Field notes

Research, engineering, and what we're learning.

Grail's team has spent careers inside enterprise incident response — at the keyboard during real breaches, not writing about them from a podium. The platform is the product of that experience. This is where we publish what we're working on, what's changing, and what the field is getting wrong.

01 / Efficiency

A 45‑day investigation, closed by Thursday.

Traditional DFIR firms quote two to six weeks. Panels, onboarding, ticket queues, analyst availability. Grail's pipeline runs continuously — intake to admissible report — and clears most cases in a single business week.

Every hour a breach goes uninvestigated is an hour regulators, insurers, and attackers are making decisions for you.

Legacy IR: 14–45 days
Mid-tier MSSP: 7–14 days
Grail: < 48 hrs

Median wall‑clock time from alert intake to signed report. Based on 31 closed investigations, Q4 2025 – Q1 2026.
02 / Vision

Built for the threats coming next. Not the ones from last decade.

Adversaries are weaponizing AI. Phishing is being written by language models, malware is being mutated at machine speed, and intrusion playbooks are running without a human at the keyboard. The DFIR firms still billing in 200‑hour blocks were built for a slower threat. Grail was built for this one — six purpose‑built AI agents running a full investigation in parallel, at the same speed your adversary moves.

Named, for the record, after knights who mostly failed the quest. We think that's appropriate.

01 · Bridgekeeper (intake): scopes the incident, validates chain-of-custody prerequisites, and opens the case file. Alert ingress → scoped case.
02 · King Arthur (collection): orchestrates evidence collection across endpoints via Velociraptor. Hashes everything at rest. Endpoints → sealed artifacts.
03 · Lancelot (investigation): reconstructs the attacker timeline. Correlates process trees, network flows, registry and filesystem events. Artifacts → timeline.
04 · Sir Bedevere (intelligence): detonates suspicious binaries in a sandbox. Maps behavior to MITRE ATT&CK and known threat actor TTPs. Binaries → TTP mapping.
05 · Black Knight (validation): re-grounds every finding against raw evidence. Rejects any claim not anchored to a hashed artifact. Claims → validated facts.
06 · Tim the Enchanter (reporting): assembles the Daubert-ready report. Executive summary, technical appendix, full evidence index. Validated facts → signed report.

Pipeline: intake → collect → investigate → enrich → validate → report
03 / Forensic Integrity

Every finding, anchored to raw evidence.

"AI in security" usually means trust the model. Grail doesn't ask you to. Every claim in every report carries a direct reference to the artifact, the line, and the SHA‑256 hash it rests on.

The Black Knight agent re-checks every finding against source evidence before it ships. Unverifiable claims are dropped — not softened. Outputs are structured for Daubert admissibility, with chain‑of‑custody sealed end‑to‑end.

Finding F‑0427‑Δ · validated
Initial access via unpatched Fortinet SSL‑VPN (CVE‑2024‑21762), at 2026‑03‑18 04:17:09 UTC, from 185.220.101.34. Attacker established persistence via scheduled task \SysUpdateCheck within 94 seconds.
Artifact: fgt01.fw.log · line 14,208
SHA-256: 9f3e1b0a47c2 ✓ match
Custody: sealed 2026‑03‑19 · notary#A14
Validator: Black Knight · re‑grounded 3 / 3 claims
Writing

More from the team.

Methodology

Anti‑hallucination in DFIR: anchoring findings to raw evidence.

Every claim Grail makes is tied to a specific artifact, line, and hash. Here's the architecture that enforces it — and why we drop unverifiable findings instead of softening them.

Mar 28, 2026 · 11 min
Industry

The economics of incident response for organizations under 500 endpoints.

A $300K retainer is mispriced insurance for a business that will spend it twice in a decade. The math behind why the SMB DFIR market has been underserved for fifteen years.

Mar 12, 2026 · 8 min
Threat Research

Dwell time is a pricing signal, not a security metric.

Why the average dwell time number you keep quoting in board decks is an artifact of how long detection vendors need to justify renewals — not how long attackers actually sit.

Feb 24, 2026 · 9 min
Engineering

Velociraptor at scale: collecting 2.4 TB in eleven minutes without tripping EDR.

A field note on how we tune collection profiles per tenant to stay within bandwidth budgets and stay quiet against the detection stack we're investigating around.

Feb 09, 2026 · 13 min
Methodology

Daubert admissibility for AI‑assisted forensic reports.

Courts are starting to see expert reports co‑written with LLMs. Here are the structural decisions we made — chain of custody, provenance, reproducibility — to keep findings admissible.

Jan 22, 2026 · 16 min
Industry

A note to carriers: your panel vendors are the constraint.

Panel DFIR is a 2011 architecture bolted onto a 2026 claims volume. What a faster, more consistent, API‑driven alternative looks like from the underwriter's seat.

Jan 04, 2026 · 7 min
The team

Built by the people who do it by hand.

I. Wilds

Founder & CEO

Lead architect of the Grail platform. Brings deep expertise in digital forensics and incident response to the problem of investigative automation — building the first system capable of producing regulatory‑compliant findings without analyst intervention.

Brad Seago

Co‑Founder & CSO

Security strategy lead for Grail. Responsible for the platform's security architecture, customer trust framework, and the forensic integrity systems that make Grail's outputs defensible in legal and regulatory contexts.

Austin Schibler

DFIR Advisor & CTO

Technical architect overseeing Grail's infrastructure, AI pipeline, and scalability model. Ensures the platform meets the performance and reliability demands of enterprise incident response at any scale.