Tracecat is a modern, open source workflow automation platform built for security and IT engineers. Simple YAML-based templates for integrations with a no-code UI for workflows. Executed using Temporal for scale and reliability.
We're on a mission to make security and IT automation more accessible through response-as-code. What Sigma rules did for detection and Nuclei did for vulnerability scanning, Tracecat is doing for response automation.
Important
Tracecat is in active development. Expect breaking changes with releases. Review the release changelog before updating.
Deploy a local Tracecat stack using Docker Compose. View full instructions here.
```bash
# Download Tracecat
git clone https://github.com/TracecatHQ/tracecat.git
# Setup environment variables
./env.sh
# Run Tracecat
docker compose up -d
```
Go to http://localhost to access the UI. Sign up with your email and a password (minimum 12 characters). The first user to sign up and log in becomes the superadmin for the instance. The API docs are accessible at http://localhost/api/docs.
For advanced users: deploy a production-ready Tracecat stack on AWS Fargate using Terraform. View full instructions here.
```bash
# Download Terraform files
git clone https://github.com/TracecatHQ/tracecat.git
cd tracecat/deployments/aws
# Create and add encryption keys to AWS Secrets Manager
./scripts/create-aws-secrets.sh
# Run Terraform to deploy Tracecat
terraform init
terraform apply
```
Coming soon.
Have questions? Feedback? New integration ideas for the project? Join the Tracecat Community Discord and come hang out with us.
Tracecat Registry is a collection of integration and response-as-code templates.
Response actions are organized into MITRE D3FEND categories (`detect`, `isolate`, `evict`, `restore`, `harden`, `model`) and Tracecat's own ontology of capabilities (e.g. `list_alerts`, `list_cases`, `list_users`). Template inputs (e.g. `start_time`, `end_time`) are normalized to fit the Open Cybersecurity Schema Framework (OCSF) ontology where possible.
Having thousands of out-of-the-box playbooks is an outdated and unsustainable approach to response automation. Playbooks are rigid, hard to maintain, and don't scale.
We strongly believe in a community-driven ontology for all out-of-the-box response actions. A common ontology serves as reusable building blocks for response workflows.
The future of response automation should be self-serve and reusable, where teams link pre-defined capabilities (e.g. `list_alerts` -> `enrich_ip_address` -> `block_ip_address`) into customizable workflows.
Examples
Visit our documentation on Tracecat Registry for use cases and ideas. Or check out existing open source templates in our repo.
This repo is available under the AGPL-3.0 license with the exception of the `ee` directory. The `ee` directory contains paid enterprise features requiring a Tracecat Enterprise license.
Tracecat Enterprise builds on top of Tracecat OSS, optimized for mixed ETL and network workloads at enterprise scale. Powered by serverless workflow execution (AWS Lambda and Knative) and S3-compatible object storage.
If you are interested in Tracecat's Enterprise self-hosted or managed Cloud offering, check out our website or book a meeting with us.
SSO, audit logs, and IaC deployments (Terraform, Kubernetes / Helm) will always be free and available. We're working on comprehensive documentation of Tracecat's threat model, security features, and hardening recommendations. For immediate answers to these questions, please reach out to us on Discord.
Please report any security issues to [email protected] and include `tracecat` in the subject line.
Thank you to all our amazing contributors for contributing code, integrations, and support. Open source is only possible because of you. ❤️
Tracecat is distributed under AGPL-3.0.