Detection

Detection Modes

Detection sensitivity and action mode configuration

VaultDEC operates with two independent mode settings: a Detection Mode that controls sensitivity, and an Action Mode that controls response behavior.

Detection Modes

STANDARD

The default mode. Balanced between security and tolerance for normal traffic variation.

  • Requires more rules to trigger before action
  • Longer measurement windows for sustained behavior analysis
  • Best for environments with variable but predictable traffic patterns
  • Recommended for initial deployment and baseline establishment

Use when: You're first deploying VaultDEC and want to establish what "normal" looks like before tightening restrictions.

STRICT

Elevated sensitivity with tighter thresholds.

  • Fewer rules need to agree before action
  • Shorter measurement windows catch anomalies faster
  • More aggressive large-packet analysis
  • May generate occasional false positives during unusual but legitimate activity

Use when: You've established a baseline in STANDARD mode and want stronger protection. Your traffic patterns are well-understood and predictable.

VAULT

Maximum security. Zero tolerance for anomalous upload behavior.

  • Minimal rules required to trigger
  • Shortest measurement windows
  • Any significant deviation from baseline triggers response
  • Accepts higher false positive rate in exchange for near-instant detection

Use when: The data being protected is critically valuable and a brief connection interruption is an acceptable trade-off for maximum security. Appropriate for environments where the protected server has no legitimate reason to upload significant data.

Action Modes

Action modes determine what VaultDEC does when the detection threshold is reached.

TEST

For initial setup and verification.

  • Rules evaluate normally
  • No alerts generated
  • No connection kills
  • All metrics logged
  • Dashboard shows what would trigger

Use when: First connecting VaultDEC to understand your traffic patterns.

AUDIT

Detection without enforcement.

  • Rules evaluate normally
  • Alerts are generated and logged
  • Heartbeat reflects alert status
  • No connection kills
  • Full logging of all triggered events

Use when: You want to verify that VaultDEC would catch real threats without risking disruption to legitimate traffic. Recommended for at least 48 hours before switching to LIVE.

LIVE

Full enforcement mode.

  • Rules evaluate normally
  • Alerts are generated and logged
  • Heartbeat reflects status in real time
  • Connection is killed when threshold is reached
  • Bridge interfaces are brought down, severing the protected server from the network

Use when: You've validated behavior in AUDIT mode and are confident in your threshold settings.

Mode Combinations

Detection × Action   Behavior
STANDARD + TEST      Loose evaluation, no response. Learning mode.
STANDARD + AUDIT     Loose evaluation, alerts only. Initial monitoring.
STANDARD + LIVE      Loose evaluation, real kills. Production default.
STRICT + AUDIT       Tight evaluation, alerts only. Pre-production validation.
STRICT + LIVE        Tight evaluation, real kills. Enhanced production.
VAULT + AUDIT        Maximum sensitivity, alerts only. Final validation before lockdown.
VAULT + LIVE         Maximum sensitivity, real kills. Maximum security.

Recommended rollout progression:

  1. Day 1-3: STANDARD + TEST — Establish baseline, observe traffic patterns
  2. Day 4-7: STANDARD + AUDIT — Verify detection accuracy against known-good traffic
  3. Week 2: STANDARD + LIVE — Enable enforcement with balanced sensitivity
  4. Week 3+: STRICT + LIVE — Tighten if baseline is stable and predictable
  5. Optional: VAULT + LIVE — For maximum security environments only

Changing Modes

Modes can be changed via the ephemeral dashboard or through the management API:

# Enable dashboard first
ssh vaultdec@<mgmt-ip> enable-dashboard 15m

# Then use the web UI to change modes
# Or use the API directly:
curl -X POST http://<mgmt-ip>:8080/api/config \
  -H "Content-Type: application/json" \
  -d '{"detection_mode": "STRICT", "action_mode": "LIVE"}'

Mode changes take effect immediately. No restart required.
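As an added example (not VaultDEC's own tooling), a small Python client that applies the rollout guidance above before calling the documented /api/config endpoint: it rejects unknown mode names and refuses to enable LIVE unless the unit has been in AUDIT for at least 48 hours. The 48-hour minimum, the mode names and the progression order come from this page; the epoch-time bookkeeping for when AUDIT was entered is the script's own assumption.

```python
import json
import time
from urllib import request

DETECTION_MODES = ("STANDARD", "STRICT", "VAULT")
ACTION_MODES = ("TEST", "AUDIT", "LIVE")
MIN_AUDIT_SOAK_S = 48 * 3600  # documented minimum time in AUDIT before LIVE
# Documented rollout progression, in order (the VAULT step is optional).
PROGRESSION = [("STANDARD", "TEST"), ("STANDARD", "AUDIT"),
               ("STANDARD", "LIVE"), ("STRICT", "LIVE"), ("VAULT", "LIVE")]

def next_step(current):
    """Next rollout pair after `current`; None at the end or off the documented path."""
    i = PROGRESSION.index(current) + 1 if current in PROGRESSION else len(PROGRESSION)
    return PROGRESSION[i] if i < len(PROGRESSION) else None

def validate_change(current, proposed, audit_since=None, now=None):
    """Reasons to refuse moving from `current` to `proposed` (empty list = allowed).
    Both are (detection_mode, action_mode) tuples; audit_since is the assumed epoch
    time the unit entered AUDIT, or None if it is not in AUDIT."""
    det, act = proposed
    problems = []
    if det not in DETECTION_MODES:
        problems.append(f"unknown detection_mode {det!r}")
    if act not in ACTION_MODES:
        problems.append(f"unknown action_mode {act!r}")
    if problems:
        return problems
    # Enforcement only after a full AUDIT soak; tightening detection while already
    # LIVE (rollout steps 3 -> 4 -> 5) needs no new soak.
    if act == "LIVE" and current[1] != "LIVE":
        if current[1] != "AUDIT" or audit_since is None:
            problems.append("enable LIVE only from AUDIT mode")
        else:
            soaked = (time.time() if now is None else now) - audit_since
            if soaked < MIN_AUDIT_SOAK_S:
                problems.append(f"only {soaked / 3600:.0f}h in AUDIT, need 48h")
    return problems

def build_payload(proposed):
    """JSON body in the shape the documented /api/config endpoint accepts."""
    return json.dumps({"detection_mode": proposed[0], "action_mode": proposed[1]})

def apply_change(mgmt_ip, current, proposed, audit_since=None):
    """Run the guard, then POST the change; returns the HTTP status code."""
    problems = validate_change(current, proposed, audit_since)
    if problems:
        raise ValueError("; ".join(problems))
    req = request.Request(f"http://{mgmt_ip}:8080/api/config",
                          data=build_payload(proposed).encode(),
                          headers={"Content-Type": "application/json"}, method="POST")
    with request.urlopen(req, timeout=10) as resp:
        return resp.status
```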
