Product Roadmap

A phased plan to grow Insights Plus into a stronger self-hosted detection and response platform — from automation foundations to anomaly detection and beyond.

Phase 1: Automation Foundation (Planned)
Build a reliable backend execution foundation for automation before introducing a visual flow editor.
  • Domain event publishing and PostgreSQL outbox pattern
  • Redis integration for dedupe, cooldown, and rate limiting
  • Flow definitions with schema-versioned, DAG-compatible storage
  • Execution reliability: idempotency, retry/backoff, dead-letter queue
  • Simulation endpoint and execution audit trail
Phase 2: Threat Intel Plugins (Planned)
Add a provider plugin system with high-signal, low-noise external intel aligned with UniFi observables.
  • Provider abstraction and normalized indicator schema
  • IP/CIDR feed ingestion with ThreatFox and Team Cymru Bogons
  • Matching pipeline for src/dst IP and entity-risk updates
  • Confidence fusion with existing AbuseIPDB, rDNS, ASN, and GeoIP enrichment
  • Memory-first design: DB-indexed matching and chunked ingestion
Phase 3: Incident Timeline (Planned)
Create an incident-centric timeline that correlates firewall, DNS, DHCP, WiFi, anomaly, and threat-intel events into one investigation view.
  • Incident lifecycle: open, acknowledged, resolved, suppressed
  • Timeline correlation across host, IP, MAC, and session dimensions
  • Evidence cards with source, confidence, and action history
  • Drill-down investigation APIs and UI
  • Timeline-to-automation handoff for triggering flows from incidents
Phase 4: Automation Integrations (Planned)
Deliver practical alert-response automations and external integrations using the automation foundation.
  • Action connectors: webhook, email, Slack, Discord, and Teams
  • Connector health checks and test endpoints
  • n8n and Node-RED webhook payload templates
  • Guided automation builder UI: trigger → conditions → actions
  • Redis-backed notification throttling and quiet-hour gates
Phase 5: Anomaly Detection (Planned)
Introduce high-signal anomaly detection using transparent statistical methods that are easy to explain, tune, and trust.
  • Time-bucket baselines by hour-of-week with robust z-score (MAD)
  • EWMA for burst and drift detection against recent trends
  • Novelty rules: first-seen ASN, domain, country, or device behavior
  • Peer-group comparison across similar entities
  • Explainability fields attached to every anomaly finding
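The core of the Phase 5 approach, as an added example in Python and not Insights Plus code: an hour-of-week bucket, a median/MAD robust z-score against that bucket's baseline, an EWMA check for bursts against the recent trend, and a finding that carries the numbers behind the verdict. The thresholds, the MIN_WEEKS guard, the MAD floor and the sample counts are assumptions.

```python
from statistics import median
from typing import List, Optional

MAD_SCALE = 1.4826   # scales MAD so it is comparable to sigma on normal data
MIN_WEEKS = 4        # assumed guard: refuse to score a bucket with too little history

def hour_of_week(ts: int) -> int:
    """Map a Unix timestamp to its 0..167 hour-of-week bucket (Monday 00:00 = 0)."""
    hours = ts // 3600
    weekday = (hours // 24 + 3) % 7          # 1970-01-01 was a Thursday
    return weekday * 24 + hours % 24

def robust_z(history: List[float], value: float, mad_floor: float = 1.0):
    """Return (z, median, scaled MAD). Median/MAD barely moves when a past
    week contained an incident, unlike a mean/stddev baseline."""
    med = median(history)
    mad = max(MAD_SCALE * median(abs(x - med) for x in history), mad_floor)
    return (value - med) / mad, med, mad    # floor keeps flat baselines from dividing by zero

def ewma(series: List[float], alpha: float = 0.3) -> float:
    """Exponentially weighted moving average; larger alpha reacts faster to bursts."""
    level = series[0]
    for x in series[1:]:
        level = alpha * x + (1 - alpha) * level
    return level

def score(entity: str, ts: int, value: float, weekly_history: List[float],
          recent: List[float], z_thresh: float = 3.5, burst: float = 2.0) -> Optional[dict]:
    """Score one count against its hour-of-week baseline and the recent EWMA trend.
    Returns a finding carrying the numbers behind the verdict, or None if normal."""
    if len(weekly_history) < MIN_WEEKS:
        return None
    z, med, mad = robust_z(weekly_history, value)
    trend = ewma(recent)
    ratio = value / trend if trend > 0 else float("inf")
    reasons = []
    if z >= z_thresh:
        reasons.append(f"robust_z {z:.1f} >= {z_thresh} against hour-of-week baseline")
    if ratio >= burst:
        reasons.append(f"{ratio:.1f}x the recent EWMA level of {trend:.1f}")
    if not reasons:
        return None
    return {"entity": entity, "bucket": hour_of_week(ts), "observed": value,
            "baseline_median": med, "baseline_mad": round(mad, 3), "robust_z": round(z, 2),
            "ewma_recent": round(trend, 2), "burst_ratio": round(ratio, 2),
            "method": "hour_of_week_mad+ewma", "reasons": reasons}

# Constructed sample: DNS queries/hour for one device in the same hour of 8 prior weeks,
# then the six hours immediately before the observation being scored.
HISTORY = [40, 42, 38, 45, 41, 39, 44, 43]
RECENT = [40, 44, 41, 43, 39, 42]
```

Scoring an observed count of 120 with `score("mac:aa:bb:cc:dd:ee:ff", 1_700_000_000, 120, HISTORY, RECENT)` yields a finding with both reasons populated, while a count of 44 returns None; the `reasons` list and baseline fields are what an analyst reads to decide whether to tune the threshold.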
Phase 6: Starter Templates (Planned)
Provide one-click deployable baseline packs so users get operational value quickly with minimal setup.
  • Template packaging format and automated installer
  • Homelab, Small Business, and MSP/Multi-site baseline packs
  • Dry-run preview before applying templates
  • Post-install drift reporting and safe re-apply
  • Template upgrade path with version tracking
Phase 7: Monetized Services (Planned)
Monetize through managed services and operational value while keeping the local self-hosted runtime transparent.
  • Managed threat intel aggregation API
  • Curated detection and template packs
  • Hosted enrichment and long-retention analytics
  • Premium support and SLA tiers
  • Entitlement checks for remote services only — no hidden local locks