Best Self-hosted Threat Detection, SIEM & Incident Response tools in 2026
13 self-hosted open source alternatives in this category
See also: Certificates, PKI & TLS Automation; Identity & Access Management (IAM); Network Security (VPN, Firewall, WAF); Secrets, Passwords & Vaults; SSO & Federated Identity (OIDC/SAML); Vulnerability Management, Compliance & Audit

Web-Check
All-in-one OSINT tool for analyzing any website.
Comprehensive on-demand OSINT to analyze a website's security, architecture, and tech stack.

SafeLine
Self-hosted WAF and reverse proxy for securing web apps
SafeLine is a self-hosted Web Application Firewall (WAF) and reverse proxy that defends web apps from SQL injection, XSS, bot abuse, and DDoS using ML-powered threat dete...

Fail2Ban
Log-monitoring daemon that bans abusive IPs via firewall rules
Fail2Ban monitors service logs for repeated failures and automatically bans abusive IP addresses by updating firewall rules for a configurable time.

CrowdSec
Crowdsourced IDS/IPS and WAF with shared malicious IP intelligence
CrowdSec is an open-source security engine that detects attacks from logs and blocks malicious IPs using bouncers and community-curated threat intelligence.

Graylog
Centralized log management and analysis platform
Graylog is an open source platform for collecting, indexing, searching, and alerting on logs and machine data from many sources in one place.

OneUptime
Open-source monitoring, incident management, and observability platform
Self-hostable observability platform for uptime monitoring, alerting, incident management, on-call, status pages, logs, and APM in one integrated suite.

NetAlertX
Network device scanner and presence detection with alerts
Self-hosted network visibility and presence scanner that discovers connected devices and alerts on new, unknown, or changed hosts across your LAN/Wi‑Fi.

Canarytokens
Honeytokens that alert when accessed or executed
Canarytokens generates honeytokens (URLs, files, credentials, docs) that alert you when an attacker touches them, helping detect breaches early.

Beelzebub
Low-code honeypot framework using LLMs for safe system deception
Secure low-code honeypot framework that uses LLMs to simulate high-interaction systems across SSH/HTTP/TCP and MCP, with metrics and cloud-native deployment options.

GlobaLeaks
Secure whistleblowing and anonymous reporting platform
Open-source platform for secure, anonymous whistleblowing and case handling, designed for privacy by default and adaptable to many reporting use cases.

tirreno
Security analytics framework for in-app threat detection and risk
Open-source security analytics framework for event tracking, in-app threat detection, and risk management to protect applications from abuse, bots, and account takeover.

Fail2Ban-Report
Web dashboard for Fail2Ban logs and centralized UFW blocklist management
Lightweight PHP dashboard that converts Fail2Ban logs into searchable JSON reports and centralizes UFW-based blocklist control with HTTPS-based multi-server sync.

Mistborn
Multi-source threat intelligence and IOC aggregation platform
Mistborn aggregates threat intelligence from multiple sources to enrich, normalize, and distribute IOCs for security analysis and incident response workflows.
