IR-OS Cyber Incident Command Platform logo
IR-OS | Incident Response Operating System
The AI-Native Incident Command Platform

Put AI on your IR team.
Skip the drudgery.
Take command of your next cyber incident.

No more blank-page IR plans. No more "who's on the team?" committee meetings. No more 40-hour after-action reports. IR-OS is the Cyber Incident Response Management (CIRM) platform with AI that writes your plan, picks your command team, tracks every regulator, and produces a defensible record.

Start 10-Day Trial
Mark Lynd 5x CEO, CIO, & CISO IR-OS Advisory Board Member Top 5 Ranked Thought Leader for AI & Cybersecurity

Featured in and recognized by

Forbes CNBC CIO.com InformationWeek Dark Reading
NEW · April 2026
Research Report
State of Incident
Response Readiness
2026
150+
Tabletops
32
Industries
10
Key Findings
Original Research

Why do IR plans break during real incidents?

Ten findings from 150+ C-suite cyber tabletop exercises facilitated across 32 industries. The coordination, communication, and regulatory failures that no post-incident report surfaces because they get fixed before the report is written.

  • Role clarity collapses in the first 30 minutes
  • Regulatory clocks are not tracked during incidents
  • Teams call the wrong stakeholder first
  • The first executive update is usually wrong
Read the Full Report → Start Free 10-Day Trial

Free · No email required · Cited by CISOs, security journalists, and IR consultancies

See It In Action

From blank page to command center. 4 steps.

Most IR tools assume you already have a plan, a team, a practiced routine, and a process. IR-OS assumes you don't, it gets you there, then keeps you sharp.

1

Build your IR plan in 15 minutes

Conversational AI interview asks about your industry, regulators, team, and stack. Generates a plan mapped to NIST 800-61 or ISO 27035.

AI Plan Coach
What industry are you in?
Healthcare, 450 employees
Mapping HIPAA + state laws...
2

AI picks your IRC team

Upload your org chart. AI recommends the right person for each role, plus named backups, in minutes, not months.

IRC Roles
Incident Commander
Sarah Chen · VP Security
Legal Liaison
J. Martinez · GC
Comms Lead
T. Okonkwo · CMO
Tech Lead
M. Patel · Security Eng
+ 2 backups per role
3

Practice with AI-facilitated tabletops

Run quarterly tabletops on real scenarios. AI facilitates, captures findings, tracks gaps. Every exercise builds your readiness baseline, so when a real incident hits, you're not starting from zero.

Q2 Tabletop · Ransomware
Inject 3. Board briefing
✓ Role clarityPass
⚠ Regulatory clockGap
✓ Evidence preservationPass
4

Command the incident

Real-time clocks. Hash-chained record. AI copilot. Board briefing ready. Every action logged. Every regulator covered.

Regulatory Clocks. Live
GDPR Article 33
72h notification
47:23:11
HIPAA Breach
60-day notification
59d 12h
Cyber Insurance
48h first-notice
11:47:02
SEC Item 1.05
4 business days
95:23:11
Start Your 10-Day Free Trial →

No credit card · 30-day satisfaction guarantee

Nine AI-Powered Capabilities

Nine AI-Powered capabilities that change how your team runs every incident.

Each one replaces a task your team dreads and keeps doing anyway. Each one cites its source from the IR Brain, so you and your board trust the output on the first read. You buy IR-OS for the outcome, not the paperwork.

15-Minute IR Plan Generation

Conversational AI interview. Fully customized, regulator-mapped IR plan in your hand in 15 minutes, not 6 weeks of consulting or staring at a blank template.

Generating IR plan…73%
✓ NIST 800-61 mapped✓ HIPAA mapped

Was: 60-page template nobody opens   Now: 15 min

AI IRC Team Recommender

Reads your org chart. Suggests the right person for each of the six incident command roles plus two named backups. No more "who should be on the team?" committee meetings.

Incident Commander S. Chen · 98%
Legal Liaison J. Martinez · 94%
Comms Lead T. Okonkwo · 91%

Was: Months of committee   Now: Minutes

IR Brain. Cited AI Answers

Every AI suggestion is grounded in NIST 800-61, ISO/IEC 27035, SEC, GDPR, CISA, MITRE ATT&CK, and 150+ tabletop patterns and cites the source so your board trusts the output.

AI Answer · Cited Sources
NIST 800-61 ISO 27035 SEC 1.05 GDPR Art. 33 CISA

Was: Scrambling across PDFs   Now: Instant, cited

Parallel Regulatory Clock Tracking

GDPR Article 33, HIPAA, NY DFS, state breach laws, cyber insurance, NIS2, DORA, every clock auto-tracked in parallel from the moment you declare. Zero spreadsheet math.

GDPR 47:23
HIPAA 59d
Cyber Ins. 11:47
SEC 95:23

Was: Outlook calendar + prayers   Now: Auto-tracked

Auto-Generated After-Action Reviews

The moment you close the incident, IR-OS produces a board-ready AAR from the hash-chained event ledger: timeline, what worked, gaps with severity, SLA compliance, regulatory status, remediation plan with owners.

Generating AAR… ✓ Board-ready

Was: 40 hours of writing   Now: 2 minutes

Hash-Chained Defensible Record

SHA-256 hash-chained append-only event ledger. Every decision, notification, and handoff cryptographically timestamped. Regulator-proof, plaintiff-proof, board-proof under Federal Rule of Evidence 901.

a4f2c8
9e1b7d
3c8a02
now

Was: "We think that happened"   Now: Cryptographic proof

Ask-AI on Every Page

A floating AI assistant on every screen, grounded in NIST 800-61, CISA, SANS, ISO 27035, ENISA, and your org's own context. Cites the framework section, never fabricates, never takes unapproved actions.

When does the GDPR clock start?
72h from awareness [GDPR Art. 33]

Was: Google + gut feel   Now: Cited answer in seconds

MCP. Claude-Native Integration

Bring your own agent. IR-OS ships an MCP server so Claude Desktop, Claude Code, and Cursor can query your incidents, regulatory clocks, panel vendors, and IR Brain, with a scoped, revocable key you mint from Settings.

MCP tools · read-only v0.1
list_incidents get_clocks search_brain

Was: Copy-paste from dashboards   Now: Agent-native

Everything One Tap Away

Insurance policies, assessments, tabletops, gap analysis, and the AI-powered IR-OS Assistant all live in one surface. Your team stops searching across folders, tools, and tabs, which means pace and cadence go up in the moments that matter.

One tap · no searching 5 surfaces
Insurance Assessments Tabletops Gap Analysis IR-OS Assistant

Was: Hunt through five tools   Now: Everything one tap away

Every one of these works on day one. You don't wait for a 6-month implementation. You don't wait for a consultant. You log in, answer some questions, and your IR program has the AI running by lunchtime.

Pace and Cadence

IR-OS lifts your pace and cadence, and solves the two issues that wreck incident response the fastest: being slow and disorganized.

When leadership perceives the response team as slow and disorganized in the first hour or two, the downstream consequences can be disastrous. IR-OS relieves your team of both risks so you run the incident with the command, tempo, and defensibility the moment demands.

Two cybersecurity analysts working calmly and in sync in a Security Operations Center with overhead incident response dashboards
IR-OS Cyber Insurance policy detail showing carrier, reporting deadline, panel vendors, coverage limits, obligations, and exclusions ready for use during an incident
Cyber Insurance · panel vendors, reporting deadlines, and obligations ready the moment an incident is declared
The real promise of AI

Do more with fewer resources.
Deliver exponentially better outcomes.

This is what AI is supposed to deliver, and it's the biggest gap most organizations still struggle to close. Incident response is where that gap hurts most: understaffed teams, regulatory clocks that don't stop, and boardroom stakes on every decision.

IR-OS closes the gap by handing AI the work that used to steal your people's hours, so your team ships board-grade, regulator-ready outcomes on the first pass.

Five AI Agents Working For You

AI agents that work for you even when you're not looking.

IR-OS doesn't just activate during an incident. Five managed AI agents run continuously on your behalf, monitoring readiness, watching incidents, facilitating exercises, scanning threats, and building your private knowledge base. No other CIRM platform has agents that think about your organization when you're not.

AAR Builder Agent

When you close an incident, this agent automatically generates a board-ready Word document, an Excel gap analysis, and a PDF defensible record, with web-searched CVE context and hash-chained proof.

Tier: Command + Theater

Background Co-Pilot

Runs in parallel with your IRC team during live incidents. Watches the event stream, flags regulatory clock deadlines, detects decision slowdowns, and drafts notifications before you ask.

Tier: Command + Theater

Tabletop Facilitator

An AI facilitator built from 150+ real C-Suite exercises. Presents scenarios, delivers timed injects, probes weak decisions, and generates the exercise AAR with gap tracker items. Self-serve tabletops at scale.

Tier: Theater · Powered by Claude Opus

Compliance + Threat Intel Scanner

Runs weekly. Assesses your readiness posture (plan staleness, exercise compliance, insurance expiry, open gaps) and cross-references CISA advisories and MITRE ATT&CK updates against your specific environment.

Tier: Command (monthly) · Theater (weekly)

Private Brain Ingester

Upload your own AARs, IR plans, tabletop records, and policies. This agent processes them into structured, retrievable chunks that every other agent can cite, your private institutional memory, searchable by AI.

Tier: Theater

Defensible by Design

Every agent action is recorded in the SHA-256 hash-chained event ledger. AI suggestions require human approval. The agents advise your team decides. The record proves exactly what the AI recommended and when.

All tiers · FRE 901 ready

The competitive moat: these agents require a structured event ledger, a RAG knowledge base, deep tenant context, and a reasoning model capable of synthesizing across all of them. Most competitors have zero of these. IR-OS has all five.

Readiness that compounds

Most teams drill once a year and hope.
IR-OS makes readiness continuous.

Three distinct readiness surfaces, each with its own defensible record. Every module attested, every drill scored, every tabletop findings-tracked. All rolled into one tamper-evident readiness trail a regulator, insurer, or board member can inspect on demand.

Attested Training Modules

Ten role-aware modules covering the NIST lifecycle, IR roles, regulatory clocks, containment vs. evidence, breach counsel, ransom decisions, after-action discipline, and the IR-OS platform. Every completion is legally attested with IP and user-agent captured, then hash-chained into the audit log. Re-attestation required every 365 days.

Module completion ✓ Attested
NIST Lifecycle Reg Clocks AAR Discipline

Was: Annual "click through" e-learning   Now: Defensible per-member proof

AI-Facilitated Drills

Five to ten minute scenario drills any team member can run anytime. Seven threat archetypes: ransomware, data breach, BEC, insider threat, supply chain, phishing, DDoS. AI judges each decision as best, acceptable, suboptimal, or wrong, then produces an after-action report automatically. Per-member drill history and decision-quality trendlines roll up to the Readiness dashboard.

Drill · decision quality 7B · 2A · 1S

Was: One tabletop a year, unscored   Now: Weekly drills, AI-scored

Compliance-Grade Tabletops

Formal sixty-to-one-hundred-twenty minute tabletop exercises for the whole command team, facilitated by an AI that mirrors the 150+ exec tabletops this platform was modeled on. Every finding becomes a tracked remediation item with an owner and deadline. Produces the exact record your regulator, auditor, or insurance carrier asks for.

Exercise findings → Remediation plan
Coordination gap Reg clock Counsel escalation

Was: Lost PowerPoints and no follow-up   Now: Tracked findings, owners, deadlines

One readiness trail

Every module completion, every drill score, every tabletop finding is hash-chained into the same tamper-evident audit log as your live incident timelines. When a regulator, board member, or cyber insurer asks "prove you were ready," you hand them a cryptographically verifiable record instead of a PowerPoint.

The drudgery you skip.
The outcomes you keep.

Nobody's real reason for buying a CIRM platform is "I love writing IR plans." The real reason is the opposite. Here's what changes the day you turn IR-OS on.

Before IR-OS
  • Download a 60-page IR plan template. Never finish it.
  • Form a committee to pick the IRC team. Months pass.
  • Track 6 regulatory clocks in an Outlook calendar.
  • Reconstruct "who knew what when" from Slack + memory.
  • Call the broker who calls the carrier, hope you beat the clock.
  • Write a 40-hour after-action report for the board.
  • Pray your cyber insurance claim isn't denied.
After IR-OS
  • Plan Coach generates a tailored, regulator-mapped plan in 15 min.
  • IRC Recommender assigns 6 roles + 2 backups each from your org chart.
  • Every regulatory clock auto-tracked in parallel from declaration.
  • Hash-chained ledger proves to the second what was known when.
  • Insurance first-notice automated, coverage protected.
  • AAR auto-generated the moment you close the incident.
  • Board-ready proof. Regulator-ready proof. Plaintiff-ready proof.

Bottom line: you get the outcome a 6-week consulting engagement and a 40-hour AAR writing session would produce, in minutes, not months, with AI that cites every source.

IR-OS Command Center showing the Program Health Score, Readiness Scorecard, and Program Momentum panels — the live operational dashboard inside the platform
Command Center · Program Health Score and Readiness Scorecard (live view inside IR-OS)

What Is IR-OS?

TL;DR: IR-OS is a Cyber Incident Response Management (CIRM) platform that coordinates the human side of cyber incident response — roles, decisions, regulatory clocks, stakeholder communications, and a cryptographically defensible record. Every workflow is extracted from 150+ real C-Suite tabletop exercises.

IR-OS complements detection tools like SIEM and EDR. Where those answer “what is happening?”, IR-OS answers “who decides, when, and how do we prove it?” It is built on frameworks including NIST SP 800-61 and aligned to regulatory regimes including GDPR Article 33's 72-hour clock, HIPAA, state breach laws, and cyber insurance first-notice windows.

Key Takeaway: According to the Verizon Data Breach Investigations Report and the IBM Cost of a Data Breach analysis, most breach cost is concentrated in containment time which is a coordination problem, not a detection problem. IR-OS closes that gap. Read our data-backed coordination gap analysis, the 2026 incident response playbook, or our ransomware response guide.

Why It Works

Detection isn't the gap. Coordination is.

You've invested millions in detection tools. But when an incident hits, response still runs on email threads, Slack chaos, and someone's spreadsheet. IR-OS is built from 150+ real tabletops to fix the three things nobody else does, and we're opinionated about how.

The three problems detection tools ignore

Tools Don't Coordinate People

Your SIEM fires. Your EDR quarantines. But who's calling legal? Who's notifying the board? Who owns comms hold? Detection tools don't answer those questions.

Runbooks Fail Under Pressure

Static PDFs look great in audits. They collapse at 2 AM when three executives are asking different questions and nobody knows the current status.

No Record Means No Defense

If you can't prove what you did, when you did it, and who decided , regulators, insurers, and plaintiffs will write that story for you.

Built from the room, not the whiteboard

Battle-Tested Workflows

Every task template, escalation path, and status flow was extracted from real exercises with real executives. Not theoretical, pressure-tested.

AI That Knows the Playbook

AI suggestions are grounded in your IR plan, regulatory requirements, and insurance obligations, not generic best practices from a training set. Every answer cites its source.

Opinionated by Design

IR-OS doesn't ask you to configure everything. It ships with defaults that work because they came from the room, not a product committee.

Stop running incidents from spreadsheets.

10-day free trial · No credit card · 30-day satisfaction guarantee

Start Your 10-Day Trial → Read the Research →

The Timeline That Holds Up

Regulators want evidence. Insurers want proof. Plaintiffs want gaps. IR-OS gives you an append-only, hash-chained incident record that proves exactly what happened, when, and who decided.

14:03
Incident Declared
J. Chen
a3f8...c2d1
14:06
Task Assigned
IR-OS AI
7b2e...9f04
14:11
Status Update
M. Torres
e1c5...4a87
14:18
Decision Logged
S. Park
3d9a...b6f2
14:24
Notification Sent
System
f042...1e3c

Append-only, events can never be edited or deleted after creation

SHA-256 hash chain, each event cryptographically links to the previous one

Exportable, full timeline available for legal, regulatory, and insurance review

What the command center actually looks like

During a real incident, your team works across three views: the live timeline, the readiness dashboard, and the AI copilot. Here's what you'll see.

Incident Timeline
14:03DeclaredRansomware, critical
14:04TaskNotify outside counsel
14:06AISuggested: Isolate segment
14:11UpdateContainment, 3 hosts
Readiness Dashboard
3
Exercises
4
Open Gaps
0
Assessments
142d
Insurance
55% remediated25% in progress20% open
AI Suggestions
AI Suggestion 94% confidence
Engage outside counsel per IR Plan §4.2
HIPAA
Approve Dismiss
AI Suggestion 87% confidence
Issue 72-hour breach notification to DPA
GDPR
Approve Dismiss

IR-OS vs. The Status Quo

Feature Spreadsheets & Email Jira / PagerDuty IR-OS
Purpose-built for incidents Retrofitted
Tamper-evident timeline ✓ SHA-256 hash chain
AI-assisted decisions ✓ Plan-aware
Regulatory mapping ✓ Built-in
Insurance integration ✓ Policy + expiry tracking
Readiness scoring ✓ 4-pillar dashboard
After-action reviews Manual Manual ✓ Auto-generated
Exercise tracking ✓ With gap flow-through
Built from real incidents ✓ 150+ exercises
Time to operational Weeks Weeks of config ✓ 15 minutes

Why a Top 5 Ranked Cybersecurity & AI Thought Leader and Practitioner is an IR-OS Advisory Board Member

150+ executive incident response tabletops across Fortune 500s, critical infrastructure, and the public sector, with one consistent verdict on what IR-OS gets right.

Advisory Board Member
I've run more than 150 executive incident response tabletops across Fortune 500s, critical infrastructure, and the public sector. The same three failures show up every time. Coordination breaks down. Nobody can prove what was decided and when. And the after-action work never actually updates the plan. IR-OS is the first platform I've seen that fixes all three by construction, not by process discipline. Its AI-native design (cited answers on every page, a grounded IR Brain, native MCP integration) compounds on itself. Organizations that adopt it don't just respond faster. They do more with fewer responders and deliver exponentially better outcomes on every incident. That is the actual promise of AI, and one of the biggest gaps most organizations still face. IR-OS is the first platform I've seen that keeps that promise for incident command.
ML
Mark Lynd
5x CIO / CISO · Top 5 Ranked Global Cybersecurity and AI Thought Leader
IR-OS Advisory Board Member · 150+ executive IR tabletops
Enterprise-Grade Security

Built on SOC 2 Type II infrastructure.
Hardened at every application layer.

Procurement teams don't lose sleep over marketing claims, they lose sleep over audit reports. Here's the shared-responsibility reality of IR-OS: what we inherit from our providers, and what we own in our own code.

Infrastructure. Inherited certifications
Edge & Network Provider
SOC 2 Type II · ISO 27001 · PCI DSS · FedRAMP Moderate
Global CDN, fast for your team anywhere
Static assets served from 300+ cities worldwide. Sub-100ms page loads from anywhere your responders are. Volumetric DDoS absorbed at the edge before requests ever reach origin, the platform stays up for you while your attackers are trying to take it down.
Database & Auth Provider
SOC 2 Type II · HIPAA-eligible · encryption at rest
Encrypted by default, backed up continuously
Customer data encrypted at rest and in transit. Automatic backups with point-in-time recovery. Authentication, session rotation, and password hashing handled by a hardened platform, so your team never has to roll its own crypto. Multi-region redundancy absorbs hardware failures before you see them.
LLM Providers
SOC 2 Type II · ISO 27001 · ISO 42001 · HIPAA-eligible
Enterprise AI, zero training-data leakage
The models behind Ask-AI, the CISO Copilot, and MCP never train on your content. Enterprise contracts with zero-data-retention commitments. Your incidents, your plan, and your decisions stay yours, grounded answers only, no foundation-model memory of your organization.
Payment Provider
SOC 2 Type II · PCI DSS Level 1
Zero PCI scope inherited from us
All billing, card data, and chargebacks run through a PCI-Level-1 provider with 3DS and tokenization. IR-OS never stores, transmits, or processes a card number. You don't inherit our PCI scope, and we don't inherit yours. Clean line between your subscription and your compliance footprint.
Application layer. Principles IR-OS enforces

Strict tenant isolation

Your organization's data is cryptographically isolated at the database layer. Every query is bound to the caller's tenant before a single row returns. Cross-tenant reads are not possible by construction, not by convention.

Tamper-evident audit

A cryptographic audit trail records every material governance event, training, drills, account changes, settings changes. Integrity can be mathematically verified; modification after the fact is detectable.

Least-privilege API access

Integration keys are single-purpose by design, a key issued for one surface cannot reach another. Keys are stored only in hashed form, minted with strong entropy, visible to you once, and revocable in a single click.

Hardened identity & access

Short-lived authenticated sessions, modern password requirements, re-authentication for sensitive operations, and multi-factor authentication support. Privileged actions are server-gated before the page renders.

Defense in depth

Multiple independent layers protect every request, network edge, browser hardening, abuse protection, and runtime scope enforcement. No single control is the only thing standing between an attacker and your data.

AI guardrails, never autonomous

Every AI surface is advisory-only. Context is scoped to your own organization. Answers are grounded in cited sources, no fabrications, no cross-tenant exposure, no ability for the AI to modify platform state.

Detailed security documentation available to prospects under NDA [email protected]

Pricing built for how you run incidents

Three plans. Every plan includes the defensible record, the IR Brain, and every AI capability. Pick the one that matches your team size and complexity, not a segment. Federal, SLED, and enterprise teams can procure on your paper via verified POs and standard contract vehicles — see the procurement options.

Pricing is going up soon. Subscribe now and your rate is locked through your first renewal, even after published rates rise.
Public Sector
Gov, SLED & First Responders
Discounts available · see details →
Commercial · Most popular
SMB & Mid-Market
Squad or Command below →
Enterprise
Fortune 1000 & Multi-National
Theater tier · contact sales →
Monthly
Annual Save 2 months
Squad
Squad
For small teams that need AI superpowers and a defensible record without enterprise complexity.
$199/mo
  • Up to 4 users
  • 1 IRC team with 4 roles + 1 backup
  • 5 active incidents per year
  • 2 tabletop exercises per year
  • All 3 plan templates (Expert, NIST, ISO 27035)
  • AI Plan Coach + IRC Recommender
  • IR Brain queries (50/mo)
  • Hash-chained defensible record
  • Auto-generated after-action reports
  • PDF incident reports
  • Email + community support
Start 10-Day Trial or buy now, no trial needed
Most Popular
Command
The full command-center for teams running real incidents, with every parallel regulatory clock, insurance, and AI agent turned on.
$499/mo
  • Up to 20 users
  • 3 IRC teams with 10 roles + 2 backups each
  • Unlimited incidents
  • 4 tabletop exercises per year
  • Everything in Squad, plus:
  • Parallel regulatory clock tracking (GDPR, HIPAA, NY DFS, state laws, NIS2, DORA, insurance)
  • Cyber insurance policy management
  • IR Brain queries (400/mo)
  • Readiness dashboard + gap tracker
  • Slack + Teams notifications
  • SIEM + SOAR webhooks
  • 7 pre-built incident playbooks
  • IOC tracking per incident
  • Visual incident timeline
  • Alert ingestion from SIEM/EDR
  • Evidence upload with chain of custody
  • Priority email + chat support
Start 10-Day Trial or buy now, no trial needed
Theater
Theater
For enterprises and multi-national organizations. Tailored deployment, private IR Brain, configurable controls, and procurement on your paper. Priced to fit the scope and requirements of your program.
Contact Sales Custom pricing · tailored to your scope
  • Unlimited users
  • Unlimited IRC teams across business units
  • Unlimited incidents and tabletops
  • Everything in Command, plus:
  • Multi-BU parent hierarchy + unified board view
  • SSO / SAML / SCIM provisioning
  • Unlimited IR Brain queries
  • Private IR Brain corpus (your tabletops + AARs ingested)
  • NERC CIP + TSA + CIRCIA + DORA compliance mapping
  • API access, webhooks, custom integrations
  • Dedicated CSM + 24×7 support
  • SOC 2 Type II + compliance package
Contact Sales or submit an RFP / purchase order

All plans include a 10-day free trial and a 30-day satisfaction guarantee. No credit card required for the trial.

Are you a first responder, fire, EMS, or law enforcement agency? You may qualify for discounted pricing contact us and we'll take care of you. Also, state/local government, K-12, and higher ed is available upon request, you must reach out to us.

Government, SLED & Enterprise Procurement

Procure IR-OS on your paper.

Federal agencies, state and local government, K-12, higher ed, and enterprise teams can procure IR-OS through standard procurement instruments. We accept verified purchase orders and common federal and SLED procurement paperwork, including:

  • Purchase Orders (PO / SPO)
  • GSA Schedule and contract vehicles
  • Cooperative contracts (Sourcewell, NASPO, TIPS, BuyBoard)
  • SF-1449 / SF-33 federal forms
  • State and local standard POs
  • Enterprise MSA and invoicing

Submit the form below with your procurement details. We review every submission personally, verify the instrument, and respond within two business days with next steps, required documentation, and a point of contact for the rest of the process.

Submitting opens your email client with a pre-filled message to Mark for personal review. Your details are not stored on our servers.

Request prepared. Your email client should have opened with the procurement details pre-filled to [email protected]. Review, attach any supporting documents, and send. We review every submission personally and respond within two business days.

Pricing Questions

What's included in the free trial?
Every plan. Squad, Command, and Theater, includes a full-featured 10-day free trial. You get access to everything in your chosen plan with no feature restrictions. No credit card is required to start.
What happens after the trial ends?
When your 10-day trial ends, you'll be prompted to add a payment method to continue. Your data, team configuration, and incident history are preserved, nothing is deleted. If you choose not to subscribe, your account enters a read-only state until you activate a plan.
Can I upgrade or downgrade at any time?
Yes. You can switch between Squad, Command, and Theater at any time from the Billing page. Upgrades take effect immediately and are prorated. Downgrades apply at the end of your current billing period.
Is there a long-term contract?
No. All plans are month-to-month with no long-term commitment. You can cancel at any time from the Billing page, and your plan remains active through the end of the current billing period.
What payment methods do you accept?
We accept all major credit cards (Visa, Mastercard, American Express, Discover) through Stripe for Squad and Command plans.

For federal agencies, state and local government, K-12, higher ed, and enterprise teams, we also accept verified purchase orders and common procurement instruments, including GSA Schedule and cooperative contracts (Sourcewell, NASPO, TIPS, BuyBoard), SF-1449 / SF-33, state and local standard POs, and enterprise MSA with invoicing.

Submit your details through the procurement request form above. We review every submission personally, verify the instrument, and respond within two business days.
What's included in the 30-day satisfaction guarantee?
If IR-OS doesn't measurably improve your incident coordination and readiness workflow within 30 days, we'll refund your payment in full. No questions, no friction. This applies to all plans.
Do you offer discounts for first responders or government?
Yes. Fire, EMS, law enforcement, state/local government, K-12, and higher education organizations may qualify for discounted pricing. No discount is applied automatically, you must reach out to us and we'll take care of you.
How does per-user pricing work?
Pricing is per-organization, not per-user. Each plan includes a user cap. Squad supports up to 4 users, Command up to 20, and Theater is unlimited. Every user within your cap has full access to all features included in your plan.
What counts as an "active incident"?
An active incident is any incident that has been declared and is not yet closed. On the Squad plan, you can have up to 5 incidents per year (real or simulated). Closed incidents do not count against your limit. Command and Theater plans include unlimited incidents.
Can I add more users to my plan?
Each plan has a fixed user cap, 4 on Squad, 20 on Command, unlimited on Theater. If you need more users than your current plan allows, upgrade to the next tier from the Billing page. Upgrades are prorated and take effect immediately.

Frequently Asked Questions

Everything you need to know about IR-OS and incident command.

What is IR-OS?
IR-OS is an incident command platform purpose-built for coordinating the human side of incident response. It handles task assignment, role-based views, AI-assisted decision support, defensible timelines, readiness tracking, and after-action reviews, everything that happens between your SIEM firing an alert and the incident being closed. It was built from 150+ real C-Suite tabletop exercises, so every workflow reflects what actually happens under pressure.
How is IR-OS different from PagerDuty, Jira, or ServiceNow?
PagerDuty routes alerts. Jira tracks tickets. ServiceNow manages workflows. None of them were built for incident coordination, the part where executives need status updates, legal needs notification timelines, comms needs hold/release decisions, and someone has to prove to regulators what happened and when. IR-OS was built specifically for that room, by someone who's run it 150+ times. It's not a retrofit, it's purpose-built.
What is a defensible incident record?
Every event in IR-OS is stored in an append-only timeline with SHA-256 hash chaining. Events cannot be edited or deleted after creation. Each event is cryptographically linked to the one before it, creating a tamper-evident chain of custody. This record stands up to regulatory scrutiny, insurer review, and legal discovery because it's mathematically provable that no one altered it after the fact.
How does the AI assistance work?
When you declare an incident, IR-OS reads your IR plan, the incident type, severity, and regulatory context to generate task suggestions, notification recommendations, and decision prompts. Every AI suggestion cites the section of your plan or regulation it's based on. AI suggestions are advisory, a human approves or dismisses every one. The system learns from your exercises and incident patterns to improve over time.
What does "AI-native" mean for IR-OS | isn't every platform bolting on an AI chat bubble now?
Most platforms add a chat bubble that wraps a generic LLM. IR-OS is AI-native in a specific sense: (1) every AI surface is grounded in the IR Brain RAG. NIST 800-61, ISO 27035, SEC Item 1.05, GDPR, CISA, OFAC, MITRE ATT&CK, and 150+ tabletop operational patterns, with inline citations, never fabrications; (2) the AI surfaces are specialized , a CISO Copilot, a Comms Copilot, a Compliance Monitor, an Ask-AI assistant, an AI IRC Recommender, each with its own guardrailed prompt; (3) IR-OS ships an MCP (Model Context Protocol) server so Claude Desktop, Claude Code, Cursor, and any MCP-compatible agent can query incidents, regulatory clocks, panel vendors, and the IR Brain natively, no screen-scraping, no CSV exports. The AI isn't a feature on the side; it's part of the architecture.
Can I connect IR-OS to Claude Desktop or Cursor directly?
Yes. The ir-os-mcp package is a standalone MCP server that runs locally (via npx) and talks to IR-OS over HTTPS with a scoped, revocable mcp:read API key you mint from Settings → API Keys. Six read-only tools are exposed in v0.1: list incidents, get timeline, compute regulatory clocks, list panel vendors, read plan phase, and search the IR Brain RAG. Write tools (declare incident, append timeline entry) require a separate mcp:write scope that's on the Phase 2 roadmap with explicit audit-log integration.
What's your security and compliance posture?
IR-OS runs on SOC 2 Type II infrastructure across our edge, database, LLM, and payment providers, see the Security section above for the inherited-certifications summary. At the application layer we enforce strict tenant isolation, a tamper-evident cryptographic audit trail over governance events, least-privilege scoped integration keys, hardened identity and session controls, defense-in-depth across independent layers, and advisory-only AI surfaces that cannot modify platform state. Detailed security posture documentation is available to prospects under NDA at [email protected].
Can I use IR-OS in a HIPAA or regulated environment?
The underlying infrastructure we run on is HIPAA-eligible when the relevant BAAs are executed. IR-OS BAAs are available to enterprise customers as part of the Theater tier or a custom contract, email [email protected] to start that conversation. For regulated customers who need private IR Brain content (org-specific playbooks, runbooks, regulator correspondence), the Theater tier supports a private brain partition distinct from the shared public corpus.
Do I need an existing IR plan to use IR-OS?
No. IR-OS ships with a battle-tested IR plan template built from 150+ real tabletop exercises. You can use it as-is, customize it to your organization, or upload your own plan. The platform adapts its AI suggestions and task generation to whatever plan you have in place.
How long does setup take?
Most teams are operational in 15 minutes. Import your team roster, choose or upload your IR plan, set notification preferences, and you're ready to declare your first incident or run your first tabletop exercise. There's no weeks-long implementation or professional services engagement required.
What types of incidents does IR-OS handle?
Data breaches, ransomware, insider threats, system outages, third-party compromises, physical security events, and regulatory incidents. Each incident type has tailored workflows, task templates, notification sequences, and regulatory mappings. You can also create custom incident types with your own workflows.
How does the readiness dashboard work?
Four traffic-light indicators track your organizational readiness: exercise compliance (have you tested recently?), open remediation gaps (from exercises, assessments, and AARs), overdue assessments, and insurance expiry. Green means ready. Amber means attention needed. Red means act now. It gives leadership a single-glance view without digging through multiple reports.
Can I run tabletop exercises in IR-OS?
Yes. Log exercises with attendees, scenarios, findings, and action items. Every finding automatically creates a remediation item in the gap tracker. Over time, IR-OS builds a complete picture of your readiness posture by connecting exercises, assessments, real incidents, and after-action reviews into one continuous improvement loop.
What happens after an incident closes?
IR-OS auto-generates a structured after-action review (AAR): executive summary, timeline summary, what worked well, gaps identified with severity ratings, SLA compliance analysis, regulatory compliance status, and prioritized recommendations. Each identified gap can be pushed to the remediation tracker with one click, closing the loop from incident to improvement to verification.
Is my data secure?
IR-OS enforces strict tenant isolation at the database layer every query is bound to the caller's organization before any row returns. Data is encrypted at rest and in transit. The append-only event store ensures no one, including administrators , can alter the incident record after creation. Your incident data never leaves your isolated tenant. Full security posture documentation available under NDA at [email protected].
What's the trial and guarantee?
Every plan. Squad, Command, and Theater, includes a 10-day free trial and a 30-day satisfaction guarantee. If IR-OS doesn't measurably improve your incident coordination and readiness workflow within 30 days, we'll refund your payment in full. No questions, no friction. No credit card required for the trial.
Do you offer discounted pricing for first responders or SLED?
Are you a first responder, fire, EMS, or law enforcement agency? You may qualify for discounted pricing, contact us and we'll take care of you. Also, state/local government, K-12, and higher ed is available upon request, you must reach out to us.

The next incident is already being planned against you.

Every Friday afternoon ends someone's quarter. Every unpatched server is a ticking audit trail. Have an IR plan, command team, and defensible timeline ready in 15 minutes, not 15 months.

Start Your 10-Day Trial Book a Walkthrough

No credit card. Full platform access. Cancel in one click.