Identity-first incident response

Picks up where detection stops.

InaiSec is the identity-first IR layer for everything after an alert is confirmed: collect evidence, trace the compromised credential, map blast radius, and prepare who must be notified.

Built by a founding security engineer from Databricks. Previously Capital One. Co-inventor of 4 security patents.

The problem

Detection finds the threat. Everything after is still manual.

SIEM, XDR, EDR, and AI analyst tools help teams find and validate threats. But a credential incident rarely stays in one system. Analysts still collect evidence by hand, trace access paths across disconnected systems, and pull legal into the conversation before the real blast radius is clear.

26 days

Median dwell time when external entities notify the organization

When attackers are not caught fast, the post-confirmation work starts cold and stretches across weeks of fragmented evidence. Source: Mandiant M-Trends 2025.

0/12

IR platforms can do both halves of the job

Of 12 platforms analyzed, none can investigate systems they were not pre-configured for and map findings to notification obligations during the investigation.

20/20

Practitioners flagged the same two steps as highest-cost

Of 20 IR practitioners interviewed, all 20 ranked cross-environment evidence stitching and customer-impact analysis as the most expensive parts of the response.

Run real incidents through InaiSec as a design partner.


The platform

An identity-first IR layer for the work detection does not finish.

InaiSec converges evidence retrieval, attack-chain reconstruction, blast-radius analysis, and notification readiness into one operational surface. No data lake. No log-forwarding retrofit. No compliance afterthought.

Evidence

Evidence from anywhere

Retrieve the records needed for an active investigation from cloud, SaaS, identity, and data systems without pre-ingesting every log.

Identity

Cross-system identity chain

Map every identity, role, session, and system touched by the compromised credential as the investigation unfolds.

Notify

Regulatory clarity built in

Turn blast-radius findings into live obligation timers and draft notification packets during the investigation, not after it.

Before InaiSec

  • Analyst manually searches identity, cloud, SaaS, and data systems, stitching evidence together by hand
  • Blast radius takes shape over days as findings trickle in from each system
  • Security, legal, and CISO teams reconcile impact after the fact, often days into the disclosure clock

InaiSec workflow

  • Retrieves evidence from every system the compromised credential touched
  • Maps systems touched, access used, and data at risk into one live view
  • Drafts notification packets and obligation timers as the investigation unfolds

Why now

The regulatory math no longer works.

Credential incidents span identity, cloud, SaaS, and data stores. At the same time, DORA, NIS2, GDPR, and SEC rules put disclosure clocks on work that still depends on manual evidence stitching. InaiSec is built for investigation-time clarity when the clock is already running.

DORA 4 hours

Initial notification to supervisory authority.

NIS2 24 hours

Early warning to national CSIRT.

GDPR 72 hours

Notification to supervisory authority.

SEC 4 business days

Form 8-K material cybersecurity incident.

About the founder

“Built by a practitioner.”

Kishore Fernando

Across more than a decade of security engineering at Capital One and Databricks, including building the multi-cloud SIEM and IR infrastructure that ran through Databricks’ hypergrowth, one pattern stayed constant: IR teams doing world-class work on top of fragmented evidence and manual correlation.

InaiSec is built for that gap. It provides the speed and precision of automated identity tracing combined with the flexibility required for complex, modern environments.

FAQ

Straight answers for early conversations.

What is identity-first incident response?

It is incident response that starts from the credential, account, role, and access path. The goal is to answer what the identity touched, what data may be affected, and who must be notified.

How is this different from ITDR or AI SOC tools?

ITDR and AI SOC tools help detect and validate identity threats. InaiSec is focused on the work after validation: evidence retrieval, cross-system attack-chain tracing, blast radius, and disclosure readiness.

Does InaiSec require a data lake?

No. The product direction is on-demand evidence collection at investigation time. InaiSec should not require pre-ingesting every log into a new lake before it can produce value.

How does InaiSec handle credentials?

InaiSec is designed around scoped, read-only access, revocable connectors, audit logs, and investigation-bounded retrieval.

What systems are in scope first?

The current design center is identity, cloud, SaaS, and data systems such as Okta, Entra ID, Google Workspace, AWS, and Snowflake.

Join the design partner program

Help shape the IR platform that should exist.

InaiSec is looking for 3 to 5 paid design partners running real investigations against the systems they already use. Send a short note with your role, company, current IR tools, and the incidents you want InaiSec to help scope.

Design partners get

  • Full blast radius in minutes, not days
  • One surface for cases, evidence, and communication
  • Shape the product as it is built