An open API service indexing awesome lists of open source software.

https://github.com/TracecatHQ/tracecat

The open source Tines / Splunk SOAR alternative for security and IT engineers. Built on simple YAML templates for integrations and response-as-code.
automation cybersecurity event-driven fastapi incident-response llm low-code monitoring nextjs openapi orchestration pydantic security temporalio workflow-engine

The workflow automation platform for security and IT response engineering.

![Commits](https://img.shields.io/github/commit-activity/m/TracecatHQ/tracecat?style=for-the-badge&logo=github)
![License](https://img.shields.io/badge/License-AGPL%203.0-blue?style=for-the-badge&logo=agpl)
[![Discord](https://img.shields.io/discord/1212548097624903681.svg?style=for-the-badge&logo=discord&logoColor=white)](https://discord.gg/H4XZwsYzY4)


[Tracecat](https://tracecat.com) is a modern, open source workflow automation platform built for security and IT engineers. Simple YAML-based templates for integrations with a no-code UI for workflows.
Executed using Temporal for scale and reliability.

We're on a mission to make security and IT automation more accessible through **response-as-code**. What Sigma rules did for detection, YARA did for malware research, and Nuclei did for vulnerabilities, Tracecat is doing for response automation.

## Getting Started

> [!IMPORTANT]
> Tracecat is in active development. Expect breaking changes with releases. Review the release [changelog](https://github.com/TracecatHQ/tracecat/releases) before updating.

### Run Tracecat locally

Deploy a local Tracecat stack using Docker Compose. View full instructions [here](https://docs.tracecat.com/self-hosting/deployment-options/docker-compose).

```bash
# Download Tracecat and enter the repository root
git clone https://github.com/TracecatHQ/tracecat.git
cd tracecat

# Generate .env file
./env.sh

# Run Tracecat
docker compose up -d
```

Go to [http://localhost](http://localhost) to access the UI. Sign up with your email and password (min 12 characters). The first user to sign up and log in will be the superadmin for the instance. The API docs are accessible at [http://localhost/api/docs](http://localhost/api/docs).

### Run Tracecat on AWS Fargate

**For advanced users:** deploy a production-ready Tracecat stack on AWS Fargate using Terraform. View full instructions [here](https://docs.tracecat.com/self-hosting/deployment-options/aws-ecs).

```bash
# Download Terraform files
git clone https://github.com/TracecatHQ/tracecat.git
cd tracecat/deployments/aws

# Create and add encryption keys to AWS Secrets Manager
./scripts/create-aws-secrets.sh

# Run Terraform to deploy Tracecat
terraform init
terraform apply
```

### Run Tracecat on Kubernetes

Coming soon.

## Community

Have questions? Feedback? New integration ideas? Come hang out with us in the [Tracecat Community Discord](https://discord.gg/H4XZwsYzY4).

## Tracecat Registry

![Tracecat Registry](img/tracecat-template.svg)

Tracecat Registry is a collection of integration and response-as-code templates.
Response actions are organized into [MITRE D3FEND](https://d3fend.mitre.org/) categories (`detect`, `isolate`, `evict`, `restore`, `harden`, `model`) and Tracecat's own ontology of capabilities (e.g. `list_alerts`, `list_cases`, `list_users`). Template inputs (e.g. `start_time`, `end_time`) are normalized to fit the [Open Cyber Security Schema (OCSF)](https://schema.ocsf.io/) ontology where possible.

The future of response automation should be self-serve, where teams rapidly link common capabilities (e.g. `list_alerts` -> `enrich_ip_address` -> `block_ip_address`) into workflows.

**Examples**

Visit our documentation on Tracecat Registry for use cases and ideas.
Or check out existing open source templates in [our repo](https://github.com/TracecatHQ/tracecat/tree/main/registry/tracecat_registry/templates).

## Open Source vs Enterprise

This repo is available under the AGPL-3.0 license with the exception of the `ee` directory. The `ee` directory contains paid enterprise features requiring a Tracecat Enterprise license.

Tracecat Enterprise builds on top of Tracecat OSS, optimized for mixed ETL and network workloads at enterprise scale.
Powered by serverless workflow execution (AWS Lambda and Knative) and S3-compatible object storage.

*If you are interested in Tracecat's Enterprise self-hosted or managed Cloud offering, check out [our website](https://tracecat.com) or [book a meeting with us](https://cal.com/team/tracecat).*

## Security

SSO, audit logs, and IaaC deployments (Terraform, Kubernetes / Helm) will always be free and available. We're working on a comprehensive list of Tracecat's threat model, security features, and hardening recommendations. For immediate answers to these questions, please reach out to us on [Discord](https://discord.gg/H4XZwsYzY4).

Please report any security issues to [[email protected]](mailto:[email protected]) and include `tracecat` in the subject line.

## Contributors

Thank you to all our amazing contributors for contributing code, integrations, and support. Open source is only possible because of you. ❤️






**`Tracecat`** is distributed under [**AGPL-3.0**](https://github.com/TracecatHQ/tracecat/blob/main/LICENSE)