general-purpose workflow automation platform that attracts users well beyond the security operations space.
The other tools, StackStorm, Shuffle, TheHive Project, and Tracecat, remain clustered in the lower range (under 20k stars), reflecting their more specialized focus on security-specific SOAR use cases.
Analysis of the top tools
n8n
n8n is a self-hosted workflow automation platform with a visual, low-code interface. Security teams use it in SecOps contexts to automate detection, response, and enrichment tasks across SIEMs and threat intelligence platforms.
Licensing model: Source-available, not fully open-source. n8n’s free Community Edition ships with source code, but its Sustainable Use License places it outside the Open Source Initiative’s definition of open source.1
What the n8n Community Edition includes:
The free tier covers the core workflow engine: debug-in-editor with execution data pinning, 24 hours of workflow history, and custom execution metadata (save, search, comment).
What requires a paid plan:
Workflow sharing is restricted to the instance owner and creator; broader team access requires a Pro or Enterprise plan.
SOAR use cases with n8n:
Source: n8n2
MCP instance-level connections
n8n added instance-level MCP (Model Context Protocol) support, allowing MCP-compatible AI platforms to access opted-in workflows through a single OAuth-secured endpoint. Newly added workflows become available through the same connection without additional configuration.3
Security advisory
Multiple critical CVEs affecting self-hosted n8n instances were disclosed. CVE-2026-21858 (“Ni8mare”) carries a CVSS score of 10.0. It affects versions prior to 1.121.0 and allows an unauthenticated remote attacker to read arbitrary files and, in some configurations, achieve remote code execution through improperly validated web form file uploads.4
Two additional flaws patched in version 2.4.0 target deployments used for AI orchestration, exposing stored credentials for services including OpenAI, Anthropic, Azure OpenAI, and vector databases such as Pinecone and Weaviate.5
For a SecOps tool that stores credentials by design, this pattern of high-severity vulnerabilities is a material operational risk. Any self-hosted instance should be on version 2.4.0 or later.
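As an added example (not n8n project code), the following Python check triages an inventory of self-hosted n8n versions against the two fixed versions stated above: 1.121.0 for CVE-2026-21858 and 2.4.0 for the credential-exposure flaws. The hostnames, version strings and inventory format are constructed; version strings are assumed to follow n8n’s MAJOR.MINOR.PATCH scheme, with an optional pre-release suffix treated as older than the release it precedes.

```python
"""Triage self-hosted n8n versions against the advisory above.

Added example, not n8n project code. The fixed versions (1.121.0 for
CVE-2026-21858, 2.4.0 for the credential-exposure flaws) come from the
text above; hostnames and versions below are constructed.
"""
import re
from dataclasses import dataclass

# Fixed versions stated in the advisory. The trailing 1 marks a full
# release; pre-release builds get 0 so they sort below the fix.
NI8MARE_FIXED = (1, 121, 0, 1)          # CVE-2026-21858: file read / RCE
CREDENTIAL_FLAWS_FIXED = (2, 4, 0, 1)   # two flaws exposing stored credentials

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")


def parse_version(raw: str) -> tuple[int, int, int, int]:
    """Parse '1.121.0', 'v2.4.0' or '2.4.0-rc.1' into a comparable tuple.

    A pre-release suffix ('-rc.1', '-beta') is not yet the fixed release,
    so it is ranked below it (fourth element 0 instead of 1).
    """
    m = _VERSION_RE.match(raw.strip())
    if not m:
        raise ValueError(f"unrecognised n8n version string: {raw!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    is_release = 0 if m.group(4) else 1
    return (major, minor, patch, is_release)


@dataclass(frozen=True)
class Exposure:
    version: str
    ni8mare: bool           # vulnerable to CVE-2026-21858
    credential_flaws: bool  # vulnerable to the flaws fixed in 2.4.0

    @property
    def action(self) -> str:
        if self.ni8mare:
            return "PATCH IMMEDIATELY: unauthenticated file read/RCE exposure"
        if self.credential_flaws:
            return "PATCH: stored AI/vector-DB credentials may be exposed"
        return "OK: at or above 2.4.0"


def assess(raw_version: str) -> Exposure:
    """Evaluate one instance's version against both fixed versions."""
    v = parse_version(raw_version)
    return Exposure(
        version=raw_version,
        ni8mare=v < NI8MARE_FIXED,
        credential_flaws=v < CREDENTIAL_FLAWS_FIXED,
    )


def triage_fleet(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts by required action. `inventory` maps host -> version,
    as you might export it from an asset database."""
    buckets: dict[str, list[str]] = {}
    for host, version in sorted(inventory.items()):
        buckets.setdefault(assess(version).action, []).append(host)
    return buckets


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "soar-prod-01": "1.120.3",
    "soar-prod-02": "1.121.0",
    "soar-dev-01": "2.4.0-rc.1",
    "soar-lab-01": "v2.4.0",
    "soar-lab-02": "2.5.1",
}

if __name__ == "__main__":
    for action, hosts in triage_fleet(SAMPLE_INVENTORY).items():
        print(f"{action}\n  " + ", ".join(hosts))
```

Note that an instance on 1.121.0 is clear of the CVSS 10.0 issue but still lands in the second bucket, which is the point of the "2.4.0 or later" baseline above.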
SOAR use cases with n8n:
Source: n8n6
Pros
- JavaScript and Python are both supported for custom workflow logic, and self-hosted instances can pull in external npm libraries via the Code Node.
- The API integration layer handles cURL imports cleanly, speeding up connections to non-standard internal tools.
- Docker deployment is well documented and scales without significant friction.
- Cloud pricing is workflow-count-based rather than complexity-based, which avoids the cost unpredictability common in competing platforms.
Cons
- n8n is not a SOAR in the traditional sense; it lacks native case management, built-in alert correlation, and entity behavior profiling.
- OAuth configuration for third-party services like Google Workspace is noticeably more involved than comparable SaaS automation tools.
- The cloud version also lacks some capabilities available in self-hosted deployments, including access to npm packages. And as the 2026 CVE cluster makes clear, the self-hosted model places the patching burden squarely on the operator.
StackStorm – st2
Source: StackStorm7
StackStorm automates remediation, incident response, troubleshooting, and deployments. It offers a rule-based automation engine, workflow management, and around 160 integration packs. Enterprises including Cisco, Target, and Netflix have deployed it in production; Netflix used it to host and execute operational runbooks.8
The open-source version includes Slack integration. AWS integration, a workflow designer, professional support, and network automation suites are available only in the enterprise tier.
Third-party infrastructure costs for a self-hosted deployment run roughly $28 per month, covering AWS, PackageCloud, forum hosting, domain certificates, and an OpenVPN license.9
Pros
- Custom workflows: The platform accepts custom scripts within workflows, allowing teams to wrap existing automation without rewriting it.
- Plugin ecosystem: Integration packs cover tools including NetBox, Splunk, and AWS, with additional packs available through the StackStorm Exchange.
Cons
- Kubernetes support: No native Kubernetes support is available.
- Learning curve: Building and managing workflows requires working knowledge of Python and YAML, which adds onboarding time for teams without that background.
- Maintenance cadence: Release frequency has declined in recent years. Teams evaluating it should weigh the breadth of the integration against the operational overhead of a project with slowing community activity.
Shuffle
Source: Architecture10
Shuffle is an open-source SOAR platform built around OpenAPI, giving it access to over 11,000 endpoints across 200+ pre-built app integrations.
Its core automation model covers two patterns common in SOC environments: forwarding SIEM alerts to a case management system and bidirectional ticket synchronization across platforms with per-stakeholder access controls.11
Shuffle’s pricing is based on app-run volume rather than CPU cores. The free Starter tier covers 2,000 app-runs per month and includes all 2,500+ apps. The Scale tier starts at $29 per month for 10,000 app-runs and increases limits to 15 users, 25 workflows, and 3 tenants. Enterprise pricing is custom and includes unlimited users, workflows, tenants, and environments, along with dedicated onboarding, on-call support, and a key management system.12
Limitations
Deployment via Docker is straightforward, and connecting tools such as Wazuh and Jira requires minimal configuration. On the other hand, managing backend procedures within a Docker environment adds complexity; integrations within containerized setups have reported reliability issues; and workflow execution speed is bounded by the host server’s capacity rather than by Shuffle’s own scheduler. Teams running resource-constrained infrastructure should account for this before committing to it at scale.13
TheHive Project – Cortex
Source: GitHub14
Cortex analyzes observables such as IP addresses, domains, and file hashes, individually or in bulk, via a RESTful API and a web interface.
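As an added example (not TheHive Project code), the Python below shows the shape of that bulk workflow: classify raw observables into Cortex data types, fan each one out to the analyzers that accept that type, and submit one job per pair. It models the Cortex REST call `POST /api/analyzer/<analyzerId>/run` with a JSON body of `data`, `dataType` and `tlp` under bearer-token auth; verify that shape against your own Cortex version. The analyzer IDs, observables and the offline stub response are constructed.

```python
"""Classify observables and build bulk Cortex analyzer jobs.

Added example, not TheHive Project code. Models POST /api/analyzer/<id>/run
with a data/dataType/tlp body; analyzer IDs and observables are constructed.
"""
import ipaddress
import json
import re
import urllib.request
from typing import Callable

_HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$"
)


def classify(observable: str) -> str:
    """Return the Cortex dataType ('ip', 'hash', 'url', 'domain') for a string.

    IPs are checked first because a dotted IPv4 address also satisfies the
    domain pattern; hashes contain no dots so they cannot collide with domains.
    """
    value = observable.strip()
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if len(value) in _HASH_LENGTHS and _HEX_RE.match(value):
        return "hash"
    if value.lower().startswith(("http://", "https://")):
        return "url"
    if _DOMAIN_RE.match(value):
        return "domain"
    raise ValueError(f"unsupported observable: {observable!r}")


def build_jobs(observables: list[str], analyzers: dict[str, list[str]],
               tlp: int = 2) -> list[tuple[str, dict]]:
    """Return (path, body) pairs, one Cortex run per observable/analyzer pair.

    `analyzers` maps a dataType to the analyzer IDs that accept it. Observables
    with no matching analyzer are skipped. TLP is passed through so analyzers
    that would send data to external services can refuse (Cortex honours it).
    """
    jobs: list[tuple[str, dict]] = []
    for obs in observables:
        dtype = classify(obs)
        for analyzer_id in analyzers.get(dtype, []):
            jobs.append((f"/api/analyzer/{analyzer_id}/run",
                         {"data": obs, "dataType": dtype, "tlp": tlp}))
    return jobs


def submit(jobs: list[tuple[str, dict]],
           post: Callable[[str, dict], dict]) -> list[str]:
    """Submit each job through `post(path, body) -> response` and collect the
    job IDs Cortex returns in the `id` field."""
    return [post(path, body)["id"] for path, body in jobs]


def http_post(base_url: str, api_key: str) -> Callable[[str, dict], dict]:
    """Poster for a real Cortex instance (bearer-token auth, JSON body)."""
    def post(path: str, body: dict) -> dict:
        req = urllib.request.Request(
            base_url.rstrip("/") + path,
            data=json.dumps(body).encode(),
            headers={"Authorization": f"Bearer {api_key}",
                     "Content-Type": "application/json"},
            method="POST",
        )
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return post


def offline_post(path: str, body: dict) -> dict:
    """Constructed stub mimicking Cortex's response, for running offline."""
    analyzer_id = path.split("/")[3]
    return {"id": f"{analyzer_id}:{body['data']}", "status": "Waiting"}


# Constructed sample data: analyzer IDs and observables are made up.
SAMPLE_ANALYZERS = {
    "ip": ["ExampleIPReputation_1_0"],
    "domain": ["ExampleDomainReputation_1_0", "ExampleWhois_1_0"],
    "hash": ["ExampleHashLookup_1_0"],
}
SAMPLE_OBSERVABLES = [
    "198.51.100.23",
    "evil-example.test",
    "d41d8cd98f00b204e9800998ecf8427e",
    "https://evil-example.test/payload",  # no URL analyzer configured: skipped
]

if __name__ == "__main__":
    for job_id in submit(build_jobs(SAMPLE_OBSERVABLES, SAMPLE_ANALYZERS), offline_post):
        print(job_id)
```

Swap `offline_post` for `http_post("https://cortex.example.internal", api_key)` to run against a live instance; the job IDs returned are what you then poll for reports.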
Cortex remains fully open-source under the AGPL license. TheHive itself, however, moved to a commercial model with version 5. After a 14-day trial, new installations require a valid StrangeBee license; without one, the platform enters read-only mode. A free Community license is available on request.15
Free edition vs paid edition:
Pros
- Observable analysis at scale: Cortex supports bulk analysis of observables via a single interface, eliminating the need to query multiple tools separately.
- MISP integration: Cortex connects to MISP (Malware Information Sharing Platform) to enable threat intelligence sharing across platforms.
Cons
- TheHive licensing shift: TheHive 5 is no longer open source. Teams that relied on self-hosted TheHive 3 or 4 have no maintained upgrade path without accepting commercial terms.16
- Configuration complexity: Initial setup requires coordinating Cortex, Elasticsearch, and TheHive, which adds operational overhead for smaller teams.
- Community support limits: Cortex issues outside of enterprise contracts are handled through community channels, with no guaranteed response times.
Tracecat
Source: 17
Tracecat is an open-source automation platform for security and IT engineers, positioned as a self-hosted alternative to Tines and Splunk SOAR.
Workflows can be built using a no-code drag-and-drop UI or YAML-based configuration-as-code, and the two stay in sync automatically. The workflow engine runs on Temporal, the same durable execution framework used by major cloud infrastructure teams.18
Open-source (self-hosted) features:
Unlimited workflows, case management, built-in lookup tables, 100+ integrations, custom Python/YAML integrations with git sync, SAML SSO, audit logs, and Docker or AWS Fargate deployment.
Professional and Enterprise features:
Includes all open-source features, plus fully managed cloud hosting, Kubernetes deployment via Helm, bring-your-own Temporal cluster, self-hosted LLMs, enterprise AI chatbots in Microsoft Teams, STIG compliance for federal use cases, and 24/7 tiered SLA support. Pricing requires contacting Tracecat directly.19
Pros
- Licensing model: SSO, audit logs, and infrastructure-as-code deployments remain free in the open-source tier, unlike most commercial SOAR platforms that gate these features.
- Dual authoring: No-code and YAML workflows stay synchronized, so analysts and engineers can work on the same workflow without conflict.
- Deployment flexibility: Docker Compose, AWS Fargate via Terraform, and Kubernetes via Helm are all supported.
Cons
- Active development pace: The project is under active development, and the team advises reviewing the changelog before each update, as breaking changes occur between releases.
- Self-hosting requirements: Running a production Tracecat stack with Temporal, PostgreSQL, and optional LLMs requires infrastructure capacity that can be a constraint for smaller teams.
- Relatively new: Tracecat has a smaller community and fewer third-party integrations compared to older platforms like StackStorm or TheHive.
Further reading
- 6 Real-life RBAC Examples
- 10 SOAR Use Cases with Real-World Workflow Examples
- Top 10 Microsegmentation Tools
- Top 15+ Open Source Incident Response