# Tracecat Docs ## Docs - [AI action](https://docs.tracecat.com/agents/ai-action.md): Use `ai.action` to run a single LLM call inside a Tracecat workflow: pick a model, pass instructions and inputs, and shape structured output for downstream actions. - [AI agent](https://docs.tracecat.com/agents/ai-agent.md): Use `ai.agent` and `ai.preset_agent` for tool-calling agent runs inside Tracecat workflows: configure tools, secrets, and instructions for autonomous reasoning. - [Custom LLM providers](https://docs.tracecat.com/agents/custom-llm-providers.md): Configure custom OpenAI-compatible model providers for Tracecat agents: add a custom source, discover models, and enable them for presets and defaults. - [Secrets and variables](https://docs.tracecat.com/agents/secrets-variables.md): Pass Tracecat secrets and workspace variables to preset agent tool calls securely: scope credentials per agent run and inject values without exposing them to the model. - [Skills](https://docs.tracecat.com/agents/skills.md): Create, publish, and attach Tracecat skills to preset agents so reusable instructions and files are available during agent runs. - [Basic](https://docs.tracecat.com/authentication/basic.md): Authenticate into self-hosted Tracecat with basic email-and-password sign-in: configure user accounts, password policies, and admin bootstrap for small deployments. - [OIDC](https://docs.tracecat.com/authentication/oidc.md): Authenticate into Tracecat using OpenID Connect: register an OIDC client with your IdP, map claims, and enable SSO sign-in across the platform. - [SAML SSO](https://docs.tracecat.com/authentication/saml.md): Authenticate into Tracecat with SAML SSO: configure your identity provider, map attributes, and enable single sign-on for organization-wide access. - [Actions](https://docs.tracecat.com/automations/actions.md): Connect Tracecat actions to build workflows: configure inputs and outputs, reference upstream results, and chain core, integration, and custom actions. - [Cases](https://docs.tracecat.com/automations/cases.md): Track and resolve Tracecat cases: triage alerts, run agents and workflows on case events, manage tasks and comments, and report on outcomes. - [Attachments](https://docs.tracecat.com/automations/core-actions/case-actions/attachments.md) - [Cases](https://docs.tracecat.com/automations/core-actions/case-actions/cases.md) - [Comments](https://docs.tracecat.com/automations/core-actions/case-actions/comments.md) - [Linked rows](https://docs.tracecat.com/automations/core-actions/case-actions/linked-rows.md) - [Metrics](https://docs.tracecat.com/automations/core-actions/case-actions/metrics.md) - [Tasks](https://docs.tracecat.com/automations/core-actions/case-actions/tasks.md) - [Filesystem](https://docs.tracecat.com/automations/core-actions/memory-actions/filesystem.md) - [Tables](https://docs.tracecat.com/automations/core-actions/memory-actions/tables.md) - [Email](https://docs.tracecat.com/automations/core-actions/request-actions/email.md) - [gRPC](https://docs.tracecat.com/automations/core-actions/request-actions/grpc.md) - [HTTP](https://docs.tracecat.com/automations/core-actions/request-actions/http.md) - [SQL](https://docs.tracecat.com/automations/core-actions/request-actions/sql.md) - [SSH](https://docs.tracecat.com/automations/core-actions/request-actions/ssh.md) - [Data transforms](https://docs.tracecat.com/automations/core-actions/transform-actions/data-transforms.md) - [Python script](https://docs.tracecat.com/automations/core-actions/transform-actions/python-script.md) - [Require](https://docs.tracecat.com/automations/core-actions/transform-actions/require.md) - [Reshape](https://docs.tracecat.com/automations/core-actions/transform-actions/reshape.md) - [Run subflow](https://docs.tracecat.com/automations/core-actions/workflow-actions/run-subflow.md) - [Scatter-gather loops](https://docs.tracecat.com/automations/core-actions/workflow-actions/scatter-gather-loops.md) - [While loops](https://docs.tracecat.com/automations/core-actions/workflow-actions/while-loops.md) - [Expressions](https://docs.tracecat.com/automations/core-concepts/expressions.md): Syntax reference for Tracecat expressions: contexts, operators, functions, and JSONPath access patterns used inside workflow and agent definitions. - [Functions](https://docs.tracecat.com/automations/core-concepts/functions.md): Inline utility functions for Tracecat expressions: transform strings, dates, numbers, lists, and JSON inside workflow and agent definitions. - [JSONPath](https://docs.tracecat.com/automations/core-concepts/jsonpath.md): Path access reference for Tracecat expressions: navigate trigger payloads, action results, secrets, and variables with JSONPath syntax. - [Secrets](https://docs.tracecat.com/automations/core-concepts/secrets.md): Create, scope, and reference Tracecat secrets in workflows and agents: store API keys safely and inject them into actions through expressions. - [Variables](https://docs.tracecat.com/automations/core-concepts/variables.md): Create and reference reusable Tracecat workspace variables in workflows and agents: share configuration and constants across automations without duplicating values. - [Workflow definition](https://docs.tracecat.com/automations/core-concepts/workflow-definition.md): YAML reference for Tracecat workflow definitions: triggers, actions, inputs, outputs, control flow, and schema fields used to author and version workflows. - [MCP servers](https://docs.tracecat.com/automations/integrations/mcp-integrations.md): Connect remote and stdio MCP servers to Tracecat agents: register tools, scope authentication, and call third-party MCP tools from agent runs. - [OAuth](https://docs.tracecat.com/automations/integrations/oauth-integrations.md): Connect OAuth providers to Tracecat and reference managed OAuth tokens in expressions: configure scopes, refresh credentials, and call APIs from actions and agents. - [Prebuilt credentials](https://docs.tracecat.com/automations/integrations/prebuilt-credentials.md): Configure prebuilt credentials for Tracecat's built-in integrations: define secret schemas, scope values per workspace, and reuse them across actions and agents. - [Tables](https://docs.tracecat.com/automations/tables.md): Store and manage structured data inside Tracecat: define tables, query rows from workflows and agents, and link records to cases and workflow runs. - [Tracecat MCP](https://docs.tracecat.com/automations/tracecat-mcp.md): Drive Tracecat from your own agent harness over MCP: build, edit, and run workflows and cases through Claude, Cursor, ChatGPT, or any MCP client. - [Case triggers](https://docs.tracecat.com/automations/triggers/case-triggers.md): Start Tracecat workflows from case events: react to case creation, status changes, and field updates to drive automated triage and response. - [Comment triggers](https://docs.tracecat.com/automations/triggers/comment-triggers.md): Run Tracecat workflows from case comments and replies: parse comment text, route directives to actions and agents, and bridge analyst chat into automation. - [Error workflows](https://docs.tracecat.com/automations/triggers/error-workflows.md): Run a Tracecat workflow whenever another workflow fails: forward error context, alert on-call, and centralize incident-handling logic across automations. - [Schedules](https://docs.tracecat.com/automations/triggers/schedules.md): Run Tracecat workflows on a time-based cadence: configure cron schedules, fixed intervals, and trigger payloads for recurring automations. - [Task triggers](https://docs.tracecat.com/automations/triggers/task-triggers.md): Run Tracecat workflows from case tasks: trigger automations as tasks are created, assigned, completed, or updated to keep response work moving. - [Webhooks](https://docs.tracecat.com/automations/triggers/webhooks.md): Trigger Tracecat workflows from external systems with webhooks: configure secret URLs, parse JSON or form payloads, and validate inbound requests. - [Workflows](https://docs.tracecat.com/automations/workflows.md): Build, run, and manage Tracecat workflows: connect triggers and actions, version definitions, and orchestrate automations across cases and agents. - [Functions](https://docs.tracecat.com/cheatsheets/functions.md): Quick reference for every Tracecat expression function and operator, with signatures and examples for transforming data inside workflows and agents. - [JSONPath](https://docs.tracecat.com/cheatsheets/jsonpath.md): Quick reference for JSONPath syntax, filters, and access patterns used in Tracecat expressions to read fields from triggers, actions, secrets, and variables. - [Custom registry](https://docs.tracecat.com/custom-actions/custom-registry.md): Sync custom Python and YAML actions into Tracecat through your own registry: version, share, and reuse organization-specific automations across workspaces. - [Local development](https://docs.tracecat.com/custom-actions/local-development.md): Hot-reload custom Python and YAML actions while developing locally against Tracecat: iterate on registry code with fast feedback loops and live workflow runs. - [Python UDFs](https://docs.tracecat.com/custom-actions/python-udf.md): Build custom Python actions for Tracecat: declare inputs and outputs, package dependencies, and expose user-defined functions to workflows and agents. - [YAML templates](https://docs.tracecat.com/custom-actions/yaml-template.md): Build custom YAML template actions for Tracecat: compose existing actions and expressions into reusable, versioned building blocks for workflows and agents. - [Getting started](https://docs.tracecat.com/overview/getting-started.md) - [Welcome to Tracecat](https://docs.tracecat.com/overview/introduction.md) - [Architecture](https://docs.tracecat.com/self-hosting/architecture.md): Architecture overview for self-hosted Tracecat: services, networking, authentication boundaries, and dependencies between API, executor, worker, and frontend. - [AWS ECS Fargate](https://docs.tracecat.com/self-hosting/aws-fargate.md): Deploy self-hosted Tracecat to AWS ECS Fargate using Terraform: provision RDS, networking, secrets, and Temporal alongside Tracecat services in your own AWS account. - [Docker Compose](https://docs.tracecat.com/self-hosting/docker-compose.md): Deploy self-hosted Tracecat using Docker Compose: bring up the API, executor, worker, frontend, Postgres, and Temporal stack on a single host in minutes. - [Environment variables](https://docs.tracecat.com/self-hosting/environment-variables.md): Reference for every self-hosted Tracecat environment variable: configure auth, storage, secrets, integrations, and runtime behavior across services. - [Kubernetes](https://docs.tracecat.com/self-hosting/kubernetes.md): Deploy self-hosted Tracecat to Kubernetes with the OCI Helm chart: install Tracecat services and Temporal on EKS, GKE, or any conformant cluster. - [Security](https://docs.tracecat.com/self-hosting/security.md): Harden your self-hosted Tracecat deployment: rotate secrets, lock down network egress, configure SSO and RBAC, and meet common compliance baselines. - [AbuseIPDB](https://docs.tracecat.com/tools/abuseipdb.md): Reference for the Tracecat AbuseIPDB integration: registered actions, required secrets, expected inputs, and example workflow usage. - [AlertMedia](https://docs.tracecat.com/tools/alertmedia.md): Reference for the Tracecat AlertMedia integration: registered actions, required secrets, expected inputs, and example workflow usage. - [Amazon S3](https://docs.tracecat.com/tools/amazon_s3.md): Reference for the Tracecat Amazon S3 integration: registered actions, required secrets, expected inputs, and example workflow usage. - [Ansible](https://docs.tracecat.com/tools/ansible.md): Reference for the Tracecat Ansible integration: registered actions, required secrets, expected inputs, and example workflow usage. - [ANY.RUN](https://docs.tracecat.com/tools/anyrun.md): Reference for the Tracecat ANY.RUN integration: registered actions, required secrets, expected inputs, and example workflow usage. - [AWS Boto3](https://docs.tracecat.com/tools/aws_boto3.md): Reference for the Tracecat AWS Boto3 integration: registered actions, required secrets, expected inputs, and example workflow usage. - [Azure Log Analytics](https://docs.tracecat.com/tools/azure_log_analytics.md): Reference for the Tracecat Azure Log Analytics integration: registered actions, required secrets, expected inputs, and example workflow usage. - [MITRE Caldera](https://docs.tracecat.com/tools/caldera.md): Reference for the Tracecat MITRE Caldera integration: registered actions, required secrets, expected inputs, and example workflow usage. - [Confluence](https://docs.tracecat.com/tools/confluence.md): Reference for the Tracecat Confluence integration: registered actions, required secrets, expected inputs, and example workflow usage. - [CrowdSec](https://docs.tracecat.com/tools/crowdsec.md): Reference for the Tracecat CrowdSec integration: registered actions, required secrets, expected inputs, and example workflow usage. - [CrowdStrike](https://docs.tracecat.com/tools/crowdstrike.md): Reference for the Tracecat CrowdStrike integration: registered actions, required secrets, expected inputs, and example workflow usage. - [Datadog](https://docs.tracecat.com/tools/datadog.md): Reference for the Tracecat Datadog integration: registered actions, required secrets, expected inputs, and example workflow usage. - [Elastic Security](https://docs.tracecat.com/tools/elastic_security.md): Reference for the Tracecat Elastic Security integration: registered actions, required secrets, expected inputs, and example workflow usage. - [Elasticsearch](https://docs.tracecat.com/tools/elasticsearch.md): Reference for the Tracecat Elasticsearch integration: registered actions, required secrets, expected inputs, and example workflow usage. - [EmailRep](https://docs.tracecat.com/tools/emailrep.md): Reference for the Tracecat EmailRep integration: registered actions, required secrets, expected inputs, and example workflow usage. - [Exa](https://docs.tracecat.com/tools/exa.md): Reference for the Tracecat Exa integration: registered actions, required secrets, expected inputs, and example workflow usage. - [FalconPy](https://docs.tracecat.com/tools/falconpy.md): Reference for the Tracecat FalconPy integration: registered actions, required secrets, expected inputs, and example workflow usage. - [GitHub MCP](https://docs.tracecat.com/tools/github.md): Reference for the Tracecat GitHub MCP integration: registered actions, required secrets, expected inputs, and example workflow usage. - [Gmail](https://docs.tracecat.com/tools/gmail.md): Reference for the Tracecat Gmail integration: registered actions, required secrets, expected inputs, and example workflow usage. - [Google API](https://docs.tracecat.com/tools/google_api.md): Reference for the Tracecat Google API integration: registered actions, required secrets, expected inputs, and example workflow usage. - [Google Docs](https://docs.tracecat.com/tools/google_docs.md): Reference for the Tracecat Google Docs integration: registered actions, required secrets, expected inputs, and example workflow usage. - [Google Drive](https://docs.tracecat.com/tools/google_drive.md): Reference for the Tracecat Google Drive integration: registered actions, required secrets, expected inputs, and example workflow usage. - [Google Maps](https://docs.tracecat.com/tools/google_maps.md): Reference for the Tracecat Google Maps integration: registered actions, required secrets, expected inputs, and example workflow usage. - [Google SecOps Detection Engine](https://docs.tracecat.com/tools/google_secops_detection.md): Reference for the Tracecat Google SecOps Detection Engine integration: registered actions, required secrets, expected inputs, and example workflow usage. - [Google SecOps SOAR](https://docs.tracecat.com/tools/google_secops_soar.md): Reference for the Tracecat Google SecOps SOAR integration: registered actions, required secrets, expected inputs, and example workflow usage. - [Google Sheets](https://docs.tracecat.com/tools/google_sheets.md): Reference for the Tracecat Google Sheets integration: registered actions, required secrets, expected inputs, and example workflow usage. - [Gophish](https://docs.tracecat.com/tools/gophish.md): Reference for the Tracecat Gophish integration: registered actions, required secrets, expected inputs, and example workflow usage. - [HackerOne](https://docs.tracecat.com/tools/hackerone.md): Reference for the Tracecat HackerOne integration: registered actions, required secrets, expected inputs, and example workflow usage. - [Have I Been Pwned](https://docs.tracecat.com/tools/hibp.md): Reference for the Tracecat Have I Been Pwned integration: registered actions, required secrets, expected inputs, and example workflow usage. - [Hybrid Analysis](https://docs.tracecat.com/tools/hybrid_analysis.md): Reference for the Tracecat Hybrid Analysis integration: registered actions, required secrets, expected inputs, and example workflow usage. - [IPinfo](https://docs.tracecat.com/tools/ipinfo.md): Reference for the Tracecat IPinfo integration: registered actions, required secrets, expected inputs, and example workflow usage. - [Jira MCP](https://docs.tracecat.com/tools/jira.md): Reference for the Tracecat Jira MCP integration: registered actions, required secrets, expected inputs, and example workflow usage. - [LDAP](https://docs.tracecat.com/tools/ldap.md): Reference for the Tracecat LDAP integration: registered actions, required secrets, expected inputs, and example workflow usage. - [LeakCheck](https://docs.tracecat.com/tools/leakcheck.md): Reference for the Tracecat LeakCheck integration: registered actions, required secrets, expected inputs, and example workflow usage. - [Linear MCP](https://docs.tracecat.com/tools/linear.md): Reference for the Tracecat Linear MCP integration: registered actions, required secrets, expected inputs, and example workflow usage. - [Microsoft Defender for Endpoint](https://docs.tracecat.com/tools/microsoft_defender_endpoint.md): Reference for the Tracecat Microsoft Defender for Endpoint integration: registered actions, required secrets, expected inputs, and example workflow usage. - [Microsoft Entra](https://docs.tracecat.com/tools/microsoft_entra.md): Reference for the Tracecat Microsoft Entra integration: registered actions, required secrets, expected inputs, and example workflow usage. - [Microsoft Sentinel](https://docs.tracecat.com/tools/microsoft_sentinel.md): Reference for the Tracecat Microsoft Sentinel integration: registered actions, required secrets, expected inputs, and example workflow usage. - [Microsoft Teams](https://docs.tracecat.com/tools/microsoft_teams.md): Reference for the Tracecat Microsoft Teams integration: registered actions, required secrets, expected inputs, and example workflow usage. - [MinIO](https://docs.tracecat.com/tools/minio.md): Reference for the Tracecat MinIO integration: registered actions, required secrets, expected inputs, and example workflow usage. - [Notion MCP](https://docs.tracecat.com/tools/notion.md): Reference for the Tracecat Notion MCP integration: registered actions, required secrets, expected inputs, and example workflow usage. - [Okta](https://docs.tracecat.com/tools/okta.md): Reference for the Tracecat Okta integration: registered actions, required secrets, expected inputs, and example workflow usage. - [Okta](https://docs.tracecat.com/tools/okta_oar.md): Reference for the Tracecat Okta integration: registered actions, required secrets, expected inputs, and example workflow usage. - [PagerDuty](https://docs.tracecat.com/tools/pagerduty.md): Reference for the Tracecat PagerDuty integration: registered actions, required secrets, expected inputs, and example workflow usage. - [Panther](https://docs.tracecat.com/tools/panther.md): Reference for the Tracecat Panther integration: registered actions, required secrets, expected inputs, and example workflow usage. - [PhishLabs](https://docs.tracecat.com/tools/phishlabs.md): Reference for the Tracecat PhishLabs integration: registered actions, required secrets, expected inputs, and example workflow usage. - [PyMongo](https://docs.tracecat.com/tools/pymongo.md): Reference for the Tracecat PyMongo integration: registered actions, required secrets, expected inputs, and example workflow usage. - [Rootly](https://docs.tracecat.com/tools/rootly.md): Reference for the Tracecat Rootly integration: registered actions, required secrets, expected inputs, and example workflow usage. - [RunReveal MCP](https://docs.tracecat.com/tools/runreveal.md): Reference for the Tracecat RunReveal MCP integration: registered actions, required secrets, expected inputs, and example workflow usage. - [SentinelOne](https://docs.tracecat.com/tools/sentinel_one.md): Reference for the Tracecat SentinelOne integration: registered actions, required secrets, expected inputs, and example workflow usage. - [Sentry MCP](https://docs.tracecat.com/tools/sentry.md): Reference for the Tracecat Sentry MCP integration: registered actions, required secrets, expected inputs, and example workflow usage. - [ServiceNow](https://docs.tracecat.com/tools/servicenow.md): Reference for the Tracecat ServiceNow integration: registered actions, required secrets, expected inputs, and example workflow usage. - [Slack](https://docs.tracecat.com/tools/slack.md): Reference for the Tracecat Slack integration: registered actions, required secrets, expected inputs, and example workflow usage. - [Slack SDK](https://docs.tracecat.com/tools/slack_sdk.md): Reference for the Tracecat Slack SDK integration: registered actions, required secrets, expected inputs, and example workflow usage. - [Splunk](https://docs.tracecat.com/tools/splunk.md): Reference for the Tracecat Splunk integration: registered actions, required secrets, expected inputs, and example workflow usage. - [Sublime](https://docs.tracecat.com/tools/sublime.md): Reference for the Tracecat Sublime integration: registered actions, required secrets, expected inputs, and example workflow usage. - [Tavily](https://docs.tracecat.com/tools/tavily.md): Reference for the Tracecat Tavily integration: registered actions, required secrets, expected inputs, and example workflow usage. - [Tenable Security Center](https://docs.tracecat.com/tools/tenable_sc.md): Reference for the Tracecat Tenable Security Center integration: registered actions, required secrets, expected inputs, and example workflow usage. - [Terraform Cloud](https://docs.tracecat.com/tools/terraform.md): Reference for the Tracecat Terraform Cloud integration: registered actions, required secrets, expected inputs, and example workflow usage. - [Anomali ThreatStream](https://docs.tracecat.com/tools/threatstream.md): Reference for the Tracecat Anomali ThreatStream integration: registered actions, required secrets, expected inputs, and example workflow usage. - [URLhaus](https://docs.tracecat.com/tools/urlhaus.md): Reference for the Tracecat URLhaus integration: registered actions, required secrets, expected inputs, and example workflow usage. - [URLScan](https://docs.tracecat.com/tools/urlscan.md): Reference for the Tracecat URLScan integration: registered actions, required secrets, expected inputs, and example workflow usage. - [VirusTotal](https://docs.tracecat.com/tools/virustotal.md): Reference for the Tracecat VirusTotal integration: registered actions, required secrets, expected inputs, and example workflow usage. - [Wazuh](https://docs.tracecat.com/tools/wazuh.md): Reference for the Tracecat Wazuh integration: registered actions, required secrets, expected inputs, and example workflow usage. - [Wiz MCP](https://docs.tracecat.com/tools/wiz.md): Reference for the Tracecat Wiz MCP integration: registered actions, required secrets, expected inputs, and example workflow usage. - [Zendesk](https://docs.tracecat.com/tools/zendesk.md): Reference for the Tracecat Zendesk integration: registered actions, required secrets, expected inputs, and example workflow usage.