The world's first all-in-one, self-hosted MQTT broker manager with built-in AI assistant, smart anomaly detection, and local automation agents.
- What is BunkerM?
- Quick Start
- Core Features
- Feature Comparison
- Community vs BunkerAI
- Troubleshooting
- Support the Project
- Contact & Links
- License
BunkerM is a free, open-source, containerized MQTT management platform. It bundles Eclipse Mosquitto with a full-featured web dashboard, packaging everything into a single Docker container: one command to get a production-ready MQTT broker with a management UI.
On top of the core broker management, BunkerM includes a local statistical engine (smart anomaly detection) and a local automation engine (schedulers and watchers) that run entirely inside your container. BunkerAI is the AI intelligence layer: an optional cloud service that adds a natural-language assistant to your BunkerM instance, reachable via Telegram, Slack, or a built-in web chat.
What you get out of the box:
- Pre-configured Eclipse Mosquitto broker (MQTT 3.1.1 + 5)
- Web-based ACL management: clients, roles, groups, topic permissions
- Real-time monitoring dashboard, connected clients, and event logs
- MQTT Explorer: live topic tree with publish-from-browser
- Statistical anomaly detection (Z-score, EWMA, spike, silence detectors)
- Local automation agents: cron schedulers and condition-based watchers
- AWS IoT Core and Azure IoT Hub bridge configuration
- Optional BunkerAI subscription: natural-language assistant powered by Claude
- Docker installed
```bash
docker run -d -p 1900:1900 -p 2000:2000 bunkeriot/bunkerm:latest
```

Open http://localhost:2000 and set up your first Admin account.
| Port | Service |
|---|---|
| 1900 | MQTT broker |
| 2000 | Web UI |
Default MQTT credentials: username bunker / password bunker
With persistent volumes:

```bash
docker run -d \
  -p 1900:1900 \
  -p 2000:2000 \
  -v mosquitto_data:/var/lib/mosquitto \
  -v mosquitto_conf:/etc/mosquitto \
  -v auth_data:/data \
  bunkeriot/bunkerm:latest
```

For remote access, set `HOST_ADDRESS`:

```bash
docker run -d \
  -p 1900:1900 \
  -p 2000:2000 \
  -e HOST_ADDRESS=<YOUR_IP_OR_DOMAIN> \
  bunkeriot/bunkerm:latest
```

With Docker Compose:

```yaml
services:
  bunkerm:
    image: bunkeriot/bunkerm:latest
    ports:
      - "1900:1900"
      - "2000:2000"
    volumes:
      - mosquitto_data:/var/lib/mosquitto
      - mosquitto_conf:/etc/mosquitto
      - auth_data:/data
    environment:
      - HOST_ADDRESS=localhost  # change to your IP/domain for remote access
      # - BUNKERAI_API_KEY=bkai_...  # optional: connect to BunkerAI
    restart: unless-stopped

volumes:
  mosquitto_data:
  mosquitto_conf:
  auth_data:
```

- Open http://localhost:2000 and create your Admin account (first-time setup wizard)
- Go to ACL → Clients and create an MQTT client with a username and password
- Connect your MQTT device or client to `localhost:1900` using those credentials
- Explore the Dashboard to see live broker stats
Real-time overview of your broker health:
- Connected clients count and history
- Message publish/receive rates
- Byte throughput (in/out)
- Subscription and retained message counts
- Recent MQTT connection events (connect, disconnect, subscribe, publish)
Full dynamic security management powered by Mosquitto's Dynamic Security plugin:
- Create, update, and delete MQTT clients
- Set credentials (username + password hash)
- Enable / disable clients individually
- Assign clients to groups
- Create roles with fine-grained topic ACL rules
- Define `allow`/`deny` permissions per topic
- Wildcard topic support (`#`, `+`)
- ACL types: `publishClientSend`, `subscribeLiteral`, and more
- Create groups and assign roles to them
- Add / remove clients from groups
- Set role priorities within groups
Back up and restore your complete security configuration in one click:
- Export: downloads a JSON snapshot of all clients (including password hashes), roles, and groups
- Import: upload a previously exported JSON to fully restore your configuration; the broker reloads automatically
- Available in ACL → Clients next to the Create Client button
Inspect and interact with live broker traffic directly from the browser:
- Live topic tree: full hierarchy of all active topics, refreshed every 3 seconds
- Per-topic metadata: latest value, message count, QoS, retain flag, last-updated timestamp
- Search & filter: instantly narrow the tree by typing a topic path fragment
- Publish panel: send messages from the browser by picking a client, entering a topic, choosing a payload type (RAW / JSON / XML with built-in validation), and setting QoS and retain flag
A fully local statistical engine that continuously monitors your MQTT traffic and raises alerts when behavior deviates from the baseline. No cloud dependency: everything runs inside the container.
The engine polls the broker every 10 seconds, builds statistical baselines over 1-hour and 24-hour sliding windows, and runs four independent detectors every 60 seconds:
| Detector | What it catches |
|---|---|
| Z-score | Values that deviate more than 3σ from the rolling mean |
| EWMA | Gradual drift via exponentially weighted moving average |
| Spike | Sudden burst in message rate (>3× the 30-minute baseline) |
| Silence | Topics that stop publishing for longer than 2× their normal interval |
Alerts are generated with severity levels: low / medium / high / critical.
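
A minimal sketch of the four detectors in the table, added here as an illustration and not taken from BunkerM's code. The 3σ, 3× and 2× thresholds come from the table; the EWMA smoothing factor `alpha`, its control-band formula, the function names and the sample data are assumptions.

```python
from math import sqrt
from statistics import mean, median, pstdev

def zscore_anomaly(window, value, k=3.0):
    """Z-score: value deviates more than k sigma from the rolling mean."""
    mu, sigma = mean(window), pstdev(window)
    return abs(value - mu) > k * sigma if sigma else value != mu

def ewma_drift_index(window, recent, alpha=0.3, k=3.0):
    """EWMA: index in `recent` where the smoothed value first leaves the
    control band mu +/- k*sigma*sqrt(alpha/(2-alpha)), else None.
    alpha and k are assumed values, not BunkerM settings."""
    mu, sigma = mean(window), pstdev(window)
    band = k * sigma * sqrt(alpha / (2 - alpha))
    ewma = mu
    for i, value in enumerate(recent):
        ewma = alpha * value + (1 - alpha) * ewma
        if abs(ewma - mu) > band:
            return i
    return None

def spike(baseline_rates, current_rate, factor=3.0):
    """Spike: message rate above factor x the 30-minute baseline rate."""
    return current_rate > factor * mean(baseline_rates)

def silent(publish_times, now, factor=2.0):
    """Silence: no message for longer than factor x the normal interval."""
    gaps = [b - a for a, b in zip(publish_times, publish_times[1:])]
    return bool(gaps) and (now - publish_times[-1]) > factor * median(gaps)

# Constructed sample data (not captured from a real broker).
BASELINE = [20.0, 20.5, 19.5, 20.2, 19.8, 20.1, 19.9, 20.0]  # payload values
DRIFTING = [20.3, 20.4, 20.5, 20.6, 20.7, 20.8]              # slow upward creep
RATES = [10, 12, 11, 9, 10]                                  # messages per minute
TIMES = [0, 60, 120, 181, 240]                               # publish times, seconds

if __name__ == "__main__":
    print("z-score 21.5:", zscore_anomaly(BASELINE, 21.5))
    print("z-score on drift:", [zscore_anomaly(BASELINE, v) for v in DRIFTING])
    print("EWMA drift at index:", ewma_drift_index(BASELINE, DRIFTING))
    print("spike at 40/min:", spike(RATES, 40))
    print("silent at t=400:", silent(TIMES, 400))
```

No single value in the drifting series trips the 3σ check, but the EWMA leaves its control band on the fourth sample, which is why the two detectors are run side by side.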
| Page | Description |
|---|---|
| Metrics | Per-topic baselines: mean, std dev, message count for 1h and 24h windows |
| Anomalies | All detected anomalies with entity, type, severity, and raw detection context |
| Alerts | Actionable alert feed with severity badges and one-click Acknowledge |
A local automation engine built into every BunkerM instance. Agents run entirely on your infrastructure, with no cloud connectivity required after creation.
Publish MQTT messages on a recurring cron schedule:
- Full cron expression support with built-in presets (every minute, hourly, daily, weekly, etc.)
- Live cron preview showing next 5 run times
- Tracks last fired time and total execution count
- Examples: "turn on pump every day at 06:00", "send heartbeat every 5 minutes"
Monitor MQTT topics and trigger actions when conditions are met:
- Condition operators: `>` `<` `>=` `<=` `==` `!=` `contains` `starts_with` `any_change`
- JSON field extraction using dot-path notation (`sensors.temperature`)
- Response message templates with `{{value}}`, `{{topic}}`, `{{timestamp}}`
- Cooldown enforcement (minimum time between triggers)
- One-shot mode (auto-delete after first trigger)
- Real-time notification bell in the dashboard (Server-Sent Events, sub-2s delivery)
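
How a watcher can evaluate untrusted payloads, as an added example rather than BunkerM's own code. The class and function names, the numeric/text split of the operators and the sample message are assumptions, and `any_change` and one-shot mode are left out.

```python
import json
import re

NUMERIC = {">": lambda a, b: a > b, "<": lambda a, b: a < b,
           ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b}
TEXT = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b,
        "contains": lambda a, b: b in a, "starts_with": str.startswith}

def extract(payload, path):
    """Follow a dot path through a JSON payload; None if invalid or missing."""
    try:
        node = json.loads(payload)
    except (TypeError, ValueError):
        return None
    for key in path.split("."):
        node = node.get(key) if isinstance(node, dict) else None
    return node

def matches(op, value, target):
    """Apply one operator; non-numeric input never matches a numeric operator."""
    try:
        if op in NUMERIC:
            return NUMERIC[op](float(value), float(target))
        return TEXT[op](str(value), str(target))
    except (TypeError, ValueError):
        return False

def render(template, **fields):
    """Fill placeholders in one pass so payload text is never expanded again."""
    return re.sub(r"\{\{(value|topic|timestamp)\}\}",
                  lambda m: str(fields[m.group(1)]), template)

class Watcher:
    def __init__(self, path, op, target, template, cooldown=60):
        self.path, self.op, self.target = path, op, target
        self.template, self.cooldown, self.last_fired = template, cooldown, None

    def on_message(self, topic, payload, now):
        """Return the rendered response, or None when the watcher stays quiet."""
        value = extract(payload, self.path)
        if value is None or not matches(self.op, value, self.target):
            return None
        if self.last_fired is not None and now - self.last_fired < self.cooldown:
            return None  # cooldown: minimum time between triggers
        self.last_fired = now
        return render(self.template, value=value, topic=topic, timestamp=now)

if __name__ == "__main__":  # constructed sample message, not real traffic
    w = Watcher("sensors.temperature", ">", 80, "{{topic}} hot: {{value}}")
    print(w.on_message("plant/boiler", '{"sensors": {"temperature": 85.5}}', 0))
```

Malformed JSON, missing fields and non-numeric values simply fail to match, so a hostile or broken publisher cannot crash the watcher or trigger it by accident.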
| | Community | BunkerAI Starter | BunkerAI Pro / Team |
|---|---|---|---|
| Agents (schedulers + watchers combined) | Up to 2 | Up to 2 | Unlimited |
| Local execution (no cloud required) | β | β | β |
| Agents kept after downgrade / offline | β | β | β |
| AI-created agents via natural language | β | β | β |
| Telegram / Slack watcher notifications | β | β | β |
Activation: A one-time free activation is required to unlock agent creation. BunkerM attempts this automatically on first start. For air-gapped deployments, create a free account at bunkerai.dev and paste your Community key into the dashboard; no ongoing internet connection is required after that.
BunkerAI is the AI intelligence layer for BunkerM. Subscribe at bunkerai.dev to unlock a natural-language assistant that reads your live broker data, publishes messages, and creates automation agents, all through plain English conversation.
BunkerM handles your local broker. BunkerAI handles the intelligence.
- READ: query live broker stats, topic payloads, connected clients, anomaly alerts, and topic annotations
- WRITE: publish MQTT messages by describing the intent ("turn on light 1", "set thermostat to 22°C")
- CREATE: build schedulers and watchers through natural conversation ("alert me if temperature exceeds 80")
| Channel | Starter | Pro / Team |
|---|---|---|
| Web Chat (built-in at AI → Chat) | β | β |
| Telegram (message your dedicated bot) | β | β |
| Slack (OAuth workspace connection) | β | β |
Configure connectors at Settings → Cloud in the dashboard.
| Plan | Monthly | Interactions / month | Channels | Agents |
|---|---|---|---|---|
| Starter | $5 | 100 | Web Chat only | Up to 2 |
| Pro | $15 | 500 | Web Chat + Telegram + Slack | Unlimited |
| Team | $49 | 2,000 | Web Chat + Telegram + Slack | Unlimited |
| Business | Custom | Custom | All channels | Unlimited |
One interaction = one complete AI request/response cycle (may involve multiple internal tool calls). Manage your subscription and credit balance at Settings → Credits in the BunkerM dashboard.
Forward MQTT traffic to major cloud providers:
- Configure AWS IoT endpoint and region
- Upload device certificates directly from the UI
- Define topic mapping rules (local → cloud)
- Secure TLS mutual authentication
- Configure IoT Hub connection string
- SAS token management and rotation
- Device-to-cloud and cloud-to-device topic routing
| Feature | Community | Pro | Enterprise |
|---|---|---|---|
| Max MQTT Clients | Unlimited | Unlimited | Unlimited |
| High Availability & Clustering | β | β | β |
| Cluster Management UI | β | β | β |
| Load Balancer | β | β | β |
| Enhanced HA Monitoring | β | β | β |
| Feature | Community | Pro | Enterprise |
|---|---|---|---|
| Client Authentication (Username + Password) | β | β | β |
| Dynamic Security Plugin | β | β | β |
| ACLs (Client, Role, Group levels) | β | β | β |
| ACL Import / Export (JSON backup & restore) | β | β | β |
| Self-Signed SSL | β | β | β |
| OAuth 2.0 / JWT Authentication | β | β | β |
| Offline Authentication | β | β | β |
| Anonymous Client Access | β | β | β |
| Client Certificate Authentication | β | β | β |
| LDAP Authentication | β | β | β |
| HTTPS/TLS Termination | β | β | β |
| Audit Trail | β | β | On-demand |
| Custom CAs | β | β | On-demand |
| PSK Authentication | β | β | On-demand |
| Feature | Community | Pro | Enterprise |
|---|---|---|---|
| Broker Dashboard & Stats | β | β | β |
| Connected Clients Listing | β | β | β |
| Real-time MQTT Event Logs | β | β | β |
| Statistical Anomaly Detection | β | β | β |
| AI Metrics Engine (1h / 24h baselines) | β | β | β |
| Smart Alert Feed with Severity Levels | β | β | β |
| BunkerAI natural-language assistant | β | BunkerAI plan | BunkerAI plan |
| Anomaly alert forwarding (Telegram / Slack) | β | BunkerAI plan | BunkerAI plan |
| Behavioral Security Analysis | β | β | β |
| AI-generated ACL Recommendations | β | β | β |
| Feature | Community / Starter | Pro / Team | Enterprise |
|---|---|---|---|
| MQTT Scheduler (cron-based publishes) | Up to 2 | Unlimited | Unlimited |
| MQTT Watcher (condition-based alerts) | Up to 2 | Unlimited | Unlimited |
| Local agent execution (no cloud required) | β | β | β |
| Agents kept after downgrade / offline | β | β | β |
| Real-time notification bell (SSE) | β | β | β |
| AI-created agents via natural language | β | β | β |
| Telegram / Slack watcher notifications | β | β | β |
| Feature | Community | Pro | Enterprise |
|---|---|---|---|
| MQTT 3.1.1 | β | β | β |
| MQTT 5 | β | β | β |
| MQTT over TLS (MQTTS) | β | β | β |
| WebSockets (WS) | β | β | β |
| WebSockets over TLS (WSS) | β | β | β |
| QoS 0 / 1 / 2 | β | β | β |
| Retained Messages | β | β | β |
| Last Will Messages | β | β | β |
| Persistent Sessions | β | β | β |
| Sparkplug | β | β | β |
| Feature | Community | Pro | Enterprise |
|---|---|---|---|
| Docker (Linux, Windows, macOS, Raspberry Pi) | β | β | β |
| Kubernetes | β | β | β |
| OpenShift | β | β | β |
| ARM / RPi native | β | β | β |
| White Labeling | β | β | β |
BunkerM Community is the free, self-hosted MQTT management platform. It is open-source and always will be.
BunkerAI is a separate, optional subscription service that adds AI intelligence to your BunkerM instance. You do not need BunkerAI to run BunkerM; it simply adds a natural-language assistant and cross-channel notifications on top.
Pay for AI intelligence. Agents are yours to keep.
- Agents (schedulers + watchers) are a local BunkerM feature. They run on your infrastructure regardless of any subscription status. Once created, agents keep executing even if you cancel BunkerAI or run out of interactions.
- BunkerAI is billed monthly by interaction quota. When your quota runs out, the AI assistant pauses; your broker, agents, and all local features continue unaffected.
- Subscribing to Pro or Team removes the 2-agent ceiling and unlocks Telegram/Slack channels in addition to the larger interaction quota.
This model is designed for self-hosted, industrial, and air-gapped environments where production automations cannot be held hostage by a billing event.
BunkerM Community requires a one-time free activation to enforce the 2-agent limit:
- BunkerM silently attempts auto-activation on first start.
- For air-gapped deployments, create a free account at bunkerai.dev, copy your Community key, and paste it into the dashboard.
- The license key is stored locally and verified offline using cryptographic signatures; BunkerAI does not need to be reachable again after activation.
| Problem | Solution |
|---|---|
| Can't reach the web UI | Check that port 2000 is not in use: `docker ps` and `lsof -i :2000` |
| MQTT clients can't connect | Verify port 1900 is mapped; check client credentials in ACL → Clients |
| Container won't start | Run `docker logs <container_id>` to inspect errors |
| Agents not firing | Confirm the container has internet access for one-time activation; check agent status in AI → Agents |
| BunkerAI not connecting | Verify `BUNKERAI_API_KEY` env var is set correctly; check Settings → Cloud status card |
| SSL/TLS errors | Ensure certificates are valid and paths are correctly mounted |
BunkerM is built and maintained by a solo developer. If it saves you time or powers your IoT projects, consider supporting its development:
Your support funds:
- New feature development
- Bug fixes and security patches
- Documentation and guides
- Community support
| Website | bunkerai.dev |
| Support | [email protected] |
| LinkedIn | mehdi-idrissi |
| GitHub | bunkeriot/BunkerM |
| Discussions | GitHub Discussions |
| X / Twitter | @BunkerIoT |
| Reddit | r/BunkerM |
This project is licensed under the Apache License 2.0: free to use, modify, and distribute, including for commercial purposes.
Made with ❤️ for the IoT community · bunkerai.dev








