🧠 Threat intelligence
Cortex
Observable analyser engine that powers TheHive's enrichments.
Why use it
Cortex runs hundreds of community analysers — VirusTotal, AbuseIPDB, urlscan.io, MISP lookups, MaxMind, Shodan and more — against any observable, returning structured results to TheHive. One-click enrichment for analysts.
What you get
- 200+ analysers covering hashes, IPs, URLs, domains, files
- Active responders for triage actions
- Job history per observable
- API for any tool to request enrichment
System requirements
| Requirement | Minimum |
|---|---|
| CPU | 2 cores |
| RAM | 2 GB |
| Disk | 10 GB |
| OS | Linux |
| Docker | Yes |
Installation
Included in TheHive's Docker Compose stack by default. For a standalone install, run `docker run -d --name cortex thehiveproject/cortex`. Analysers are enabled in the UI per organisation; some require API keys for the upstream service (free tiers are usually enough).
Suggested configuration
Enable VirusTotal Public, AbuseIPDB free, urlscan.io public, MISP, and MaxMind GeoIP first — these cover most analyst questions for free. Add commercial keys (Shodan, GreyNoise) if you have them.
Integration ideas
- TheHive (primary consumer)
- MISP via dedicated analyser
- Custom scripts via the Cortex REST API
Alternatives
- IntelOwl — Standalone enrichment platform, similar concept.
Cyentrix verdict
Practically mandatory if you run TheHive. Don't install one without the other.