Open source security automation platform for teams and AI agents

Tracecat helps AI-native security teams build agents and automate work.

Example task: Triage Wiz cloud finding

• Trigger: Wiz alert (wiz.finding.created)
• Agent: SOC analyst agent (Wiz MCP · Falcon MCP)
• Action: Isolate host (falcon.isolate_host)

Triage this Wiz finding: privilege escalation on a prod IAM role.

• Pull associated assets and CloudTrail context via Wiz MCP

• Correlate with EDR telemetry from Falcon MCP

I can route this through the SOC analyst agent — it will tune the finding into an actionable case, correlate EDR telemetry, and propose containment.

Yes — open a case and prepare containment.

Wiz (MCP connected)
CrowdStrike Falcon (MCP connected)

Found Isolate host in Falcon. It will quarantine the endpoint and revoke active session tokens while you review.

Trigger: Wiz finding ingested
SOC analyst agent: enrich and classify
Isolate host on approval

Ready to run Isolate host on i-0a7f…. Approve to proceed.

Trusted by security builders replacing legacy SOAR

Turn ideas into secure agentic workflows through chat.

Learn about Automations Copilot in Tracecat →
Enterprise connectors

200+ integrations across SIEM, EDR, CNAPP, and IdP — Splunk, Sentinel, Falcon, Wiz, Okta, Google Workspace, Entra.

Agentic integrations

MCP-native: Wiz, Falcon, Splunk, Sentinel, GitHub API, and any LLM. All sandboxed.

Limitless control flow

Run loops, if-conditions, parallel subflows, and scripts (Python, Bash, Javascript).

Human-in-the-loop agents

Run agents in workflows with explicit tool approvals.

Example workflow: OAuth grant review

• Trigger: New OAuth consent
• Branch: @grant.scope == 'high_risk' / @grant.scope == 'low_risk'
• Scatter: Split by user
• Close alert: Allowlisted app
• For loop: OAuth analyst agent (AI Agent)
• Google Workspace: Revoke Google grant
• Microsoft Entra: Revoke Entra grant
• Slack: Notify owner
• Run subflow: Account quarantine

Work alongside agents built by your team.

Learn about Cases in Tracecat →
Case copilot

Summary drafted from the case description.

Suggested next steps

  • Pin clean versions across 7 affected repos
  • Rotate npm and GitHub PAT tokens org-wide
  • Isolate WS-042, WS-118, WS-203 via Falcon
Can you draft a containment runbook and notify the affected repo owners?

I can draft a containment runbook and pre-fill actions from the IOC list — token rotation, endpoint isolation, and repo owner notifications.


Build your security workforce with agents.

Learn about Agents in Tracecat →
Build agents with skills

Runbooks / Incident response agent

Incident response agent

Tools: Splunk, Sentinel, Elastic, Wiz (CNAPP), Falcon (EDR), CloudTrail, On-call

Goal

Triage and tune cloud alerts into actionable findings, then draft an IR runbook with containment steps.

Instructions

1. Pull related alerts from SIEM, EDR, and CNAPP.

2. Correlate with CloudTrail and identity logs.

3. Draft an IR runbook with containment and rollback steps.

Use agents to resolve cases
SOC analyst agent · Alert ALT-8742
Falcon flagged a malicious npm post-install on WS-042.
Cross-referencing GitHub advisories — matches Shai-Hulud campaign
WS-042 ran post-install for @ctrl/tinycolor@4.1.2

Looks like Shai-Hulud exposure. Recommend isolating WS-042 in Falcon and auditing the 7 repos that reference @ctrl/tinycolor.

  • Quarantine WS-042 via Falcon
  • Block outbound traffic to known C2 domains
Open a case and rotate our org's npm tokens.

Drafting now. I'll also pull endpoint inventory from MDM to find any other exposed hosts.

  • Create CASE-234967 with full IOC list
  • Rotate npm + GitHub PAT tokens via GitHub API
Give agents data securely

Tables

• alerts: SIEM • detection history (Active)
• endpoint_inventory: EDR • Falcon host inventory (Active)
• cloud_findings: Wiz • CNAPP findings (Active)
• oauth_grants: Identity • consented OAuth apps (Active)

Tracecat is mission ready.

Learn about the Enterprise Edition →
Fine-grained access controls
Open source audit logs
Self-hostable anywhere
Sandboxed by default
SOC2 Type II
SLAs
Reserved compute and autoscaling
Version control for workflows
Bring-your-own-LLMs


Loved by security teams building with AI


Security Engineer @ Depop

Tracecat copilot has changed my life. I can finally create the workflows I've been envisioning and turn ideas into reality. I never had enough time to build and experiment around my other responsibilities. Now I can ask Tracecat copilot to whip something up, then spend my time iterating until it's right.

Senior Security Engineer @ Neo Financial

A genuine thank you to the team. I built an end-to-end IoC enrichment pipeline with Claude and Tracecat MCP and created more value for our SOC in a day than I probably would have in weeks on my own. You're making my one-man SOC assignment possible.

Principal Threat Researcher @ Saronic

Tracecat is a cheat code for corporate security teams that want to build and own their own agentic future.