Console-IR

Terminal-first Incident Response for modern SOCs

Ingest OCSF alerts, enrich with plugins, and perform case investigations. Built for analysts.

Get Started on GitHub

Plugins

Extend Console-IR with a growing ecosystem of enrichments and connectors.


GeoIP

IP geolocation enrichment for context on alerts.


Whois

Domain registration and ownership lookups.


LLM

AI-powered summarization and case assistance.


IntelOwl

Threat intel aggregation and lookups.


MISP

Integration with MISP for indicators and events.


OpenCTI

Graph-based threat intelligence platform connector.

Watch Console-IR in action

Demo showing core Console-IR workflows and plugin enrichments.

Why Choose Console-IR

Key Benefits

  • Faster Investigations - Keyboard-first workflows accelerate triage and response
  • OCSF-Native Processing - Seamless ingestion and normalization of security alerts
  • Rich Context Enrichment - Automated GeoIP, threat intelligence, and EDR correlations
  • AI-Powered Summaries - Automated case summaries with actionable recommendations
  • Enterprise Security - RBAC, on-prem deployments, and compliance-ready architecture

Technical Capabilities

  • Data Ingestion - Batch JSON/JSONL and real-time streaming support
  • Plugin Architecture - Language-agnostic internal and external plugins
  • Advanced Search - SQLite full-text search with filtered queries
  • AI Integration - Pluggable LLMs with offline local stub
  • Cross-Platform - Native support for Windows, Linux, and macOS
  • Observability - Comprehensive logs, health checks, and debug mode
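The three capabilities above that an analyst touches first are batch JSONL ingestion, plugin enrichment and SQLite full-text search with filters. The following is an added example written for this page to show how those pieces fit together; it is not Console-IR's own code. The alert lines, the GeoIP table, the plugin contract (a callable that takes and returns one alert dict) and the index layout are assumptions; the field names (class_uid, severity_id, time, src_endpoint.ip, message) follow OCSF naming, but a real OCSF event carries many more attributes.

```python
"""Added example (not Console-IR code): ingest OCSF-shaped JSONL alerts,
run them through enrichment plugins, and index them for filtered
full-text search in SQLite.  All inputs below are constructed."""
import json
import sqlite3
from typing import Callable, Iterable

# Constructed sample batch: three OCSF-shaped alerts, one JSON object per line.
SAMPLE_JSONL = """\
{"class_uid": 2004, "severity_id": 4, "time": 1700000000, "src_endpoint": {"ip": "203.0.113.7"}, "message": "Credential stuffing against VPN portal"}
{"class_uid": 4001, "severity_id": 2, "time": 1700000060, "src_endpoint": {"ip": "10.0.0.5"}, "message": "Outbound DNS to newly registered domain"}
{"class_uid": 2004, "severity_id": 5, "time": 1700000120, "src_endpoint": {"ip": "198.51.100.9"}, "message": "Malware beacon from workstation"}
"""

# Constructed GeoIP lookup standing in for a real geolocation database.
GEOIP_TABLE = {
    "203.0.113.7": {"country": "NL", "asn": 64500},
    "198.51.100.9": {"country": "BR", "asn": 64501},
}

# Assumed plugin contract: a callable that receives one alert and returns it enriched.
Plugin = Callable[[dict], dict]


def geoip_plugin(alert: dict) -> dict:
    """Enrichment plugin: attach geo context for the source IP.  Private or
    unknown addresses get an explicit 'unknown' marker rather than no key,
    so downstream filters never have to special-case a missing field."""
    ip = alert.get("src_endpoint", {}).get("ip")
    geo = GEOIP_TABLE.get(ip, {"country": "unknown", "asn": None})
    alert.setdefault("enrichments", {})["geoip"] = geo
    return alert


def run_pipeline(jsonl: str, plugins: Iterable[Plugin]) -> list:
    """Batch ingest: parse each non-empty line as JSON and run every plugin
    over it.  A malformed line is dropped instead of aborting the batch."""
    plugins = list(plugins)
    out = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue
        for plugin in plugins:
            alert = plugin(alert)
        out.append(alert)
    return out


class AlertIndex:
    """SQLite index with full-text search on message/country and a severity
    filter.  Uses FTS5 when the SQLite build has it, else a LIKE fallback."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        try:
            self.conn.execute(
                "CREATE VIRTUAL TABLE alerts USING fts5("
                "message, country, severity_id UNINDEXED, raw UNINDEXED)")
            self.fts = True
        except sqlite3.OperationalError:  # SQLite compiled without FTS5
            self.conn.execute("CREATE TABLE alerts(message, country, severity_id, raw)")
            self.fts = False

    def add(self, alerts: Iterable[dict]) -> None:
        rows = [(a.get("message", ""),
                 a.get("enrichments", {}).get("geoip", {}).get("country", "unknown"),
                 int(a.get("severity_id", 0)),
                 json.dumps(a)) for a in alerts]
        self.conn.executemany("INSERT INTO alerts VALUES (?, ?, ?, ?)", rows)
        self.conn.commit()

    def search(self, term: str, min_severity: int = 0) -> list:
        """Full-text match on a single term, filtered by minimum severity."""
        if self.fts:
            sql = ("SELECT raw FROM alerts WHERE alerts MATCH ? "
                   "AND CAST(severity_id AS INTEGER) >= ?")
            args = (term, min_severity)
        else:
            sql = ("SELECT raw FROM alerts WHERE (message LIKE ? OR country LIKE ?) "
                   "AND severity_id >= ?")
            args = (f"%{term}%", f"%{term}%", min_severity)
        return [json.loads(row[0]) for row in self.conn.execute(sql, args)]


if __name__ == "__main__":
    enriched = run_pipeline(SAMPLE_JSONL, [geoip_plugin])
    index = AlertIndex()
    index.add(enriched)
    for hit in index.search("vpn", min_severity=4):
        print(hit["src_endpoint"]["ip"], hit["enrichments"]["geoip"], hit["message"])
```

An external, language-agnostic plugin would sit on the same contract in stream form: read one JSON alert per line on stdin, write the enriched alert per line on stdout, which is why run_pipeline keeps one-object-per-line as its unit of work. The CAST in the FTS5 path is deliberate: FTS5 columns carry no type affinity, so the comparison is pinned to integers rather than left to whatever storage class the insert produced.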

Perfect For

  • SOC Analysts - Streamline daily investigation workflows
  • Incident Responders - Rapid triage with enriched context
  • Security Teams - Multi-user collaboration and case management
  • MSSPs - Scalable deployments with custom integrations
  • Enterprise Security - On-prem/air-gapped compliance requirements
  • Open-Source Users - Free community edition with full feature access

Ready to accelerate your investigations?

Get the free community edition from GitHub and start investigating faster.

View on GitHub

FAQ

Can we run it on-prem?

Yes. On-prem and air-gapped deployments are supported.

How is data stored?

Local SQLite with full-text search; optional centralized storage for enterprise.

Can we use our LLM?

Yes. Bring your own license or API key for a hosted model, or run the offline local stub when no external LLM is allowed.

What integrations are available?

The bundled plugins listed above (GeoIP, Whois, LLM, IntelOwl, MISP, OpenCTI), plus custom internal or external plugins connected via streams.