FIG. 07 Frequently asked

The questions we hear most, answered at length.

Forty-eight questions across eight categories. We've kept the answers honest — including the bits we're still working on. If yours isn't here, write to [email protected] and we'll add it.

General questions

If you've never used a managed-security service before, start here.

What is IronCastle, in one sentence?

IronCastle is an AI-native, fully-managed cybersecurity service for small and mid-sized businesses — we run the platform, our analysts run the SOC, and you get a calm dashboard, three things to fix this month, and a phone number to call when something feels wrong.

Who's it for?

SMBs from roughly 10 to 2,000 seats. We're particularly strong with professional services firms, healthcare practices, logistics companies, manufacturing, and SaaS scale-ups. We're not a fit for individual consumers, very large enterprises (5,000+ seats), or environments classified above OFFICIAL: Sensitive.

How is this different from buying CrowdStrike or SentinelOne directly?

EDR vendors give you tools. We give you outcomes. CrowdStrike will tell you a process is suspicious; we tell you what to do, do it for you when you've authorised us to, and write the post-incident report your insurer wants.

We integrate with CrowdStrike and SentinelOne — many customers run both. Bringing your existing EDR is supported and often cheaper than ripping it out.

Is this a SIEM?

It contains a SIEM, but the SIEM is invisible to you. Most SMBs who buy a SIEM regret it within 18 months — they bought a database and a query language, not a security outcome. We sell the outcome.

Do we still need an internal IT team?

Yes — we don't replace IT. We do replace the part of IT that wakes up at 3am because something is on fire. Most customers have one or two internal IT people who handle laptops, networks, vendor onboarding, and policy. We handle the security operations layer.

What does "AI-native" actually mean here?

Three concrete things: (1) detection scoring fuses signals from every surface using learned models rather than rule-only correlations; (2) the model drafts the response runbook for the analyst to approve, instead of the analyst writing it from scratch; (3) the owner-facing summaries are AI-generated and human-reviewed, which is how we keep them in plain English without a content team.

What it doesn't mean: a chatbot for your dashboard. We don't ship those.

The platform

How the product is built, what it does, what it doesn't.

What surfaces does IronCastle cover?

Endpoints (macOS & Windows, via our native agent), plus cloud, identity, email, SaaS, and network sources connected through standard APIs and log ingestion. If a system emits logs or events, we can bring it under monitoring. More on the Platform page.

Where's the data stored?

In your region. We run regional ingest, storage, and detection in AU (Sydney), UAE (Central), EU (Ireland + Frankfurt), and US (Oregon). Your telemetry never leaves your region without an authenticated, customer-authorised export.

How long is telemetry retained?

30 days hot on Watchtower, 90 days hot on Keep, and 90 days hot plus 365 days cold on Citadel. Extended retention is an add-on (~$0.04 per event-day).

Does the agent slow down our laptops?

Idle: ≤ 90 MB RAM, < 0.4% CPU. Active scan window: brief spikes during the 02:00 local hash sweep. Every customer who has measured this has gone back to ignoring it.

What happens if your platform goes down?

Detection runs at the regional level with a hot-warm regional pair. Full failover RTO is 30 minutes; data RPO is 5 minutes. Telemetry buffers locally on the agent for up to 8 hours so we don't lose evidence in a region-wide outage. Past 12 months: 99.97% availability per our public status page.

Can we self-host?

Mostly no. Air-gapped collectors are available on Citadel (a small VM in your environment forwards telemetry to our SaaS). Fully self-hosted detection isn't on our roadmap — the value is in the cross-tenant intelligence we can't share if everyone's siloed.

How does the AI get smarter?

We train detection models on aggregate features, never raw cross-tenant telemetry. When an analyst confirms or rejects a detection, that signal feeds the next training cycle. New detections backtest against 90 days of fleet telemetry before they ship.

Will you use our data to train your foundation models?

No. Our LLM subprocessors (Anthropic, optionally OpenAI on Citadel) are configured for zero retention / no-train. Any pseudonymised event summaries we send for run-book drafting are dropped after the inference call.

The SOC

Who answers the alerts, where they sit, what they're allowed to do.

Where are your analysts?

Sydney and Dubai, on rotating 24×7 shifts. We hire locally; we don't outsource the SOC to a third country. Tier 3 escalation is in Sydney during business hours and on-call after.

What does the team look like?

22 analysts at time of writing — split roughly 14 Tier 1/2 and 8 Tier 3 / detection engineers. Median tenure across the SOC is 4.6 years. Hiring page on the Field Notes blog.

What's "median time to contain" and how do you measure it?

From the timestamp on the first signal we used to score the incident, to the timestamp on the response action that broke the attacker's path (isolation, session revoke, IP block). Q3 2025: 7m 12s across all confirmed-malicious incidents fleet-wide.

Can your analysts read our data?

Only when triaging an active incident in your tenant, through just-in-time access that expires after 4 hours, and every query is audited. Browsing customer data outside an incident is a fireable offence; we have not had to fire anyone for it.
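The three controls in that answer (access bound to an active incident in the tenant, a 4-hour expiry, an audit record for every query) as an added example that is not IronCastle's code; the grant and audit-record shapes are assumptions:

```python
# Added example (not IronCastle code): the just-in-time analyst access rule the FAQ
# describes. Grant/incident shapes and the audit-record fields are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta

GRANT_TTL = timedelta(hours=4)   # "expires after 4 hours"

@dataclass(frozen=True)
class Grant:
    analyst: str
    tenant: str          # tenant the grant was issued for
    incident_id: str     # incident that justified it
    issued_at: datetime

class JitAccess:
    """Authorises analyst queries only during an active incident in that tenant."""

    def __init__(self, active_incidents: dict[str, str]):
        self.active_incidents = dict(active_incidents)   # incident_id -> tenant
        self.audit_log: list[dict] = []                  # every query, allowed or not

    def close_incident(self, incident_id: str) -> None:
        self.active_incidents.pop(incident_id, None)     # access dies with the incident

    def check(self, grant: Grant, tenant: str, query: str, now: datetime) -> bool:
        """Return whether the query may run. Every call writes an audit record."""
        if grant.tenant != tenant:
            reason = "tenant_mismatch"                   # grant is for a different customer
        elif self.active_incidents.get(grant.incident_id) != tenant:
            reason = "no_active_incident"                # incident closed or not in this tenant
        elif now - grant.issued_at >= GRANT_TTL:
            reason = "grant_expired"                     # past the 4-hour window
        else:
            reason = "ok"
        self.audit_log.append({"ts": now.isoformat(), "analyst": grant.analyst,
                               "tenant": tenant, "incident": grant.incident_id,
                               "query": query, "allowed": reason == "ok", "reason": reason})
        return reason == "ok"

def demo() -> list[str]:
    """Constructed walk-through; returns the audit reasons in order."""
    t0 = datetime(2025, 9, 1, 3, 0, 0)
    jit = JitAccess({"INC-1": "acme"})
    g = Grant("analyst-7", "acme", "INC-1", issued_at=t0)
    jit.check(g, "acme", "SELECT * FROM process_events WHERE host='ws-042'", t0 + timedelta(minutes=5))
    jit.check(g, "globex", "SELECT * FROM logons", t0 + timedelta(minutes=6))      # other tenant
    jit.check(g, "acme", "SELECT * FROM dns_queries", t0 + timedelta(hours=4))     # TTL elapsed
    jit.close_incident("INC-1")
    jit.check(g, "acme", "SELECT * FROM logons", t0 + timedelta(minutes=10))       # incident closed
    return [rec["reason"] for rec in jit.audit_log]
```

Denied queries are logged alongside allowed ones, which is what makes the "every query audited" claim checkable after the fact.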

What can your analysts do without asking us?

Whatever you've pre-authorised. Most customers pre-authorise: isolate a host with confirmed-malicious activity, revoke a session for an impossible-travel sign-in, block a known-bad IP at the firewall. Anything destructive (e.g. wipe a device) requires a customer-side approval.

What happens at 3am on a public holiday?

The same thing as 3am on a Tuesday. We don't have a "best efforts" tier of coverage. Public holidays are managed at the SOC level via the rotation between regions; you don't see them.

Onboarding & operations

Going live, staying live.

How long does onboarding actually take?

Six business days from contract signing to active 24×7 monitoring. Full breakdown on the Method page. We've never missed this on a Keep deployment in the last 14 months.

How much of our IT team's time does onboarding consume?

About 6–8 hours of IT-lead time across the week, mostly in 30-minute chunks. The connector installs are mostly self-service OAuth flows; the agent push goes through your MDM with our packaging.

What if we don't have an MDM?

We can deploy via PDQ, scripted installers, or as part of a recommended JumpCloud / Kandji rollout if you want to standardise. About 18% of our customers had no MDM at signing; all of them did within 90 days.

Will you migrate us off our existing MSSP?

Yes — we have a documented runbook. We run in parallel for 30 days during transition; you cut over to us once you're confident. We'll absorb the parallel-run cost.

What happens after onboarding?

Weekly digest, monthly posture review, quarterly tabletop, and an always-open phone line. The full ongoing rhythm is on the Method page.

Can we add or remove users mid-cycle?

Yes. Adds are billed quarterly in arrears in 25-seat blocks. Removals adjust at next renewal. No mid-term renegotiations.

Data & privacy

What we collect, who can see it, what happens when we part ways.

What categories of data do you collect?

Security telemetry: process trees, logon/logoff events, network connections, DNS queries, audit logs from your IdP/SaaS/cloud, file metadata. We don't collect document contents, browsing history, keystrokes, or microphone/camera streams. The full collection schema is on the Trust page.

Does this comply with GDPR?

Yes. We're a processor; you're the controller. Our DPA includes EU SCCs (2021) and UK IDTA. Permus EU B.V. (Amsterdam) is our EU representative. DPIA template available on request.

What about HIPAA?

Available on Keep and Citadel. We sign a Business Associate Agreement; the platform is annually attested against the HIPAA Security Rule by Schellman. PHI never leaves your region.

If we leave, can we take our data?

Yes. Full Parquet export to your S3/GCS/Azure bucket, with schema documentation. 30-day grace after termination before we delete. Deletion certificate available.

Have you ever had a breach?

No customer-data breach in the company's history. We've had two operational incidents we treat as breaches-with-zero-customer-impact (a misconfigured Cloudflare cache rule in 2023, a staff laptop stolen in 2024). Both are written up in our incident registry, available on request.

Who owns the data?

You do. We're a processor, not a controller. Every contract reflects this. We have no claim to your telemetry beyond what's needed to provide the service.

Commercial & contracts

Pricing, term, payment, exits.

How do you price?

Per seat, per month, plus a small platform base. No event-volume surcharges. Three tiers and a calculator on the Pricing page.

Minimum contract?

12 months on Watchtower and Keep, 24 months on Citadel. Price-locked for 24/36 months respectively.

Can we pay monthly?

Yes — though annual prepay is 10% cheaper. We bill in AUD, AED, USD, EUR, or GBP from the relevant Permus entity.

Can we exit?

30-day notice on Watchtower & Keep (60-day on Citadel). No claw-back of pre-paid amounts beyond the notice period; we don't ransom your data.

Do you do partner / channel pricing?

Yes, for accredited MSPs and IT consultancies. Email [email protected] for the program details.

Are there any hidden fees?

No. The price you see is the price you sign. Add-ons (forensic retainer, red team, phishing sim) are explicit line items, never assumed. Implementation is included on Watchtower and Keep.

Tools & integrations

What we plug into and how.

Which EDRs do you support?

We're EDR-agnostic. Run our own lightweight agent, or keep the EDR you already have and we'll layer on top — tell us your stack and we'll confirm the path.

Which identity providers?

The major identity providers, via standard protocols (SAML, OIDC, SCIM). If it speaks standard identity APIs, we can connect it — tell us what you run and we'll confirm.

Do you integrate with Slack / Teams?

Both. Slack/Teams audit logs feed into detection. We can also post incident notifications into a dedicated channel — many customers create #ic-soc for this.

What about ticketing?

Jira, Linear, ServiceNow, Zendesk, Freshservice. We open tickets in your tracker for every incident that touches your team, with bidirectional sync.

API access?

Yes, on Keep and Citadel. REST + webhooks for incidents, events, scores, evidence packs. The full reference is at docs.ironcastle.io/api.

The company

Who we are, who funds us, who runs us.

Who owns IronCastle?

Permus Information Technology LLC, a privately-held information-security holding company headquartered in Dubai with operations in Sydney. Founded 2018; profitable; bootstrapped through 2021, single growth round since.

How big is the company?

~110 staff at time of writing. ~22 in the SOC, ~40 in engineering, the rest in sales, success, GRC, finance, and operations. Roughly 60/40 split between Dubai and Sydney with a small remote contingent in Singapore and London.

Are you VC-backed?

Lightly. Single Series A in 2022 from a regional growth fund. We're not chasing a hyper-growth narrative; the unit economics work and we'd rather build a 30-year company than a 30-month one.

Who runs the SOC?

Mariana Reyes (VP Security Operations, ex-Mandiant, ex-NSW Police digital forensics). She built our triage methodology and wrote most of our run-books. She is reachable.

How do I get in touch?

Sales: [email protected] · Existing customer: portal contact button (90-second median to analyst) · Press: [email protected] · Security disclosure: [email protected]