When Your Firewall Misses the Real Threat: Inside Your Application
You've got a solid network perimeter. Your firewall is configured, your WAF is running, your SIEM is ingesting logs. But the most dangerous threats don't come through port 443—they come through valid credentials, exploited business logic, and compromised accounts that your infrastructure tools never see. That's the gap tirreno is designed to fill: an open-source security framework that watches what happens inside your application, not just at the network boundary.
What It Does
Tirreno is a self-hosted, PHP and PostgreSQL application that ingests events from your product through API calls and SDKs, then provides a real-time dashboard for monitoring threats, fraud, and abuse. Think of it as application-layer security intelligence—it tracks user behavior, calculates risk scores, and surfaces suspicious activity that traditional security tools would miss.
The core workflow is straightforward. You send events from your application (logins, registrations, purchases, profile changes) with full context via their SDKs. Tirreno processes these events through a built-in rule engine that applies preset rules—things like account takeover detection, credential stuffing, content spam, promo abuse, bot detection—or your own custom rules. Risk scores are calculated automatically, and you can configure thresholds that trigger account suspension or flagging for manual review through a review queue.
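To make the rule-engine part of that workflow concrete, here is a small added example (my own illustration, not tirreno's code; the event fields, rule weights and thresholds are assumptions) that replays a constructed event stream through two preset-style rules, a credential-stuffing-then-takeover check and a recovery-field change right after a risky login, and maps the resulting score to an allow/review/suspend outcome:

```python
from collections import defaultdict

# Constructed sample event stream, shaped like the login and profile-change events
# the text says an application would send; the field names are this example's choice.
EVENTS = [
    {"t": 0,  "type": "login",          "user": "alice", "ip": "203.0.113.5",  "ok": True},
    {"t": 5,  "type": "login",          "user": "bob",   "ip": "198.51.100.7", "ok": False},
    {"t": 6,  "type": "login",          "user": "carol", "ip": "198.51.100.7", "ok": False},
    {"t": 7,  "type": "login",          "user": "dave",  "ip": "198.51.100.7", "ok": False},
    {"t": 9,  "type": "login",          "user": "erin",  "ip": "198.51.100.7", "ok": True},
    {"t": 30, "type": "profile_change", "user": "erin",  "ip": "198.51.100.7", "field": "email"},
    {"t": 40, "type": "login",          "user": "alice", "ip": "203.0.113.5",  "ok": True},
]

def action_for(score, review_at=50, suspend_at=90):
    """Map a risk score to the outcome a configured threshold would trigger (assumed values)."""
    if score >= suspend_at:
        return "suspend"
    return "review" if score >= review_at else "allow"

def evaluate(events, window=300, stuffing_accounts=3, change_grace=60):
    """Replay events in time order through two preset-style rules; return per-user risk."""
    risk = defaultdict(lambda: {"score": 0, "reasons": []})
    failed_by_ip = defaultdict(dict)   # ip -> {account: time of last failed login}
    last_login = {}                    # user -> time of last successful login
    for e in sorted(events, key=lambda ev: ev["t"]):
        t, user, ip = e["t"], e["user"], e["ip"]
        r = risk[user]                 # every user seen gets an entry, even at score 0
        if e["type"] == "login":
            # keep only failures inside the sliding window for this source IP
            recent = {u: ft for u, ft in failed_by_ip[ip].items() if t - ft <= window}
            failed_by_ip[ip] = recent
            if not e["ok"]:
                recent[user] = t
                continue
            last_login[user] = t
            # Rule 1: a success from an IP that just failed against several distinct
            # accounts is the credential-stuffing -> account-takeover pattern.
            if len(recent) >= stuffing_accounts:
                r["score"] += 60
                r["reasons"].append(f"login from IP with {len(recent)} recent failed accounts")
        elif e["type"] == "profile_change" and e.get("field") in ("email", "phone", "password"):
            # Rule 2: changing a recovery field right after an already-risky login is how a
            # takeover gets locked in, so escalate the existing score instead of re-scoring.
            if r["score"] and t - last_login.get(user, float("-inf")) <= change_grace:
                r["score"] += 30
                r["reasons"].append(f"{e['field']} changed {t - last_login[user]}s after risky login")
    return {u: dict(v, action=action_for(v["score"])) for u, v in risk.items()}
```

Running `evaluate(EVENTS)` puts erin at 90 with both reasons recorded (suspend), while alice and the accounts that only saw failed attempts stay at 0 (allow).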
Beyond real-time monitoring, tirreno offers a single user view that shows behavior patterns, risk scores, connected identities, and activity timelines for any specific user. There's also a field audit trail that tracks modifications to important fields—what changed and when—which is useful for compliance and forensic analysis.
The tech stack is deliberately low-dependency: PHP 8.0-8.3, PostgreSQL 12+, and an Apache web server. The README claims a five-minute installation, and the hardware requirements are modest—128 MB RAM for the application, 512 MB for PostgreSQL, with about 3 GB of storage per million events.
Why It's Cool
What makes tirreno interesting isn't that it's another security tool—it's that it targets a specific blind spot that most organizations have. Your SIEM doesn't know what a normal user session looks like in your application. Your WAF can't tell the difference between a legitimate login and a credential stuffing attack using valid passwords. Tirreno operates at the application layer where the actual abuse happens.
It's purpose-built for application logic abuse. The preset rules list reads like a catalog of modern web attacks: account takeover, credential stuffing, content spam, multi-accounting, promo abuse, API protection. These are problems that infrastructure security tools struggle with because they lack application context.
The single user view is a practical feature. When you're investigating a suspicious account, you don't want to grep logs ac