Shuffle SOAR Platform
Open source platform for orchestration and automation of security operations
What is Shuffle?
Shuffle is an open source SOAR (Security Orchestration, Automation and Response) platform designed to automate and orchestrate cybersecurity workflows. It lets SOC teams build automated playbooks without requiring advanced programming skills.
Thanks to its visual drag-and-drop interface, Shuffle simplifies the creation of complex workflows integrating dozens of security tools. The platform excels in automatic IOC enrichment, incident response and malware analysis.
Key Points
- 100% Open Source - Accessible code, active community, no hidden costs
- 300+ Integrations - Compatible with all major CTI tools
- No-Code - Intuitive visual interface, accessible to all
- Scalable - Distributed architecture for large infrastructures
Key Features
Discover the advanced capabilities that make Shuffle the reference in SOAR automation
SOAR Orchestration
Create complex automation workflows without programming, using an intuitive drag-and-drop interface
- Visual workflow builder
- Drag & drop interface
- Conditional logic
- Loop & iteration support
Native Integrations
Over 300 out-of-the-box integrations with major cybersecurity tools
- VirusTotal, MISP, TheHive
- Cortex, Splunk, ELK
- Slack, Teams, Email
- Custom REST APIs
Open Source
100% open source, free and self-hosted solution with active community
- MIT License
- Self-hosted
- Active community
- Regular updates
Scalability
Distributed architecture capable of handling thousands of parallel executions
- Distributed execution
- Load balancing
- Queue management
- High availability
Real-time Analysis
Live monitoring of workflows with detailed logs and performance metrics
- Real-time execution
- Detailed logs
- Performance metrics
- Error tracking
Advanced Security
Secure credential management, RBAC and a complete audit trail of actions
- Encrypted secrets
- RBAC support
- Audit logging
- API authentication
Installation and Configuration
Deploy Shuffle in minutes with Docker
System Requirements
Quick Installation with Docker
Clone the repository
git clone https://github.com/Shuffle/Shuffle
cd Shuffle
Configure environment
# Copy environment file
cp .env.example .env
# Generate a secret key
export SHUFFLE_APP_HOTLOAD_SECRET=$(openssl rand -hex 32)
Launch Shuffle
docker-compose up -d
# Check logs
docker-compose logs -f
Access the interface
Recommended Configuration
- Change the default password immediately
- Configure HTTPS with a reverse proxy (Nginx, Traefik)
- Enable data persistence with Docker volumes
- Configure regular database backups
CTI Use Cases
Practical automation examples for your Cyber Threat Intelligence operations
IOC Enrichment
Automate the enrichment of indicators of compromise
- Automatic reception of alerts (SIEM, EDR)
- IOC extraction (IPs, hashes, domains)
- Multi-source enrichment (VT, MISP, AbuseIPDB)
- Correlation with threat intelligence
- Automatic scoring and prioritization
- Creation of an enriched TheHive ticket
- Team notification with complete context
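As an added example (not Shuffle's code, and not the real shuffle_tools app), the following Python implements the logic behind these steps: indicator extraction and typing, merging of per-source results, weighted scoring and prioritization. It uses the same step names as the workflow JSON further down this page (parse_ioc, merge_reports, calculate_score) and its score > 75 branch rule. The scoring weights, the KNOWN_BAD address and the FAKE_LOOKUPS fixtures are constructed for the example, not real VirusTotal, MISP or AbuseIPDB responses.

```python
"""Added example (not Shuffle's code and not the real shuffle_tools app): the
enrichment steps above as plain Python, using the step names of the workflow
JSON on this page (parse_ioc, merge_reports, calculate_score) and its score > 75
branch rule.  Scoring weights and the FAKE_LOOKUPS fixtures are constructed."""
import ipaddress
import re
from typing import Callable, Dict, List, Optional

HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
HEX_RE = re.compile(r"^[0-9a-f]+$")
HIGH_SEVERITY_THRESHOLD = 75  # the cut-off used by the workflow's branches


def parse_ioc(body: dict) -> dict:
    """Type the indicator carried in the webhook body as ip, hash or domain.
    Defanged forms (203[.]0[.]113[.]9, hxxp://) are normalised first."""
    raw = str(body.get("ioc", "")).strip()
    value = raw.replace("[.]", ".").replace("(.)", ".")
    value = re.sub(r"^hxxps?://", "", value, flags=re.I).rstrip("/").lower()
    try:
        return {"ioc_value": str(ipaddress.ip_address(value)), "ioc_type": "ip"}
    except ValueError:
        pass
    if len(value) in HASH_LENGTHS and HEX_RE.match(value):
        return {"ioc_value": value, "ioc_type": "hash", "hash_algo": HASH_LENGTHS[len(value)]}
    if DOMAIN_RE.match(value):
        return {"ioc_value": value, "ioc_type": "domain"}
    raise ValueError(f"unrecognised indicator: {raw!r}")


def merge_reports(vt: Optional[dict], misp: Optional[list], abuse: Optional[dict]) -> dict:
    """Fold per-source results into one record. None means the source was
    skipped (the AbuseIPDB action only runs when ioc_type is ip)."""
    sources: Dict[str, object] = {}
    artifacts: List[str] = []
    if vt is not None:
        sources["virustotal"] = vt
    if misp is not None:
        sources["misp"] = misp
        artifacts += [f"misp:event/{a['event_id']}" for a in misp]
    if abuse is not None:
        sources["abuseipdb"] = abuse
    summary = "sources consulted: " + ", ".join(sorted(sources))
    return {"sources": sources, "artifacts": artifacts, "summary": summary}


def calculate_score(merged: dict) -> dict:
    """Weighted 0-100 score: VT detection ratio (up to 60), any MISP sighting
    (30), AbuseIPDB confidence (up to 20). Weights are illustrative only."""
    src = merged["sources"]
    score = 0.0
    vt = src.get("virustotal")
    if vt and vt.get("total"):
        score += 60 * vt["malicious"] / vt["total"]
    if src.get("misp"):          # an empty list means no sighting
        score += 30
    abuse = src.get("abuseipdb")
    if abuse:
        score += 20 * abuse.get("abuseConfidenceScore", 0) / 100
    score = min(100, int(round(score)))
    severity = "high" if score > HIGH_SEVERITY_THRESHOLD else "medium" if score >= 40 else "low"
    return {"score": score, "severity": severity}


def select_branch(score: int) -> str:
    """Same two conditions as the workflow's branches section."""
    return "High Severity Branch" if score > HIGH_SEVERITY_THRESHOLD else "Low Severity Branch"


def run_enrichment(body: dict, lookups: Dict[str, Callable]) -> dict:
    """Run the whole chain; `lookups` stands in for the three app actions."""
    ioc = parse_ioc(body)
    vt = lookups["virustotal"](ioc["ioc_value"])
    misp = lookups["misp"](ioc["ioc_value"], ioc["ioc_type"])
    # The AbuseIPDB action carries a condition in the workflow: IPs only.
    abuse = lookups["abuseipdb"](ioc["ioc_value"]) if ioc["ioc_type"] == "ip" else None
    merged = merge_reports(vt, misp, abuse)
    scored = calculate_score(merged)
    return {**ioc, **scored, "summary": merged["summary"],
            "artifacts": merged["artifacts"], "branch": select_branch(scored["score"])}


# Constructed fixtures in place of live VirusTotal / MISP / AbuseIPDB responses.
KNOWN_BAD = "203.0.113.9"   # documentation-range address, constructed for the example
FAKE_LOOKUPS = {
    "virustotal": lambda v: {"malicious": 45 if v == KNOWN_BAD else 0, "total": 70},
    "misp": lambda v, t: [{"event_id": 1042, "tags": ["tlp:amber"]}] if v == KNOWN_BAD else [],
    "abuseipdb": lambda v: {"abuseConfidenceScore": 100 if v == KNOWN_BAD else 0},
}

if __name__ == "__main__":
    print(run_enrichment({"ioc": "203[.]0[.]113[.]9"}, FAKE_LOOKUPS))
    print(run_enrichment({"ioc": "0123456789abcdef0123456789abcdef"}, FAKE_LOOKUPS))
```

Run directly, it shows an IP run in which all three sources are consulted and lands in the high-severity branch, and a hash run in which the AbuseIPDB step is skipped, exactly as the conditions block on that action specifies. In a real app the three lambdas would be the actual API calls; the merge step keeps the per-source results intact so the analyst can see which source drove the score rather than only the number.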
Incident Response
Orchestrate the automated response to security incidents
- Critical incident detection
- Automatic case creation
- Artifact and log collection
- Automatic isolation if necessary
- Preliminary forensic analysis
- Escalation notification by severity
- Complete timeline documentation
Malware Analysis
Complete pipeline for suspicious file analysis
- Suspicious file upload (email, API)
- Hash calculation and VirusTotal lookup
- Detonation in a sandbox (Cuckoo, Any.run)
- IOC and behavior extraction
- YARA signature generation
- IOC sharing to MISP
- Detailed analysis report
Available Integrations
Over 300 natively integrated applications
Threat Intelligence
Case Management
Communication
Analysis & Sandbox
Workflow JSON Example
Structure of an IOC enrichment workflow
{
  "name": "IOC Enrichment Workflow",
  "description": "Automated IOC enrichment with multi-source intelligence",
  "start": "webhook",
  "triggers": [
    {
      "name": "Webhook Trigger",
      "app": "webhook",
      "function": "webhook_trigger",
      "parameters": {
        "url": "/api/v1/hooks/ioc-enrichment"
      }
    }
  ],
  "actions": [
    {
      "name": "Parse IOC",
      "app": "shuffle_tools",
      "function": "parse_ioc",
      "input": "$exec.webhook_trigger.body"
    },
    {
      "name": "VirusTotal Lookup",
      "app": "virustotal",
      "function": "get_report",
      "input": "$exec.parse_ioc.ioc_value",
      "authentication": "virustotal_api_key"
    },
    {
      "name": "MISP Search",
      "app": "misp",
      "function": "search_attributes",
      "input": {
        "value": "$exec.parse_ioc.ioc_value",
        "type": "$exec.parse_ioc.ioc_type"
      }
    },
    {
      "name": "AbuseIPDB Check",
      "app": "abuseipdb",
      "function": "check_ip",
      "input": "$exec.parse_ioc.ioc_value",
      "conditions": [
        {
          "field": "$exec.parse_ioc.ioc_type",
          "operator": "equals",
          "value": "ip"
        }
      ]
    },
    {
      "name": "Aggregate Results",
      "app": "shuffle_tools",
      "function": "merge_reports",
      "input": [
        "$exec.virustotal_lookup.result",
        "$exec.misp_search.attributes",
        "$exec.abuseipdb_check.data"
      ]
    },
    {
      "name": "Calculate Threat Score",
      "app": "shuffle_tools",
      "function": "calculate_score",
      "input": "$exec.aggregate_results.merged_data"
    },
    {
      "name": "Create TheHive Alert",
      "app": "thehive",
      "function": "create_alert",
      "input": {
        "title": "IOC Enrichment: $exec.parse_ioc.ioc_value",
        "description": "$exec.aggregate_results.summary",
        "severity": "$exec.calculate_score.severity",
        "tags": ["shuffle", "automated", "ioc-enrichment"],
        "artifacts": "$exec.aggregate_results.artifacts"
      }
    },
    {
      "name": "Notify Team",
      "app": "slack",
      "function": "send_message",
      "input": {
        "channel": "#threat-intel",
        "text": "🚨 New IOC Alert",
        "blocks": [
          {
            "type": "section",
            "text": {
              "type": "mrkdwn",
              "text": "*IOC:* `$exec.parse_ioc.ioc_value`\n*Score:* $exec.calculate_score.score/100"
            }
          }
        ]
      }
    }
  ],
  "branches": [
    {
      "name": "High Severity Branch",
      "condition": "$exec.calculate_score.score > 75",
      "actions": ["create_thehive_alert", "notify_team"]
    },
    {
      "name": "Low Severity Branch",
      "condition": "$exec.calculate_score.score <= 75",
      "actions": ["log_to_database"]
    }
  ]
}
Best Practices
Recommendations to optimize your Shuffle workflows
Do
- Test in development: Validate your workflows in a test environment before production
- Version your workflows: Export and version them with Git to track changes
- Document actions: Add a clear description for each workflow step
- Robust error handling: Implement fallbacks and retries for each critical action
- Monitor performance: Track execution metrics and response times
- Secure credentials: Use the built-in secrets manager, never hardcode
Don't
- Monolithic workflows: Avoid overly complex workflows; favor modularity
- Hardcoded credentials: Never store API keys directly in workflows
- Missing timeouts: Always set timeouts so a stalled call cannot block the workflow
- Insufficient logging: Without detailed logs, debugging becomes impossible
- Untested deployment: Never deploy directly to production without testing
- Ignoring API limits: Respect rate limits to avoid being blocked by the provider
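The following Python, added here as an illustration and not taken from Shuffle, shows what robust error handling, timeouts and respect for API limits look like in one call wrapper around an enrichment lookup: every call carries a deadline, rate limiting is honoured through the provider's Retry-After hint, transient failures are retried with exponential backoff, and a fallback result is used once attempts are exhausted. CallPolicy, the RateLimited and Timeout exceptions and FlakyClient are all hypothetical; a real app would raise the exceptions from its HTTP client.

```python
"""Added example (not Shuffle's code): a call wrapper that applies a timeout,
retries with exponential backoff, honours rate-limit Retry-After hints and
falls back when attempts are exhausted.  All classes here are hypothetical."""
import time
from dataclasses import dataclass
from typing import Callable, List, Optional


class RateLimited(Exception):
    """Raised by the client on an HTTP 429; carries the server's Retry-After."""
    def __init__(self, retry_after: float):
        super().__init__(f"rate limited, retry after {retry_after}s")
        self.retry_after = retry_after


class Timeout(Exception):
    """Raised by the client when the per-call deadline expires."""


@dataclass
class CallPolicy:
    timeout: float = 10.0          # every action gets a deadline
    max_attempts: int = 4
    base_backoff: float = 0.5      # doubled after each failed attempt
    sleep: Callable[[float], None] = time.sleep  # injectable so tests do not wait


def call_with_policy(fn: Callable[..., dict], policy: CallPolicy,
                     fallback: Optional[Callable[[], dict]] = None,
                     log: Optional[List[str]] = None) -> Optional[dict]:
    """Call fn(timeout=...) under the policy; return its result, else fallback()."""
    log = log if log is not None else []
    delay = policy.base_backoff
    for attempt in range(1, policy.max_attempts + 1):
        try:
            return fn(timeout=policy.timeout)
        except RateLimited as exc:
            # Never retry sooner than the provider asked; that is how keys get blocked.
            wait = max(exc.retry_after, delay)
            log.append(f"attempt {attempt}: rate limited, waiting {wait}s")
        except Timeout:
            wait = delay
            log.append(f"attempt {attempt}: timeout after {policy.timeout}s")
        if attempt == policy.max_attempts:
            break
        policy.sleep(wait)
        delay *= 2
    log.append("attempts exhausted, using fallback")
    return fallback() if fallback else None


class FlakyClient:
    """Constructed stand-in for an enrichment API client: 429 on the first
    call, timeout on the second, a normal report from the third onwards."""
    def __init__(self):
        self.calls = 0

    def get_report(self, timeout: float) -> dict:
        self.calls += 1
        if self.calls == 1:
            raise RateLimited(retry_after=2.0)
        if self.calls == 2:
            raise Timeout()
        return {"malicious": 3, "total": 70}


def degraded_report() -> dict:
    """Fallback: mark the result so downstream scoring treats it as unknown."""
    return {"malicious": None, "degraded": True}


def demo_recovers():
    """Two failures then success; returns (result, recorded waits, call count)."""
    waits: List[float] = []
    policy = CallPolicy(timeout=5.0, max_attempts=4, base_backoff=0.5, sleep=waits.append)
    client = FlakyClient()
    result = call_with_policy(client.get_report, policy, fallback=degraded_report)
    return result, waits, client.calls


def demo_exhausted():
    """Provider keeps answering 429; after max_attempts the fallback is used."""
    waits: List[float] = []
    policy = CallPolicy(timeout=5.0, max_attempts=3, base_backoff=0.5, sleep=waits.append)

    def always_limited(timeout: float) -> dict:
        raise RateLimited(retry_after=1.0)

    result = call_with_policy(always_limited, policy, fallback=degraded_report)
    return result, waits


if __name__ == "__main__":
    print(demo_recovers())
    print(demo_exhausted())
```

The two demos show the two outcomes that matter operationally: a call that recovers after honouring the provider's wait, and a call that gives up cleanly with a clearly marked degraded result instead of hanging the workflow or hammering the API. In production, add jitter to the backoff so many parallel executions do not retry in lockstep, and make the log entries part of the execution log so the failure is visible afterwards.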
Resources and Documentation
Useful links to deepen your knowledge
Official Documentation
Complete guide, tutorials and workflow examples on shuffler.io
GitHub Repository
Source code, issues, contributions and community workflows
Discord Community
Join the community to ask questions and share your workflows
API Documentation
Complete documentation of the REST API for custom integrations
Ready to automate your workflows?
Explore our CTI use cases and apply your knowledge with practical exercises