Disclaimer: Tracecat is currently in public alpha. If you'd like to use Tracecat in production, please reach out to us on Discord or [email protected]! Want to take Tracecat for a spin? Try out our tutorials with Tracecat Cloud or self-hosted.
Tracecat is an open source automation platform for security teams. We're building the features of Tines / Splunk SOAR with:
- Enterprise-grade open source tools
- Open source AI infra and GPT models
- Practitioner-obsessed UI/UX
It's designed to be simple but powerful. Security automation should be accessible to everyone, especially understaffed small-to-mid sized teams.
Check out our quickstart and build your first AI workflow in 15 minutes. The easiest way to get started is to sign-up for Tracecat Cloud. We also support self-hosted Tracecat.
Note
SOAR (Security Orchestration, Automation and Response) refers to technologies that enable organizations to automatically collect and respond to alerts across different security tooling (e.g. CrowdStrike, Microsoft Defender, SIEM) and data sources (e.g. AWS CloudTrail, Okta system logs).
Let's automate a phishing email investigation, collect evidence, and generate a remediation plan using AI. You can follow the tutorial here.
Build AI-assisted workflows, enrich alerts, and close cases fast.
- Workflows
  - Drag-and-drop builder
  - Core primitives (webhook, HTTP, if-else, send email, etc.)
  - AI Actions (label, summarize, enrich, etc.)
  - Secrets
  - Batch-stream data transforms (expected April 2024)
  - Formulas (expected May 2024)
  - Versioning (expected June 2024)
- Case management
  - SMAC (status, malice, action, context)
  - Suppression
  - Deduplication (expected 1st week of April)
  - AI-assisted labelling (e.g. MITRE ATT&CK)
- Metrics
  - Analytics dashboard
- Event logs
  - Unlimited logs storage
  - Logs search
  - Visual detection rules
  - Piped query language
- Data validation
  - Pydantic V2 for fast data model and input / output validation in the backend
  - Zod for fast form and input / output validation in the frontend
- Teams
  - Collaboration
  - Tenants
- AI infrastructure
  - Vector database for RAG
  - LLM evaluation and security
  - Bring-your-own LLM (OpenAI, Mistral, Anthropic, etc.)
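The SOAR definition in the note above (collect alerts across tooling and data sources, then act on them) and the case-management items in this list (SMAC, suppression, deduplication) describe an intake pipeline that the page does not show in code. The following is an added example and is not Tracecat's code: it normalizes a constructed CloudTrail event and a constructed Okta System Log event into SMAC cases, applies a suppression rule, and collapses replayed deliveries by fingerprint within a time window. It uses standard-library dataclasses rather than the Pydantic V2 models the backend uses, so that it runs stand-alone; the trimmed field names, the scanner address `SCANNER_IP` and the suppression rule are assumptions.

```python
"""Alert intake for a SOAR-style case queue: normalize events from two sources into
SMAC cases, then suppress and deduplicate them before an analyst sees them.
Added example using only the standard library; it is not Tracecat code."""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional

# Constructed sample events (not captured logs); field names follow the public
# CloudTrail and Okta System Log schemas, trimmed to what the normalizers read.
SAMPLE_CLOUDTRAIL = {
    "eventTime": "2024-04-01T10:00:00Z", "eventName": "ConsoleLogin",
    "sourceIPAddress": "203.0.113.5", "userIdentity": {"userName": "alice"},
    "responseElements": {"ConsoleLogin": "Failure"},
}
SAMPLE_OKTA = {
    "published": "2024-04-01T10:00:30.000Z", "eventType": "user.session.start",
    "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"},
    "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.5"},
}
SCANNER_IP = "198.51.100.9"  # assumed address of an internal scanner whose noise we suppress

@dataclass
class Case:
    """SMAC case: status, malice and action, plus the context that justifies them."""
    source: str
    title: str
    observed_at: datetime
    status: str = "open"
    malice: str = "unknown"
    action: str = "triage"
    context: dict = field(default_factory=dict)
    count: int = 1  # raw events collapsed into this case

    def fingerprint(self) -> str:
        # Dedup key: same source, title, user and IP is the same incident whatever the
        # timestamp; sorted JSON keeps the hash independent of dict ordering.
        key = {"source": self.source, "title": self.title,
               "user": self.context.get("user"), "ip": self.context.get("ip")}
        return hashlib.sha256(json.dumps(key, sort_keys=True).encode()).hexdigest()

def _parse_ts(value: str) -> datetime:
    # fromisoformat() before Python 3.11 rejects a trailing "Z", so spell out the offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def normalize_cloudtrail(event: dict) -> Optional[Case]:
    """Failed console logins become cases; every other CloudTrail event is dropped."""
    if (event.get("eventName") != "ConsoleLogin"
            or event.get("responseElements", {}).get("ConsoleLogin") != "Failure"):
        return None
    return Case(source="aws_cloudtrail", title="Failed AWS console login",
                observed_at=_parse_ts(event["eventTime"]),
                context={"user": event.get("userIdentity", {}).get("userName"),
                         "ip": event.get("sourceIPAddress")})

def normalize_okta(event: dict) -> Optional[Case]:
    """Failed Okta sign-ins become cases; other event types are dropped."""
    if (event.get("eventType") != "user.session.start"
            or event.get("outcome", {}).get("result") != "FAILURE"):
        return None
    return Case(source="okta", title="Failed Okta sign-in",
                observed_at=_parse_ts(event["published"]),
                context={"user": event.get("actor", {}).get("alternateId"),
                         "ip": event.get("client", {}).get("ipAddress"),
                         "reason": event.get("outcome", {}).get("reason")})

class CaseManager:
    """Applies suppression rules first, then deduplicates within a time window."""
    def __init__(self, dedup_window: timedelta = timedelta(minutes=10)):
        self.dedup_window = dedup_window
        self.cases: Dict[str, Case] = {}  # fingerprint -> open case
        self.suppressed: List[Case] = []
        self.rules: List[Callable[[Case], bool]] = []

    def ingest(self, case: Optional[Case]) -> str:
        """Returns what happened: dropped, suppressed, deduplicated or created."""
        if case is None:
            return "dropped"
        if any(rule(case) for rule in self.rules):
            case.status, case.action = "closed", "suppressed"  # kept for audit, out of the queue
            self.suppressed.append(case)
            return "suppressed"
        fp = case.fingerprint()
        existing = self.cases.get(fp)
        if existing and case.observed_at - existing.observed_at <= self.dedup_window:
            existing.count += 1
            return "deduplicated"
        self.cases[fp] = case  # new incident, or a repeat outside the window
        return "created"

def run_demo() -> dict:
    mgr = CaseManager()
    mgr.rules.append(lambda c: c.context.get("ip") == SCANNER_IP)
    results = [
        mgr.ingest(normalize_cloudtrail(SAMPLE_CLOUDTRAIL)),
        mgr.ingest(normalize_cloudtrail(SAMPLE_CLOUDTRAIL)),  # replayed webhook delivery
        mgr.ingest(normalize_okta(SAMPLE_OKTA)),
        mgr.ingest(normalize_okta({**SAMPLE_OKTA, "client": {"ipAddress": SCANNER_IP}})),
        mgr.ingest(normalize_cloudtrail({**SAMPLE_CLOUDTRAIL, "eventName": "DescribeInstances"})),
    ]
    return {"results": results, "open_cases": len(mgr.cases),
            "suppressed": len(mgr.suppressed), "max_count": max(c.count for c in mgr.cases.values())}
```

Fingerprinting on the source, identity and IP rather than on the raw payload is what lets dedup survive a replayed webhook whose timestamp or request ID differs, and suppression runs before dedup so that suppressed noise never inflates the count on a real case. Calling `run_demo()` yields `created, deduplicated, created, suppressed, dropped` for the five events, two open cases, and one suppressed case.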
Tracecat is not a 1-to-1 mapping of Tines / Splunk SOAR. Our aim is to give technical teams a Tines-like experience, but with a focus on open source and AI features. What do we mean by AI-native?
Tracecat is cloud-agnostic and deploys anywhere that supports Docker. Learn how to install Tracecat locally.
- Deployment
- Docker Compose
- AWS
- Azure
- GCP
- Public Alpha: Anyone can sign up over at tracecat.com but go easy on us, there are kinks and we are just getting started.
- Public Beta: Stable enough for most non-enterprise use-cases
- Public: Production-ready
We're currently in Public Alpha.
Join us in building a newer, more open kind of automation platform.
- Tracecat Discord for hanging out with the community
- GitHub issues
We are working hard to reach core feature parity with Tines. Integrations and out-of-the-box automations will be prioritized according to user feedback. If you've got any suggestions, please let us know on Discord 🦾.
Here are a few integrations on our roadmap:
- Slack
- Microsoft Teams
- GitHub
- CrowdStrike
- Terraform
- AWS CloudTrail
- Vanta
Please do not file GitHub issues or post on our public forum for security vulnerabilities, as they are public!
Tracecat takes security issues very seriously. If you have any concerns about Tracecat or believe you have uncovered a vulnerability, please get in touch via the e-mail address [email protected]. In the message, try to provide a description of the issue and ideally a way of reproducing it. The security team will get back to you as soon as possible.
Note that this security address should be used only for undisclosed vulnerabilities. Please report any security problems to us before disclosing them publicly.
Core features, user-interfaces, and day-to-day workflows are based on existing best-practices from best-in-class security teams. We won't throw in a Clippy chatbot just for the sake of it.
- Big enterprise SOARs are too expensive. They also lack transparency regarding their AI features.
- Open source SOARs were popular two years ago, but failed to mature from side-projects into enterprise-ready software.
- Most SIEMs are bundled with a SOAR, but lack flexibility for security teams (e.g. MSSPs) that work across multiple SIEMs or no SIEM at all.
- We love using and building open source tools.
- Existing "AI" security products hide behind demo-ware, sales calls, and white papers. We want to build in the open: open community, open tutorials, and open vision.
- Create a safe space for practitioners to experiment with open source AI models in their own isolated environments.
We believe the most useful AI is "boring AI" (e.g. summarization, semantic search, data enrichment, labelling) that integrates with existing workflows, but with modern UI/UX and robust data engineering.
Whether it's big or small, we love contributions. There's plenty of opportunity for new integrations and bug fixes. The best way to get started is to ping us on Discord!
The Tracecat codebase is 100% open source under Apache-2.0. This includes (soon-to-be-built) enterprise features such as SSO and multi-tenancy. We offer a paid Cloud version for small-to-mid sized teams. Moreover, we plan to charge service fees to enterprises that want to deploy and maintain a self-hosted distributed version of Tracecat.