Tracecage
Behavioral detonation, simplified.

Know what your dependencies
actually do at runtime

Your CI/CD scanner says the package is clean? Great — so did the scanner that was itself compromised last Tuesday. Static analysis reads code. Tracecage runs it, in a hardened sandbox with kernel-level telemetry, intercepting every file access, network connection and process execution. Because the only way to know what a dependency actually does is to let it try. Detonate before you deploy.

Quick start Explore features 
# Run Tracecage
docker run -d \
  --name tracecage \
  -p 3000:3000 \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v tracecage-data:/app/data \
  tracecage/tracecage:latest

# Submit an artifact via API
curl -X POST http://localhost:3000/api/v1/submit \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"artifactType":"npm","source":"suspicious-pkg@1.0.0"}'

# Check the verdict
curl http://localhost:3000/api/v1/verdict/1 \
  -H "Authorization: Bearer $TOKEN"

Full behavioral visibility

Every syscall, every connection, every file touch — captured and classified in real time. Nowhere to hide.

🔎

File access interception

Kernel-level telemetry captures every file read, write, search and directory traversal inside the sandbox.

  • eBPF probes scoped to container cgroup
  • fanotify/inotify file system watchers
  • Automatic flagging of SSH keys, credentials, cloud configs
  • Blocked access to sensitive paths via seccomp-BPF
🌐

Network interception

All outbound connections, DNS queries and HTTP requests are intercepted, logged and optionally blocked.

  • Custom DNS resolver for domain-level allow/block
  • iptables logging of every TCP/UDP connection
  • IP and CIDR-based whitelist rules
  • Isolated sandbox network — no internet by default

Process monitoring

Full process tree reconstruction with command-line arguments, exec paths, fork chains and exit codes.

  • Every execve, fork, clone and exit captured
  • Process tree visualization
  • Encoded command detection (base64, hex)
  • Shell spawning and lateral movement flagging
💥

Anti-evasion detection

Detect artifacts that try to fingerprint and evade the sandbox before showing their true behavior.

  • Long sleep detection (delayed payloads)
  • Environment fingerprinting (VM checks, CPU count probes)
  • Sandbox detection attempts (/proc inspection, timing attacks)
  • Delayed outbound callback monitoring
🧬

Deception honeypots

Plant fake credentials, SSH keys, API tokens and cloud configs inside each cage. Any access is an instant red flag.

  • 9 built-in deception packs (SSH, AWS, npm, PyPI, git, Docker, K8s, cloud, .env)
  • Fake metadata service responses
  • Custom deception pack creation
  • Credential-hunting behavior detection
📑

Policy-driven verdicts

Configure per-run whitelist policies for files, IPs, domains and ports. Three verdict levels: benign, suspicious, policy-violating.

  • Reusable policy profiles per ecosystem
  • Ecosystem baseline profiles (expected vs anomalous)
  • Configurable quarantine from 10 minutes to 7 days
  • Extend running quarantines on the fly
🛠

CI/CD integration

REST API with UI-managed tokens. Submit artifacts, poll status and gate deployments on verdicts.

  • Token-authenticated API (submit, status, verdict, report)
  • JSON, CSV and text report downloads
  • Pass/fail verdict for pipeline gates
  • Scheduled re-analysis for production dependencies
🛡

Hardened sandboxing

Not just Docker — layered isolation with gVisor, seccomp-BPF and optional microVM support via Firecracker.

  • gVisor (runsc) userspace kernel for syscall interposition
  • seccomp-BPF profiles blocking dangerous syscalls
  • Read-only rootfs with tmpfs overlays
  • Resource limits: memory, CPU, PID caps
📊

Provenance and reputation

Combine behavioral analysis with artifact signatures, SBOMs, CVE scan results and ecosystem reputation scores.

  • Signature validation for published packages
  • SBOM extraction and storage
  • CVE cross-referencing with OSV/NVD feeds
  • Package reputation scoring from multiple sources
Enterprise

Managed cloud workers

Don't want to detonate suspicious packages on your own infrastructure? We'll do it on someone else's. Fully isolated cloud workers with the same telemetry, none of the risk.

Detonate someone else's malware on someone else's infrastructure.

  • Dedicated isolation per customer
  • Same eBPF/gVisor telemetry stack
  • No Docker socket exposure on your hosts
  • Auto-scaling worker pool
Enterprise
🛠

Threat intel pack

Curated detection rules, domain reputation enrichment, MITRE ATT&CK mapping, fake credential bait tuned to current campaigns, and richer verdict explanations your compliance team will actually read.

  • Curated detections updated with emerging threats
  • MITRE ATT&CK technique mapping on every verdict
  • Domain and IP reputation enrichment
  • Campaign-aware deception bait
  • Compliance-ready verdict narratives

Layered sandbox architecture

Defense in depth — every layer adds visibility without trusting the layer below it. Trust issues? We prefer "security-conscious."

Tracecage controller (SvelteKit + Node.js)
    │
    ├── Docker API → create/start/stop containers
    │     │
    │     └── Sandbox container (gVisor/runsc or runc)
    │           │
    │           ├── Artifact under test (npm/pypi/maven/binary)
    │           ├── Deception honeypots (fake creds, SSH keys)
    │           ├── Seccomp-BPF profile (block ptrace/mount/reboot)
    │           ├── Read-only rootfs + tmpfs overlay
    │           └── Isolated network (no egress by default)
    │
    ├── eBPF probes → scoped to container cgroup
    │     ├── File access tracing (openat, read, stat, getdents)
    │     ├── Process exec tracing (execve, clone, exit)
    │     └── Network connect tracing (connect, sendto)
    │
    ├── DNS interceptor (sidecar container)
    │     ├── Log all queries
    │     ├── Apply domain whitelist
    │     └── Respond or NXDOMAIN
    │
    ├── iptables logger → LOG + DROP/ACCEPT per whitelist
    │
    └── Event collector → JSONL → database → SSE to UI

For Docker image artifacts:
    DinD (Docker-in-Docker) inside sandbox container
    └── Inner daemon fully isolated in sandbox network

Optional microVM isolation:
    Firecracker via /dev/kvm passthrough
    └── Each cage runs in its own microVM (strongest isolation)

Every ecosystem, one platform

Purpose-built detonation scripts for each package ecosystem

📦

npm

Install scripts, require hooks, postinstall payloads

🐍

PyPI

setup.py hooks, import side effects, entry points

Maven / Java

JAR execution, plugin hooks, class loading behavior

💻

Binary

ELF/Mach-O executables with full strace wrapping

🐳

Docker

Docker-in-Docker with inner daemon fully sandboxed

Deception packs

Plant convincing honeypots inside every cage — if the artifact goes looking for your SSH keys, it'll find ours instead

SSH keys & config

Fake RSA/Ed25519 private keys, known_hosts with production hostnames, SSH config with interesting targets. Detects credential theft and lateral movement preparation.

AWS / GCP / Azure credentials

Fake cloud provider credentials, config files and service account keys. Catches cloud-focused supply chain attacks.

npm, PyPI & git tokens

Planted .npmrc, .pypirc, .git-credentials and .yarnrc with realistic auth tokens. Detects registry credential exfiltration.

Docker & Kubernetes configs

Fake Docker registry credentials, kubeconfig with cluster endpoints and service account tokens.

Environment files

Fake .env and .env.production files with database URLs, API secrets, Stripe keys and JWT secrets.

Custom packs

Create your own deception packs with files tailored to your infrastructure. Plant anything — if the artifact touches it, it's flagged.

Built for CI/CD pipelines

Gate your deployments on behavioral verdicts with a simple REST API. If it fails, blame the package, not the pipeline.

# GitHub Actions example
- name: Submit to Tracecage
  run: |
    CAGE_ID=$(curl -s -X POST \
      $TRACECAGE_URL/api/v1/submit \
      -H "Authorization: Bearer $TC_TOKEN" \
      -H "Content-Type: application/json" \
      -d '{"artifactType":"npm",
           "source":"$PACKAGE_NAME",
           "quarantineDuration":600}' \
      | jq -r '.id')

    # Poll for verdict
    while true; do
      RESULT=$(curl -s \
        $TRACECAGE_URL/api/v1/verdict/$CAGE_ID \
        -H "Authorization: Bearer $TC_TOKEN")
      COMPLETED=$(echo $RESULT | jq -r '.completed')
      if [ "$COMPLETED" = "true" ]; then
        PASS=$(echo $RESULT | jq -r '.pass')
        if [ "$PASS" != "true" ]; then
          echo "Tracecage verdict: FAIL"
          exit 1
        fi
        break
      fi
      sleep 30
    done

REST API endpoints

  • POST /api/v1/submit — submit artifact
  • GET /api/v1/status/:id — poll status
  • GET /api/v1/verdict/:id — get pass/fail verdict
  • GET /api/v1/report/:id — full report (JSON/CSV)

Report downloads

Download full detonation reports in JSON, CSV or text format from the UI or API. Every event, every verdict reason, every deception hit.

UI-managed tokens

Create and revoke API tokens from the web UI with granular permissions: submit, read, admin. Tokens are shown once at creation — never stored in plaintext.

Simple, honest pricing

Full detection quality on every tier. No crippled free version. We're not that kind of company.

Community
Free
forever, self-hosted

For solo developers, OSS maintainers and the gloriously paranoid. Full engine, no compromises, no "upgrade to see results" nonsense.

  • Same detection engine as paid tiers
  • All artifact types (npm, PyPI, Maven, binary, Docker)
  • All 9 deception packs
  • Anti-evasion detection
  • 2 concurrent sandboxes
  • 200 API runs/month, unlimited manual UI
  • 7-day event retention
  • 1 admin user, local auth
  • API tokens for basic CI
  • Basic whitelist rules & policies
  • gVisor & runc runtime support
  • Report downloads (JSON, CSV, text)
  • Community support (GitHub)
Get started
Most popular
SMB
$4,990/yr
billed annually

For teams that wire Tracecage into CI and want to sleep at night. Cheap enough to expense without procurement.

  • Everything in Community, plus:
  • 10 users
  • 10 concurrent sandboxes
  • 5,000 runs/month
  • 30-day event retention
  • Unlimited API tokens
  • Ecosystem baseline profiles (npm, PyPI, Maven, Docker)
  • Reusable policy packs across projects
  • Scheduled re-analysis (cron-based)
  • Artifact provenance (signatures, SBOM, CVE)
  • Slack, webhook & email notifications
  • Signed PDF reports
  • Priority detonation queue
  • Email support
Start 14-day trial
Enterprise
$14,990/yr
starting, custom pricing available

For companies that can't afford to run unvetted code in their infrastructure. SSO, audit trails and air-gapped deployment.

  • Everything in SMB, plus:
  • Unlimited users & sandboxes
  • Unlimited runs
  • 1-year event retention (configurable)
  • SSO / SAML / OIDC authentication
  • LDAP / Active Directory
  • Full RBAC with fine-grained permissions
  • Full audit logging with export
  • Approval workflows (sign-off before deploy)
  • MITRE ATT&CK mapping on verdicts
  • Custom deception packs & detection rules
  • Air-gapped / offline deployment
  • High availability (multi-node)
  • Premium support SLA (24h response)
  • Custom onboarding
Contact sales

Stop trusting. Start detonating.

Know exactly what your dependencies do before they run in production. Or keep trusting npm install. Your call.

Get started View on GitHub Coming soon