Introduction
Shuffle is an open-source security orchestration, automation, and response (SOAR) platform designed to help security teams automate repetitive tasks and streamline incident response. It provides a visual workflow builder that connects security tools, APIs, and data sources into automated playbooks without requiring extensive coding.
What Shuffle Does
- Connects security tools through a visual drag-and-drop workflow builder
- Automates incident response playbooks such as alert triage, enrichment, and containment
- Integrates with SIEM, EDR, ticketing, and threat intelligence platforms via a library of pre-built apps
- Supports custom app creation using OpenAPI specifications or Python scripts
- Provides multi-tenant capabilities for managed security service providers
Architecture Overview
Shuffle runs as a set of Docker containers including a Go-based backend, a React frontend, an OpenSearch database for storage, and Orborus as the workflow execution engine. Each workflow step runs as an isolated Docker container, providing sandboxed execution of third-party integrations. The app framework uses OpenAPI specifications to auto-generate integration connectors, and custom Python apps can be built and shared through the Shuffle app store.
Self-Hosting & Configuration
- Deploy with Docker Compose using the official repository for a single-server setup
- Configure environment variables for admin credentials, database settings, and TLS
- Install pre-built apps from the Shuffle app store or create custom integrations
- Set up webhooks and schedules to trigger workflows from external alerts or on a timer
- Scale horizontally by running additional Orborus workers for workflow execution
Key Features
- Visual workflow builder with conditional logic, loops, and parallel execution paths
- Over 1000 pre-built app integrations for security tools and cloud services
- OpenAPI-based app framework for rapid integration development
- Workflow sharing and collaboration through a public app and workflow library
- Role-based access control and audit logging for compliance
Comparison with Similar Tools
- Tines — commercial SOAR with a polished UI; Shuffle is fully open source and self-hosted
- Splunk SOAR (Phantom) — enterprise platform with Splunk lock-in; Shuffle is vendor-neutral
- n8n — general workflow automation; Shuffle is purpose-built for security operations
- TheHive — case management platform; Shuffle provides the automation layer and integrates with TheHive
- StackStorm — event-driven automation for DevOps; Shuffle targets security teams with a visual builder
FAQ
Q: Does Shuffle require coding knowledge to build workflows? A: Basic workflows can be built entirely through the visual editor. Advanced use cases may involve writing Python for custom app integrations or data transformations.
Q: Can Shuffle handle high-volume alert processing? A: Yes, Shuffle supports parallel workflow execution and can scale with additional worker containers to handle thousands of alerts per hour.
Q: What databases does Shuffle use? A: Shuffle uses OpenSearch for workflow data, execution logs, and app configurations. No additional database setup is required.
Q: Is Shuffle suitable for small security teams? A: Yes, Shuffle is designed to be accessible for teams of any size. Small teams benefit from automating repetitive tasks like alert enrichment and ticket creation.