Tracecat’s current signal is not star-count virality. It is release intent. ToolVitals measures 21 release events in 30 days and 30 releases in 90 days, while the recent release notes keep circling the same target: security agents that can use MCP servers, work with case data, create artifacts from chat, and run inside sandboxes. That makes Tracecat less like a generic automation builder and more like an owned agent runtime for security teams.
What Tracecat says it is
The official Tracecat site frames the product as an “open source security automation platform for teams and AI agents.” Its homepage is not shy about the buyer: AI-native security teams replacing legacy SOAR, with agents, workflows, and cases they own. The page uses concrete security tasks as the product story, including revoking risky Google OAuth grants, isolating endpoints from Falcon alerts, auditing GitHub OAuth app installs, and investigating a Shai-Hulud package advisory.
That matters because SOAR tools often collapse into ticket routing plus brittle runbooks. Tracecat is pitching something narrower and more ambitious: analysts build agents around real alert queues, cloud findings, endpoint telemetry, and incident runbooks. The site says those agents can collect evidence, summarize findings, prepare next actions, and escalate sensitive actions through approval gates.
The GitHub repository backs up that positioning. Its README describes Tracecat as “the agentic security automation platform” and says teams can build prompt-to-automations with agents, workflows, cases, and tables from their own agent harnesses, naming Claude Code, Codex, and OpenCode as examples. It also calls out code-native automation through custom Python scripts synced from Git, self-hosting across Docker, Kubernetes, and AWS Fargate, and runtime isolation through nsjail with Temporal for durable workflow execution.
There are two details an engineering lead should not skim past. First, the repository says Tracecat includes agents with prompts, tools, chat, and MCP servers, including remote HTTP or OAuth servers and local servers launched through npx or uvx commands. Second, it pairs that agent layer with workflow control flow, case management, lookup tables, variables, RBAC, ABAC, OAuth scopes for humans and agents, audit logs, and human approvals. The product is not just “chat with your security tools.” It is trying to make agent behavior governable enough for SOC work.
The notable part is the agent infrastructure, not the UI pitch
The strongest evidence is in the release trail. Tracecat’s homepage says teams can connect SIEM, EDR, MDM, CSPM, CNAPP, ticketing, email, and cloud systems, then set tool policies for read actions, write actions, and sensitive actions. That is a risk-control story. The recent GitHub releases show the same story turning into platform plumbing.
Tracecat 1.0.0-beta.48, released on May 21, added Slack assistant templates, Slack streaming chat templates, a SentinelOne Purple MCP link for actions, and support for a RunReveal MCP OAuth host. In the same release, the agent section included chat stream resumption, a Bedrock converse knob, custom model-provider cleanup, removal of a hard-coded one-hour execution timeout for chat workflows, MCP bridge identity encoding, and pending approval cleanup. Those are not landing-page flourishes. They are the unglamorous pieces you touch when agents stop being demos and start running inside work queues.
The 1.0.0-beta.49 release candidates make the direction clearer. RC.1 added Google API SDK UDFs, split MCP servers into their own page, added DuckDB CLI to the sandbox, prebuilt built-in sync artifacts, dropped destructive case delete tools, upgraded the Temporal SDK, and initialized UX smoke testing. RC.2 added session artifact storage, normalized sandbox runtime paths, bounded for_each iteration concurrency, allowed API keys to manage workspace variables, case attachments, case rows, agent resources, and workspace tables, scoped org-wide RBAC assignments by organization, and enabled cluster sandbox by default.
Then RC.3 went straight at workspace chat artifacts: persistent sandbox work directories, workspace chat artifact streams, mounting workspace chat artifacts, binding workspace chat domain tools, creating workflow artifacts from chat, smoothing workspace chat streaming, per-session tools and MCP integrations, and agent skill CRUD UDFs. RC.4 followed with smooth reasoning-token streaming and a capabilities-first tools picker with browsable integrations.
That sequence reads like a product team hardening the boundary between agent conversation, tool access, artifacts, and workflow execution. The interpretation is mine, but the pattern is first-party: artifacts, sessions, MCP, sandboxes, approvals, API scopes, and streaming are repeated across the official site, repository, and release notes.
ToolVitals metrics show high shipping pressure with beta-stage caveats
ToolVitals gives Tracecat a 96 ToolVitals score, 92 health score, 98 shipping score, and 217.9 hot score. The repository has 3,630 GitHub stars in the ToolVitals payload. Release activity is the headline: 21 release events in 30 days and 30 GitHub releases in 90 days, with a data confidence of 100.
Those numbers support a simple claim: Tracecat is actively shipping. A 98 shipping score is not a vibes score. It reflects recent release activity, and the 21 release events in 30 days show sustained public movement. For a security automation platform, that cuts both ways. Fast iteration can mean the team is responding to real integration and agent-runtime problems. It can also mean buyers should expect churn, especially because several recent events are release candidates, not calm long-term-support releases.
The missing fields matter too. ToolVitals does not report GitHub commits in the last 30 days for this payload, and it does not report active contributor count. The GitHub page we inspected shows a live repository with thousands of commits and recent activity, but the ToolVitals metrics for commits and active contributors are null. So the safe metric-backed claim is about releases, score, stars, and confidence, not about exact commit volume or contributor breadth.
Stars are also a weak proxy here. Tracecat’s 3,630 stars are modest beside broad developer tools, but security automation is a narrower category than general workflow automation. The more useful signal is alignment between product claims and release content. Tracecat says it is building agents, workflows, cases, MCP connections, and approvals for security teams. The release notes are shipping exactly in those areas.
Licensing and ownership need precise language
ToolVitals classifies Tracecat as OSI-approved OSS with an AGPL-3.0 license signal. That means it is fair to call Tracecat open source under the ToolVitals openness field. The repository also says the code is available under AGPL-3.0 with exceptions, including packages/tracecat-ee under a paid Enterprise Edition license, deployments/k8s as a PolyForm Shield licensed submodule, and code that gates enterprise features.
That is not a reason to avoid Tracecat. It is a reason to read the license boundary before building a commercial deployment around it. AGPL-3.0 is a serious copyleft license. The repository’s own exceptions make the enterprise boundary explicit. If your company needs managed cloud, enterprise licensing, or Kubernetes deployment artifacts, treat those as commercial conversations, not assumptions baked into the OSS core.
There is one more subtle point. ToolVitals reports no hosted pricing tracked, but the GitHub repository mentions an Enterprise License and managed Cloud offering, and the official site includes “Book a demo” and describes Tracecat Enterprise as including a dedicated security engineer. So the correct reading is not “Tracecat has no paid offering.” The correct reading is “ToolVitals has not tracked hosted pricing for this payload.”
Compared with nearby tools, Tracecat is smaller but sharply focused
The closest related automation comparison in the payload is n8n. n8n has 191,353 GitHub stars, a 100 shipping score, 62 release events in 30 days, and a 225.0 hot score. It is also classified as fair-code, not OSI-approved open source, under the Sustainable Use License. Tracecat has far fewer stars and fewer release events, but it is pointed at security automation and AI-agent governance rather than general workflow automation.
LangChain is another useful comparison, but only if you keep category differences in view. LangChain has 138,669 stars, a 100 shipping score, and 19 release events in 30 days. Tracecat has 3,630 stars and 21 release events in 30 days. That does not make Tracecat “bigger” than LangChain. It says Tracecat’s public release cadence is comparable in this 30-day window while solving a much more specific operational problem.
Agent-of-empires sits closer in scale, with 2,524 stars, a 100 shipping score, and 15 release events in 30 days. Tracecat is ahead on stars and release events in the payload, but the category labels are broad. The better comparison is buyer intent. If you need a playground or general agent framework, Tracecat may be too opinionated. If you need a security automation workbench with cases, approvals, MCP, and self-hosting, that opinionated shape is the point.
What ToolVitals cannot infer
ToolVitals sees public signals: stars, release events, scores, SSL, uptime, and tracked activity. It does not see code quality. It does not see whether the product is pleasant at 2 a.m. during an incident. It does not see customer retention, revenue, support quality, false-positive reduction, or whether a given Falcon, Wiz, Okta, Slack, or RunReveal integration behaves well in your tenant.
The official site claims 500+ integrations across security systems and more than 100 pre-built MCP servers. I used that as first-party positioning, not as an independently counted ToolVitals metric. The GitHub release notes corroborate recent MCP work, including MCP support for agents, MCP OAuth host support, MCP bridge identity handling, per-session MCP integrations, and MCP tooling cleanup. They do not prove every advertised integration is production-ready for every buyer.
A skeptical engineering lead should evaluate Tracecat by testing the dangerous paths first. Can the platform separate read-only enrichment from containment actions? Are approval gates hard to bypass? Do audit logs capture tool calls and agent decisions clearly enough for post-incident review? Does RBAC work the way your SOC and platform teams actually divide responsibility? Does sandboxing survive malicious or messy Python scripts? Those are the questions the metrics cannot answer.
Maintainers should take a different lesson from the same data. The shipping story is strong, but the density of release candidates makes upgrade clarity critical. The repository already warns that Tracecat is in active development and tells users to review the release changelog before updating. Keep leaning into that. Buyers will forgive beta churn when the changelog is crisp, the migration path is explicit, and the security boundary is described without marketing fog.
Recommendation
If your team is building security automation around AI agents, MCP-connected tools, and human-approved containment actions, evaluate Tracecat now. Do not evaluate it as a drop-in generic automation platform. Evaluate it as a self-hostable security agent runtime with workflows, cases, approval gates, and artifact handling.
The right pilot is narrow. Pick one alert family, such as phishing triage, risky OAuth grants, or a cloud privilege-escalation finding. Connect only the systems needed for that workflow. Start with read-only enrichment, then add write actions behind approvals. Watch how Tracecat handles case state, tool permissions, chat artifacts, audit logs, and sandboxed execution. If those controls hold up, the release cadence suggests you will be buying into a platform that is moving fast in the exact direction its homepage promises.
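One way to turn the pilot checks above, and the earlier approval-gate and audit-log questions, into a repeatable test. This is an added example, not Tracecat's code or audit schema: it replays a constructed audit export and flags write or sensitive tool calls that ran without a prior, single-use human approval. The event fields, actor prefixes and tool names are hypothetical, and requiring approval for both write and sensitive tiers is the pilot's assumption.

```python
import json

# Constructed audit export, one JSON event per line. Field names, actors and
# tool names are hypothetical, not Tracecat's audit-log schema.
SAMPLE_AUDIT = """
{"seq": 1, "event": "tool_call", "actor": "agent:oauth-triage", "tool": "list_oauth_grants", "call_id": "c1"}
{"seq": 2, "event": "approval", "actor": "user:alice", "call_id": "c2"}
{"seq": 3, "event": "tool_call", "actor": "agent:oauth-triage", "tool": "add_case_comment", "call_id": "c2"}
{"seq": 4, "event": "tool_call", "actor": "agent:oauth-triage", "tool": "revoke_oauth_grant", "call_id": "c3"}
{"seq": 5, "event": "approval", "actor": "user:alice", "call_id": "c3"}
{"seq": 6, "event": "approval", "actor": "agent:oauth-triage", "call_id": "c4"}
{"seq": 7, "event": "tool_call", "actor": "agent:oauth-triage", "tool": "revoke_oauth_grant", "call_id": "c4"}
{"seq": 8, "event": "tool_call", "actor": "agent:oauth-triage", "tool": "isolate_endpoint", "call_id": "c5"}
"""

# Pilot policy (assumed): the tier of every tool connected for this workflow.
TOOL_TIER = {
    "list_oauth_grants": "read",
    "add_case_comment": "write",
    "revoke_oauth_grant": "sensitive",
}
NEEDS_APPROVAL = {"write", "sensitive"}


def audit_violations(export: str) -> list[tuple[int, str]]:
    """Replay events in order and return (seq, reason) for each policy break."""
    approved = set()  # call_ids holding an unused human approval
    findings = []
    for line in filter(None, map(str.strip, export.splitlines())):
        ev = json.loads(line)
        if ev["event"] == "approval":
            if ev["actor"].startswith("user:"):
                approved.add(ev["call_id"])
            else:
                findings.append((ev["seq"], "approval not issued by a human"))
        elif ev["event"] == "tool_call":
            tier = TOOL_TIER.get(ev["tool"])
            if tier is None:
                findings.append((ev["seq"], "tool outside pilot policy"))
            elif tier in NEEDS_APPROVAL:
                if ev["call_id"] in approved:
                    approved.discard(ev["call_id"])  # approvals are single use
                else:
                    findings.append((ev["seq"], f"{tier} call without prior approval"))
    return findings


if __name__ == "__main__":
    for seq, reason in audit_violations(SAMPLE_AUDIT):
        print(seq, reason)
```

An approval that arrives after the action (event 5 in the sample) does not clear the earlier finding, which is the behaviour a post-incident reviewer needs from the log.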
If your team mainly wants generic SaaS automation, n8n has much more star gravity and far more release events in this 30-day window. If your team wants an open source, AGPL-3.0 security automation platform built around agents you can own and govern, Tracecat is the sharper bet.
Sources
- https://tracecat.com
- https://github.com/TracecatHQ/tracecat
- https://github.com/TracecatHQ/tracecat/releases/tag/1.0.0-beta.48
- https://github.com/TracecatHQ/tracecat/releases/tag/1.0.0-beta.49-rc.1
- https://github.com/TracecatHQ/tracecat/releases/tag/1.0.0-beta.49-rc.2
- https://github.com/TracecatHQ/tracecat/releases/tag/1.0.0-beta.49-rc.3
- https://github.com/TracecatHQ/tracecat/releases/tag/1.0.0-beta.49-rc.4