Tracecat - Open source Tines / Splunk SOAR alternative for security engineers.

Tracecat: The Ultimate Tool for Efficient and Effective Security Management

Tracecat is an open-source platform positioned as an alternative to commercial security orchestration, automation, and response (SOAR) tools such as Tines and Splunk SOAR. Founded in 2023 and headquartered in San Francisco, it was started by Chris Lo and Daryl Lim. The platform is aimed at security engineers and lets them build AI-assisted workflows that automate investigations and incident response. Its stated goals are to reduce analyst burnout and to cut mean time to respond (MTTR) to security threats.

The founders started Tracecat in response to the growing volume and complexity of alerts that security teams must triage. Traditional SOAR tools are powerful but often come with high licensing costs, proprietary lock-in, and a steep learning curve. Tracecat addresses these pain points with a flexible, open-source alternative that security engineers can customize and extend without being constrained by proprietary software.

Who Are the Founders Behind Tracecat?

Tracecat was founded by Chris Lo and Daryl Lim. Chris Lo, the CEO, has a background in data and machine learning engineering, having previously worked at PwC, and is the creator of functime, an open-source time-series forecasting project.

Daryl Lim, the CTO, previously worked as a software engineer at Meta, Maven Securities, and AMD/Xilinx. He holds a degree in Electrical Engineering and Computer Science (EECS) from Imperial College London.

How Does Tracecat Serve Security Engineers?

Tracecat is built for security engineers. It positions itself as an open-source alternative to traditional SOAR tools, covering AI-assisted workflows, tool orchestration, and case management in one platform. Engineers can use it to automate tasks ranging from routine alert triage to multi-step incident response.

Tracecat supports both code and no-code approaches. Engineers who prefer code can customize workflows and write integrations in Python; those who prefer not to code can use the click-and-drag workflow builder. Both produce the same kind of workflow, so a team can mix the two according to who is maintaining a given playbook.

What Features Does Tracecat Offer?

Tracecat's main features, as the project describes them:

  • Click-and-Drag Workflow Builder: automate security operations from pre-built actions such as API calls, webhooks, data transformations, and AI tasks, without writing code.
  • Built-in Case Management System: open, track, and manage security incidents directly from workflows, so an alert that warrants investigation becomes a case in the same platform that processed it.
  • Unlimited Workflows: create and trigger any number of workflows, each run either in response to a specific alert or on a schedule.
  • Collaboration and Tenant Management (planned): multiple users editing workflows and managing cases together, with sensitive data and credentials isolated between tenants.
  • Alert Monitoring and SLO Tracking: automated tracking of alert trends, including the number of alerts processed and cases resolved, measured against service-level objectives such as time to respond, so a team can see whether its response targets are being met.
  • Pre-built Integrations: a set of integrations common to security operations (SecOps) teams, plus a Python SDK for building custom integrations and sharing them with the open-source community.
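As an added illustration, here is the shape of such a workflow written in plain Python. This is not Tracecat's code or its SDK; every name in it (the HMAC webhook secret, the THREAT_INTEL table, the Case class, the sample alerts) is constructed for the example. It strings together the pre-built action types the list mentions (webhook intake, data transformation, enrichment against an external lookup, case creation) and computes the two numbers SLO tracking needs, MTTR and SLO breaches, so the reader can see what each box in a workflow builder actually has to do.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical shared secret for authenticating inbound webhook deliveries (constructed).
WEBHOOK_SECRET = b"constructed-demo-secret"
# Constructed stand-in for an external threat-intelligence feed, keyed by source IP.
THREAT_INTEL = {
    "198.51.100.23": {"verdict": "malicious", "tags": ["c2", "cobalt-strike"]},
    "203.0.113.9": {"verdict": "suspicious", "tags": ["scanner"]},
}

@dataclass
class Case:
    case_id: str
    title: str
    severity: str
    opened_at: datetime
    closed_at: Optional[datetime] = None
    notes: list = field(default_factory=list)

def sign(body: bytes) -> str:
    """What the alert source computes: HMAC-SHA256 over the raw request body."""
    return hmac.new(WEBHOOK_SECRET, body, hashlib.sha256).hexdigest()

def verify_webhook(body: bytes, signature_hex: str) -> bool:
    """Constant-time comparison so a forged delivery can never trigger an action."""
    return hmac.compare_digest(sign(body), signature_hex)

def transform(raw: dict) -> dict:
    """Transformation step: normalize a vendor alert into the fields later steps expect."""
    return {"source": raw.get("vendor", "unknown"), "src_ip": raw["src"],
            "user": raw.get("user", "").lower(), "rule": raw["rule"],
            "received_at": datetime.fromisoformat(raw["ts"])}

def enrich(alert: dict) -> dict:
    """Enrichment step: attach the threat-intel verdict; unknown indicators stay 'unknown'."""
    intel = THREAT_INTEL.get(alert["src_ip"], {"verdict": "unknown", "tags": []})
    return {**alert, "verdict": intel["verdict"], "tags": intel["tags"]}

def decide_severity(alert: dict) -> str:
    return {"malicious": "high", "suspicious": "medium"}.get(alert["verdict"], "low")

def run_workflow(raw_body: bytes, signature_hex: str, case_store: dict) -> Optional[Case]:
    """Webhook -> verify -> transform -> enrich -> open case. Returns the case, or None."""
    if not verify_webhook(raw_body, signature_hex):
        return None  # unauthenticated delivery: drop it before any action runs
    alert = enrich(transform(json.loads(raw_body)))
    severity = decide_severity(alert)
    if severity == "low":
        return None  # nothing to investigate; still counts as a processed alert
    case_id = f"CASE-{len(case_store) + 1:04d}"
    case = Case(case_id, f"{alert['rule']} from {alert['src_ip']}", severity, alert["received_at"])
    case.notes.append(f"TI verdict={alert['verdict']} tags={','.join(alert['tags'])}")
    case_store[case_id] = case
    return case

def mttr(case_store: dict) -> Optional[timedelta]:
    """Mean time to respond over closed cases (None until something has been closed)."""
    closed = [c for c in case_store.values() if c.closed_at is not None]
    if not closed:
        return None
    return sum((c.closed_at - c.opened_at for c in closed), timedelta()) / len(closed)

def slo_breaches(case_store: dict, target: timedelta, now: datetime) -> list:
    """Case IDs whose open time (closed or still running) exceeded the SLO target."""
    return [cid for cid, c in case_store.items() if (c.closed_at or now) - c.opened_at > target]

def demo() -> dict:
    """Run constructed alerts through the workflow and report the tracked metrics."""
    store: dict = {}
    alerts = [  # constructed sample alerts from a fictional EDR
        {"vendor": "edr", "src": "198.51.100.23", "user": "Alice", "rule": "Outbound beacon",
         "ts": "2024-05-01T10:00:00+00:00"},
        {"vendor": "edr", "src": "192.0.2.5", "rule": "Port scan", "ts": "2024-05-01T10:05:00+00:00"},
    ]
    opened = 0
    for a in alerts:
        body = json.dumps(a).encode()
        if run_workflow(body, sign(body), store) is not None:
            opened += 1
    # A replay of the malicious alert with a bad signature must be dropped, not turned into a case.
    forged = json.dumps(alerts[0]).encode()
    rejected = 1 if run_workflow(forged, "00" * 32, store) is None else 0
    store["CASE-0001"].closed_at = datetime(2024, 5, 1, 10, 45, tzinfo=timezone.utc)
    now = datetime(2024, 5, 1, 11, 0, tzinfo=timezone.utc)
    avg = mttr(store)
    return {"alerts_processed": len(alerts), "cases_opened": opened, "forged_rejected": rejected,
            "mttr_minutes": avg.total_seconds() / 60 if avg else None,
            "slo_breaches": slo_breaches(store, timedelta(minutes=30), now)}
```

Two points from this example carry over to any SOAR deployment: verify the webhook signature before any action runs, because an unauthenticated webhook lets anyone inject alerts and, with response actions downstream, steer containment at hosts of their choosing; and derive severity from the enrichment verdict rather than letting the verdict itself trigger containment, so a bad threat-intel entry produces a case for a human rather than an automated action.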

What Makes Tracecat’s AI Special?

Tracecat uses AI models to label, summarize, and enrich alerts. The context comes from two sources: internal evidence (the alert itself and related telemetry the workflow has gathered) and external threat intelligence. The aim is that an alert reaches the analyst already contextualized rather than as a raw event, which shortens the investigation step that usually dominates response time.

Tracecat's AI models are open-source, so users can inspect them, contribute to them, and see how they are built and prompted. That reduces the black-box problem of proprietary AI features, but it does not make a model's output a verified fact: a practitioner would treat an AI label or summary as advisory input to the workflow and gate any destructive response action (isolating a host, disabling an account) behind a deterministic check or a human approval rather than an AI verdict alone.

How Does Tracecat Handle Workflow Customization?

Tracecat supports both configuration-as-code and no-code approaches to building workflows, so the same platform can serve engineers who want their playbooks in version control and analysts who want a visual editor.

For users who prefer code, Tracecat provides customization in Python, which allows tailored workflows and integrations. Because workflows are expressed as configuration, they can be stored in version control, reviewed in pull requests, diffed between environments, and reproduced exactly, the same practices applied to application code and infrastructure definitions.

For users who prefer not to code, the click-and-drag builder offers a way to assemble workflows from pre-built actions without programming. Offering both paths means one team can build and maintain workflows according to each member's skills.

What is the Licensing Model of Tracecat?

Tracecat is licensed under AGPL-3.0, which the project describes as an open vision, open community, and open development. Users can freely use, modify, and distribute the platform, and the full source code is available for review and contribution.

One practical point about the license: the AGPL differs from the ordinary GPL in its network clause. An organization that modifies Tracecat and makes the modified version available to users over a network (for example, as a managed service for other organizations) must offer those users the corresponding modified source. Teams that intend to build a commercial service on top of Tracecat should have the license reviewed before doing so; for self-hosted internal use this obligation is rarely an issue, and the open source code is what lets a security team audit the tool that holds its credentials and response playbooks.

How Can Users Get Started with Tracecat?

Getting started is straightforward. Users can run Tracecat for free on their own infrastructure, and the project publishes public playbooks that walk through initial setup and the platform's main features. Self-hosting also means the team owns the operational security of the deployment: patching, protecting the stored integration credentials, and keeping the webhook and API endpoints from being reachable by anyone who should not be able to submit alerts.

Because the platform is free and open-source, teams can evaluate it without an upfront licensing cost, which lowers the barrier to entry for smaller security teams.

What are the Future Plans for Tracecat?

Tracecat's roadmap includes collaboration features and tenant management. Collaboration will let multiple users edit workflows and manage cases together. Tenant management will isolate sensitive data and credentials between tenants, so one team's integration secrets and case data are not visible to another team sharing the same deployment.

Tracecat also plans to expand its integrations to cover more of the tools SecOps teams use, and to continue developing its AI capabilities with new models and techniques.

Why Should Security Teams Consider Tracecat?

Security teams have several reasons to evaluate Tracecat. It offers a flexible platform for automating and managing security operations, and its open-source nature gives users full control over the platform and the ability to customize it.

Its focus on reducing burnout and improving response times targets two of the most pressing problems in security operations. Automating routine tasks and providing AI-assisted workflows frees engineers to spend time on investigation and on improving detections rather than on repetitive triage.

The click-and-drag workflow builder, built-in case management, unlimited workflows, and pre-built integrations make it a capable tool for security operations today, and the planned collaboration and tenant management features will allow teams to share a deployment safely.

Finally, Tracecat's transparency, community-driven development, and open-source licensing let users audit the platform and participate in its improvement.

In short, Tracecat is an open-source platform for security automation that combines a flexible code and no-code approach, AI-assisted enrichment, and open development. Security engineers and teams looking for a customizable, self-hosted, community-driven SOAR option should consider it.