Kudos on the effort for sure. Your biggest challenge is having good integrations for literally everything. Second big challenge: companies that will use open source are a rarity.
I can't express how much stuff is my bread and butter. No one wants to write scripts, that's the whole point of a SOAR in the minds of people using this. Really, the support is most of the cost, not the product itself. Just have Splunk create an app or whatever integration. Then your playbooks have to be easy to manage, which I am sure you can figure out.
But then you have to implement case management too, no one wants a separate case management tool. These days, even the SIEM is expected to be just another tab/feature in the SOAR.
I hope you don't expect security teams to self-host either. It's a major PITA.
I like open source, but not having support first and foremost is a huge red flag for me since I have been burned badly by FOSS projects. If you have a fully managed and supported commercial version of the product, that'd be great.
Edit: oh and the "ai" stuff only impresses management types, great if that's your audience but at least in my experience, you better be ready to answer questions around that and expect mild hostility because of how gimmicky it is (just my $0.2)
Thanks for sharing. Agreed on having automation + Jira-like tracking in one place. We've implemented case management[1] and have a Cloud version[2]. We're still early but we ship fast.
We will have a full post on the AI part next week. A few unique ideas to look forward to -- open source LLMs for specialized tasks and multimodal evidence for cases (i.e. multimodal search across images, deepfakes etc.)
Cool. Forget Jira though, think more "TheHive", which is open source (implemented it once myself). There may also be Cortex responders you can copy+adapt. If you won't have good commercial support soon, your audience is people using TheHive. IR case management has needs like evidence collection and reporting (MITRE integration usually). Best of luck. Glad someone is doing this.