// the find
TracecatHQ/tracecat
Open-source security automation platform for teams and AI agents
Tracecat is a security automation platform — think n8n but built specifically for SOC teams, with native case management, AI agents, and Temporal under the hood for durable workflow execution. The target is security teams that want to automate alert triage, incident response, and repetitive SecOps work without building it all from scratch.
Temporal as the workflow engine is a genuinely good call — you get durable execution, retries, and visibility without rolling your own state machine. The nsjail sandboxing for untrusted code is the right approach for a security product running customer scripts. The integration catalog (100+ connectors covering HTTP, SMTP, gRPC, OAuth) is broad enough to be useful out of the box rather than leaving you to wire everything yourself. The AGPL license with no SSO tax on the core tier is a practical choice that avoids the trap other open-source security tools fall into.
The open-core split puts some of the most operationally critical features — human-in-the-loop approvals, fine-grained RBAC, and workspace version control — behind the Enterprise paywall, so what looks free quickly becomes a conversation with sales once you're running real incident response workflows. The schema churn is visible: 100+ Alembic migrations with names like 'cleanup', 'migrate', and 'remove' suggest the data model has been rethought several times, which is a risk if you're betting production workflows on it. Self-hosting requires Temporal, which adds meaningful operational overhead that the README undersells. Documentation quality varies — the MDX files exist, but anything past basic setup will send you to Discord.