Show HN: Wildbox – Open-source, self-hosted alternative to paid tools

2 hours ago 2

The Complete Open-Source Security Operations Suite

A comprehensive, modular, and scalable open-source security platform designed for modern cybersecurity operations. Wildbox provides enterprise-grade security tools, threat intelligence, cloud security posture management (CSPM), vulnerability management, endpoint monitoring, automated response, and AI-powered analysis through a unified architecture with intelligent API gateway.

🎯 Platform Overview
🏗️ Architecture
🚀 Components
✨ Key Features
🔧 Quick Start
🐳 Docker Deployment
🛠️ Development
📊 Service Ports
🔗 Integration
📖 Documentation
🤝 Contributing
📄 License

Wildbox is a complete security operations platform built from the ground up with modularity, scalability, and extensibility at its core. Each component operates as an independent microservice while seamlessly integrating to provide a unified security experience.

Next.js 14: React framework with App Router and Server Components
TypeScript 5.0+: Type-safe JavaScript with modern features
Tailwind CSS: Utility-first CSS framework for rapid styling
Shadcn/ui: High-quality React components built on Radix UI
TanStack Query: Powerful data synchronization for React
Recharts: Composable charting library for React
Lucide React: Beautiful and customizable icon library

FastAPI: Modern, fast web framework for building APIs with Python
Django 5.0: High-level Python web framework for rapid development
OpenResty: High-performance web platform with Nginx and LuaJIT scripting
PostgreSQL 15: Advanced open-source relational database
Redis 7: In-memory data structure store for caching and queues
SQLAlchemy: Python SQL toolkit and Object-Relational Mapping
Alembic: Lightweight database migration tool for SQLAlchemy
Celery: Distributed task queue for background processing

OpenAI GPT-4o: Advanced language model for intelligent analysis
LangChain: Framework for developing LLM-powered applications
Pydantic: Data validation using Python type annotations
Jinja2: Modern and designer-friendly templating language
NLTK: Natural Language Toolkit for text processing
Scikit-learn: Machine learning library for predictive analysis

🔧 DevOps & Infrastructure

Docker: Containerization platform for consistent deployments
Docker Compose: Multi-container Docker application orchestration
Nginx: High-performance web server and reverse proxy
Prometheus: Monitoring system and time series database
Grafana: Analytics and interactive visualization platform
GitHub Actions: CI/CD platform for automated testing and deployment

JWT (JSON Web Tokens): Secure authentication token standard
bcrypt: Password hashing function for secure storage
python-jose: JavaScript Object Signing and Encryption for Python
cryptography: Cryptographic recipes and primitives for Python
osquery: SQL-based host monitoring and endpoint visibility
TLS 1.3: Latest Transport Layer Security protocol

📊 Monitoring & Observability

Health Checks: Automated health monitoring for all services
Metrics Collection: Prometheus metrics for performance monitoring
Centralized Logging: Structured logging with log aggregation
Real-time Dashboards: Grafana dashboards for system visibility
Alerting: Automated alerts for critical events and failures

# Health checks for all services curl http://localhost:8000/health # Security API curl http://localhost:8001/health # Identity Service curl http://localhost:8002/health # Data Lake curl http://localhost:8013/health # Guardian curl http://localhost:8004/health # Sensor curl http://localhost:8018/health # Responder curl http://localhost:8006/health # AI Agents curl http://localhost:8019/health # CSPM # Metrics endpoints curl http://localhost:8000/metrics # Prometheus metrics curl http://localhost:9090 # Prometheus UI curl http://localhost:3001 # Grafana dashboard

📊 Key Performance Indicators (KPIs)

API Response Time: Average response time across all endpoints
Throughput: Requests per second for each service
Error Rate: Percentage of failed requests
Resource Utilization: CPU, memory, and disk usage
Queue Length: Background task queue depth
Active Users: Concurrent authenticated users
Threat Detection Rate: Number of threats detected per hour

High CPU Usage: > 80% for 5 minutes
High Memory Usage: > 90% for 3 minutes
API Errors: > 5% error rate for 2 minutes
Database Connections: > 80% of max connections
Disk Space: < 10% free space remaining
Service Unavailable: Health check failures

# security-config.yml authentication: jwt: algorithm: "HS256" expiration: 3600 # 1 hour refresh_expiration: 604800 # 7 days api_keys: encryption: "sha256" rate_limiting: true expiration_days: 365 authorization: rbac: enabled: true roles: ["owner", "admin", "member", "viewer"] rate_limiting: requests_per_minute: 100 burst_size: 20 security_headers: hsts: true csp: "default-src 'self'" frame_options: "DENY" content_type_options: "nosniff"

# network-config.yml networking: load_balancer: type: "nginx" ssl_termination: true health_checks: true service_mesh: enabled: false mtls: true circuit_breaker: true firewall: allow_ports: [80, 443, 8000-8006] deny_by_default: true monitoring: prometheus: scrape_interval: "15s" retention: "15d" logging: level: "INFO" format: "json" rotation: "daily"

🗄️ Database Configuration

# database-config.yml postgresql: max_connections: 100 shared_buffers: "256MB" effective_cache_size: "1GB" maintenance_work_mem: "64MB" checkpoint_completion_target: 0.9 backup: enabled: true retention_days: 30 redis: # Consolidated Redis instance for all services maxmemory: "512MB" maxmemory_policy: "allkeys-lru" save: "900 1 300 10 60 10000" databases: 16 # Logical separation per service # Service database allocation: # 0: Identity Service # 1: Guardian Service # 2: Responder Service # 3: CSPM Service # 4: AI Agents Service # 5: Gateway Service # 6: API Service # 7: Data Service cluster: enabled: false replicas: 1

Wildbox uses a consolidated Redis architecture for improved efficiency:

Single Redis Instance: Reduced from 8 containers to 1
Memory Efficiency: 512MB total vs ~2GB previously
Logical Separation: Database 0-15 for service isolation
Simplified Operations: Unified backup, monitoring, and management
Better Performance: Reduced container overhead and improved caching

--- ## 🚨 Troubleshooting Guide ### 🔍 **Common Issues** #### **Service Won't Start** ```bash # Check service logs docker-compose logs [service-name] # Verify port availability netstat -tulpn | grep [port] # Check system resources docker system df docker stats

Database Connection Issues

# Test database connectivity docker exec -it wildbox-postgres psql -U wildbox -d wildbox -c "SELECT 1;" # Check database logs docker-compose logs postgres # Verify database configuration cat .env | grep DATABASE_URL

# Verify API key configuration curl -H "Authorization: Bearer YOUR_API_KEY" http://localhost:8001/api/v1/auth/verify # Check JWT token validity python -c "import jwt; print(jwt.decode('YOUR_TOKEN', verify=False))" # Reset authentication docker-compose exec identity python manage.py reset-auth

# Check memory usage by service docker stats --format "table {{.Container}}\t{{.CPUPerc}}\t{{.MemUsage}}" # Optimize Redis memory docker exec -it wildbox-redis redis-cli CONFIG SET maxmemory-policy allkeys-lru # Clear application caches curl -X POST http://localhost:8000/admin/cache/clear

# Enable debug mode for all services export DEBUG=true export LOG_LEVEL=DEBUG # Start services with debug configuration docker-compose -f docker-compose.debug.yml up -d # View detailed logs docker-compose logs -f --tail=100

# Comprehensive health check script #!/bin/bash echo "🔍 Wildbox Health Check" echo "======================" services=("dashboard:3000" "security-api:8000" "identity:8001" "data-lake:8002" "guardian:8013" "sensor:8004" "responder:8018" "agents:8006" "cspm:8019" "automations:5678") for service in "${services[@]}"; do name=$(echo $service | cut -d: -f1) port=$(echo $service | cut -d: -f2) if curl -s http://localhost:$port/health > /dev/null; then echo "✅ $name is healthy" else echo "❌ $name is unhealthy" fi done # Check dependencies echo "" echo "🔗 Dependencies:" if docker exec wildbox-postgres pg_isready > /dev/null 2>&1; then echo "✅ PostgreSQL is ready" else echo "❌ PostgreSQL is not ready" fi if docker exec wildbox-redis redis-cli ping > /dev/null 2>&1; then echo "✅ Redis is ready" else echo "❌ Redis is not ready" fi

🧠 AI-Powered Security Operations

# threat-hunting-playbook.yml name: "AI-Powered Threat Hunt" description: "Automated threat hunting using AI analysis" triggers: - type: "schedule" cron: "0 */6 * * *" # Every 6 hours steps: - name: "collect_indicators" action: "data.query" params: query: "SELECT * FROM indicators WHERE confidence > 80" limit: 1000 - name: "ai_analysis" action: "ai.analyze_batch" params: indicators: "{{collect_indicators.results}}" analysis_type: "threat_hunting" - name: "generate_report" action: "ai.generate_report" params: analysis: "{{ai_analysis.results}}" template: "threat_hunting_report" - name: "alert_analysts" action: "notifications.slack" params: channel: "#threat-hunting" message: "New threat hunting report available: {{generate_report.url}}"

Intelligent Incident Classification

# Custom AI classifier for security incidents from wildbox.ai import SecurityClassifier classifier = SecurityClassifier( model="gpt-4o", training_data="incident_history.json" ) # Classify new incidents automatically incident = { "title": "Suspicious network activity detected", "description": "Multiple failed login attempts from foreign IP", "indicators": ["192.168.1.100", "admin", "ssh"] } classification = classifier.classify(incident) # Result: {"severity": "high", "category": "brute_force", "confidence": 0.92}

🌐 Multi-Cloud Security Orchestration

Cross-Cloud Compliance Monitoring

# cloud-compliance-monitoring.yml name: "Multi-Cloud Compliance Check" description: "Monitor compliance across AWS, Azure, and GCP" triggers: - type: "schedule" cron: "0 8 * * MON" # Weekly on Monday steps: - name: "scan_aws" action: "cloud.scan" params: provider: "aws" frameworks: ["cis", "nist", "soc2"] - name: "scan_azure" action: "cloud.scan" params: provider: "azure" frameworks: ["cis", "nist", "soc2"] - name: "scan_gcp" action: "cloud.scan" params: provider: "gcp" frameworks: ["cis", "nist", "soc2"] - name: "aggregate_results" action: "compliance.aggregate" params: scans: ["{{scan_aws.id}}", "{{scan_azure.id}}", "{{scan_gcp.id}}"] - name: "generate_dashboard" action: "reporting.dashboard" params: data: "{{aggregate_results}}" template: "multi_cloud_compliance"

🔍 Advanced Threat Intelligence

# Advanced threat attribution using multiple intelligence sources from wildbox.threat_intel import ThreatAttributor attributor = ThreatAttributor( sources=["mitre_attack", "threat_groups", "malware_families"], ai_enhancement=True ) # Analyze attack patterns for attribution attack_data = { "techniques": ["T1566.001", "T1053.005", "T1055.012"], "iocs": ["bad-domain.com", "malware.exe", "192.168.1.100"], "timeline": "2024-01-15T10:30:00Z" } attribution = attributor.analyze(attack_data) # Result: { # "likely_groups": ["APT29", "FIN7"], # "confidence": 0.85, # "techniques_overlap": 0.78, # "geographic_indicators": ["Russia", "Eastern Europe"] # }

🔒 Security Best Practices

# Generate strong passwords and API keys openssl rand -base64 32 # Use environment variables for secrets export WILDBOX_API_KEY=$(openssl rand -hex 32) export JWT_SECRET=$(openssl rand -hex 64) # Enable TLS/SSL for all communications ./scripts/setup-ssl.sh --domain your-wildbox.company.com # Configure firewall rules ufw allow 22/tcp # SSH ufw allow 80/tcp # HTTP (redirect to HTTPS) ufw allow 443/tcp # HTTPS ufw deny 8000:8010/tcp # Block direct service access

# network-security.yml firewall: deny_by_default: true allowed_ports: - 22 # SSH (admin access only) - 80 # HTTP redirect - 443 # HTTPS ip_whitelist: - "10.0.0.0/8" # Internal networks - "192.168.0.0/16" # Private networks - "your.office.ip" # Office IP address rate_limiting: enabled: true requests_per_minute: 100 burst_size: 20 intrusion_detection: enabled: true block_suspicious_ips: true alert_threshold: 5

Wildbox follows a modern microservices architecture with clear separation of concerns and well-defined APIs. Each component is designed to be independently deployable, scalable, and maintainable.

graph TD subgraph "Client Layer" UI[Dashboard UI] CLI[CLI Tools] API_CLIENT[API Clients] end subgraph "Gateway Layer" GATEWAY[🚪 Security Gateway] IDENTITY[🔐 Identity Service] end subgraph "Core Services" API[🔧 Security API] DATA[📊 Data Lake] CSPM[☁️ CSPM Service] GUARDIAN[🛡️ Guardian] RESPONDER[⚡ Responder] AGENTS[🧠 AI Agents] SENSOR[📡 Sensor] end subgraph "Data Layer" POSTGRES[(PostgreSQL)] REDIS[(Redis)] ELASTICSEARCH[(Elasticsearch)] end subgraph "External Services" STRIPE[Stripe] OPENAI[OpenAI] FEEDS[Threat Feeds] CLOUD_APIS[Cloud APIs] end UI --> GATEWAY CLI --> GATEWAY API_CLIENT --> GATEWAY GATEWAY --> IDENTITY GATEWAY --> API GATEWAY --> DATA GATEWAY --> CSPM GATEWAY --> GUARDIAN GATEWAY --> RESPONDER GATEWAY --> AGENTS SENSOR --> GATEWAY API --> POSTGRES DATA --> POSTGRES CSPM --> POSTGRES GUARDIAN --> POSTGRES RESPONDER --> POSTGRES AGENTS --> POSTGRES GATEWAY --> REDIS API --> REDIS CSPM --> REDIS RESPONDER --> REDIS DATA --> ELASTICSEARCH IDENTITY --> STRIPE AGENTS --> OPENAI DATA --> FEEDS CSPM --> CLOUD_APIS

Loading Service Port Protocol Authentication

Dashboard	3000	HTTP/HTTPS	JWT + Session
API Gateway	80/443	HTTP/HTTPS	API Key + JWT
Identity Service	8001	HTTP	Internal + JWT
Security API	8000	HTTP	API Key
Data Lake	8002	HTTP	API Key
Guardian	8013	HTTP	API Key
Sensor	8004	HTTPS	Certificate
Responder	8018	HTTP	API Key
AI Agents	8006	HTTP	API Key

User Registration/Login → Identity Service issues JWT
API Key Creation → Team-scoped API keys for service access
Request Authorization → Gateway validates with Identity Service
Service Access → Authenticated requests forwarded to services

Role Dashboard API Access Team Management Billing

Owner	✅ Full	✅ Full	✅ Full	✅ Full
Admin	✅ Full	✅ Full	✅ Limited	❌ None
Member	✅ Limited	✅ Limited	❌ None	❌ None
Viewer	✅ Read-only	✅ Read-only	❌ None	❌ None

The Authentication & Authorization Hub

Purpose: Centralized identity management, JWT authentication, API key management, and subscription billing
Technology: FastAPI, PostgreSQL, Stripe, JWT
Key Features:
- User registration and authentication
- Team management with RBAC
- API key lifecycle management
- Stripe integration for subscriptions
- Rate limiting and permissions

# Start Identity Service cd open-security-identity docker-compose up -d # Access: http://localhost:8001 # API Docs: http://localhost:8001/docs

The Intelligent API Gateway

Purpose: Single entry point for all Wildbox services with advanced security and routing
Technology: OpenResty (Nginx + Lua), Redis, Docker
Key Features:
- Centralized authentication and authorization
- Plan-based feature gating (Free/Personal/Business/Enterprise)
- Dynamic rate limiting with Lua scripting
- SSL/TLS termination with security headers
- Intelligent caching and request routing
- Real-time monitoring and logging

# Start Gateway cd open-security-gateway make start # Access: https://wildbox.local # Health: https://wildbox.local/health # Features: Unified entry point for all services

The Security Toolbox

Purpose: Unified API for 50+ security tools with dynamic discovery and execution
Technology: FastAPI, Redis, Docker
Key Features:
- Dynamic tool discovery and loading
- Async tool execution with timeout handling
- Schema validation and documentation
- Web interface and API endpoints

# Start Security API cd open-security-tools make dev # Access: http://localhost:8000 # Tools: 50+ security tools available

The Intelligence Repository

Purpose: Centralized threat intelligence aggregation and serving
Technology: FastAPI, PostgreSQL, Elasticsearch, Redis
Key Features:
- 50+ threat intelligence sources
- Real-time data collection and processing
- IOC lookup and enrichment
- Geolocation and reputation scoring

# Start Data Lake cd open-security-data docker-compose up -d # Access: http://localhost:8002 # Sources: 50+ threat intelligence feeds

☁️ open-security-cspm (not implemented yet)

The Cloud Security Posture Manager

Purpose: Multi-cloud security posture management and compliance scanning
Technology: FastAPI, Celery, Redis, Python cloud SDKs
Key Features:
- Multi-cloud support (AWS, Azure, GCP)
- 200+ security checks across cloud providers
- Compliance frameworks (CIS, NIST, SOC2, PCI-DSS)
- Risk-based prioritization and scoring
- Automated remediation recommendations
- Executive dashboards and reporting

# Start CSPM Service cd open-security-cspm make start # Access: http://localhost:8019 # Features: Cloud security scanning, compliance monitoring

🛡️ open-security-guardian

The Vulnerability Manager

Purpose: Comprehensive vulnerability lifecycle management with risk-based prioritization
Technology: Django, PostgreSQL, Celery, Redis
Key Features:
- Asset discovery and inventory
- Multi-scanner integration
- Risk-based vulnerability prioritization
- Compliance framework support
- Remediation workflow automation

# Start Guardian cd open-security-guardian docker-compose up -d # Access: http://localhost:8013 # Features: Vulnerability management, compliance monitoring

The Endpoint Agent

Purpose: Lightweight endpoint monitoring and telemetry collection
Technology: osquery, Python, HTTPS
Key Features:
- Cross-platform endpoint monitoring
- Real-time telemetry collection
- Centralized configuration management
- Encrypted data transmission

# Deploy Sensor cd open-security-sensor ./scripts/deploy-agent.sh # Monitor: Real-time endpoint telemetry

⚡ open-security-responder

The Automation Engine

Purpose: SOAR platform for incident response automation
Technology: FastAPI, Dramatiq, Redis, YAML
Key Features:
- YAML-based playbook definition
- Async workflow execution
- External system integrations
- Real-time execution monitoring

# Start Responder cd open-security-responder docker-compose up -d # Access: http://localhost:8018 # Features: Playbook automation, workflow orchestration

The AI Brain

Purpose: AI-powered security analysis and automation
Technology: FastAPI, Celery, LangChain, OpenAI
Key Features:
- GPT-4 powered threat analysis
- Automated report generation
- Natural language querying
- Tool orchestration via AI

# Start AI Agents cd open-security-agents docker-compose up -d # Access: http://localhost:8006 # Features: AI-powered analysis, automated insights

🖥️ open-security-dashboard

The Command Center

Purpose: Unified web interface for the entire security platform
Technology: Next.js, TypeScript, Tailwind CSS, TanStack Query
Key Features:
- Real-time security dashboards
- Multi-service integration
- Role-based access control
- Modern responsive UI

# Start Dashboard cd open-security-dashboard npm run dev # Access: http://localhost:3000 # Features: Unified security operations center

Read Entire Article