tirreno
Tirreno lets you run a security framework for threat detection entirely on your own server.
Open-source threat detection, honestly reviewed. No marketing fluff, just what you get when you embed it in your product.
TL;DR
- What it is: Open-source (AGPL-3.0) security framework that instruments your application to detect threats, fraud, and abuse from inside — not just at the network perimeter [README].
- Who it’s for: Developers and small product teams building internal tools, SaaS platforms, or legacy apps who want behavioral threat detection without paying enterprise SIEM prices. Requires PHP/PostgreSQL familiarity [README].
- Cost savings: Enterprise fraud detection and SIEM platforms (Splunk, Datadog security) run hundreds to thousands per month. tirreno self-hosted runs on commodity hardware — the software is free [README][pricing page].
- Key strength: It detects threats where they actually happen — inside your app logic, not at the firewall. The single-user behavior view and rule engine are genuinely useful for teams without a dedicated SOC [README][2][3].
- Key weakness: AGPL-3.0 license has commercial use restrictions. PHP/Apache stack is not what most modern teams run. Independent third-party reviews are essentially nonexistent as of this writing — almost all available content is first-party.
What is tirreno
tirreno is a security framework you embed inside your application, not alongside it. The core insight is that most breaches don’t come through firewalls — they come through compromised accounts and abused application logic that looks perfectly legitimate to network-layer defenses. A user with valid credentials exfiltrating client records, a payroll clerk adjusting figures within their permitted access, a departing employee bulk-downloading documents — none of this trips a WAF or SIEM alert because it’s technically authorized behavior [3].
What tirreno gives you is visibility into those behavioral patterns. You instrument your application by sending events to the tirreno API — logins, page views, data modifications, API calls — and tirreno builds a risk profile per user. The dashboard shows you the full timeline of a user’s behavior, risk scores, connected identities (shared IPs, devices, browser fingerprints), and flags accounts that match threat signatures [README][2].
The tech stack is PHP 8.0–8.3 with PostgreSQL 12+ and Apache. The README calls it a “few-dependency, low-tech PHP/PostgreSQL application” — which is both honest and a feature. Low dependencies means small attack surface, which matters in a security tool [README]. The project sits at 1,170 GitHub stars, is headquartered in Yverdon-les-Bains, Switzerland (tirreno Technologies Sàrl), and ships a live demo at play.tirreno.com (login: admin/tirreno) [README][homepage].
The license is AGPL-3.0. That’s meaningfully different from MIT — read the licensing section before embedding this in a commercial product you distribute.
Why people choose it
Independent third-party reviews of tirreno are sparse. The available sources are primarily tirreno’s own documentation and website content, so take the framing accordingly. What the first-party content does demonstrate clearly is the problem the tool is solving — and it’s a real problem that most small teams handle badly or not at all.
The insider threat blog post [3] is the clearest articulation of where tirreno fits. It opens by acknowledging that most insider threat guidance assumes you have a SOC, endpoint detection agents, DLP tools, and a SIEM budget. Then it walks through the actual behavioral signals that indicate misuse in ERP systems, CRMs, healthcare platforms, HR tools, and document management systems: a sales rep who exports their entire book of business before leaving, a billing clerk who modifies procedure codes, an IT admin accessing personnel files without a corresponding help desk ticket. The common thread is that all of these actions are technically permitted — the only signal is that the pattern is abnormal.
That’s the gap tirreno fills. It doesn’t replace infrastructure security. It adds the application-layer behavioral layer that most teams skip because it’s expensive (enterprise SIEM) or requires dedicated engineering effort (building it yourself).
The use cases page [2] maps to specific business scenarios: account takeovers, insider threat detection, compliance monitoring, field audit trails, multi-accounting and password sharing, non-human identity monitoring (service accounts, API keys, bots), and click fraud detection for ad campaigns. The breadth suggests this isn’t just for one vertical — it’s positioned as a horizontal security layer for anything that has users doing things you care about.
Features
Based on the README and official documentation:
Core instrumentation:
- SDKs and REST API for sending events from any application stack [README]
- Nginx reverse proxy integration via mirroring — you can instrument an existing app without code changes [1]
- Events carry full context: user ID, IP address, user agent, referrer, HTTP method, URL, timestamp, browser language [1]
- Apache with mod_rewrite required for the dashboard; the API accepts standard HTTP POST [README]
Dashboard and analysis:
- Real-time threat dashboard after a “five-minute installation” [README]
- Single user view: behavior patterns, risk scores, connected identities, activity timelines [README]
- Field audit trail: tracks what data was modified, by whom, and when [README][2]
- Review queue: automatically suspend or flag accounts that hit risk thresholds [README]
Detection engine:
- Rule engine with preset rules and custom rule support [README]
- Preset rules cover: account takeover, credential stuffing, content spam, account registration, fraud prevention, insider threat, bot detection, dormant accounts, multi-accounting, promo abuse, API protection, high-risk regions [README]
- Risk scoring is continuous and automated [README]
Deployment:
- Docker Compose one-liner: curl -sL tirreno.com/t.yml | docker compose -f - up -d [README]
- Heroku deploy button in the README for quick cloud trials [README]
- Available via Composer and Packagist [README]
- Air-gapped deployment supported — relevant for industrial control systems and mission-critical environments [README]
Hardware requirements:
- PostgreSQL: 512MB RAM minimum, 4GB recommended
- Application: 128MB RAM minimum, 1GB recommended
- Storage: approximately 3GB PostgreSQL storage per 1 million events [README]
Pricing: SaaS vs self-hosted math
The pricing page confirms a Community Edition exists and is free for developer teams who want to self-host. The full commercial tier details weren’t available in the scraped content, but the website mentions “custom packages available for mission-critical organizations” suggesting enterprise pricing is contact-sales [homepage][pricing page].
tirreno self-hosted (Community Edition):
- Software license: $0 (AGPL-3.0, with restrictions — see below)
- Server: a VPS with 1GB+ RAM covers most small deployments; $5–15/month on Hetzner or Contabo
- PHP/Apache stack — most shared hosting providers include this, which is unusual for self-hosted security tools
AGPL-3.0 caveat: AGPL is not MIT. The key restriction: if you run tirreno as a network service as part of a product you distribute to others, you must open-source your changes to tirreno. For internal tooling and self-hosted apps where you’re the operator, this doesn’t bite you. If you’re embedding tirreno in a SaaS product you sell, consult a lawyer. The README doesn’t address commercial licensing explicitly — the “custom packages for mission-critical organizations” contact-sales path presumably covers that [README][homepage].
Versus enterprise alternatives: Data on exact pricing for tirreno commercial tiers is not available from the provided sources. What is clear is the comparison class: Splunk, Datadog security monitoring, Sumo Logic, and dedicated fraud platforms like Kount or Sift charge hundreds to thousands per month depending on event volume. For a team that only needs behavioral monitoring for a few hundred users in an internal app, paying enterprise SIEM rates is absurd — and tirreno is the only self-hosted open-source option in this specific niche that’s production-ready enough to have a live demo and documented deployment path.
Deployment reality check
The README’s claim of “five-minute installation” is optimistic but the underlying stack is genuinely simpler than most self-hosted tools. PHP and PostgreSQL are ubiquitous — many teams already have this infrastructure somewhere.
Docker path (fastest):
curl -sL tirreno.com/t.yml | docker compose -f - up -d
Then navigate to http://localhost:8585/install/index.php to complete setup, delete the install/ directory, and create your admin account at /signup/ [README].
Manual install path: Download the ZIP, extract to your web server, run the installer in the browser, set up a cron job for every 10 minutes, done [README].
Cron job requirement:
tirreno requires a cron entry — */10 * * * * /usr/bin/php /path/to/tirreno/index.php /cron — for background processing. This is standard for PHP apps but something Docker users sometimes miss [README].
Nginx integration:
The documentation includes a full Nginx reverse proxy configuration that uses request mirroring [1]. This is the “instrument without code changes” path — Nginx mirrors every request to the tirreno API in the background without affecting the target app’s response time. The configuration is non-trivial: it requires a map directive for time formatting (Nginx can’t natively format timestamps to the Y-m-d H:i:s.v format tirreno requires), UTC timezone enforcement, and careful extraction of user identity [1].
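As an added example (not code from the tirreno project or its documentation), the following Python builds one event with the fields the page lists, renders the timestamp in the Y-m-d H:i:s.v form in UTC (converting any non-UTC or naive input, which is the step Nginx cannot do natively), and posts it. The JSON key names, the /sensor/ path and the Api-Key header are assumptions to check against your own tirreno installation.

```python
"""Added example: build and send a tirreno-style event from request context.

Field names, the "/sensor/" path and the "Api-Key" header are assumptions
for illustration; check them against the tirreno API reference.
"""
import json
import re
import urllib.request
from datetime import datetime, timedelta, timezone

# PHP "Y-m-d H:i:s.v" -> e.g. "2025-11-25 14:03:07.123" (milliseconds, UTC)
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}$")


def format_event_time(when):
    """Render `when` as Y-m-d H:i:s.v in UTC.

    Accepts a datetime (naive values are taken as UTC, aware values are
    converted) or a float epoch such as nginx's $msec. strftime has no
    millisecond directive, so microseconds are truncated to three digits.
    """
    if isinstance(when, (int, float)):
        when = datetime.fromtimestamp(when, tz=timezone.utc)
    elif when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    when = when.astimezone(timezone.utc)
    return when.strftime("%Y-%m-%d %H:%M:%S.") + f"{when.microsecond // 1000:03d}"


def build_event(user_id, ip, user_agent, url, method,
                referrer="", language="", when=None):
    """Assemble the per-request context the page lists (assumed key names)."""
    if when is None:
        when = datetime.now(timezone.utc)
    event = {
        "userName": user_id,
        "ipAddress": ip,
        "userAgent": user_agent,
        "url": url,
        "httpMethod": method,
        "httpReferer": referrer,
        "browserLanguage": language,
        "eventTime": format_event_time(when),
    }
    if not TIMESTAMP_RE.match(event["eventTime"]):
        raise ValueError("eventTime is not in Y-m-d H:i:s.v form")
    return event


def send_event(event, base_url, api_key, opener=urllib.request.urlopen):
    """POST the event as JSON; `opener` is injectable so it can run offline."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/sensor/",
        data=json.dumps(event).encode(),
        headers={"Content-Type": "application/json", "Api-Key": api_key},
        method="POST",
    )
    with opener(req, timeout=5) as resp:
        return resp.status
```

Call build_event() from your request handler (or from a small sidecar fed by nginx's $msec and request variables) and hand the result to send_event(); a CET timestamp such as 15:03:07.123+01:00 comes out as 2025-11-25 14:03:07.123.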
What can go wrong:
- The Nginx configuration has significant placeholders that must be replaced with real values. The documentation explicitly warns: “testing in a development or staging environment is crucial… using these settings without prior testing and validation is strongly discouraged” [1].
- Identifying the correct user identity variable ($APPUSERID in the example) requires understanding your own application’s auth flow — there’s no magic here [1].
- Air-gapped or ICS deployments are mentioned as supported but documentation for those scenarios isn’t publicly detailed [README].
- PHP 8.0–8.3 is the supported range. PHP 8.4 (released December 2024) is not yet on the list — worth checking compatibility before deploying on newer systems [README].
Realistic setup time: 30–60 minutes for a technical user doing the Docker path on a fresh VPS. Manual install with Nginx mirroring: 2–4 hours, including testing that events actually show up in the dashboard.
Pros and Cons
Pros
- Fills a real gap. Application-layer behavioral monitoring is genuinely underserved for teams that aren’t running enterprise SIEM. Most small teams have zero visibility into what authenticated users are doing — tirreno gives you that visibility [3][README].
- Low-dependency stack. PHP/PostgreSQL is everywhere. No Kubernetes, no Elasticsearch, no Kafka. The minimal attack surface argument is real for a security tool [README].
- Docker one-liner deployment. The actual install path is fast [README].
- Air-gapped deployment supported. Rare in this category — relevant for industrial control systems, healthcare, and mission-critical environments where data cannot leave the network [README].
- Preset rule library covers common threats. Account takeover, credential stuffing, bot detection, insider threat, promo abuse — these are ready to use without custom rule development [README].
- SDK + Nginx mirroring = two integration paths. You can either instrument at the code level or instrument at the proxy level without touching application code [README][1].
- Live demo available. play.tirreno.com with credentials in the README. You can evaluate the actual UI before committing to deployment [README].
- Swiss company. Tirreno Technologies Sàrl is based in Yverdon-les-Bains, Switzerland. For teams with European data residency requirements, this matters [homepage].
Cons
- AGPL-3.0, not MIT. Commercial use in distributed products requires either open-sourcing your changes or a commercial license. This is a real constraint for anyone building a SaaS that embeds tirreno [README].
- PHP/Apache stack is polarizing. Most modern backend teams run Node, Python, or Go. Adding a PHP/Apache dependency for a security layer feels awkward. The Docker path mitigates this, but the underlying stack affects maintainability and upgrade path [README].
- Almost no independent third-party reviews. The available sources are primarily first-party. Claims about ease of use, real-world performance, and reliability at scale cannot be verified from external reviewers as of this writing.
- Apache required for the application server. The README specifies Apache with mod_rewrite and mod_headers. Nginx users will need to run Apache in the Docker container or as a separate service [README].
- 1,170 GitHub stars is early-stage. This is a small project. Community size affects plugin availability, bug fix velocity, and long-term sustainability. Betting core security infrastructure on a 1,170-star project carries real risk [README].
- Cron dependency. Background processing requires a cron job. In containerized environments this is manageable but adds operational overhead [README].
- Commercial pricing not publicly documented. The “contact sales for mission-critical organizations” path means you can’t evaluate cost without a sales conversation for anything beyond the Community Edition [homepage].
- No mentions in major self-hosted community newsletters. Neither Self-Host Weekly issue from March 2026 [4][5] mentioned tirreno, which suggests limited community penetration at this point.
Who should use this / who shouldn’t
Use tirreno if:
- You’re running an internal application (ERP, CRM, HR platform) and you have zero visibility into what authenticated users are actually doing with their access.
- You need an audit trail that goes beyond “who logged in when” to “what fields did they change and in what pattern.”
- You’re building for air-gapped or compliance-heavy environments (healthcare, finance, ICS) where on-premise deployment of security tooling is mandatory.
- You’re already running PHP/PostgreSQL and want to add a security layer without a new technology dependency.
- Your threat model includes insider risk, account sharing, promo abuse, or multi-accounting — and you want automated detection rather than manual log analysis.
Skip it if:
- Your application runs on a modern stack (Node, Python, Rails) and you’re not willing to add PHP/Apache for one component. The Docker path helps, but it’s still a different runtime to maintain.
- You need MIT or Apache 2.0 licensing for commercial distribution — AGPL-3.0 restricts that.
- You need network-layer or infrastructure-level threat detection. tirreno is application-layer only and explicitly doesn’t replace firewalls or network SIEM [3][README].
- Your team has no one who can read PHP source code to evaluate security issues in the security tool itself.
- You need a large community, extensive documentation, and guaranteed long-term maintenance — at 1,170 stars, that’s not guaranteed here.
Alternatives worth considering
- Wazuh — open-source SIEM and endpoint detection. Free, active community, handles infrastructure and endpoint security well. Does not do application-level behavioral analytics out of the box — you’d build that on top of log ingestion. MIT/GPL licensed.
- Graylog — log management and SIEM. Better for infrastructure log aggregation than application-layer behavioral profiles. Open-source core, commercial tiers for advanced features.
- Sentry — error and event tracking. Not a security tool per se, but teams often use it as a proxy for application behavior monitoring. No fraud detection or risk scoring.
- Elastic SIEM — powerful, but requires Elasticsearch infrastructure (RAM-hungry) and significant configuration expertise. Commercial licensing for advanced security features.
- Supabase / custom audit logging — if your primary need is a field audit trail and you’re already on Postgres, you can build a simple trigger-based audit log for a fraction of the setup effort. Lacks risk scoring and behavioral analytics, but covers the compliance use case for many teams.
- Kount / Sift — commercial fraud detection SaaS platforms. If you have the budget and need managed service reliability, these are the category leaders. $500–2,000+/month depending on volume — the exact opposite of the self-hosting value proposition.
Bottom line
tirreno is solving a problem that most small teams ignore until something bad happens: they have no idea what their authenticated users are actually doing inside their applications. The network perimeter is protected; the application layer is a blindspot. tirreno instruments that blindspot — it turns event streams into user behavioral profiles, risk scores, and automated review queues.
The honest caveat is that this is an early-stage project with limited third-party validation. The PHP/Apache stack will feel foreign to many modern teams, the AGPL-3.0 license has real commercial use restrictions, and there’s no public track record of how it performs at scale. For the right context — a small team running an internal app with sensitive data and a real need for behavioral monitoring — it’s worth evaluating against the live demo. For teams shopping for reliability and community support first, wait for more independent adoption evidence.
If deployment is the blocker, that’s the kind of setup upready.dev handles for clients — one-time fee, you own the infrastructure.
Sources
- [1] tirreno Documentation — Nginx Reverse Proxy Integration (docs.tirreno.com). https://docs.tirreno.com/tutorials/nginx-reverse-proxy.html
- [2] tirreno — Use Cases (tirreno.com). https://www.tirreno.com/use-cases/
- [3] tirreno Blog — “Application-level security for insider threats” (November 25, 2025) (tirreno.com). https://www.tirreno.com/bat/2025-11-25
- [4] Ethan Sholly, Self-Host Weekly — 13 March 2026 (selfh.st). https://selfh.st/weekly/2026-03-13/
- [5] Ethan Sholly, Self-Host Weekly — 20 March 2026 (selfh.st). https://selfh.st/weekly/2026-03-20/
Primary sources:
- GitHub repository and README: https://github.com/tirrenotechnologies/tirreno (1,170 stars, AGPL-3.0)
- Official website: https://www.tirreno.com
- Pricing page: https://www.tirreno.com/pricing/
- Live demo: https://play.tirreno.com (admin/tirreno)