tirreno is an open-source security framework designed to detect threats, fraud, and abuse at the application layer, where most breaches occur through compromised accounts and logic exploits. It’s built for developers and product teams who need real-time monitoring of user behavior, field changes, and API abuse without relying on network-level tools. With minimal dependencies and a self-hosted architecture, it integrates into legacy systems, SaaS platforms, ICS, and air-gapped environments.
tirreno uses PHP 8.0–8.3 and PostgreSQL 12+ with PDO_PGSQL and cURL extensions. It supports Docker, Heroku, and Composer-based deployments, and provides SDKs for PHP, Python, and Node.js to send contextual events. The system includes a built-in dashboard, rule engine, and audit trails, enabling teams to monitor risk scores, review suspicious activity, and enforce automated actions without changing their stack or DNS.
What You Get
- SDKs & API - Integrate tirreno into any application using official SDKs for PHP, Python, and Node.js to send events with full user and context data via simple API calls.
- Built-in dashboard - Real-time visual interface to monitor security events, risk scores, and user activity without external tools or complex SIEM configurations.
- Single user view - Analyze a user’s complete activity timeline, connected identities, behavior patterns, and risk scores to detect account compromise or multi-accounting.
- Rule engine - Automatically calculate risk scores using preset rules (e.g., credential stuffing, promo abuse) or create custom rules based on event patterns and thresholds.
- Review queue - Automatically flag or suspend accounts based on risk thresholds, enabling manual review workflows for suspicious activity without manual log parsing.
- Field audit trail - Track all modifications to critical fields (e.g., email, permissions, balances) with timestamps and user context to meet compliance and forensic needs.
Common Use Cases
- Running a SaaS platform with fraud risk - A fintech startup uses tirreno to detect fake account creation, promo abuse, and chargeback fraud by analyzing user behavior and transaction patterns in real time.
- Protecting internal legacy systems - A healthcare provider embeds tirreno into an old patient portal to monitor unauthorized field changes and detect insider threats without replacing the legacy stack.
- Securing API-first microservices - A logistics company uses tirreno to detect API scraping, rate-limit bypasses, and unauthorized access to shipping endpoints via event-based risk scoring.
- Monitoring industrial control systems (ICS) - An energy firm deploys tirreno on an air-gapped C2 system to detect anomalous machine identity behavior and unauthorized command sequences.
Under The Hood
Architecture
- Built on FatFree Framework with explicit routing configurations that cleanly separate HTTP endpoints from business logic
- Layered structure with controllers delegating to domain-specific models, though direct instantiation introduces tight coupling
- Hierarchical model design with base classes enabling reuse across security domains like blacklists and user searches
- Dictionary-based localization system decouples UI text from application logic, though static entries limit dynamic translation
- Procedural utility classes handle cross-cutting concerns like security and environment validation, creating implicit dependencies
- PSR-4 autoloading with custom fallback maintains namespace integrity but ties initialization to framework-specific bootstrapping
Tech Stack
- PHP 8.1 backend powered by FatFree Framework for routing and application flow
- PostgreSQL database (Heroku Postgres in the reference deployment) with schema migrations managed through application startup
- Composer-managed dependencies including PHPMailer, Ruler for rule-based decisioning, and Matomo Device Detector for threat analysis
- Heroku deployment with custom Nginx configs, PHP buildpack, and scheduled cron jobs for background processing
- HTTPS enforcement and file permission controls applied at the application level for security hardening
Code Quality
- Extensive test suite with unit-level coverage, using environment mocking to isolate behavior and ensure reliability
- Strong type safety enforced through strict typing, PHPDoc annotations, and explicit return types across the codebase
- Robust error handling with meaningful exceptions and validation logic that enhances debuggability
- Consistent PSR-compliant naming and modular organization that reflects clear domain boundaries
- Proactive code maintenance evident through TODOs in test files and comprehensive linting practices
What Makes It Unique
- Native integration of behavioral anomaly detection into event logging to identify account takeovers in real time
- Dynamic rule engine with human-readable syntax enabling non-technical users to define custom fraud rules
- Immutable audit trails that chain user actions across sessions and devices to reconstruct attack sequences
- Context-aware blacklist system that correlates identity signals to reduce false positives
- PHP-based frontend with embedded routing and localization that delivers rich interactivity without modern JavaScript frameworks
- Unified API and UI layer synchronizing real-time threat visualizations with granular access controls for cohesive security operations