tirreno is an open-source security framework designed to detect cyber threats, account takeovers, bots, and business logic abuse at the application level. Unlike traditional infrastructure-focused tools like SIEMs or WAFs, tirreno operates inside your application by analyzing user behavior, account activity, field changes, and API usage patterns. It’s built for developers and security teams who need to protect applications where attacks actually occur—through compromised credentials, insider threats, or logic exploits. With low dependencies (PHP 8.0–8.3 + PostgreSQL), it can be self-hosted on-premises, in air-gapped environments, or via Docker, making it ideal for legacy systems, SaaS platforms, industrial control systems, and compliance-heavy industries like finance, healthcare, and government.
The framework ingests events via API calls and provides a real-time dashboard to visualize threats without requiring complex integrations. Its AGPLv3 license and minimal architecture make it accessible for organizations that need full control over their security data, especially those with strict data sovereignty or regulatory requirements.
What You Get
- Real-time threat dashboard - Visualize active threats, suspicious user behavior, and bot activity through an intuitive web interface with live event streams and risk scoring.
- Event ingestion via API - Integrate tirreno into any application by sending structured event data through HTTP POST requests to /api/events, enabling monitoring of user actions, field changes, and API calls.
- User and account behavior analysis - Detect anomalies like credential stuffing, unusual login locations, privilege escalation, and account sharing by analyzing historical user patterns.
- Bot and non-human identity detection - Identify automated bots, compromised service accounts, and API abuse by monitoring request frequency, headers, and authentication patterns.
- Audit trails and audit logs - Automatically log all user actions and system events for compliance with HIPAA, FERPA, GDPR, or other regulatory frameworks.
- Self-hosted deployment - Deploy on your own server with no cloud dependency; supports Apache with mod_rewrite, PHP 8.0–8.3, and PostgreSQL 12+ for full data control.
- Docker support - Run tirreno in containers using the official Docker image, which is pulled with a single command:
docker pull tirreno/tirreno:latest
- Cron-based background processing - Automate threat analysis and log cleanup with a cron job scheduled to run every 10 minutes:
*/10 * * * * /usr/bin/php /absolute/path/to/tirreno/index.php /cron
Common Use Cases
- Building a multi-tenant SaaS platform - Prevent cross-tenant data leakage and privilege escalation by monitoring user access patterns and flagging unauthorized data queries across tenants.
- Protecting healthcare portals with HIPAA compliance - Detect and alert on unauthorized access to PHI/PII data by staff members, creating immutable audit trails for regulatory audits.
- Detecting credential stuffing attacks on e-commerce platforms - Identify rapid login attempts across multiple accounts using IP, user-agent, and timing analysis to block automated bots before they compromise accounts.
- Securing industrial control systems (ICS) in air-gapped environments - Monitor operator commands and API calls to critical infrastructure without requiring internet connectivity, using local deployment.
- Monitoring non-human identities (NHIs) - Track API key usage patterns, detect anomalous service account behavior, and alert on excessive or unusual machine-to-machine interactions.
- DevOps teams managing legacy applications - Add security monitoring to old PHP or internal apps without rewriting them, using simple API-based event ingestion and minimal infrastructure overhead.
Under The Hood
Tirreno is an open-source security framework designed for fraud detection, threat monitoring, and protection against cyber abuse. It offers a modular architecture with extensive administrative interfaces and rule-based context evaluation capabilities that enable dynamic threat assessment and response.
Architecture
Tirreno follows a layered MVC-style architecture with strong separation between controllers, models, and assets. The system uses a modular controller structure organized by administrative functions and API endpoints.
- Modular controller hierarchy with base classes for common functionality
- Clear separation of concerns between admin interfaces, API controllers, and core logic
- Extensive use of abstract classes to enforce consistent behavior across components
Tech Stack
Built primarily on PHP with a focus on security and extensibility, leveraging modern frameworks and libraries for robust operation.
- PHP 8+ with strict typing and modern language features
- Fat-Free Framework (F3) as the core MVC framework
- Integration with Ruler library for rule-based context evaluation
- Extensive use of PSR-4 autoloading and custom namespace handling
Code Quality
Tirreno demonstrates solid code organization with consistent naming and structured error handling, though some areas show potential for improvement in test coverage.
- Consistent use of namespaces and class hierarchies
- Strong error handling with custom onError functions and error codes
- Extensive configuration-based approach for environment and route management
- Moderate test coverage with some missing unit tests in core modules
What Makes It Unique
Tirreno stands out through its rule-based context evaluation system and modular administrative interface design that allows for flexible threat detection and response.
- Rule-based context evaluation using the Ruler library for dynamic threat assessment
- Modular admin interface with dedicated controllers for each administrative function
- Extensible asset system that allows custom context and rule implementations
- Integrated API key management with usage tracking and subscription integration