Continuous Application Security Monitoring on a $0 Budget
You don't need a $50k/year ASM contract to get continuous security monitoring. Here's the OpenTelemetry-based stack that works on the free tier of every component.
Application security monitoring is sold like it's enterprise-only. The marketing implies you need a $50,000/year contract, a SOC team, and an integration project. None of that is true if you're starting small. Here's the actual stack a one-person SaaS or pre-launch startup can deploy this afternoon, for nothing.
For the broader context on what ASM does and why, see the ASM pillar page.
The components
Continuous application security monitoring needs four things:
- Telemetry capture. Every request, with method, path, IP, headers, status code, and (optionally) body.
- A storage layer. Somewhere queryable, with at least 14 days of retention.
- Detection logic. Either rule-based, ML-based, or AI-assisted classification of suspicious patterns.
- An alerting/investigation surface. A dashboard or chat-based interface to act on the signals.
Each can be done free at small scale. Here's the cheapest reasonable stack.
Telemetry capture: OpenTelemetry SDK (free)
OpenTelemetry's Node SDK auto-instruments every major web framework. Install once, preload at startup:
npm install @opentelemetry/sdk-node @opentelemetry/auto-instrumentations-node
node -r @opentelemetry/auto-instrumentations-node/register app.js
This captures HTTP server spans (with method, path, status, latency), HTTP client spans, database queries, and exceptions. No code changes required, no per-request overhead beyond the standard OTel ~1ms.
For more depth in the application security context — request bodies (with redaction), full headers, IP intelligence — wrap OTel in a security-focused SDK. The SecureNow npm package does this; install adds the firewall plus richer tracing in one package.
Storage layer: SecureNow free tier or self-hosted ClickHouse
Two free options:
Option A: SecureNow free tier. 1 GB scanned per month. Covers a typical pre-launch SaaS or side project for the first 6–12 months. Sign up, point your OTel exporter at the ingestion URL, you're done.
Option B: Self-hosted ClickHouse. Run ClickHouse on a $5/month VPS or as a single Docker container. ClickHouse's storage is extremely efficient — 1 TB of compressed traces fits in roughly 100 GB of disk. The catch is operational overhead; expect 1–2 hours/month of maintenance once it's running.
If you have engineering time, self-host. If you don't, use the free tier.
Detection logic: rules + AI
Free options vary in quality. The minimum viable version is rule-based detection — alerts on patterns like:
- Authentication failure spike from a single IP / ASN
- Multiple 4xx responses to admin endpoints
- High request rate from a single source
- Requests to known-vulnerable paths (/wp-admin, /.env, /phpinfo)
These can be implemented as ClickHouse SQL queries running on a cron, or as alert rules in any modern observability tool. The free tier of SecureNow's alert rules ships with a starter set covering the patterns above.
For AI-assisted detection — the "is this an actual attack or noise?" classification — you typically need a paid tier or your own LLM API budget. Free options exist but are limited. The realistic free version is "rule-based detection that flags patterns; you investigate manually with grep."
Alerting / investigation surface
Three free options ranked by quality:
Email alerts. Configure your detection rules to send email on match. Works fine for low-volume alerts; falls apart when you're getting more than 5 per day.
Slack webhook. Free if you already have Slack. One channel, alerts post automatically. Most teams' default.
Chat-based investigation (free tier). Tools like SecureNow's AI investigation let you ask questions in plain English ("show me requests to /admin from new IPs in the last hour"). The free tier has limited queries per month but is enough for an alert-driven workflow.
The actual setup, end to end
Putting it together for a small SaaS:
# 1. Install
npm install securenow
# 2. Sign up for the free tier
npx securenow login
# 3. Run with security capture + firewall
node -r securenow/register app.js
# 4. Verify it's working
npx securenow doctor
That's it. Within minutes you have:
- Full HTTP capture (method, path, status, IP, headers)
- A 500k-IP firewall blocking known-bad traffic
- A dashboard at app.securenow.ai
- Default alert rules for credential stuffing, scanner activity, and rate-limit violations
- Free AI investigation queries (1 GB/month)
If you'd rather DIY without vendor dependencies:
# Telemetry
npm install @opentelemetry/sdk-node @opentelemetry/auto-instrumentations-node
node -r @opentelemetry/auto-instrumentations-node/register app.js
# Storage (single-container ClickHouse)
docker run -d --name clickhouse -p 9000:9000 clickhouse/clickhouse-server
# Wire OTel collector → ClickHouse
# (config not shown; standard OpenTelemetry collector setup)
# Alerts via cron + Slack webhook
# (write SQL queries against the spans table; alert on results)
The DIY version takes 1–2 days to set up and ~2 hours/month to maintain. The vendor version takes 5 minutes to set up and ~0 hours/month to maintain. Both produce equivalent security visibility.
What to monitor first (the 5 free alerts)
If you can only set up five things, set up these in order:
- Authentication failure spike. 4xx responses to /login, /auth, /api/auth/* exceeding 50 in 5 minutes from any single source.
- Admin endpoint probing. Any 401/403/404 on paths starting with /admin, /wp-admin, /phpmyadmin, /.env, /.git. These are bots.
- Error rate spike. 5xx responses exceeding your normal rate by 5×. Often the first signal of a deploy regression or active attack.
- High volume from single IP. Any single IP exceeding 1,000 requests/hour. Tune for your normal traffic.
- Suspicious user agents. Requests with user agents containing sqlmap, nikto, acunetix, masscan, python-requests/2.x (default scraper UA).
These five rules catch 80% of the threats a small SaaS will face in its first year.
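The detection-logic section above says these rules can run as cron-driven queries against the spans table; here is the same five-rule logic as an added example in plain Node (not code from the original post or from SecureNow), run over a constructed window of HTTP span records with the article's thresholds. The record shape (ip, path, status, ua), the 1% baseline 5xx rate, and the pro-rating of the hourly IP limit to a 5-minute window are assumptions of this example.

```javascript
// Added example, not from the original post or SecureNow: the five starter alert
// rules over one 5-minute window of constructed span records (ip, path, status, ua).
const ADMIN_PREFIXES = ['/admin', '/wp-admin', '/phpmyadmin', '/.env', '/.git'];
const SCANNER_UAS = ['sqlmap', 'nikto', 'acunetix', 'masscan', 'python-requests/2.'];
const AUTH_PATH = /^\/(login|auth|api\/auth\/)/;

// Count spans per key; keyFn returns undefined to skip a span.
function countBy(spans, keyFn) {
  const counts = new Map();
  for (const s of spans) {
    const k = keyFn(s);
    if (k !== undefined) counts.set(k, (counts.get(k) || 0) + 1);
  }
  return counts;
}

// Evaluate the five rules over one window of spans. baseline5xx is the normal
// 5xx fraction (assumed 1%); windowsPerHour pro-rates the 1,000 req/hour IP
// limit to the window (12 five-minute windows per hour). Returns one object per alert.
function evaluateRules(spans, { baseline5xx = 0.01, windowsPerHour = 12 } = {}) {
  const alerts = [];
  const is4xx = s => s.status >= 400 && s.status < 500;
  const isAdmin = s => [401, 403, 404].includes(s.status) && ADMIN_PREFIXES.some(p => s.path.startsWith(p));
  // 1. Authentication failure spike: more than 50 4xx on auth paths from one IP
  for (const [ip, n] of countBy(spans, s => (is4xx(s) && AUTH_PATH.test(s.path) ? s.ip : undefined)))
    if (n > 50) alerts.push({ rule: 'auth_failure_spike', ip, count: n });
  // 2. Admin endpoint probing: any 401/403/404 on a known admin prefix, grouped by IP
  for (const [ip, n] of countBy(spans, s => (isAdmin(s) ? s.ip : undefined)))
    alerts.push({ rule: 'admin_probe', ip, count: n });
  // 3. Error rate spike: 5xx fraction above five times the baseline
  const rate5xx = spans.filter(s => s.status >= 500).length / Math.max(spans.length, 1);
  if (rate5xx > 5 * baseline5xx) alerts.push({ rule: 'error_rate_spike', rate: rate5xx });
  // 4. High volume from a single IP: 1,000/hour, pro-rated to this window
  for (const [ip, n] of countBy(spans, s => s.ip))
    if (n > 1000 / windowsPerHour) alerts.push({ rule: 'high_volume_ip', ip, count: n });
  // 5. Suspicious user agents: known scanner and default-client strings, grouped by UA
  for (const [ua, n] of countBy(spans, s => (SCANNER_UAS.some(u => (s.ua || '').toLowerCase().includes(u)) ? s.ua : undefined)))
    alerts.push({ rule: 'scanner_ua', ua, count: n });
  return alerts;
}

// Constructed sample window: 60 failed logins from one IP, a bot hitting /.env,
// one scanner user agent, and ordinary traffic that should stay quiet.
const SAMPLE_SPANS = [
  ...Array.from({ length: 60 }, () => ({ ip: '203.0.113.7', path: '/login', status: 401, ua: 'Mozilla/5.0' })),
  { ip: '198.51.100.2', path: '/.env', status: 404, ua: 'Mozilla/5.0' },
  { ip: '198.51.100.9', path: '/api/items', status: 200, ua: 'sqlmap/1.7' },
  { ip: '192.0.2.5', path: '/api/items', status: 200, ua: 'Mozilla/5.0' },
];
console.log(JSON.stringify(evaluateRules(SAMPLE_SPANS), null, 2));
```

In a cron job the span array would come from the spans table for the last window, and the returned alert objects are what you would post to the Slack webhook.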
When to start paying
Move to a paid tier when:
- You've outgrown the free tier's data quota (typically at 5–50K MAU)
- Investigation by grep has become a daily chore
- You want extended retention (90+ days) for compliance
- Your team is more than 1 person and you need access controls
Most teams cross this threshold around the time they hit Series A or 1,000 paying users. Until then, the free stack is genuinely sufficient.
Frequently Asked Questions
Can application security monitoring really be done on a free tier?
Yes, for small to mid-scale applications. The OpenTelemetry SDK is free, ClickHouse can be self-hosted, and several SaaS tools (including SecureNow) offer free tiers that cover real production traffic up to ~1 GB/month.
What's the catch?
Free tiers cap the volume you can process. For a side project or pre-launch SaaS, the cap is rarely the bottleneck. For an app handling millions of requests/day, you'll outgrow the free tier in weeks.
Is the free version safe enough for production?
Yes. The detection logic is the same on free tiers as paid. The differences are usually around retention, AI investigation depth, and seat count.
When should I upgrade to paid?
When you exceed the free quota, when you need extended retention beyond 14–30 days, or when your team is large enough that you need granular access controls.