Welcome to AuroraSOC

AuroraSOC is an AI-powered Security Operations Center platform designed to help teams detect, investigate, and respond to security events faster while keeping humans in control of high-risk decisions.

It combines:

  • A FastAPI backend and Next.js dashboard
  • A multi-agent investigation system (1 orchestrator + 13 specialist agents)
  • Domain tools through MCP (SIEM, SOAR, EDR, threat intel, CPS/IoT, and more)
  • Event-driven processing with Redis Streams, NATS, and MQTT
  • Security-by-design features such as role-based access and human approval gates

Start Here in 60 Seconds

If this is your first time, follow this order:

  1. Read Learning Paths and pick your role.
  2. Complete Quick Start.
  3. If you want the real agent mesh, continue with AI Agent Fleet Deployment.
  4. Open Dashboard Overview.
  5. Run one end-to-end workflow from Common Workflows.

If you are already running AuroraSOC, jump directly to the topic you need in the sidebar.

Mental Model (Beginner-Friendly)

Think of AuroraSOC as a coordinated SOC team:

  • The orchestrator receives a task.
  • It delegates sub-tasks to specialist agents.
  • Specialists call domain tools to gather evidence.
  • Results are correlated and returned to API/UI.
  • Human approval is required for high-impact actions.

What AuroraSOC Solves

| Problem | Traditional SOC Pain | AuroraSOC Approach |
| --- | --- | --- |
| Alert overload | Analysts manually triage high volume | AI-assisted triage, enrichment, and prioritization |
| Slow investigations | Context scattered across tools | Multi-agent evidence gathering + unified case flow |
| Inconsistent response quality | Depends on analyst experience | Standardized playbooks and guardrails |
| CPS/IoT visibility gaps | OT/IoT data not correlated with cyber | Physical-cyber correlation and attestation workflows |
| Poor auditability | Difficult to reconstruct decisions | Structured logs, traces, and investigation timeline |

Key Concepts You Should Know

| Term | Meaning |
| --- | --- |
| Orchestrator | The coordinator agent that routes work to specialists |
| Specialist Agent | Domain-focused agent (e.g., Threat Hunter, Malware Analyst, CPS Security) |
| MCP Tool | A capability exposed through a tool server (search logs, isolate endpoint, run playbook, etc.) |
| A2A | Agent-to-agent communication protocol between orchestrator and specialists |
| Investigation | A structured execution path for an alert/case from triage to resolution |
| Approval Gate | Human decision point required before high-risk actions |
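The mental model above (orchestrator delegates, specialists gather evidence through tools, results are correlated, humans approve high-impact actions) and the terms in this table can be seen together in a small runnable sketch. This is an added example, not AuroraSOC's own code: the two specialist agents, the in-memory stand-in for an MCP tool server, the sample log lines and hash verdict, and the low/high risk policy are all assumptions made for illustration. The point it demonstrates is the approval gate: a specialist may only propose a state-changing action, the orchestrator parks anything high-risk, and the action runs only after a named approver releases it, leaving an audit trail of who authorised what.

```python
"""Minimal model of the orchestrator -> specialist -> tool -> approval-gate flow.

Added illustration, not AuroraSOC's own code: agent names, tool names, the risk
policy and the in-memory "tool server" below are all assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum


class Risk(Enum):
    LOW = "low"    # safe to run automatically (e.g. add a case note)
    HIGH = "high"  # changes production state; needs a human decision first


@dataclass(frozen=True)
class ProposedAction:
    tool: str
    args: tuple   # (key, value) pairs, kept as a tuple so the action is hashable/comparable
    risk: Risk


@dataclass
class Investigation:
    alert: dict
    findings: dict = field(default_factory=dict)         # specialist name -> evidence
    executed: list = field(default_factory=list)         # actions that ran, and who authorised them
    pending_approval: list = field(default_factory=list)  # parked high-risk actions


# --- Constructed stand-in for MCP domain tools (SIEM search, threat intel, EDR, case) ---
SAMPLE_LOGS = [  # constructed sample events, not real data
    {"host": "ws-017", "event": "powershell.exe -enc ...", "ts": "2024-01-01T10:00:00Z"},
    {"host": "ws-017", "event": "outbound 203.0.113.5:443", "ts": "2024-01-01T10:00:05Z"},
    {"host": "srv-02", "event": "scheduled task created", "ts": "2024-01-01T10:01:00Z"},
]
KNOWN_BAD = {"0" * 64: "malicious"}  # placeholder hash -> verdict, constructed

TOOLS = {
    "search_logs": lambda host: [e for e in SAMPLE_LOGS if e["host"] == host],
    "lookup_hash": lambda sha256: KNOWN_BAD.get(sha256, "unknown"),
    "isolate_endpoint": lambda host: f"isolated {host}",
    "add_case_note": lambda text: f"note: {text}",
}


# --- Hypothetical specialist agents: they gather evidence and propose, never execute ---
def threat_hunter(alert, tools):
    events = tools["search_logs"](alert["host"])
    return {"related_events": len(events)}, []


def malware_analyst(alert, tools):
    verdict = tools["lookup_hash"](alert["sha256"])
    proposals = []
    if verdict == "malicious":
        proposals.append(ProposedAction("isolate_endpoint", (("host", alert["host"]),), Risk.HIGH))
        proposals.append(ProposedAction("add_case_note", (("text", f"{alert['sha256'][:12]} malicious"),), Risk.LOW))
    return {"verdict": verdict}, proposals


SPECIALISTS = {"threat_hunter": threat_hunter, "malware_analyst": malware_analyst}


def _execute(inv, action, tools, authorised_by):
    result = tools[action.tool](**dict(action.args))
    inv.executed.append({"tool": action.tool, "result": result, "authorised_by": authorised_by})


def run_investigation(alert, tools=TOOLS, specialists=SPECIALISTS):
    """Orchestrator: delegate to each specialist, collect evidence, gate high-risk actions."""
    inv = Investigation(alert)
    for name, agent in specialists.items():
        evidence, proposals = agent(alert, tools)
        inv.findings[name] = evidence
        for action in proposals:
            if action.risk is Risk.HIGH:
                inv.pending_approval.append(action)  # approval gate: park, do not run
            else:
                _execute(inv, action, tools, authorised_by="orchestrator")
    return inv


def approve(inv, action, approver, tools=TOOLS):
    """Human decision point: only a parked action can be released, and the approver is recorded."""
    if action not in inv.pending_approval:
        raise ValueError(f"{action.tool} was not awaiting approval")
    inv.pending_approval.remove(action)
    _execute(inv, action, tools, authorised_by=approver)
    return inv


if __name__ == "__main__":
    alert = {"id": "A-1", "host": "ws-017", "sha256": "0" * 64}  # constructed alert
    inv = run_investigation(alert)
    print(inv.findings, [a.tool for a in inv.pending_approval])
    approve(inv, inv.pending_approval[0], approver="analyst@example.com")
    print(inv.executed)
```

Two design choices carry the security point. Specialists return proposals rather than calling `isolate_endpoint` themselves, so no single agent can change endpoint state on its own; and `approve` refuses anything that is not currently parked, so an action cannot be replayed or slipped past the gate by calling the executor directly with a fresh object. In a real deployment the `executed` list would be the structured audit trail the "Poor auditability" row above refers to.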

Learn by Role

SOC Analyst / Operator

Start with:

SOC Lead / Manager

Start with:

Security Engineer / Platform Engineer

Start with:

First Real Workflow (10-15 Minutes)

  1. Launch the stack from Quick Start.
  2. Log in and open the alerts queue.
  3. Pick one high-severity alert.
  4. Trigger investigation.
  5. Review generated findings and timeline.
  6. Move alert to a case and apply a playbook in dry-run mode.
  7. Complete or close with notes.

After this flow, you will understand the core AuroraSOC operating model.

Frequently Asked Questions

Is AuroraSOC fully autonomous?

No. AuroraSOC automates analysis and recommendations, but high-impact operations can require human approval.

Do I need to understand all 14 agents before I can use the platform?

No. Start with dashboard workflows first. You can learn agent internals incrementally.

Where should developers start?

Use Developer Architecture Overview, then Settings System, then API Reference.

Where can I find complete setup paths by role?

See Learning Paths.