Operation Modes
AuroraSOC supports three runtime operation modes that control whether the platform is simulating, read-only, or fully active.
Mode Summary
| Mode | Primary Goal | Writes / Mutations | Typical Usage |
|---|---|---|---|
| dummy | UI and workflow showcase with synthetic behavior | Blocked | Demos, onboarding, safe previews |
| dry_run | Live observation and analysis with no state changes | Blocked | Validation and rehearsal in live-like environments |
| real | Full SOC execution and response | Allowed | End-to-end operations |
What Each Mode Means
Dummy Mode
- Returns synthetic/showcase responses for key investigation and orchestration paths.
- Blocks state-changing operations.
- Useful when you want to demonstrate workflows without dispatching real tasks or modifying systems.
Dry Run Mode
- Allows read and analysis flows.
- Blocks state-changing operations globally.
- Some endpoints return simulated previews to show what would happen.
- Useful for validating routing and investigation logic before enabling real execution.
Real Mode
- Enables full detection, analysis, and response behavior.
- Allows state-changing operations.
- Needs every required backend service and agent/tool dependency to be available for full end-to-end behavior.
Capability Matrix
| Capability | dummy | dry_run | real |
|---|---|---|---|
| Read alerts/cases | Yes (simulated data possible) | Yes | Yes |
| Trigger investigation | Simulated | Yes (non-mutating) | Yes |
| Execute playbooks with mutations | No | No | Yes |
| Persist state changes | No | No | Yes |
| Requires full backend readiness | No | Partial | Yes |
Important Scope Note
Operation modes are backend runtime modes. The dashboard reads mode status from the API.
- If the dashboard is running without the backend API, you can still browse the UI (for example with development auth fallback), but backend operation modes are not active.
- In that frontend-only case, you are not in backend dummy, dry_run, or real mode.
How To View and Change Mode
From the Dashboard
- Go to Settings.
- Open the Operation Mode section.
- Select dummy, dry_run, or real.
Required permission: system:mode:write.
Via API
```bash
# Get current mode
curl -s http://localhost:8000/api/v1/system/mode \
  -H "Authorization: Bearer $TOKEN"

# Set mode
curl -s -X POST http://localhost:8000/api/v1/system/mode \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"mode":"dry_run"}'
```
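The gating rules from the capability matrix, combined with the mode endpoint and the system:mode:write permission, can be expressed as one fail-closed decision function. This is an added sketch, not AuroraSOC's own code. Assumptions: writes are identified by HTTP method, the mode-change call stays available in every mode so an operator can leave dummy or dry_run, and `PREVIEW_PATHS` is a hypothetical endpoint list.

```python
import json
from enum import Enum


class Mode(str, Enum):
    DUMMY = "dummy"
    DRY_RUN = "dry_run"
    REAL = "real"


MODE_PATH = "/api/v1/system/mode"   # endpoint shown on the page
MODE_WRITE = "system:mode:write"    # permission named on the page
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# Hypothetical endpoint that can return a "what would happen" preview.
PREVIEW_PATHS = {"/api/v1/playbooks/execute"}


def parse_mode_request(body: str) -> Mode:
    """Validate a mode-change body such as '{"mode":"dry_run"}'."""
    data = json.loads(body)  # JSONDecodeError is a ValueError subclass
    if not isinstance(data, dict) or not isinstance(data.get("mode"), str):
        raise ValueError("expected an object with a string 'mode' field")
    return Mode(data["mode"])  # ValueError for anything but the three modes


def decide(current_mode, method, path, permissions=frozenset()):
    """Return 'allow', 'simulate' or 'block' for one API request."""
    method = method.upper()
    # Switching mode is itself a write, so it is gated by permission
    # alone; otherwise dummy/dry_run could never be left via the API.
    if path == MODE_PATH and method == "POST":
        return "allow" if MODE_WRITE in permissions else "block"
    if method in SAFE_METHODS:
        return "allow"  # reads work in all three modes
    try:
        mode = Mode(current_mode)
    except ValueError:
        return "block"  # unknown or missing mode: fail closed
    if mode is Mode.REAL:
        return "allow"
    # dummy and dry_run never mutate; preview-capable endpoints simulate.
    return "simulate" if path in PREVIEW_PATHS else "block"
```
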
Choosing the Right Mode
- Use dummy when training users or validating UI flows safely.
- Use dry_run when you need live reads and realistic analysis but must guarantee no mutations.
- Use real when you are ready for full operations and have confirmed service readiness.
Pre-Switch Checklist
Before switching into real mode, verify:
- Authentication and authorization are healthy.
- Agent and worker health checks are passing.
- Approval flow is configured for high-risk actions.
- Monitoring dashboards and alerts are active.
- Rollback and incident escalation paths are documented.