Read-only investigation mode

Recommended for initial deployment — SOCPilot can investigate without write access to any connected tool.

Last updated 4/18/2026

Read-only mode is the default for new SOCPilot deployments. The product investigates, scores, correlates and documents without taking any action in connected tools.

What stays available in read-only mode

  • All triage, investigation, briefing and compliance workflows
  • Recommendations for response actions, marked as "would do" rather than executed, so analysts can compare each recommendation with the action they actually took
  • Full audit trail and notification flow

What is disabled in read-only mode

  • Host isolation, account disablement, credential rotation, domain blocking and any other write to a connected tool
  • Auto-approved playbook steps (every step queues as a recommendation)

How to leave read-only

Read-only is toggled per integration and per environment under Settings → Security controls. Leaving read-only requires owner-level approval and is recorded in the audit log. Most teams stay in read-only for the first 2–4 weeks while they validate verdict quality, typically by reviewing the "would do" recommendations against the actions analysts took by hand. Treat read-only mode as a control inside SOCPilot and, separately, scope each integration's credential to read-only in the connected tool where the tool supports it, so that a write requires both the mode change and a credential that permits it.
