Tines (AI Actions)

Overview

Tines is a no-code security automation platform — a SOAR (Security Orchestration, Automation, and Response) tool that lets security teams build automated workflows without writing code. Founded in Dublin in 2018 by former eBay security engineers, Tines has carved out a distinct position in the SOAR market by being dramatically easier to use than the enterprise incumbents (Splunk SOAR, Palo Alto XSOAR, IBM QRadar SOAR) while being more powerful and flexible than simple automation tools like Zapier or Make.

What sets Tines apart is the workflow builder. Instead of pre-built playbooks that you customize (the approach most SOAR tools take), Tines gives you a blank canvas and a set of building blocks — HTTP requests, triggers, transformations, conditional logic, AI actions — that you compose into workflows called "stories." It's the difference between filling out a form and writing in a notebook. The blank canvas is intimidating for the first hour, but once you understand the building blocks, you can automate things that would be impossible with template-based SOAR tools.

Tines has recently leaned into AI by adding LLM-powered actions that can classify alerts, extract entities from unstructured text, generate summaries, and make routing decisions. These AI actions sit alongside the existing building blocks, which means you can add intelligence to existing automation workflows without rearchitecting them. It's a natural evolution that makes Tines relevant to the AI security tool conversation, even though its core value proposition is automation rather than AI.

How It Works

Tines workflows ("stories") are built from a small set of action types: HTTP Request actions that call APIs, Trigger actions that start workflows based on webhooks or schedules, Transformation actions that reshape data, Event Transformation actions that apply logic and filtering, and the newer AI actions that process text with LLMs. You connect these actions in a visual canvas to create workflows, and the platform handles execution, error handling, retry logic, and logging.

The HTTP Request action is where most of the power lies. Because it can call any REST API with any authentication method, Tines can integrate with literally any tool that has an API — which is every modern security tool. There's no waiting for vendor-built integrations; if the API exists, you can use it today. Tines does maintain a library of pre-built "templates" for common integrations (Jira, Slack, PagerDuty, CrowdStrike, etc.) that handle the authentication setup and common API calls, but these are conveniences rather than requirements. The flexibility to call any API is the core design principle.

The AI actions use a configurable LLM backend — you can connect your own OpenAI, Azure OpenAI, or Anthropic API keys, or use Tines' built-in AI capability. The AI actions can be inserted at any point in a workflow to classify content, extract structured data from unstructured text, generate summaries, or make routing decisions based on natural language analysis. For example, a common pattern is: receive alert from SIEM → AI action classifies severity and extracts IOCs → conditional logic routes to different response workflows based on classification → automated response actions execute.

Data handling is straightforward. Tines processes data in its cloud (they also offer a self-hosted option for organizations that need it), and each action's output is available to subsequent actions as structured JSON. There's a credential vault for storing API keys and secrets, role-based access control for workflow management, and an audit log for compliance. The platform runs on AWS infrastructure and is SOC 2 Type II certified, which checks the procurement boxes for most enterprise buyers.

What We Liked

The speed of building automations is Tines' biggest advantage. We built an alert triage workflow — take a Sentinel alert, enrich it with VirusTotal and Shodan lookups, check the affected user against Azure AD, classify the combined data with an AI action, and route to Slack or Jira based on severity — in about 90 minutes. The same workflow in Splunk SOAR took us roughly a full day, primarily because of the setup overhead, plugin installation, and Python scripting required. In XSOAR, it was similar. Tines doesn't eliminate the need to understand APIs and data structures, but it eliminates the ceremony and boilerplate that makes other SOAR tools slow.

The community-shared story library deserves a mention. Tines maintains a public library of workflows contributed by their user community, and many of them are production-quality. We found a complete phishing response workflow that pulled emails from a shared mailbox, analyzed them with multiple reputation services, extracted IOCs, and generated a report — and it was importable into our environment with minimal customization. The community library accelerates time-to-value in a way that vendor documentation alone can't match.

The AI actions are well-implemented. We used an AI classification action to triage incoming Sentinel alerts and were pleasantly surprised by the accuracy — it correctly classified alert severity (matching our senior analyst's judgment) about 80% of the time, which is good enough to handle initial routing while flagging uncertain cases for human review. The fact that the AI action is just another building block in the workflow means you can add fallback logic: if the AI confidence is below a threshold, route to a human. If it's above, proceed with automated response. That kind of nuanced, conditional AI usage is harder to implement in tools where the AI is baked in rather than composable.

One thing that genuinely surprised us: Tines' customer community is remarkably active and helpful. The Slack community has thousands of practitioners who share workflows, debug each other's stories, and provide practical advice. We posted a question about handling a tricky API pagination issue and got three working solutions within an hour, one from a Tines employee and two from other customers. That community ecosystem adds significant value beyond the product itself, especially for smaller teams that don't have dedicated SOAR engineers.

What Fell Short

The blank canvas approach means there's no guardrails. You can build workflows that are elegant and efficient, or you can build a tangled mess of actions that nobody else can understand or maintain. Tines doesn't enforce any particular workflow structure or naming convention, and it's easy for a team of 3-4 people building stories independently to end up with an inconsistent, hard-to-maintain automation library. The platform needs better built-in governance features — workflow standards, naming conventions, complexity warnings, required documentation fields — to prevent the "automation spaghetti" problem that afflicts every SOAR deployment eventually.

The learning curve, while much shorter than traditional SOAR tools, is still steeper than Tines' marketing suggests. The no-code claim is technically accurate — you don't write Python or JavaScript — but you absolutely need to understand REST APIs, JSON data structures, authentication mechanisms, and basic programming logic (conditionals, loops, data transformation). A security analyst with no technical background won't be productive with Tines without significant training. It's no-code in the same way that advanced Excel is no-code: accessible to technical people, but not truly non-technical.

The reporting and metrics on automation performance are underwhelming. We wanted to track metrics like "how many alerts did this workflow auto-close vs. escalate" and "what's the average time savings per automated workflow" and found that Tines doesn't provide these analytics out of the box. You can build them yourself by adding logging actions to your workflows and piping the data to a dashboard tool, but it's extra work that the platform should handle natively. Demonstrating automation ROI is critical for justifying SOAR investment, and Tines makes it harder than it should be.

Pricing and Value

Tines offers a free Community Edition with limited features (no team collaboration, limited story complexity), a Teams tier starting around $5,000/month, and an Enterprise tier with custom pricing. The paid tiers are priced per user with additional costs for story execution volume at the upper end. For a security team of 10 running moderate automation workloads, expect annual costs in the $75,000-$150,000 range depending on execution volume and support tier.

Compared to traditional SOAR tools, Tines is competitively priced but not cheap. Splunk SOAR and XSOAR typically cost $100,000-$300,000/year for equivalent deployments, but they include features (case management, built-in threat intelligence, compliance reporting) that Tines handles through external integrations. The real value comparison should account for the dramatically lower implementation and maintenance effort — if a Tines workflow takes 90 minutes to build and an XSOAR playbook takes a day, that time difference compounds quickly across dozens of automations. Teams that measure SOAR value by the number of automated workflows in production will build more with Tines, faster.

Who Should Use This

Tines is the right SOAR platform for security teams that want to automate aggressively and have at least one technically capable person who can learn the platform. It's particularly well-suited for teams of 5-15 analysts where the automation builder doesn't need to be a dedicated SOAR engineer — any technically inclined analyst can contribute workflows. Organizations that are frustrated with the rigidity and complexity of traditional SOAR tools (and there are many) will find Tines' flexibility refreshing. The AI actions make it especially relevant for teams that want to inject LLM intelligence into their workflows without committing to a single AI vendor's platform.

It's a poor fit for organizations that want a turnkey SOAR solution with pre-built playbooks for common use cases, because Tines' strength is flexibility at the cost of guided structure. It's also not ideal if your primary need is case management or compliance-driven incident documentation — Tines is an automation engine, not a case management system, and you'll need to integrate it with something like Jira Service Management or ServiceNow for that functionality.

The Bottom Line

We evaluated Tines expecting a lightweight alternative to "real" SOAR tools and came away convinced it's the other way around. Tines' workflow builder is more capable than any template-based SOAR we've used, and the speed of building and iterating on automations is in a different class. It won't organize your incident response program for you — that's not what it's for. But if your goal is "automate away the repetitive work that burns out my team," Tines will get you there faster and with fewer frustrations than the alternatives. The free Community Edition means you can validate this for yourself before spending a dollar, which is exactly what we'd recommend.