IR-OS shield icon
IR-OS COMMAND. EXECUTION. PROOF.
IR-OS | Cyber Incident Response Operating System
The Cyber Incident Response Management Platform

Coordinated response.
Smaller blast radius.
A defensible record.

Ransomware lands at 3am. Who calls counsel. Who briefs the board. Who logs the decisions. IR-OS lets you command and run the room with confidence: faster cadence in the moment, smaller blast radius at the end, a tamper-evident record after. Built for the organizations that have outgrown improvisation.

Start your 7-day free trial

Five-minute setup · No sales call · Public pricing · 30-day money-back guarantee

Receipts for the regulator. Operators for the room.

Cryptographic chain of decisions

Every decision lands on a hash-anchored ledger. Independently verifiable. The audit substrate of the whole platform, not a feature bolted on.

Seven named operator agents, bounded scope

Containment, Comms, Compliance, Insurance, Forensics, Recovery, Lessons. The room runs on agents, not on heroes. Every action they take is traceable to a decision and to a person.

Regulatory clocks built in

SEC Item 1.05 (4 business days), GDPR Article 33 (72 hours), NIS2, DORA, HIPAA, state breach laws. Auto-tracked from the moment materiality is asserted, not when someone remembers.

Featured in and recognized by

Forbes CNBC CIO.com InformationWeek Dark Reading
New
IR-OS Research
Issue 01 · April 2026
State of
Incident Response
Readiness 2026
Why incident response plans break the moment a real cyber incident is declared - and what fixes them.
32
Industries
10
Key Findings
ir-os.com
/reports
Original Research

Why do IR plans break during real incidents?

Ten findings from 150+ C-suite cyber tabletop exercises facilitated across 32 industries. The coordination, communication, and regulatory failures that no post-incident report surfaces because they get fixed before the report is written.

  • Role clarity collapses in the first 30 minutes
  • Regulatory clocks are not tracked during incidents
  • Teams call the wrong stakeholder first
  • The first executive update is usually wrong
Read the Full Report → Start Free 7-Day Trial

Free · No email required · Cited by CISOs, security journalists, and IR consultancies

The real problem

It is not detection. It is what happens in the next 24 hours.

Most organizations do not lose incident-response cases because they failed to detect the breach. They lose because the response was uncoordinated, out of order, and under-documented while it was happening.

People under pressure do not know what their role requires at this exact phase, who owns the next decision, or what document governs it. The documents that actually matter, the IR plan, the cyber policy, regulatory cheat sheets, crisis comms templates, panel-firm contacts, are scattered across SharePoint, an attorney's inbox, somebody's laptop, and a binder in a drawer. Most are PDFs nobody has opened in eighteen months.

A real failure mode

The CFO and General Counsel hold the cyber insurance policy. The CISO and IT report the incident to the FBI in the first hour, which feels right and earns instinctive trust. Twenty-four hours later the carrier denies the claim, because the policy required first-notice to the carrier before any law-enforcement contact, and nobody on the response side knew that clause existed.

Multiply that one missed clause by dozens of regulatory clocks, eight role assignments, twelve crisis comms templates, and four panel firms running at the same time, under sleep deprivation and pressure. That is the problem.

Every minute spent uncoordinated is another minute the attacker keeps moving. Slower response means a larger blast radius. Larger blast radius means more customers in scope, more regulators in scope, more cost. Pace is not a process metric. It is a balance-sheet metric.

IR-OS Command Center showing the Program Health Score, Readiness Scorecard, and Program Momentum panels - the live operational dashboard inside the platform
Command Center · Program Health Score and Readiness Scorecard (live view inside IR-OS)

What Is IR-OS?

TL;DR: IR-OS is a Cyber Incident Response Management (CIRM) platform that coordinates the human side of cyber incident response - roles, decisions, regulatory clocks, stakeholder communications, and a cryptographically defensible record. Every workflow is built for the audiences a cyber incident actually has. Our Advisory Board includes Mark Lynd, who has facilitated 150+ C-suite tabletops across his career.

IR-OS complements detection tools like SIEM and EDR. Where those answer “what is happening?”, IR-OS answers “who decides, when, and how do we prove it?” It is built on frameworks including NIST SP 800-61 and aligned to regulatory regimes including GDPR Article 33's 72-hour clock, HIPAA, state breach laws, and cyber insurance first-notice windows.

Key Takeaway: According to the Verizon Data Breach Investigations Report and the IBM Cost of a Data Breach analysis, most breach cost is concentrated in containment time which is a coordination problem, not a detection problem. IR-OS closes that gap. Read our data-backed coordination gap analysis, the 2026 incident response playbook, or our ransomware response guide.

What changes when the room runs on IR-OS

Three outcomes, in order: faster cadence in the moment, smaller blast radius at the end, a tamper-evident record after.

Faster cadence

The next action and the right document, one click away.

Guided steps know the phase. Tasks know the owner. Documents know the moment they belong to. Nobody is reading a 50-item runbook trying to find their place at 3am.

IR-OS active ransomware incident with guided steps and regulatory clocks
Smaller blast radius

Fewer customers in scope. Fewer regulators triggered.

Regulatory clocks, panel firms, and insurance attestations surface at the right moment. Less missed scope, less after-the-fact notification spend, lower fine bracket.

IR-OS regulatory clocks panel showing GDPR Article 33 and NY DFS
A defensible record

Tamper-evident, signed, publicly verifiable.

Every event is hash-chained and Ed25519-signed at closure. Anyone can verify the bundle at app.ir-os.com/verify, no account needed. Built for regulators, insurers, and opposing counsel.

IR-OS Defensible Record finalized card with chain head and signature
Start your 7-day free trial

Five-minute setup · No sales call

New capability

Crisis Communications, with receipts.

23 attorney-shape templates. Privilege chain. Hash-chained signoffs. Watermarked sample exports. You author it. You send it from your own domain. IR-OS never touches delivery.

Customer Breach Notification · US State General

NOTICE OF DATA SECURITY INCIDENT

Dear {{recipient_name}},

We are writing to inform you of a recent incident that may have involved your personal information ...

On {{detection_date}}, we discovered {{incident_summary}} ...

✓ Legal signoff · General Counsel · 11:42am
✓ CISO signoff · M. Lynd · 11:48am
sha256: a3f8b29c4d1e…
TEMPLATE · REQUIRES LEGAL REVIEW · Not legal advice. Full disclaimer: app.ir-os.com/legal/crisis-comms-disclaimer
Authoring, not delivery

23 attorney-shape templates across 6 jurisdictions

Holding statements, customer breach letters, regulator notifications (SEC 8-K, GDPR Article 33, HIPAA HHS, NY DFS, state AG), public statements, internal updates, board briefs. Each cited to the rule it satisfies.

Privilege chain

Legal → Comms → Executive signoffs, all hash-chained

Every signoff captures a sha256 of the exact wording approved. Privileged drafts marked structurally so they do not bleed into the disclosable record.

Defensible exports

PDF + DOCX downloads with full provenance

Sample templates carry a diagonal SAMPLE watermark. Once you clone and edit into your library, the watermark drops. Every export is logged on the chain - hand a regulator the PDF and the /verify URL.

Send from your own domain

IR-OS never delivers external comms

Your DKIM, your reputation, your legal recipient list. We hand you the document. You and your counsel decide who gets it and when.

See all 23 templates → Start 7-day trial

Card required, cancel anytime before day 7 · 30-day money-back guarantee

Ask AI · Only in IR-OS

The most experienced IR coaches, in the room with you, every step.

Ask AI is a domain-trained assistant and expert coach that helps you configure your plan, optimize readiness, and act during incidents - with cited answers grounded in your IR plan, your incidents, your insurance policy, and the regulatory standards that apply to your organization.

IR-OS Ask AI interface with context-aware suggestions for the active incident, regulatory clocks, IR plan refinement, and cyber insurance first-notice requirements.

Configure, optimize, act

Helps you set up roles, runbooks, and tabletops the first time, spots readiness gaps day-to-day, and answers "what do I do next" with citations during a real incident.

Org-aware out of the box

Already knows your active incidents, IR plan, tabletops, gap analysis, and cyber insurance policy. No copy-paste. No re-explaining your environment.

Cited every time

Grounded in NIST 800-61, ISO 27035, CISA, MITRE ATT&CK + D3FEND, OFAC, EDPB, FBI IC3, and 150+ real tabletop patterns. Live web search for today's CVEs and advisories, scoped to cyber and IR.

Guardrailed for IR & risk

Engages on incident response, compliance, BCP, security budgeting, vendor selection, board communication, and the current threat landscape. Not a general-purpose chatbot.

Included on every plan
Squad 50/mo · Command 400/mo · Theater unlimited. Free during a declared incident.
Your data stays yours
Models never train on your prompts, plan, or tabletop content. Theater tier offers a private IR Brain corpus.
Native MCP integration
The same IR Brain over MCP, available in Claude Desktop, Cursor, and any MCP client, with the same citations.
Try Ask AI. Start your 7-day trial. See plan limits

Card required, cancel anytime before day 7 · 30-day money-back guarantee · No installation, no consulting

See It In Action

From blank page to command center. 4 steps.

Most IR tools assume you already have a plan, a team, a practiced routine, and a process. IR-OS assumes you don't, it gets you there, then keeps you sharp.

1

Build your IR plan in 15 minutes

Conversational AI interview asks about your industry, regulators, team, and stack. Generates a plan mapped to NIST 800-61 or ISO 27035.

AI Plan Coach
What industry are you in?
Healthcare, 450 employees
Mapping HIPAA + state laws...
2

AI maps the right role to each IRC function

For each of the six IRC functions, AI recommends the job title in a typical organization that owns it (General Counsel for Legal Liaison, VP Comms for Crisis Communications, Security Engineering Lead for Technical Lead). You name the actual person. We never ingest your org chart.

IRC Roles
Incident Commander
Sarah Chen · VP Security
Legal Liaison
J. Martinez · GC
Comms Lead
T. Okonkwo · CMO
Tech Lead
M. Patel · Security Eng
+ 2 backups per role
3

Practice with AI-facilitated tabletops

Run quarterly tabletops on real scenarios. AI facilitates, captures findings, tracks gaps. Every exercise builds your readiness baseline, so when a real incident hits, you're not starting from zero.

Q2 Tabletop · Ransomware
Inject 3. Board briefing
✓ Role clarityPass
Regulatory clockGap
✓ Evidence preservationPass
4

Command the incident

Real-time clocks. Hash-chained record. AI copilot. Board briefing ready. Every action logged. Every regulator covered.

Regulatory Clocks. Live
GDPR Article 33
72h notification
47:23:11
HIPAA Breach
60-day notification
59d 12h
Cyber Insurance
48h first-notice
11:47:02
SEC Item 1.05
4 business days
95:23:11
Start Your 7-Day Free Trial →

30-day money-back guarantee

IR-OS Cyber Insurance policy detail showing carrier, reporting deadline, panel vendors, coverage limits, obligations, and exclusions ready for use during an incident
Cyber Insurance · panel vendors, reporting deadlines, and obligations ready the moment an incident is declared
The real promise of AI

Do more with fewer resources.
Deliver exponentially better outcomes.

This is what AI is supposed to deliver, and it's the biggest gap most organizations still struggle to close. Incident response is where that gap hurts most: understaffed teams, regulatory clocks that don't stop, and boardroom stakes on every decision.

IR-OS closes the gap by handing AI the work that used to steal your people's hours, so your team ships board-grade, regulator-ready outcomes on the first pass.

Five AI Agents Working For You

AI agents that work for you even when you're not looking.

IR-OS doesn't just activate during an incident. Five managed AI agents run continuously on your behalf, monitoring readiness, watching incidents, facilitating exercises, scanning threats, and building your private knowledge base. No other CIRM platform has agents that think about your organization when you're not.

AAR Builder Agent

When you close an incident, this agent automatically generates a board-ready Word document, an Excel gap analysis, and a PDF defensible record, with web-searched CVE context and hash-chained proof.

Tier: Command + Theater

AI War Room Copilot

A built-in war room where every responder sees the same live feed and @AI is always in the room. Watches the event stream, flags regulatory deadlines, and delivers board briefs, regulatory notices, or threat assessments on demand, cited and seconds away.

Tier: Command + Theater

Tabletop Facilitator

An AI facilitator trained on the patterns surfaced in 150+ real C-suite tabletops our Advisory Board has facilitated. Presents scenarios, delivers timed injects, probes weak decisions, and generates the exercise AAR with gap tracker items. Self-serve tabletops at scale.

Tier: Theater · Powered by Claude Opus

Compliance + Threat Intel Scanner

Runs weekly. Assesses your readiness posture (plan staleness, exercise compliance, insurance expiry, open gaps) and cross-references CISA advisories and MITRE ATT&CK updates against your specific environment.

Tier: Command (monthly) · Theater (weekly)

Private Brain Ingester

Upload your own AARs, IR plans, tabletop records, and policies. This agent processes them into structured, retrievable chunks that every other agent can cite, your private institutional memory, searchable by AI.

Tier: Theater

Defensible by Design

Every agent action is recorded in the SHA-256 hash-chained event ledger. AI suggestions require human approval. The agents advise your team decides. The record proves exactly what the AI recommended and when.

All tiers · FRE 901 ready

The competitive moat: these agents require a structured event ledger, a RAG knowledge base, deep tenant context, and a reasoning model capable of synthesizing across all of them. Most competitors have zero of these. IR-OS has all five.

Readiness that compounds

Most teams drill once a year and hope. IR-OS makes readiness continuous.

Three distinct readiness surfaces, each with its own defensible record. Every module attested, every drill scored, every tabletop findings-tracked. All rolled into one tamper-evident readiness trail a regulator, insurer, or board member can inspect on demand.

Attested Training Modules

Ten role-aware modules covering the NIST lifecycle, IR roles, regulatory clocks, containment vs. evidence, breach counsel, ransom decisions, after-action discipline, and the IR-OS platform. Every completion is legally attested with IP and user-agent captured, then hash-chained into the audit log. Re-attestation required every 365 days.

Module completion ✓ Attested
NIST Lifecycle Reg Clocks AAR Discipline

Was: Annual "click through" e-learning   Now: Defensible per-member proof

AI-Facilitated Drills

Five to ten minute scenario drills any team member can run anytime. Seven threat archetypes: ransomware, data breach, BEC, insider threat, supply chain, phishing, DDoS. AI judges each decision as best, acceptable, suboptimal, or wrong, then produces an after-action report automatically. Per-member drill history and decision-quality trendlines roll up to the Readiness dashboard.

Drill · decision quality 7B · 2A · 1S

Was: One tabletop a year, unscored   Now: Weekly drills, AI-scored

Compliance-Grade Tabletops

Formal sixty-to-one-hundred-twenty minute tabletop exercises for the whole command team, facilitated by an AI trained on the operational patterns from the 150+ exec tabletops Mark Lynd has facilitated across his career. Every finding becomes a tracked remediation item with an owner and deadline. Produces the exact record your regulator, auditor, or insurance carrier asks for.

Exercise findings → Remediation plan
Coordination gap Reg clock Counsel escalation

Was: Lost PowerPoints and no follow-up   Now: Tracked findings, owners, deadlines

One readiness trail

Every module completion, every drill score, every tabletop finding is hash-chained into the same tamper-evident audit log as your live incident timelines. When a regulator, board member, or cyber insurer asks "prove you were ready," you hand them a cryptographically verifiable record instead of a PowerPoint.

Side-by-side timeline

See the same incident, minute-by-minute, with and without IR-OS.

From minute 0 through Day 90. Where the time, the money, and the senior-team attention actually go.

See the timeline comparison →

Stop running incidents from spreadsheets.

7-day free trial · 30-day money-back guarantee

Start Your 7-Day Trial → Read the Research →

The Timeline That Holds Up

Regulators want evidence. Insurers want proof. Plaintiffs want gaps. IR-OS gives you an append-only, hash-chained incident record that proves exactly what happened, when, and who decided.

14:03
Incident Declared
J. Chen
a3f8...c2d1
14:06
Task Assigned
IR-OS AI
7b2e...9f04
14:11
Status Update
M. Torres
e1c5...4a87
14:18
Decision Logged
S. Park
3d9a...b6f2
14:24
Notification Sent
System
f042...1e3c

Append-only, events can never be edited or deleted after creation

SHA-256 hash chain, each event cryptographically links to the previous one

Exportable, full timeline available for legal, regulatory, and insurance review

Why a Top 5 Ranked Cybersecurity & AI Thought Leader and Practitioner is an IR-OS Advisory Board Member

150+ executive cyber incident response tabletops across Fortune 500s, critical infrastructure, and the public sector, with one consistent verdict on what IR-OS gets right.

Advisory Board Member
I've run more than 150 executive cyber incident response tabletops across Fortune 500s, critical infrastructure, and the public sector. The same three failures show up every time. Coordination breaks down. Nobody can prove what was decided and when. And the after-action work never actually updates the plan. IR-OS is the first platform I've seen that fixes all three by construction, not by process discipline. Its AI-native design (cited answers on every page, a grounded IR Brain, native MCP integration) compounds on itself. Organizations that adopt it don't just respond faster. They do more with fewer responders and deliver exponentially better outcomes on every incident. That is the actual promise of AI, and one of the biggest gaps most organizations still face. IR-OS is the first platform I've seen that keeps that promise for incident command.
ML
Mark Lynd
5x CIO / CISO · Top 5 Ranked Global Cybersecurity and AI Thought Leader
IR-OS Advisory Board Member · 150+ executive IR tabletops

For your role

Different decision-makers, different value. Pick yours.

CISO

Reduce response burden. Compress tempo.

The answer to "what now" is already on screen. State plus role equals view. Your responders see only what they need to do next, not a fifty-item runbook.

CIO

Faster recovery. Cleaner handoff. Reportable to the board.

Less time in the war room. Faster recovery to production. One platform where IT, security, legal, comms, and the business see the same state and the same next action, so coordination does not collapse into Slack threads. A defensible record you can hand to the CEO, the board, and the audit committee without rebuilding it from email after the fact.

General Counsel

Privilege handled structurally, not by responder declaration.

Regulatory clocks tracked from your policy text. A defensible record that survives discovery. Refuse-to-build list keeps governance theater out of the platform.

CFO

A balance-sheet line, not a process metric.

Shorter incidents. Lower notification spend. Lower fine bracket. Cleaner insurance recovery. Pace becomes dollars saved on every event.

CRO · Head of GRC

Attestations, audit-ready exports, AAR-to-remediation closure.

SOC 2, pen tests, insurance attestation, tabletops, and the after-action review with linked remediation, all on one audit-ready substrate.

IR Lead

Five-minute setup. Single owner per task. Run the room.

The screen tells the team what to do next so you can think two steps ahead. Forgiving for edits, confirmed for destruction. Voice and keyboard input, both audited.

Start your 7-day free trial

Five-minute setup · No sales call

What Our Customers Say

Customer names and organizations are intentionally anonymized. Strong cyber-hygiene, the same kind we teach in our tabletops, means not exposing your incident-response stack to anyone profiling your defenses.

"When my team opens the dashboard we know who owns what, which clocks would start, and what counsel would need to see. That kind of confidence is hard to put a price on, and it is what we did not have before."

Marcus T., Chief Information Security Officer
Mid-market Financial Services Organization

"My responsibility is making sure the record we keep would hold up if anyone ever asked. With IR-OS I can answer that question honestly. The artifact is exportable, the privilege model is real, and that is what lets me sleep."

Helen K., General Counsel
Regional Healthcare System

"Cyber insurance was the line item I worried about most. The first-notice workflow is wired to our policy trigger, the documentation writes itself, and our broker now uses our setup as a reference example. That is the value I was looking for."

Priya S., Chief Financial Officer
Growth-stage SaaS Company

"Our drills used to be a calendar invite people dreaded. We are more than 5x as ready as we were before, practicing on the same surface we would actually use, and nobody has to ask where to look. That is the difference between knowing a plan and being able to run one."

David R., Director of Incident Response
National Retail Chain

"Communications used to be our slowest workstream because every draft needed three approvals routed by email. The signoff trail captures all of that natively, drafts stay under privilege, and my team can move at the pace the moment requires."

Yvonne L., Vice President of Communications
Multinational Manufacturer

"My board chair stopped asking for ad-hoc updates because the briefing she needs is one click away. The audit committee conversation changed character entirely. We are governing the program now, not reacting to it."

Anita J., Chief Executive Officer
PE-backed Industrial Services Firm

"For an organization our size, the value is that we look prepared without pretending to be something we are not. The plan is real, the drills are real, and the record is real. That is the whole point of readiness."

Brent M., Chief Information Security Officer
State-level Public-Sector Agency

Enterprise-Grade Security

Built on SOC 2 Type II infrastructure.
Hardened at every application layer.

Procurement teams don't lose sleep over marketing claims, they lose sleep over audit reports. Here's the shared-responsibility reality of IR-OS: what we inherit from our providers, and what we own in our own code.

Infrastructure. Inherited certifications
Edge & Network Provider
SOC 2 Type II · ISO 27001 · PCI DSS · FedRAMP Moderate
Global CDN, fast for your team anywhere
Static assets served from 300+ cities worldwide. Sub-100ms page loads from anywhere your responders are. Volumetric DDoS absorbed at the edge before requests ever reach origin, the platform stays up for you while your attackers are trying to take it down.
Database & Auth Provider
SOC 2 Type II · HIPAA-eligible · encryption at rest
Encrypted by default, backed up continuously
Customer data encrypted at rest and in transit. Automatic backups with point-in-time recovery. Authentication, session rotation, and password hashing handled by a hardened platform, so your team never has to roll its own crypto. Multi-region redundancy absorbs hardware failures before you see them.
LLM Providers
SOC 2 Type II · ISO 27001 · ISO 42001 · HIPAA-eligible
Enterprise AI, zero training-data leakage
The models behind Ask-AI, the CISO Copilot, and MCP never train on your content. Enterprise contracts with zero-data-retention commitments. Your incidents, your plan, and your decisions stay yours, grounded answers only, no foundation-model memory of your organization.
Payment Provider
SOC 2 Type II · PCI DSS Level 1
Zero PCI scope inherited from us
All billing, card data, and chargebacks run through a PCI-Level-1 provider with 3DS and tokenization. IR-OS never stores, transmits, or processes a card number. You don't inherit our PCI scope, and we don't inherit yours. Clean line between your subscription and your compliance footprint.
Application layer. Principles IR-OS enforces

Strict tenant isolation

Your organization's data is cryptographically isolated at the database layer. Every query is bound to the caller's tenant before a single row returns. Cross-tenant reads are not possible by construction, not by convention.

Tamper-evident audit

A cryptographic audit trail records every material governance event, training, drills, account changes, settings changes. Integrity can be mathematically verified; modification after the fact is detectable.

Least-privilege API access

Integration keys are single-purpose by design, a key issued for one surface cannot reach another. Keys are stored only in hashed form, minted with strong entropy, visible to you once, and revocable in a single click.

Hardened identity & access

Short-lived authenticated sessions, modern password requirements, re-authentication for sensitive operations, and multi-factor authentication support. Privileged actions are server-gated before the page renders.

Defense in depth

Multiple independent layers protect every request, network edge, browser hardening, abuse protection, and runtime scope enforcement. No single control is the only thing standing between an attacker and your data.

AI guardrails, never autonomous

Every AI surface is advisory-only. Context is scoped to your own organization. Answers are grounded in cited sources, no fabrications, no cross-tenant exposure, no ability for the AI to modify platform state.

Detailed security documentation available to prospects under NDA [email protected]

Standards-anchored, not invented

Aligned with the standards your regulator and insurer expect

IR-OS plans, runbooks, and the audit trail are built on recognized cyber-IR standards. Pick the framework your program runs on. We carry the rest.

IR Plan Frameworks
NIST SP 800-61 Rev. 2
ISO/IEC 27035-1:2023
CISA Federal IR Playbook
SANS PICERL (SEC504)
IR-OS Expert (from M. Lynd's 150+ tabletops)
Runbook + Threat Standards
OASIS CACAO 2.0 playbook serialization
MITRE ATT&CK technique tagging
MITRE D3FEND defensive countermeasures
CISA #StopRansomware advisories
OFAC ransomware decision guidance
Regulatory Clocks
SEC Item 1.05 (4 business days)
GDPR Article 33 (72 hours)
NY DFS 500.17 (72 hours)
HIPAA Breach Notification (60 days)
NIS2, DORA, state breach laws

Plus a Standards Watcher Agent on the roadmap that monitors NIST, ISO, CISA, MITRE, OASIS, OFAC, SEC, EDPB, and FBI IC3 daily, then drafts plan amendments with citations the moment something material changes.

Your IR program stops drifting the moment it is signed.

Pricing built for how you run incidents

Three plans. Every plan includes the defensible record, the IR Brain, and every AI capability. Pick the one that matches your team size and complexity, not a segment. Federal, SLED, and enterprise teams can procure on your paper via verified POs and standard contract vehicles, see the procurement options.

Pricing is going up soon. Subscribe now and your rate is locked through your first renewal, even after published rates rise.
Public Sector
Gov, SLED & First Responders
Discounts available · see details →
Commercial · Most popular
SMB & Mid-Market
Squad or Command below →
Enterprise
Fortune 1000 & Multi-National
Theater tier · contact sales →
Monthly
Annual Save 2 months
Squad
Squad
For small teams that need AI superpowers and a defensible record without enterprise complexity.
$299/mo
  • Up to 4 users
  • 1 IRC team with 4 roles + 1 backup
  • 5 active incidents per year
  • 2 tabletop exercises per year
  • All 3 plan templates (Expert, NIST, ISO 27035)
  • AI Plan Coach + IRC Recommender
  • IR Brain queries (50/mo)
  • Hash-chained defensible record
  • Auto-generated after-action reports
  • PDF incident reports
  • Email + community support
Start your 7-day free trial or buy now, no trial needed
Most Popular
Command
The full command-center for teams running real incidents, with every parallel regulatory clock, insurance, and AI agent turned on.
$499/mo
  • Up to 20 users
  • 3 IRC teams with 10 roles + 2 backups each
  • Unlimited incidents
  • 4 tabletop exercises per year
  • Everything in Squad, plus:
  • Parallel regulatory clock tracking (GDPR, HIPAA, NY DFS, state laws, NIS2, DORA, insurance)
  • Cyber insurance policy management
  • IR Brain queries (400/mo)
  • Readiness dashboard + gap tracker
  • Slack + Teams notifications
  • SIEM + SOAR webhooks
  • 7 pre-built incident playbooks
  • IOC tracking per incident
  • Visual incident timeline
  • Alert ingestion from SIEM/EDR
  • Evidence upload with chain of custody
  • Priority email + chat support
Start your 7-day free trial or buy now, no trial needed
Theater
Theater
For enterprises and multi-national organizations. Tailored deployment, private IR Brain, configurable controls, and procurement on your paper. Priced to fit the scope and requirements of your program.
Contact Sales Custom pricing · tailored to your scope
  • Unlimited users
  • Unlimited IRC teams across business units
  • Unlimited incidents and tabletops
  • Everything in Command, plus:
  • Multi-BU parent hierarchy + unified board view
  • SSO / SAML / SCIM provisioning
  • Unlimited IR Brain queries
  • Private IR Brain corpus (your tabletops + AARs ingested)
  • NERC CIP + TSA + CIRCIA + DORA compliance mapping
  • API access, webhooks, custom integrations
  • Dedicated CSM + 24×7 support
  • SOC 2 Type II + compliance package
Contact Sales or submit an RFP / purchase order

All plans include a 7-day free trial and a 30-day money-back guarantee. Card required up front, cancel anytime before day 7.

Are you a first responder, fire, EMS, or law enforcement agency? You may qualify for discounted pricing contact us and we'll take care of you. Also, state/local government, K-12, and higher ed is available upon request, you must reach out to us.

Government, SLED & Enterprise Procurement

Procure IR-OS on your paper.

Federal agencies, state and local government, K-12, higher ed, and enterprise teams can procure IR-OS through standard procurement instruments. We accept verified purchase orders and common federal and SLED procurement paperwork, including:

  • Purchase Orders (PO / SPO)
  • GSA Schedule and contract vehicles
  • Cooperative contracts (Sourcewell, NASPO, TIPS, BuyBoard)
  • SF-1449 / SF-33 federal forms
  • State and local standard POs
  • Enterprise MSA and invoicing

Submit the form below with your procurement details. We review every submission personally, verify the instrument, and respond within two business days with next steps, required documentation, and a point of contact for the rest of the process.

Submitting opens your email client with a pre-filled message to Mark for personal review. Your details are not stored on our servers.

Request prepared. Your email client should have opened with the procurement details pre-filled to [email protected]. Review, attach any supporting documents, and send. We review every submission personally and respond within two business days.

Pricing Questions

What's included in the free trial?
Every plan. Squad, Command, and Theater, includes a full-featured 7-day free trial. You get access to everything in your chosen plan with no feature restrictions. Card required up front, no charge for 7 days, cancel anytime before day 7.
What happens after the trial ends?
When your 7-day trial ends, you'll be prompted to add a payment method to continue. Your data, team configuration, and incident history are preserved, nothing is deleted. If you choose not to subscribe, your account enters a read-only state until you activate a plan.
Can I upgrade or downgrade at any time?
Yes. You can switch between Squad, Command, and Theater at any time from the Billing page. Upgrades take effect immediately and are prorated. Downgrades apply at the end of your current billing period.
Is there a long-term contract?
No. All plans are month-to-month with no long-term commitment. You can cancel at any time from the Billing page, and your plan remains active through the end of the current billing period.
What payment methods do you accept?
We accept all major credit cards (Visa, Mastercard, American Express, Discover) through Stripe for Squad and Command plans.

For federal agencies, state and local government, K-12, higher ed, and enterprise teams, we also accept verified purchase orders and common procurement instruments, including GSA Schedule and cooperative contracts (Sourcewell, NASPO, TIPS, BuyBoard), SF-1449 / SF-33, state and local standard POs, and enterprise MSA with invoicing.

Submit your details through the procurement request form above. We review every submission personally, verify the instrument, and respond within two business days.
What's included in the 30-day money-back guarantee?
If IR-OS doesn't measurably improve your incident coordination and readiness workflow within 30 days, we'll refund your payment in full. No questions, no friction. This applies to all plans.
Do you offer discounts for first responders or government?
Yes. Fire, EMS, law enforcement, state/local government, K-12, and higher education organizations may qualify for discounted pricing. No discount is applied automatically, you must reach out to us and we'll take care of you.
How does per-user pricing work?
Pricing is per-organization, not per-user. Each plan includes a user cap. Squad supports up to 4 users, Command up to 20, and Theater is unlimited. Every user within your cap has full access to all features included in your plan.
What counts as an "active incident"?
An active incident is any incident that has been declared and is not yet closed. On the Squad plan, you can have up to 5 incidents per year (real or simulated). Closed incidents do not count against your limit. Command and Theater plans include unlimited incidents.
Can I add more users to my plan?
Each plan has a fixed user cap, 4 on Squad, 20 on Command, unlimited on Theater. If you need more users than your current plan allows, upgrade to the next tier from the Billing page. Upgrades are prorated and take effect immediately.

Frequently Asked Questions

Everything you need to know about IR-OS and incident command.

What is IR-OS?
IR-OS is a cyber incident command platform purpose-built for coordinating the human side of cyber incident response. It handles task assignment, role-based views, AI-assisted decision support, defensible timelines, readiness tracking, and after-action reviews, everything that happens between your SIEM firing an alert and the incident being closed. It is built by our team for cyber-IR specifically, so every workflow reflects what actually happens under pressure. Our Advisory Board includes Mark Lynd, who has facilitated 150+ C-suite tabletops across his career.
How is IR-OS different from PagerDuty, Jira, or ServiceNow?
PagerDuty routes alerts. Jira tracks tickets. ServiceNow manages workflows. None of them were built for incident coordination, the part where executives need status updates, legal needs notification timelines, comms needs hold/release decisions, and someone has to prove to regulators what happened and when. IR-OS was built specifically for that room, informed by the 150+ executive tabletops Mark Lynd has facilitated across his career. It is not a retrofit, it is purpose-built. See the full comparison hub for side-by-side breakdowns.
How is IR-OS different from FireHydrant (now part of Freshservice)?
FireHydrant is a strong SRE incident-management platform now becoming part of Freshservice ITSM via the December 2025 Freshworks acquisition. For deploys, outages, and infrastructure failures, that fit makes sense. For cyber incidents with regulators, insurers, and counsel waiting at the end, it is a structural mismatch: cyber-IR is a different category than ITSM. Most teams keep FireHydrant for SRE and run cyber-IR in IR-OS, with a webhook between them at the classification edge. See the full comparison or the migration path.
What standards does IR-OS align with?
IR-OS is standards-anchored, not invented. IR plan frameworks (pick one): NIST SP 800-61 Rev. 2, ISO/IEC 27035-1:2023, CISA Federal Government IR Playbook, SANS PICERL (SEC504), and IR-OS Expert (developed by our team with Advisory Board input from Mark Lynd). Runbook serialization: OASIS CACAO 2.0 with signed export. Threat taxonomy: MITRE ATT&CK and MITRE D3FEND tagging. Pre-built runbooks derived from the CISA Federal IR Playbook. Parallel regulatory clocks: SEC Item 1.05, GDPR Article 33, NY DFS, HIPAA, NIS2, DORA, CIRCIA, state breach laws. A Standards Watcher Agent on the roadmap monitors these sources daily and drafts plan amendments within 48 hours of material changes. See the full list at #standards.
What is a defensible incident record?
Every event in IR-OS is stored in an append-only timeline with SHA-256 hash chaining. Events cannot be edited or deleted after creation. Each event is cryptographically linked to the one before it, creating a tamper-evident chain of custody. This record stands up to regulatory scrutiny, insurer review, and legal discovery because it's mathematically provable that no one altered it after the fact.
How does the AI assistance work?
When you declare an incident, IR-OS reads your IR plan, the incident type, severity, and regulatory context to generate task suggestions, notification recommendations, and decision prompts. Every AI suggestion cites the section of your plan or regulation it's based on. AI suggestions are advisory, a human approves or dismisses every one. The system learns from your exercises and incident patterns to improve over time.
What is Ask AI in IR-OS?
Ask AI is unique to IR-OS. No other CIRM, IRP, or incident-management platform ships it. It is a domain-trained assistant and expert coach in IR-OS that helps you configure your plan during setup, optimize readiness day-to-day, and act decisively during a real incident. It already knows your active incidents, your IR plan, your tabletops, your gap analysis, and your insurance policy details. Every answer cites the IR Brain corpus: NIST 800-61, ISO/IEC 27035, CISA #StopRansomware, MITRE ATT&CK + D3FEND, OFAC, EDPB Guidelines 9/2022, FBI IC3, and 150+ real tabletop patterns. It is guardrailed to incident response, risk, compliance, BCP, security budgeting, vendor selection, and the current threat landscape, not a general-purpose chatbot. Think of it as the most experienced set of incident response coaches in the room with you, every step.
How is Ask AI different from ChatGPT or Claude.ai?
ChatGPT and Claude.ai are general-purpose chatbots with no knowledge of your organization. Ask AI is grounded in your active IR plan, your open incidents, your tabletop AARs, your gap analysis, and your cyber insurance policy details, and every answer cites the regulatory or standards source it's based on. The models behind Ask AI never train on your prompts, plan, or tabletop content. Theater tier offers a private IR Brain corpus that ingests your own playbooks and AARs.
How many Ask AI queries do I get per month?
Squad: 50 IR Brain queries per month. Command: 400 IR Brain queries per month. Theater: unlimited. Ask AI is free during a declared incident on every tier. We don't meter you when you're mid-response.
What does "AI-native" mean for IR-OS? Isn't every platform bolting on an AI chat bubble now?
Most platforms add a chat bubble that wraps a generic LLM. IR-OS is AI-native in a specific sense: (1) every AI surface is grounded in the IR Brain RAG. NIST 800-61, ISO 27035, SEC Item 1.05, GDPR, CISA, OFAC, MITRE ATT&CK, and 150+ tabletop operational patterns, with inline citations, never fabrications; (2) the AI surfaces are specialized , a CISO Copilot, a Comms Copilot, a Compliance Monitor, an Ask-AI assistant, an AI IRC Recommender, each with its own guardrailed prompt; (3) IR-OS ships an MCP (Model Context Protocol) server so Claude Desktop, Claude Code, Cursor, and any MCP-compatible agent can query incidents, regulatory clocks, panel vendors, and the IR Brain natively, no screen-scraping, no CSV exports. The AI isn't a feature on the side; it's part of the architecture.
Can I connect IR-OS to Claude Desktop or Cursor directly?
Yes. The ir-os-mcp package is a standalone MCP server that runs locally (via npx) and talks to IR-OS over HTTPS with a scoped, revocable mcp:read API key you mint from Settings → API Keys. Six read-only tools are exposed in v0.1: list incidents, get timeline, compute regulatory clocks, list panel vendors, read plan phase, and search the IR Brain RAG. Write tools (declare incident, append timeline entry) require a separate mcp:write scope that's on the Phase 2 roadmap with explicit audit-log integration.
What's your security and compliance posture?
IR-OS runs on SOC 2 Type II infrastructure across our edge, database, LLM, and payment providers, see the Security section above for the inherited-certifications summary. At the application layer we enforce strict tenant isolation, a tamper-evident cryptographic audit trail over governance events, least-privilege scoped integration keys, hardened identity and session controls, defense-in-depth across independent layers, and advisory-only AI surfaces that cannot modify platform state. Detailed security posture documentation is available to prospects under NDA at [email protected].
Can I use IR-OS in a HIPAA or regulated environment?
The underlying infrastructure we run on is HIPAA-eligible when the relevant BAAs are executed. IR-OS BAAs are available to enterprise customers as part of the Theater tier or a custom contract, email [email protected] to start that conversation. For regulated customers who need private IR Brain content (org-specific playbooks, runbooks, regulator correspondence), the Theater tier supports a private brain partition distinct from the shared public corpus.
Do I need an existing IR plan to use IR-OS?
No. IR-OS ships with a battle-tested IR plan template built from the operational patterns surfaced in 150+ real C-suite tabletops our Advisory Board has facilitated. You can use it as-is, customize it to your organization, or upload your own plan. The platform adapts its AI suggestions and task generation to whatever plan you have in place.
How long does setup take?
Most teams are operational in 15 minutes. Import your team roster, choose or upload your IR plan, set notification preferences, and you're ready to declare your first incident or run your first tabletop exercise. There's no weeks-long implementation or professional services engagement required.
What types of incidents does IR-OS handle?
Data breaches, ransomware, insider threats, system outages, third-party compromises, physical security events, and regulatory incidents. Each incident type has tailored workflows, task templates, notification sequences, and regulatory mappings. You can also create custom incident types with your own workflows.
How does the readiness dashboard work?
Four traffic-light indicators track your organizational readiness: exercise compliance (have you tested recently?), open remediation gaps (from exercises, assessments, and AARs), overdue assessments, and insurance expiry. Green means ready. Amber means attention needed. Red means act now. It gives leadership a single-glance view without digging through multiple reports.
Can I run tabletop exercises in IR-OS?
Yes. Log exercises with attendees, scenarios, findings, and action items. Every finding automatically creates a remediation item in the gap tracker. Over time, IR-OS builds a complete picture of your readiness posture by connecting exercises, assessments, real incidents, and after-action reviews into one continuous improvement loop.
What happens after an incident closes?
IR-OS auto-generates a structured after-action review (AAR): executive summary, timeline summary, what worked well, gaps identified with severity ratings, SLA compliance analysis, regulatory compliance status, and prioritized recommendations. Each identified gap can be pushed to the remediation tracker with one click, closing the loop from incident to improvement to verification.
Is my data secure?
IR-OS enforces strict tenant isolation at the database layer every query is bound to the caller's organization before any row returns. Data is encrypted at rest and in transit. The append-only event store ensures no one, including administrators , can alter the incident record after creation. Your incident data never leaves your isolated tenant. Full security posture documentation available under NDA at [email protected].
What's the trial and guarantee?
Every plan. Squad, Command, and Theater, includes a 7-day free trial and a 30-day money-back guarantee. If IR-OS doesn't measurably improve your incident coordination and readiness workflow within 30 days, we'll refund your payment in full. No questions, no frictionrequired for the trial.
Do you offer discounted pricing for first responders or SLED?
Are you a first responder, fire, EMS, or law enforcement agency? You may qualify for discounted pricing, contact us and we'll take care of you. Also, state/local government, K-12, and higher ed is available upon request, you must reach out to us.

Still evaluating options? Compare IR-OS side-by-side.

Cytactic · BreachRx · Cydarm · ServiceNow SIR · FireHydrant · PagerDuty · incident.io · spreadsheets

See every comparison →

The next incident is already being planned against you.

Every Friday afternoon ends someone's quarter. Every unpatched server is a ticking audit trail. Have an IR plan, command team, and defensible timeline ready in 15 minutes, not 15 months.

Start Your 7-Day Trial Book a Walkthrough

Full platform access. Cancel in one click.