Tracecat is an open-source automation platform designed for security and IT engineers who need to orchestrate complex, event-driven responses without writing code. Built with Python, FastAPI, and TemporalIO, it provides a visual workflow editor alongside YAML-based templates for integrations. The platform unifies case management, lookup tables, and automation workflows into a single system, enabling teams to automate repetitive tasks like alert triage, user provisioning, and incident response. Tracecat is ideal for teams seeking to reduce mean time to respond (MTTR) while maintaining full control over their infrastructure through self-hosted deployment options.
Unlike generic automation tools, Tracecat is purpose-built for incident response and operational workflows. Its registry of pre-built templates (e.g., ‘list_alerts’, ‘list_cases’) ensures consistency across integrations, while its AGPL-3.0 license guarantees open access to core functionality. Enterprise features are gated behind a proprietary module, but critical security capabilities like SSO, audit logs, and IaC deployments remain free and open.
What You Get
- YAML-based integration templates - Pre-built, reusable automation templates (e.g., ‘list_alerts’, ‘list_users’) with consistent input naming for seamless integration across tools like SIEMs, ticketing systems, and cloud providers.
- No-code workflow builder - Drag-and-drop visual editor to design multi-step automation workflows without writing code, with real-time preview and execution tracing.
- Built-in case management - Track and manage security incidents with linked workflows, notes, assignees, and status tracking directly within the platform.
- Lookup tables - Centralized data stores for dynamic values (e.g., IP allowlists, user roles) that can be referenced across workflows to reduce duplication and improve consistency.
- TemporalIO orchestration - Production-grade workflow execution with built-in retry, timeout handling, and durable state management for mission-critical automation.
- Self-hosted deployment options - Deploy Tracecat via Docker Compose for local testing or AWS Fargate with Terraform for production environments, with Kubernetes support coming soon.
- Open source templates library - Community-contributed integration templates in GitHub, enabling reuse and extension of common security and IT workflows.
Common Use Cases
- Building a SOC playbook for alert triage - Automate the ingestion of alerts from Splunk or CrowdStrike into Tracecat, enrich them with data from Okta and Slack, assign to on-call engineers via Jira tickets, and log case details—all without writing custom code.
- Automating user offboarding across 10+ SaaS tools - Trigger a workflow when an employee is deactivated in HRIS, which then disables their access across Okta, AWS, GitHub, and Slack using pre-built templates with consistent parameters.
- Reducing manual incident response delays - When a phishing alert is detected, security teams otherwise manually check email logs, block IPs, and notify stakeholders. Tracecat automates this: alert → enrich with DNS/IP reputation → block in firewall via API → create case in Jira → notify Slack channel.
- DevSecOps teams managing cloud-native infrastructure - Use Tracecat to automate infrastructure health checks, trigger rollbacks on failed deployments via CI/CD hooks, and auto-generate runbooks with linked workflow outputs, all self-hosted for compliance.
Under The Hood
Tracecat is a Python-based AI automation platform designed for developers seeking flexible, extensible workflow solutions. It combines a monorepo structure with modular architecture to support enterprise-grade automation, integrating backend services, frontend UIs, and registry-driven actions in a cohesive system.
Architecture
Tracecat follows a layered and modular architecture that enables scalable development and clear separation of concerns.
- The system uses a service-oriented structure with distinct modules for API, database, authentication, and registry functions.
- It implements a microservices-like design within a monorepo, organizing components into shared and isolated packages.
- Dependency injection and configuration via pyproject.toml support flexible and maintainable component interactions.
Tech Stack
The platform leverages modern Python and web technologies to deliver a robust automation environment.
- Built with Python 3.12, FastAPI for backend APIs, and SQLAlchemy for database operations.
- Integrates with Temporal.io for workflow orchestration, Redis for caching, and Postgres for data persistence.
- Frontend is developed using Next.js, React, and TypeScript to provide a responsive and type-safe UI.
- Uses uv for dependency management, Docker for containerization, and Ruff for linting and code quality.
Code Quality
Tracecat maintains a balanced level of code quality with strong testing practices and structured error handling.
- Extensive test coverage is present, particularly in frontend components and utility functions.
- Error handling is consistently applied across modules with varied patterns such as try/catch and explicit exceptions.
- Code linting and CI/CD pipelines are configured to support maintainability and consistency.
What Makes It Unique
Tracecat distinguishes itself through its registry-driven automation engine and enterprise-focused features.
- A modular workflow engine allows dynamic extension and versioning of automation components through a registry system.
- Built-in support for OAuth and SAML integrations provides flexible authentication options for enterprise users.
- Strong emphasis on organization-level access control and audit trails ensures compliance in automation workflows.
- The frontend uses TypeScript and React to enable real-time editing and interactive UIs for developers.