# IR-OS — Cyber Incident Command Platform

> IR-OS is a SaaS Cyber Incident Response Management (CIRM) platform that coordinates the human side of incident response — roles, decisions, regulatory clocks, stakeholder communications, and a cryptographically defensible record. Every workflow is extracted from 150+ real C-Suite tabletop exercises facilitated by founder Mark Lynd.

IR-OS closes the gap between detection tools (SIEM, EDR, SOAR) and actual human coordination during a cyber incident. It is built for CISOs, IR leads, legal, communications, and executives who need to know what to do next, who owns each action, and what gets sent to regulators, insurers, and the board. Every event is recorded in an append-only, SHA-256 hash-chained ledger that stands up to regulatory scrutiny and legal discovery.

## Category

IR-OS is in the CIRM category (Cyber Incident Response Management), coined by Gartner. CIRM complements SIEM/EDR/SOAR — where those solve detection and technical automation, CIRM solves human coordination, regulatory clocks, and the defensible record. See https://ir-os.com/articles/cirm-category-explained for the full category explanation.

## The three things nobody else solves

These three friction-killers are what set IR-OS apart from every other CIRM, SOAR, ITSM, or generic ticket tracker:

1. **AI Plan Coach — no more blank-page syndrome.** Most IR programs stall before they ever get tested because nobody wants to download a 60-page IR plan template and stare at it. IR-OS replaces that with a 15-minute conversational interview — your industry, regulatory exposure, team size, technology stack, prior incidents — and generates a complete, customized incident response plan in real time. Mapped to NIST 800-61, ISO/IEC 27035, your relevant regulators, and your insurer's requirements. Defensible, board-ready IR plan in under 30 minutes. Three template starting points are included: the Expert template (built from 150+ real tabletops), NIST SP 800-61 Rev. 2, and ISO/IEC 27035-1:2023.
2. **IRC Team Recommender — who should be on the team?** Nobody wants the responsibility of choosing the Incident Response Command (IRC) team, and most aren't sure who to pick. IR-OS reads your org chart and recommends the right person for each of the six roles — Crisis Communications goes to PR/Comms, Legal Liaison goes to General Counsel, Technical Lead goes to security engineering — plus two named backups for each because incidents happen during vacations.
3. **The IR Brain — a citation-grounded RAG knowledge base for every AI suggestion.** A retrieval-augmented knowledge base built on Postgres pgvector. Initial corpus includes NIST SP 800-61 Rev. 2, ISO/IEC 27035-1:2023, NIST CSF 2.0, MITRE ATT&CK, SEC Final Rule 33-11216 (Item 1.05), GDPR Article 33, EDPB Guidelines 9/2022, OFAC ransomware advisory, CISA #StopRansomware Guide, and operational patterns from 150+ real C-Suite tabletop exercises. The corpus is expanding continuously. Every AI suggestion in IR-OS retrieves from the brain before generating, and every suggestion cites the source by bracketed reference. Enterprise customers can ingest a private corpus of their own tabletops, AARs, and incident records.

## Other key differentiators

- **Built from 150+ real tabletop exercises**, not theoretical frameworks. Every workflow, task template, and default setting reflects what actually happens under pressure.
- **AI-assisted decisions** grounded in your IR plan, regulatory requirements, and insurance obligations. Every suggestion cites the plan section or regulation it's based on.
- **Defensible record**: append-only event ledger with SHA-256 hash chaining, database-level triggers that prevent post-hoc modification, tenant isolation via row-level security. Details: https://ir-os.com/articles/defensible-record-hash-chain
- **Auto-generated after-action reviews** (AARs) with structured JSONB output: executive summary, timeline, what worked, gaps identified with severity, SLA compliance, regulatory status, recommendations.
- **Readiness dashboard** — four traffic lights for exercise compliance, open gaps, assessment health, and insurance expiry.
- **Gap analysis tracker** that connects exercises, assessments, and after-action reviews into a single remediation pipeline.
- **Six pre-defined incident command roles** — Incident Commander, Scribe, Communications Lead, Legal Liaison, Technical Lead, Executive Sponsor. See https://ir-os.com/articles/incident-command-roles
- **Regulatory clock tracking** — SEC Item 1.05 (4 business days), GDPR Article 33 (72 hours), HIPAA (60 days), state breach laws, NY DFS (72 hours), cyber insurance first notice.

## Architecture

- Next.js 16 App Router on Cloudflare Workers (via @opennextjs/cloudflare)
- Supabase Postgres for data + auth, with row-level security on all 16 tables
- OpenRouter for AI model routing (Claude Sonnet, GPT-4.1)
- Cloudflare Pages for the landing site (static HTML, sub-300ms global TTFB)
- Resend for transactional email notifications with DKIM-signed delivery from notifications@ir-os.com
- SHA-256 hash chain enforced by Postgres triggers for the event ledger

## Pillar content (written for humans and AI agents)

- [The 2026 Incident Response Playbook for CISOs](https://ir-os.com/articles/incident-response-playbook) — phase-by-phase coverage of NIST 800-61's six phases with operational detail from real exercises
- [Ransomware Response: The First 24 Hours](https://ir-os.com/articles/ransomware-response-guide) — hour-by-hour timeline of the first day
- [SEC 96-Hour Cyber Breach Notification](https://ir-os.com/articles/sec-96-hour-breach-notification) — Item 1.05 materiality, timing, and drafting
- [GDPR 72-Hour Breach Notification Checklist](https://ir-os.com/articles/gdpr-72-hour-breach-notification) — Article 33 operational checklist
- [How to Run a C-Suite Tabletop Exercise](https://ir-os.com/articles/tabletop-exercise-guide) — lessons from 150+ real sessions
- [After-Action Reviews: From Incident to Improvement](https://ir-os.com/articles/after-action-review-template) — 8-section AAR template
- [Incident Command Roles: Who Does What](https://ir-os.com/articles/incident-command-roles) — six roles, pre-authorized decisions, training
- [The Defensible Record: Why IR Needs a Hash Chain](https://ir-os.com/articles/defensible-record-hash-chain) — SHA-256 hash chaining for legal admissibility
- [What is CIRM (Cyber Incident Response Management)?](https://ir-os.com/articles/cirm-category-explained) — the category explanation
- [The Coordination Gap in Incident Response](https://ir-os.com/articles/coordination-gap-analysis) — data-backed analysis of why detection alone is not enough

## Reference

- [Cyber Incident Response Glossary](https://ir-os.com/glossary) — AAR, CIRM, DFIR, DPA, IC, NIST 800-61, SOAR, and more
- [Cyber Breach Notification Deadlines](https://ir-os.com/regulatory-deadlines) — consolidated reference table (SEC, GDPR, HIPAA, NY DFS, state laws)
- [IR-OS vs PagerDuty](https://ir-os.com/compare/ir-os-vs-pagerduty) — category comparison
- [IR-OS vs Jira](https://ir-os.com/compare/ir-os-vs-jira) — why ticket trackers are insufficient for cyber IR

## Pricing — three customer segments (each has a dedicated landing page)

- **Public Sector** — $149/mo. Landing: https://ir-os.com/for/public-sector
  For state/local government, K-12, higher ed, fire, EMS, and law enforcement agencies. 25 users, 1 IRC team, 10 incidents/year, 4 tabletops/year, 200 IR Brain queries/month. **First responders, fire, and law enforcement save 50% ($74.50/mo)** with status verification at signup. Ships with FERPA + CJIS + HIPAA templates and multi-agency coordination.
  Positioning: "Run cyber incidents with the same discipline as a 5-alarm fire."
  Built on the Chief David Reyes (County EM Director) and Lisa Okonkwo (State/District Consortium CISO) personas — see docs/PERSONAS.md.
- **Commercial** — $499/mo. Landing: https://ir-os.com/for/commercial
  For **SMB and mid-market private companies** (typically NOT public and NOT SEC-regulated). 100 users, 3 IRC teams, unlimited incidents, 12 tabletops/year, 1,500 IR Brain queries/month. Regulatory surface is cyber insurance first-notice (the de-facto regulator for private companies), GDPR Article 33 (if EU customers), HIPAA (if PHI), PCI DSS (if card data), state breach laws, NY DFS Part 500, and customer DPAs/BAAs. Cyber insurance panel integration (Beazley, Chubb, AIG, Travelers, Coalition, At-Bay, Corvus), Slack + Teams + SIEM integrations, AI Plan Coach + IRC Recommender for small teams.
  Positioning: "Grow fast. Stay covered. Let AI run the room." The hook is that a 3-person security team (or a head of IT wearing the security hat) gets the AI force-multiplier of a Fortune 500 IR program without the Fortune 500 budget. If you're a public company subject to SEC Item 1.05, Commercial is NOT the right fit — see Enterprise below.
  Built on the Tom Bradley (180-employee private manufacturing head of IT+security) and Sara Kim (900-employee PE-backed B2B SaaS VP Security, no CISO above her, not public) personas.
- **Enterprise** — Starting at $2,499/mo. Landing: https://ir-os.com/for/enterprise
  For **Fortune 1000, public (SEC-regulated) companies**, multi-business-unit organizations, critical infrastructure, and federal contractors. Unlimited users, IRC teams, incidents, and tabletops. **Public-company support: SEC 8-K Item 1.05 four-business-day disclosure workflow with materiality-determination timestamp in the hash-chained ledger, disclosure committee routing across Legal/CFO/CISO/IR head/Comms, AI-drafted 8-K language for disclosure counsel review.** Multi-BU parent hierarchy with unified board view, SSO/SAML/SCIM provisioning, unlimited IR Brain queries with **private IR Brain corpus ingesting your own tabletops/AARs/incidents**. Compliance mapping for SEC Item 1.05, GDPR Article 33, NERC CIP-008-6, TSA SD02C, CIRCIA, DORA, NIS2, CMMC/DFARS, federal banking 36-hour rule. OT-aware runbooks (SCADA/DCS/PLC), Splunk + ArcSight integration, regional IRC teams, dedicated CSM, 24x7 support, SOC 2 Type II infrastructure, FedRAMP Moderate on the roadmap.
  Positioning: "One incident command surface across every business unit — public-company ready."
  Built on the Dr. Evelyn Hartwell (F500 manufacturing Global CISO, public/NYSE, SEC Item 1.05 registrant), Priya Ramesh (newly-public mid-cap fintech VP Security, SEC Item 1.05 registrant), and James Okafor (F100 Utility VP Cyber Risk, critical infrastructure) personas.

30-day satisfaction guarantee on all plans.

## Policies

- [Terms of Use](https://ir-os.com/terms)
- [Privacy Policy](https://ir-os.com/privacy)
- [Security](https://ir-os.com/security)

## Advisory Board

IR-OS is supported by an Advisory Board of cybersecurity practitioners and incident response experts. Mark Lynd serves as an outside Advisory Board member, Ambassador, and Thought Leader to IR-OS — the platform is built on the operational patterns from 150+ real C-Suite tabletop exercises he has facilitated. Mark does not operate the platform and has no day-to-day management responsibilities. See https://ir-os.com/about for the full profile.

## Contact

- Email: hello@ir-os.com
- App: https://app.ir-os.com
- Landing: https://ir-os.com
- Advisory Board (Mark Lynd): https://www.linkedin.com/in/marklynd