From agent install to incident response to compliance evidence. Updated every release. If something is missing, email [email protected] and we'll add it.
Twelve guides. Each one a focused 5-15 minute read. Anchored to the in-product UI, so screenshots stay accurate.
From signed contract to first event ingested. Tenant setup, named-analyst introduction, what to expect in the first week.
Signed .pkg install with full-disk access and LaunchDaemon registration. Verifies in < 60 seconds.
Authenticode-signed MSI. Group Policy / Intune-ready. Runs as SYSTEM with anti-tamper protection.
Home, incidents, assets, reports, settings. Owner view vs. analyst view. The five things you should check weekly.
What happens when AI Guardian fires. How the auto-cascade works. How to read the audit log. How to pause auto-response.
Connect your identity, cloud, and SaaS sources via OAuth — no API keys to manage. New sources added on request.
For MSPs and resellers. Partner portal setup, tenant onboarding, white-label branding, analyst seats.
Pull SOC 2, ISO 27001, HIPAA, CIS evidence directly from the portal. Auditor share-link with read-only scope.
Pull incidents, push custom events, hook your SIEM. Tokens scoped per tenant. Rate-limit-friendly.
Suppress known-good actors, add custom Sigma rules, manage the hash blocklist, allowlist exec paths.
View quarantined binaries, inspect VirusTotal / MalwareBazaar verdicts, release if false positive, delete forever.
User management, SAML / SCIM, RBAC, audit log, billing, data residency, data export, account deletion.
Within 4 business hours, your named analyst introduces themselves over email and books a 30-minute kickoff. We provision your tenant in the region you selected (UAE / AU / EU) and send you the portal invite.
Single-tenant data isolation is enforced at the database row level — no shared infrastructure between you and any other customer.
1. Sign in to portal.ironcastle.io with the invite link.
2. Enable MFA on your owner account.
3. Add 2-3 admins from your IT team.
4. Connect M365 or Google Workspace (5-minute OAuth).
5. Deploy the agent to one pilot endpoint to verify telemetry.
By the end of day 6, you should have: all endpoints covered, identity + cloud connected, the first weekly digest in your inbox, and the security score at 70+. If you're below 70, your analyst will reach out with a specific list of items to close.
A Rust binary signed with Permus's Apple Developer ID and notarised by Apple. Runs as a LaunchDaemon under root with Full Disk Access. Approximately 9 MB on disk, < 90 MB RAM idle, < 0.5% CPU under normal load.
Download the signed .pkg from the portal (Settings → Agents → Download). Double-click. Approve the system extension prompt. The agent registers within 30 seconds.
    # Headless install (MDM)
    sudo installer -pkg IronCastle-Agent-0.1.17.pkg -target /

    # Verify
    sudo launchctl list | grep io.ironcastle.agent
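One way to gate the headless install on the signature and notarisation described above, as an added example that is not IronCastle's own tooling. `EXPECTED_TEAM_ID` is a placeholder (the page does not give the vendor's Team ID), the function names are hypothetical, and the sample `pkgutil` output is constructed.

```sh
# Added example: verify signature and notarization before the headless install.
# EXPECTED_TEAM_ID is a placeholder; get the real Team ID from the vendor out of band.
EXPECTED_TEAM_ID="${EXPECTED_TEAM_ID:-TEAMID0000}"

# Reads `pkgutil --check-signature` output on stdin; $1 = expected Team ID.
# Succeeds only if the package is Developer ID signed, notarized, and the
# signing (first) certificate in the chain belongs to the expected team.
signature_ok() {
  sig_team="$1"
  sig_out="$(cat)"
  printf '%s\n' "$sig_out" | grep -q 'Status: signed by a developer certificate issued by Apple' || return 1
  printf '%s\n' "$sig_out" | grep -q 'Notarization: trusted by the Apple notary service' || return 1
  sig_leaf="$(printf '%s\n' "$sig_out" | grep -E '^[[:space:]]*1\. Developer ID Installer: ' | head -n 1)"
  case "$sig_leaf" in
    *"($sig_team)") return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample of pkgutil output (not captured from the real package).
sample_pkgutil_output() {
  cat <<'EOF'
Package "IronCastle-Agent-0.1.17.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Notarization: trusted by the Apple notary service
   Certificate Chain:
    1. Developer ID Installer: Example Vendor (TEAMID0000)
EOF
}

# Verify, install, then wait up to 30 s (the registration time the page states).
install_agent() {
  pkg="$1"
  pkgutil --check-signature "$pkg" | signature_ok "$EXPECTED_TEAM_ID" || {
    echo "refusing to install $pkg: signature or notarization check failed" >&2
    return 1
  }
  spctl --assess --type install "$pkg" || return 1   # Gatekeeper's verdict
  sudo installer -pkg "$pkg" -target / || return 1
  tries=0
  while [ "$tries" -lt 30 ]; do
    sudo launchctl list | grep -q io.ironcastle.agent && return 0
    sleep 1; tries=$((tries + 1))
  done
  echo "agent did not register within 30 seconds" >&2
  return 1
}

# Runs only when given a package path as the single argument.
if [ "$#" -eq 1 ]; then install_agent "$1"; fi
```

In an MDM workflow, a non-zero exit from `install_agent` leaves the package uninstalled, so an unsigned or re-signed package never reaches `installer`.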
The agent runs with KeepAlive=true on the LaunchDaemon, plus an internal watchdog heartbeat. If the agent is stopped with pkill or launchctl unload, or its plist is removed, it respawns within 1-2 seconds and emits a critical incident with the attacker's PID and command line.
Every event runs through five detection layers in series: Sigma rules → threat intel → hash blocklist → YARA scan → AI Guardian. A critical match triggers the auto-cascade: kill the process, quarantine the file, add the SHA256 to the tenant-wide blocklist, isolate the host. All four actions execute within seconds.
Every incident in the customer portal has a transparency panel that logs every analyst and AI action with timestamp and actor. An action attributed to the 🤖 AI Guardian icon was taken autonomously; an action attributed to a named analyst was taken by a human.
Settings → Response → Auto-cascade has a single switch. Disabling it queues critical actions for analyst approval instead of auto-executing them. Use it during change windows, pen-tests, or whenever you want tighter human-in-the-loop control.
Email your named analyst, or write to support — 4-hour response during business hours, 30 minutes on Keep, 5 minutes on Citadel.