Overview
Security Onion Dashboard
The Security Onion Dashboard screen provides graphs and tables for quickly assessing the current state of your infrastructure.
Security Onion is a free and open platform built by defenders for defenders. It includes network visibility, host visibility, intrusion detection honeypots, log management, case management, and much more.
Security Onion Pro is a licensed set of additional features useful to larger organizations, including Onion AI: a built-in AI assistant that works with either the Pro-bundled cloud AI platform offered by Security Onion, Google's Gemini AI platform, or a locally hosted OpenAI-compatible endpoint. Contact our sales team to request a demo or more information.
For network visibility, Security Onion includes signature-based detection via Suricata, rich protocol metadata and file extraction using your choice of either Zeek or Suricata, full packet capture via Suricata PCAP, and file analysis via Strelka. For host visibility, we offer the Elastic Agent, which provides data collection, live queries via osquery, and centralized management using Elastic Fleet. Intrusion detection honeypots based on OpenCanary can be added to your deployment for even more enterprise visibility. All of these logs flow into the Elastic stack. Security Onion's native user interface, SOC (short for Security Onion Console), provides alerting, detection, hunting, dashboards, case management, grid management, and much more.
Security Onion has been downloaded over 2 million times and is being used by security teams around the world to monitor and defend their enterprises. Our easy-to-use Setup wizard allows you to build a distributed grid for your enterprise in minutes!
Security Onion can be installed as a standalone, single VM, or in a distributed grid. Additionally, a single VM evaluation install mode is available for learning Security Onion, as well as an import install mode for analyzing past events. The Security Onion Console provides a consistent interface for viewing events, escalating alerts, collecting information into cases, and drilling down into associated PCAP traffic. Aggregate your platform logs into Security Onion for a comprehensive, security-focused view into activity within your infrastructure.
Note that free community-based support for Security Onion is offered via our discussion forum. Premium support is available for purchase separately, and is included with Security Onion Pro paid licenses.
Highlights
- Security Onion can be installed as a standalone, single VM, or in a distributed grid. Additionally, a single-VM evaluation install mode is available for learning Security Onion, as well as an import install mode for analyzing past events.
- Security Onion Console provides a consistent interface for viewing events, escalating alerts, and drilling down into associated PCAP traffic.
- Aggregate your platform logs into Security Onion for a comprehensive, security-focused view into activity within your infrastructure.
Details
Pricing
Free trial
| Dimension | Cost/hour |
|---|---|
| t3a.2xlarge (Recommended) | $0.15 |
| c4.2xlarge | $0.15 |
| r5n.8xlarge | $0.15 |
| i4i.16xlarge | $0.15 |
| m5ad.large | $0.15 |
| r5b.metal | $0.15 |
| r6idn.4xlarge | $0.15 |
| c5a.4xlarge | $0.15 |
| r6id.metal | $0.15 |
| r5n.large | $0.15 |
Vendor refund policy
Refunds are not available.
Legal
Vendor terms and conditions
Content disclaimer
Delivery details
64-bit (x86) Amazon Machine Image (AMI)
Amazon Machine Image (AMI)
An AMI is a virtual image that provides the information required to launch an instance. Amazon EC2 (Elastic Compute Cloud) instances are virtual servers on which you can run your applications and workloads, offering varying combinations of CPU, memory, storage, and networking resources. You can launch as many instances from as many different AMIs as you need.
Version release notes
Full release notes for the latest Security Onion release are located at: https://securityonion.net/docs/release-notes
Existing Security Onion 2.4.4 or newer AMI installations should use the "soup" command to upgrade to newer versions of Security Onion. Attempting to switch to a newer AMI from the AWS Marketplace could cause loss of data and require full grid re-installation. Note that grids running Security Onion 2.3 cannot use soup to upgrade to 2.4, as the underlying operating system has changed from CentOS to Oracle Enterprise Linux.
Additional details
Usage instructions
IMPORTANT: Security Onion must be set up once the virtual machine first starts. Additionally, an understanding of DNS and networking concepts is required. Most users will need to map the VM's hostname to the VM IP address, either via their local /etc/hosts file or via a domain resolution service, in order to access the web interface.
Please review the following documentation links, as thoroughly understanding the architecture, such as which nodes should exist in AWS vs On-Premise, is an important prerequisite for deploying Security Onion in AWS.
Guidelines on instance sizing as well as AMI-specific instructions. This is a must-read for all users new to running Security Onion on AWS.
Where data is stored within the VM's filesystem:
How Security Onion data is secured:
Information relating to updating passwords:
To verify a healthy installation, follow the recommendations provided in the following links:
- https://securityonion.net/docs/grid
- https://securityonion.net/docs/so-status
- https://securityonion.net/docs/help
Finally, if you run into trouble or need clarification, there is an active Security Onion community that helps answer questions relating to Security Onion. To take advantage of this free community support, visit our discussion forum:
Premium support and Security Onion Pro licenses are also available for purchase.
- Premium support: https://securityonion.net/support
- Pro license: https://securityonion.net/pro
Resources
Vendor resources
Support
Vendor support
Free community-based support for Security Onion is offered via our discussion forum. Premium support is available for purchase separately, and is included with Security Onion Pro paid licenses.
Visit our support website for more information. Premium Support:
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.
Standard contract
Customer reviews
Centralized threat monitoring has improved visibility but demands complex setup and configuration
What is our primary use case?
My main use case for Security Onion is its integration with multiple platforms and its function as a centralized system to visualize logs and events.
How has it helped my organization?
Security Onion has positively impacted my organization by greatly improving our security posture. It makes alert triage easier to handle, the analysis of threats is very simple, and the cost of threat analysis and detection has decreased.
I have noticed measurable improvements since using Security Onion, with security incidents improving from 45 to 60% over the past three years.
What is most valuable?
The best features Security Onion offers include acting as the intrusion detection system in my organization and helping me to address traffic, logs, and events happening within the organization. Since Security Onion is an open-source system that integrates with tools like Suricata and Zeek with the ELK stack, it enables threat detection and response capabilities, delivering high-level security measures at a cost, making it suitable for businesses of varying skill levels.
These integrations with Suricata and Zeek have greatly impacted our workflow and our team's effectiveness by helping us address issues such as identifying intrusions, evaluating threats, and overseeing log files.
This tool is very cost-effective, making it suitable for any size of organization wanting to use it.
What needs improvement?
For Security Onion, setting up and configuring the system can be quite challenging for newcomers due to the need for a grasp of networking and security concepts.
The specific challenges that make the setup and configuration difficult include the system demanding resources to function, which might be a challenge for smaller companies. Although there is support from the very proactive open-source community, tackling intricate problems usually requires technical knowledge.
For how long have I used the solution?
I have been using Security Onion for the same amount of time.
What do I think about the stability of the solution?
I have not experienced any downtime with Security Onion, so it appears to be quite stable.
What do I think about the scalability of the solution?
Security Onion's scalability has handled my organization's growth perfectly, so it is very scalable, scaling as our organization's growth increases.
How are customer service and support?
For the time I have been in contact with customer support, they have been very responsive and proactive.
Which solution did I use previously and why did I switch?
I previously used SolarWinds Loggly.
How was the initial setup?
My experience with the configuration process is that setting up and configuring the system can be quite challenging, especially for new users or newcomers due to the need for a grasp of networking and security concepts.
What was our ROI?
I have seen a return on investment through time saved from faster incident resolution and also very fast threat detection, freeing time for our security team to focus on more strategic tasks and projects. Additionally, security has greatly improved in my organization, and the cost-effective nature of Security Onion offers a budget-friendly option for monitoring networks in real time and responding to incidents promptly.
A specific example of how Security Onion made threat analysis easier and reduced costs is that it has been one of the best platforms we found for alerting, hunting, and tracking various security vulnerabilities, making it very easy for hunting and tracking of various security vulnerabilities while saving a lot of time and costs.
Which other solutions did I evaluate?
I decided to switch from SolarWinds to Security Onion because, while other vendors may have a more robust solution, Security Onion was the one to move forward with for our needs. We have tested some of the others, but the cost of those platforms made the return on investment not as desirable as Security Onion. There is also a learning curve with Security Onion, but it is worth it.
Before choosing Security Onion, I evaluated other options including SolarWinds IP Monitor and also SolarWinds Log Analyzer.
What other advice do I have?
The advice I would give to others looking into using Security Onion is that it works well for setting up within a Linux environment, bringing a new platform to run and maintain. The application itself has helped to keep track of logs and vulnerabilities in the environment, and alert triage and case creation is simple to start and follow through to the end, making it a highly recommendable tool.
I love Security Onion; it is an open-source tool supported by a community of like-minded users. The GUI is straightforward and easy to work with, and I also appreciate that there is the ability to use an appliance from Security Onion, though we have not had a need to use it yet.
Security Onion integrates very well with other AWS services I use in my case.
The configuration and the easy-to-use interface of Security Onion offer an affordable and budget-friendly option for monitoring networks in real-time and responding to incidents promptly. I would rate this review three out of five.
Provides good threat hunting by finding infected ports, but its initial setup is difficult
What is most valuable?
The most valuable feature of Security Onion for security monitoring is its ability to find infected ports. I have used the Squert tool within Security Onion the most for threat hunting.
What needs improvement?
The initial setup of the solution is a little bit difficult.
For how long have I used the solution?
I have been using Security Onion for one year.
How are customer service and support?
The solution’s technical support is good and responsive.
How was the initial setup?
On a scale from one to ten, where one is difficult and ten is easy, I rate the solution's initial setup a six out of ten.
What's my experience with pricing, setup cost, and licensing?
Security Onion is an open-source solution.
On a scale from one to ten, where ten is expensive and one is cheap, I rate the solution's pricing a six out of ten.
Which other solutions did I evaluate?
Before choosing Security Onion, we evaluated Splunk. We chose Security Onion because it's a free and open-source solution.
What other advice do I have?
Security Onion is deployed on the cloud in our organization. I would recommend the solution to other users.
Overall, I rate the solution a seven out of ten.
A mature and affordable solution that is easy to install and easy to update
What is our primary use case?
The solution is used to learn how the tools work. It enables us to do consulting and demonstrate solutions. We develop attacks, detect them, and demonstrate how it works. The customers are interested in seeing how and what these tools can do.
What is most valuable?
We are only working with open-source products. The tool is very easy to install and easy to update. A lot of interfaces are specified. So, it's quite easy to make extensions. It is very important when we do experiments and try to connect and integrate other tools. Security Onion is the most mature solution in the open source world. This is its biggest advantage.
What needs improvement?
The product takes time to learn; it's not that easy. In the beginning we had a lot of questions. If you want to use such a tool in a real (industrial) environment, you have to ask how to get the network data. Can we do a full packet capture? Can we provide agents to our end systems? There are no simple solutions to these questions. It's a general problem when running such systems in an industrial environment.
For how long have I used the solution?
I have been using the solution for about ten years. I am using the latest version.
How are customer service and support?
There is a community. If we are active and ask people questions, we get answers. We also have the option to buy support for difficult problems.
Which solution did I use previously and why did I switch?
We also use Malcolm. It is a similar platform. But it is not as mature as Security Onion. The system management features are not perfect and need to be improved.
How was the initial setup?
The solution is partially in a real environment and partially in a virtual environment. The focus is on the OT environment. Our main focus is to deliver security in automation systems. It is very easy to set up.
What's my experience with pricing, setup cost, and licensing?
It is an open-source solution. The vendor also sells a hardware solution (appliance) as a paid solution.
What other advice do I have?
My advice depends on the requirements, network, and resources available in an organization. It also depends on whether someone is looking for a turnkey solution, whether they are interested in working alone, and what their skills are. There is no one solution for all installations. Overall, I rate the product a ten out of ten.
Poorly developed, no support for software, no architecture or deployment details.
What is the purpose of having this software on this platform? Absolutely nothing.
The solution can be used for internal vulnerability assessment, but its user interface could be improved
What is most valuable?
We use Security Onion for internal vulnerability assessment.
What needs improvement?
Security Onion's user interface could be improved. The solution's general reporting should be made simpler and better-looking in terms of graphics so that we can update our senior management.
For how long have I used the solution?
I have been using Security Onion for four years.
What do I think about the stability of the solution?
Security Onion is a stable solution, but we experience some crashes.
I rate Security Onion a six out of ten for stability.
What do I think about the scalability of the solution?
Security Onion is a scalable solution, but some connected APIs are a bit difficult to integrate. Two people are using Security Onion in our organization.
I rate Security Onion a five out of ten for scalability.
How are customer service and support?
We are part of the solution's blogging site, where we discuss with other people working on it so that we understand most things. Security Onion's blogging site or community forum helps us to resolve all our issues.
How was the initial setup?
Security Onion's deployment needs to be a bit simple. Some explanations or jargon are a bit complicated and should be made simple enough to understand.
What's my experience with pricing, setup cost, and licensing?
Security Onion is a free solution.
What other advice do I have?
Security Onion is deployed on our established private cloud, which operates from our recovery site.
Security Onion does not need any maintenance.
You need to be skilled in order to use Security Onion.
Overall, I rate Security Onion a six out of ten.