Use Case

SOAR for MSSPs

A SOAR platform built for managed security service providers — per-tenant isolation, shared playbooks, and no per-client licensing.

The MSSP SOAR challenge

MSSPs face a unique challenge with SOAR platforms. You manage security operations for dozens or hundreds of clients, each with different tools, different alert sources, and different response procedures.

Commercial SOAR platforms charge per-user, per-action, or per-tenant. When you're managing 50 clients, those costs multiply quickly. A $75,000/year SOAR license becomes a $500,000+ line item that eats into margins and gets passed to clients.

OpenSOAR is free. Deploy one instance per tenant, or run a shared platform with tenant isolation. No per-client fees, no per-action caps, no licensing math.

How MSSPs use OpenSOAR

Per-tenant deployment

Deploy a dedicated OpenSOAR instance for each client using Docker or Kubernetes. Each tenant gets their own database, their own playbooks, and their own API keys. Tenant data stays completely isolated while the underlying infrastructure is shared.

opensoar — multi-tenant deployment
# Deploy per-tenant with Docker Compose
# Each client gets their own stack
docker compose -f docker-compose.yml \
  -p client-acme \
  --env-file clients/acme/.env \
  up -d

Shared playbook library

Build playbooks once, deploy across clients. Your core triage, enrichment, and response playbooks work for every client. Client-specific customizations are just Python configuration:

standard_triage.py
@playbook(trigger="alert.created")
async def standard_triage(alert):
    # Core logic — same for every client
    enrichment = await enrich_alert(alert)
    score = calculate_risk(enrichment)

    # Client-specific thresholds from config
    config = get_tenant_config()
    if score > config.escalation_threshold:
        await escalate(alert, channel=config.slack_channel)
    elif score < config.auto_resolve_threshold:
        await resolve(alert, determination="false_positive")
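
The playbook above trusts whatever thresholds a tenant's config supplies, so one bad value can auto-resolve real alerts for that client. The following is an added example, not OpenSOAR code: a hypothetical TenantConfig using the field names above, a validate() check, and a triage_decision() that fails closed. The 0-100 score scale, the service-wide auto-resolve ceiling of 30, and the sample tenants are assumptions.

```python
from dataclasses import dataclass

# Assumptions: scores run 0-100 and the MSSP caps auto-resolve at 30 for every tenant.
SCORE_MIN, SCORE_MAX = 0, 100
AUTO_RESOLVE_CEILING = 30

@dataclass(frozen=True)
class TenantConfig:
    """Hypothetical per-tenant settings; field names follow standard_triage.py."""
    tenant: str
    escalation_threshold: int
    auto_resolve_threshold: int
    slack_channel: str

def validate(cfg: TenantConfig) -> list[str]:
    """Return the problems found; an empty list means the config is safe to load."""
    problems = []
    for name in ("escalation_threshold", "auto_resolve_threshold"):
        value = getattr(cfg, name)
        if not SCORE_MIN <= value <= SCORE_MAX:
            problems.append(f"{name}={value} outside {SCORE_MIN}-{SCORE_MAX}")
    # A tenant file must not be able to silence more than the service-wide ceiling
    if cfg.auto_resolve_threshold > AUTO_RESOLVE_CEILING:
        problems.append(f"auto_resolve_threshold above ceiling {AUTO_RESOLVE_CEILING}")
    # Inverted or equal thresholds leave no band for analyst review
    if cfg.auto_resolve_threshold >= cfg.escalation_threshold:
        problems.append("auto_resolve_threshold must be below escalation_threshold")
    if not cfg.slack_channel.strip():
        problems.append("slack_channel is empty, escalations would go nowhere")
    return problems

def triage_decision(score: int, cfg: TenantConfig) -> str:
    """Same branch order as standard_triage, with the middle band made explicit."""
    if validate(cfg):
        return "manual_review"  # fail closed: a bad config never auto-resolves
    if score > cfg.escalation_threshold:
        return "escalate"
    if score < cfg.auto_resolve_threshold:
        return "auto_resolve"
    return "manual_review"

# Constructed sample tenants, not real clients
ACME = TenantConfig("acme", 70, 20, "#acme-soc")
BROKEN = TenantConfig("globex", 30, 150, "")
TOO_QUIET = TenantConfig("initech", 95, 90, "#initech-soc")

if __name__ == "__main__":
    for cfg in (ACME, BROKEN, TOO_QUIET):
        print(cfg.tenant, validate(cfg) or "ok", triage_decision(10, cfg))
```

Running validate() when a tenant's config is loaded, rather than only at triage time, surfaces a bad threshold before any alert is scored against it.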

White-label ready

OpenSOAR is Apache 2.0 licensed. You can rebrand, customize, and deploy it as part of your managed service offering without attribution requirements. Your clients see your brand, not ours.

Client-specific integrations

Every client has different tools. Client A uses CrowdStrike + Splunk. Client B uses SentinelOne + Elastic. OpenSOAR's integration layer handles this cleanly — configure integrations per-tenant, use the same playbook logic.

MSSP metrics and reporting

OpenSOAR tracks everything your clients want to see:

  • Mean time to detect (MTTD) — from alert creation to analyst acknowledgment
  • Mean time to respond (MTTR) — from detection to containment
  • Alert volume and trends — by source, severity, and type
  • Automation rate — percentage of alerts handled without human intervention
  • Playbook execution logs — every action taken, with timing and results

Export these metrics to your client-facing dashboards or generate automated monthly reports.

Cost comparison for MSSPs

Scenario (50 clients) | OpenSOAR      | Commercial SOAR
Software licensing    | $0            | $200,000-$500,000/yr
Infrastructure        | $500-2,000/mo | $500-2,000/mo
Per-action fees       | $0            | Variable
Additional tenants    | $0            | $1,000-5,000/tenant/yr

Getting started as an MSSP

  1. Deploy a pilot instance for your highest-volume client
  2. Build your core playbooks — start with alert triage and enrichment
  3. Prove the ROI — measure MTTR reduction and automation rates
  4. Roll out to more clients — reuse playbooks, customize configs
  5. Scale with Kubernetes — auto-scale workers based on alert volume

Build your MSSP's SOAR platform on open source.

One command. No credit card.

Apache 2.0 licensed. Self-host on your infrastructure. No feature gates, no per-action billing, no vendor lock-in. Your playbooks are yours.

$ curl -fsSL https://opensoar.app/install.sh | sh