ir.mlab.sh · v0.9

Your alerts deserve a real workflow.

A self-hosted incident response platform that turns security alerts into structured investigations — from initial triage to case closure, entirely on your own infrastructure.

  • 100% self-hosted
  • <5 min deploy time
  • Docker, one command
  • 48h grace period
  • 0€ free tier

From alert to resolution

ir.mlab.sh structures the full incident response lifecycle into four clear stages.

Ingest

Collect alerts from your SIEM, EDR, email gateway or any security tool via REST API.

Triage

Prioritize, deduplicate and assign alerts. Dismiss noise, escalate real threats.

Investigate

Escalate to cases. Attach evidence, track observables, build the timeline.

Resolve

Document findings, close the case, generate reports. Lessons learned, built in.

Everything your SOC needs

Built by security professionals, for security professionals. No bloat, no noise — just the tools that matter.

Alert Management

Ingest alerts from any source via API. Auto-deduplicate, enrich with context, assign severity, and route to the right analyst.

  • Multi-source ingestion (SIEM, EDR, email)
  • Auto-deduplication & severity assignment
  • Analyst routing & notification

Case Management

Escalate alerts into structured cases with full lifecycle tracking from creation to closure.

  • Analyst assignment & priority tracking
  • SLA monitoring & status workflows
  • Complete audit trail on every action

Observable Tracking

Correlate indicators across all investigations and build institutional knowledge over time.

  • IPs, domains, hashes, emails, URLs
  • Cross-case correlation & linking
  • Recurring IOC detection

Activity Timeline

Every action on a case is logged with timestamps. Full traceability, zero guesswork.

  • Status changes & comments
  • Evidence attachments & observable additions
  • Immutable audit log

Team & RBAC

Granular role-based access control so everyone sees exactly what they need, nothing more.

  • Admin, Analyst, Viewer roles
  • Per-case permissions
  • Multi-user collaboration

REST API

Fully documented REST API to integrate ir.mlab.sh into your existing security stack.

  • Alert ingestion endpoints
  • Case & observable CRUD
  • Callback URL support

Self-hosted, private, yours

Your data never leaves your infrastructure. Deploy with Docker Compose in under 5 minutes. No SaaS dependency, no vendor lock-in.

Docker Compose

A single docker compose up deploys the full stack. App, executor, MySQL & ClickHouse included.

Minimal requirements

2 GB RAM, 10 GB disk. Runs on any Linux server, VPS or local machine.

Auto-migrations

Database schema updates run automatically on startup. Just pull and restart.

48h grace period

License checks run every hour via HMAC. If your server goes offline, ir.mlab.sh keeps running for 48 hours.

No hidden features behind paywalls

Self-hosted deployment

Run on your own infrastructure. Your data stays with you.

Role-based access control

Admin, analyst and viewer roles with granular permissions.

Complete audit timeline

Every action logged and timestamped for full traceability.

REST API access

Integrate with your existing security stack programmatically.

Free upgrades

Every release includes new features and fixes at no extra cost.

48-hour license resilience

The grace period ensures continuity if the license server is temporarily unreachable.

Automatic database migrations

Schema updates apply on startup. No manual SQL needed.

Health checks & auto-restart

Built-in container health monitoring keeps your instance running.

Stop using spreadsheets for incidents

Most teams still manage incidents with shared docs, Slack threads and email chains. ir.mlab.sh gives you a proper platform without the enterprise price tag.

Options compared: Spreadsheets & Emails, Enterprise SOAR, Open-source IR tools, ir.mlab.sh

Criteria compared:

  • Self-hosted
  • Deploy in <5 min
  • Case management
  • Alert triage workflow
  • Observable correlation
  • REST API
  • Free tier available
  • Professional support
  • No vendor lock-in

Who is it for?

SOC Analysts

Triage alerts faster, investigate with context, and stop drowning in false positives.

Incident Responders

Coordinate response across teams with structured cases, evidence and timelines.

Blue Teams

Build detection context, track indicators, and feed findings back into your defenses.

CISOs & Managers

Get visibility into your team's workload, response times and investigation outcomes.

Ready to fix your incident workflow?

Deploy ir.mlab.sh in under 5 minutes. Free tier included, no credit card required.