Alert comes in.
Python handles the rest.
Open-source platform for automating alert triage, enrichment, and response — in real Python. No DSL, no sandbox, no per-action billing. Works for security, IT ops, or anything that pages you at 3 AM.
Automation platforms got
the abstraction wrong
SOAR tools, runbook builders, no-code automators — they all invent their own way to define workflows. Visual canvases you can't diff. YAML you can't debug. Proprietary SDKs that lock you in. Per-action pricing that punishes you for automating more.
OpenSOAR uses the abstraction that already exists: Python. Your playbooks are async functions with decorators. Test them, version them, review them in PRs. Apache 2.0, self-hosted, free.
Three steps. Zero vendor meetings.
Alerts flow in
Connect any source — SIEM, EDR, monitoring, custom webhooks. OpenSOAR normalizes payloads, extracts IOCs, and deduplicates automatically.
Playbooks run
Your Python playbooks trigger automatically based on alert conditions. Enrich, triage, escalate, contain — all async, all testable.
@playbook("on_critical_alert")
async def handle(alert):
ctx = await enrich(alert)
if ctx.is_threat:
await contain(alert)
await notify(alert)Humans decide what matters
Automation handles the volume. Your team handles the judgment calls. Every action is logged with full context for audit and review.
Not "code-like."
Actual Python.
Other platforms say "Python support" but mean a sandboxed runtime with vendor imports and no debugger. OpenSOAR playbooks are plain async functions — import anything, run locally, ship like software.
- pytest your playbooks — catch bugs before they hit production, not after
- Deploy with git push — PRs, code review, CI/CD. Standard engineering workflow
- asyncio.gather() — enrich from 10 APIs in parallel, not chained sequentially
- Any pip package — not a marketplace of vendor-approved integrations
from opensoar import playbook, action
@action(name="enrich_ip", timeout=30, retries=2)
async def enrich_ip(ip: str) -> dict:
return await virustotal.lookup_ip(ip)
@playbook(
trigger="webhook",
conditions={"severity": ["high", "critical"]}
)
async def triage_critical(alert):
# Enrich all IPs in parallel
iocs = alert.get("iocs", {})
results = await asyncio.gather(
*[enrich_ip(ip) for ip in iocs.get("ips", [])]
)
# Auto-escalate if confirmed malicious
if any(r.get("malicious") for r in results):
await notify_soc(f"Confirmed: {alert['title']}")Built for engineers, not demo audiences
Every feature links to source code. No black boxes, no hidden limits.
No YAML. No sandbox. No vendor SDK. A playbook is a decorated async function — your IDE, your debugger, your rules.
@playbook("triage_critical")
async def run(alert):
iocs = await extract_iocs(alert)
results = await gather(
lookup_virustotal(iocs),
check_abuseipdb(iocs),
)
if results.malicious:
await escalate_to_slack(alert)Enrich 10 sources in parallel, not one at a time. Built-in timeout, retry, and exponential backoff per action.
Webhooks, Elasticsearch polling, syslog — alerts from any source, normalized on arrival.
Priority queue, MTTR tracking, unassigned alerts, per-partner stats.
Every integration is open source with a standard base class. Build your own in minutes, not weeks.
Ingest, deduplicate, extract IOCs, track determinations — from raw webhook to resolved incident.
If it generates alerts,
OpenSOAR can automate it
Built for security teams. Works for anyone drowning in alerts.
Security Operations
SOC teams, MSSPs, incident response
- • Auto-triage SIEM alerts with threat intel enrichment
- • Contain threats in seconds — isolate hosts, block IPs, disable accounts
- • Phishing response: extract IOCs, quarantine emails, block senders
IT Operations
SRE, infrastructure, on-call
- • Auto-remediate infrastructure alerts — restart services, scale resources
- • Runbook automation that's actually testable and version-controlled
- • Reduce on-call fatigue by auto-resolving known patterns
DevOps & Platform
CI/CD, deployments, cloud ops
- • Auto-rollback failed deployments based on health check alerts
- • Coordinate cross-service incident response with approval gates
- • Cost anomaly detection and automated scaling responses
Compliance & Audit
GRC, evidence collection, reporting
- • Automated evidence collection for SOC 2, GDPR, HIPAA audits
- • Every automation action logged with timestamps and full context
- • Generate incident reports automatically from playbook run history
500+ failed attempts from 45.33.32.156
C2 callback pattern on port 443
Login from 2 countries in 10 minutes
Your model. Your data.
Your confidence thresholds.
AI triage is a playbook action — not a black box. Call it from any playbook, set your own thresholds, and keep humans in the loop for anything below your confidence bar. No data leaves your network if you don't want it to.
- Bring your own LLM — Anthropic, OpenAI, Google, or fully local with Ollama
- Structured assessments — severity, determination, confidence score, reasoning chain
- You control the thresholds — auto-resolve at 90% confidence, escalate at 70%, queue the rest
- Full audit trail — every AI decision logged with inputs, outputs, and reasoning
How OpenSOAR stacks up
Compared to commercial SOAR platforms and open-source alternatives.
| OpenSOAR | Shuffle | Turbine | Splunk SOAR | XSOAR | |
|---|---|---|---|---|---|
| Open Source | |||||
| Python-Native Playbooks | Sandboxed | ||||
| No Per-Action Billing | |||||
| Self-Hosted | |||||
| AI-Ready Architecture | Partial | Partial | Partial | ||
| No Vendor Lock-In | |||||
| Async / Parallel Execution | |||||
| Apache 2.0 License |
One command. No credit card.
Apache 2.0 licensed. Self-host on your infrastructure. No feature gates, no per-action billing, no vendor lock-in. Your playbooks are yours.
curl -fsSL https://opensoar.app/install.sh | sh