title: CloudSlash - Mock Mode Reference description: No credentials needed. --mock generates a 10,000-node infrastructure graph: realistic enough to run the full engine, policy evaluation, and remediation pipel...
Mock Mode¶
No credentials needed. --mock generates a 10,000-node infrastructure graph: realistic enough to run the full engine, policy evaluation, and remediation pipeline against.
Enabling Mock Mode¶
cs scan --mock # One-shot scan against the mock graph
cs daemon --mock # Daemon + Web UI with mock data
cs tui # Terminal dashboard (connects to a running daemon — start one with --mock above)
When the daemon runs in mock mode, the Web Dashboard at localhost:8080 is fully functional: all tabs, charts, AI chat, and remediation pipelines work with simulated data.
Mock Graph¶
What It Contains
The chaos graph seeds 10,000 nodes across all five providers, deliberately designed to exercise every engine subsystem:
Compute Resources¶
- Ghost EC2 instances: running but consuming no CPU for 60+ days
- Stopped GCE instances left in stopped state
- Azure VMs with deallocated status but still accruing disk costs
- Over-provisioned K8s pods with 10x their actual resource usage
- Linode instances created by dev environments and never terminated
Storage Resources¶
- Unattached EBS volumes in
availablestate (30+ days) - GCS buckets with zero object access in 90 days
- Azure managed disks not attached to any VM
- Orphaned K8s PVCs not mounted by any pod
Networking¶
- Hollow NAT Gateways with <1GB traffic over 30 days
- Unused Elastic IP addresses
- Empty load balancers with no healthy targets
- Cross-cloud CIDR overlap edges (Ghost Linker discovers AWS VPC ↔ GCP VPC connections)
Serverless¶
& Managed Services - Stale Lambda functions with zero invocations (90+ days) - Idle Cloud Run services with zero requests - Empty DynamoDB tables with provisioned capacity - Idle Pub/Sub subscriptions with undelivered messages
Risk Signals¶
- Spot instances with high HMM-predicted termination probability
- Publicly accessible S3 buckets
- Security groups with 0.0.0.0/0 ingress rules
- RDS instances with
PubliclyAccessible: true - PII-classified resources (tagged
data-classification: pii) - Resources with formal reachability proofs (Internet → Database paths)
Automatic Credential Fallback¶
No need to pass --mock explicitly in CI. When the scanner detects missing or invalid credentials, it automatically falls back to mock mode:
The engine recognises 13 credential failure patterns across AWS, GCP, and Azure:
unable to locate credentialscould not find default credentialsAccessDenied,AuthenticationFailedno such host,invalid_clientcredential init failed
Your GitHub Actions workflow works on forks and open-source PRs where secrets aren't available: without any conditional logic.
Mock Mode¶
+ CEL Policies
Policies evaluate against the mock graph exactly as they would against live infrastructure:
The fastest way to test a new policy: no real infrastructure needed.
Mock Mode¶
+ AI Chat
In cs daemon --mock, the DEVI AI chat works fully. DEVI queries the mock graph via its MCP tools:
> Which resources cost the most in the mock graph?
> What's the blast radius of the mock NAT gateway?
> Generate a CEL policy to block public S3 buckets
Mock mode is useful for demoing AI capabilities to stakeholders without sharing real infrastructure data.
Mock Mode¶
When to Use
| Situation | Use Mock Mode? |
|---|---|
| Exploring CloudSlash for the first time | ✅ Yes |
| Demoing to stakeholders | ✅ Yes |
| Testing new CEL policies | ✅ Yes |
| CI pipelines without cloud secrets | ✅ Yes (automatic) |
| Developing a new plugin | ✅ Yes |
| Scanning a real AWS/GCP/Azure account | ❌ No: use real credentials |
| Generating a compliance report | ❌ No: mock data won't reflect real state |