
Open source Tines / Splunk SOAR alternative



Disclaimer: Tracecat is currently in public alpha. If you'd like to use Tracecat in production, please reach out to us on Discord or [email protected]! Want to take Tracecat for a spin? Try out our tutorials with Tracecat Cloud or self-hosted.

Tracecat is an open source automation platform for security teams. We're building the features of Tines / Splunk SOAR with:

It's designed to be simple but powerful. Security automation should be accessible to everyone, especially understaffed small-to-mid-sized teams.

SOAR (Security Orchestration, Automation and Response) refers to technologies that enable organizations to automatically collect and respond to alerts across different tooling. Though Tracecat is built for security, its workflow automation and case management system can be applied to other alerting environments (e.g. site reliability engineering, DevOps, and physical systems monitoring).

Check out our quickstart and build your first AI workflow in 15 minutes. The easiest way to get started is to sign up for Tracecat Cloud. We also support self-hosted Tracecat.


Getting started

Let's automate a phishing email investigation, collect evidence, and generate a remediation plan using AI. You can follow the tutorial here.


Build AI-assisted workflows, enrich alerts, and close cases fast.

  • Workflows
    •  Drag-and-drop builder
    •  Core primitives (webhook, HTTP, if-else, send email, etc.)
    •  AI Actions (label, summarize, enrich etc.)
    •  Secrets
    •  Batch-stream data transforms (expected April 2024)
    •  Formulas (expected May 2024)
    •  Versioning (expected June 2024)
  • Case management
  • Event logs
    •  Unlimited logs storage
    •  Logs search
    •  Visual detection rules
    •  Piped query language
  • Data validation
    •  Pydantic V2 for fast data model and input / output validation in the backend
    •  Zod for fast form and input / output validation in the frontend
  • Teams
    •  Collaboration
    •  Tenants
  • AI infrastructure
    •  Vector database for RAG
    •  LLM evaluation and security
    •  Bring-your-own LLM (OpenAI, Mistral, Anthropic etc.)

Tracecat is not a 1-to-1 mapping of Tines / Splunk SOAR. Our aim is to give technical teams a Tines-like experience, but with a focus on open source and AI features. What do we mean by AI-native?


Tracecat is cloud-agnostic and deploys anywhere that supports Docker. Learn how to install Tracecat locally.

  •  Authentication
    •  Supabase
    •  Auth.js
    •  Supertokens
  •  Deployment
    •  Docker Compose
    •  AWS
    •  Azure
    •  GCP

Is Tracecat enterprise ready?

We are currently in Public Alpha. We don't recommend using Tracecat for production until Public Beta is out! Nevertheless, we are building remarkably fast and expect to get there in the next 3-4 months.

There are two "flavors" of Tracecat: Tracecat Embedded, which runs on a single instance and scales vertically, and Tracecat Distributed, which scales horizontally with self-healing / resilience. Tracecat Embedded is designed to run automation workflows, store event logs, and run search queries with extreme efficiency on a single instance (e.g. EC2, laptop).

Embedded Tracecat should already scale beyond Tines' free tier (3 workflows, 500 workflow runs daily) given sufficient memory, CPU, and network capacity. With Tracecat on Quickwit, you can also store event logs in S3 at unlimited scale and time length.

For enterprise use-cases that require 99.99% SLAs, however, we recommend waiting for Tracecat Distributed!

  •  Embedded architecture
    •  Flunk: homegrown workflow engine based on Flink
    •  LanceDB
    •  Polars
    •  Tantivy
  •  Distributed architecture
    •  Apache Flink
    •  LanceDB / Lantern
    •  Quickwit

If you'd like to stress test Tracecat, please ping us on Discord and we can help you get started!


  •  Public Alpha: Anyone can sign up over at but go easy on us, there are kinks and we are just getting started.
  •  Public Beta: Stable enough for most non-enterprise use-cases
  •  Public: Production-ready

We're currently in Public Alpha.

Community & Support

Join us in building a newer, more open, kind of automation platform.

Integrations and pre-built workflows

We are working hard to reach core feature parity with Tines. Integrations and out-of-the-box automations will be prioritized according to user feedback. If you've got any suggestions, please let us know on Discord 🦾.

Here are a few integrations on our roadmap:

  •  Slack
  •  Microsoft Teams
  •  GitHub
  •  CrowdStrike
  •  Terraform
  •  AWS CloudTrail
  •  Vanta


Looking to report a security vulnerability? Please don't post about it in a GitHub issue. Instead, refer to our file.


What does it mean to be "practitioner-obsessed"?

Core features, user-interfaces, and day-to-day workflows are based on existing best-practices from best-in-class security teams. We won't throw in a Clippy chatbot just for the sake of it.

Does the world really need another SOAR?

  • Big enterprise SOARs are too expensive. They also lack transparency regarding their AI features.
  • Open source SOARs were popular two years ago, but failed to mature from side-projects into enterprise-ready software.
  • Most SIEMs are bundled with a SOAR, but lack flexibility for security teams (e.g. MSSPs) that work across multiple SIEMs or no SIEM at all.

Why build open source?

  • We love using and building open source tools.
  • Existing "AI" security products hide behind demo-ware, sales calls, and white papers. We want to build in the open: open community, open tutorials, and open vision.
  • Create a safe space for practitioners to experiment with open source AI models in their own isolated environments.

What does AI-native mean?

We believe the most useful AI is "boring AI" (e.g. summarization, semantic search, data enrichment, labelling) that integrates with existing workflows, but with modern UI/UX and robust data engineering.


Whether it's big or small, we love contributions. There's plenty of opportunity for new integrations and bug fixes. The best way to get started is to ping us on Discord!

Open source vs paid

The Tracecat codebase is 100% open source under Apache-2.0. This includes (soon-to-be-built) enterprise features such as SSO and multi-tenancy. We offer a paid Cloud version for small-to-mid sized teams. Moreover, we plan to charge service fees to enterprises that want to deploy and maintain a self-hosted distributed version of Tracecat.


