Getting Started

From zero to automated in 60 seconds

Install OpenSOAR, write your first playbook, and deploy it — all in one terminal session.

1. Install

A single command pulls down OpenSOAR and starts all services locally. Piping a remote script straight into sh means trusting opensoar.app and the TLS connection at install time; if that is not acceptable in your environment, download install.sh first, read it, and then run it.

terminal — install
$ curl -fsSL https://opensoar.app/install.sh | sh

Or use Docker:
$ docker compose up -d

2. Write your first playbook

Playbooks are plain Python. This one enriches every new alert with threat intel, then either escalates or closes it automatically. Two things to keep in mind before copying it into production: a clean reputation lookup is not evidence that an alert is benign, and host isolation keyed off a single reputation hit can take a server offline that you never meant to touch, so gate it on an allow-list of hosts or a confidence threshold.

my_first_playbook.py
from opensoar import playbook
# check_ip, notify_slack, isolate_host and resolve are the OpenSOAR actions used
# below; the import path is an assumption, adjust it to your OpenSOAR version.
from opensoar.actions import check_ip, isolate_host, notify_slack, resolve

@playbook(trigger="alert.created")
async def enrich_and_decide(alert):
    # Enrich with threat intelligence: look up the alert's source IP
    reputation = await check_ip(alert.source_ip)

    if reputation.malicious:
        # Escalate: page the channel, then contain the affected host
        await notify_slack(f"Threat detected: {alert.title}")
        await isolate_host(alert.hostname)
    else:
        # A clean lookup alone closes the alert here; a production playbook
        # would normally require more than one signal before auto-closing
        await resolve(alert, determination="benign")
3. Test it

Because playbooks are real code, you can test them with pytest. Mock external actions and assert on outcomes — no staging environment needed.

test_playbook.py
import pytest  # the asyncio marker below needs the pytest-asyncio plugin installed
from my_first_playbook import enrich_and_decide
from opensoar.testing import MockAlert, mock_action

@pytest.mark.asyncio
async def test_malicious_ip_triggers_isolation():
    alert = MockAlert(source_ip="45.33.32.156")

    # Stub the threat-intel lookup so the test never touches the network
    with mock_action("check_ip", returns={"malicious": True}):
        await enrich_and_decide(alert)

    assert "isolate_host" in alert.actions_taken

@pytest.mark.asyncio
async def test_clean_ip_is_not_isolated():
    # The negative path matters just as much: a clean verdict must never contain a host
    alert = MockAlert(source_ip="45.33.32.156")

    with mock_action("check_ip", returns={"malicious": False}):
        await enrich_and_decide(alert)

    assert "isolate_host" not in alert.actions_taken
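The playbook above makes its isolate-or-close decision inline, which is why the pytest mocks are needed at all. The example below is added here and is not OpenSOAR code or code from this page: it pulls that decision into a pure function with no I/O, so the edge cases the two-line if/else ignores (an internal source address, a failed or stale threat-intel lookup, a low-confidence hit, a server that must never be auto-isolated) can be tested with plain asserts and nothing mocked. The Alert, Reputation and Plan dataclasses, the allow-list prefixes, the thresholds, the reference time and the sample alerts are all constructed for the example (the sample alerts reuse the page's 45.33.32.156); the shape of Reputation is an assumption about what check_ip returns. The action names in each Plan are the ones the page's playbook already uses, so the real playbook would build a Reputation from the check_ip result, call plan_response, and then run notify_slack, isolate_host or resolve for each entry in plan.actions.

```python
# plan_response.py: pure decision logic for enrich_and_decide (added example,
# not OpenSOAR code). No I/O here, so it is testable without mocks.
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Alert:                      # constructed stand-in for the alert OpenSOAR passes in
    title: str
    source_ip: str
    hostname: str


@dataclass(frozen=True)
class Reputation:                 # constructed; assumed shape of a check_ip result
    malicious: bool
    confidence: int               # 0-100, as most threat-intel feeds report it
    last_seen: datetime           # when the feed last observed the indicator


@dataclass
class Plan:
    determination: str            # "malicious", "benign" or "needs_review"
    reason: str
    actions: list[str] = field(default_factory=list)   # action names for the playbook to run


# Policy knobs (constructed values): only hosts matching these prefixes may be
# auto-isolated; weaker or older intel is escalated to a human instead.
ISOLATION_PREFIXES = ("workstation-", "laptop-")
MIN_CONFIDENCE = 70
MAX_INTEL_AGE = timedelta(days=30)


def plan_response(alert: Alert, reputation: Optional[Reputation], now: datetime) -> Plan:
    """Decide what the playbook should do. `reputation` is None when the lookup failed."""
    # 1. Internal addresses: feeds know nothing about RFC 1918 space, and a
    #    "clean" answer for 10.0.0.5 would wrongly auto-close the alert.
    try:
        ip = ipaddress.ip_address(alert.source_ip)
    except ValueError:
        return Plan("needs_review", "unparseable source address", ["notify_slack"])
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return Plan("needs_review", "internal source address", ["notify_slack"])

    # 2. Enrichment unavailable (timeout, quota, outage): never auto-close blind.
    if reputation is None:
        return Plan("needs_review", "threat-intel lookup failed", ["notify_slack"])

    stale = now - reputation.last_seen > MAX_INTEL_AGE
    confident = reputation.confidence >= MIN_CONFIDENCE

    # 3. Strong, fresh malicious hit: notify, and isolate only allow-listed hosts.
    if reputation.malicious and confident and not stale:
        plan = Plan("malicious", "high-confidence malicious source", ["notify_slack"])
        if alert.hostname.startswith(ISOLATION_PREFIXES):
            plan.actions.append("isolate_host")
        else:
            plan.reason += "; host not in auto-isolation allow-list"
        return plan

    # 4. Weak or stale malicious hit: escalate, do not contain automatically.
    if reputation.malicious:
        return Plan("needs_review", "low-confidence or stale malicious hit", ["notify_slack"])

    # 5. Clean verdict: auto-close only when the feed is confident about it.
    if confident:
        return Plan("benign", "confident clean reputation", ["resolve"])
    return Plan("needs_review", "clean but low-confidence reputation", ["notify_slack"])


# Constructed sample data covering each branch.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
FRESH_HIT = Reputation(True, 95, NOW - timedelta(days=2))
STALE_HIT = Reputation(True, 95, NOW - timedelta(days=120))
CLEAN = Reputation(False, 90, NOW - timedelta(days=1))


def run_scenarios() -> dict[str, Plan]:
    """Run the decision over constructed alerts and return the plan per scenario."""
    return {
        "workstation_hit": plan_response(Alert("Beacon", "45.33.32.156", "workstation-042"), FRESH_HIT, NOW),
        "server_hit":      plan_response(Alert("Beacon", "45.33.32.156", "dc01"), FRESH_HIT, NOW),
        "stale_hit":       plan_response(Alert("Beacon", "45.33.32.156", "workstation-042"), STALE_HIT, NOW),
        "internal_source": plan_response(Alert("Scan", "10.0.0.5", "workstation-042"), CLEAN, NOW),
        "lookup_failed":   plan_response(Alert("Beacon", "45.33.32.156", "workstation-042"), None, NOW),
        "clean":           plan_response(Alert("Login", "1.1.1.1", "laptop-17"), CLEAN, NOW),
    }


if __name__ == "__main__":
    for name, plan in run_scenarios().items():
        print(f"{name:16} {plan.determination:13} {plan.actions}  ({plan.reason})")
```

Keeping the side effects out of plan_response is what makes the negative cases cheap to cover: the domain controller in "server_hit" gets a Slack notification but no isolation, and every degraded-enrichment case ends in needs_review rather than an automatic close. The pytest mocks from the page then only need to cover the thin layer that executes plan.actions.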
4. Deploy

Push your playbook to Git. OpenSOAR picks it up and starts watching for matching alerts. Keep in mind that anything merged into that repository runs with the playbook runtime's privileges, including the ability to isolate hosts, so protect the branch OpenSOAR deploys from (required review at minimum) and treat it as production code.

terminal — deploy
$

One command. No credit card.

Apache 2.0 licensed. Self-host on your infrastructure. No feature gates, no per-action billing, no vendor lock-in. Your playbooks are yours.

$ curl -fsSL https://opensoar.app/install.sh | sh