Keep
The open-source AIOps and alert management platform that unifies 130+ monitoring tools into a single pane of glass with AI-powered correlation, deduplication, and workflow automation.
Keep is an open-source AIOps and alert management platform built for SREs, DevOps engineers, and platform teams drowning in alert noise from dozens of disconnected monitoring tools. By aggregating alerts from over 130 providers — including Datadog, Prometheus, Grafana, CloudWatch, New Relic, and PagerDuty — into a unified interface, Keep eliminates the need to switch between tools to understand what is broken and why.
At its core, Keep uses a Google CEL-based rules engine to evaluate incoming alerts against user-defined correlation rules, automatically grouping related events into high-fidelity incidents and dramatically reducing alert fatigue. Enrichment pipelines add context from CMDBs, ticketing systems, and databases before human eyes ever see the alert. When intervention is needed, a GitHub Actions-style YAML workflow engine can trigger Jira ticket creation, Slack notifications, Python script execution, or any other automated response.
Keep supports multiple AI backends — OpenAI, Anthropic Claude, Google Gemini, DeepSeek, Ollama, and LlamaCPP — for alert summarization, root cause suggestions, and incident context gathering. Bi-directional integrations mean Keep can both receive alerts from and push actions back to tools like Datadog and PagerDuty, closing the loop without manual handoffs.
Deployed via Docker Compose or Kubernetes, Keep is production-tested and actively maintained with regular releases, a growing contributor community, and commercial cloud and enterprise offerings for teams that want managed infrastructure and enterprise security features.
What You Get
- Single pane of glass - Unified, customizable dashboard to view, filter, search, and query alerts from 130+ monitoring tools including Datadog, Prometheus, Grafana, CloudWatch, New Relic, and Dynatrace in one interface with real-time WebSocket updates.
- CEL-based alert correlation - Define correlation rules using Google’s Common Expression Language to automatically group related alerts from multiple sources into high-fidelity incidents, with deduplication fingerprinting per provider.
- AI-powered enrichment and summarization - Connect OpenAI, Anthropic Claude, Gemini, DeepSeek, Ollama, or LlamaCPP to summarize incident context, suggest root causes, and auto-generate incident reports from correlated alerts.
- YAML workflow automation engine - GitHub Actions-style workflows that trigger on alert conditions to create Jira tickets, send Slack messages, execute Python scripts, query databases, and push actions back to monitoring tools bidirectionally.
- Mapping and enrichment rules - Extract fields from alert payloads using regex, map alert attributes to CMDB data from NetBox or custom databases, and add ownership metadata before alerts reach on-call engineers.
- Topology-aware incident grouping - Build service dependency maps from provider-discovered infrastructure combined with manually defined relationships, enabling topology-aware alert correlation that understands upstream and downstream impact.
- Provider health checker - Real-time assessment of alert quality and integration health across connected providers, surfacing spammy or low-quality alert sources before they generate noise.
- Multi-tenancy and enterprise security - SSO, SAML, OIDC, LDAP authentication with RBAC and ABAC access control, team management, and air-gapped on-premises deployment support.
Common Use Cases
- Consolidating multi-cloud alert noise - An SRE team using Datadog for APM, CloudWatch for AWS infrastructure, and Prometheus for Kubernetes connects all three to Keep, defines correlation rules that group related alerts into single incidents, and cuts on-call page volume by deduplicating cross-tool noise.
- Automated incident response with Jira integration - A platform engineering team configures a Keep workflow that triggers when a critical Prometheus alert fires: it creates a Jira ticket, posts a Slack message with AI-generated context, and acknowledges the alert in PagerDuty — all without human intervention.
- Enriching alerts with CMDB context - An operations engineer sets up mapping rules that automatically enrich incoming CloudWatch alerts with service ownership data from NetBox and team routing from a MySQL table, so on-call engineers immediately see who owns the affected service.
- AI-powered incident summarization - A DevOps team connects Anthropic Claude to Keep so that when multiple alerts correlate into an incident, Keep generates a plain-English summary of what happened, what services are affected, and suggested remediation steps before the engineer even opens the incident.
- Building a custom alert dashboard - A startup with five different monitoring tools uses Keep’s preset and facet system to build team-specific alert views filtered by severity, environment, and service, replacing ad-hoc Slack alert channels with a structured, searchable interface.
Under The Hood
Architecture Keep follows a layered, provider-centric architecture where every external integration is encapsulated in a typed BaseProvider abstract class that enforces consistent authentication, webhook handling, deduplication fingerprinting, and scoped permissions across all 132 integrations. The alert processing pipeline flows from provider ingestion through an enrichment layer — supporting regex extraction, database mapping, and CMDB lookups — into a CEL-based rules engine that groups alerts into incidents, with each stage independently addressable and testable. FastAPI routes remain thin, delegating to dedicated business logic modules and a centralized database layer, while ARQ with Redis handles background alert processing asynchronously without blocking the HTTP layer. The enterprise edition identity management lives cleanly in an isolated ee/ directory, separating proprietary capabilities from the open-source core without polluting shared abstractions.
Tech Stack The Python 3.11+ FastAPI backend uses SQLModel with SQLAlchemy 2.0, supporting PostgreSQL via psycopg3 and MySQL via PyMySQL, with optional Elasticsearch for full-text alert search. The Next.js 15 frontend uses NextAuth for authentication and Tailwind CSS for styling, instrumented with Sentry for error tracking, PostHog for analytics, and Pusher/Soketi for real-time WebSocket alert delivery. Background task processing runs via ARQ with Redis as the message broker. The cel-python library implements Google’s Common Expression Language for alert correlation rules. Full-stack observability uses OpenTelemetry SDK with traces and metrics exported to Grafana, Loki, and Tempo. Docker Compose with environment-specific overrides is the primary deployment mechanism, with documented paths for Kubernetes, AWS ECS, and OpenShift.
Code Quality The codebase maintains extensive test coverage across 84 Python test files spanning unit, integration, and end-to-end scenarios, with comprehensive mocking of provider dependencies and database fixtures for isolated test execution. Type safety is enforced via Pydantic v1 schemas throughout the API layer, with SQLModel bridging ORM operations and runtime validation. The provider abstraction enforces interface consistency across all 132 integrations through abstract methods for alert ingestion, action dispatch, and webhook processing. Workflow YAML definitions are validated at parse time via Pydantic-backed models, preventing invalid configurations from reaching runtime. GitHub Actions CI pipelines handle semantic release automation and test execution. Naming conventions and module organization are consistent, with routes, business logic, and database access clearly separated.
What Makes It Unique Keep’s most distinctive technical capability is the combination of cel-python’s expression evaluation with automatic string-to-numeric severity normalization, enabling alert correlation rules that can compare severity levels across providers using a unified numeric scale without requiring custom normalization code per provider. The enrichment pipeline’s layered model — combining Chevron-templated attribute extraction, configurable mapping rules, external CMDB lookups, and AI enrichment — creates a composable enrichment chain that runs before human-visible alert display. The topology service generates service dependency maps from both auto-discovered provider relationships and user-defined manual mappings, enabling topology-aware grouping that understands blast radius. The PREMIUM_PROVIDERS gate elegantly enforces SaaS-tier restrictions on bash, Python, LlamaCPP, and Ollama workflow steps without scattering license checks across provider code.
Self-Hosting
Keep’s core codebase is released under the MIT license, which is one of the most permissive open-source licenses available. MIT allows unrestricted commercial use, modification, and redistribution. Self-hosters can deploy Keep in production environments without any royalties, license fees, or usage restrictions imposed by the license itself. The one important caveat is the ee/ directory: any code in that subdirectory is covered by Keep’s proprietary Enterprise Edition license, which requires a paid subscription for production use. The open-source core excludes these enterprise identity management features, so a self-hosted MIT deployment operates entirely on the permissively licensed code.
Running Keep yourself is a meaningful infrastructure commitment. The full stack requires Redis for background task processing and WebSocket management, a PostgreSQL or MySQL database for persistent storage, and the Keep backend and frontend services as separate containers. Optional components include Elasticsearch for full-text alert search, OpenTelemetry collectors, and Pusher or a self-hosted Soketi instance for real-time notifications. Docker Compose configurations covering development, auth-enabled, and ARQ worker variants are provided, and Kubernetes Helm charts and deployment guides for AWS ECS and OpenShift exist in the documentation. You are responsible for database backups, Redis persistence, service health monitoring, and rolling upgrades through Alembic migrations.
The managed cloud offering at platform.keephq.dev removes the operational burden of infrastructure management and adds enterprise features including SSO and SAML authentication, RBAC and ABAC access control, high availability, managed database backups, and priority support. The enterprise edition (ee/ directory) adds advanced identity management capabilities that are not available in the self-hosted MIT build without a subscription. Self-hosters also forgo access to the commercial support channel and SLA guarantees that enterprise subscribers receive, though the active Slack community and comprehensive documentation provide substantial community-level support for production deployments.
Related Apps
n8n
Automation · No Code Platforms
Code when you need it, UI when you don't — the workflow automation platform built for technical teams who refuse to choose.
n8n
OtherAutoGPT
Automation · Productivity · AI Assistants
Build, deploy, and run autonomous AI agents that automate complex multi-step workflows using a visual block-based graph editor.
AutoGPT
OtherUptime Kuma
Monitoring
Self-hosted monitoring for every service you run — 23 monitor types, 95 notification channels, live dashboards, and public status pages with no vendor lock-in.