Security orchestration and automation platforms are essential for modern MSSPs and security teams. Shuffle tackles this by splitting workflow execution across distributed components, enabling multi-tenant, hybrid cloud, and on-premises deployments. Its architecture and use of OpenAPI for integrations make it worth a close look if you’re building or maintaining security automation at scale.
What Shuffle does and its architecture
Shuffle is an open-source security automation platform designed primarily for Managed Security Service Providers (MSSPs) and enterprise security teams. Its core purpose is to orchestrate workflows that span multiple security tools, automating routine and complex security operations.
Under the hood, Shuffle separates concerns cleanly into three main components:
A ReactJS frontend that uses Material UI for the general interface and Cytoscape.js for interactive workflow editing. This provides a graphical way to design, visualize, and manage automation workflows.
A Golang backend webserver that handles API requests, workflow management, user authentication, and coordination of execution.
Distributed execution components: Orborus, responsible for distributing workflow execution across different locations, and Worker, which runs the actual workflows. This design supports scaling the execution layer horizontally and geographically.
The platform’s integrations with external apps and APIs are driven by OpenAPI specifications. Developers use a Python SDK to build connectors quickly, which means adding new integrations doesn’t require deep changes to the core platform. This modularity is key for security environments where new tools or APIs emerge frequently.
Deployment-wise, Shuffle supports hybrid scenarios: you can self-host it using docker-compose for on-prem or private cloud setups, or opt for the cloud-hosted service at shuffler.io. It also supports optional resource sharing between deployments, an important feature for MSSPs managing multiple clients securely.
Licensing is dual: the core backend is under AGPLv3, which ensures that any modifications remain open source. Meanwhile, workflows, apps, documentation, and the Python SDK use the more permissive MIT license, facilitating easier adoption and customization.
The distributed execution model as Shuffle’s core technical strength
What really sets Shuffle apart is its distributed execution architecture involving Orborus and Worker components. In many SOAR platforms, execution is centralized, which can become a bottleneck or a security risk when scaling across multiple tenants or environments.
Orborus acts as an orchestrator for workflow execution locations. It routes workflow tasks to appropriate Worker instances, which actually execute the steps defined in the workflows. This separation enables:
Scalability: You can add Worker nodes wherever needed, including on-premises networks or cloud regions, distributing load and reducing latency.
Security boundary enforcement: MSSPs often need to keep client data isolated. By running Workers in client-specific environments, Shuffle respects these boundaries while still providing centralized management.
Flexibility for hybrid deployments: The architecture supports workflows that span cloud and on-prem resources seamlessly.
This model is more complex than a monolithic execution engine but pays off in production by avoiding a single point of failure and reducing risk of data leakage.
The codebase reflects this modularity. The Golang backend is cleanly separated from execution components, and the React frontend leverages Cytoscape for a visually rich, interactive editor. The Python SDK for app integrations is a smart choice, striking a balance between accessibility and power for developers building connectors.
There are tradeoffs to keep in mind:
The distributed system requires more operational overhead. Deploying and managing Orborus and Workers alongside the backend and frontend components demands solid DevOps practices.
Debugging distributed workflows can be challenging, especially when execution is spread across multiple networks.
The dual licensing model means any backend modifications need to be open source under AGPLv3, which might affect commercial use cases.
Nonetheless, for MSSPs and security teams needing scalable, secure multi-tenant orchestration, these tradeoffs are reasonable.
Explore the project
Since the README does not provide explicit installation or quickstart commands, the best way to begin exploring Shuffle is to familiarize yourself with its main repositories and documentation:
The core backend and frontend live in the main Shuffle repo. This is where you’ll find the Golang backend and ReactJS frontend code.
Separate repos handle OpenAPI-based apps, Python SDK apps, workflows, and documentation. This modular approach keeps concerns isolated and makes it easier to contribute or customize specific parts.
The documentation provides guidance on architecture, deployment options (including docker-compose self-hosting), and development workflows.
For developers building new integrations, the Python SDK is the primary tool. It uses OpenAPI specs to scaffold connectors, which can then be deployed as apps within Shuffle.
The frontend’s use of Cytoscape.js means workflow definitions are graph-based, making the visual editor a key resource for understanding how automations are composed.
Overall, start by cloning the main repo, reading the docs, and exploring the examples of workflows and apps. The modular repos and SDK documentation will guide you on adding new connectors or custom workflows.
Verdict
Shuffle is a solid open-source SOAR platform with a clear focus on distributed, scalable security automation for MSSPs and security teams needing multi-tenant, hybrid deployments.
Its architecture stands out in this space due to the Orborus/Worker distributed execution model, which solves real-world challenges around scaling and security boundaries. The tradeoff is increased operational complexity and a steeper learning curve compared to monolithic automation tools.
The choice of Golang for backend, ReactJS for frontend, and Python for SDK strikes a balance between performance, developer experience, and extensibility.
If you manage security workflows across multiple environments or clients and want an open-source platform that supports hybrid cloud and on-prem deployment with modular integrations, Shuffle is definitely worth exploring.
For smaller teams or those without the resources to manage distributed components, the operational overhead might be a hurdle. Also, the AGPLv3 backend license requires attention if you plan commercial modifications.
Overall, Shuffle solves a real problem in security automation with a practical, modular approach and a distributed execution design that’s worth understanding even if you don’t adopt it directly.
Related Articles
- Syncthing: secure, decentralized continuous file synchronization in Go — Syncthing is an open-source Go tool for continuous, secure, decentralized file synchronization across devices, emphasizi
- n8n: hybrid AI-driven workflow automation with low-code flexibility — n8n blends no-code workflow automation with AI agent workflows via LangChain, offering 400+ integrations and flexible se
- Dokploy: a self-hosted PaaS combining Docker Compose and Swarm for scalable deployments — Dokploy is a self-hosted PaaS that streamlines app and database deployments using Docker Compose and Swarm for multi-nod
- Agno: Building production-ready agentic software with minimal code — Agno provides a minimal, production-ready Python framework for scalable agentic software with per-user isolation and nat
- Crawlee: a TypeScript library for stealthy web scraping and browser automation — Crawlee is a TypeScript library for web scraping and browser automation with human-like stealth. Supports Playwright, Pu
→ GitHub Repo: Shuffle/Shuffle ⭐ 2,274 · JavaScript