tirreno

tirreno is an open-source security analytics framework that helps teams monitor and protect applications from threats, fraud, bots, and account takeovers using in-app telemetry. It ingests application events and turns them into actionable dashboards, investigations, and decisions focused on user behavior and business-logic abuse.

Key Features

• Event tracking and ingestion via API calls for application security telemetry
• Near real-time monitoring to detect suspicious behavior inside the product
• Single-user view with activity timelines, sessions, connected identities, and risk signals
• Rule-based risk assessment to flag and score risky events and behaviors
• Case management and automated actions (for example, suspend or send to review)
• Field-level audit trail to track what changed, when, and by whom for key data
• Designed for extensibility with minimal dependencies and a small attack surface

Use Cases

• Detect and investigate account takeover, credential stuffing, and anomalous logins
• Identify bots, scraping, and business-logic abuse that bypass perimeter defenses
• Maintain detailed audit trails and user activity history for compliance and forensics

Limitations and Considerations

• Storage needs can grow quickly with high event volume (approximately several GB per million events in PostgreSQL)

tirreno fits teams that want security visibility at the application layer rather than only at the network perimeter. With a lightweight PHP/PostgreSQL stack and a focus on user-centric analytics, it can act as a security backbone for many kinds of products and internal systems.