Open-Source Collaborative Incident Response Platform

Created by incident responders for incident responders

IRIS v2.4.7 is out

New notes layout and timeline capabilities are now available. Check out the release notes for more details.


IRIS is a collaborative platform aiming to help incident responders to share technical details during investigations.
It's free and open-source.

Collaborate on incidents

The primary objective of IRIS is to facilitate collaboration among analysts during engagements by organizing and streamlining the elements involved, while allowing for flexibility in the steps taken. This is achieved without imposing any real constraints, as each team works differently.


IRIS can receive alerts from SIEM or any other sources. Alerts can then be triaged, commented, linked to cases and others alerts. Once assessed, alerts can be escalated to cases.


IRIS can be extended with custom modules to fits your needs. By default it is shipped with a VirusTotal, MISP, WebHooks and IntelOwl.


Through the API, you can manage the investigations as if you are in front of the interface. Which means IRIS can be automated and integrated with existing tools.

Easy to deploy

IRIS is deployed with Docker Compose and can be set in a few minutes. No installation hassles. It can even be installed on a small laptop for roaming investigations.

In a nutshell

IRIS helps IR teams organise and share technical details during engagements. Each team member can follow who's doing what in the investigation, add new elements to it, attribute task, and much more. It also offers reporting features, effectively reducing the post-incident phase time.

Assets, IOC, notes, timeline, evidences are among the elements the analysts can input and link together in the platform. It automatically keeps track of what is done, giving an automated follow-up to which anyone can add additional inputs.

It gives insights from previous engagements such as if an IOC or asset was already seen and compromised. It can also use external sources like VirusTotal or MISP to enrich the data. And thanks to its API and modules, one can extend its capabilities and/or integrates it with existing solutions.

IRIS can also receive alerts from other systems, such as SIEM. These alerts can be attributed, assessed, commented and merged into investigations.



Overview of the IRIS capabilities


Full featured documented API

Python client to ease integration

Python modules to process files

Python modules to process IRIS data

Case management

Full featured timeline creation

Assets and IOCs management

Notes taking

Tasks management

Evidences management

Follow up


Reports generation

Automatic follow-up

Enrichments of IOC, assets, etc

Backref of IOC, assets, etc from previous cases

Some questions you might have

You can also find more answers in the FAQ.

Supporting us

As a free and open source project, we rely on the support of our community to continue development and improve our platform. If you find the platform useful and would like to help us sustain and grow, please consider supporting us financially through OpenCollective.


They support us


Deutsche Telekom Security GmbH