FIG. 03 The platform

Detection, response, and a dashboard your owner will actually open.

IronCastle is one platform with two faces — a calm, plain-English portal for the business owner, and a dense, professional console for our analysts. Underneath, a single AI-native pipeline correlates events from your endpoints, cloud, identity, and network into a small number of incidents worth your time.

FOR THE OWNER · LIVE
Security score
A single number, trended weekly, with the three things to fix this month.
FOR THE ANALYST · SAMPLE
Triage queue
Multi-tenant, MITRE-tagged, with response actions one click away.
22:14 · acme-corp · SSO impossible travel
22:13 · north-bay · Suspicious PowerShell
22:11 · fielder-co · EDR — credential dump
UNDER THE HOOD · CLICKHOUSE
Event fabric
Sub-second queries across 90 days of telemetry. Hot storage, cold storage, one schema.
CAP. 01 / OWNER PORTAL

A dashboard for someone who has better things to do.

Built for the business owner — not the security analyst. One score. Three things to fix. A weekly digest you can read in the lift between meetings.

94 / 100
FLEET SCORE
↑ 6 this week
THIS MONTH'S FIXES
Patch 3 endpoints (macOS 14.2) · MED
Enable MFA for billing@ · HIGH
Retire 1 unused service account · LOW

One score, weekly.

Score 0–100 trended over time, with a one-paragraph plain-English explanation of why it moved.

Three fixes, prioritised.

Never more than three actions at a time. Estimated effort and who on your team should do them.

Asset coverage map.

See what's protected — endpoints, cloud accounts, identity, network — and what's still uncovered.

Talk to a human.

One-click "Contact analyst" routes you to the on-shift Tier 2 in Sydney or Dubai. Median response: 90 seconds.

CAP. 02 / SOC CONSOLE

A console our analysts actually want to live in.

Multi-tenant queue, MITRE-tagged triage, in-line response actions, and a sub-second event timeline. Designed with our own SOC team — not bolted on after the fact.

Queue · 22:14
● Acme Corp · SSO ⤴︎
● North Bay Logistics · PSH
● Fielder & Co · EDR
● Hatch Studio · DNS
● Westmark Legal · POLICY
INC-2026-08841 · ACME CORP
Impossible travel — [email protected]
CRITICAL · 92
TA0001 Initial Access · T1078 Valid Accounts · T1110.003 Password Spraying · Identity / SSO

Multi-tenant, by design.

One queue, every customer. Filter, pin, and own across the fleet without context switching.

MITRE ATT&CK native.

Every detection mapped to tactics & techniques, with kill-chain visualisation per incident.

Response in one click.

Isolate, block, reset, escalate — actions wired through to EDR, identity, firewall, and ticketing.

Run-books, AI-drafted.

The model proposes the response plan; the analyst approves or rejects. Always a human in the loop.

CAP. 03 / DETECTION

A five-layer cascade. Built for autonomous attackers.

Every process start, every login and every connection runs through five independent detection layers in series. A match at any layer raises a critical incident and queues containment, which is why most attacks are caught before the payload finishes loading.

DETECTION CASCADE · PER process.start EVENT
Layer 1 · Sigma rules
~9 macOS · ~14 Windows
Layer 2 · Threat intel
MalwareBazaar · OTX
Layer 3 · Hash blocklist
per-tenant SHA256
Layer 4 · YARA scan
signed rule pack
Layer 5 · AI Guardian
Latest frontier models
→ Critical incident
auto-contained

Sigma engine.

Field-level matching against an open, auditable rule set. ~9 macOS + ~14 Windows rules in production. New rules ship every week.

Threat intel, joined live.

MalwareBazaar + AlienVault OTX hash and IP feeds matched on every event. Mandiant + Recorded Future on Keep and Citadel.

YARA on-device.

Every non-Apple-signed process scanned against a signed rule pack before it finishes spawning. Catches Mimikatz, Cobalt Strike, Mythic implants in-memory.

AI Guardian on top.

The latest frontier models read every fired incident, assign MITRE technique, recommend action — in seconds, with cited evidence.
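As an added example, not IronCastle's engine, here is the cascade from the figure above as runnable Python: four matching layers run in series over one constructed process.start event, the incident record the fifth (AI) layer would consume, and the auto-cascade actions listed in CAP. 04 queued whenever anything fires. Field names, rule formats, hashes and indicators are all assumptions made for the demo.

```python
"""Added example (not IronCastle code): a detection cascade run in series over one
process.start event, plus the auto-cascade containment plan a critical hit queues.
Event fields, rules, hashes and IOCs are constructed stand-ins for the real feeds."""
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcessStart:
    tenant: str
    host: str
    image: str                  # executable path
    command_line: str
    sha256: str                 # hash of the on-disk binary
    signer: Optional[str]       # code-signing identity, None if unsigned
    remote_ip: Optional[str]    # first outbound connection, if any
    memory: bytes               # constructed in-memory sample


@dataclass(frozen=True)
class Hit:
    layer: str
    rule: str
    technique: str


# Layer 1: Sigma-style selections. Real Sigma is YAML; the modifier semantics
# (endswith, contains, contains|all) are the same, the field names are assumed.
SIGMA_RULES = [
    {"title": "Encoded PowerShell", "technique": "T1059.001",
     "selection": {"image|endswith": "powershell.exe",
                   "command_line|contains|all": ["-enc", "bypass"]}},
    {"title": "Mimikatz command-line modules", "technique": "T1003.001",
     "selection": {"command_line|contains": ["sekurlsa::", "lsadump::", "privilege::debug"]}},
]


def sigma_match(selection, ev):
    """Every key in the selection must match (Sigma AND semantics)."""
    for key, want in selection.items():
        field_name, *mods = key.split("|")
        value = str(getattr(ev, field_name, "") or "").lower()
        needles = [str(w).lower() for w in (want if isinstance(want, list) else [want])]
        if not mods:
            ok = value in needles
        elif mods[0] == "endswith":
            ok = any(value.endswith(n) for n in needles)
        elif mods[0] == "contains":
            ok = all(n in value for n in needles) if "all" in mods else any(n in value for n in needles)
        else:
            raise ValueError(f"unsupported modifier: {key}")
        if not ok:
            return False
    return True


# Layer 2: threat-intel feeds (constructed stand-ins for MalwareBazaar / OTX).
MIMIKATZ_LIKE = hashlib.sha256(b"constructed mimikatz-like sample").hexdigest()
INTEL_HASHES = {MIMIKATZ_LIKE}
INTEL_IPS = {"203.0.113.7"}                       # TEST-NET-3 address, constructed C2
# Layer 3: per-tenant SHA256 blocklist (fed by earlier auto-cascade runs).
TENANT_BLOCKLIST = {"acme-corp": {MIMIKATZ_LIKE}}
# Layer 4: YARA-style all-strings-must-match patterns; platform-signed binaries skip it.
TRUSTED_SIGNERS = {"Apple", "Microsoft Windows"}
YARA_RULES = [
    ("Mimikatz_strings", "T1003.001", [b"sekurlsa::logonpasswords", b"privilege::debug"]),
    ("CobaltStrike_beacon", "T1071.001", [b"%s as %s\\%s: %d", b"beacon.dll"]),
]


def run_cascade(ev):
    """Run every layer in series and collect all hits; any hit is critical."""
    hits = []
    for rule in SIGMA_RULES:
        if sigma_match(rule["selection"], ev):
            hits.append(Hit("sigma", rule["title"], rule["technique"]))
    if ev.sha256 in INTEL_HASHES:
        hits.append(Hit("intel", "hash feed", "T1204.002"))
    if ev.remote_ip in INTEL_IPS:
        hits.append(Hit("intel", "ip feed", "T1071"))
    if ev.sha256 in TENANT_BLOCKLIST.get(ev.tenant, set()):
        hits.append(Hit("blocklist", "tenant sha256", "T1204.002"))
    if ev.signer not in TRUSTED_SIGNERS:
        for name, technique, patterns in YARA_RULES:
            if all(p in ev.memory for p in patterns):
                hits.append(Hit("yara", name, technique))
    # Layer 5 (AI Guardian) reads the fired incident; this record is its input.
    return {"tenant": ev.tenant, "host": ev.host, "sha256": ev.sha256,
            "severity": "CRITICAL" if hits else "NONE", "hits": hits,
            "auto_contain": bool(hits)}


def containment_plan(incident, pid):
    """Auto-cascade actions for a critical incident, in the order CAP. 04 lists them."""
    if not incident["auto_contain"]:
        return []
    return [("kill_process", pid),
            ("quarantine_file", incident["sha256"]),
            ("blocklist_hash", (incident["tenant"], incident["sha256"])),
            ("isolate_host", incident["host"])]


# Constructed events: one benign Apple-signed binary, one unsigned credential dumper.
BENIGN_EVENT = ProcessStart(
    tenant="acme-corp", host="MBP-FIN-02", image="/bin/ls", command_line="ls -la",
    sha256=hashlib.sha256(b"constructed benign binary").hexdigest(), signer="Apple",
    remote_ip=None, memory=b"plain process memory")
MALICIOUS_EVENT = ProcessStart(
    tenant="acme-corp", host="WS-FIN-07", image=r"C:\Users\Public\mimi.exe",
    command_line="mimi.exe privilege::debug sekurlsa::logonpasswords exit",
    sha256=MIMIKATZ_LIKE, signer=None, remote_ip="203.0.113.7",
    memory=b"... privilege::debug ... sekurlsa::logonpasswords ...")

if __name__ == "__main__":
    for ev in (BENIGN_EVENT, MALICIOUS_EVENT):
        inc = run_cascade(ev)
        print(inc["severity"], [h.layer for h in inc["hits"]], containment_plan(inc, 4242))
```

The layers deliberately do not short-circuit: every layer runs even after an earlier one fires, so the incident carries evidence from each independent source, and the tenant blocklist is keyed on the same SHA256 the auto-cascade writes back, which is how one tenant's hit blocks repeat spawns without waiting for a feed update.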

CAP. 04 / RESPONSE

From detection to contained, in minutes.

When something real happens, our analysts move fast — and you see exactly what was done, when, and why. Every action logged. Every action reversible.

INC-2026-08841 · CONTAINMENT TIMELINE
22:11:42 · DETECTION
Impossible-travel score 92. SSO sign-in from SG ↔ AU within 11 min.
→ ic.engine v4.8
22:11:48 · ENRICH
Joined to user [email protected] · 2 sessions active · 1 admin role
→ ic.engine
22:12:33 · TRIAGE
Picked up by analyst on shift. AI-drafted runbook reviewed.
→ M. Reyes (Tier 2, SYD)
22:13:01 · ACTION
Sessions revoked, password reset forced, MFA re-enrolment required.
→ M. Reyes via Okta
22:13:18 · NOTIFY
Customer paged via SMS + portal banner. Owner: Sarah K.
→ ic.notify
22:18:00 · RESOLVED
Confirmed legitimate user travel. Sessions restored. Lessons logged.
→ M. Reyes
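The detection step in the timeline above, as an added example that is not the ic.engine scoring: consecutive SSO sign-ins per user are compared by great-circle distance and elapsed time, and any pair implying a speed no aircraft reaches is raised with a 0-100 score. The sign-in records, the 900 km/h bound and the scoring curve are constructed assumptions for the demo.

```python
"""Added example (not IronCastle code): impossible-travel detection over SSO sign-ins.
The sign-in records, the 900 km/h plausibility bound and the 0-100 scoring curve are
constructed assumptions, not the ic.engine scoring shown in the incident timeline."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0         # about a commercial jet; faster than this is not travel
MIN_DISTANCE_KM = 50.0            # geo-IP jitter inside one metro area never alerts
MIN_GAP = timedelta(seconds=60)   # floor on the time gap so back-to-back logins cannot divide by zero


@dataclass(frozen=True)
class SignIn:
    user: str
    at: datetime        # timezone-aware
    country: str
    lat: float
    lon: float
    ip: str


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on a spherical Earth."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def score(kmh):
    """0 while the implied speed is reachable by air, rising towards 100 as it becomes absurd."""
    if kmh <= MAX_PLAUSIBLE_KMH:
        return 0
    return min(100, round(100 * (1 - MAX_PLAUSIBLE_KMH / kmh)))


def impossible_travel(signins):
    """Compare consecutive sign-ins per user; return one alert per implausible pair."""
    by_user = {}
    for s in sorted(signins, key=lambda s: s.at):
        by_user.setdefault(s.user, []).append(s)
    alerts = []
    for user, events in by_user.items():
        for prev, cur in zip(events, events[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km < MIN_DISTANCE_KM:
                continue
            hours = max(cur.at - prev.at, MIN_GAP).total_seconds() / 3600
            kmh = km / hours
            if kmh > MAX_PLAUSIBLE_KMH:
                alerts.append({"user": user, "from": prev.country, "to": cur.country,
                               "from_ip": prev.ip, "to_ip": cur.ip,
                               "km": round(km), "minutes": round(hours * 60, 1),
                               "kmh": round(kmh), "score": score(kmh)})
    return alerts


UTC = timezone.utc
# Constructed sign-ins: city-centre coordinates, IPs from documentation ranges.
SAMPLE_SIGNINS = [
    SignIn("jdoe@example.com", datetime(2026, 3, 2, 22, 0, 30, tzinfo=UTC), "SG", 1.3521, 103.8198, "203.0.113.40"),
    SignIn("jdoe@example.com", datetime(2026, 3, 2, 22, 11, 30, tzinfo=UTC), "AU", -33.8688, 151.2093, "198.51.100.9"),
    SignIn("mlee@example.com", datetime(2026, 3, 2, 8, 0, 0, tzinfo=UTC), "AU", -33.8688, 151.2093, "198.51.100.20"),
    SignIn("mlee@example.com", datetime(2026, 3, 2, 10, 0, 0, tzinfo=UTC), "AU", -37.8136, 144.9631, "198.51.100.21"),
    SignIn("mlee@example.com", datetime(2026, 3, 2, 10, 1, 0, tzinfo=UTC), "AU", -37.8200, 144.9700, "198.51.100.22"),
]

if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_SIGNINS):
        print(alert)
```

Singapore to Sydney is roughly 6,300 km; eleven minutes implies tens of thousands of km/h, so the pair scores near the top, while a Sydney to Melbourne sign-in two hours later (about 360 km/h) and two Melbourne addresses a minute apart are left alone. The score only ranks: as the timeline shows, the closing verdict (genuine travel, a VPN egress change, or an attacker) is the analyst's, which is why sessions were revoked first and restored after confirmation.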

Median time to contain

7 minutes 12 seconds

Auto-cascade.

Critical detection? Kill the process, quarantine the file, blocklist the hash tenant-wide, isolate the host — all queued automatically. Analyst picks up the cleaned-up incident.

Network isolation.

pf-based, IPv6-aware. Cloudflare CIDR allowlist + DNS only — the host can still talk to us, nothing else. One-click reverse from the portal.
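A ruleset of the kind described above, as an added example that is not the agent's own code: a small Python generator validates the allowlist and emits pf rules for a dedicated anchor. The anchor name, the agent port and the sample CIDRs and resolvers are assumptions (Cloudflare publishes its current ranges; pull the live list rather than hard-coding these).

```python
"""Added example (not IronCastle code): build a pf ruleset that isolates a macOS host
while keeping the agent's path to the backend open. Anchor name, port and the sample
CIDRs/resolvers are assumptions; Cloudflare's published ranges are the real source."""
import ipaddress

ANCHOR = "ironcastle"   # assumed anchor; load with: pfctl -a ironcastle -f rules.conf


def _validate(addrs):
    """Accept only IP literals or CIDRs: pf resolves hostnames at load time,
    which an isolated host can no longer do."""
    out = []
    for a in addrs:
        try:
            net = ipaddress.ip_network(a, strict=False)
        except ValueError as e:
            raise ValueError(f"not an IP literal or CIDR: {a!r}") from e
        out.append(str(net))
    return out


def isolation_rules(allow_cidrs, resolvers, agent_port=443):
    """Default-deny in both directions; pass only the backend, the named resolvers,
    loopback and the ICMPv6 messages IPv6 needs to keep a default route."""
    allow = _validate(allow_cidrs)
    dns = _validate(resolvers)
    lines = [
        f"# generated isolation ruleset for anchor {ANCHOR}; default deny both ways",
        f"table <allow> {{ {', '.join(allow)} }}",
        f"table <dns> {{ {', '.join(dns)} }}",
        "block drop all",
        "pass quick on lo0 all",
        "# neighbour/router discovery, or the v6 stack loses its gateway within minutes",
        "pass quick inet6 proto icmp6 all icmp6-type { neighbrsol, neighbradv, routersol, routeradv }",
        "# DNS only to the listed resolvers; any-destination port 53 is a tunnel channel",
        "pass out quick proto { tcp, udp } from any to <dns> port 53 keep state",
        f"pass out quick proto tcp from any to <allow> port {agent_port} flags S/SA keep state",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(isolation_rules(["104.16.0.0/13", "2606:4700::/32"],
                          ["1.1.1.1", "2606:4700:4700::1111"]))
```

With the main pf.conf carrying an `anchor "ironcastle"` line, loading the generated file into that anchor isolates the host and `pfctl -a ironcastle -F rules` is the one-click reverse: flushing the anchor leaves the rest of the ruleset untouched. The two choices a reviewer should look for are that "DNS only" means the named resolvers rather than any host on port 53, and that ICMPv6 neighbour and router discovery stay open, since a blanket v6 block silently strands the host once its router lifetime expires.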

You stay in control.

"Pause auto-response" is a single switch. Every action logs to the incident audit trail and is reversible from the portal.

CAP. 05 / ENDPOINT DEFENSE

A Rust agent that refuses to die.

Signed, sandboxed, tamper-resistant. Runs on macOS and Windows with negligible footprint. Streams telemetry, scans live processes, and respawns within 2 seconds of any kill attempt.

AGENT · TAMPER-ATTEMPT EVENT
14:02:11.402 · TAMPER
pkill ironcastle-agent executed by user 'attacker' (uid 501) · pid 28114
→ agent.watchdog
14:02:11.418 · EMIT
Event agent.tamper_attempt sent · attacker_pid=28114 · cmd=pkill
→ collector
14:02:11.580 · INCIDENT
Critical incident created · auto-isolate queued (non-root tamperer)
→ detection engine
14:02:12.103 · RESPAWN
launchd KeepAlive triggered · agent online · pid 28117 · heartbeat OK
→ launchd
14:02:13.211 · CONTAIN
Host MBP-HEALTH-04 isolated via pf · network blocked
→ agent.pf

Signed & notarised.

Apple Dev ID signed + notarised on macOS. Authenticode-signed on Windows. No kernel extensions required.

KeepAlive + watchdog.

LaunchDaemon KeepAlive respawns the agent within 1-2 s of any kill. Because launchd throttles a job that exits within ThrottleInterval (10 s by default) of starting, the plist has to lower that interval or a repeated kill loop opens a ten-second gap. The heartbeat monitor exits if telemetry stalls, forcing a respawn from a clean state.

YARA scan on every spawn.

Non-Apple-signed processes resolved via proc_pidpath, hashed, cache-checked, then scanned in-memory. SHA256 cached per binary so repeat spawns are free.

Forensic snapshot, on click.

One button captures process tree + open sockets + loaded kexts + system metadata — stored forever, schema-versioned, exportable.

CAP. 06 / FOR MSSPS

A platform you can run as your own.

Partners run their own SOC under their own brand on our infrastructure. Three-tier hierarchy: super admin → partner → tenant. Per-tenant data isolation enforced at the database row level.

PARTNER HIERARCHY · ROW-LEVEL ISOLATION
SUPER ADMIN · [email protected]
  ├── PARTNER · acme-cyber.com (white-label brand, own SOC)
  │   ├── TENANT · Northwind Co (84 endpoints)
  │   ├── TENANT · Fabrikam Ltd (212 endpoints)
  │   └── TENANT · Contoso (47 endpoints)
  └── PARTNER · regional-soc.ae (Arabic UI, GST timezone)

// every query carries partner_id + tenant_id;
// Postgres RLS rejects cross-tenant reads at the row.

White-label, end-to-end.

Your domain, your logo, your email templates. Customers see your brand; the IronCastle infrastructure is invisible.

Analyst seats, included.

Your SOC team gets full partner-portal access — same view as our analysts — across every tenant you manage.

Row-level security.

Postgres RLS policies enforce isolation. A policy whose USING clause is simply true (qual = true in pg_policies) is rejected by a build-time check. RLS only binds roles that are subject to it, so the application role must be neither a superuser nor BYPASSRLS, and tables need FORCE ROW LEVEL SECURITY so the owning role is bound as well; with those in place a query cannot read another tenant's rows.
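What the build-time check can look like, as an added example rather than the platform's own tooling: a lint over migration SQL that fails on a policy whose qual is just true, on a policy that does not scope by tenant_id or partner_id (the two columns the diagram above says every query carries), on a table that enables RLS without forcing it, and on a policy whose table never enabled RLS at all. The migration text is constructed; the `app.tenant_id` / `app.partner_id` settings are an assumed convention.

```python
"""Added example (not IronCastle code): a build-time lint for Postgres RLS migrations.
Flags USING/WITH CHECK (true), policies with no tenant_id/partner_id scope, tables
enabled but not FORCEd (the owner bypasses RLS), and policies on tables that never
enabled RLS (the policy is inert). The migration below is constructed."""
import re

SCOPE_COLUMNS = re.compile(r"\b(tenant_id|partner_id)\b", re.I)


def _balanced(text, open_idx):
    """Content between the '(' at open_idx and its matching ')'."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced parentheses in policy")


def _clause(body, keyword):
    """Expression inside `KEYWORD ( ... )`, or None when the clause is absent."""
    m = re.search(rf"\b{keyword}\s*\(", body, re.I)
    return _balanced(body, m.end() - 1).strip() if m else None


def lint_rls(sql):
    findings = []
    tables_with_policy = set()
    for m in re.finditer(r"CREATE\s+POLICY\s+(\w+)\s+ON\s+(\w+)(.*?);", sql, re.I | re.S):
        name, table, body = m.group(1), m.group(2).lower(), m.group(3)
        tables_with_policy.add(table)
        for label, expr in (("USING", _clause(body, "USING")),
                            ("WITH CHECK", _clause(body, r"WITH\s+CHECK"))):
            if expr is None:
                continue
            if expr.lower() == "true":
                findings.append(f"{table}.{name}: {label} (true) matches every row")
            elif not SCOPE_COLUMNS.search(expr):
                findings.append(f"{table}.{name}: {label} does not scope by tenant_id/partner_id")
    enabled = {t.lower() for t in re.findall(
        r"ALTER\s+TABLE\s+(\w+)\s+ENABLE\s+ROW\s+LEVEL\s+SECURITY", sql, re.I)}
    forced = {t.lower() for t in re.findall(
        r"ALTER\s+TABLE\s+(\w+)\s+FORCE\s+ROW\s+LEVEL\s+SECURITY", sql, re.I)}
    for t in sorted(enabled - forced):
        findings.append(f"{t}: RLS enabled but not forced; the table owner bypasses it")
    for t in sorted(tables_with_policy - enabled):
        findings.append(f"{t}: policy defined but RLS never enabled; the policy is inert")
    return findings


SAMPLE_MIGRATION = """
ALTER TABLE incidents ENABLE ROW LEVEL SECURITY;
ALTER TABLE incidents FORCE ROW LEVEL SECURITY;
CREATE POLICY incidents_tenant ON incidents
  USING (partner_id = current_setting('app.partner_id')::uuid
     AND tenant_id  = current_setting('app.tenant_id')::uuid)
  WITH CHECK (tenant_id = current_setting('app.tenant_id')::uuid);

-- qual = true: every row, every tenant
ALTER TABLE audit_log ENABLE ROW LEVEL SECURITY;
ALTER TABLE audit_log FORCE ROW LEVEL SECURITY;
CREATE POLICY audit_all ON audit_log FOR SELECT USING (true);

-- enabled but not forced: the owning role still reads everything
ALTER TABLE events ENABLE ROW LEVEL SECURITY;
CREATE POLICY events_tenant ON events
  USING (tenant_id = current_setting('app.tenant_id')::uuid);

-- policy without ENABLE: no effect at all
CREATE POLICY agents_tenant ON agents
  USING (tenant_id = current_setting('app.tenant_id')::uuid);
"""

if __name__ == "__main__":
    for finding in lint_rls(SAMPLE_MIGRATION):
        print("FAIL", finding)
```

The lint is a regex pass, so it belongs in CI as a gate alongside, not instead of, a test that connects as the real application role and asserts a cross-tenant SELECT returns zero rows; the static check catches the policy shapes that are wrong by construction, the runtime test catches a role that was granted BYPASSRLS.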

Margin you can keep.

Resellers get a flat margin; partners get wholesale pricing. The economics work for a 5-customer MSP and a 500-customer MSSP.

CAP. 07 / COVERAGE

Everywhere your business already runs.

Open by design. IronCastle ingests from wherever your business runs — endpoints, identity, cloud, SaaS, and network — through one API-first pipeline. If a system emits logs or events, we can bring it under monitoring. No professional-services engagement required.

ENDPOINT & SERVER
Native agent — macOS & Windows
Servers & other systems via log / API ingestion
Lightweight by design — minimal footprint
IDENTITY
Your identity provider — sign-in & session signals
Connected via standard identity APIs
Privileged-access change auditing
CLOUD & SAAS
Cloud platforms — audit & activity logs
Business SaaS — via native APIs
New sources connected on request
NETWORK & EMAIL
Firewalls & network gear — via syslog / API
Email-security telemetry
DNS-layer signals

Connect anything that emits logs.

Endpoints, cloud, identity, SaaS, network — if it produces telemetry, our pipeline can take it in. New sources added on request.

Onboard in days, not quarters.

No professional-services engagement and no rip-and-replace — coverage starts fast.

Bring your own stack.

Keep the tools you already run — IronCastle layers on top with detection, response, and a 24/7 human SOC.

Air-gapped, on request.

For regulated tenants, we can deploy a tenant-isolated collector with relayed telemetry.

24/7 · Always-on monitoring · Human SOC + autonomous AI, every day.
Minutes · Auto-cascade containment · From first signal to attacker isolated.
AI+human · Every alert verified · Autonomous detection, human verdict.
2 SOC regions · Sydney + Dubai · 24×7×365.