The operating system for cyber incidents.
IR-OS is the platform an incident commander, a general counsel, a CFO, and a board chair can all sign off on by the close of the same week. Operator-first, receipts-first, standards-anchored, and priced where the work happens. This is what we believe, what we ship, and what we refuse to build.
What we believe
Cyber Incident Response Management is now a Gartner-formalized category. It exists because detection has been solved a dozen times over while the room that runs the incident has not. Five beliefs guide every decision the IR-OS team makes about the platform.
- Coordination is the bottleneck, not detection. The cost of a modern breach is set by what happens in the first 72 hours after detection, not before it. We build for that room.
- Receipts beat narratives. A defensible record is not a story your team writes after the fact. It is a tamper-evident chain produced as the decisions are made. Regulators, insurers, and plaintiffs trust math, not memory.
- Operators outperform chatbots. Cyber-IR runs on seven bounded operator agents with named scopes, not a general-purpose assistant. The room needs the next action, not a paragraph.
- The room and the regulator share one timeline. Separating operational logs from regulatory filings is how organizations lose breach litigation. Both land on the same hash chain.
- Procurement should not gate readiness. A platform that requires a six-figure procurement cycle to evaluate is not a platform for the room. Our pricing is on a web page.
What we ship
The platform is the credential. Numbers below are the working state of the product today, not a roadmap claim.
- A seven-agent operator architecture covering Containment, Comms, Compliance, Insurance, Forensics, Recovery, and Lessons. Each agent has a documented scope and writes to the same ledger as the humans in the room.
- A cryptographic hash chain on every incident decision, with an independent verifier at ir-os.com/verify and a published signing key at /.well-known/ir-os-signing-key.pub.json. No IR-OS account required to verify.
- Regulatory clock orchestration for SEC Item 1.05 (4 business days), GDPR Article 33 (72 hours), NY DFS 500, NIS2, DORA, HIPAA, and state breach laws. Auto-tracked from the moment materiality is asserted.
- A crisis communications pillar with stakeholder mapping, a holding statement library, structural privilege channels, and an outbound log.
- A defensible-record export in both JSON and PDF, mapped to the carrier-relevant buckets your cyber-liability insurer asks about during a claim review.
- A readiness substrate covering exercises, gap analysis, assessments, and insurance, trended over time so the program improves on a measurable cadence.
How we work
The IR-OS team is distributed and lean by design. Lean is not a constraint we apologize for. It is the reason the platform ships in five-minute self-serve onboarding instead of a multi-quarter systems-integration engagement, and the reason the price is on the pricing page instead of behind an enterprise sales motion.
Three commitments shape our cadence.
- Public pricing, public roadmap, public artifacts. Pricing is on /pricing. The defensible-record bundle and verifier are public. Our security posture is on /security. There is nothing about IR-OS you have to take our word for.
- Ship in slices that satisfy a buyer-committee role. Every release maps to a need from a CISO, a General Counsel, a CFO, an incident commander, or a board reviewer. We do not ship features without a named role asking for them.
- Operate the way we ask customers to operate. Our internal incidents run on IR-OS. Our chain has the same integrity guarantees as yours. The verifier accepts our records.
Standards we are anchored to
IR-OS is standards-anchored, not invented. Every IR plan, runbook, and audit artifact is built on recognized cyber-IR standards. Subscribers select the framework their program runs on. We carry the rest.
- IR plan frameworks: NIST SP 800-61 Rev. 2, ISO/IEC 27035-1:2023, CISA Federal Government IR Playbook, FIRST Cyber Incident Management Maturity Model, and a baseline framework for organizations selecting their first plan.
- Threat taxonomy: MITRE ATT&CK, MITRE D3FEND.
- Regulatory references: SEC Item 1.05, GDPR Article 33, NIS2, DORA, HIPAA, NY DFS 500, EDPB Guidelines 9/2022, OFAC ransomware advisory, CISA #StopRansomware.
- Cryptography: SHA-256 hash chain, Ed25519 signature, published public key, third-party verifier.
Our Advisory Board
The platform is built and operated by the IR-OS team. An outside Advisory Board of cybersecurity practitioners, regulatory specialists, and incident response thought leaders provides experience and product input without operating the platform day-to-day. Advisors do not have access to customer data, do not approve releases, and do not speak for IR-OS in any operational capacity.
We did not assemble a board to look bigger. We assembled one to make better decisions about a category that is still being defined. The relationship is explicit, bounded, and disclosed on every page that mentions any individual.
What we will not build
A refusal stance is a confidence signal. Three things we will not ship, ever.
- Mid-flight redaction of the chain. The defensible record is append-only by design. If a record could be edited after the fact, it would not be defensible. We refuse this even when a customer asks for it.
- Responder-asserted privilege. Privilege is a legal status with specific elements. We will not let a responder click a button that retroactively asserts privilege over an event in the chain. Privilege is scoped by counsel, channel, and time, captured live.
- Governance theater integrations. Any integration that captures some channels and not others, that lets users self-exempt from logging, or that encourages off-system coordination - we will not build it. Comms-platform integrations either obey the governance capture principle or they do not exist in IR-OS.
How to evaluate us
An adult procurement process should not require an NDA to inspect the basics. Everything below is public.
- Pricing: three published tiers, monthly or annual, with a 7-day free trial and a 30-day money-back guarantee.
- Security posture: /security covers tenant isolation, encryption, authentication, and the security disclosure process.
- Defensible record: download a sample bundle from any incident, drop it at ir-os.com/verify, confirm chain integrity and Ed25519 signature without an IR-OS account.
- Editorial standards: we publish how we talk about ourselves and the people associated with us. The footer of every page on this site states the relationship explicitly.
- Head-to-head comparisons: side-by-side analyses against every CIRM peer and adjacent platform buyers actually evaluate.
Working with IR-OS
Sign up at app.ir-os.com/signup. The default IR plan is generated automatically; tune it inside the first drill. If you get stuck, write to [email protected] and a member of the IR-OS team responds, often within the hour during business hours, always within one business day.
Start with IR-OS
Three plans. 7-day free trial. 30-day money-back guarantee. No sales call, no implementation services, no procurement cycle.