ir.mlab.sh · v0.9 · self-hosted

Your alerts deserve a real workflow.

A self-hosted incident response platform that turns scattered security alerts into structured investigations — from initial triage to case closure, entirely on your own infrastructure.

Self-hosted · your case data never leaves your infrastructure · latest release →

Ingest endpoint: POST /api/v1/alerts
Integrations: Splunk, CrowdStrike, SentinelOne, Elastic, Wazuh, Sentinel, Defender, Proofpoint, MISP, generic webhooks

From alert to resolution

Four clear stages, one consistent platform. See it in detail →

Ingest

Collect alerts from your SIEM, EDR, email gateway or any other tool that can call a REST endpoint (POST /api/v1/alerts).

Triage

Prioritize, deduplicate, dismiss the noise. Escalate the real threats.

Investigate

Escalate to cases. Attach evidence, track observables, build the timeline.

Resolve

Document findings, close the case, generate reports. Lessons learned, built in.

A queue that doesn't lie

Every alert in one place, severity-coded and SLA-aware. New incidents appear in real time as your sources fire.

  ir.example.com / dashboard
  Triage queue · 42 open alerts · live

  Alert                                   Source        Observables   Time
  Suspicious PowerShell on WS-042         crowdstrike   2             14:02
  Beaconing to known C2 — 203.0.113.4     splunk        5             14:01
  Unusual login geo — user alice@         azure-ad      3             13:58
  Brute-force attempts on SSH bastion     wazuh         1             13:54
  EDR sensor offline — WS-117             sentinel-one  -             13:42
  Phishing — HR impersonation campaign    proofpoint    8             13:31

Made for the people on call

Whatever your seat at the table, mlab IR gives you what that seat actually needs.

Persona / SOC analyst

Stop drowning in false positives.

"My queue is 400 deep before lunch. Half is noise I've already seen this month."

Saved filters, deduplication on a content hash of the alert, dismiss-with-reason, and suppression suggestions when the same alert keeps coming back.
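The two ingest and triage mechanics above, collecting alerts through a REST endpoint and deduplicating them on a content hash, are easy to get subtly wrong: hash the raw alert and every re-fire with a fresh id or timestamp looks new. The following is an added example, not mlab IR's own code, showing one way to do it. It canonicalises the alert (drops volatile keys, sorts keys, makes lists order-insensitive, blanks embedded timestamps), hashes the result, folds repeats into the first occurrence and flags hashes that keep firing as suppression candidates. The alert field names, the volatile-field set, the threshold and the sample queue are all assumptions made for illustration; the real /api/v1/alerts schema is not shown on this page.

```python
"""Triage helpers: content-hash deduplication and suppression suggestions.

Added example, not mlab IR's own code. The alert fields used here (id, source,
title, host, description, indicators, timestamp, raw), the set of volatile
fields and the suppression threshold are assumptions made for illustration;
the real /api/v1/alerts schema is not shown on the page.
"""
from __future__ import annotations

import hashlib
import json
import re
from collections import Counter
from dataclasses import dataclass, field

# Keys that differ between re-fires of the same alert and must not affect the hash (assumed).
VOLATILE_FIELDS = {"id", "timestamp", "received_at", "event_id", "raw"}
# ISO-8601-style timestamps embedded inside string values (e.g. "last seen 2024-05-01T14:09:00Z").
TIMESTAMP_RE = re.compile(r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:\.\d+)?Z?")
SUPPRESS_AFTER = 3  # suggest a suppression rule once one hash has fired this many times (assumed)


def canonical(value):
    """Normalise an alert recursively: drop volatile keys, sort keys, make lists
    order-insensitive, blank out embedded timestamps and lowercase strings."""
    if isinstance(value, dict):
        return {k: canonical(v) for k, v in sorted(value.items()) if k not in VOLATILE_FIELDS}
    if isinstance(value, list):
        return sorted(json.dumps(canonical(v), sort_keys=True) for v in value)
    if isinstance(value, str):
        return TIMESTAMP_RE.sub("<ts>", value.strip()).lower()  # strip times before lowercasing
    return value


def content_hash(alert: dict) -> str:
    """SHA-256 over the canonical JSON form: a re-fired alert with a new id and
    timestamp hashes the same as the first one; a different host or title does not."""
    blob = json.dumps(canonical(alert), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()


@dataclass
class TriageResult:
    unique: list = field(default_factory=list)        # first alert per hash, arrival order, hash attached
    duplicates: list = field(default_factory=list)    # (alert id, hash) folded into an existing alert
    counts: Counter = field(default_factory=Counter)  # hash -> times seen

    def suppression_suggestions(self) -> list[str]:
        """Hashes that have fired SUPPRESS_AFTER or more times: candidates for a rule."""
        return [h for h, n in self.counts.items() if n >= SUPPRESS_AFTER]


def triage(alerts) -> TriageResult:
    """Fold a batch of alerts into unique ones; the hash is attached so it can be sent on ingest."""
    result = TriageResult()
    seen = set()
    for a in alerts:
        h = content_hash(a)
        result.counts[h] += 1
        if h in seen:
            result.duplicates.append((a["id"], h))
        else:
            seen.add(h)
            result.unique.append({**a, "content_hash": h})
    return result


def _ssh_bruteforce(alert_id, ts):
    """Same Wazuh alert re-firing: only id, timestamp, raw log and the embedded time differ."""
    return {
        "id": alert_id, "source": "wazuh", "title": "Brute-force attempts on SSH bastion",
        "host": "bastion-01", "indicators": ["198.51.100.7"],
        "description": f"Failed password for root from 198.51.100.7, last seen {ts}",
        "timestamp": ts, "raw": f"{ts} bastion-01 sshd: Failed password for root from 198.51.100.7",
    }


# Constructed sample queue: one alert fires three times, plus two distinct EDR alerts.
SAMPLE_ALERTS = [
    _ssh_bruteforce("a1", "2024-05-01T13:54:00Z"),
    {"id": "a2", "source": "crowdstrike", "title": "Suspicious PowerShell on WS-042",
     "host": "ws-042", "indicators": ["powershell.exe -enc"], "timestamp": "2024-05-01T14:02:00Z"},
    _ssh_bruteforce("a3", "2024-05-01T14:09:00Z"),
    _ssh_bruteforce("a4", "2024-05-01T14:24:00Z"),
    {"id": "a5", "source": "crowdstrike", "title": "Suspicious PowerShell on WS-117",
     "host": "ws-117", "indicators": ["powershell.exe -enc"], "timestamp": "2024-05-01T14:31:00Z"},
]

if __name__ == "__main__":
    r = triage(SAMPLE_ALERTS)
    print("unique:", [a["id"] for a in r.unique])       # ['a1', 'a2', 'a5']
    print("duplicates:", [d[0] for d in r.duplicates])  # ['a3', 'a4']
    print("suppress:", [h[:12] for h in r.suppression_suggestions()])
```

The point of the design is that the hash is computed over what the analyst would actually read, not over the envelope: two PowerShell alerts on different hosts stay separate, while the same brute-force alert re-firing every quarter hour collapses to one entry and, after three fires, surfaces as a suppression candidate. Which fields count as volatile is a per-source decision and the single most important tuning knob.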

Persona / IR lead

Coordinate without losing thread.

"During an incident we're across three Slack channels, two Google Docs and a war-room call. Hand-off kills us."

A single case page with timeline, observables, evidence, @-mentions, and a generated report at resolution. The whole team works from the same surface.

Persona / CISO

Numbers I can show the board.

"I need MTTA, MTTR, top noisy sources, and proof we follow our process. Today I rebuild this every quarter."

Live dashboards with the metrics that matter, audit-grade history, exportable reports. The platform does the bookkeeping for you.

Coverage you can defend in a meeting

Tag cases with MITRE ATT&CK techniques. mlab IR builds a heat-map across the ATT&CK matrix: every cell shows how many cases hit that technique, and when it was last seen.

[ATT&CK coverage heat-map; legend runs from "Coverage" to "Saturated"]
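Both the board-level metrics (MTTA, MTTR) mentioned under the CISO persona and the ATT&CK heat-map described above are aggregations over the same case records. The following is an added example, not mlab IR's own code, showing how both are derived from a list of cases: MTTA over acknowledged cases only, MTTR over closed cases only, and a per-technique cell with a count and a last-seen date grouped by tactic, including the empty cells you would want to see in a coverage meeting. The Case fields and the sample cases are assumptions made for illustration; the five technique IDs and their tactics are real ATT&CK entries, but a deployment would load the full matrix rather than this hand-written subset.

```python
"""Case bookkeeping: MTTA/MTTR and an ATT&CK coverage heat-map.

Added example, not mlab IR's own code. The Case fields, the reduced tactic
table and the sample cases are assumptions made for illustration; the
platform's real case schema is not shown on the page.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from statistics import mean
from typing import Optional

# Tactic for each technique used in the sample. These IDs and tactics are from
# ATT&CK itself; a real deployment would load the whole matrix (assumption).
TACTIC_OF = {
    "T1110.001": "Credential Access",    # Brute Force: Password Guessing
    "T1059.001": "Execution",            # Command and Scripting Interpreter: PowerShell
    "T1566.001": "Initial Access",       # Phishing: Spearphishing Attachment
    "T1071.001": "Command and Control",  # Application Layer Protocol: Web Protocols
    "T1562.001": "Defense Evasion",      # Impair Defenses: Disable or Modify Tools
}


@dataclass
class Case:
    id: str
    created: datetime
    techniques: tuple[str, ...]
    acknowledged: Optional[datetime] = None
    closed: Optional[datetime] = None


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample: two closed cases, one acknowledged but still open, one untouched.
SAMPLE_CASES = [
    Case("C-1", _ts("2024-05-01 09:00"), ("T1110.001",), _ts("2024-05-01 09:10"), _ts("2024-05-01 11:00")),
    Case("C-2", _ts("2024-05-01 13:00"), ("T1059.001", "T1071.001"), _ts("2024-05-01 13:30"), _ts("2024-05-02 13:00")),
    Case("C-3", _ts("2024-05-02 08:00"), ("T1566.001", "T1059.001"), _ts("2024-05-02 08:05")),
    Case("C-4", _ts("2024-05-02 10:00"), ("T1110.001",)),
]


def mtta_minutes(cases):
    """Mean time to acknowledge, over cases that have been acknowledged. None if none have."""
    deltas = [(c.acknowledged - c.created).total_seconds() / 60 for c in cases if c.acknowledged]
    return round(mean(deltas), 1) if deltas else None


def mttr_minutes(cases):
    """Mean time to resolve, over closed cases only: an open case has no resolution time yet."""
    deltas = [(c.closed - c.created).total_seconds() / 60 for c in cases if c.closed]
    return round(mean(deltas), 1) if deltas else None


def coverage_heatmap(cases):
    """tactic -> technique -> {"cases": n, "last_seen": datetime | None}.
    Every technique in TACTIC_OF gets a cell, so gaps are visible, not absent."""
    cells = {t: {"cases": 0, "last_seen": None} for t in TACTIC_OF}
    for c in cases:
        for t in set(c.techniques):  # a case counts once per technique, however often it is tagged
            if t not in cells:
                raise ValueError(f"{c.id}: unknown technique {t}")
            cells[t]["cases"] += 1
            if cells[t]["last_seen"] is None or c.created > cells[t]["last_seen"]:
                cells[t]["last_seen"] = c.created
    grid = defaultdict(dict)
    for t, cell in cells.items():
        grid[TACTIC_OF[t]][t] = cell
    return dict(grid)


def untouched_techniques(cases):
    """Techniques with zero cases: the gaps to raise in the coverage meeting."""
    return sorted(t for cells in coverage_heatmap(cases).values()
                  for t, cell in cells.items() if cell["cases"] == 0)


if __name__ == "__main__":
    print("MTTA min:", mtta_minutes(SAMPLE_CASES), "MTTR min:", mttr_minutes(SAMPLE_CASES))
    for tactic, techs in coverage_heatmap(SAMPLE_CASES).items():
        for t, cell in techs.items():
            print(f"{tactic:20} {t:10} cases={cell['cases']} last_seen={cell['last_seen']}")
    print("untouched:", untouched_techniques(SAMPLE_CASES))
```

Two choices matter here. Open cases are excluded from MTTR rather than measured against "now", otherwise the figure changes every time the dashboard refreshes and says nothing about the process. And the heat-map is seeded with every technique you track before counting, so a tactic with no cases shows up as a row of zeros rather than quietly vanishing from the report.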

SOAR features, without the SOAR price tag

Enterprise SOAR vendors charge six figures. Spreadsheets cost zero but lose every thread. mlab IR sits between — a proper platform you actually own.

Your infrastructure, your data

Runs entirely on your servers. We never see your incidents, observables or evidence: no case data is sent to us, and there is no SaaS copy of it to breach. The only outbound traffic is the hourly license check covered under common questions.

5 minutes to running

docker compose up and you're done. No agents to deploy, no ETL pipeline to build, no consulting hours to book.

No vendor lock-in

REST API for everything. MySQL and ClickHouse under the hood. Export your data any time, no exit fee.

How we compare

                          Spreadsheets   Enterprise   Open-source   mlab IR
                          & Slack        SOAR         IR tool
Self-hosted
Deploy in < 5 min
Structured workflow
MITRE ATT&CK
Cross-case correlation
Free tier
Professional support
No vendor lock-in
< 5 min to deploy · 48 h offline grace period · self-hosted · free to start
"Most teams don't lack tools. They lack a place where the alert, the case, the evidence and the verdict all live together. That's the whole product."
The mlab team / Cyber Dream

Common questions

Does any of my data leave my infrastructure?

No. The only outbound call is an hourly, HMAC-based license validation to mlab.sh. No alert, case, observable or evidence ever leaves your infrastructure.

Does it keep working if mlab.sh is unreachable?

Yes, for up to 48 hours at a time; that is the grace window. Beyond that, the instance locks until outbound HTTPS to mlab.sh is restored. Plan for this before you need it: if your containment playbook cuts egress, allow-list mlab.sh over HTTPS first, or use the air-gapped license available on the Corporate tier, so the platform cannot lock itself in the middle of an incident.

How does it differ from the open-source IR tool I already run?

Same self-hosted spirit, with a more polished workflow, built-in metrics and professional support on paid tiers. Migration scripts are available: POST your existing cases to /api/v1/cases.

What does the free tier include?

3 users, 10 alerts/month and 5 cases/month, designed for solo analysts and evaluations. The full platform is there; only the monthly caps differ. Upgrading is one config change, no reinstall.

Can I use my own managed databases?

Yes. Drop the database containers from the compose file and point DB_HOST and CH_HOST at your managed MySQL and ClickHouse instances. The app and executor stay stateless.

Do I still need my SOAR?

If your "SOAR" was being used as a case management tool, no. If you need complex automated playbooks across dozens of integrations, run both: mlab IR exposes everything via webhooks and REST, so it composes well.

Ready to fix your incident workflow?

Free tier included. No credit card. Up and running in under 5 minutes.