About IR-OS
IR-OS exists because cyber incident response has always been coordinated in the wrong tools — and the coordination gap is the largest remaining source of preventable breach damage.
Why IR-OS Was Built
After facilitating more than 150 C-Suite tabletop exercises across regulated industries, the same pattern appeared over and over again. Technical detection was usually fine. What broke — every time — was the coordination between CISO, Legal, Finance, Communications, and the executive team during the critical first 72 hours. The decisions were wrong because the process was wrong, not because the people were wrong.
The security industry had platforms for every part of the problem except this one. SIEM and EDR handled detection. SOAR handled technical automation. ITSM tracked remediation. But no product covered the actual command structure of a cyber incident — the roles, the decisions, the regulatory clocks, the stakeholder communications, and the defensible record. That product category is now called Cyber Incident Response Management (CIRM), and IR-OS is built for it.
What IR-OS Is
IR-OS is a SaaS incident command platform. It provides:
- Six pre-defined incident command roles with task assignment
- Regulatory clock tracking for SEC Item 1.05, GDPR Article 33, HIPAA, and state breach laws
- An append-only SHA-256 hash-chained event ledger
- A library of 12+ tabletop exercise scenarios based on real incidents
- Auto-generated structured after-action reviews
- A readiness dashboard covering exercises, gaps, assessments, and insurance
- A gap analysis tracker that connects exercises, assessments, and AARs into a single remediation pipeline
Every workflow, task template, and default setting reflects what actually happens under pressure — extracted from the 150+ exercises described above and from live incidents our team has supported.
About the Founder — Mark Lynd
Mark Lynd is a CISO, consultant, author, and speaker focused on cyber incident response and executive decision-making under pressure. He has facilitated more than 150 real C-Suite tabletop exercises across financial services, healthcare, critical infrastructure, and mid-market enterprise — the same exercises that form the operational backbone of IR-OS.
Mark is a recognized voice on CISO strategy and incident command, frequently interviewed and quoted on cyber incident response, regulatory disclosure, and the intersection of security and governance. He has served on advisory boards and written extensively on cybersecurity leadership.
Areas of expertise: incident command, tabletop facilitation, SEC cyber disclosure, GDPR breach notification, ransomware response, CISO strategy, security governance, cyber insurance.
Connect: LinkedIn · [email protected]
How IR-OS Is Built
- Next.js 16 App Router on Cloudflare Workers via
@opennextjs/cloudflare - Supabase Postgres for data and auth, with row-level security on every table
- OpenRouter for AI model routing (Claude Sonnet, GPT-4.1) with plan-grounded citations
- Cloudflare Pages for the landing and content surface
- Resend for transactional email notifications with DKIM signing from
[email protected] - SHA-256 hash chain enforced by database triggers for the event ledger
Principles
- Defensibility first. If it cannot stand up to a regulator, it is not good enough.
- Mobile-first. Incidents never start when you are at your desk.
- Real-world provenance. Every workflow traces back to a specific real-world exercise or incident pattern.
- AI with citations. Every AI-assisted decision cites the plan section or regulation it is based on.
- Privacy and tenant isolation. Row-level security end to end. No cross-tenant data access is possible.
Start with IR-OS
Free for small teams. Paid tiers for Professional, Business, and Enterprise. 30-day satisfaction guarantee.
Start free