The following is a quickstart guide. Need more help? Check out Tracecat’s full self-hosting guide.

Tracecat supports three deployment options:

  • Docker Compose
  • AWS Fargate via Terraform
  • Kubernetes via Helm (coming soon)

Docker Compose

This deployment has been tested on Ubuntu (22.04 LTS and 24.04 LTS), macOS / RHEL with Docker Desktop, and Windows Linux Subsystem (WSL). For help with other operating systems, please find us on Discord for support.

It you have SELinux installed, you’ll also need to add the :z suffix to the Caddy volume mount: ./Caddyfile:/etc/caddy/Caddyfile:z in the Docker Compose file.

Deploy a local Tracecat stack using Docker Compose. View step-by-step instructions here.

The default Docker compose configuration has basic email / password auth enabled. Basic auth is not recommended for production environments, especially if exposed to the public internet.

Please consider using a more secure authentication method such as OAuth or SAML SSO unless running in an air-gapped environment with defense-in-depth controls.

# 1. Setup .env configs and secrets (you'll be prompted for superadmin email)
curl -o env.sh https://raw.githubusercontent.com/TracecatHQ/tracecat/0.37.1/env.sh
curl -o .env.example https://raw.githubusercontent.com/TracecatHQ/tracecat/0.37.1/.env.example
chmod +x env.sh && ./env.sh

# 2. Download Caddyfile
curl -o Caddyfile https://raw.githubusercontent.com/TracecatHQ/tracecat/0.37.1/Caddyfile

# 3. Download Docker Compose file
curl -o docker-compose.yml https://raw.githubusercontent.com/TracecatHQ/tracecat/0.37.1/docker-compose.yml

# Run Tracecat
docker compose up -d

If you’ve deployed Tracecat into an external VM (e.g. AWS EC2, GCP Compute Engine, Azure VM), you’ll need to set PUBLIC_APP_URL and PUBLIC_API_URL in the .env file to the IP address or host you are accessing Tracecat from.

For example, if you are port forwarding Tracecat from http://localhost (port 80) inside AWS EC2 to http://localhost:8080 on your local machine, you must set PUBLIC_APP_URL to http://localhost:8080 and PUBLIC_API_URL to http://localhost:8080/api/.

Moreover, if you are using a Windows machine, make sure to set PUBLIC_APP_URL to 127.0.0.1 (not localhost).

You can set these options when running the env.sh configuration script.

Check out the generated .env file to better understand Tracecat’s configurations. You can also view the template .env.example file here.

AWS Fargate

For advanced users: deploy a production-ready Tracecat stack on AWS Fargate using Terraform. View step-by-step instructions here.

# Download Terraform files
git clone https://github.com/TracecatHQ/terraform-fargate

# Create and add encryption keys to AWS Secrets Manager
./scripts/create-aws-secrets.sh

# Run Terraform to deploy Tracecat
terraform init
terraform apply

Kubernetes

Coming soon.

Next steps

Learn how to log into Tracecat and create your first workflow.