Hi HN, we are building Tracecat (https://tracecat.com/), an open source automation platform for security alerts. Tracecat automates the tasks a security analyst has to do when responding to a security alert: e.g. contact victims, investigate security logs, report vulnerabilities.
The average security analyst deals with 100 alerts per day. As soon as an alert comes in, you have to investigate and respond. An average alert takes ~30 minutes to analyze (and 100 x 30 min = 50 hours > one whole day). Lots of things get dropped, and this creates vulnerabilities. Many breaches can be traced back to week-old alerts that didn’t get properly investigated.
Since the risks and costs are so high, top security teams currently pay Splunk SOAR $100,000/year to help automate alert processing. It’s a click-and-drag workflow builder with webhooks, REST API integrations, and JSON processors. A security engineer would use it to build alert automations that look like this: (1) webhook to receive alert (e.g. unusual PowerShell cmd) from Microsoft Defender; (2) send yes/no Slackbot to ask employee about the alert; (3) if confirmed as suspicious, send malware sample to VirusTotal for report; (4) collect evidence from previous steps and dump it into a ticket.
If $100k a year seems wildly expensive for a Zapier-like platform, you’d be half right. Splunk SOAR is actually a Zapier + log search + Jira ticketing system.
Log storage—that’s how Splunk turns a $99/month workflow automation tool into a pricey enterprise product. Every piece of evidence collected (e.g. Slackbot response, malware report, GeoIP enrichment) and every past workflow trail has to be searchable by a human incident responder or auditor. Security teams need to know why every alert escalated to a SEV1 or not.
My cofounder and I are data engineers who fell into this space. We heard our security friends constantly complain about being priced out of a SOAR (security orchestration, automation, and response platform) like Splunk SOAR.
We both wrote a lot of event-driven code at school (Master’s thesis) and work (Meta / PwC). We’re also early adopters of Quickwit / Tantivy, an OSS alternative to Elasticsearch / Apache Lucene that is cheaper and faster. It didn’t seem that difficult to build a cheaper open source SOAR, so we decided to do it.
Tracecat is also different as it can run in a single VM / laptop. Splunk SOAR and Tines are built for Fortune 10 needs, which means expensive Kubernetes clusters. Most security teams don’t need that scale, but are forced to pay the K8s “premium” (high complexity, hard to maintain). Tracecat uses OSS embedded databases (SQLite) and an event processing engine we built using Python 3.12 asyncio.
So far, we’ve just got a bare-bones alpha, but you can already do quite a few things with it, e.g. trigger event-driven workflows from webhooks; use REST API integrations; parse responses using JSONPath; control flow using conditional blocks; store logs cheaply in Tantivy; open cases directly from workflows; prioritize and manage cases in a Jira-like table.
Tracecat uses Pydantic V2 for fast input / output validation and Zod for fast form validation. We care a lot about data quality! It’s also Apache-2.0 licensed so anyone can self-host the platform.
On our roadmap: integrations with popular security tools (CrowdStrike, Microsoft Defender); pre-built workflows (e.g. investigating phishing email); better docs; more AI features like auto-labeling tickets, extracting data from unstructured text, etc.
We’re still early so would love your feedback and opinions. Feel free to try us out or share it with your security friends. We have a cloud version up and running: https://platform.tracecat.com.
Dear HN readers, we’d love to hear your incident response stories and the software you use (or not) to automate the work. Stories from security, site reliability engineering, or even physical systems like critical infrastructure monitoring are all very welcome!
Edit: Keep in mind, the folks who operate this are typically not engineers. They are security analysts and other non-dev infosec/cybersec stakeholders. Refer to how Palo Alto XSOAR uses drag and drop playbooks [1] (somewhat like n8n's workflow builder [2], a Zapier competitor). I recommend building a library of default playbooks that customer SOCs and other detection response consumers of your product can adopt (based on customer product feedback and conversations), like you adapt your business to SAP vs customizing SAP to your business.
[1] https://xsoar.pan.dev/docs/playbooks/playbooks-overview
[2] https://docs.n8n.io/courses/level-one/chapter-4/
(head of infosec in finance, xsoar comes out of my spend)