Tracecat is an AI-native automation platform designed for security teams to build, run, and manage automated workflows triggered by alerts, Slack messages, or other events. It enables analysts to convert natural language prompts into durable, code-native automations that integrate with enterprise tools like Gmail, Slack, SIEMs, and cloud platforms—all while enforcing security by default through sandboxed execution. Built for technical teams, it eliminates the need to juggle multiple tools by unifying agents, workflows, case management, and lookup tables in a single platform.
Technically, Tracecat leverages FastAPI and Pydantic for its backend, Next.js and TypeScript for the frontend, Temporal for durable orchestration, and nsjail for process-level sandboxing of untrusted code. It supports PostgreSQL for data storage and S3-compatible object storage, and can be self-hosted via Docker or Kubernetes. The platform integrates with existing Git repos to sync custom Python scripts as reusable tools and supports SAML/OIDC for enterprise authentication.
What You Get
- Agents - Build custom AI agents with prompts, tools, and chat interfaces using MCP servers, local npx/uvx commands, or remote HTTP/OAuth endpoints.
- Workflows - Create low-code automations with complex control flow including if-conditions, loops, parallel subflows, and Python/Bash/JS script execution powered by Temporal.
- Case Management - Track, assign, and resolve security incidents with rich metadata, timelines, and AI-assisted summaries and recommendations.
- 200+ Integrations - Connect to enterprise tools via HTTP, OAuth, SMTP, gRPC, and more—including Gmail, Slack, SIEMs, IAM systems, and cloud platforms.
- Sandboxed Execution - All agents and tools run in nsjail or PID sandboxes to isolate untrusted code and protect secrets and infrastructure.
- Custom Python Registry - Turn your existing Git-hosted Python scripts into reusable workflow steps and agent tools without rewriting them.
- Lookup Tables - Store and query structured data (e.g., IP allowlists, user mappings) to inform workflow decisions dynamically.
- Human-in-the-Loop - Require manual approval for sensitive actions via unified inbox, Slack, or email before execution.
- Workflow Version Control - Sync workflows to GitHub, GitLab, or Bitbucket for CI/CD and auditability.
- Audit Logs & SIEM Export - Export all workflow and agent actions to your existing security monitoring systems for compliance.
- SAML/OIDC & RBAC/ABAC - Enforce enterprise-grade access control for users and agents with role-based and attribute-based policies.
Common Use Cases
- Automating phishing incident response - A SOC analyst uses Tracecat to auto-isolate compromised Gmail accounts and trigger mailbox audits when a Slack alert detects a phishing email with a Tor exit IP.
- Remediating SaaS configuration drift - A cloud security engineer deploys a workflow that detects IAM policy changes, runs an AI agent to assess risk, and isolates affected accounts with human approval before action.
- Handling IT service requests at scale - An IT team automates account provisioning and deprovisioning by connecting Slack requests to Active Directory and Gmail APIs via pre-built connectors and lookup tables.
- Generating incident timelines and containment plans - A threat hunter uses the Case Copilot to auto-generate a timeline from alert data and recommend containment steps based on indicators of compromise (IOCs).
Under The Hood
Architecture
- Modular monorepo structure with clear separation between API, workflow engine, and integration providers, enforcing single-responsibility principles
- Dependency injection via FastAPI decouples HTTP routing from business logic, enabling testable and maintainable service layers
- Event-driven orchestration using Temporal with serialized Python workflow definitions executed in isolated sandboxes via nsjail for security
- Secure execution environments built with layered Docker stages and minimal runtime rootfs to limit attack surface
- Configuration-driven environment isolation through environment variables and feature flags, allowing dynamic behavior changes without code modifications
- Comprehensive CI/CD pipeline with Caddy, MinIO, Redis, and PostgreSQL orchestrated via docker-compose with health checks and versioned migrations
Tech Stack
- Python 3.12 backend powered by FastAPI and Starlette with SQLAlchemy 2.0 and asyncpg for high-performance async database operations
- Alembic with PostgreSQL-specific enum support for robust schema migrations
- Temporal.io for distributed workflow orchestration and task execution
- MinIO as S3-compatible storage with presigned URL generation for secure asset access
- Redis with hiredis for high-throughput caching and pub/sub messaging
- Multi-stage Docker builds leveraging uv for dependency management, nsjail for sandboxing, and Caddy as reverse proxy and TLS terminator
Code Quality
- Extensive test coverage across unit, integration, and edge-case scenarios with comprehensive mocking and fixture-based state management
- Strong type safety enforced through Pydantic models, strict annotations, and runtime validation for secrets, actions, and workflow definitions
- Robust error handling with structured logging, custom exception contexts, and defensive patterns for external system interactions
- Clear separation of concerns with well-defined service layers and domain-driven design, isolating DSL definitions, executors, and webhook handlers
- Consistent naming conventions and modular organization that enhance readability and maintainability
- Automated linting and test pipelines with domain-focused test organization and reusable fixtures
What Makes It Unique
- Native Git-based workflow registries enable version-controlled, self-hosted automation without reliance on proprietary marketplaces
- Dynamic, type-safe action menus with reusable components eliminate boilerplate and ensure UI consistency across diverse data types
- Zod-based form validation with real-time Git SSH validation and domain allowlisting creates a secure, developer-centric configuration experience
- Custom Tiptap editor extensions with semantic color highlighting provide intuitive visual feedback for structured case data during incident triage
- Unified case management system that tightly couples incident response with workflow automation through programmatic status and routing controls