
Integrations made easier with Meshroom
April 14, 2025
CACAO Roaster – GitHub: https://github.com/opencybersecurityalliance/cacao-roaster
CACAO Roaster – Live Instance: https://opencybersecurityalliance.github.io/cacao-roaster/
CACAO Roaster v1.3.0
The Open Cybersecurity Alliance (OCA) is pleased to announce the release of CACAO Roaster v1.3.0.
The OCA Sub-Project, CACAO Roaster, is a web application for generating, parsing, validating, manipulating, visualizing, and now executing CACAO playbooks. It is fully compliant with version 2 of the OASIS CACAO Specification.
CACAO Roaster v1.3.0 brings many improvements, bug fixes, and new features. This release is a substantial update focused on playbook execution, execution tracking, performance improvements, and expanded interoperability through seamless integration with SOARCA, a CACAO playbook execution engine developed by TNO and open-sourced through the COSSAS project.
Statements of Use
Luca Morgese Zangrandi, TNO: With this new release, the CACAO Roaster keeps proving itself as a fantastic open-source platform to work with CACAO playbooks – and execute them! We are thrilled to see that our open-source SOARCA, a CACAO playbook execution engine, is ever more smoothly integrated with the Roaster, allowing an increasingly seamless SOAR experience. We look forward to continuing to build together powerful and open access cybersecurity automation!
Charles Frick, Johns Hopkins University Applied Physics Laboratory (JHU APL): We use CACAO Roaster in our research to design, execute, and evolve standards-based playbooks for automated correlation of cyber threat alerts and for cyber response. Version 1.3.0 streamlines how we read, create, and modify CACAO playbooks, making it easier to integrate behavior-based intelligence like Indicators of Behavior (IOB) into repeatable workflows. It’s a critical enabler for operationalizing structured response at scale.
Vaughan Shanks, Cydarm and OCA PGB co-chair: The new CACAO Roaster release marks important progress for the Open Cybersecurity Alliance community. With enhanced digital signing, improved execution tracking, and faster performance, version 1.3.0 makes sharing security tradecraft between organizations more secure and efficient. The standardized data marking improvements and STIX 2.1 export capabilities allow Cydarm and other OCA members to exchange response playbooks seamlessly, strengthening the collaborative security ecosystem.
Integration with SOARCA – CACAO Execution Engine
SOARCA is an open-source CACAO playbook execution engine that complies with the CACAO v2.0 specification and orchestrates various security systems and actuators. It provides a limited set of CACAO v2.0 functionalities, as it is still under development (currently in v1.0.0). CACAO Roaster v1.3.0 integrates seamlessly with SOARCA’s HTTP(s) and SSH agents/capabilities.
Executing CACAO Playbooks Through CACAO Roaster
The process is straightforward. Use CACAO Roaster to design your playbooks and add infrastructure details (agents and targets). Playbooks are verified and validated against the official CACAO JSON Schemas, and a valid playbook is indicated by a green label at the bottom left corner (see Fig. 1). Under the integrations dropdown, click the SOARCA icon to open the configuration window and provide the URL of your running SOARCA instance. Then simply trigger the playbook, that is, send it to SOARCA for execution.
Figure 1: A valid playbook ready to be sent for execution.
After a playbook is triggered, CACAO Roaster requests a status update every few seconds so that you can track its execution status in near real-time. Each workflow step on the canvas has a small dot in the upper corner (see Fig. 2). Its color shows the step's state: blue indicates that an action step is currently in progress, green indicates a completed and successful execution, and red indicates errors during execution.
Figure 2: A successfully executed playbook with execution status and logs.
Figure 3: Detailed view of the execution status on the selected workflow step.
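Schema validation confirms a playbook's shape, but not that the step, agent and target identifiers it references are actually defined, which an execution engine depends on. The pre-flight check below is an added example, not CACAO Roaster or SOARCA code; it covers only start, action and end steps, and the sample playbook, its shortened identifiers and the address are constructed.

```python
import copy

NEXT_KEYS = ("on_completion", "on_success", "on_failure")

def preflight(pb):
    """Return reference problems in a CACAO v2.0 playbook dict."""
    wf = pb.get("workflow", {})
    agents = pb.get("agent_definitions", {})
    targets = pb.get("target_definitions", {})
    start, problems = pb.get("workflow_start"), []
    if wf.get(start, {}).get("type") != "start":
        problems.append(f"workflow_start {start!r} is not a start step")
    for sid, step in wf.items():
        for key in NEXT_KEYS:
            if key in step and step[key] not in wf:
                problems.append(f"{sid}: {key} -> unknown step {step[key]!r}")
        if step.get("type") == "action":
            if step.get("agent") not in agents:
                problems.append(f"{sid}: agent {step.get('agent')!r} not defined")
            for t in step.get("targets", []):
                if t not in targets:
                    problems.append(f"{sid}: target {t!r} not defined")
    # Walk the workflow from the start step; an end step must be reachable.
    seen, todo = set(), [start]
    while todo:
        sid = todo.pop()
        if sid in seen or sid not in wf:
            continue
        seen.add(sid)
        todo += [wf[sid][k] for k in NEXT_KEYS if k in wf[sid]]
    if not any(wf[s].get("type") == "end" for s in seen):
        problems.append("no end step reachable from workflow_start")
    return problems

# Constructed sample; real CACAO identifiers have the form <type>--<UUID>.
S, A, E = "start--0001", "action--0002", "end--0003"
SAMPLE = {
    "type": "playbook", "spec_version": "cacao-2.0", "workflow_start": S,
    "workflow": {
        S: {"type": "start", "on_completion": A},
        A: {"type": "action", "on_completion": E, "agent": "organization--0004",
            "targets": ["ssh--0005"],
            "commands": [{"type": "ssh", "command": "uptime"}]},
        E: {"type": "end"},
    },
    "agent_definitions": {"organization--0004": {"type": "organization", "name": "Example SOC"}},
    "target_definitions": {"ssh--0005": {"type": "ssh", "address": {"ipv4": ["192.0.2.10"]}}},
}
BROKEN = copy.deepcopy(SAMPLE)
BROKEN["workflow"][A]["targets"] = ["ssh--9999"]        # target never defined
BROKEN["workflow"][A]["on_completion"] = "end--9999"    # dangling next step
```

`preflight(SAMPLE)` returns an empty list, while `preflight(BROKEN)` reports the dangling step, the undefined target and the unreachable end step.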
Other Improvements in Roaster v1.3.0 Release
- Improved playbook loading performance.
- Dockerfile has been optimized for a smaller, more secure image.
- Various UI enhancements and multiple bug fixes.
- Support for a .env file with:
  - A demo key pair for signing and verifying playbooks.
  - The URL for the SOARCA endpoint.
- The User Settings panel now features two new buttons for managing signing keys from the env file.
- Enhanced handling of data markings (IEP, TLP, and Statement).
Check out the full changelog for the v1.3.0 release: https://github.com/opencybersecurityalliance/cacao-roaster/blob/main/CHANGELOG.md
How to get involved
Join our mailing list (send an empty email to subscribe): oca-cacao-roaster+subscribe@lists.oasis-open-projects.org
Join our Slack – OCA (#cacao-roaster channel): https://join.slack.com/t/open-cybersecurity/shared_invite/zt-1jsgt1053-oYsfBPXXChhbRO4JO5Xo1A
Check out Roaster’s code – GitHub repository: https://github.com/opencybersecurityalliance/cacao-roaster
- Contribute with a Pull Request
- Issue tracker (report bug/new features/improvements): https://github.com/opencybersecurityalliance/cacao-roaster/issues