We're excited to share Gulp — an open-core platform for incident response and threat hunting we've been building for the past 2 years at Mentat (https://mentat.is), a small Italian cybersecurity company.
The problem: We were frustrated with existing IR tools. They're either too slow, make real-time collaboration painful during live incidents, or force you to fight with different log formats instead of actually investigating.
What Gulp does differently:
- Visual timeline analysis — Our color-coded timeline visualization lets you spot anomalies instantly. Instead of drowning in raw logs, suspicious events, correlations, and IoCs literally jump out at you. Different colors tell different stories; one look tells you where to dig.
- Actually fast — Built on OpenSearch 3.x, PostgreSQL and Redis. Horizontal scaling via load-balanced instances when you need to handle serious volume.
- Real-time collaboration — Multiple analysts working the same incident, synchronized timelines, shared notes. No more "wait, which events were you looking at?"
- Native format support — EVTX, PCAP, Suricata, Zeek, Elasticsearch, Wazuh, and more out of the box. Plus ECS mapping, SIGMA rules, and OpenSearch queries.
- AI-powered hunting — Built-in AI Assistant plugin (free in Community Edition) that flags suspicious events and correlates across sources. One click to find shared indicators.
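To make the "ECS mapping + SIGMA rules" combination concrete, here is an added example (not Gulp's code, not from the Mentat repos): a constructed Windows process-creation event is renamed into ECS fields through a hypothetical mapping table, then a small Sigma-style rule is evaluated against it. The rule, the mapping table and the sample event are all made up for the illustration, and only a subset of the Sigma specification is implemented (`selection`/`filter` maps, `contains`/`startswith`/`endswith` modifiers, list values as OR, a `condition` built from identifiers joined with `and`/`not`). Real Sigma rules are written against the log source's own field names and the backend translates them; writing the rule directly against ECS names keeps the example short.

```python
"""Added illustration: map a raw Windows event to ECS names, then evaluate a
minimal Sigma-style detection over the mapped event. Not Gulp's implementation."""
from typing import Any, Optional

# Constructed sample event, as a collector might deliver it before any mapping.
# Field names follow the Windows Security log (4688 = process creation).
RAW_EVENT = {
    "EventID": 4688,
    "Computer": "WS01.corp.example",
    "SubjectUserName": "alice",
    "NewProcessName": r"C:\Windows\System32\cmd.exe",
    "CommandLine": "cmd.exe /c whoami",
    "ParentProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
}

# Hypothetical vendor-field -> ECS-field table (a real mapping is far larger).
ECS_MAP = {
    "EventID": "event.code",
    "Computer": "host.name",
    "SubjectUserName": "user.name",
    "NewProcessName": "process.executable",
    "CommandLine": "process.command_line",
    "ParentProcessName": "process.parent.executable",
}


def to_ecs(raw: dict[str, Any]) -> dict[str, Any]:
    """Rename known fields to ECS; keep unknown ones under winlog.event_data.*"""
    return {ECS_MAP.get(k, f"winlog.event_data.{k}"): v for k, v in raw.items()}


# Constructed Sigma-style rule expressed against ECS field names.
RULE = {
    "title": "cmd.exe spawned by PowerShell (illustrative)",
    "detection": {
        "selection": {
            "event.code": 4688,
            "process.parent.executable|endswith": "\\powershell.exe",
            "process.executable|endswith": ["\\cmd.exe", "\\cmd"],
        },
        "filter": {"user.name": "SYSTEM"},
        "condition": "selection and not filter",
    },
}


def _value_matches(actual: Any, expected: Any, modifier: Optional[str]) -> bool:
    """Sigma string matching is case-insensitive; unset fields never match."""
    if actual is None:
        return False
    a, e = str(actual).casefold(), str(expected).casefold()
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    if modifier is None:
        return a == e
    raise ValueError(f"unsupported modifier: {modifier}")


def _selection_matches(selection: dict[str, Any], event: dict[str, Any]) -> bool:
    """Every key must match (AND); a list value matches if any element does (OR)."""
    for spec, expected in selection.items():
        field, _, modifier = spec.partition("|")
        candidates = expected if isinstance(expected, list) else [expected]
        if not any(_value_matches(event.get(field), c, modifier or None) for c in candidates):
            return False
    return True


def rule_matches(rule: dict[str, Any], event: dict[str, Any]) -> bool:
    """Evaluate the condition subset: identifiers joined by 'and', optional 'not'."""
    detection = rule["detection"]
    result: Optional[bool] = None
    negate = False
    for token in detection["condition"].split():
        if token == "and":
            continue
        if token == "not":
            negate = True
            continue
        value = _selection_matches(detection[token], event)
        if negate:
            value, negate = not value, False
        result = value if result is None else (result and value)
    return bool(result)


if __name__ == "__main__":
    mapped = to_ecs(RAW_EVENT)
    print(mapped["process.parent.executable"], "->", rule_matches(RULE, mapped))
```

The mapping step is where most real-world pain lives: the same fact (a parent process path) arrives as `ParentProcessName` from EVTX, `ParentImage` from Sysmon and `proc.pname` from other sensors, and a rule evaluated after normalisation only has to know the ECS name. The unmapped-field fallback (`winlog.event_data.*`) is deliberate so that nothing is silently dropped during ingestion.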
New in 1.6.0: Rewritten collaboration engine with WebSocket-based real-time updates, real-time network sensor ingestion (see https://github.com/mentat-is/slurp-ebpf for a working eBPF example), new plugins (Suricata, MemProcFS, Zeek, AI Assistant), manual query mode + table view, and auto-saved sessions.
Gulp uses an open core model. The Community Edition is fully open source (AGPL). We also offer a Pro version with advanced plugins for better AI features, automated reporting, Velociraptor integration, plus dedicated support.
Repos: https://github.com/mentat-is/gulp (backend) and https://github.com/mentat-is/gulpui-web (web UI)
Handling an incident with Gulp: https://www.youtube.com/watch?v=fl_jtCIIS2k
This is our first major public push — we've been iterating quietly and now feel it's ready for wider use. If you do DFIR or threat hunting, we'd genuinely love your feedback. GitHub stars, issues, and PRs absolutely welcome!