Anti‑hallucination in DFIR: anchoring findings to raw evidence.
Every claim Grail makes is tied to a specific artifact, line, and hash. Here's the architecture that enforces it — and why we drop unverifiable findings instead of softening them.
Grail's team has spent careers inside enterprise incident response — at the keyboard during real breaches, not writing about them from a podium. The platform is the product of that experience. This is where we publish what we're working on, what's changing, and what the field is getting wrong.
The standard DFIR engagement bills 200 to 400 analyst hours not because that is how long the investigation takes, but because that is how long the firm needs to amortize a senior analyst's payroll across enough billable cases. The methodology was reverse‑engineered from the cost structure, then dressed up as rigor.
Strip the analyst out of the critical path and the math collapses. Most of those hours are queue time, ticket triage, manual artifact parsing, and re‑writing the same executive summary for the seventh insurer this quarter. None of that is forensic work. It is the human tax on a 2011 operating model that the industry has spent fifteen years pretending is a craft.
The honest version is shorter. A real investigation has roughly the same number of decisions in it whether the case file is a phishing payload or a domain‑wide ransomware event — what changes is the volume of evidence the responder has to carry through those decisions. Carry it with software and the engagement closes in days, at a price that lets a 200‑endpoint clinic actually afford an answer instead of a retainer they will never use.
Most of the "AI in security" discourse treats model hallucination as a prompting failure — better instructions, better grounding, better retrieval, and the model will stop making things up. It will not. A language model will always produce plausible text faster than it can verify the underlying claim. That is the job. Asking the same model to be both author and auditor is asking the witness to grade their own deposition.
Forensic findings have to survive a different standard. A Daubert challenge does not care how confident the model sounded. It cares whether the claim is anchored to a specific artifact, whether the artifact's integrity can be independently verified, and whether the methodology that produced the claim is reproducible. None of those properties live inside a prompt. They live in the architecture surrounding the model — in a separate validator that re‑grounds every claim against raw evidence, in hash‑anchored provenance on every reference, in a system that drops unverifiable claims rather than softening them into hedged language.
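As an added illustration (not Grail's code, and the evidence store, log lines and claims are constructed for the example), this is the shape of a validator that re-grounds each claim against raw evidence: every reference names an artifact, a line and the artifact's hash, and a claim whose references fail any check is dropped with a reason rather than hedged.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample evidence (not real case data): artifact name -> raw bytes as collected.
EVIDENCE = {
    "auth.log": (
        b"Mar 04 02:11:07 host sshd[812]: Accepted password for svc_backup from 10.0.0.5 port 51022\n"
        b"Mar 04 02:11:09 host sshd[812]: pam_unix(sshd:session): session opened for user svc_backup\n"
    ),
}
def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass(frozen=True)
class Reference:
    artifact: str  # collected file the claim cites
    line: int      # 1-based line number inside that file
    sha256: str    # hash of the artifact as collected; the provenance anchor
    quote: str     # exact text the claim relies on
@dataclass(frozen=True)
class Claim:
    text: str
    refs: tuple    # tuple of Reference; empty means the claim is unanchored
def check_reference(ref: Reference):
    """Return None if the reference re-grounds against raw evidence, else why it fails."""
    raw = EVIDENCE.get(ref.artifact)
    if raw is None:
        return f"artifact {ref.artifact!r} not in evidence store"
    if sha256_hex(raw) != ref.sha256:
        return f"hash mismatch for {ref.artifact!r}: integrity not established"
    lines = raw.decode("utf-8", "replace").splitlines()
    if not 1 <= ref.line <= len(lines):
        return f"{ref.artifact!r} has {len(lines)} lines, claim cites line {ref.line}"
    if ref.quote not in lines[ref.line - 1]:
        return f"quoted text not present at {ref.artifact!r}:{ref.line}"
    return None

def validate(claims):
    """Split claims into (kept, dropped); dropped entries carry the reason, nothing is hedged."""
    kept, dropped = [], []
    for claim in claims:
        failures = [r for r in map(check_reference, claim.refs) if r is not None]
        if not claim.refs:
            dropped.append((claim, "no artifact reference: claim is unanchored"))
        elif failures:
            dropped.append((claim, "; ".join(failures)))
        else:
            kept.append(claim)
    return kept, dropped
```

A model-authored claim that cites a line which does not say what the claim needs, or an artifact whose hash no longer matches, never reaches the report; the drop reason is what the reviewer sees instead.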
The DFIR firms experimenting with LLM‑assisted reporting are going to learn this in front of opposing counsel before they learn it in a design review. The market is going to bifurcate quickly between systems that produce findings and systems that produce admissible findings. The architectural decisions that separate those two categories are being made right now, by people who will not be able to retrofit them later.
Adversaries crossed the machine‑speed line two years ago. Initial access brokers are running automated reconnaissance at a cadence that would have required a team in 2022. Phishing copy is being generated and personalized by the same models defenders are still arguing about deploying. Ransomware affiliates have playbooks that fire end‑to‑end without a human at the keyboard for stretches measured in minutes, not hours.
The response side has not moved. The intake queue at the average panel DFIR vendor is still measured in business days. The kickoff call still happens on Tuesday for a breach that hit on Friday. The first analyst still touches evidence on day four of an incident where the attacker was finished by hour three. Every one of those gaps is dwell time the regulator, the insurer, and the attacker all get to use against the victim before the responder shows up.
That gap — not the malware, not the unpatched VPN, not the misconfigured S3 bucket — is the actual threat surface no one is pricing. The next decade of incident response is going to be defined by which providers close it and which providers pretend it does not exist. The math is not subtle: a responder operating in days against an attacker operating in minutes is not a slower competitor. It is a different category of service entirely.
A $300K retainer is mispriced insurance for a business that will spend it twice in a decade. The math behind why the SMB DFIR market has been underserved for fifteen years.
Why the average dwell time number you keep quoting in board decks is an artifact of how long detection vendors need to justify renewals — not how long attackers actually sit.
A field note on how we tune collection profiles per tenant to stay within bandwidth budgets and stay quiet against the detection stack we're investigating around.
Courts are starting to see expert reports co‑written with LLMs. Here are the structural decisions we made — chain of custody, provenance, reproducibility — to keep findings admissible.
Panel DFIR is a 2011 architecture bolted onto a 2026 claims volume. What a faster, more consistent, API‑driven alternative looks like from the underwriter's seat.
Lead architect of the Grail platform. Brings deep expertise in digital forensics and incident response to the problem of investigative automation — building the first system capable of producing regulatory‑compliant findings without analyst intervention.
Brad leads Grail's go‑to‑market strategy and the work of translating an autonomous DFIR platform into measurable business impact for the security teams, carriers, and channel partners who buy it. His career has been built on bridging the gap between AI and ML technologies and the operational realities of enterprise buyers — identifying where emerging capability actually changes the customer's math, and structuring the partnerships and commercial motions that make adoption durable.
At Grail he owns the commercial architecture of the company: pricing model, partner network, complex enterprise sales cycles, and the cross‑functional alignment between product, engineering, and the field. He is responsible for ensuring Grail's technology does not just demonstrate well in a lab — it lands inside regulated organizations, scales across cyber insurance panels, and produces the revenue and reference customers a category‑defining platform requires.
Technical architect overseeing Grail's infrastructure, AI pipeline, and scalability model. Ensures the platform meets the performance and reliability demands of enterprise incident response at any scale.