Pipeline status · nominal Autonomous DFIR · v2.4

Forensic investigations in hours. Not weeks.

Grail is an autonomous incident response pipeline. Six AI agents run intake, collection, analysis, validation and reporting end‑to‑end — so your team can focus on what comes next, not what already happened.

Time to findings: < 48 hrs
Legacy benchmark: 14–45 days
Audit-ready output: every case
Analyst hours required: 0

01 / Efficiency

A 45‑day investigation, closed by Thursday.

Traditional DFIR firms quote two to six weeks. Panels, onboarding, ticket queues, analyst availability. Grail's pipeline runs continuously — intake to admissible report — and clears most cases in a single business week.

Every hour a breach goes uninvestigated is an hour regulators, insurers, and attackers are making decisions for you.

Legacy IR: 14–45 days
Mid-tier MSSP: 7–14 days
Grail: < 48 hrs
Median wall‑clock time from alert intake to signed report. Based on 31 closed investigations, Q4 2025 – Q1 2026.

02 / Vision

Built for the threats coming next.
Not the ones from last decade.

Adversaries are weaponizing AI. Phishing is being written by language models, malware is being mutated at machine speed, and intrusion playbooks are running without a human at the keyboard. The DFIR firms still billing in 200‑hour blocks were built for a slower threat. Grail was built for this one — six purpose‑built AI agents running a full investigation in parallel, at the same speed your adversary moves.

Named, for the record, after knights who mostly failed the quest. We think that's appropriate.

01 · Bridgekeeper · intake
Scopes the incident, validates chain-of-custody prerequisites, and opens the case file.
alert ingress → scoped case

02 · King Arthur · collection
Orchestrates evidence collection across endpoints via Velociraptor. Hashes everything at rest.
endpoints → sealed artifacts

03 · Lancelot · investigation
Reconstructs the attacker timeline. Correlates process trees, network flows, registry and filesystem events.
artifacts → timeline

04 · Sir Bedevere · intelligence
Detonates suspicious binaries in sandbox. Maps behavior to MITRE ATT&CK and known threat actor TTPs.
binaries → TTP mapping

05 · Black Knight · validation
Re-grounds every finding against raw evidence. Rejects any claim not anchored to a hashed artifact.
claims → validated facts

06 · Tim the Enchanter · reporting
Assembles the Daubert-ready report. Executive summary, technical appendix, full evidence index.
validated facts → signed report

intake → collect → investigate → enrich → validate → report

03 / Forensic Integrity

Every finding, anchored to raw evidence.

"AI in security" usually means trust the model. Grail doesn't ask you to. Every claim in every report carries a direct reference to the artifact, the line, and the SHA‑256 hash it rests on.

The Black Knight agent re-checks every finding against source evidence before it ships. Unverifiable claims are dropped — not softened. Outputs are structured for Daubert admissibility, with chain‑of‑custody sealed end‑to‑end.

finding · F‑0427‑Δ · validated
Initial access via unpatched Fortinet SSL‑VPN (CVE‑2024‑21762), at 2026‑03‑18 04:17:09 UTC, from 185.220.101.34. Attacker established persistence via scheduled task \\SysUpdateCheck within 94 seconds.
Artifact: fgt01.fw.log · line 14,208
SHA-256: 9f3e1b0a47c2 ✓ match
Custody: sealed 2026‑03‑19 · notary#A14
Validator: Black Knight · re‑grounded 3 / 3 claims

Who it's for

Two buyers. One pipeline.

In‑house security

Regulated teams without a retainer.

You have a 1–3 person security team, a HIPAA audit on the calendar, and a board that doesn't want to hear about a $300K IR retainer you'll never use. Grail gives you incident response on demand, priced to what a breach actually costs your business.

  • Healthcare, fintech, regional infrastructure
  • 50–5,000 endpoints
  • No DFIR retainer. No 200-hour engagements.

Cyber insurance

Panel DFIR, predictably fast.

Replace the 30‑day panel vendor with a pipeline that closes claims in days — at a tenth of the cost per policyholder. Consistent methodology, consistent output format, consistent SLA. Underwriters get their loss numbers before reserves drift.

  • Carriers, MGAs, reinsurers
  • API‑driven claim intake
  • Standardized admissible output
Comparison

Same investigation. Different order of magnitude.

Median figures across published retainer pricing and public post‑incident disclosures.

| | Legacy IR retainers | Grail |
|---|---|---|
| Time to findings | 14–45 days (queued against analyst availability) | < 48 hours (continuous pipeline, no queue) |
| Cost per investigation | $25K–$200K (hourly analyst billing) | Engagement-based pricing (predictable, capped per case) |
| Analyst hours required | 200–400 hrs (manual evidence review) | 0 (autonomous; analyst oversight optional) |
| Consistency across cases | Varies by analyst | Deterministic methodology |

Posture

Controls: SOC 2 Type II in progress
Healthcare: HIPAA aligned
Evidence integrity: SHA‑256 sealed
Legal: Daubert‑ready outputs

Close the next investigation by Thursday.

A thirty‑minute walkthrough. No slideware. We run the pipeline live against a sanitized case file.

Request a demo