Hacker News new | ask | show | jobs
by toomuchtodo 812 days ago
Staying within the tool to manage cases is good vs shelling out to Jira or another ticketing tool. Folks with purchasing authority typically want their analysts in the tool as much as possible (in my experience; you may find customers who want to open incidents elsewhere so keep that interface in mind).

Also a good choice in storing logs. Make a margin but don't be greedy, otherwise you turn into Splunk, where folks don't want to use the product effectively because they can't afford to. Make it easy to route logs to S3 cold storage or other "reliable enough" object storage systems based on criteria, but retaining the capability to retrieve them if needed for forensics or compliance/audit sampling. Log storage intervals are traditionally some variation of 30, 60, 90 days, a year, seven years, etc. Architect accordingly based on your customers' record retention schedule(s), control/compliance requirements, etc.
2 comments
kjs3 812 days ago
you may find customers who want to open incidents elsewhere so keep that interface in mind

My large financial (and many in our peer group that I've talked to) see "open incidents elsewhere" (WorkDay in our case) as minimum table stakes. YMMV.

link
toomuchtodo 812 days ago
This is helpful ground truth, thanks for sharing. I only see what I see, but asking everyone else what they see is free(ish).
link
kjs3 810 days ago
I only see what I see

Well...that's a problem you need to think about. If all you see is how startups or SMB do this (or what people tell you on HN), you're going to be massively missing the mark when you talk to more large/enterprise customers. Things like "well of course Discord" will be met with "we use Teams", or even worse "yeah...we're still on Notes". I had one vendor recently who said "why would we ever need to integrate with Archer?"...well, we have a GRC requirement to attest to certain actions your tool is supporting, and our auditors look at Archer as a source-of-truth, and noone wants to manually update Archer with the output of your tool. Lightbulb moment.

Tl;dr - make integrations drop dead easy, because you never know what baroque workflow you're going to need to dovetail with the make the sale.

link
neochris 812 days ago
Glad to hear we are on the right track.

Tracecat is still in alpha, but would be great to have your thoughts / opinions / feedback in our Discord community. We are anon-friendly. There's still a lot more we can innovation on.

link