Open-source security framework for threat detection, fraud prevention, and abuse monitoring. Self-hosted solution with built-in dashboard and risk scoring.

Overview:

tirreno is an open-source security framework designed to detect threats, fraud, and abuse within a product's application layer, rather than at the network perimeter. It addresses attacks like account takeover, credential stuffing, and insider threats that bypass traditional security tools such as firewalls and WAFs. Built as a low-dependency PHP/PostgreSQL application, tirreno uses event ingestion via API to provide a real-time threat dashboard. It is intended for self-hosted applications, SaaS platforms, e-commerce sites, and mission-critical systems, including air-gapped and industrial control environments.

Core Features:

  • Rule engine: Automatically calculates risk scores using preset rules (e.g., account takeover, bot detection) or custom rules tailored to the product.

  • Single user view: Analyzes behavior patterns, risk scores, connected identities, and activity timelines for individual users.

  • Review queue: Automatically suspends accounts based on risky events or flags them for manual review via configurable thresholds.

  • Field audit trail: Tracks modifications to important data fields, recording what changed and when for audit and compliance purposes.

  • Built-in dashboard: Monitors security events from a single interface that is operational within minutes.

  • SDKs & API: Integrates with any product using SDKs for PHP, Python, NodeJS, and WordPress to send events with full context.

Use Cases:

  • Security for self-hosted applications: Adding audit trails and user account protection against takeover to internal and legacy apps.

  • Fraud detection for e-commerce: Identifying payment fraud, fake reviews, and promotional code exploitation on online marketplaces.

  • Monitoring non-human identities: Tracking API keys, service accounts, and bot behaviors to detect compromised machine identities.

  • Protecting API-first platforms: Preventing abuse like scraping, rate-limit bypasses, and unauthorized access.

Why It Matters:

tirreno focuses on application-layer threats that standard security infrastructure often misses. As an open-source framework (AGPLv3) that started as a proprietary system, it offers a self-hosted approach to embedding threat detection directly into products. The project emphasizes low dependencies and straightforward installation, and its event-driven model allows for real-time monitoring without relying on external security vendors for core detection logic.

Project statistics

Stars

1,258

Forks

139

License

AGPL-3.0

Metadata

Alternative to
Seon