tirreno: An Open-Source Security Framework for In-Product Threat Detection
Tirreno: An Open-Source Security Framework for Real-World Threat Detection Inside Your Product
In a world where breaches increasingly slip through the cracks of traditional perimeters, Tirreno offers a different approach. It’s an open-source security framework designed to sit inside your product, not just at the edge. Tirreno helps you understand, monitor, and protect your product from threats, fraud, and abuse by focusing on what actually happens inside your application. With a lightweight, hand-written PHP/PostgreSQL core, Tirreno promises quick deployment, real-time visibility, and a flexible rule system that adapts to your product’s unique risk landscape.
What Tirreno Is and Why It Matters
Traditionally, cybersecurity has centered on infrastructure, networks, and edge defenses—firewalls, SIEMs, WAFs, and the like. But most modern breaches occur through compromised accounts and abuse of application logic that can bypass those defenses. Tirreno shifts the emphasis toward the inside of your product, providing an in-app security layer that complements your existing controls. The result is a real-time threat dashboard, contextual risk scoring, and automated mechanisms to suspend or flag risky behavior.
Tirreno is built to be practical and approachable. It’s designed to be self-hosted, low in dependencies, and easy to install. After a straightforward five-minute setup, you can start ingesting events via API calls and immediately access a live threat dashboard. This combination of immediacy and visibility makes it a compelling option for developers and security teams who want to see risks where they arise — in the day-to-day flows that power their products.
Core Components: What Makes Tirreno Work
Tirreno is composed of a small set of focused, well-integrated components that work together to monitor, analyze, and respond to security events inside your product. Each piece is designed to be straightforward to integrate and to provide maximum insight with minimal overhead.
- SDKs and API: Tirreno can be dropped into nearly any product through its SDKs. With minimal code, you can send events that come with rich context and get the data into Tirreno’s analytics pipeline quickly.
- Built-in dashboard: A centralized interface to monitor and understand your product’s security events. Designed to be ready for use in minutes after installation, the dashboard consolidates alerts, trends, and key metrics.
- Single-user view: A focused perspective on a particular user’s behavior, risks, identities, and activity timelines. This view helps you understand how one user interacts with your system and where anomalies or high-risk patterns appear.
- Rule engine: The core of Tirreno’s risk-scoring logic. It can automatically calculate risk scores with preset rules, and you can also create customized rules tailored to your product’s specifics.
- Review queue: An automated mechanism for actioning risky events. Tirreno can automatically suspend accounts with risky events or flag them for manual review, using threshold settings to balance security and user experience.
- Field audit trail: Keeps track of changes to important fields by capturing what changed and when. This makes audits and compliance processes more transparent and reliable.
Presets That Cover Common Threat Scenarios
Tirreno ships with a set of preset rules that address a broad spectrum of real-world abuse vectors. These rules help teams get up and running quickly and ensure that common threats are detected out of the box. Examples of preset rules include:
- Account takeover
- Credential stuffing
- Content spam
- Account registration abuse
- Fraud prevention
- Insider threat
- Bot detection
- Dormant account
- Multi-accounting
- Promo abuse
- API protection
- High-risk regions
These presets provide a starting point for risk scoring and incident triage, enabling teams to tune thresholds and create a baseline security posture that matches their product’s risk profile.
Built for a Wide Range of Environments and Use Cases
Tirreno is designed to be flexible and applicable to many kinds of products and deployments. Its architecture and feature set target several major use cases:
- Self-hosted, internal, and legacy apps: Add a security layer to extend protection, maintain audit trails, defend user accounts from takeover, and monitor insider threats.
- SaaS and digital platforms: Prevent cross-tenant data leakage, online fraud, privilege escalation, data exfiltration, and business-logic abuse.
- E-commerce and online marketplaces: Detect payment fraud, account abuse, fake reviews, promo-code abuse, inventory manipulation, and protect against credential stuffing and carding attacks.
- Mission-critical applications: Provide sensitive protection even in air-gapped deployments.
- Industrial control systems (ICS) and command-and-control (C2) environments: Guard operational technology and critical infrastructure from unauthorized access and malicious commands.
- Non-human identities (NHIs): Monitor service accounts, API keys, bot behavior, and detect compromised machine identities.
- API-first applications: Guard against abuse, rate-limit bypasses, scraping, and unauthorized access.
Live Demonstrations and How to See Tirreno in Action
If you want to see Tirreno in motion, a live demo is available. You can explore the live demo at play.tirreno.com, using the admin credentials (admin/tirreno). The demo is a practical way to understand how the dashboard presents events, how risk scores evolve, and how the review queue operates in near real time.
Requirements: What You Need to Run Tirreno
To install and operate Tirreno, you’ll need a modest set of prerequisites. The project emphasizes a lightweight footprint, yet it remains a robust platform for security analytics.
- PHP: Version 8.0 to 8.3
- PostgreSQL: Version 12 or greater
- PHP extensions: PDO_PGSQL and cURL
- HTTP web server: Apache with mod_rewrite and mod_headers enabled
- Operating system: Unix-like systems are recommended
- Minimum hardware:
  - PostgreSQL: 512 MB RAM (4 GB recommended)
  - Tirreno application: 128 MB RAM (1 GB recommended)
  - Storage: Approximately 3 GB PostgreSQL storage per 1 million events
Docker-Based Installation for Quick Start
For teams who want to get started quickly, Tirreno provides a Docker-based installation path. A simple command can pull and run Tirreno in a containerized environment, enabling you to stand up the system with minimal friction. The typical workflow involves piping a YAML configuration from Tirreno’s site into Docker Compose to create and start the stack in the background.
- Example command: curl -sL tirreno.com/t.yml | docker compose -f - up -d
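Piping a remote file straight into Docker Compose starts whatever the server returns at that moment. The following is an added example, not part of the Tirreno project: it saves the file first and lists image references that are not pinned to a digest. The `https://` form of the URL and the function names are assumptions.

```shell
#!/bin/sh
# Added example: review the compose file before starting the stack.
# Assumption: the URL from the command above, written out with https://.
COMPOSE_URL="https://tirreno.com/t.yml"

# Download to a file so that what was reviewed is exactly what gets run.
# Fails closed if any hop of the download is not HTTPS.
fetch_compose() {
    curl -fsSL --proto '=https' --proto-redir '=https' -o "$1" "$COMPOSE_URL"
}

# Print every image reference declared in a compose file, one per line
# (trailing comments and surrounding quotes are stripped).
compose_images() {
    sed -n 's/^[[:space:]]*image:[[:space:]]*//p' "$1" |
        sed -e 's/[[:space:]]*#.*$//' -e "s/^[\"']//" -e "s/[\"']\$//"
}

# Print the images that are not pinned to a content digest (@sha256:...).
# Tags such as "latest" can point at different content on every pull.
unpinned_images() {
    compose_images "$1" | grep -v '@sha256:[0-9a-f]\{64\}$' || true
}

# Usage (not run automatically):
#   fetch_compose t.yml && cat t.yml && unpinned_images t.yml
#   docker compose -f t.yml config >/dev/null && docker compose -f t.yml up -d
```
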
Quickstart Install: Step-by-Step at a Glance
A straightforward five-step process helps you get up and running with Tirreno on a server.
1) Download the latest version of Tirreno (ZIP file) from the official download page.
2) Extract tirreno-master.zip to the location on your web server where you plan to host the app.
3) Open a browser and navigate to http://localhost:8585/install/index.php to begin the installation flow.
4) After a successful install, remove the install/ directory to close the installation channel.
5) Navigate to http://localhost:8585/signup/ to create the administrator account.
A note on cron jobs: to schedule Tirreno’s background processing, add a cron entry that runs every 10 minutes. You can either use crontab -e or edit the system’s cron spool directory. The schedule would look like: */10 * * * * /usr/bin/php /absolute/path/to/tirreno/index.php /cron
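A leftover install/ directory and a missing or mistyped cron entry are the two easiest things to get wrong in the steps above. The following check is an added example, not part of the Tirreno project; the function names and the deployment path in the usage line are assumptions.

```shell
#!/bin/sh
# Added example: post-install checks for the quickstart steps above.

# Step 4: the install/ directory must be gone once installation succeeded.
install_dir_removed() {
    [ ! -e "$1/install" ]
}

# Cron note: read crontab text on stdin and succeed only if it holds an
# active (uncommented) entry running "<root>/index.php /cron" every 10 minutes.
cron_entry_present() {
    awk -v want="$1/index.php" '
        /^[[:space:]]*#/ { next }
        $1 == "*/10" && $2 == "*" && $3 == "*" && $4 == "*" && $5 == "*" {
            for (i = 6; i < NF; i++)
                if ($i == want && $(i + 1) == "/cron") found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# Run both checks; arguments are the app root and the crontab text.
check_tirreno_install() {
    root=$1
    crontab_text=$2
    status=0
    if install_dir_removed "$root"; then
        echo "ok: install/ removed"
    else
        echo "FAIL: $root/install still exists; remove it (step 4)"
        status=1
    fi
    if printf '%s\n' "$crontab_text" | cron_entry_present "$root"; then
        echo "ok: cron entry found"
    else
        echo "FAIL: no active */10 cron entry for $root/index.php /cron"
        status=1
    fi
    return $status
}

# Usage (not run automatically; /var/www/tirreno is an assumed path):
#   check_tirreno_install /var/www/tirreno "$(crontab -l 2>/dev/null)"
```
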
Heroku Deployment (Optional)
If you prefer a cloud-hosted approach, Tirreno offers a Heroku deployment option. You can deploy from a template that points to Tirreno’s repository and start experimenting with Tirreno in a scalable, managed environment.
Composer, Packagist, and Ecosystem Integration
Tirreno is also available through Composer and Packagist, allowing you to integrate it into existing PHP projects with familiar tooling.
- Quick start with Composer: composer create-project tirreno/tirreno
- Or integrate into an existing project: composer require tirreno/tirreno
SDKs: Language Bindings for Diverse Environments
Tirreno provides SDKs for several languages to streamline integration:
- PHP (tirreno-php-tracker)
- Python (tirreno-python-tracker)
- Node.js (tirreno-nodejs-tracker)
- WordPress (tirreno-wordpress-tracker)
Documentation: Guides for Users, Developers, and Admins
Comprehensive documentation helps teams install, configure, and extend Tirreno:
- User guide: https://docs.tirreno.com
- Developers documentation: https://github.com/tirrenotechnologies/DEVELOPMENT.md
- Admin documentation: https://github.com/tirrenotechnologies/ADMIN.md
Background, Philosophy, and the Name Tirreno
Tirreno is an open-source security framework that embeds protection against threats, fraud, and abuse directly into your product. The project began as a proprietary system in 2021 and opened its codebase under the AGPL in December 2024. A blend of experienced engineers and cyberdefense professionals stands behind Tirreno, driven by real-world threats and a commitment to open technologies. The project champions a philosophy of approachable, practical security that does not rely on venture capital-driven gimmicks but on robust engineering and an ethical, user-centered approach.
Why the name Tirreno?
The name “Tirreno” draws inspiration from the Tyrrhenian Sea and its historical associations. The Tyrrhenian or Tirreno people are linked to the Etruscans, and the term evokes signals and warnings used in ancient times—trumpets signaling coming threats, a concept that resonates with Tirreno’s mission of detecting and signaling risk before harm occurs. The designers kept the word in lowercase as a nod to textual accuracy and historical sources. The logo depicts the wordmark rising behind a horizon line, a metaphor for the endless evolution of the threat landscape and the commitment to rise above it.
Getting to Know Tirreno: Documentation, Community, and Resources
Beyond the core product, Tirreno offers an ecosystem of resources to help teams get the most out of the framework:
- Website: https://www.tirreno.com
- Live demo: https://play.tirreno.com
- Admin documentation: https://github.com/tirrenotechnologies/ADMIN.md
- Developers documentation: https://github.com/tirrenotechnologies/DEVELOPMENT.md
- Resource center: https://www.tirreno.com/bat/
- Docker Hub: https://hub.docker.com/r/tirreno/tirreno
- User guide: https://docs.tirreno.com
- Packagist: https://packagist.org/packages/tirreno/tirreno
- Mattermost community: https://chat.tirreno.com
Security Reporting and Responsible Disclosure
If you encounter a security issue with Tirreno, the project asks for responsible disclosure. Report security issues to security@tirreno.com. Public disclosure on GitHub is avoided during the remediation process. Tirreno commits to a clear process: acknowledge receipt, reproduce and confirm the vulnerability, release updated versions, announce the fix in release notes, and provide credit to the reporter if requested.
License and Warranty
Tirreno is released under the GNU Affero General Public License v3 (AGPLv3). The license ensures freedom to use, modify, and share Tirreno, while preserving the same rights in derivative works. The project emphasizes that Tirreno is distributed with no warranty, and it is provided as-is.
Authors and the Team
The authorship credits Tirreno Technologies sàrl, based in Vaud, Switzerland, with the 2026 publication of Tirreno under AGPLv3. The project emphasizes a human-centered ethos and a commitment to solving real-world security challenges with “ascétique” coding and open technologies — a philosophy that underpins every feature and design decision.
A Roadmap for Practitioners: How to Adopt Tirreno in Your Organization
If you’re evaluating Tirreno for your product, here are practical steps and considerations to help you plan a successful integration:
- Start with the core risk events: identify your product’s primary abuse patterns (e.g., account takeover, fraud, bot abuse) and enable the corresponding preset rules as a baseline.
- Integrate with your product via SDKs: choose the language that aligns with your stack, instrument critical events with rich context, and validate that the data appears in the dashboard in real time.
- Deploy in a controlled environment first: use a staging or development instance to validate data quality, rule behavior, and the performance impact.
- Define risk thresholds: tune the scoring system to align with your business impact tolerance. Decide how aggressive suspensions should be and when manual review is warranted.
- Establish audit and compliance workflows: leverage the field audit trail to maintain a robust history of sensitive data changes and user actions.
- Plan your data retention and privacy approach: ensure that event data handling complies with applicable data protection regulations and your internal policies.
- Set up automated and manual review channels: balance automated suspensions with a review queue to reduce legitimate user friction while maintaining security vigilance.
- Consider deployment options: Docker, Composer, Heroku, or direct deployment on Unix-like servers—choose the path that fits your team’s skills and operational model.
- Leverage the ecosystem: explore SDKs for PHP, Python, Node.js, and WordPress to extend Tirreno’s reach across your applications and services.
A Final Word: The Security That Fits Inside Your Product
Tirreno presents a compelling approach to modern security challenges by folding protection into the product itself. Its architecture emphasizes real-time visibility, contextual risk scoring, and operability through a simple, flexible rule engine. The emphasis on self-hosted deployment, lightweight dependencies, and ease of installation makes Tirreno accessible to a wide range of organizations—from startups to enterprises with strict data sovereignty requirements.
For teams that want a security layer that evolves with the threat landscape, Tirreno offers a practical, principled alternative to “bolt-on” security approaches. By focusing on threats where they actually occur—in the application and among user and service identities—Tirreno helps you protect your product, your users, and your business logic without undue complexity or proprietary lock-in.
Key Takeaways
- Tirreno is an open-source security framework designed to embed protection directly into applications.
- It provides a real-time threat dashboard, risk scoring, a rule engine, and a review queue.
- Preset rules cover common abuse vectors, from account takeover to API abuse.
- The platform supports a wide range of deployment scenarios: self-hosted, SaaS, e-commerce, ICS/C2, NHIs, and API-first apps.
- Quickstart options include Docker-based installation, direct installation, Composer integration, and optional Heroku deployment.
- Comprehensive documentation and SDKs support PHP, Python, Node.js, and WordPress integrations.
- The project is AGPLv3 licensed and values responsible security disclosure and community collaboration.
If you want to learn more or try Tirreno for your product, visit the official website, explore the live demo, and consult the user and developer documentation to tailor Tirreno to your specific security needs. The journey toward in-product threat intelligence and proactive defense starts with a simple decision to bring security closer to where risk actually materializes—inside your product.
Repository: https://github.com/tirrenotechnologies/tirreno