tirreno is a security framework. Event tracking, threat detection, and risk scoring for any product.
1.5k
Stars
171
Forks
12
Open issues
6
Contributors
AI Analysis
Tirreno is a self-hosted PHP/PostgreSQL security framework designed to detect threats, fraud, and abuse inside applications through event tracking, risk scoring, and behavioral analysis. It fills the gap between perimeter security (firewalls, WAFs) and application-layer threats (compromised accounts, logic abuse), making it best suited for organizations running self-hosted, SaaS, e-commerce, or mission-critical applications that need embedded security without external dependencies. It is not ...
Inferred from signals mentioned in the README (tests, CI, type safety) — not a review of the actual code.
AI's overall editorial judgment — not an average of the bars above, can weigh other factors too.
PHP-based application security framework for detecting threats and fraud inside products, not just at the perimeter
Tirreno is a self-hosted, open-source security framework written in PHP and PostgreSQL designed to track events, detect threats, and calculate risk scores for applications. It targets fraud detection, account abuse, insider threats, and business logic abuse across SaaS, e-commerce, legacy systems, and API-first applications. The project appears to serve organizations wanting application-level security telemetry and risk scoring without relying on third-party SaaS, with preset rules for common threats and a customizable rule engine. Real-world adoption remains undocumented.
Tirreno was created in December 2024 by Tirreno Technologies, making it approximately 18 months old as of July 2026. It represents an attempt to democratize application-level threat detection typically available only in enterprise SIEM or identity platforms. The project entered open source with an AGPL-3.0 license.
The repository gained 1,445 stars over ~18 months (~80 stars per month average), with 7 stars in the most recent 7 days. Docker pull metrics are shown but not quantified in metadata. Growth appears modest and stable rather than accelerating. No evidence of viral adoption or major enterprise deployments mentioned. The presence of SDKs for PHP, Python, Node.js, and WordPress suggests intentional ecosystem building, but adoption velocity of those SDKs is not documented.
Adoption not verified. README mentions a live demo (play.tirreno.com) and official website (tirreno.com), suggesting a commercial entity behind the project, but no case studies, customer counts, deployment numbers, or production usage metrics disclosed. Docker pull counts are tracked but not quantified in provided metadata. No evidence in README of real-world deployments, integrations, or testimonials. Cannot confirm whether adoption exists beyond early adopters and testing.
Likely a monolithic PHP application built on standard web stack (PHP 8.0–8.3, PostgreSQL 12+). README describes it as 'hand-written, few-dependency, low-tech' design, suggesting intentional minimalism. Appears to include a web dashboard, API for event ingestion, rule engine, and cron-based batch processing. Architecture supports self-hosted and Docker deployment. Cannot verify code organization, separation of concerns, or internal patterns from README alone.
Not documented in README. No mention of unit tests, integration tests, or CI/CD pipelines. Codacy badge linked, suggesting some static analysis is in place, but test coverage metrics not disclosed.
Last push was 2026-04-07 (approximately 12 weeks before analysis date 2026-07-01), indicating active but not continuous development. Project is ~18 months old. Codacy grade badge and Docker Hub presence suggest ongoing quality monitoring. No evidence of abandoned state, but infrequent push cadence relative to some active open-source projects. Cannot assess issue response time or PR review velocity from metadata alone.
ADOPT IF: you need lightweight, self-hosted application-level threat detection and risk scoring in a PHP environment; you want to avoid SaaS dependencies or third-party data residency; you have modest event volumes and in-house infrastructure; preset rules for account takeover, fraud, and insider threats match your use case. AVOID IF: you require enterprise-grade SIEM features, require extensive third-party integrations, need battle-tested, widely-deployed tooling with large community support, depend on vendor support contracts, or need high-volume event processing and complex correlation. MONITOR IF: adoption evidence emerges over next 12 months; major companies or frameworks adopt Tirreno; documentation and SDK maturity improve; real-world case studies become public.
Independent dimensions
Mainstream potential
4/10
Technical importance
6/10
Adoption evidence
2/10
- Adoption not verified: no public evidence of production deployments or organizations using Tirreno at scale; early-stage project with limited track record.
- Limited ecosystem maturity: SDKs exist but adoption not documented; community feedback and real-world integrations not apparent; may lack depth of documentation or troubleshooting resources.
- AGPL-3.0 licensing may deter commercial adoption: projects integrating Tirreno must open-source their modifications or negotiate commercial license; could limit enterprise deployments.
- Single maintainer / small team risk: repository shows modest commit frequency; no evidence of distributed development team or governance structure; sustainability unclear if key contributors depart.
- Performance and scalability unproven: README notes ~3 GB PostgreSQL storage per 1M events; large-scale event ingestion capacity not documented or benchmarked; may struggle with high-throughput environments.
Tirreno may remain a niche, self-hosted security framework attractive to privacy-conscious teams and organizations avoiding SaaS, but is unlikely to achieve mainstream adoption unless: (a) production case studies and adoption numbers become public, (b) ecosystem integrations and SDK adoption accelerate, (c) commercial or enterprise backing materializes visibly. Most likely trajectory: slow, steady growth serving a permanent niche of self-hosted and legacy application security teams, or gradual decline if adoption remains hidden and community engagement stalls.
Newsletter
Get analyses like this every Monday
Free weekly digest of the most interesting open-source discoveries.
Languages
Information
- Website
- https://www.tirreno.com
- Language
- PHP
- License
- AGPL-3.0
- Last updated
- 7d ago
- Created
- 19mo ago
- Analyzed with
- anthropic/claude-haiku-4-5
Stars over time
Contributors over time
Top 100 contributors only — repos with more will plateau at 100.
Open issues
Top contributors
Similar repos
google/tsunami-security-scanner-plugins
A specialized plugin repository for Tsunami Security Scanner, Google's...
| Repository | Stars | Week Δ | Language | Score | Updated |
|---|---|---|---|---|---|
|
|
1.5k | +20 | PHP | 7/10 | 7d ago |
|
|
3.2k | — | PHP | 7/10 | 3w ago |
|
|
2.6k | — | Rust | 8/10 | 1d ago |
|
|
1.8k | — | PHP | 8/10 | 3w ago |
|
|
1k | — | Java | 7/10 | 1w ago |
|
|
9.7k | — | TypeScript | 8/10 | 7h ago |
OpenCTI is a threat intelligence platform focusing on threat actor tracking and CTI management at organizational/strategic level. Tirreno targets application-level event tracking and behavioral threat detection. Different problem domain; OpenCTI is for security operations centers, Tirreno for product security teams.
Tsunami is an automated vulnerability scanner for infrastructure and network services. Tirreno is not a scanner; it's a telemetry and risk-scoring framework for inside-application threats. Complementary rather than competitive.
Tracy is a PHP debugging and error-handling tool. Tirreno is security-focused with threat detection and risk scoring. Different purpose; tracy is for development debugging, Tirreno for production security monitoring.
Splunk provides SIEM, threat detection, and analytics across infrastructure and applications. Tirreno is narrower, focused on application-level event tracking and threat scoring without SIEM complexity. Splunk is market-dominant and widely adopted; Tirreno is lightweight alternative for self-hosted, application-centric deployments.
Both offer cloud-native security and threat detection with dashboards. Tirreno is self-hosted, open-source, and purpose-built for application threat scoring without infrastructure monitoring overhead. Different deployment model and target audience.