Respond to security alerts completely within one web interface

Orchestrator lets you script common incident response tasks, like "shut down machine" or "disable account", combine them into workflows like "contain ransomware", and run them on your security alerts.

Orchestrator has no learning curve. You write tasks in Powershell and Bash to run on endpoints, in any language to run from the Orchestrator server, and workflows in YAML. It can integrate with any product with a REST API.

Orchestrator is under development. It will be a (paid) commercial product, free to individuals. Join Mailing List.

See Screenshots Join Mailing List


Drag to left to slide


Orchestrator runs scripts on endpoints using Powershell Remoting (for Windows) and SSH (for Linux).

Supports Windows, Linux, Mac

Orchestrator is compatible with any machine that can run Powershell or Bash scripts.

Customize tasks based on environment

All tasks' code, whether out-of-the-box or custom, is open and editable through the web UI.

Setup within an hour

Orchestrator requires only 3 PCs: web server, Linux worker, and Windows worker. We give you Dockerfiles for each, and can also deploy for you in AWS EC2.


Orchestrator is currently free, with no limits - we appreciate you trying us out!

Out-of-the-box tasks & workflows

We have a soon-to-be-public GitHub repo with dozens of common tasks for Linux and Windows.

Security Orchestration is a Must


Enterprises today receive hundreds of security alerts per week, most false positives. This:

  • Delays response to actual threats.
  • Increases turnover. The typical SOC analyst stays for only 2 years.

Common IR tasks, like shutting down an infected endpoint, require analysts to log into multiple consoles and struggle to move basic information from one to another.

We've read about SOC analysts who spent 40% of the time investigating an alert getting the infected PC's IP address.


Some promise to fully automate alert response using AI/ML, but security teams don't trust full automation. They worry about what damage it will cause rather than what problems it'll fix.

Instead, we should enable security teams to build and run tasks and workflows to quickly remediate alerts (called security orchestration ).

Current SOAR Products Aren't Flexible


Other SOAR products force you to write tasks in a specific language using REST APIs. But you should not have to write 20 Python LOC to take a remote screenshot - you should just be able to write scrot .

Also, importing your custom scripts into SOAR products often requires you to rewrite the scripts using the product's APIs. Orchestrator lets you just run any custom script (in any language) from the server.


Other SOAR products make you use visual workflow editors, then auto-generate code from your visual workflow. This code is hardly reusable and difficult to read or extend. If you switch SOAR vendors, all your workflows are now obsolete.


One sysadmin told us that "graphics absolutely kill the performance of SOAR platforms". Visual editors, designed for Tier I SOC analysts, slow down experienced security staff, and so our web UI is minimal and fast.

Everything that can be done in the web UI can be done through the REST API, so you can write custom tools on top of Orchestrator. If there's enough interest, we'll release an official CLI version. Email us!

What Orchestrator Is Not


Orchestrator automates response, not just tracks it.


Currently, Orchestrator integrates technology and processes, but not people. Orchestrator knows nothing about the structure of your organization. But it's a feature we can add in the future if there's interest!


Orchestrator is designed for the routine, 97% of alerts. If you need to investigate an advanced persistent threat, this is not the tool for you.

Write tasks to run on endpoint in Powershell & Bash

Write tasks to run from Orchestrator server in any language

Write workflows in YAML

Write Integrations in Python

An integration requires at least 2 files:

  • 1 or more Python files defining tasks
  • 1 YAML file defining metadata and exporting tasks

Anything you can do in web interface, you can do in REST API

# don't worry; this will be authenticated

curl https://localhost:8080/shutdown_pc?ip=

{ "result": "success", "output": "Shut down PC-003 ( at 03/25/18 23:22:12" }


What is the status of this product (March 2018)?

We will release this project in the next few months. We have been working on it part time for a few months. Web UI is done, working on task/workflow engine and out-of-the-box tasks/workflows.

Orchestrator is meant to be a paid, commercial product. However, it will be free for individuals. As we said before, it will be free for all initially as we work to fix bugs. We know this puts corporate teams in an uncomfortable spot; we apologize.

Join the mailing list below! If you have feature requests or questions, email us any time at . We usually respond within the day!

Who is working on this product?

There are two of us working on this product:

Veeral Patel is a rising junior studying Computer Science at UC Berkeley. He is heavily involved in our cybersecurity club (, teaches a cybersecurity speaker series (, and is interning at Yelp in Summer 2018!

Jemin Desai is a rising junior studying Electrical Engineering and Computer Science at UC Berkeley. He has dedicated himself to Computer Science education on campus and teaches CS61A, the introductory Computer Science course for all CS/EECS majors.

How does Orchestrator work?

Our tech stack is: Postgres, Django, Django Rest Framework, React.

We use Powershell Remoting to run Powershell scripts remotely. Our documentation will teach how to set up. We use ssh to run Linux scripts remotely. To run a task from the Orchestrator server, we just run the script with the correct program (python, perl, bash, etc). To run a workflow, we parse each task in the YAML file individually.

Is it just tracking or does it automate response?

It automates response.

What are its data sources?
  • SIEMs: Will build integrations with popular SIEMs
  • Email
  • Manually through web UI
  • Authenticated POST call
How does it determine severity?

Orchestrator doesn't determine severity. It uses the severity from your SIEM, or the severity you specify (email/manual alerts).

What does deployment look like?

Orchestrator requires 2 machines minimum:

  • 1 Linux Machine. Runs:
    • 1 Docker container for Web UI
    • 1 Docker container for running tasks on Linux endpoints
    • 1 Docker container for running tasks on server
  • 1 Windows Machine. Runs:
    • 1 Docker container for running tasks on Windows endpoints

We'll provide all 4 Dockerfiles in a public GitHub repo. Each Docker container just runs a binary. We can also deploy all this for you in AWS EC2.

How are you authenticating users to the web UI? Seems like a huge point of failure if breached.

Still working on it, but a few ideas:

  • Yubico
  • RSA SecurID
  • 2FA
  • SSH Agent Forwarding
  • Active Directory Integration
What makes Orchestrator different from existing vendors?
  • Cost - it's currently free, to thank you for trying us out. Also it's not tied to an expensive SIEM or integrated security offering.
  • Ease of writing tasks and workflows
What's your contact info?

Feel free to reach out anytime, we usually respond within the day

Join Our Mailing List (Samy Kamkar is on it!)

We'll send all project updates here.