Open source security automation platform for teams and AI agents

Tracecat helps security teams build agents and automate work.

Book a demo Self-host today

Workspace

Create session Inbox

Workspace

Workflows Cases Agents Tools Tables

Members Variables Connections

Review required 2

Isolate Gmail account from Slack request

now

Awaiting approval

Investigate Q4 metrics

Found 3 anomalies

In progress 1

Handle IT request

IT Requests · Processing...

Completed 2

Customer: API rate limits

15m

Resolved

Draft weekly report

Report generated

Isolate Gmail account from Slack request

Trigger

Slack request

Lookup Gmail account

gmail.find_user

Isolate Gmail account

gmail.isolate

⌘N⌘Y

Isolate Gmail account given Slack request

• What Slack signal should trigger the workflow?

• Which Gmail account fields are required for isolation?

I can wire this to a Slack request and then isolate the matching Gmail account. Which Slack request type should trigger this?

Security request: Isolate Gmail account

Slack (OAuth connected)

Gmail (OAuth connected)

I found a single action for this request: Isolate Gmail account. It will disable the account and revoke active sessions.

Trigger: Slack request received

Lookup Gmail account by email

Isolate Gmail account

Ready to add the Isolate Gmail account action to your workflow.

Trusted by security builders in mission-critical environments

Turn security ideas into scalable, auditable automations through chat.

Learn about Automations in Tracecat →

Enterprise integrations

Over 200 connectors for security, IT, and infrastructure tools.

Sandboxed by default

All actions and agents are run in a sandbox, isolated from secrets.

Limitless control flow

Run loops, if-conditions, parallel subflows, and scripts (Python, Bash, Javascript).

Human-in-the-loop agents

Run agents in workflows with explicit tool approvals.

SaaS drift remediation

Drag to pan

Trigger

SaaS drift alert

@alert.type == 'iam'

@alert.type == 'other'

Scatter

Split by account

Close alert

No drift found

For loop

IAM analyst agent

AI Agent

Isolate user

Isolate device

Notify owner

Run subflow

Access quarantine

Work alongside agents built by your team.

Learn about Cases in Tracecat →

CasesCASE-234966

Created 1 month agoLast edited 3 days ago

Status

In progress

Priority: High

Assignee: Unassigned

TTA 12m

TTR 4h 32m

Severity: High

phishing

credential compromise

marketing

email gateway

Phishing attack with successful credential compromise - marketing department user

MFA enforcedYes

Impact scopeSingle user

Data exfiltrationUnknown

Containment completeNo

Employee sarah.chen@company.com reported a suspicious email impersonating IT requesting a password verification. The phishing email compromised corporate credentials and enabled lateral movement attempts.

Detection details

User report at 09:42 UTC, gateway alert at 12:15 UTC
2.5 hour detection delay
Initial access via spoofed domain email link

Indicators of compromise

Sender: itsupport@company-verify.net
Reply-to: support.verify@protonmail.com
Login IP: 185.220.101.45 (Tor exit node)

Recommended actions: reset credentials, revoke sessions, and run targeted mailbox audit for related phishing campaigns.

Case copilot

Ready

Summary drafted from the case description.

Suggested next steps

Disable compromised IAM and corporate email accounts
Run mailbox search for the spoofed sender
Check for lateral movement attempts

Can you generate a timeline and recommend containment steps?

I can generate a timeline and pre-fill containment actions based on the IOC list.

Ask the copilot for containment guidance...

Build your security workforce with agents.

Learn about Agents in Tracecat →

Build agents through chat

Runbooks/Incident response agent

Incident response agent

SIEM

Log search

Asset inventory

On-call

Goal

Triage security alerts, enrich with context, and recommend containment steps.

Instructions

1. Pull related alerts from SIEM and on-call logs.

2. Correlate with auth and network telemetry.

3. Propose containment and rollback steps.

Use agents to resolve cases

SRE AssistantIncident 421

Latency spiked on the payments API after the latest deploy.

Detected p95 regression in us-east-1

Rollout window aligns with spike

I recommend pausing the rollout and checking the new cache invalidation path.

Compare latency before/after release `v2.7.1`
Inspect DB connection pool saturation

Can you draft a rollback checklist and page the on-call?

Drafting now. I’ll also pull the last successful deploy notes and summarize impact.

Rollback to `v2.7.0` in us-east-1
Verify error budget burn rate normalization

Give agents data securely

Tables

incidents

SRE • incident timeline

Active

alerts

Infra • paging history

Active

access_reviews

Security • quarterly audits

Active

change_requests

IT • approvals and rollbacks

Active

Tracecat is mission ready.

Learn about the Enterprise Edition →

Fine-grained access controls

Open source audit logs

Self-hostable anywhere

Sandboxed by default

SOC2 Type II

SLAs

Reserved compute and autoscaling

Git sync for workflows

Bring-your-own-LLMs

Build for free

Sign up to Tracecat

Continue

By signing up, you accept our Terms of Use and confirm that you have taken note of our Privacy Policy.

Already have an account? Sign in

Loved by security teams building with AI

CNLRER

Security engineer @ Depop

Tracecat copilot has changed my life. I can finally create the workflows I've been envisioning and turn ideas into reality. I never had enough time to build and experiment around my other responsibilities. Now I can ask Tracecat copilot to whip something up, then spend my time iterating until it's right.

Dirk, Security lead @ Neo Financial

A genuine thank you to the team. I built an end-to-end IoC enrichment pipeline with Claude and Tracecat MCP and created more value for our SOC in a day than I probably would have in weeks on my own. You're making my one-man SOC assignment possible.

Security lead @ Saronic

Tracecat is a cheat code for corporate security teams that want to build and own their own agentic future.