Tracecat

Open-source agentic security automation platform that runs AI agents and durable workflows at scale with sandboxed execution.

3.7Kstars
384forks
GNU AGPLv3
Python

Tracecat is an open-source security automation platform purpose-built for teams and AI agents who need to operate at the speed of modern threats. It lets security and IT teams turn natural-language prompts into end-to-end automations—combining agents, workflows, lookup tables, and case management in a single self-hosted platform without paying a per-seat SSO tax or relying on fragile SaaS integrations.

At its core, Tracecat pairs Temporal for durable, fault-tolerant workflow orchestration with nsjail-based process sandboxing that isolates untrusted code and agent tool calls at the kernel level. Every action runs inside a seccomp-filtered, namespace-isolated sandbox so that a compromised integration cannot reach your secrets or database. The warm worker pool architecture keeps nsjail instances alive between tasks, bringing per-action overhead down from several seconds to under 200 milliseconds.

The platform ships a low-code workflow builder with real if-conditions, loops, and parallel subflows, plus a custom Python registry that lets teams pull their existing scripts from Git and expose them as typed workflow steps or agent tools without rewriting a line. Agents are first-class citizens: they can invoke MCP servers over HTTP/OAuth or local npx/uvx commands, hand off to sub-agents, and pause for human approval before executing sensitive actions.

Tracecat supports self-hosting on Docker Compose, AWS Fargate, or Kubernetes and connects to over 100 enterprise tools via HTTP, OAuth, SMTP, and gRPC connectors. Enterprise features—fine-grained RBAC/ABAC, workflow version control synced to Git, and a managed Cloud option with US or EU hosting—are available under a separate paid license on top of the AGPL-3.0 core.

What You Get

  • AI Agents - Build custom agents with system prompts, tool sets, and chat interfaces; attach any MCP server (remote HTTP/OAuth or local via npx/uvx) or invoke sub-agents and preset agent catalogs from a shared library.
  • Durable Workflow Engine - Author low-code automations with full control flow—if-conditions, for loops, parallel subflows, and retry policies—all executed by Temporal so runs survive worker restarts and transient failures.
  • Case Management - Manage security incidents end-to-end with assignable work items, timeline views, AI-generated summaries and containment plans, and programmatic status transitions triggered by workflow actions.
  • 100+ Enterprise Integrations - Connect to Gmail, Slack, SIEMs, IAM systems, ticketing platforms, and cloud providers via pre-built HTTP, OAuth, SMTP, and gRPC connectors without writing boilerplate auth code.
  • nsjail Sandboxed Execution - Every agent tool call and custom script runs inside a Linux namespace-isolated, seccomp-filtered nsjail sandbox with no access to database credentials or host secrets.
  • Custom Python Registry - Import your existing Python scripts directly from a Git repository and expose them as typed workflow steps or agent tools, versioned and reproducible across environments.
  • Lookup Tables - Store and query structured reference data—IP allowlists, user mappings, asset inventories—and reference them dynamically inside workflow expressions and agent prompts.
  • Human-in-the-Loop Approvals - Gate sensitive tool calls behind a unified inbox, Slack message, or email approval step; agents pause and resume automatically when a reviewer acts.
  • Workflow Version Control - Sync workflow definitions to GitHub, GitLab, or Bitbucket for change tracking, code review, and CI/CD-driven promotion across environments.
  • MCP Server Exposure - Use Tracecat itself as an MCP server so external agent harnesses (Claude Code, Codex, OpenCode) can trigger workflows and query case data through a standard protocol.
  • Audit Logs & SIEM Export - Stream all workflow, agent, and case events to your SIEM for compliance reporting and threat hunting without additional middleware.

Common Use Cases

  • Phishing triage and containment - A SOC analyst configures a workflow that fires when a Slack alert flags a suspicious email; Tracecat automatically isolates the sender’s Gmail account, enriches the indicators via a VirusTotal connector, and opens a case with an AI-generated timeline—all within 30 seconds.
  • SaaS IAM drift remediation - A cloud security engineer builds an agent that watches for IAM policy changes in AWS, scores them for risk using an LLM step, and pauses for human approval before revoking permissions, keeping an audit trail in the case management system.
  • IT service request fulfillment at scale - An IT team routes Slack-submitted requests through a lookup table to determine provisioning rules, then runs parallel subflows to create accounts in Active Directory, assign license groups in Microsoft 365, and send a confirmation email—replacing a manual queue with a fully automated pipeline.
  • Vulnerability alert deduplication and prioritization - A security engineer deploys a workflow that ingests scanner alerts, deduplicates them against a lookup table of known exceptions, enriches each finding with asset criticality data, and assigns severity-ranked cases to the right team members automatically.

Under The Hood

Architecture Tracecat is structured as a Python monorepo with distinct layers for the API service, DSL workflow engine, executor backends, and agent runtime, each enforcing clear separation of concerns through dependency injection via FastAPI. The workflow engine serializes Temporal workflow definitions into a custom DSL that encodes actions, control flow, and sub-agent calls, then dispatches each action as a Temporal activity to a dedicated executor task queue. The executor tier selects one of four interchangeable backends—warm nsjail pool, ephemeral cold nsjail subprocess, direct subprocess, or in-process test runner—through a strategy pattern, allowing the system to swap isolation levels without changing workflow logic. An enterprise edition directory layers RBAC, human-in-the-loop approvals, and workspace-scoped access control on top of the open-source core without modifying it.

Tech Stack The backend runs on Python 3.12 with FastAPI and SQLAlchemy 2.0 using asyncpg for fully async PostgreSQL access, with Alembic managing schema migrations including PostgreSQL-native enum handling. Temporal provides distributed workflow orchestration and guarantees exactly-once activity execution. Agent inference uses both pydantic-ai and the claude-agent-sdk, with LiteLLM as a proxy layer enabling model routing across Anthropic, OpenAI, Bedrock, and Gemini without code changes. Sandboxing is implemented through nsjail with custom seccomp profiles and a warm worker pool that pre-imports Python dependencies to cut per-action latency from several seconds to under 200 milliseconds. The frontend is Next.js with TypeScript, React Query, and ShadCN UI; MinIO provides S3-compatible object storage and Redis handles caching, pub/sub, and OAuth state.

Code Quality The codebase demonstrates comprehensive testing discipline across unit, integration, stress, and temporal-specific test suites, with custom pytest markers separating live-network, database, LLM, and sandbox tests from pure unit tests. Type safety is enforced pervasively through Pydantic v2 models for every API boundary, DSL schema, and agent configuration, with strict runtime validation for secrets and workflow definitions. Error handling is explicit throughout: Temporal activity errors are caught and rethrown as structured ApplicationError instances, executor backends return typed result objects, and the API layer uses custom exception handlers that log structured context without leaking internals. The executor worker module ships an ASCII diagram of its own architecture in a docstring, reflecting a culture of internal documentation. CI pipelines enforce linting, formatting, and test execution across the monorepo.

What Makes It Unique The combination of Temporal-backed durability with kernel-level nsjail sandboxing is rare in the automation category: most competitors either run code in-process without isolation or offload to heavyweight VMs. Tracecat’s warm nsjail pool architecture keeps sandbox processes alive between tasks, resolving the cold-start penalty that makes ephemeral isolation impractical for high-frequency alert pipelines. The MCP server exposure—allowing external agent harnesses to call Tracecat as a tool—inverts the typical integration pattern so that Tracecat participates in third-party agent graphs rather than only owning them. The code-native Git registry means teams bring their existing Python tooling into the platform without rewriting it as no-code blocks, preserving institutional knowledge and enabling version-controlled tool evolution alongside workflow definitions.

Self-Hosting

Tracecat’s open-source core is released under the GNU Affero General Public License v3.0, which means the source code is freely available to inspect, modify, and deploy. The AGPL requires that if you run a modified version of the software as a network service, you must make your modifications available under the same license. For most self-hosting teams running Tracecat internally this copyleft clause has no practical effect, but organizations that intend to build a commercial product or managed service on top of Tracecat would need to negotiate a commercial license. Importantly, the enterprise edition—under the packages/tracecat-ee directory—is explicitly carved out of the AGPL and governed by a proprietary Tracecat Enterprise License that prohibits redistribution or commercialization without a paid subscription.

Running Tracecat yourself requires meaningful infrastructure: a PostgreSQL database, Redis for caching and OAuth state, an S3-compatible object store (MinIO works for self-hosters), and Temporal for durable orchestration—Temporal itself requires its own deployment or a managed account. The nsjail sandbox requires a Linux host with sufficient kernel capabilities; Docker deployments need seccomp and namespace support enabled. For Kubernetes, the Helm chart is distributed as a private OCI artifact under the PolyForm Shield License and requires an enterprise subscription to access. That means a full production Kubernetes deployment is not available to open-source self-hosters without engaging with the Tracecat team. Docker Compose and AWS Fargate paths are documented in the open repository and are the practical self-hosting options for most teams.

Compared to Tracecat’s managed Cloud offering, self-hosters are responsible for their own high availability, backups, Temporal cluster maintenance, PostgreSQL tuning, and security patch cadence—the project ships releases multiple times per week, so staying current requires operational attention. The managed Cloud adds US and EU hosting options, dedicated support SLAs, automatic upgrades, and access to all enterprise features including fine-grained RBAC, workflow version control with Git sync, and the full human-in-the-loop inbox. Teams that can absorb the operational overhead of a multi-service stack gain full data sovereignty and no per-seat pricing; teams that want a turnkey experience should evaluate the managed Cloud or at minimum plan for the enterprise subscription to unlock the Kubernetes deployment path.

Join founders buildingwith open source

Opinionated takes, migration guides, cost-saving tips, and insights from the open source ecosystem.

Subscribe on Substack

No spam. Unsubscribe anytime.

Join 750+ subscribers
No spam. Unsubscribe anytime.

Search