tirrenotechnologies

tirrenotechnologies/tirreno

PHP AGPL-3.0 Security

tirreno is a security framework. Event tracking, threat detection, and risk scoring for any product.

1.5k stars
171 forks
active
GitHub +20 / week

1.5k

Stars

171

Forks

12

Open issues

6

Contributors

v0.10.0 02 Jul 2026

AI Analysis

Tirreno is a self-hosted PHP/PostgreSQL security framework designed to detect threats, fraud, and abuse inside applications through event tracking, risk scoring, and behavioral analysis. It fills the gap between perimeter security (firewalls, WAFs) and application-layer threats (compromised accounts, logic abuse), making it best suited for organizations running self-hosted, SaaS, e-commerce, or mission-critical applications that need embedded security without external dependencies. It is not ...

Security Application Discovery value: 6/10
Documentation 8/10
Activity 9/10
Community 7/10
Code quality 5/10

Inferred from signals mentioned in the README (tests, CI, type safety) — not a review of the actual code.

Overall score 7/10

AI's overall editorial judgment — not an average of the bars above, can weigh other factors too.

threat-detection fraud-prevention security-analytics application-monitoring risk-scoring
Actively maintained Niche/specialized use case Well documented Production ready
Deep Analysis · Based on README and public signals
1w ago

PHP-based application security framework for detecting threats and fraud inside products, not just at the perimeter

Tirreno is a self-hosted, open-source security framework written in PHP and PostgreSQL designed to track events, detect threats, and calculate risk scores for applications. It targets fraud detection, account abuse, insider threats, and business logic abuse across SaaS, e-commerce, legacy systems, and API-first applications. The project appears to serve organizations wanting application-level security telemetry and risk scoring without relying on third-party SaaS, with preset rules for common threats and a customizable rule engine. Real-world adoption remains undocumented.

Origin

Tirreno was created in December 2024 by Tirreno Technologies, making it approximately 18 months old as of July 2026. It represents an attempt to democratize application-level threat detection typically available only in enterprise SIEM or identity platforms. The project entered open source with an AGPL-3.0 license.

Growth

The repository gained 1,445 stars over ~18 months (~80 stars per month average), with 7 stars in the most recent 7 days. Docker pull metrics are shown but not quantified in metadata. Growth appears modest and stable rather than accelerating. No evidence of viral adoption or major enterprise deployments mentioned. The presence of SDKs for PHP, Python, Node.js, and WordPress suggests intentional ecosystem building, but adoption velocity of those SDKs is not documented.

In production

Adoption not verified. README mentions a live demo (play.tirreno.com) and official website (tirreno.com), suggesting a commercial entity behind the project, but no case studies, customer counts, deployment numbers, or production usage metrics disclosed. Docker pull counts are tracked but not quantified in provided metadata. No evidence in README of real-world deployments, integrations, or testimonials. Cannot confirm whether adoption exists beyond early adopters and testing.

Code analysis
Architecture

Likely a monolithic PHP application built on standard web stack (PHP 8.0–8.3, PostgreSQL 12+). README describes it as 'hand-written, few-dependency, low-tech' design, suggesting intentional minimalism. Appears to include a web dashboard, API for event ingestion, rule engine, and cron-based batch processing. Architecture supports self-hosted and Docker deployment. Cannot verify code organization, separation of concerns, or internal patterns from README alone.

Tests

Not documented in README. No mention of unit tests, integration tests, or CI/CD pipelines. Codacy badge linked, suggesting some static analysis is in place, but test coverage metrics not disclosed.

Maintenance

Last push was 2026-04-07 (approximately 12 weeks before analysis date 2026-07-01), indicating active but not continuous development. Project is ~18 months old. Codacy grade badge and Docker Hub presence suggest ongoing quality monitoring. No evidence of abandoned state, but infrequent push cadence relative to some active open-source projects. Cannot assess issue response time or PR review velocity from metadata alone.

Honest verdict

ADOPT IF: you need lightweight, self-hosted application-level threat detection and risk scoring in a PHP environment; you want to avoid SaaS dependencies or third-party data residency; you have modest event volumes and in-house infrastructure; preset rules for account takeover, fraud, and insider threats match your use case. AVOID IF: you require enterprise-grade SIEM features, require extensive third-party integrations, need battle-tested, widely-deployed tooling with large community support, depend on vendor support contracts, or need high-volume event processing and complex correlation. MONITOR IF: adoption evidence emerges over next 12 months; major companies or frameworks adopt Tirreno; documentation and SDK maturity improve; real-world case studies become public.

Independent dimensions

Mainstream potential

4/10

Technical importance

6/10

Adoption evidence

2/10

Risks
  • Adoption not verified: no public evidence of production deployments or organizations using Tirreno at scale; early-stage project with limited track record.
  • Limited ecosystem maturity: SDKs exist but adoption not documented; community feedback and real-world integrations not apparent; may lack depth of documentation or troubleshooting resources.
  • AGPL-3.0 licensing may deter commercial adoption: projects integrating Tirreno must open-source their modifications or negotiate commercial license; could limit enterprise deployments.
  • Single maintainer / small team risk: repository shows modest commit frequency; no evidence of distributed development team or governance structure; sustainability unclear if key contributors depart.
  • Performance and scalability unproven: README notes ~3 GB PostgreSQL storage per 1M events; large-scale event ingestion capacity not documented or benchmarked; may struggle with high-throughput environments.
Prediction

Tirreno may remain a niche, self-hosted security framework attractive to privacy-conscious teams and organizations avoiding SaaS, but is unlikely to achieve mainstream adoption unless: (a) production case studies and adoption numbers become public, (b) ecosystem integrations and SDK adoption accelerate, (c) commercial or enterprise backing materializes visibly. Most likely trajectory: slow, steady growth serving a permanent niche of self-hosted and legacy application security teams, or gradual decline if adoption remains hidden and community engagement stalls.

0 found this helpful

Newsletter

Get analyses like this every Monday

Free weekly digest of the most interesting open-source discoveries.

Languages

PHP
82.8%
JavaScript
8.7%
HTML
5.8%
CSS
1.5%
PLpgSQL
1.3%
Shell
0%

Information

Language
PHP
License
AGPL-3.0
Last updated
7d ago
Created
19mo ago
Analyzed with
anthropic/claude-haiku-4-5

Stars over time

Loading…

Contributors over time

Top 100 contributors only — repos with more will plateau at 100.

Loading…

Similar repos

teamtnt

teamtnt/tntsearch

TNTSearch is a full-text search engine written entirely in PHP that enables...

3.2k PHP Dev Tools
sheeki03

sheeki03/tirith

Tirith is a terminal security tool written in Rust that intercepts and blocks...

2.6k Rust Security
nette

nette/tracy

Tracy is a PHP debugging and error-handling library designed for developers...

1.8k PHP Dev Tools
google

google/tsunami-security-scanner-plugins

A specialized plugin repository for Tsunami Security Scanner, Google's...

1k Java Security
OpenCTI-Platform

OpenCTI-Platform/opencti

OpenCTI is a self-hosted platform for managing cyber threat intelligence data...

9.7k TypeScript Security
vs. alternatives
OpenCTI-Platform/opencti (9614 stars, TypeScript)

OpenCTI is a threat intelligence platform focusing on threat actor tracking and CTI management at organizational/strategic level. Tirreno targets application-level event tracking and behavioral threat detection. Different problem domain; OpenCTI is for security operations centers, Tirreno for product security teams.

google/tsunami-security-scanner (8589 stars, Java)

Tsunami is an automated vulnerability scanner for infrastructure and network services. Tirreno is not a scanner; it's a telemetry and risk-scoring framework for inside-application threats. Complementary rather than competitive.

nette/tracy (1831 stars, PHP)

Tracy is a PHP debugging and error-handling tool. Tirreno is security-focused with threat detection and risk scoring. Different purpose; tracy is for development debugging, Tirreno for production security monitoring.

Splunk Enterprise Security (proprietary SaaS/on-prem)

Splunk provides SIEM, threat detection, and analytics across infrastructure and applications. Tirreno is narrower, focused on application-level event tracking and threat scoring without SIEM complexity. Splunk is market-dominant and widely adopted; Tirreno is lightweight alternative for self-hosted, application-centric deployments.

New Relic / Datadog Security Monitoring (proprietary SaaS)

Both offer cloud-native security and threat detection with dashboards. Tirreno is self-hosted, open-source, and purpose-built for application threat scoring without infrastructure monitoring overhead. Different deployment model and target audience.