# IR-OS — Cyber Incident Command Platform

> IR-OS is a SaaS Cyber Incident Response Management (CIRM) platform that coordinates the human side of incident response — roles, decisions, regulatory clocks, stakeholder communications, and a cryptographically defensible record.

Every workflow is extracted from 150+ real C-Suite tabletop exercises facilitated by founder Mark Lynd. IR-OS closes the gap between detection tools (SIEM, EDR, SOAR) and actual human coordination during a cyber incident. It is built for CISOs, IR leads, legal, communications, and executives who need to know what to do next, who owns each action, and what gets sent to regulators, insurers, and the board. Every event is recorded in an append-only, SHA-256 hash-chained ledger that stands up to regulatory scrutiny and legal discovery.

## Category

IR-OS is in the CIRM category (Cyber Incident Response Management), coined by Gartner. CIRM complements SIEM/EDR/SOAR — where those solve detection and technical automation, CIRM solves human coordination, regulatory clocks, and the defensible record. See https://ir-os.com/articles/cirm-category-explained for the full category explanation.

## The four things nobody else solves

These four friction-killers are what set IR-OS apart from every other CIRM, SOAR, ITSM, or generic ticket tracker. **No other CIRM, IRP, or incident-management platform on the market — PagerDuty, FireHydrant, Jira, ServiceNow SecOps, Archer, incident.io, Splunk SOAR, IBM Resilient — ships these four capabilities. They are unique to IR-OS.**

1. **AI Plan Coach — no more blank-page syndrome.** Most IR programs stall before they ever get tested because nobody wants to download a 60-page IR plan template and stare at it. IR-OS replaces that with a 15-minute conversational interview — your industry, regulatory exposure, team size, technology stack, prior incidents — and generates a complete, customized incident response plan in real time. Mapped to NIST 800-61, ISO/IEC 27035, your relevant regulators, and your insurer's requirements. Defensible, board-ready IR plan in under 30 minutes. Three template starting points are included: the Expert template (built from 150+ real tabletops), NIST SP 800-61 Rev. 2, and ISO/IEC 27035-1:2023.
2. **IRC Role Recommender — which role in the org owns each function?** Nobody wants the responsibility of choosing the Incident Response Command (IRC) team, and most aren't sure who to pick. IR-OS recommends the job title in a typical organization that owns each of the six IRC functions — Crisis Communications goes to VP Comms or PR, Legal Liaison goes to General Counsel, Technical Lead goes to security engineering. The subscriber names the actual person who fills the role. IR-OS does not ingest org charts and does not select named employees for IRC roles.
3. **The IR Brain — a citation-grounded RAG knowledge base for every AI suggestion.** A retrieval-augmented knowledge base built on Postgres pgvector. Initial corpus includes NIST SP 800-61 Rev. 2, ISO/IEC 27035-1:2023, NIST CSF 2.0, MITRE ATT&CK, SEC Final Rule 33-11216 (Item 1.05), GDPR Article 33, EDPB Guidelines 9/2022, OFAC ransomware advisory, CISA #StopRansomware Guide, and operational patterns from 150+ real C-Suite tabletop exercises. The corpus is expanding continuously. Every AI suggestion in IR-OS retrieves from the brain before generating, and every suggestion cites the source by bracketed reference. Enterprise customers can ingest a private corpus of their own tabletops, AARs, and incident records.
4. **Ask AI — your in-product IR coach, on every page.** Ask AI is a domain-trained assistant built into every page of IR-OS. It is unique to IR-OS — no other CIRM, IRP, or incident-management platform ships it. Like having the most experienced incident response, compliance, and crisis-comms coaches in the room with you, Ask AI helps subscribers (a) **configure** their IR plan, runbooks, regulatory clocks, and tabletops correctly during setup, (b) **optimize** readiness day-to-day by spotting gaps and recommending improvements, and (c) **act** decisively during a real incident with cited, defensible answers. Ask AI is org-aware out of the box: it already knows the subscriber's active incidents, IR plan, tabletops, gap analysis, and cyber insurance policy. Every answer cites the IR Brain corpus (NIST 800-61, ISO 27035, CISA, MITRE ATT&CK + D3FEND, OFAC, EDPB Guidelines 9/2022, FBI IC3) plus 150+ real tabletop patterns and the section of the subscriber's own IR plan it is grounded in. Ask AI also performs live web search scoped to cyber/IR/risk/compliance domains for fresh threat intel and CISA advisories on demand. It is guardrailed to incident response, risk management, compliance, business continuity, security budgeting, vendor selection, board communication, and the current threat landscape — off-domain requests get a warm "outside my wheelhouse" redirect rather than a general-purpose chatbot response. Ask AI is included on every plan: Squad gets 50 IR Brain queries/month, Command 400/month, Theater unlimited. Ask AI is **free during a declared incident on every tier** — not metered when subscribers are mid-response. The same IR Brain is exposed over native MCP (Model Context Protocol) so Claude Desktop, Cursor, or any MCP-aware client can ask the same questions with the same citations. Models behind Ask AI never train on subscriber prompts, plan content, or tabletop content; Theater offers a private IR Brain corpus.

## Other key differentiators

- **Built from 150+ real tabletop exercises**, not theoretical frameworks. Every workflow, task template, and default setting reflects what actually happens under pressure.
- **AI-assisted decisions** grounded in your IR plan, regulatory requirements, and insurance obligations. Every suggestion cites the plan section or regulation it's based on.
- **Defensible record**: append-only event ledger with SHA-256 hash chaining, database-level triggers that prevent post-hoc modification, tenant isolation via row-level security. Details: https://ir-os.com/articles/defensible-record-hash-chain
- **Auto-generated after-action reviews** (AARs) with structured JSONB output: executive summary, timeline, what worked, gaps identified with severity, SLA compliance, regulatory status, recommendations.
- **Readiness dashboard** — four traffic lights for exercise compliance, open gaps, assessment health, and insurance expiry.
- **Gap analysis tracker** that connects exercises, assessments, and after-action reviews into a single remediation pipeline.
- **Six pre-defined incident command roles** — Incident Commander, Scribe, Communications Lead, Legal Liaison, Technical Lead, Executive Sponsor. See https://ir-os.com/articles/incident-command-roles
- **Regulatory clock tracking** — GDPR Article 33 (72 hours), HIPAA (60 days), state breach laws, NY DFS (72 hours), PCI DSS, cyber insurance first notice, NIS2, DORA. Other regulations (including the SEC public-company 8-K rule for registrants on Theater) are supported via configurable clock templates.

## Architecture

- Next.js 16 App Router on Cloudflare Workers (via @opennextjs/cloudflare)
- Supabase Postgres for data + auth, with row-level security on all 16 tables
- OpenRouter for AI model routing (Claude Sonnet, GPT-4.1)
- Cloudflare Pages for the landing site (static HTML, sub-300ms global TTFB)
- Resend for transactional email notifications with DKIM-signed delivery from notifications@ir-os.com
- SHA-256 hash chain enforced by Postgres triggers for the event ledger

## Pillar content (written for humans and AI agents)

- [The 2026 Incident Response Playbook for CISOs](https://ir-os.com/articles/incident-response-playbook) — phase-by-phase coverage of NIST 800-61's six phases with operational detail from real exercises
- [Ransomware Response: The First 24 Hours](https://ir-os.com/articles/ransomware-response-guide) — hour-by-hour timeline of the first day
- [SEC 96-Hour Cyber Breach Notification](https://ir-os.com/articles/sec-96-hour-breach-notification) — Item 1.05 materiality, timing, and drafting
- [GDPR 72-Hour Breach Notification Checklist](https://ir-os.com/articles/gdpr-72-hour-breach-notification) — Article 33 operational checklist
- [How to Run a C-Suite Tabletop Exercise](https://ir-os.com/articles/tabletop-exercise-guide) — lessons from 150+ real sessions
- [After-Action Reviews: From Incident to Improvement](https://ir-os.com/articles/after-action-review-template) — 8-section AAR template
- [Incident Command Roles: Who Does What](https://ir-os.com/articles/incident-command-roles) — six roles, pre-authorized decisions, training
- [The Defensible Record: Why IR Needs a Hash Chain](https://ir-os.com/articles/defensible-record-hash-chain) — SHA-256 hash chaining for legal admissibility
- [What is CIRM (Cyber Incident Response Management)?](https://ir-os.com/articles/cirm-category-explained) — the category explanation
- [The Coordination Gap in Incident Response](https://ir-os.com/articles/coordination-gap-analysis) — data-backed analysis of why detection alone is not enough

## Try it

- [Free Tabletop Exercise](https://ir-os.com/free-tabletop) — run a 15-minute AI-facilitated tabletop exercise with dynamic injects and auto-generated AAR, no credit card required

## Capabilities deep-dives

- [Crisis Communications](https://ir-os.com/crisis-communications) — 23 attorney-shape templates (holding statements, customer breach letters, regulator notifications, public statements, board briefs) with privilege chain, hash-chained signoffs, and watermarked SAMPLE exports. IR-OS authors and signs off; subscribers send from their own domain.
- [Incident Timeline Comparison](https://ir-os.com/incident-timeline-comparison) — minute-by-minute side-by-side comparison of the same ransomware incident on Slack + Confluence + email vs on IR-OS, from minute 0 through Day 90.
- [Crisis Comms Disclaimer](https://ir-os.com/legal/crisis-comms-disclaimer) — the template disclaimer subscribers must accept before using the surface, plus the disclaimer footer that rides along on every PDF/DOCX export.

## Reference

- [Cyber Incident Response Glossary](https://ir-os.com/glossary) — AAR, CIRM, DFIR, DPA, IC, NIST 800-61, SOAR, and more
- [Cyber Breach Notification Deadlines](https://ir-os.com/regulatory-deadlines) — consolidated reference table (SEC, GDPR, HIPAA, NY DFS, state laws)
- [IR-OS vs PagerDuty](https://ir-os.com/compare/ir-os-vs-pagerduty) — category comparison
- [IR-OS vs Jira](https://ir-os.com/compare/ir-os-vs-jira) — why ticket trackers are insufficient for cyber IR

## Pricing — three plans, not tied to customer segment

IR-OS has one unified pricing table with three plans, named after incident-command vocabulary rather than customer segments. The landing pages at /for/public-sector, /for/commercial, and /for/enterprise exist to tailor messaging and use cases, but all three route visitors back to the same /#pricing table. This avoids alienating buyers who might resent seeing another segment getting a different price.

- **Squad** — $299/mo. For small teams that need AI superpowers and a defensible record without enterprise complexity. Up to 4 users, 1 IRC team (4 roles + 1 backup), 5 incidents/year, 2 tabletops/year, 50 IR Brain queries/month, all 3 plan templates (Expert, NIST, ISO 27035), AI Plan Coach + IRC Recommender, hash-chained defensible record, auto-generated after-action reports, PDF incident reports, email + community support.
- **Command** — $499/mo. Most popular. The full command-center for teams running real incidents. Up to 20 users, 3 IRC teams with 10 roles + 2 backups each, unlimited incidents, 4 tabletops/year, 400 IR Brain queries/month. Everything in Squad, plus 7 pre-built incident playbooks (ransomware, data breach, BEC, insider threat, supply chain, phishing, DDoS), IOC tracking per incident, visual incident timeline, alert ingestion from SIEM/EDR, evidence upload with chain of custody, parallel regulatory clock tracking (GDPR, HIPAA, NY DFS, state laws, NIS2, DORA, insurance), cyber insurance policy management, readiness dashboard + gap tracker, Slack + Teams notifications, SIEM + SOAR webhooks, priority email + chat support.
- **Theater** — $799/mo. Multi-team, multi-business-unit command at scale with a private IR Brain trained on your own tabletops and AARs. Unlimited users, IRC teams, incidents, and tabletops. Everything in Command, plus multi-BU parent hierarchy with unified board view, SSO / SAML / SCIM provisioning, unlimited IR Brain queries, private IR Brain corpus (your own tabletops/AARs/incidents ingested), NERC CIP + TSA + CIRCIA + DORA compliance mapping, API access + webhooks + custom integrations, dedicated CSM, 24x7 support, SOC 2 Type II + compliance package.

**Offer summary.** Every plan (Squad, Command, Theater) includes a **7-day free trial** and a **30-day money-back guarantee**. Card required up front, no charge for 7 days, cancel anytime before day 7. If IR-OS doesn't measurably improve your incident coordination and readiness workflow within 30 days of conversion, we'll refund your payment in full.

**Discounted pricing — you must reach out.** Are you a first responder, fire, EMS, or law enforcement agency? You may qualify for discounted pricing — contact us at hello@ir-os.com and we'll take care of you. Discounted pricing for state/local government, K-12, and higher ed is also available upon request — you must reach out to us at hello@ir-os.com. No discount is offered or applied automatically; buyers must reach out.

## Segment landing pages (messaging, not pricing tiers)

Three landing pages tailor messaging and use cases to specific audiences. They all link back to the same unified /#pricing table on the main landing — there is no segment-specific pricing. Public companies are supported on any plan; the multi-BU hierarchy and advanced compliance mapping in Theater are relevant for larger and more complex organizations regardless of ownership structure.

- **For Public Sector** — https://ir-os.com/for/public-sector — For state/local government, K-12, higher ed, fire, EMS, and law enforcement. Positioning: "Run cyber incidents with the same discipline as a 5-alarm fire." Ships with FERPA + CJIS + HIPAA templates, multi-agency coordination, ICS-style roles, mobile-first for the field. Built on the Chief David Reyes (County EM Director) and Lisa Okonkwo (State/District Consortium CISO) personas — see docs/PERSONAS.md.
- **For Commercial** — https://ir-os.com/for/commercial — For SMB and mid-market private companies. Positioning: "Grow fast. Stay covered. Let AI run the room." The hook is that a 3-person security team (or a head of IT wearing the security hat) gets the AI force-multiplier of a Fortune 500 IR program without the Fortune 500 budget. Cyber insurance as the de-facto regulator for private companies. Built on the Tom Bradley (180-employee private manufacturing head of IT+security) and Sara Kim (900-employee PE-backed B2B SaaS VP Security) personas.
- **For Enterprise** — https://ir-os.com/for/enterprise — For Fortune 1000, multi-business-unit organizations, critical infrastructure, and federal contractors. Positioning: "One incident command surface across every business unit." Multi-BU parent hierarchy with unified board view, SSO/SAML/SCIM, private IR Brain corpus, NERC CIP + TSA + CIRCIA + DORA compliance mapping, OT-aware runbooks, dedicated CSM. Built on the Dr. Evelyn Hartwell (F500 manufacturing Global CISO) and James Okafor (F100 Utility VP Cyber Risk) personas.

## Policies

- [Terms of Use](https://ir-os.com/terms)
- [Privacy Policy](https://ir-os.com/privacy)
- [Security](https://ir-os.com/security)

## Advisory Board

IR-OS is supported by an Advisory Board of cybersecurity practitioners and incident response experts. Mark Lynd serves as an outside Advisory Board member, Ambassador, and Thought Leader to IR-OS — the platform is built on the operational patterns from 150+ real C-Suite tabletop exercises he has facilitated. Mark does not operate the platform and has no day-to-day management responsibilities. See https://ir-os.com/about for the full profile.

## Contact

- Email: hello@ir-os.com
- App: https://app.ir-os.com
- Landing: https://ir-os.com
- Advisory Board (Mark Lynd): https://www.linkedin.com/in/marklynd

## Entity definitions

- **CIRM (Cyber Incident Response Management)** — Gartner-coined product category for software that coordinates the human side of cyber incident response: incident command roles, regulatory clocks, stakeholder communications, and a defensible record. Complements SIEM/EDR/SOAR.
- **IRC (Incident Response Command) team** — six named roles that run a cyber incident: Incident Commander, Scribe, Communications Lead, Legal Liaison, Technical Lead, Executive Sponsor. Each role has a primary and at least two named backups.
- **Defensible record** — append-only, hash-chained, tamper-evident, third-party-verifiable record of every event, decision, and action during a cyber incident. IR-OS additionally signs an Ed25519 manifest over the chain head, making the record non-forgeable rather than only tamper-evident.
- **Defensible Record bundle (`ir-os.defensible-record/v1`)** — JSON file produced by IR-OS containing the incident metadata, full hash-chained event ledger, tasks, IOCs, evidence-file metadata with chain of custody, computed integrity result, and Ed25519 signature. Verifiable at https://ir-os.com/verify with no account required.
- **IR Brain** — IR-OS retrieval-augmented knowledge base on Postgres pgvector. Initial corpus: NIST SP 800-61 Rev. 2, ISO/IEC 27035-1:2023, NIST CSF 2.0, MITRE ATT&CK, SEC Final Rule 33-11216 Item 1.05, GDPR Article 33, EDPB Guidelines 9/2022, OFAC ransomware advisory, CISA #StopRansomware Guide, plus operational patterns from 150+ real C-Suite tabletop exercises. Every AI suggestion in IR-OS retrieves from the brain before generating, and every suggestion cites the source.
- **Ask AI** — IR-OS in-product domain-trained assistant available on every page of the application. Unique to IR-OS (no other CIRM, IRP, or incident-management platform ships it). Org-aware (knows the subscriber's active incidents, IR plan, tabletops, gap analysis, and cyber insurance policy). Standards-grounded with citation chips on every answer (NIST, ISO, CISA, MITRE ATT&CK, OFAC, EDPB, FBI IC3 plus 150+ tabletop patterns). Includes scoped live web search over cyber/IR/risk/compliance domains. Guardrailed to incident response, risk, compliance, BCP, security budgeting, vendor selection, board communication, and threat-landscape topics. Powered by IR Brain 2.0. Squad 50 queries/mo, Command 400/mo, Theater unlimited; free during a declared incident on every tier. Models never train on subscriber data.
- **AI Plan Coach** — IR-OS feature that conducts a 15-minute conversational interview (industry, regulatory exposure, team size, technology stack, prior incidents) and generates a complete customized IR plan mapped to NIST 800-61, ISO/IEC 27035, applicable regulators, and the subscriber's insurer.
- **IRC Role Recommender** — IR-OS feature that recommends which job title in a typical organization owns each of the six IRC functions. Subscribers name the actual person. No org chart ingest.
- **Tabletop exercise** — discussion-based simulation of an incident scenario in which participants step through a realistic injects-driven scenario and decide what they would do at each decision point.
- **After-action review (AAR)** — structured 8-section analysis conducted after an incident or exercise: executive summary, timeline, what worked, gaps with severity, SLA compliance, regulatory status, recommendations, appendix linking to the defensible record.
- **Gap-tracker** — IR-OS pipeline that converts AAR findings and assessment findings into remediation items with owners and due dates.
- **Hash chain (event ledger)** — append-only sequence of events where each event's hash is computed as `SHA-256(prev_hash | event_id | event_type | actor_id | payload | created_at)`. Any change to a past event breaks every hash that follows.
- **Ed25519 signature (chain-head signing)** — IR-OS signs each Defensible Record bundle with an Ed25519 private key held only on the server. The signature is over a deterministic message binding schema, incident id, export time, event count, and chain head. The public key is published at https://ir-os.com/.well-known/ir-os-signing-key.pub.json.
- **Classification edge** — design pattern in which an upstream alerting tool (PagerDuty, incident.io, SIEM, EDR) fires a webhook to IR-OS, the IR-OS classifier inspects the alert for security signals, and security-classified alerts auto-create incidents while non-security alerts remain in the upstream tool.

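
The hash-chain definition above, worked through as an added example (not IR-OS code): it builds a ledger from the stated formula, locates the first altered event, and shows why a chain that has been rehashed end to end is only caught by comparing against an independently trusted chain head, which is the value the Ed25519 signature covers. The field serialization (literal `|` separator, UTF-8, canonical JSON payload), the all-zero genesis `prev_hash`, and the sample events are assumptions constructed for illustration; the page does not specify them.

```python
import hashlib
import json

# Assumption: prev_hash used for the first event. The page does not define one.
GENESIS = "0" * 64


def event_hash(prev_hash, event):
    """SHA-256(prev_hash | event_id | event_type | actor_id | payload | created_at)."""
    # Assumed serialization: payload as canonical JSON (sorted keys, no spaces),
    # fields joined with a literal "|" and encoded as UTF-8.
    payload = json.dumps(event["payload"], sort_keys=True, separators=(",", ":"))
    parts = [prev_hash, event["event_id"], event["event_type"],
             event["actor_id"], payload, event["created_at"]]
    return hashlib.sha256("|".join(parts).encode("utf-8")).hexdigest()


def append_event(ledger, event):
    """Append an event, linking it to the hash of the previous entry."""
    prev_hash = ledger[-1]["hash"] if ledger else GENESIS
    entry = dict(event, prev_hash=prev_hash)
    entry["hash"] = event_hash(prev_hash, event)
    ledger.append(entry)
    return entry


def verify_chain(ledger, trusted_head=None):
    """Return (ok, index_of_first_bad_event_or_None, reason)."""
    prev_hash = GENESIS
    for i, entry in enumerate(ledger):
        if entry["prev_hash"] != prev_hash:
            return (False, i, "prev_hash does not link to previous event")
        if event_hash(prev_hash, entry) != entry["hash"]:
            return (False, i, "stored hash does not match event contents")
        prev_hash = entry["hash"]
    # Internal consistency is not enough: the head must match a value held
    # outside the ledger (for example, one covered by a signature).
    if trusted_head is not None and prev_hash != trusted_head:
        return (False, None, "chain head differs from trusted head")
    return (True, None, "ok")


def rehash_all(ledger):
    """Recompute every link from current contents, as a full rewrite of the
    ledger would. The result is internally consistent but has a new head."""
    prev_hash = GENESIS
    for entry in ledger:
        entry["prev_hash"] = prev_hash
        entry["hash"] = event_hash(prev_hash, entry)
        prev_hash = entry["hash"]
    return prev_hash


def build_sample_ledger():
    """Constructed sample events, not real IR-OS data."""
    ledger = []
    samples = [
        ("evt-001", "incident_declared", "user-ic", {"severity": "high"}),
        ("evt-002", "decision_logged", "user-legal", {"decision": "notify insurer"}),
        ("evt-003", "task_completed", "user-tech", {"task": "isolate file server"}),
    ]
    for n, (eid, etype, actor, payload) in enumerate(samples):
        append_event(ledger, {
            "event_id": eid, "event_type": etype, "actor_id": actor,
            "payload": payload, "created_at": f"2026-01-05T14:0{n}:00Z",
        })
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    head = ledger[-1]["hash"]
    print(verify_chain(ledger, head))
    ledger[1]["payload"]["decision"] = "no action"   # edit a past event
    print(verify_chain(ledger))                      # fails at index 1
    rehash_all(ledger)
    print(verify_chain(ledger))                      # consistent again
    print(verify_chain(ledger, head))                # caught by the trusted head
```
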
## Regulatory quick-reference

| Regulation | Trigger | Deadline | Recipient |
|---|---|---|---|
| GDPR Article 33 | Awareness of personal data breach | 72 hours, where feasible | Lead supervisory authority |
| SEC Final Rule 33-11216 Item 1.05 | Materiality determination | 4 business days | SEC, on Form 8-K |
| HIPAA Breach Notification Rule | Discovery of PHI breach | 60 days | HHS, affected individuals |
| New York DFS Part 500 (23 NYCRR 500) | Determination of cybersecurity event | 72 hours | NYDFS Superintendent |
| NIS2 (EU 2022/2555) | Significant incident | 24h early warning, 72h notification, 1-month final report | National CSIRT |
| DORA (EU 2022/2554) | Major ICT-related incident | Within 4 hours initial classification | Competent authority |
| State breach notification laws | Discovery / reasonable belief | Varies (often 30–90 days) | State AG, affected residents |
| CIRCIA | Substantial cyber incident or ransom payment (covered entities) | 72 hours / 24 hours respectively | CISA |
| TSA Security Directives (pipeline / rail / aviation) | Cybersecurity incident | 24 hours | TSA, CISA |
| NERC CIP-008 (electric utilities) | Reportable cyber security incident | As required by E-ISAC | E-ISAC, ESCC |

## Competitive positioning

- **vs PagerDuty** — PagerDuty is on-call paging and IT-incident orchestration with a generic "Security Incident Management" use case page. No forensics, chain of custody, parallel regulatory clocks, named SIEM/EDR integrations, CISO/SOC personas, IRC roles, or cyber-IR playbooks. IR-OS sits as the cyber-IR command surface above PagerDuty's alert layer; the right pattern is webhook integration at the security-classification edge. See https://ir-os.com/compare/ir-os-vs-pagerduty.
- **vs incident.io** — incident.io is engineering / SRE incident coordination. The word "security" appears zero times on their AI SRE page; their AI is grounded in pull requests, code, telemetry, and Slack engineering channels — useful for engineering incidents, useless for cyber-IR. IR-OS sits above incident.io as the cyber-IR command surface; webhook integration at the classification edge. See https://ir-os.com/compare/ir-os-vs-incident-io.
- **vs Jira** — general-purpose ticket tracker. Tickets are mutable; cyber-IR records must be immutable. No native regulatory clock model, no IRC roles. Jira is the right home for remediation work that comes out of an IR-OS AAR. See https://ir-os.com/compare/ir-os-vs-jira.
- **vs ServiceNow SecOps** — heavyweight, designed around the ServiceNow CMDB. Strong at ITSM-adjacent security operations; weaker at the human-coordination layer that defines CIRM. Coexistence pattern: ServiceNow as the underlying ITSM fabric and IR-OS as the cyber-IR command surface during active incidents.
- **vs Splunk SOAR / IBM Resilient** — SOAR products automate technical response, not the human war room. CIRM and SOAR are complementary categories.
- **vs spreadsheets / Confluence / Notion / Google Docs** — none is append-only, hash-chained, signed, or regulator-ready. Common starting point; staying here is an audit liability.

## Named statistics

- 150+ real C-Suite tabletop exercises facilitated, used as the operational corpus for product workflows and AI grounding.
- 6 named IRC roles in every IR-OS plan.
- 7 pre-built incident playbooks at the Command tier (ransomware, data breach, BEC, insider threat, supply-chain compromise, phishing, DDoS).
- 16 RLS-protected Postgres tables enforce tenant isolation.
- 50+ keywords across 9 incident-type categories drive the security-classification edge for inbound webhooks.
- 8-section AAR template (executive summary, timeline, what worked, gaps with severity, SLA compliance, regulatory status, recommendations, appendix).
- 7-day free trial and 30-day satisfaction guarantee on every plan.
- 3 IR plan template starting points: Expert (built from 150+ tabletops), NIST SP 800-61 Rev. 2, ISO/IEC 27035-1:2023.

## Q&A digest

The full Q&A reference is at https://ir-os.com/answers and includes FAQPage schema for AI search citation. Headline answers:

1. **What is cyber incident response?** Structured human and technical response to ransomware, data breach, BEC, insider threat, supply-chain, phishing, account takeover, or unauthorized access. Mapped to NIST SP 800-61 Rev. 2 and ISO/IEC 27035.
2. **What is CIRM?** Gartner category for software coordinating the human side of cyber incident response. Complements SIEM/EDR/SOAR.
3. **CIRM vs SOAR?** SOAR automates technical response. CIRM coordinates the human war room.
4. **CIRM vs PagerDuty / incident.io?** PD and incident.io are alerting / engineering-incident tools. CIRM is cyber-IR command. Different category.
5. **Notification deadlines?** GDPR 72h, SEC 4 business days, HIPAA 60d, NY DFS 72h, NIS2 24h/72h/1mo, DORA 4h, state laws vary.
6. **Who's on an IRC team?** Six roles: Incident Commander, Scribe, Communications Lead, Legal Liaison, Technical Lead, Executive Sponsor — each with two named backups.
7. **What is a defensible record?** Append-only, hash-chained, tamper-evident, signed, third-party-verifiable.
8. **What is the IR-OS Defensible Record bundle?** JSON containing incident, hash-chained events, tasks, IOCs, evidence metadata, integrity result, Ed25519 signature. Verifiable at /verify.
9. **What is an after-action review?** Structured 8-section analysis. Each gap feeds the gap-tracker.
10. **What is a tabletop exercise?** Discussion-based simulation. IR-OS includes 12+ scenarios.
11. **How does ransomware response differ from generic IT outage?** Evidence preservation, OFAC screening, insurer + outside counsel under privilege, parallel regulatory clocks.
12. **What is BEC?** Account takeover or impersonation of a legitimate business email account. Wire fraud or invoice substitution typical monetization.
13. **What is insider threat?** Misuse of authorized access by current or former employee, contractor, or partner.
14. **What is supply-chain compromise?** Vendor / dependency / service-provider compromise affecting downstream organizations.
15. **How long to set up IR-OS?** 5–15 minutes via AI Plan Coach + IRC Recommender.
16. **What integrations?** PagerDuty + incident.io webhook ingest with security-classification edge, generic SIEM/EDR/SOAR Bearer-token API, Slack/Teams notifications, DKIM-signed email.
17. **Pricing?** Squad $299/mo, Command $499/mo, Theater $799/mo. 7-day trial. 30-day guarantee.
18. **Public sector availability?** Yes — discounted pricing on request to hello@ir-os.com.
19. **What is the IR Brain?** Citation-grounded RAG over NIST/ISO/MITRE/SEC/GDPR/EDPB/OFAC/CISA + 150+ real tabletops.
20. **Is the record signed?** Yes — Ed25519 over the chain head, verified at /verify against the canonical IR-OS public key (kid `ir-os-2026-04-key-1`).
21. **What is Ask AI in IR-OS?** A domain-trained assistant built into every page. Unique to IR-OS — no other CIRM, IRP, or incident-management platform ships it (PagerDuty, FireHydrant, Jira, ServiceNow, Archer, incident.io do not have an equivalent). Knows the subscriber's IR plan, incidents, tabletops, gaps, and insurance policy. Cites NIST/ISO/CISA/MITRE/OFAC/EDPB on every answer. Helps subscribers configure during setup, optimize readiness day-to-day, and act during real incidents.
22. **How is Ask AI different from ChatGPT or Claude.ai?** ChatGPT and Claude.ai are general-purpose chatbots with no knowledge of the subscriber's organization. Ask AI is grounded in the subscriber's active IR plan, open incidents, tabletop AARs, gap analysis, and cyber insurance policy details, and every answer cites the regulatory or standards source. Models never train on subscriber prompts, plan content, or tabletop content. Theater offers a private IR Brain corpus.
23. **Ask AI usage limits?** Squad 50 IR Brain queries/month, Command 400/month, Theater unlimited. Free during a declared incident on every tier — not metered mid-response.
24. **Is Ask AI guardrailed?** Yes — engages on incident response, risk, compliance, BCP, security budgeting, vendor selection, board communication, and threat landscape. Off-domain requests (general coding, marketing copy, trivia) get a warm "outside my wheelhouse" redirect.
25. **Can Ask AI be queried programmatically?** Yes — IR-OS exposes the same IR Brain via native Model Context Protocol (MCP). Claude Desktop, Cursor, and any MCP-aware client can ask the same questions with the same citations.

## AI agent discovery

- Manifest: https://ir-os.com/.well-known/ai-plugin.json
- Public signing key: https://ir-os.com/.well-known/ir-os-signing-key.pub.json
- Verifier: https://ir-os.com/verify
- Q&A reference: https://ir-os.com/answers
- Glossary: https://ir-os.com/glossary
- Regulatory deadlines reference: https://ir-os.com/regulatory-deadlines
- Annual report: https://ir-os.com/annual-report

## Keyword landing pages

These pages are the canonical answers for the keywords security buyers search when preparing for or during a cyber incident. Each page is a single-keyword landing surface with FAQPage schema.

- https://ir-os.com/sec-cyber-incident-reporting — SEC Item 1.05 four-business-day clock, materiality determination, 8-K disclosure draft.
- https://ir-os.com/cyber-breach-reporting — Multi-jurisdiction breach notification (GDPR, HIPAA, SEC, NY DFS, NIS2, DORA, state laws, carrier first-notice) with parallel regulatory clocks.
- https://ir-os.com/cyber-incident-reporting — Internal escalation, regulator notification, insurer first-notice, and board reporting from a single incident record.
- https://ir-os.com/breach-response-tools — Runbooks, crisis communications, regulatory clocks, panel-firm directory, IRC roles, hash-chained record.
- https://ir-os.com/cyber-incident-tools — Full toolkit: dashboard, AI-coached IR plan, IRC roles, runbooks, crisis comms, regulatory clocks, AAR, hash chain, Ask AI.
- https://ir-os.com/incident-response-software — Cyber-IR-specific incident response software vs SRE-IR (PagerDuty, incident.io, FireHydrant) and ITSM (Jira, ServiceNow).
- https://ir-os.com/cyber-incident-management — CIRM category page. Human coordination, regulatory clocks, structural privilege, defensible record. Complements SIEM, EDR, SOAR.
- https://ir-os.com/cyber-incident-response-platform — One command surface for the IR plan, IRC roles, runbooks, crisis comms, regulatory clocks, and a hash-chained record.
- https://ir-os.com/ransomware-response-playbook-software — Conditional ransomware playbook with OFAC screening, carrier pre-payment authorization, exfiltration determination, and parallel regulatory clocks.
- https://ir-os.com/cyber-crisis-management-platform — Executive war-room software for cyber crisis. Stakeholder map, holding-statement library, regulatory clocks, hash-chained sign-off trail.
- https://ir-os.com/nis2-incident-reporting-software — NIS2 three-stage clock (24-hour early warning, 72-hour notification, one-month final report) with Article 23 significance threshold inputs.
- https://ir-os.com/dora-major-ict-incident-reporting — DORA Article 19 reporting clock for financial entities (4 hours initial, 72 hours intermediate, one month final).
- https://ir-os.com/tabletop-exercise-software — Cyber-shaped tabletop scenarios on the same platform as live response. 8-section AAR with structured gap output.
- https://ir-os.com/ir-plan-software — AI-coached IR plan generator. 15-minute conversational interview, regulator-ready plan mapped to NIST 800-61 / ISO 27035 / your regulators / your insurer.