Deployment Topologies
AuroraSOC is designed to fit an organization's existing infrastructure rather than replace it. This page describes the most common deployment patterns, the integration points each one relies on, and how to choose between them.
Topology 1: Standalone SOC (Single-Site, All-in-One)
Best for: Small businesses, branch offices, startups (≤100 endpoints, ≤2,000 EPS)
Everything runs on a single server. No external dependencies.
Deployment commands:

```sh
just stack-up-min   # infrastructure only
just stack-up       # full stack with agents (auto-detects GPU)
```
Topology 2: Enterprise SOC with Existing SIEM
Best for: Mid-size enterprises that already have Splunk/Elastic/QRadar and want AI-powered triage
Key integration points:
| Existing System | Integration Method | AuroraSOC Component |
|---|---|---|
| Splunk | HEC webhook → Vector HTTP receiver | vector:8687 |
| Elastic | Logstash output → syslog | vector:1514 |
| QRadar | Log source → syslog forwarding | vector:1514 |
| CrowdStrike | Falcon API polling | Cloud ingest worker |
| Microsoft Defender | MS Graph API | Cloud ingest worker |
| Active Directory | OIDC/SAML SSO | /api/v1/auth/oidc/login |
| Jira | Bidirectional webhook | /api/v1/integrations/jira/webhook |
Topology 3: Multi-Site with Federation
Best for: Large enterprises, MSSPs with multiple offices/data centers
Federation features:
- Critical alerts propagate across sites automatically
- Each site operates independently during network partitions
- Federated case search across all sites from HQ console
- Per-site LLM backend (GPU at HQ, CPU at branch, cloud at remote)
Topology 4: Air-Gapped / Classified Environment
Best for: Government, military, critical infrastructure with no internet connectivity
Air-gap specifics:
- All inference local via Ollama (no cloud LLM calls)
- Threat intel updates via signed offline bundles (tools/scripts/airgap/generate-bundles.sh)
- Sigma rules and YARA signatures updated via USB transfer
- Model fine-tuning done offline, bundled for deployment
- Cosign signature verification on all imported bundles
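The import side of the offline-bundle flow, as an added example that is not AuroraSOC code: the page names the generator script and the Cosign check but does not document the bundle format, so the layout assumed here (a tar.gz holding MANIFEST.json with a SHA-256 per file plus the listed files, and a detached signature made offline with `cosign sign-blob --key`) is an assumption. The signature check invokes the real `cosign verify-blob` CLI and fails closed when cosign, the offline public key or the signature is absent; extraction refuses absolute or traversing members; the per-file hashes are only checked after that, and nothing reaches the destination unless every step passes.

```python
"""Gate an offline bundle before import: cosign signature, safe extraction, manifest hashes.

Added example, not AuroraSOC code. Assumed layout (not from the page): a tar.gz holding
MANIFEST.json ({"files": {"<relative path>": "<sha256 hex>", ...}}) plus the listed files,
and a detached signature <bundle>.sig produced offline with `cosign sign-blob --key`.
"""
import hashlib
import json
import shutil
import subprocess
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_cosign_blob(bundle: Path, sig: Path, pubkey: Path) -> bool:
    """Real cosign CLI call; fails closed if cosign, the key or the signature is missing."""
    cmd = ["cosign", "verify-blob", "--key", str(pubkey), "--signature", str(sig), str(bundle)]
    try:
        return subprocess.run(cmd, capture_output=True, text=True).returncode == 0
    except OSError:  # cosign not on PATH in this environment: treat as unverified
        return False


def safe_extract(bundle: Path, dest: Path) -> None:
    """Refuse absolute, traversing or non-regular members before extracting anything."""
    with tarfile.open(bundle, "r:gz") as tf:
        for m in tf.getmembers():
            parts = Path(m.name).parts
            if m.name.startswith("/") or ".." in parts or not (m.isfile() or m.isdir()):
                raise ValueError(f"refusing tar member: {m.name}")
        tf.extractall(dest)


def verify_manifest(extracted: Path) -> list:
    """Return problems (empty list = clean): wrong hash, missing file, or file not in manifest."""
    listed = json.loads((extracted / "MANIFEST.json").read_text())["files"]
    problems = []
    for rel, want in listed.items():
        p = extracted / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != want:
            problems.append(f"hash mismatch: {rel}")
    on_disk = {p.relative_to(extracted).as_posix() for p in extracted.rglob("*") if p.is_file()}
    for extra in sorted(on_disk - set(listed) - {"MANIFEST.json"}):
        problems.append(f"unlisted file: {extra}")
    return problems


def import_bundle(bundle: Path, sig: Path, pubkey: Path, dest: Path) -> list:
    """Signature first, then content checks; nothing is copied into dest unless all pass."""
    if not verify_cosign_blob(bundle, sig, pubkey):
        return ["cosign signature verification failed"]
    with tempfile.TemporaryDirectory() as tmp:
        safe_extract(bundle, Path(tmp))
        problems = verify_manifest(Path(tmp))
        if problems:
            return problems
        shutil.copytree(tmp, dest, dirs_exist_ok=True)
    return []


def build_bundle(files: dict, out: Path) -> Path:
    """Constructed sample bundle (a stand-in for the real generator script): files + MANIFEST.json."""
    work = out.with_suffix(".work")
    manifest = {"files": {}}
    for rel, data in files.items():
        p = work / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        manifest["files"][rel] = hashlib.sha256(data).hexdigest()
    (work / "MANIFEST.json").write_text(json.dumps(manifest, indent=2))
    with tarfile.open(out, "w:gz") as tf:
        for p in sorted(q for q in work.rglob("*") if q.is_file()):
            tf.add(p, arcname=p.relative_to(work).as_posix())
    shutil.rmtree(work)
    return out


def demo() -> dict:
    """A clean bundle passes the hash check; a tampered, padded one fails; unsigned never imports."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        bundle = build_bundle({"sigma/susp_svc.yml": b"title: Suspicious service\n",
                               "yara/loader.yar": b"rule loader { condition: true }\n"},
                              tmp / "intel.tar.gz")
        ext = tmp / "ext"
        safe_extract(bundle, ext)
        clean = verify_manifest(ext)
        (ext / "sigma" / "susp_svc.yml").write_bytes(b"title: Tampered\n")            # modified file
        (ext / "yara" / "dropped.yar").write_bytes(b"rule d { condition: true }\n")   # padded file
        tampered = verify_manifest(ext)
        unsigned = import_bundle(bundle, tmp / "missing.sig", tmp / "missing.pub", tmp / "dest")
        return {"clean": clean, "tampered": tampered, "unsigned": unsigned}


if __name__ == "__main__":
    print(demo())
```

The order matters: the signature is checked over the archive bytes before anything is unpacked, so a tampered archive never gets to exercise the tar extractor, and the manifest check catches the case a signature alone cannot, a file slipped into the import directory that was never part of the signed set.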
Topology 5: MSSP (Managed Security Service Provider)
Best for: Service providers managing multiple customer environments
Multi-tenant features:
- Row-level security isolates customer data
- Per-tenant API key rate limiting
- Customer-specific detection rules and playbooks
- Separate Grafana dashboards per customer
- Tenant-scoped RBAC (analyst sees only their customers)
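How tenant scoping has to be wired for the features listed above, as an added example that is not AuroraSOC code: the `cases` table, the sample rows and the entitlement model (a principal carries the set of tenants it may see, populated by the auth layer) are constructed for illustration, and the in-memory SQLite stand-in enforces the tenant predicate at the application layer where the real deployment relies on database row-level security as the backstop. The unscoped lookup beside the hardened one shows the failure mode a multi-tenant console must avoid: a globally unique case id with no tenant predicate lets any analyst read any customer's case. The per-tenant token bucket is keyed by the same tenant identity, so one customer's burst cannot consume another's quota.

```python
"""Tenant scoping for an MSSP deployment: the tenant filter comes from the authenticated
principal, never from the request, and the per-tenant limiter is keyed the same way.

Added example, not AuroraSOC code. Table, rows and entitlement model are constructed;
SQLite here stands in for the database row-level security the real deployment uses.
"""
import sqlite3
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user: str
    tenants: frozenset  # tenants this analyst may see; set by the auth layer, not by the client


class TenantScopeError(PermissionError):
    """Access outside the principal's tenants is a hard deny, not an empty result."""


def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cases (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, title TEXT NOT NULL)")
    db.executemany("INSERT INTO cases VALUES (?, ?, ?)", [   # constructed sample data
        (1, "acme", "Suspicious PowerShell on ACME-WS01"),
        (2, "globex", "Beaconing from GLX-DB02"),
        (3, "acme", "Impossible travel for j.doe@acme"),
    ])
    return db


def get_case_unscoped(db, case_id: int):
    """The bug: global case id, no tenant predicate, so any analyst reads any customer's case."""
    return db.execute("SELECT id, tenant_id, title FROM cases WHERE id = ?", (case_id,)).fetchone()


def get_case(db, who: Principal, tenant_id: str, case_id: int):
    """Hardened: entitlement check on the tenant, then the tenant predicate inside the query."""
    if tenant_id not in who.tenants:
        raise TenantScopeError(f"{who.user} is not entitled to tenant {tenant_id}")
    return db.execute("SELECT id, tenant_id, title FROM cases WHERE tenant_id = ? AND id = ?",
                      (tenant_id, case_id)).fetchone()


def list_cases(db, who: Principal):
    """Cross-customer view for an MSSP analyst, still bounded by the entitlement set."""
    if not who.tenants:
        return []
    marks = ",".join("?" * len(who.tenants))  # only placeholder count is interpolated
    return db.execute(f"SELECT id, tenant_id, title FROM cases WHERE tenant_id IN ({marks}) ORDER BY id",
                      tuple(sorted(who.tenants))).fetchall()


class TenantRateLimiter:
    """Token bucket per tenant key: `burst` requests at once, refilled at `rate` tokens/second."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self._buckets = {}  # tenant_id -> (tokens, last_seen)

    def allow(self, tenant_id: str, now=None) -> bool:
        now = time.monotonic() if now is None else now
        tokens, last = self._buckets.get(tenant_id, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._buckets[tenant_id] = (tokens - 1.0, now)
            return True
        self._buckets[tenant_id] = (tokens, now)
        return False


def demo() -> dict:
    db = open_db()
    alice = Principal("alice", frozenset({"acme"}))              # single-customer analyst
    lead = Principal("soc-lead", frozenset({"acme", "globex"}))  # MSSP analyst on two customers
    leaked = get_case_unscoped(db, 2)                            # alice's client asks for id 2
    try:
        get_case(db, alice, "globex", 2)
        denied = False
    except TenantScopeError:
        denied = True
    rl = TenantRateLimiter(rate=1.0, burst=2)
    acme_burst = [rl.allow("acme", now=0.0) for _ in range(3)]
    return {
        "leaked_tenant": leaked[1],
        "denied": denied,
        "own_case": get_case(db, alice, "acme", 1)[2],
        "alice_ids": [r[0] for r in list_cases(db, alice)],
        "lead_ids": [r[0] for r in list_cases(db, lead)],
        "acme_burst": acme_burst,
        "globex_unaffected": rl.allow("globex", now=0.0),
        "acme_after_refill": rl.allow("acme", now=1.0),
    }


if __name__ == "__main__":
    print(demo())
```

Two details carry the security weight: the tenant id in `get_case` is validated against the principal's entitlement before it is used in the query, so a client-supplied tenant cannot widen the scope, and the denial is an exception rather than `None`, which keeps an out-of-scope probe distinguishable from a missing case in the audit trail.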
Topology 6: Hybrid Cloud + On-Premises
Best for: Enterprises with mixed cloud and on-prem workloads
Topology 7: CPS/IoT-Focused (Industrial/Facilities)
Best for: Manufacturing, smart buildings, critical infrastructure with heavy OT/IoT
Choosing Your Topology
| Factor | Recommended Topology |
|---|---|
| ≤ 100 endpoints, single site | Topology 1 (Standalone) |
| Existing SIEM investment | Topology 2 (Enterprise + SIEM) |
| Multiple offices/sites | Topology 3 (Multi-Site Federation) |
| Government/military/classified | Topology 4 (Air-Gapped) |
| Managing multiple customers | Topology 5 (MSSP) |
| Mixed cloud + on-prem | Topology 6 (Hybrid Cloud) |
| Heavy IoT/OT/physical security | Topology 7 (CPS-Focused) |
Hardware Sizing
| Tier | Nodes | RAM | Storage | GPU | EPS |
|---|---|---|---|---|---|
| Small | 1 server | 64 GB | 4 TB NVMe | Optional (RTX 4090) | ≤ 2,000 |
| Mid | 3 servers | 256 GB each | 8 TB NVMe each | 2x A100 40GB | ≤ 25,000 |
| Large | 5+ per plane | Per-plane sizing | Separate storage net | 4x A100 80GB | ≤ 250,000 |