Disclaimer: Tracecat is currently in public alpha. If you'd like to use Tracecat in production, please reach out to us on Discord or [email protected]! Want to take Tracecat for a spin? Try out our tutorials with Tracecat Cloud or self-hosted.
Tracecat is an open source automation platform for security teams. We're building the features of Tines / Splunk SOAR with:
- Enterprise-grade open source tools
- Open source AI infra and GPT models
- Practioner-obsessed UI/UX
It's designed to be simple but powerful. Security automation should be accessible to everyone, including especially understaffed small-to-mid sized teams.
Check out our quickstart and build your first AI workflow in 15 minutes. The easiest way to get started is to sign-up for Tracecat Cloud. We also support self-hosted Tracecat.
Let's automate a phishing email investigation, collect evidence, and generate a remediation plan using AI. You can follow the tutorial here.
phishing.mov
Build AI-assisted workflows, enrich alerts, and close cases fast.
- Workflows
- Drag-and-drop builder
- Core primitives (webhook, HTTP, if-else, send email, etc.)
- AI Actions (label, summarize, enrich etc.)
- Secrets
- Batch-stream data transforms (expected April 2024)
- Formulas (expected May 2024)
- Versioning (expected June 2024)
- Case management
- SMAC (status, malice, action, context)
- Suppression
- Deduplication (expected 1st week April)
- AI-assisted labelling (e.g. MITRE ATT&CK)
- Metrics
- Analytics dashboard
- Event logs
- Unlimited logs storage
- Logs search
- Visual detection rules
- Piped query language
- Data validation
- Pydantic V2 for fast data model and input / output validation in the backend
- Zod for fast form and input / output validation in the frontend
- Teams
- Collaboration
- Tenants
- AI infrastructure
- Vector database for RAG
- LLM evaluation and security
- Bring-your-own LLM (OpenAI, Mistral, Anthropic etc.)
Tracecat is not a 1-to-1 mapping of Tines / Splunk SOAR. Our aim is to give technical teams a Tines-like experience, but with a focus on open source and AI features. What do we mean by AI-native?.
Tracecat is Cloud agnostic and deploys anywhere that supports Docker. Learn how to install Tracecat locally.
- Authentication
- Supabase
- Auth.js
- Supertokens
- Deployment
- Docker Compose
- AWS
- Azure
- GCP
We are currently in Public Alpha. We don't recommend using Tracecat for production until Public Beta is out! Nevertheless, we are building remarkably fast and expect to get there in the next 3-4 months.
There are two "flavors" of Tracecat. Tracecat Embedded, which runs on a single instance and scales vertically, and Tracecat Distributed, which scales horizontally with self-healing / resillience. Tracecat Embedded is designed to run automation workflows, store event logs, and run search queries with extreme efficiency on a single instance (e.g. EC2, laptop).
Embedded Tracecat should already scale beyond Tines' free tier (3 workflows, 500 workflow runs daily) given sufficient memory, cpu, and network capacity. With Tracecat on Quickwit, you can also store events logs in S3 at unlimited scale and time length.
For enterprise use-cases that require 99.99% SLAs, however, we recommend waiting for Tracecat Distributed!
- Embedded architecture
- Flunk: homegrown workflow engine based on Flink
- LanceDB
- Polars
- Tantivy
- Distributed architecture
- Apache Flink
- LanceDB / Lantern
- Quickwit
If you'd like to stress test Tracecat, please ping us on Discord and we can help you get started!
- Public Alpha: Anyone can sign up over at tracecat.com but go easy on us, there are kinks and we are just getting started.
- Public Beta: Stable enough for most non-enteprise use-cases
- Public: Production-ready
We're currently in Public Alpha.
Join us in building a newer, more open, kind of automation platform.
- Tracecat Discord for hanging out with the community
- GitHub issues
We are working hard to reach core feature parity with Tines. Integrations and out-of-the-box automations will be prioritized according to user feedback. If you've got any suggestions, please let us know on Discord ๐ฆพ.
Here are a few integrations on our roadmap:
- Slack
- Microsoft Teams
- GitHub
- CrowdStrike
- Terraform
- AWS CloudTrail
- Vanta
Looking to report a security vulnerability? Please don't post about it in GitHub issue. Instead, refer to our SECURITY.md file.
Core features, user-interfaces, and day-to-day workflows are based on existing best-practices from best-in-class security teams. We won't throw in a Clippy chatbot just for the sake of it.
- Big enterprise SOARs are too expensive. They also lack transparency regarding their AI features.
- Open source SOARs were popular two years ago, but failed to mature from side-projects into enterprise-ready software.
- Most SIEMs are bundled with a SOAR, but lack flexibility for security teams (e.g. MSSPs) that work across multiple SIEMs or no SIEM at all.
- We love using and building open source tools.
- Existing "AI" security products hide behind demo-ware, sales calls, and white papers. We want to build in the open: open community, open tutorials, and open vision.
- Create a safe space for practioners to experiment with open source AI models in their own isolated environments.
We believe the most useful AI is "boring AI" (e.g. summarization, semantic search, data enrichment, labelling) that integrates with existing workflows, but with modern UI/UX and robust data engineering.
Whether it's big or small, we love contributions. There's plenty of opportunity for new integrations and bug fixes. The best way to get started is to ping us on Discord!
The Tracecat codebase is 100% open source under Apache-2.0. This includes (soon-to-be-built) enterprise features such as SSO and multi-tenancy. We offer a paid Cloud version for small-to-mid sized teams. Moreover, we plan to charge service fees to enterprises that want to deploy and maintain a self-hosted distributed version of Tracecat.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent