9 Free Tools to Automate Your Incident Response Process

What Is Incident Response?

  1. Preparation and evaluation
  2. Identification and analysis
  3. Containment and neutralization
  4. Eradication
  5. Recovery and restoration
  6. Retrospective and improvement

1. Wazuh

  • Supports cloud monitoring in AWS and Azure
  • Includes compliance mapping
  • Integrates with Puppet, Ansible, and Chef for automation
  • Requires you to use Elastic Stack
  • Can be complicated to deploy

2. GRR Rapid Response

  • Developed and maintained by Google
  • Scalable and flexible
  • Can be used with remote, distributed devices
  • Requires agents and dedicated server
  • Large deployments require time and development investment

3. Osquery

  • Relatively easy to use and customizable
  • Exposes difficult-to-access endpoint data
  • Recently turned over to The Linux Foundation to ensure continued support
  • Documentation on use and deployment is lacking
  • No commercial support available


  • REST API you can use for automation and data sharing
  • Enables you to create database of both technical and non-technical information
  • Extensible through pre-built or custom-built python modules
  • You must host the platform and store data
  • You start with an empty database so it takes time to gain functionality

5. TheHive

  • Easy to use and intuitive interface
  • Flexible and customizable through templates or playbooks
  • No out-of-the-box integrations for alerting tools like SIEMs
  • Installation and maintenance can be time complicated

6. Zeek

  • Well known and supported
  • Highly extensible and flexible
  • Can detect events by both signature and anomaly analysis
  • Can be complicated to set up and learn
  • Lacks a native GUI

7. The Mozilla Defense Platform (MozDef)

  • Works without agents
  • Scalable and flexible
  • Can integrate cloud-based data sources
  • Created and supported by Mozilla for improved trust
  • Only accepts logs in JSON format
  • Newly released and not yet widely adopted

8. OwlH

  • Can use to monitor stand-alone systems or groups of devices
  • Includes a REST API for managing and configuring probes
  • You can create custom rulesets or import 3rd party rules

9. Apache Metron

  • Integrates with a variety of data sources, including Bro, Snort, and sourcefire
  • Has long development history




Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store