Free & Open-Source Incident Response Platform
Track incidents, map attack paths, collaborate in real time, and generate AI-powered reports — all in one place.
Many security teams still coordinate incidents through shared spreadsheets. They're familiar and fast to set up — until concurrent edits collide, context gets lost, audit trails vanish, and there's zero integration with the tools responders actually need.
SheetStorm is a free, open-source alternative purpose-built for DFIR practitioners. It covers the full NIST incident response lifecycle and is designed to be useful whether you're a solo analyst learning the ropes, a training lab instructor, or running an enterprise SOC.
Preparation → Identification → Containment → Eradication → Recovery → Lessons Learned
SheetStorm doesn't aim to replace commercial SOAR platforms. It fills the gap between ad-hoc spreadsheets and heavyweight enterprise tools — giving every responder access to structured, collaborative IR for free.
```bash
git clone https://github.com/7a336e6e/sheetstorm.git && cd sheetstorm
chmod +x start.sh && ./start.sh
```

That's it. The script generates secrets, builds 6 Docker containers, runs the database migrations, and seeds an admin user.
| Service | URL |
|---|---|
| Proxy | http://127.0.0.1:8080 |
| Frontend | http://127.0.0.1:3000 |
| API | http://127.0.0.1:5000/api/v1 |
| MCP Server | http://127.0.0.1:8811/sse |
Default login: `admin@sheetstorm.local` · password: the value of `ADMIN_PASSWORD` in `.env`
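Three sanity checks worth running right after `./start.sh`, as an added example (this is not SheetStorm's own code): that `.env` is readable by its owner only, that `ADMIN_PASSWORD` (and any other secret key you name; `JWT_SECRET_KEY` below is an assumed name, not one documented here) is neither empty nor a placeholder, and that every port the compose file publishes is bound to 127.0.0.1, matching the loopback URLs in the table above. The `KEY=VALUE` layout of `.env` and the `- host:container` port syntax are assumptions about the generated files, and the files written by `run_demo` are constructed samples. Whatever the checks say, rotate the seeded admin password after the first login.

```shell
#!/bin/sh
# Added post-install sanity checks for a SheetStorm quickstart (example code, not part of
# the SheetStorm project). Assumptions: .env holds KEY=VALUE lines (ADMIN_PASSWORD is the
# only name taken from the README; JWT_SECRET_KEY below is assumed), and the compose file
# publishes ports as "- host:container" or "- ip:host:container" under a ports: key.

# check_env_file <.env> KEY...  -> prints one line per key; returns 1 if any key is
# missing, empty, an obvious placeholder, or shorter than 16 characters.
check_env_file() {
  file=$1; shift
  rc=0
  for key in "$@"; do
    # Value after the first '=', with surrounding single or double quotes stripped.
    val=$(grep -E "^${key}=" "$file" | head -n 1 | cut -d= -f2- \
          | sed -e 's/^"//' -e 's/"$//' -e "s/^'//" -e "s/'$//")
    if [ -z "$val" ]; then
      echo "FAIL: $key is missing or empty in $file"; rc=1
    elif echo "$val" | grep -qiE '^(changeme|password|admin|secret|sheetstorm)$'; then
      echo "FAIL: $key is a placeholder value"; rc=1
    elif [ "${#val}" -lt 16 ]; then
      echo "FAIL: $key is shorter than 16 characters"; rc=1
    else
      echo "ok: $key is set"
    fi
  done
  return $rc
}

# check_env_perms <.env> -> returns 1 unless the file is readable by its owner only.
check_env_perms() {
  file=$1
  # Characters 5-10 of `ls -l` output are the group and other permission bits.
  if [ "$(ls -l "$file" | cut -c5-10)" = "------" ]; then
    echo "ok: $file is owner-only"; return 0
  fi
  echo "FAIL: $file is readable by group or others (chmod 600 $file)"; return 1
}

# check_published_ports <compose.yml> -> returns 1 if any published port is not bound
# to loopback, i.e. would be reachable from other hosts, bypassing the Nginx proxy.
check_published_ports() {
  compose=$1
  bad=0
  for entry in $(grep -E '^[[:space:]]*-[[:space:]]*"?[0-9.]*:?[0-9]+:[0-9]+"?' "$compose" \
                 | sed -e 's/^[[:space:]]*-[[:space:]]*//' -e 's/"//g'); do
    case "$entry" in
      127.0.0.1:*|localhost:*) echo "ok: $entry is bound to loopback" ;;
      *) echo "FAIL: $entry is published on all interfaces"; bad=1 ;;
    esac
  done
  return $bad
}

# Demo on constructed files (not a real SheetStorm .env or compose file): the .env has a
# placeholder admin password and the API port is published on all interfaces, so the demo
# is expected to report failures.
run_demo() {
  tmp=$(mktemp -d)
  printf 'ADMIN_PASSWORD=changeme\nJWT_SECRET_KEY=9f2c7e1a4b8d6c3e5a7f\n' > "$tmp/.env"
  chmod 600 "$tmp/.env"
  printf 'services:\n  proxy:\n    ports:\n      - "127.0.0.1:8080:80"\n  api:\n    ports:\n      - "5000:5000"\n' \
    > "$tmp/docker-compose.yml"
  status=0
  check_env_perms "$tmp/.env" || status=1
  check_env_file "$tmp/.env" ADMIN_PASSWORD JWT_SECRET_KEY || status=1
  check_published_ports "$tmp/docker-compose.yml" || status=1
  rm -rf "$tmp"
  return $status
}

if run_demo; then
  echo "all checks passed"
else
  echo "one or more checks failed"
fi
```

Run it from the repository root after `./start.sh` as `check_env_perms .env && check_env_file .env ADMIN_PASSWORD && check_published_ports docker-compose.yml`, adding the secret names your `.env` actually contains; a non-zero exit from any function is a finding to fix before putting the instance on a shared network.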
- Docker & Docker Compose v2
- 2 GB RAM minimum (4 GB recommended)
Configure via environment variables in .env or through the GUI in the platform:
| Integration | Purpose |
|---|---|
| OpenAI / Gemini | AI-generated incident reports |
| VirusTotal | IOC and file reputation lookups |
| MISP | Push IOCs to a MISP instance |
| Google Drive | Cloud artifact storage per case |
| Slack | Notification webhooks |
| S3-compatible | External artifact storage backend |
| Use Case | How SheetStorm Helps |
|---|---|
| Solo analyst / student | Practice structured IR with a real tool instead of spreadsheets |
| University / training lab | Provide students with a multi-user IR platform at zero cost |
| Small security team | Coordinate response across analysts with real-time collaboration |
| CTF / red-vs-blue exercises | Track blue-team findings with MITRE mapping and kill-chain timelines |
| Enterprise SOC (lightweight) | Quick stand-up for overflow incidents or teams evaluating IR tooling |
| Document | Description |
|---|---|
| Architecture | System design, service topology, data flow |
| API Reference | REST endpoint catalogue |
| WebSocket Events | Real-time event reference |
| Configuration | Environment variables and settings |
| Development | Local dev setup, testing, contributing |
| Roadmap | Planned features and milestones |
| MCP Server | MCP integration details |
| Layer | Technology |
|---|---|
| Frontend | Next.js 14, TypeScript, Tailwind CSS, shadcn/ui, Radix UI, Zustand |
| Backend | Python, Flask 3, SQLAlchemy, Flask-JWT-Extended, Flask-SocketIO |
| Database | PostgreSQL 16, Redis |
| AI | OpenAI GPT-4o, Google Gemini (configurable) |
| Infra | Docker Compose, Nginx reverse proxy |
| MCP | Model Context Protocol server (70+ tools) |
Contributions are welcome. Please open an issue to discuss significant changes before submitting a PR.
- Fork the repository
- Create a feature branch (`git checkout -b feature/your-feature`)
- Commit your changes
- Push and open a Pull Request
MIT — free for personal, educational, and commercial use.