Free & Open Source

Terminal-First Incident Response for Modern SOCs

Ingest OCSF alerts, enrich with powerful plugins, and perform comprehensive case investigations. Built by analysts, for analysts who demand speed and precision.

View on GitHub Watch Demo
6+ Plugins
4 LLM Providers
OCSF Native

See Console-IR in Action

Watch how Console-IR streamlines incident response workflows with keyboard-first efficiency.

Demo showing core Console-IR workflows and plugin enrichments.

Powerful Plugin Ecosystem

Extend Console-IR with a growing ecosystem of enrichments and connectors. Build your perfect investigation workflow.

GeoIP Plugin

GeoIP

IP geolocation enrichment for context on alerts.

Whois Plugin

Whois

Domain registration and ownership lookups.

LLM Plugin

LLM

AI-powered summarization and case assistance.

IntelOwl Plugin

IntelOwl

Threat intel aggregation and lookups.

MISP Plugin

MISP

Integration with MISP for indicators and events.

OpenCTI Plugin

OpenCTI

Graph-based threat intelligence platform connector.

Why Choose Console-IR

Enterprise-grade incident response capabilities designed for modern security teams.

Key Benefits

  • Faster Investigations - Keyboard-first workflows accelerate triage and response
  • OCSF-Native Processing - Seamless ingestion and normalization of security alerts
  • Rich Context Enrichment - Automated GeoIP, threat intelligence, and EDR correlations
  • AI-Powered Summaries - Automated case summaries with actionable recommendations
  • Enterprise Security - RBAC, on-prem deployments, and compliance-ready architecture

Technical Capabilities

  • Data Ingestion - Batch JSON/JSONL and real-time streaming support
  • Plugin Architecture - Language-agnostic internal and external plugins
  • Advanced Search - SQLite full-text search with filtered queries
  • AI Integration - Pluggable LLMs with offline local stub
  • Cross-Platform - Native support for Windows, Linux, and macOS
  • Observability - Comprehensive logs, health checks, and debug mode

Perfect For

  • SOC Analysts - Streamline daily investigation workflows
  • Incident Responders - Rapid triage with enriched context
  • Security Teams - Multi-user collaboration and case management
  • MSSPs - Scalable deployments with custom integrations
  • Enterprise Security - On-prem/air-gapped compliance requirements
  • Open-Source Users - Free community edition with full feature access

Ready to Accelerate Your Investigations?

Get Console-IR for free from GitHub and start investigating faster today.

View on GitHub

Frequently Asked Questions

Can we run it on-prem?

Yes — on-prem and air-gapped deployments are fully supported. Console-IR is designed to work in environments with strict security requirements, including completely isolated networks.

How is data stored?

Local SQLite with full-text search capabilities for fast queries. For enterprise deployments, optional centralized storage solutions are available to support multi-user collaboration.

Can we use our own LLM?

Yes, you can bring your own license/API key. Console-IR supports pluggable LLM integrations, allowing you to use your preferred AI provider or run models locally.

What integrations are available?

Custom plugins via streams architecture. Build your own integrations or use community plugins for GeoIP, Whois, MISP, OpenCTI, IntelOwl, and more.

Is there commercial support available?

Console-IR is open source and community-driven. For enterprise support, training, and custom development, reach out through our GitHub repository.