
Open source SOAR for AI-native security teams
By Tanmay Verma, Founder · Last verified 03 Jun 2026
In short
Tracecat: open source SOAR for AI-native security teams. Best for: AI-native security teams wanting to automate triage and response with custom agents; teams replacing legacy SOAR with open, flexible automation; and security engineers building custom workflows for cloud alert enrichment and endpoint isolation. Free to use.
Affiliate disclosure: We earn a commission when you use our links. Editorial picks are independent.
If you're tired of rigid legacy SOAR and want an open, agent-driven approach to security automation, Tracecat is a compelling choice. Its MCP-native architecture and human-in-the-loop design stand out, but it's still early-stage, and enterprise support requires their paid plan.
Tracecat enters the SOAR market with a fresh, agent-first philosophy. Instead of static workflows, you build AI agents that can triage alerts, correlate data, and propose actions, all with human approval gates. This is ideal for teams that want to scale without hiring more analysts.
When to pick this: You're a security team that already uses modern stacks (CrowdStrike, Wiz, Sentinel, etc.) and wants to automate cloud alert enrichment, phishing triage, endpoint isolation, or OAuth app reviews. The open-source model means no vendor lock-in, and the MCP server integration list is impressive for an early product.
When to pass: If you need a mature, battle-tested SOAR with hundreds of pre-built playbooks, Tracecat is still building its community content. Also, the self-hosted version may require significant DevOps effort. If you lack in-house automation skills, you'll likely need the Enterprise plan with the forward-deployed engineer.
Comparison to Splunk SOAR or Palo Alto XSOAR: Tracecat is lighter, more developer-friendly, and AI-native. But it doesn't have the same breadth of integrations or regulatory compliance certifications (yet). It's a bet on where SOAR is going, not where it's been.
Real-world caveats: The website shows a polished demo, but actual deployment at scale is unproven. The "AI-native" claim depends on model quality and your data. Human-in-the-loop is great for safety, but could slow fully automated scenarios. Community support for open source is a plus, but enterprise SLAs require the paid tier.
Skip Tracecat if you need a fully managed cloud SOAR with no DevOps overhead or if your team isn't ready to embrace AI-native automation.
Across the latest 5 updates: 3 launches, 1 community discussion and 1 news mention.
Discussion on Hacker News about supply chain issues and dependency management.
Tracecast launches open-source tool for building generative data apps using Marimo.
Research paper on normalizing trajectory models published on arXiv.
New writing app Truly Typed launched for AI-assisted writing.
Traceway offers a self-hosted observability stack with MIT license.
Tracecat is an open source security automation platform designed for AI-native security teams. It enables teams to build agents, automate workflows, and triage alerts across their entire security stack. Tracecat replaces legacy SOAR with a modern, agent-driven approach that lets a team of 5 do the work of 50. Key features include a visual workflow builder with limitless control flow (loops, if-conditions, parallel subflows, and scripts), pre-built MCP servers for over 100 integrations, and human-in-the-loop agents with explicit tool approvals. The platform also provides a cases module for tracking investigations alongside AI agents that collect evidence, summarize findings, and prepare next actions. Tracecat supports hosted MCP servers to connect AI security agents to SIEM, EDR, MDM, CSPM, and more. The Enterprise plan includes a dedicated forward-deployed security engineer who helps connect tools and build custom agents over the first 3 weeks. With open source at its core, Tracecat gives teams full control and customization over their security automation. Unlike traditional SOAR solutions that rely on static playbooks, Tracecat empowers security teams to build custom agents that adapt to their specific alert queues and runbooks, offering a more flexible and scalable approach to security operations.
Concrete scenarios for the personas Tracecat actually fits — and what changes day-one when you adopt it.
A Wiz cloud finding triggers a webhook. The SOC analyst agent enriches it with CrowdStrike Falcon EDR and CloudTrail logs, then proposes host isolation via Falcon. The analyst approves the action, and the endpoint is quarantined.
Outcome: Alert triaged and contained in minutes with minimal manual effort, evidence collated automatically.
A scheduled workflow (May 2026) runs weekly to review OAuth grants in Google Workspace and Azure AD. It uses scatter-for loops to split grants by user, checks risk level, and flags high-risk scopes for human approval before revocation.
Outcome: Automated OAuth hygiene reduces attack surface without manual review of hundreds of apps.
A critical npm package vulnerability (Shai-Hulud worm) hits. The incident response agent pulls affected repos from GitHub, correlates with Falcon EDR for endpoint exposure, and drafts a runbook with containment steps, all in parallel subflows.
Outcome: Full incident scope assessed in ~10 minutes, containment actions proposed for rapid response.
Open-source tier is self-managed (Docker/AWS Fargate) and lacks advanced agents, skills registry, RBAC, and SCIM. Enterprise features like AI-powered dashboards are still 'coming soon.' You must bring your own LLM API keys, adding cost. Self-hosting complexity may deter non-DevOps teams.
Project the real annual outlay, including the implied monthly cost when only an annual tier is published.
Vendor list price only. Add-on usage, seat overages, and contract minimums are surfaced under Hidden costs & gotchas.
For each published Tracecat tier: who it actually fits, and what it adds vs. the previous tier. Cross-reference the cost calculator above for projected annual outlay.
Open Source: $0/mo (self-hosted)
Ideal for: Solo security engineers or small SOC teams comfortable with self-hosting and needing unlimited automations without upfront costs.
What this tier adds: Starting tier, free forever with unlimited workflows and cases, but no advanced agents, RBAC, or enterprise support.
Enterprise: Custom (based on monthly executions)
Ideal for: Growing SOC teams requiring RBAC, SCIM, Kubernetes, and dedicated support; scales with monthly execution volume.
What this tier adds: Advanced agents, guardrails, skills registry, Git sync, and 24/7 support over the open-source tier.
The company stage and team size where Tracecat's pricing actually pencils out — and where peers do it cheaper.
Tracecat's open-source tier is free with unlimited workflows — a generous entry point for small-to-mid teams. Enterprise pricing is custom, but avoids per-seat licensing common in Splunk SOAR or Palo Alto XSOAR. For cost-sensitive startups, the open-source version is hard to beat. Larger organizations may find enterprise pricing opaque.
How long it actually takes to get something useful out of Tracecat — broken out by persona, not the marketing-page minute.
For a SOC analyst, deploying Tracecat via Docker can take ~1 hour. Building your first workflow (e.g., Wiz triage) may take 2-4 hours including connecting MCP integrations. Experienced users can get value within a day.
© 2026 RightAIChoice. All rights reserved.
Last calculated: May 2026
Open-source security automation platform for teams and AI agents - TracecatHQ/tracecat