SOAR for MSSPs
A SOAR platform for managed security providers — shared playbooks, partner-aware workflows, and no per-client licensing.
The MSSP SOAR challenge
MSSPs face a unique challenge with SOAR platforms. You manage security operations for dozens or hundreds of clients, each with different tools, different alert sources, and different response procedures.
Commercial SOAR platforms charge per-user, per-action, or per-tenant. When you're managing 50 clients, those costs multiply quickly. A $75,000/year SOAR license becomes a $500,000+ line item that eats into margins and gets passed to clients.
OpenSOAR is free. In the public core, the simplest model is one deployment per client. Deeper shared-platform tenant controls belong to the optional enterprise/private extension path, not to the default core bootstrap model. No per-client fees, no per-action caps, no licensing math.
How MSSPs use OpenSOAR
Per-tenant deployment
Deploy a dedicated OpenSOAR instance for each client using Docker or Kubernetes. Each client gets their own database, their own playbooks, and their own API keys. That is the cleanest isolation model in the public core today.
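That isolation only holds if each client's stack really has its own secrets. As an added example (not OpenSOAR's own code), this check scans `clients/<name>/.env` files, the layout used by this section's Compose command, and reports secret values reused across clients; the variable names and sample values are constructed assumptions.

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path

# Assumption: variable names containing these markers hold secrets.
SECRET_MARKERS = ("KEY", "SECRET", "PASSWORD", "TOKEN")

def parse_env(path):
    """Parse KEY=VALUE lines from a .env file, skipping comments and blanks."""
    pairs = {}
    for line in Path(path).read_text().splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        pairs[key.strip()] = value.strip().strip("'\"")
    return pairs

def find_shared_secrets(clients_dir):
    """Return groups of (client, variable) pairs whose secret value is identical."""
    seen = defaultdict(set)  # sha256(value) -> {(client, variable)}
    for env_file in sorted(Path(clients_dir).glob("*/.env")):
        client = env_file.parent.name
        for key, value in parse_env(env_file).items():
            if value and any(m in key.upper() for m in SECRET_MARKERS):
                digest = hashlib.sha256(value.encode()).hexdigest()
                seen[digest].add((client, key))
    groups = [sorted(users) for users in seen.values()
              if len({client for client, _ in users}) > 1]
    return sorted(groups)

def build_sample(root):
    """Write constructed sample files; the variable names are hypothetical."""
    secrets = {"acme": ("acme-key-1", "shared-pw"),
               "globex": ("globex-key-1", "shared-pw"),
               "initech": ("initech-key-1", "initech-pw")}
    for client, (api_key, db_pw) in secrets.items():
        env_dir = Path(root) / "clients" / client
        env_dir.mkdir(parents=True)
        (env_dir / ".env").write_text(
            f"API_KEY={api_key}\nDB_PASSWORD={db_pw}\nLOG_LEVEL=info\n")
    return Path(root) / "clients"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for group in find_shared_secrets(build_sample(tmp)):
            print("secret value reused across clients:", group)
```

Run it against the real `clients/` directory before each rollout; an empty result means no secret value appears in more than one client's file.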
```bash
# Deploy per-tenant with Docker Compose
# Each client gets their own stack
docker compose -f docker-compose.yml \
  -p client-acme \
  --env-file clients/acme/.env \
  up -d
```

Shared playbook library
Build playbooks once, deploy across clients. Your core triage, enrichment, and response playbooks can stay shared while branching on the alert's `partner` field or deployment-specific configuration:
```python
from opensoar import add_current_alert_comment, playbook, update_current_alert


@playbook(trigger="webhook")
async def standard_triage(alert):
    # enrich_alert is not imported above; it is assumed to be a helper
    # defined elsewhere in your shared playbook library.
    enrichment = await enrich_alert(alert)
    # Fall back to "default" when the alert carries no partner field.
    partner = alert.get("partner", "default")
    await update_current_alert(
        status="in_progress",
        determination="suspicious",
        reason=f"Shared triage playbook completed for partner {partner}",
    )
    await add_current_alert_comment(
        f"Partner-aware enrichment complete for {partner}: {enrichment}"
    )
```

White-label ready
OpenSOAR is Apache 2.0 licensed. You can rebrand, customize, and deploy it as part of your managed service offering without attribution requirements. Your clients see your brand, not ours.
Client-specific integrations
Every client has different tools. Client A uses CrowdStrike + Splunk. Client B uses SentinelOne + Elastic. OpenSOAR's integration layer handles this cleanly — configure integrations per deployment, keep the playbook logic largely shared.
MSSP metrics and reporting
OpenSOAR tracks everything your clients want to see:
- Mean time to detect (MTTD) — from alert creation to analyst acknowledgment
- Mean time to respond (MTTR) — from detection to containment
- Alert volume and trends — by source, severity, and type
- Automation rate — percentage of alerts handled without human intervention
- Playbook execution logs — every action taken, with timing and results
Export these metrics to your client-facing dashboards or generate automated monthly reports.
Cost comparison for MSSPs
| Scenario (50 clients) | OpenSOAR | Commercial SOAR |
|---|---|---|
| Software licensing | $0 | $200,000-$500,000/yr |
| Infrastructure | $500-2,000/mo | $500-2,000/mo |
| Per-action fees | $0 | Variable |
| Additional tenants | $0 | $1,000-5,000/tenant/yr |
Getting started as an MSSP
- Deploy a pilot instance for your highest-volume client
- Build your core playbooks — start with alert triage and enrichment
- Prove the ROI — measure MTTR reduction and automation rates
- Roll out to more clients — reuse playbooks, customize configs
- Scale with Kubernetes — auto-scale workers based on alert volume
Build your MSSP's SOAR platform on open source.
One command. No credit card.
Apache 2.0 licensed. Self-host on your infrastructure. No feature gates, no per-action billing, no vendor lock-in. Your playbooks are yours.
curl -fsSL https://opensoar.app/install.sh | sh