tirreno user guide
Overview
“The art of war teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.”
—Sun Tzu, The Art of War
tirreno is an open-source security analytics platform.
tirreno helps you understand, monitor, and protect your applications from cyber threats, account takeovers, and abuse.
While classic cybersecurity focuses on infrastructure and network perimeter, most breaches occur through compromised accounts and application logic abuse that bypass firewalls, SIEM, WAFs, and other defenses.
Our platform detects threats where they actually happen, inside your application. It adds a security layer to internal (workforce) or external (customer-facing) applications to identify malicious activity by analyzing user behavior, account activity, field audit trails, and business logic abuse that infrastructure tools cannot detect.
Application types
Self-hosted, internal and legacy apps: Embed a security layer to extend your security through audit trails, protect user accounts from takeover, detect cyber threats and monitor insider threats.
SaaS and digital platforms: Prevent cross-tenant data leakage, online fraud, privilege escalation, data exfiltration and business logic abuse.
Mission critical applications: Sensitive application protection, even in air-gapped deployments.
Non-human identities (NHIs): Monitor service accounts, API keys, bot behaviors, and detect compromised machine identities.
API-first applications: Protect against abuse, rate limiting bypasses, scraping, and unauthorized access.
Industries
Government and public sector: Protect citizen data, detect insider threats, ensure compliance, and maintain data sovereignty.
Banking and fintech: Real-time transaction monitoring, anomalous login detection, synthetic identity fraud protection, regulatory compliance.
Energy and utilities: Protect critical infrastructure, detect unauthorized access to control systems, monitor insider threats, and ensure compliance with energy sector regulations.
Healthcare portals: Protect patient data, monitor unauthorized PHI/PII access, detect staff behaviour anomalies, ensure HIPAA compliance.
Educational platforms: Protect student data, detect account sharing and cheating, ensure FERPA compliance.
E-commerce and retail: Detect payment fraud, bot attacks, credential stuffing, and protect customer accounts.
IoT and connected devices: Monitor authentication, detect compromised devices, prevent unauthorized access.
Gaming platforms: Detect account takeover, cheating, bot activity, and protect in-game economies.
How it works
To achieve the declared objective, tirreno collects intelligence to detect signals related to user identity and behaviour. This solution enables a detailed investigation of anomalies and a manual review of complex fraudulent patterns and cyber threats. It helps to maintain uninterrupted services and protect private information.
tirreno brings enterprise-level fraud prevention techniques to a wide variety of digital platforms and organizations. It is developed for platforms with a demand for utmost control or for integration into a complex defence system, facilitating risk assessment during user onboarding and ongoing monitoring for everyday use.
tirreno comes in two versions:
- Community Edition
Open-source security platform for protecting your application from cyber threats, account takeovers, and abuse. It is available for free on GitHub.
- Enterprise Edition
Proprietary license, multi-application support, advanced fraud prevention capabilities, SIEM integration and developer support.
Privacy
By saying that tirreno is an ethical tool, we highlight our commitment to not crossing a thin line between taking mandatory actions for cyber threat prevention and breaking user privacy.
In fact, tirreno does not use cookies or browser fingerprinting and does not expose more user data than is strictly necessary, running all operations on the application backend. This provides utmost privacy and an immutable approach for the tirreno security analytics.
System workflow
The tirreno workflow consists of the following main parts:
1. Data ingestion through API calls from your application.
2. Enrichment and calculation of user context from collected data.
3. Machine-led data processing through a rule-engine system.
4. Manual review of suspicious activity or automatic account suspension to prevent further access to your app.
In the next subsections, we briefly describe each of these stages. When applicable, materials covering the subject more fully are linked.
Data ingestion
This stage is an entry point to tirreno setup and further usage. It requires the installation of a lightweight script for sending user request data to tirreno. And this is the only requirement for tirreno to start operating!
For more information on this, see API integration.
Data enrichment
A perceived magic 🪄 is happening during this stage: raw pieces of data are carefully prepared and then combined with tirreno’s internal data as well as external proprietary and open-source data.
Machine processing
This is the backbone of the tirreno background workings. Each user request is processed through a set of specific conditions (rules). During this stage, the rules engine detects irregularities and suspicious activities. The results define the calculated user score, which is a decisive characteristic to consider at the stage of manual review.
For more details, see the Rules section.
Manual review
tirreno outputs the accumulated knowledge base via a web-accessible user interface. The interface is designed to be a convenient tool for human-led investigation of the machine-preprocessed data analytics. It provides varying ways to proceed with investigation and can thus be flexibly adapted to different workflows and undertakings.
For a description of all the capabilities provided, advance to the chapters Console and Operator procedures.