At a Glance:
tirreno is an open-source security framework that embeds inside products to detect threats, fraud, and abuse through a real-time dashboard, risk-scoring rule engine, and API-based event ingestion.
Overview:
tirreno is an open-source security framework designed to be embedded directly into applications to detect and respond to threats, fraud, and abuse. Rather than focusing on infrastructure perimeter defenses like firewalls or WAFs, tirreno monitors for compromised accounts, application logic abuse, and malicious activity inside the product itself. It is built as a PHP/PostgreSQL application with minimal dependencies. Developers can integrate tirreno through available SDKs or API calls, and immediately access a built-in dashboard for monitoring security events, analyzing user behavior, and reviewing flagged activities. The project was originally a proprietary system and was open-sourced under the AGPL license in December 2024.
Key Decision Points:
Embedded product security: tirreno is designed to detect threats inside applications rather than at the network perimeter, focusing on compromised accounts and business logic abuse.
Self-contained PHP/PostgreSQL application: Deployment requires a standard web server with PHP and PostgreSQL, with a documented installation process that includes creating an administrator account and setting up a cron job.
API and SDK integration: Events are sent to tirreno through API calls or using provided SDKs for PHP, Python, Node.js, and WordPress.
Built-in review and scoring: Includes preset rules for detecting patterns like account takeover, credential stuffing, and content spam, with a review queue that can automatically suspend or flag accounts based on configurable thresholds.
Core Features:
API-based event ingestion: Send security events with full context to tirreno through API calls.
SDK support: Integrate using provided SDKs for PHP, Python, Node.js, and WordPress.
Real-time threat dashboard: Monitor and analyze product security events from a single built-in web interface.
Rule engine with preset rules: Calculate risk scores automatically using preset detection rules for patterns including account takeover, credential stuffing, content spam, and bot detection, or create custom rules.
Single user view: Examine behavior patterns, risk scores, connected identities, and activity timelines for individual users.
Review queue with threshold settings: Automatically suspend accounts with risky events or flag them for manual review based on configured thresholds.
Field audit trail: Track modifications to important fields, including what changed and when, to support audit and compliance workflows.
Use Cases:
Developers adding an embeddable security layer to self-hosted, internal, or legacy applications for audit trails, account takeover protection, and insider threat detection.
SaaS platform operators monitoring for cross-tenant data leakage, privilege escalation, data exfiltration, and business logic abuse.
E-commerce sites detecting payment fraud, account abuse, fake reviews, promotional code exploitation, and credential stuffing attacks.
Administrators monitoring non-human identities such as service accounts, API keys, and bots to detect compromised machine identities.
Open-Source Alternative Value:
tirreno provides a self-contained, embeddable alternative for application-layer security monitoring under the AGPL license. Since the project was open-sourced after operating as a proprietary system, it offers a mature codebase with preset detection rules, a review queue, and audit trail capabilities that teams can deploy on their own infrastructure. The availability of SDKs for multiple languages and a straightforward installation process allows developers to ingest security events and access a threat dashboard without relying on external security SaaS platforms for product-level threat detection.

