Can you use Tines for SOAR automation?

Using Tines for SOAR Automation

Yes. Tines is designed and marketed as a no-code security automation platform used by security operations (SOC) teams for SOAR (Security Orchestration, Automation, and Response) workflows. As of April 2026, Tines customers include security teams at Canva, McKesson, Mars, and Databricks, and the platform is positioned directly against traditional SOAR vendors such as Splunk SOAR, Palo Alto Cortex XSOAR, and IBM Resilient.

What Tines Automates for SOC Teams

Tines executes SOAR playbooks as Stories, which are directed graphs of Actions connected by event flow. Common SOC use cases include:

• Phishing triage: Parse reported phishing emails, extract headers and URLs, enrich indicators via VirusTotal or urlscan.io, and auto-respond to the reporter with the verdict
• SIEM alert enrichment: Pull alerts from Splunk, Sentinel, or Chronicle, enrich with threat intelligence (Recorded Future, MISP), and create tickets in Jira or ServiceNow only when the alert meets severity thresholds
• Endpoint isolation: Trigger CrowdStrike or SentinelOne host containment APIs when a rule fires, then notify the analyst and log the action for audit
• Indicator of compromise (IOC) enrichment: Cross-reference IPs, domains, and hashes against multiple threat intelligence feeds and update watch lists
• User access review automation: Pull entitlements from Okta or Azure AD on a schedule and generate manager review tickets

How Tines Differs From Traditional SOAR

Traditional SOAR products ship with hundreds of vendor-specific apps and scripted integrations. Tines instead treats every external system as an HTTP API and builds playbooks using six core Action types: HTTP Request, Send Email, IMAP, Trigger, Event Transform, and Webhook. This design reduces the surface area for maintenance (only six Action types to learn) but requires that analysts know how the target API works rather than relying on pre-packaged connectors.

Pricing and Deployment

Tines pricing as of April 2026 is custom-quoted, with entry-level Team plans starting at approximately $35,000 per year and Enterprise deployments running into six figures. Tines is deployed as a SaaS tenant by default; self-hosted and tenant-isolated options are available on Enterprise plans. The platform includes a free Community Edition with a cap on monthly stories and is widely used for personal security automation projects.

Limitations to Consider

Tines is optimized for API-driven automation. Organizations that rely heavily on legacy SOAR features such as deep case management, analyst shift handoff, or MITRE ATT&CK mapping typically pair Tines with a dedicated case-management tool (Jira, ServiceNow, or a SIEM-native case feature) rather than using Tines as a full incident response system.