Incident Binder

You cannot reason about intent from alerts. Only from evidence.

Incident Binder adds a deterministic, evidence-grade reasoning layer to your existing SOC operations. Powered by IRONLINE — a patent-pending vendor-agnostic reasoning engine.

201+ API Endpoints
55 Assertion Types
8 Intent Hypotheses
12 Patent Claims

The Problem
The Problem

Alerts tell you something happened. Evidence tells you why it matters.

SIEM and SOAR platforms are essential for detection and orchestration. Incident Binder adds what they were never designed to provide: deterministic reasoning about attacker intent, court-ready evidence chains, and explainable conclusions.

Dimension | SIEM / SOAR | Incident Binder
Truth Source | Vendor-specific alerts | Vendor-agnostic canonical signals
Reasoning | Rule-based correlation | Deterministic intent hypothesis pipeline
Evidence | Log aggregation | Immutable chains + cryptographic anchoring
Auditability | Black box ML models | Explainable, replay-safe, same-input-same-output
Legal | No built-in evidence chain | Court-ready evidence with RFC 3161 timestamps
Multi-Vendor | Vendor lock-in | New vendor = new adapter. Core reasoning unchanged.

How IRONLINE Works

From raw telemetry to audit-grade incidents

Every security event flows through a deterministic, immutable pipeline. Same input always produces the same output with identical SHA256 fingerprints.

1. Signals (Facts): Raw events canonicalized into vendor-agnostic signals. Immutable, append-only.
2. Assertions (Claims): 55 deterministic assertion types derived from signal patterns. No ML, no black boxes.
3. Intents (Hypotheses): 8 intent types with competing hypotheses. Squared-weight confidence aggregation.
4. Incidents (Workspaces): Auto-created when evidence crosses tenant policy thresholds. Evidence-gated transitions.

Live Demonstration

Watch evidence converge in real time

A real Business Email Compromise scenario. Choose your lens — every audience sees different layers of the same immutable evidence chain.

Live Incident Reconstruction from Real Cloud Activity

This page shows a live Microsoft cloud environment processed through our deterministic reasoning engine. What you are seeing is not a simulation — it is real telemetry transformed into structured incident intelligence in real time.

Vendor-Agnostic Ingestion (New vendor = new adapter · Core reasoning unchanged)
Microsoft Entra ID, Sign-in Logs: live
Microsoft Entra ID, Directory Audit: live
Microsoft 365, Unified Audit: ready
Microsoft Defender, Endpoint Detection: next
Wazuh / OSSEC, Open Source SIEM: planned
CrowdStrike, Endpoint Protection: planned
Okta / Auth0, Identity Provider: planned
AWS CloudTrail, Cloud Infrastructure: planned

Live counters shown on the page: Signals Processed, Assertions Evaluated, False Positives, Incidents Created, Uptime.
What the System Concludes Happened (55 assertions · 12 tactics)
Deterministic rules, not ML predictions. Reproducible outcomes from defined logic.

Tactic coverage is tracked across the 12 MITRE ATT&CK tactics:
Initial Access (TA0001)
Execution (TA0002)
Persistence (TA0003)
Privilege Escalation (TA0004)
Defense Evasion (TA0005)
Credential Access (TA0006)
Discovery (TA0007)
Lateral Movement (TA0008)
Collection (TA0009)
Exfiltration (TA0010)
Command & Control (TA0011)
Impact (TA0040)

Legend: Strong (3+) · Gap — expanding (≤2)
Raw Activity Entering the System (Signals · Assertions · Intents · Incidents)
Real security events from Microsoft Entra ID and M365, converted into structured signals instead of isolated alerts.
Contextual Confidence Convergence
Same action, different context, different conclusion.

Two lenses, Attacker and Admin (PIM): same action · same user · different context → different confidence.

Why This Matters
0.08 confidence: Admin assigns Global Admin via PIM at 10:00 AM (Authorized · PIM-activated · business hours · baseline)
0.85 confidence: Intern assigns Global Admin directly at 2:17 AM (No PIM · off-hours · no baseline · new account)

Same action. Same system. Context changes everything.
How Well the System Detected the Activity
Live KPIs shown on the page: Kill Chains Detected (with count blocked), MITRE Coverage (of 55 assertions mapped), Avg Detection Time (signal → incident), False Positive Rate, Cross-Domain (multi-domain chains), Cross-Adapter (multi-vendor chains), Strongest Tactics, Known Gaps (expanding).
Determinism Verification
Same input → same output · deviation = freeze + investigate
Each run is recorded with: Run, Input Hash, Output Hash, Events, Assertions, Status. Deduplication active; the page shows the count of consecutive verified runs.
Every pipeline run hashes its input and its output independently. If the SHA-256 output hash deviates from the expected deterministic result, the run is frozen for investigation. No alert pollution: only verified facts advance.
Reconstructing What Happened — After the Fact
Reprocess historical activity using pinned logic versions to verify conclusions.
POST-BREACH DISCOVERY
Re-process historical events through updated reasoning
Because IRONLINE is deterministic, historical events can be replayed through new assertion types or updated confidence models. This discovers previously invisible attack patterns and validates detection improvements — court-ready, with full provenance.
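The two mechanisms described above, independent input/output hashing with a freeze on deviation, and replay of historical events under a pinned logic version, as an added example written for this page. It is not Incident Binder's or IRONLINE's own code: the event fields, the canonicalization rule, the two assertion rules and their thresholds, the record layout and the status strings are all assumptions chosen for the demo.

```python
import hashlib
import json

# Constructed sample telemetry: two role-assignment events with keys in
# arbitrary order. Field names are assumptions for this demo, not a real schema.
RAW_EVENTS = [
    {"user": "intern@example.test", "action": "RoleAssigned",
     "role": "Global Administrator", "hour": 2, "pim": False, "account_age_days": 3},
    {"hour": 10, "pim": True, "account_age_days": 900, "user": "admin@example.test",
     "action": "RoleAssigned", "role": "Global Administrator"},
]


def canonicalize(events):
    """Serialize events to a byte-identical form regardless of key order,
    whitespace or list order, so the same facts always hash the same way."""
    lines = sorted(json.dumps(e, sort_keys=True, separators=(",", ":")) for e in events)
    return "\n".join(lines).encode()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Assertion logic is pinned by version so a record can name exactly which
# rules produced its conclusions. Both rule sets are constructed for the demo.
def assertions_v1(event):
    found = []
    if event["action"] == "RoleAssigned" and not event["pim"]:
        found.append("PRIVILEGED_ROLE_WITHOUT_PIM")
    if event["hour"] < 6 or event["hour"] >= 20:
        found.append("OFF_HOURS_ACTIVITY")
    return found


def assertions_v2(event):
    # v2 adds one assertion type; everything v1 asserted is still asserted.
    found = assertions_v1(event)
    if event["account_age_days"] < 30:
        found.append("NEW_ACCOUNT")
    return found


LOGIC = {"v1": assertions_v1, "v2": assertions_v2}


def run_pipeline(events, logic_version):
    """Deterministic run: same events + same logic version => same two hashes."""
    canon = canonicalize(events)
    output = [
        {"user": e["user"], "assertions": sorted(LOGIC[logic_version](e))}
        for e in sorted(events, key=lambda e: (e["user"], e["action"]))
    ]
    return {
        "logic_version": logic_version,
        "input_hash": sha256_hex(canon),
        "output_hash": sha256_hex(canonicalize(output)),
        "events": len(events),
        "assertions": sum(len(o["assertions"]) for o in output),
        "output": output,
    }


def verify_run(record, expected):
    """Compare a fresh run against the stored record. Any deviation freezes
    the run for investigation instead of letting its conclusions advance."""
    if record["input_hash"] != expected["input_hash"]:
        return "FROZEN: input changed"
    if record["logic_version"] != expected["logic_version"]:
        return "FROZEN: logic version mismatch, replay expected"
    if record["output_hash"] != expected["output_hash"]:
        return "FROZEN: non-deterministic output, investigate"
    return "VERIFIED"


def replay(events, old_record, new_version):
    """Re-run historical events under a newer pinned logic version and report
    the assertion types the old version could not have produced."""
    new = run_pipeline(events, new_version)
    if new["input_hash"] != old_record["input_hash"]:
        raise ValueError("replay must use exactly the same historical facts")
    old_types = {a for o in old_record["output"] for a in o["assertions"]}
    new_types = {a for o in new["output"] for a in o["assertions"]}
    return new, sorted(new_types - old_types)


if __name__ == "__main__":
    first = run_pipeline(RAW_EVENTS, "v1")
    again = run_pipeline(list(reversed(RAW_EVENTS)), "v1")
    print(verify_run(again, first))            # VERIFIED: order of arrival does not matter
    later, added = replay(RAW_EVENTS, first, "v2")
    print(added, verify_run(later, first))      # ['NEW_ACCOUNT'] FROZEN: logic version mismatch ...
```

The replay deliberately reports a frozen status when compared against the v1 record: a changed output hash is only acceptable when the logic version changed with it, which is what pinning the logic version makes provable.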
Automatic Incident Creation · Deterministic Flow
When activity crosses defined thresholds, the system opens a structured incident workspace.

Raw Events (ingested) → Signals (normalized) → Enrichment (contextualized) → Assertions (evaluated) → Intents (competing) → Incidents (with false positives counted)

sha256 verified · same input → same output · every conclusion reproducible
“You cannot reason about intent from alerts. You can only reason about intent from facts.”
Patent pending · Canadian built · Facts over alerts · Vendor agnostic
Built For

Every stakeholder. One truth.

MSPs & MSSPs

Multi-tenant by design. One reasoning engine serves all clients with isolated evidence chains, tenant-scoped policies, and CISO-grade KPI dashboards.

Tenant isolation enforced in every query
Per-client policy thresholds
Batch replay for historical analysis
Regulated Industries

Finance, healthcare, and government demand audit-grade documentation. Incident Binder delivers it by default — not as an afterthought.

RFC 3161 timestamp anchoring
Evidence contracts with prerequisite gates
Legal hold with retention protection
SMEs & Startups

Enterprise-grade incident response without enterprise-grade headcount. Deterministic reasoning means consistent results without analyst fatigue.

No ML training data required
Works with existing tooling via adapters
Playbook-guided response for lean teams
Trust & Credibility

Patent-pending. Production-deployed. Canadian IP.

12 Patent Claims Filed: Canadian patent covering vendor-agnostic canonicalization architecture
21 Implementation Slices: Complete MVP with deterministic pipeline, RBAC, evidence chains
200+ Automated Tests: CI-gated with lint, test, commitlint, gitleaks, and UI lint
Azure Enterprise Infrastructure: Container Apps, private PostgreSQL, managed SSL, Canada Central

Ready to see evidence-grade incident response?

We are actively seeking design partners, MSP validation pilots, and accelerator collaborations. If you want to add evidence-grade reasoning to your security operations, let's talk.

Become a Design Partner · Email Us Directly
Patent-Pending · 12 Claims · Ongakatech Inc. · Canada