Read-only investigation mode
Recommended for initial deployment — SOCPilot can investigate without write access to any connected tool.
Last updated 4/18/2026
Read-only mode is the default for new SOCPilot deployments. The product investigates, scores, correlates and documents without taking any action in connected tools.
What stays available in read-only mode
- All triage, investigation, briefing and compliance workflows
- Recommendations for response actions, marked as "would do" instead of executed
- Full audit trail and notification flow
What is disabled in read-only mode
- Host isolation, account disablement, credential rotation, domain blocking and any other destructive integration write
- Auto-approved playbook steps (every step queues as a recommendation)
How to leave read-only
Read-only is toggled per integration and per environment under Settings → Security controls. Leaving read-only requires owner-level approval and is recorded in the audit log. Most teams stay in read-only for the first 2–4 weeks while they validate verdict quality.
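To make the gating concrete, here is an added illustrative model of how a per-integration, per-environment read-only gate behaves: destructive writes are recorded as "would do" instead of executed, only an owner-level approver can open a scope for writes, and every decision lands in the audit trail. This is example code written for this article, not SOCPilot's own implementation; the class, action names and scope layout are assumptions.

```python
# Illustrative model of a per-integration, per-environment read-only gate.
# Added example, not SOCPilot's code; all names here are assumptions.
from dataclasses import dataclass, field
from typing import Callable

# Integration writes the gate treats as destructive (the article's list).
DESTRUCTIVE = {"isolate_host", "disable_account", "rotate_credential", "block_domain"}


@dataclass
class ActionGate:
    write_enabled: set = field(default_factory=set)  # scopes an owner opened for writes
    audit: list = field(default_factory=list)        # append-only trail of every decision

    def is_read_only(self, integration: str, environment: str) -> bool:
        return (integration, environment) not in self.write_enabled

    def leave_read_only(self, integration: str, environment: str,
                        approver: str, role: str) -> None:
        """Open one scope for writes. Only an owner may approve; denials and
        approvals are both written to the audit log."""
        entry = {"event": "leave_read_only", "scope": (integration, environment),
                 "approver": approver, "role": role}
        if role != "owner":
            self.audit.append({**entry, "outcome": "denied"})
            raise PermissionError("owner-level approval required")
        self.write_enabled.add((integration, environment))
        self.audit.append({**entry, "outcome": "approved"})

    def run(self, action: str, integration: str, environment: str,
            target: str, execute: Callable[[], str]) -> dict:
        """Run a destructive action only when its scope is writable; otherwise
        record it as a 'would do' recommendation and call nothing."""
        entry = {"action": action, "scope": (integration, environment), "target": target}
        if action in DESTRUCTIVE and self.is_read_only(integration, environment):
            self.audit.append({**entry, "event": "would_do"})
            return {**entry, "status": "would_do"}
        result = execute()  # the real integration call; stubbed in demo()
        self.audit.append({**entry, "event": "executed", "result": result})
        return {**entry, "status": "executed", "result": result}


def demo() -> tuple:
    """Constructed walk-through: default read-only, then one scope opened by an owner."""
    gate, calls = ActionGate(), []
    isolate = lambda: calls.append("edr:isolate") or "ok"  # counts real integration calls
    before = gate.run("isolate_host", "edr", "prod", "host-01", isolate)
    gate.leave_read_only("edr", "prod", "owner1", "owner")
    after = gate.run("isolate_host", "edr", "prod", "host-01", isolate)
    staging = gate.run("isolate_host", "edr", "staging", "host-02", isolate)
    return before, after, staging, calls, gate
```

Note that opening the `edr`/`prod` scope leaves `edr`/`staging` read-only, which is the per-environment behaviour the article describes.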