Documentation
Architecture, deployment, integration, and API reference for TRA-CE.ai.
How TRA-CE builds causal proof
Four inference heuristics. Every link graded independently. Every conclusion traceable to source events.
TRA-CE is a causal intelligence platform for security operations. It ingests normalized security events, constructs directed causal graphs, and outputs evidence-graded findings mapped to MITRE ATT&CK.
It sits beside your SIEM. It does not replace Splunk, Sentinel, CrowdStrike, or any existing tool. It takes their output and answers the question they cannot: why did this happen, and can you prove it?
Explicit Evidence
Direct system artifacts linking parent to child — PID chains, file handles, network sockets.
Artifact Correlation
Shared indicators across events from different sources — hashes, IPs, domains, user accounts.
MITRE Progression
Attack stages that logically follow one another — initial access, execution, persistence, lateral movement.
Temporal Proximity
Events within a configurable time window on the same entity. Used only when other heuristics are unavailable.
How TRA-CE compares to what you already run
TRA-CE is not a replacement. It is the causal layer that sits on top of your existing stack and answers the question none of them can: why.
| Capability | Splunk Enterprise Security | Microsoft Sentinel | CrowdStrike Falcon | Palo Alto Cortex XSIAM | Google Chronicle | TRA-CE |
|---|---|---|---|---|---|---|
| Detection & Correlation | ||||||
| Log ingestion & search | ✓ | ✓ | — | ✓ | ✓ | — |
| Rule-based alerting | ✓ | ✓ | ✓ | ✓ | ✓ | — |
| Alert correlation (time-based) | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Behavioral / ML anomaly detection | Add-on | Limited | ✓ | ✓ | Limited | — |
| Endpoint telemetry (EDR) | — | Via MDE | ✓ | ✓ | — | — |
| Causal Analysis | ||||||
| Causal chain construction | — | — | — | — | — | ✓ |
| Per-link evidence grading | — | — | — | — | — | ✓ |
| Cross-source event lineage | — | — | — | Partial | — | ✓ |
| Directed acyclic graph (DAG) output | — | — | — | — | — | ✓ |
| Confidence grade propagation | — | — | — | — | — | ✓ |
| Investigation & Response | ||||||
| Incident timeline view | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| AI-assisted investigation | Splunk AI | Copilot | Charlotte | XSIAM AI | Gemini | ✓ |
| Autonomous root-cause analysis | — | — | — | — | — | ✓ |
| SOAR / automated playbooks | ✓ | ✓ | ✓ | ✓ | ✓ | — |
| Campaign / multi-stage detection | Rules only | Fusion | Overwatch | Rules only | Rules only | Automatic |
| Compliance & Output | ||||||
| MITRE ATT&CK mapping | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Structured evidence export (audit-ready) | — | — | — | — | — | ✓ |
| Court-ready chain-of-custody output | — | — | — | — | — | ✓ |
| Transport & Security | ||||||
| Post-quantum encryption (FIPS 203/204) | — | — | — | — | — | ✓ |
| 30-second session key rotation | — | — | — | — | — | ✓ |
| Air-gapped / on-prem deployment | ✓ | — | GovCloud | Limited | — | ✓ |
TRA-CE does not replace your SIEM or EDR. It does not ingest raw logs, run endpoint agents, or execute playbooks. It takes the output your existing tools already produce and builds the causal evidence layer they cannot.
How TRA-CE makes your existing tools better
Your SIEM detects. Your EDR responds. TRA-CE proves why it happened and whether the response was justified.
Splunk & Elastic
Your SIEM fires 11,000 alerts a day. TRA-CE takes those alerts and builds directed causal chains between them. Instead of a flat list of detections, your analysts get a graph showing which alerts are causally related — and which are noise. The alert that matters is the one with a provable chain behind it.
CrowdStrike & SentinelOne
Your EDR sees process trees on individual endpoints. TRA-CE connects those process trees across hosts, across identity providers, across cloud platforms. Lateral movement is not visible from a single endpoint. TRA-CE builds the cross-source lineage your EDR cannot.
Sentinel & Chronicle
Your cloud SIEM correlates by time window and shared IOCs. TRA-CE applies four inference heuristics to determine whether that correlation is provable, mixed, or merely inferred. You stop reporting correlations as conclusions. You start reporting evidence.
- Alerts
- Detections
- Telemetry
- Chain construction
- Evidence grading
- Root-cause analysis
- Audit-ready chains
- MITRE ATT&CK mapping
- Court-ready export
What you cannot get without TRA-CE
These capabilities do not exist in any SIEM, XDR, or SOAR platform. They require a causal engine.
Per-link evidence grading
Every edge in a causal chain is independently graded as PROVABLE, MIXED, or INFERRED. No other platform grades individual links. They grade the alert — not the evidence behind it.
Cross-source causal lineage
Your EDR sees one host. Your SIEM sees logs. Your IdP sees auth events. Nobody connects them into a single directed graph with source attribution on every node. TRA-CE does.
Confidence propagation
If one link in a chain is INFERRED, every downstream conclusion inherits that uncertainty. No platform propagates confidence through a graph. They report high/medium/low on the alert, not on the evidence path.
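The four inference heuristics described at the top of this page and the per-link grading and confidence propagation described here, worked through as an added example (illustrative code, not TRA-CE's own engine or API): each edge takes the grade of the strongest heuristic that links it, and a node's confidence is the weakest grade anywhere on its path back to the root event. The mapping of heuristics to PROVABLE/MIXED/INFERRED, the 300-second temporal window and the tactic ordering are assumptions made for this example, and the sample events are constructed.

```python
from dataclasses import dataclass

PROVABLE, MIXED, INFERRED = "PROVABLE", "MIXED", "INFERRED"
RANK = {PROVABLE: 2, MIXED: 1, INFERRED: 0}       # strongest grade first
TACTICS = ["initial-access", "execution", "persistence", "lateral-movement"]

@dataclass
class Event:
    id: str
    ts: int                                       # epoch seconds
    host: str
    pid: int = 0
    ppid: int = 0
    indicators: frozenset = frozenset()           # hashes, IPs, domains, accounts
    tactic: str = ""                              # MITRE ATT&CK tactic, if known

def grade_link(parent, child):
    # Grade one edge parent -> child (parent is the earlier event); None when no
    # heuristic links them. The heuristic-to-grade mapping is this example's assumption.
    if parent.host == child.host and parent.pid and child.ppid == parent.pid:
        return PROVABLE                           # explicit evidence: PID chain
    if parent.indicators & child.indicators:
        return MIXED                              # artifact correlation
    if parent.tactic in TACTICS and child.tactic in TACTICS \
            and TACTICS.index(child.tactic) > TACTICS.index(parent.tactic):
        return MIXED                              # MITRE progression
    if parent.host == child.host and child.ts - parent.ts <= 300:   # assumed window
        return INFERRED                           # temporal proximity, last resort

def build_chain(events):
    # Link each event to its best-graded earlier event (most recent on ties), then
    # propagate confidence: a node carries the weakest grade on its path from the root.
    events = sorted(events, key=lambda e: e.ts)
    chain = {}                                    # id -> (parent_id, link_grade, confidence)
    for i, child in enumerate(events):
        best = (None, None)                       # (parent_id, link_grade)
        for parent in reversed(events[:i]):
            g = grade_link(parent, child)
            if g and RANK[g] > RANK.get(best[1], -1):
                best = (parent.id, g)
        inherited = chain[best[0]][2] if best[0] else PROVABLE    # root: nothing to weaken
        chain[child.id] = best + (min(best[1] or PROVABLE, inherited, key=RANK.get),)
    return chain

# Constructed sample (not real telemetry): e3 has no known parent PID, e4 shares only an account.
SAMPLE = [Event("e1", 0, "hostA", pid=100, tactic="initial-access"),
          Event("e2", 10, "hostA", pid=200, ppid=100, tactic="execution"),
          Event("e3", 100, "hostA", pid=300, indicators=frozenset({"account:alice"})),
          Event("e4", 150, "hostB", pid=50, indicators=frozenset({"account:alice"}),
                tactic="lateral-movement")]
```

Running `build_chain(SAMPLE)` shows the propagation point: e4's own link to e3 is MIXED (shared account), but because e3 is attached only by temporal proximity, e4 reports INFERRED.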
Autonomous root-cause analysis
AI copilots in existing tools assist with queries and summaries. TRA-CE autonomously traces causal chains backward to identify the root event — the actual first cause — without human prompting.
Court-ready chain of custody
Compliance teams need structured evidence that holds up under legal scrutiny. A SIEM dashboard is not evidence. A graded causal chain with full source attribution and temporal metadata is.
Post-quantum transport
No SIEM or EDR vendor ships ML-KEM-768 + X25519 hybrid key exchange with 30-second rotation. Harvest-now-decrypt-later attacks target security telemetry. TRA-CE encrypts it with FIPS 203/204 compliant post-quantum cryptography.
How TRA-CE fits your stack
No endpoint agents. One Docker collector. All data encrypted via Avon post-quantum transport.
Your SIEM / EDR / IdP
Events pulled from existing data sources via Docker collector.
Avon PQ-Encrypted
ML-KEM-768 + X25519 hybrid key exchange. 30-second session rotation.
Causal Intelligence
Causal graph construction, AI investigation, evidence-graded output.
ML-KEM-768 + X25519
Hybrid post-quantum key encapsulation. FIPS 203 compliant.
ML-DSA-65
Post-quantum digital signatures. FIPS 204 compliant.
AES-256-GCM
Every payload encrypted. Session keys rotate every 30 seconds.
Deploy in minutes, not weeks
Cloud or on-premises. No infrastructure changes required.
```shell
docker pull trace/collector:latest
docker run -d --name trace-collector \
  -e TRACE_EXCHANGE_CODE=your-code \
  trace/collector:latest
```
Outbound only — no inbound ports required. Configuration is handled through a guided setup wizard.
Full REST API
All platform capabilities available via authenticated endpoints. API keys scoped per organization.
List causal chains with filtering and pagination.
Chain detail with full evidence graph.
Export structured evidence for audit.
Ingest security events into the platform.
AI investigation results and WHY stacks.
Detection alerts with confidence scores.