At a Glance:
Tracecat is an open source, agentic security automation platform that combines AI agents, low-code workflows, case management, and 100+ integrations, designed to be self-hosted via Docker or Kubernetes for technical teams.
Overview:
Tracecat is an open source security automation platform built for security teams and AI agents. It consolidates multiple capabilities into a single system, allowing users to build prompt-based agents, design low-code workflows with durable execution, manage security cases, and connect to over 100 external tools. The platform supports a code-native approach, letting users sync custom Python scripts from a Git repository to power agent tools and workflow steps. Tracecat runs sandboxed-by-default using nsjail and is built on Temporal for reliable execution. It can be self-hosted on Docker, Kubernetes, or AWS Fargate, and exposes an MCP server to allow interaction from external agent harnesses.
Key Decision Points:
Self-hosted deployment: Runs on Docker, Kubernetes, or AWS Fargate, catering to teams that manage their own infrastructure.
Agent-driven automation: Users can build custom agents with prompts and tools, and the platform itself is accessible via an MCP server from other agent harnesses like Claude Code or Codex.
Sandboxed execution: Runs untrusted code and agents within nsjail sandboxes, which is a critical consideration for running community or AI-generated scripts.
Code-native extensibility: Custom Python scripts can be synced from a Git repository and directly turned into agent tools and workflow steps via a custom registry.
All-in-one architecture: Combines agents, workflows, lookup tables, and case management in a single platform, eliminating the need for separate tools. Human-in-the-loop approvals for sensitive actions are an enterprise-only feature.
Core Features:
Prompt-based agents: Build custom agents with defined prompts, tools, and chat interfaces that can connect to any MCP server.
Low-code workflow builder: Design automations with complex control flow like if-conditions and loops, backed by Temporal for durable execution.
Case management: Track, automate, and resolve work items directly within the platform using agents and workflows.
MCP server interface: Interact with and manage Tracecat from external agent harnesses using its native MCP server.
Custom registry: Convert Python scripts from a user-controlled Git repository into reusable agent tools and workflow steps.
100+ pre-built integrations: Connect to enterprise tools using a wide array of protocols including HTTP, SMTP, gRPC, and OAuth.
Use Cases:
Developers and security engineers can build end-to-end automations, from triaging alerts to generating reports, using a combination of custom Python scripts and low-code workflows.
Teams managing their own infrastructure can deploy a self-hosted, all-in-one automation platform that handles both AI-driven tasks and structured case management without relying on a separate SaaS.
Users of AI coding assistants can interface with Tracecat through its MCP server, allowing agents in harnesses like Claude Code to directly trigger and manage security workflows.
Open-Source Alternative Value:
As an open source platform, Tracecat offers a self-hostable option that combines agentic AI and security automation in one system, which can be customized through a code-native registry that syncs user-created Python scripts from Git. Its sandboxed-by-default execution model, using nsjail for untrusted code, provides a specific architecture for safely running community or AI-generated automations that is transparent in its implementation. The platform includes SAML/OIDC support without an enterprise surcharge and exposes audit logs for SIEM export, aspects often locked behind paid tiers in comparable SaaS automation products.
