FAQ

Fast answers to questions we hear often.

Is my data sent to mlab.sh?

No. The only outbound call is a license validation HMAC every hour. No alert, case, observable or evidence ever leaves your infrastructure.

Can I run mlab IR fully offline?

For up to 48 hours at a time, yes — that's the grace window. Beyond that, the instance locks until you restore outbound HTTPS to mlab.sh. We're working on an air-gapped license model for Corporate-tier customers; contact us if you need it sooner.
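
One way to check the two answers above against your own egress logs, as an added example that is not mlab's code. It assumes a constructed log format (UTC timestamp, destination host, destination port) and treats every connection to mlab.sh on port 443 as a license check; the function and constant names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

LICENSE_HOST = "mlab.sh"                # FAQ: the only expected outbound destination
LICENSE_PORT = 443                      # outbound HTTPS
GRACE = timedelta(hours=48)             # FAQ: offline grace window
EXPECTED_INTERVAL = timedelta(hours=1)  # FAQ: license validation cadence

# Constructed sample: "<ISO-8601 UTC timestamp> <destination host> <destination port>"
SAMPLE_LOG = """\
2024-05-01T00:00:05Z mlab.sh 443
2024-05-01T01:00:04Z mlab.sh 443
2024-05-01T01:17:40Z telemetry.example.net 443
2024-05-01T02:00:06Z mlab.sh 443
2024-05-01T09:00:03Z mlab.sh 443
"""

def parse(line):
    ts, host, port = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, host.lower().rstrip("."), int(port)

def audit_egress(log_text, now):
    """Return unexpected destinations, missed-check gaps and grace time left."""
    unexpected, gaps, last_ok = [], [], None
    for line in filter(None, map(str.strip, log_text.splitlines())):
        when, host, port = parse(line)
        if (host, port) != (LICENSE_HOST, LICENSE_PORT):
            unexpected.append((when, host, port))
            continue
        # Assumption: a connection to the license host counts as one check.
        # Allow 5 minutes of jitter before reporting a missed hourly check.
        if last_ok and when - last_ok > EXPECTED_INTERVAL + timedelta(minutes=5):
            gaps.append((last_ok, when))
        last_ok = when
    remaining = GRACE - (now - last_ok) if last_ok else timedelta(0)
    return {"unexpected": unexpected, "gaps": gaps,
            "grace_remaining": max(remaining, timedelta(0))}

if __name__ == "__main__":
    report = audit_egress(SAMPLE_LOG, datetime(2024, 5, 2, 9, 0, 3, tzinfo=timezone.utc))
    for when, host, port in report["unexpected"]:
        print(f"ALERT unexpected egress {host}:{port} at {when:%Y-%m-%dT%H:%M:%SZ}")
    for start, end in report["gaps"]:
        print(f"WARN no license check between {start:%H:%M} and {end:%H:%M}")
    print("grace remaining:", report["grace_remaining"])
```

A destination log cannot show what a request carried, so this confirms where the host connects, not the content of the license call.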

Can I bring my own MySQL / ClickHouse?

Yes. Drop the mysql and clickhouse services from the Compose file and point DB_HOST/CH_HOST at your managed instances. The app and executor stay stateless.

Does it scale to my team size?

Single-host Compose handles up to a few hundred analysts comfortably. Beyond that, run app/executor on separate hosts behind a load balancer and use dedicated DB hosts. There's no architectural ceiling — we have customers at 10k+ alerts/day on a single Compose stack.

Can I customise the UI / fields / report templates?

Custom fields on alerts and cases: yes, via Settings > Schema. Custom report templates: Markdown templates with case-payload variables, dropped in uploads/templates/. Full UI theming is on the roadmap.

How do I migrate from TheHive / Splunk SOAR / Demisto?

Import an existing case base via POST /api/v1/cases. The shape maps cleanly from TheHive 4/5. We have a community-contributed import script — contact us for a copy.

Is there a CLI?

Yes. ir-mlab is a small Go binary that wraps the REST API for common operations (ingest from stdin, dump a case, bulk dismiss). Download it from the releases page on GitHub.

What about MITRE ATT&CK coverage tracking?

Tag cases with techniques. The dashboard shows a heat-map across the matrix and how many cases hit each technique over the selected window.

Where can I propose a feature?

Email [email protected]. We read everything; the public roadmap lives on the changelog.