Docs
Start here.
TRA-CE has three moving parts: the collector (a Docker container that lives in your network and pulls events from your SIEM/EDR/identity provider), the causal engine (the service that turns event streams into directed evidence graphs), and the investigation agents (the AI pipeline that runs against the graph to produce the WHY stack). This documentation covers all three. Read in order if you are new; jump to the section that matches your problem if you are not.
Concepts.
The causal chain
A directed acyclic graph where nodes are events and edges are causal relationships. Each edge carries one of four heuristic types (explicit system evidence, artifact correlation, MITRE technique progression, temporal proximity) and a confidence grade.
Evidence grades
PROVABLE. The edge is supported by deterministic system evidence — explicit log entries, kernel events, transaction IDs. The relationship is not in question.
MIXED. The edge is supported by some deterministic evidence and some inference. Plausible but not airtight.
INFERRED. The edge is supported by inference only — temporal patterns, behavioral correlation, MITRE technique sequencing. Use as a lead, not as a conclusion.
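To make the causal chain and the evidence grades above concrete, here is an added example (not TRA-CE's own code): a small evidence graph that enforces the DAG property, tags each edge with one of the four heuristic types, and reports the weakest grade along a chain. The short heuristic names, event names and grade ordering are assumptions for the example.

```python
# Added example, not TRA-CE's own code: a tiny evidence graph using the page's
# four edge heuristics and three grades. Heuristic short names, grade ordering
# and event names below are constructed for illustration.
from collections import defaultdict
from enum import IntEnum

class Grade(IntEnum):
    """Ordered so that min() over a chain yields its weakest link."""
    INFERRED = 1
    MIXED = 2
    PROVABLE = 3

# explicit system evidence, artifact correlation, MITRE technique progression, temporal proximity
HEURISTICS = {"explicit", "artifact", "technique", "temporal"}

class EvidenceGraph:
    def __init__(self):
        self.edges = defaultdict(dict)  # src event -> {dst event: (heuristic, grade)}

    def add_edge(self, src, dst, heuristic, grade):
        if heuristic not in HEURISTICS:
            raise ValueError(f"unknown heuristic {heuristic!r}")
        self.edges[src][dst] = (heuristic, grade)
        if self._has_cycle():  # the causal chain must stay a DAG
            del self.edges[src][dst]
            raise ValueError(f"{src} -> {dst} would create a cycle")

    def _has_cycle(self):
        # Depth-first search; reaching a node still on the stack (GREY) is a back edge.
        WHITE, GREY, BLACK = 0, 1, 2
        colour = defaultdict(int)
        def visit(node):
            colour[node] = GREY
            for nxt in self.edges.get(node, {}):
                if colour[nxt] == GREY or (colour[nxt] == WHITE and visit(nxt)):
                    return True
            colour[node] = BLACK
            return False
        return any(colour[n] == WHITE and visit(n) for n in list(self.edges))

    def chain_grade(self, path):
        """Weakest grade along a path; one INFERRED edge makes the chain a lead, not a conclusion."""
        return min(self.edges[a][b][1] for a, b in zip(path, path[1:]))

def sample_chain():
    """Constructed sample chain: suspicious login -> token issued -> bulk read -> transfer."""
    g = EvidenceGraph()
    g.add_edge("okta_login_new_geo", "refresh_token_issued", "explicit", Grade.PROVABLE)
    g.add_edge("refresh_token_issued", "s3_bulk_read", "artifact", Grade.MIXED)
    g.add_edge("s3_bulk_read", "outbound_transfer", "temporal", Grade.INFERRED)
    return g
```

Grading a chain by its weakest edge is the practical reading of the three grades: an analyst can treat the first two hops of the sample as MIXED evidence, but the full chain to the transfer is only a lead.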
The WHY stack
What the investigation agents produce: a four-part structured argument — what failed, what should have caught it, what to fix, who owns it. The stack is human-readable and traceable to source events.
Integrations.
The collector ships with first-party adapters for Splunk, Datadog, AWS CloudTrail, Azure Activity Log, GCP Cloud Audit Logs, Okta, Active Directory, and Microsoft Defender. Anything else with a queryable event API can be adapted; contact us for the integration brief.
See API Reference for adapter configuration and event schema.