Tracecat

Released under AGPL-3.0, Tracecat provides a scalable, self-hostable platform for automating security workflows and playbooks without limits on self-hosted...

Security automation for teams who can’t afford Splunk SOAR or Tines — honestly reviewed.

TL;DR

  • What it is: Open-source (AGPL-3.0) security automation platform — think Tines or Splunk SOAR, but self-hosted with AI agents, case management, and workflow orchestration built in [README][3].
  • Who it’s for: Security teams and SOC analysts at small-to-mid-sized companies who need real SOAR capabilities but can’t justify the five-figure contracts that Splunk SOAR or Tines require [3][4].
  • Cost savings: Tines and Splunk SOAR don’t publish pricing because it starts high and climbs fast — six figures annually is common for enterprise deals. Tracecat self-hosted runs on your own infrastructure; the software is free [README].
  • Key strength: Full SOAR stack in one platform — agents, workflows, case management, lookup tables, and 100+ security-specific connectors — with no SSO tax (SAML/OIDC included in the community edition) [README].
  • Key weakness: The AGPL-3.0 license creates complications for companies that want to embed it in a commercial product; the enterprise features that matter most at scale (RBAC, human-in-the-loop approvals, version control sync to GitHub) are gated behind the paid Enterprise Edition; and at 3,530 GitHub stars it’s smaller and less battle-tested than the established SOAR incumbents [README][4].

What is Tracecat

Tracecat is a self-hosted security automation platform built by IndexHub, Inc. [1]. The product positions itself directly against Tines and Splunk SOAR — proprietary SOAR tools that dominate enterprise security budgets — but with open-source code and a self-host-first model [3].

The core idea is that security teams spend enormous amounts of manual time triaging alerts, enriching IOCs, running playbooks, and managing cases — work that is highly repetitive but also sensitive enough that routing it through a third-party SaaS creates data sovereignty problems. Tracecat puts the orchestration layer inside your network [README][3].

What distinguishes it from generic workflow automation tools like n8n or Activepieces:

First, it’s security-domain-specific by design. The 100+ pre-built connectors target enterprise security, IT, and infrastructure tooling — SIEMs, EDR platforms, identity providers, ticketing systems — rather than marketing or CRM tools [README][website].

Second, it runs on Temporal for durable workflow execution. This is a meaningful engineering choice — Temporal handles retries, long-running processes, and failure recovery at the infrastructure level rather than with application-level hacks. For security playbooks that might wait hours for an analyst approval before proceeding, this matters [README].

Third, execution happens inside nsjail sandboxes, which is unusual for self-hosted workflow tools. Untrusted code and agent actions are isolated by default — a real consideration when you’re running Python scripts that touch live security infrastructure [README].

Fourth, it includes a case management system natively. Most workflow tools stop at automation; Tracecat adds a ticket-like system for tracking incidents with timelines, IOCs, severity, and AI-assisted recommendations, so you’re not duct-taping your automation layer to a separate Jira instance [README][website].

The company describes the project as “the AI automation platform built for security teams and agents” [GitHub]. As of this review it sits at 3,530 GitHub stars [merged profile] — meaningful traction for a security-specific tool, though well behind general-purpose automation platforms.


Why people choose it

The market Tracecat is addressing is genuinely underserved. Commercial SOAR platforms — Tines, Splunk SOAR, Palo Alto XSOAR — are priced for enterprise security budgets. A 50-person company with a two-person security team can’t justify a $100K+/year platform contract to automate their Okta alerts and phishing triage.

The aimultiple CISO-authored review [4] lists Tracecat among the top five open-source SOAR tools alongside n8n, StackStorm, Shuffle, and TheHive/Cortex, which gives a rough picture of the competitive landscape. The star counts tell the story: n8n dominates at ~160K stars, but that’s because it’s a general-purpose automation tool that security teams can use — not a SOAR tool. Tracecat, Shuffle, and TheHive are clustered under 20K stars, reflecting the narrower security-specific audience [4].

The kalilinuxtutorials write-up [3], which covered Tracecat during its public alpha, captures why technical security teams are attracted to it: “We’re building the features of Tines / Splunk SOAR with enterprise-grade open source tools.” That’s a direct, honest pitch. The reviewers specifically call out that it’s designed for understaffed small-to-mid-sized teams who need automation but don’t have a dedicated security engineering headcount to build bespoke tooling [3].

Versus n8n for security use cases. n8n is technically capable and vastly more popular, but it’s a general-purpose tool with security use cases bolted on. Tracecat has case management, security-specific connectors, nsjail sandboxing, and analyst-facing UX that n8n doesn’t have natively [4]. If you’re running a SOC and need your automation platform to speak the language of incidents, IOCs, and playbooks rather than “workflows” and “nodes,” Tracecat is a more natural fit.

Versus Shuffle. Shuffle is another open-source SOAR contender and is probably the most direct competitor to Tracecat. Shuffle uses an AGPL license too, has roughly comparable stars, and focuses on no-code security response orchestration. The aimultiple review [4] lists both without declaring a winner — the honest answer is that this is a toss-up depending on your team’s technical sophistication and which connectors you need.

Versus TheHive/Cortex. TheHive is focused on case management and IOC analysis, not workflow automation. Teams often run both TheHive and a separate SOAR. Tracecat’s value proposition is doing both in one platform [4][README].

On the AI angle. Tracecat leans into AI agents harder than most SOAR tools. You can build agents through prompts, connect any MCP server (remote HTTP/OAuth or local via npx/uvx), and have agents participate in cases with explicit tool approval flows [README]. The website demo of an “Incident response agent” that pulls SIEM logs, correlates auth telemetry, and proposes containment steps is a reasonable picture of what the product targets [website]. Whether AI agent quality meets that promise in production is something the available reviews don’t fully validate — the kalilinuxtutorials piece was from the alpha period [3] and the aimultiple review focuses on the SOAR category broadly [4].


Features

Based on the README and website:

Workflow engine:

  • Low-code drag-and-drop builder with complex control flow: if-conditions, loops, parallel subflows [README]
  • Durable execution via Temporal — retries, long-running processes, and failure recovery handled at the infrastructure level [README]
  • HTTP, SMTP, gRPC, OAuth connector support [README]
  • Webhooks and scheduled triggers [README]
  • Custom Python scripts synced from a Git repo and exposed as workflow steps or agent tools [README]
  • Lookup tables for storing and querying structured data across workflows [README]
  • Variables reused across workflows and agents [README]

Agents:

  • Build agents via prompts with tools and chat [README]
  • Any MCP server as a tool source — remote HTTP/OAuth or local via npx/uvx [README]
  • MCP server mode: control Tracecat from your own agent harness [README]
  • Human-in-the-loop: agents can pause and request analyst approval before executing sensitive tool calls [README]

Case management:

  • Native case tracking with status, priority, severity, assignee [website]
  • Timeline and IOC tracking [website]
  • AI case copilot for summaries, containment plans, and stakeholder notifications [website]
  • Linked to automation — workflows can open, update, and close cases automatically [README]

Integrations:

  • 100+ pre-built connectors for security, IT, and infrastructure [README]
  • Website claims “over 200 connectors” [website] — connectors appear to be growing
  • Covers SIEMs, EDR tools, identity providers, ticketing, and cloud infrastructure [website]

Security and compliance:

  • Sandboxed execution with nsjail by default [README]
  • Audit logs exportable to your SIEM [README]
  • SSO included (no SSO tax): SAML/OIDC support in the community edition [README] — this is notable because most self-hosted tools gate SSO behind paid tiers
  • Deployable on Docker, Kubernetes, AWS Fargate [README]

Enterprise Edition (gated, not open source):

  • Fine-grained RBAC, ABAC, OAuth 2.0 scopes for humans and agents [README]
  • Human-in-the-loop inbox with Slack and email approval [README]
  • Workflow version control synced to GitHub, GitLab, Bitbucket [README]
  • Metrics and monitoring for workflows, agents, and cases [README]
  • Helm chart and EKS deployment templates (PolyForm Shield license) [README]

Pricing: SaaS vs self-hosted math

This is where the data gets thin. Tracecat’s website doesn’t publish pricing — it’s “Book a demo” territory for the Enterprise Edition, and the cloud offering is “Sign up free” with no public tier breakdown [website]. The Terms of Service references “applicable Order Form or SOW” for invoicing [1], which is the language of enterprise sales contracts, not self-serve SaaS.

What is clear:

  • Self-hosted community edition: Free. AGPL-3.0 for the core; Enterprise Edition features are under a separate paid license [README].
  • Managed cloud: Exists, pricing not public.
  • Enterprise Edition: Paid commercial license, contact sales [README].

Comparison against the incumbents Tracecat is displacing:

Tines pricing is not public but commonly reported in the security community at $500–$2,000+/month for teams, scaling into six figures for enterprise. Splunk SOAR (formerly Phantom) is enterprise-only pricing, typically sold as part of a broader Splunk contract.

For a 10-person security team that would otherwise be evaluating Tines, the self-hosted Tracecat math is straightforward: software cost $0, a VPS or Kubernetes cluster on your existing infrastructure, and a one-time setup effort. Even if you put that setup effort at 40 hours of an engineer’s time at $150/hour, you break even against a $7,200/year Tines entry contract within months of the first year — and you own the infrastructure going forward.

The AGPL license matters here: it’s free to self-host internally, but if you’re a vendor who wants to embed Tracecat in a product you sell to customers, AGPL requires you to open-source your modifications. For internal corporate security automation, this rarely matters. For a security software vendor, it’s a blocker.


Deployment reality check

The README lists Docker, Kubernetes, and AWS Fargate as deployment targets [README]. The Helm chart exists but is under a separate PolyForm Shield license and requires an Enterprise agreement for production use [README] — meaning the path to a well-managed Kubernetes deployment involves the enterprise sales conversation.

What you actually need for self-hosted Docker:

  • A server with enough RAM for Temporal (memory-hungry) plus the Tracecat services — plan for at least 4–8 GB RAM in production
  • Docker and docker-compose
  • PostgreSQL (likely bundled or external)
  • S3-compatible object storage for artifacts [README]
  • A reverse proxy for HTTPS
  • Your choice of identity provider if you’re using SAML/OIDC SSO

Tech stack complexity: This is a more involved deployment than a simple single-container tool. Temporal is an external dependency with its own operational overhead — it requires its own persistence layer and scales as a separate service. For teams already running Kubernetes, this is a familiar problem. For a team deploying their first self-hosted tool on a VPS, this is a full day of work minimum, possibly a weekend [README].

What can go sideways:

  • The kalilinuxtutorials piece [3] caught Tracecat in public alpha, where the feature list included several “expected [month] 2024” items. The product has matured significantly since then, but anyone evaluating it should check the current changelog rather than assume that alpha-era write-up still matches the current README.
  • Enterprise Kubernetes deployment (Helm/EKS) requires the Enterprise license — self-hosters without an enterprise contract are on Docker Compose for now [README].
  • The agent and MCP features are newer additions. Production maturity of the AI agent components in high-volume SOC environments isn’t well-documented in available third-party reviews [3][4].

Realistic setup estimate for a technical engineer familiar with Docker Compose and Temporal: half a day to a working instance, another day to configure integrations and SSO. For a team without that experience, plan for a week including troubleshooting.


Pros and cons

Pros

  • No SSO tax. SAML/OIDC is included in the community edition [README]. This is genuinely unusual — most self-hosted enterprise tools gate SSO behind a paid tier, which means teams with mandatory SSO requirements have to pay even for “free” software.
  • Security-specific from the ground up. The connector library, case management, and UX are built around security operations, not adapted from a general automation tool [3][4]. You’re not adapting a Zapier clone to do SOAR work.
  • Sandboxed execution. nsjail isolation for agents and code steps is a meaningful security posture for a platform that touches live security infrastructure [README].
  • Temporal for durable execution. Playbooks that need to pause for analyst approval, retry on transient API failures, or orchestrate across hours don’t break. This is production-grade infrastructure rather than cron-job automation [README].
  • Audit logs to SIEM included in the community edition — not gated [README].
  • MCP-native. Tracecat exposes itself as an MCP server, letting you control it from Claude Code, Cursor, or any other MCP-capable harness. For teams building AI-augmented security workflows, this is forward-looking [README].
  • Case management included. Eliminates the common setup of running a separate SOAR + a separate case management tool [README][website].
  • Code-native custom actions. You can sync Python scripts from your own Git repo and use them as workflow steps or agent tools — no vendor lock-in on your custom detection logic [README].

Cons

  • AGPL-3.0 license. Stricter than MIT or even n8n’s “Fair-code” license in some commercial contexts. If you’re a security vendor wanting to embed this in your product, AGPL forces you to open-source your modifications or negotiate a separate commercial license [README].
  • Key enterprise features are gated. RBAC, human-in-the-loop approval inbox, workflow version control (GitHub/GitLab sync), and Kubernetes Helm deployment are all behind the Enterprise Edition [README]. A mature SOC will likely need at least some of these.
  • Temporal operational overhead. The durable execution guarantee comes at the cost of running and maintaining Temporal, which is a non-trivial dependency. This isn’t a concern for teams already on Kubernetes, but it’s a meaningful hurdle for smaller deployments [README].
  • Small community at 3,530 stars. Less community-contributed content, fewer tutorials, fewer people who’ve hit and solved your specific deployment problem compared to n8n (160K stars) or even Shuffle [4]. Stack Overflow answers for niche Tracecat issues may not exist yet.
  • Alpha-era reputation risk. The kalilinuxtutorials review [3] covered Tracecat as a public alpha. The product has shipped significantly since, but the third-party review corpus is thin — there’s less independent validation of production reliability than there would be for more established tools.
  • No public pricing. Enterprise Edition pricing is opaque — “Book a demo” [website]. For teams with tight budgets who need to plan costs, this is friction.
  • Connector count is smaller than general automation tools. 100–200 security-focused connectors cover the major platforms, but if you need to automate workflows touching less common internal tools, you’re building custom HTTP integrations [README].

Who should use this / who shouldn’t

Use Tracecat if:

  • You’re a security team or SOC at a company that can’t afford Tines or Splunk SOAR, and you need a real SOAR platform — not a generic automation tool patched with security connectors.
  • Your team has SSO requirements. Tracecat’s no-SSO-tax stance means you get SAML/OIDC without paying for an enterprise tier.
  • You need case management and workflow automation in one platform rather than duct-taped across Jira and n8n.
  • You have at least one engineer who can manage Docker Compose and is comfortable with Temporal’s operational model.
  • You want to run AI agents in security workflows with human-in-the-loop approval gates.

Skip it (consider Shuffle instead) if:

  • Your team is non-technical and needs no-code setup. Shuffle’s UX is simpler at the cost of less power.
  • You need a faster path to production without Temporal’s operational complexity.

Skip it (consider n8n instead) if:

  • You need a large catalog of non-security connectors alongside security automation — your workflows touch HubSpot and Slack and internal tools alongside your SIEM.
  • You want a massive community, abundant tutorials, and a tool with production deployments at scale documented in detail [4][5].
  • Your team is primarily developers who want JavaScript/Python in a function node.

Skip it (consider TheHive/Cortex instead) if:

  • Your primary need is structured threat intel case management and IOC analysis, not workflow automation. TheHive is more mature in the pure case management space [4].

Skip it (stay on Tines or Splunk SOAR) if:

  • Your compliance requirements mandate a vendor-supported platform with SLAs and enterprise support contracts.
  • Your team doesn’t have the operational capacity to manage a self-hosted platform — even a well-designed one.
  • The Enterprise Edition features (RBAC, version control sync, Kubernetes Helm) are mandatory from day one, and you’d need to negotiate commercial licensing before you can evaluate it in production.

Alternatives worth considering

  • Tines — the direct commercial comparison. Better supported, larger integration library, and a polished UX that’s SOAR-specific, but priced for enterprise budgets with no self-host option.
  • Splunk SOAR — the incumbent enterprise SOAR. Deeply integrated with the Splunk ecosystem; priced accordingly.
  • Shuffle — the closest open-source SOAR competitor. Also AGPL, roughly comparable feature set, simpler operational model (no Temporal dependency), smaller connector library.
  • TheHive + Cortex — mature open-source case management and threat intel analysis. Better for pure case management; needs a separate automation layer.
  • n8n — general-purpose automation that security teams co-opt. Vastly larger community and integration library, but not SOAR-native. Worth considering if your automation needs span security and business ops [4][5].
  • StackStorm — event-driven, infrastructure-level automation and remediation. More DevOps-oriented than SOC-oriented [4].

Bottom line

Tracecat fills a real gap: it’s the first credible open-source SOAR platform that looks like a product rather than a research project. The combination of security-specific connectors, Temporal-backed durable execution, nsjail sandboxing, case management, AI agents, and no-SSO-tax pricing puts it far ahead of trying to adapt n8n for security operations. The trade-offs are real — AGPL complicates commercial embedding, the enterprise features worth having require the paid tier, and Temporal adds operational overhead that makes this a heavier lift than simpler self-hosted tools. But for the team that’s been told “Tines is $X,000/month” and walked away, Tracecat is the serious alternative that’s actually worth evaluating. At 3,530 stars and with Temporal under the hood, this isn’t a weekend project someone pushed to GitHub — it’s the foundation of a platform that could legitimately replace the expensive incumbents for security teams willing to own their infrastructure.

If setting up and running that infrastructure is the blocker, that’s exactly the kind of deployment work upready.dev handles for clients — one-time, done, you own it.


Sources

  1. Terms of Service | Tracecat — tracecat.com. https://www.tracecat.com/terms
  2. Privacy Policy | Tracecat — tracecat.com. https://www.tracecat.com/privacy
  3. Tracecat – Revolutionizing Security Automation With Open Source Excellence — kalilinuxtutorials.com. https://kalilinuxtutorials.com/tracecat/
  4. Top 5 Open Source SOAR Tools — aimultiple.com. https://aimultiple.com/open-source-soar
  5. FilterHN: n8n added native persistent storage with DataTables (community discussion) — filterhn.com. https://filterhn.com/post/45450044
