Reviews from AWS customer




4-star reviews

    Mahesh P Iyer

Automation has transformed alert triage and now powers AI-driven security operations

  • March 25, 2026
  • Review from a verified AWS customer

What is our primary use case?

In the cybersecurity engineering and security automation field, we use Tines to automate the enrichment and analysis of different use cases, including IOC enrichment and bringing AI-powered capabilities into our workflows.

The primary use case is automating our detection use cases. Whenever we create a new detection, the alert is sent to a webhook in Tines, and from that webhook we create a workflow that automates the primary job of the L1 analyst, which is the initial triage of that particular alert. Tines will then create a ticket in our ticketing platform that will be sent directly to the customer, so the initial manual effort after that alert has been created is automated through Tines.

Regarding the scope of impact, we have about 12,000 customers using our product, and for each customer, we generate roughly about five alerts per day. Ninety percent of these alerts are automated through Tines, which is going to reach 100% pretty soon. For each of these alerts, the initial triage costs about 30 minutes to one hour per analyst, and the entire work is being done through Tines, which includes time-consuming enrichment. For example, we have a particular module in Tines that takes in a malicious IP that was seen in a particular alert and drives that IP through different OSINT tools—about seven different OSINT tools—and consolidates the results and generates a risk score for that IP based on all the results. For an analyst, it would take at least one hour to two hours to get the result with this much perfection, but with Tines, it happens instantaneously. Including the enrichment of different IOCs, the workflow does the initial triage of the alert and creates a ticket that has sufficient information that would take a significant amount of time for an analyst to compile manually for each alert. To put it in perspective, with 12,000 customers each having roughly two to five alerts per day, that much alert volume is completely automated through Tines.

Beyond this primary use case, we also use Tines for integrating different tools and making the SOC AI powered. We have a different AI model that we integrate with Tines to bring AI capacity and GenAI capabilities into our day-to-day activities, including detection creation, ticket management, and change control management. We have integrations with GitHub to use this in the DevOps field. However, all of these are smaller use cases compared to the SIEM rules automation, which is the primary one, but we cover a broad spectrum across many different fields.

How has it helped my organization?

Our team, the Security Automation Engineering team, had a primary role to do platform management for Tines. Initially we could only focus on Tines or trying to automate these use cases, but eventually we brought in so much automation that other teams started to pitch in. We only needed to do platform management and we got fewer in numbers because the level of automation got so large that we are now focusing on many different projects and not just level two SOC operations.

What is most valuable?

The API capabilities are what I find most valuable. I have used other SOAR platforms before, and the integration and API capabilities in those other SOAR platforms are relatively difficult to use when compared to Tines. In Tines, if I want to build an integration or API connectivity within different platforms, it is much easier. There are two very helpful actions: one is called Webhook and another is called HTTP Actions. We can use these two, so the webhook will literally accept traffic from the internet and the HTTP action makes it so much easier to send an HTTP request or an API request to different platforms. Using these two actions, we can very easily have interconnectivity, which really adds to the orchestration part when we are using SOAR.

The second feature I find really attractive is called Pages. By using Pages, instead of just creating a workflow, we can also use Pages to add a UI for anyone who is not a builder but who can actually use the workflows. For example, I am creating ten different workflows, and I can connect them through Pages so that someone from my team who is not a builder or a developer can actually use these workflows if I create for them a nice UI using Pages.

What needs improvement?

There are three things that I would say could be better. The first is the Change Control UI. I have noticed that the UI for Change Control is a bit difficult to navigate and assess, but I know that Tines is working on that and so hopefully we will see results soon.

The second thing is the action called Implode. The issue with the Implode action is that once we get a certain number of events into the Implode action, we lose context of all the events except the last one that came in, so it is a bit difficult to send data back once it goes through the Implode action. I have raised this with Tines, but I do not know if they are working on this or not.

The third thing is the capacity to debug. If my story is not attached to a case, it is a bit difficult to debug if I run into an error. I have to identify the exact event that caused the error and then start debugging from there, so that is not entirely user-friendly. These are the three downfalls that I have noticed with Tines.

For how long have I used the solution?

I have been actively using Tines for about two years.

What do I think about the stability of the solution?

Tines is stable. I cannot speak for the answer to that question before we chose Tines because ever since I joined my organization, Tines has already been there.

What do I think about the scalability of the solution?

Tines has an auto-scaling feature that clearly provides the metrics about the number of workers that have been deployed and the amount of workload that these workers are carrying. We have the capacity to increase and decrease the number of workers to some extent manually, and it has to some extent an auto-scaling feature as well. We can put a ceiling on the permitted auto-scaling so as not to blow up. Whenever this became insufficient, we could easily reach out to the Tines team, and they immediately gave us a remedy or fixed the issue. When things felt like they were going through the roof, they themselves reached out to us, saying that these stories were causing issues and that we could think of optimizing them or something.

How are customer service and support?

I had direct interactions and the experience was great. The customer support is extremely active and they have an AI-powered customer support that is really, really good. The customer support engineers are extremely friendly. We had an open Slack where we could reach out whenever we wanted clarifications or had requests. We would get a response within six hours in my experience. We would get an AI-powered response immediately, and if that was not sufficient, we could connect to a manual person within six hours and they were really friendly. They were willing to get on call, assess the problem, and provide whatever we needed. We had review meetings every month and we could bring up whatever we thought would be an improvement on our side and they would immediately start prioritizing it and working on that. They also gave us a heads up on whatever new features they were thinking of rolling out.

Whenever we hit roadblocks or issues with the platform or story, even if it was our mistake, the people from the most senior engineering team of Tines immediately were willing to get on call with us to try to solve the issue, and they were also willing to temporarily scale the platform just to accommodate the issue that was going on and then temporarily bring it back down. All of these I have had experience with and it was great.

Which solution did I use previously and why did I switch?

Tines was the first SOAR solution in my organization, but in a different organization, I have worked with different SOAR solutions before.

How was the initial setup?

Tines is a great product. I have used multiple SOAR platforms before and I would say that, I do not know about the cost factor, but otherwise it is a great product and it is amazing to use with its user-friendly features. It is constantly improving, and that is a great thing, so I would highly recommend it.

What was our ROI?

I can speak for fewer employees needed because we used to require many analysts to deal with all the alerts that we were generating, but now we have about 90 to 95% of the alerts already automated through Tines, which means a tremendous amount of time saved and a huge reduction in the number of analysts required.

What other advice do I have?

We are not in control of the deployment anymore. Initially we were using an S3 bucket to deploy Tines, but now Tines is taking care of the deployment. It used to be Amazon before, but now Tines is in control of that. The overall rating I give this review is 8 out of 10.

