Respond to security alerts completely within one web interface

Orchestrator is a collaborative, super-efficient security incident ticketing tool. In just 1 click, you can execute automated tasks like look up IP in VirusTotal, search Splunk for related alerts, and block hash at firewall.

Currently, we only have tasks to contextualize IOCs, but soon we'll add integrations for SIEMs, endpoint and perimeter products, forensics tools, and internal data sources (like LDAP).

Orchestrator is in private beta. We'll send beta invites out on our mailing list.

See Screenshots Join Mailing List


Drag to left to slide


Designed for efficiency

Keyboard Shortcuts

A few - search incidents with Shift P, switch between tabs with Shift-Up/Down, log out with Ctrl-Shift-L.

Multi-task with tabs

You can keep many incidents open at once. And your open tabs are persisted after closing Orchestrator.

30+ out-of-the-box automated tasks

We integrate with ~10 tools to contextualize IOCs quickly. Soon, we will integrate with SIEMs and endpoint and perimeter tools, too.

Fine grained audit log

See what changes where made to the incident, when (see screenshot above)

Anything you can do in web UI, you can do in REST API

We have a browsable REST API and Swagger-based interactive docs. (But both in alpha.)

Full JSON Export

You can export all of an incident's info to a single JSON file.


Integrated Chat

Chat with teammates in real time

Collaborative Notes

Multiple people can edit an incident's notes at once, like Google Docs

Coming soon: Zoom Calls

Each incident will automatically be assigned an unique Zoom call link

Fun to use

100% cloud based

No on-prem component (eg, an agent) required

Start using it in 30 seconds

No need to enter API keys, install anything, or go through an irritating interactive product tour

Dark theme

No justification needed :)

Why is this needed?


Enterprises today receive hundreds of security alerts per week, most false positives. This:

  • Delays response to actual threats.
  • Increases turnover. The typical SOC analyst stays for only 2 years.

Common IR tasks require analysts to log into multiple consoles and struggle to move basic information from one to another.


Some promise to fully automate alert response using AI/ML, but security teams don't trust full automation. They worry about what damage it will cause rather than what problems it'll fix.

What Competing Tools Get Wrong


Some tools are designed specifically for certain formats (eg, MISP, VERIS, etc).

These formats are great for storing data, but don't always reflect how a human reasons about a threat or incident. Especially in the face of uncertainty.


Some competing tools have great-looking UIs, but creating an incident for example requires filling out a long form with a bunch of fields you don't care about.

In Orchestrator, you create incidents in 1 click - no form filling required.


One sysadmin told us that "graphics absolutely kill the performance of SOAR platforms". Visual editors, designed for Tier I SOC analysts, slow down experienced security staff, and so our web UI is minimal and fast.

Everything that can be done in the web UI can be done through the REST API, so you can write custom tools on top of Orchestrator. If there's enough interest, we'll release an official CLI version. Email us!


What is the status of this product (Sept. 2018)?

Private beta. To join the private beta, join our mailing list and we'll send an email when we accept our next private beta batch.

Who is working on this product?

There are two of us working on this product:

Veeral Patel is a junior studying Computer Science at UC Berkeley.

Jemin Desai is a rising junior studying Electrical Engineering and Computer Science at UC Berkeley. He has dedicated himself to Computer Science education on campus and teaches CS61A, the introductory Computer Science course for all CS/EECS majors.

Is it just tracking or does it automate response?

It automates response.

What's your contact info?

Feel free to reach out anytime, we usually respond within the day

Join Our Mailing List ( Samy Kamkar is on it!)

We'll send all project updates here.