Skip to content
Veteran-Owned. Built by engineers who've actually done the work.
Carbynix — Managed Detection and Response, AI-Augmented Security

Detection is the easy part.
Proving it is the product.

Every alert runs through a structured reasoning pipeline that weighs the evidence, tests the opposing explanation, and builds a forensic record a named engineer signs. Not a notification. A record your auditor, insurer, and lawyer can read.

Built by
DHS · CISA · NIH · Google Mandiant
Federal-trained detection engineers. Veteran owned.
Priced at
Guardian $15/ep/mo
Fortress $22/ep/mo
Aegis Customscoped
Published. No sales-call gating. No account minimum.
Scroll

Behind the name

Named for carbyne: the strongest material physics has ever calculated, theorized but not yet stabilized. Carbynix is that theory put into practice.

0+
Custom detection rules
mapped to MITRE ATT&CK
0
Evidence questions
per investigation, on average
0/7
Continuous monitoring
with human-approved response
0%
Escalated verdicts signed
by a named, federal-trained engineer

Method

Chapter 01The PICERL framework

Six phases between an event and an evidence chain.

Every Carbynix engagement runs the SANS PICERL incident response framework end to end: the six-phase methodology federal IR teams use, the standard your auditor and insurer already recognize.

Phase 01 · Preparation

Visibility is the foundation.

Endpoint sensors deployed, full process and script-block telemetry enabled, baselines set, the detection library mapped to MITRE ATT&CK. Without this layer, everything downstream is guessing.

Phase 02 · Identification

Every alert, interrogated.

Alerts fire across endpoints, cloud, and identity. Each one is interrogated by a structured AI reasoning pipeline: hundreds of evidence questions, counterfactual explanations ruled out before any verdict.

Phase 03 · Containment

Human-approved isolation.

Verified threats trigger human-approved isolation: endpoint quarantine, account disable, network segmentation. No autopilot, no black box. The reasoning that justified the action is preserved with it: auditable, reviewable, defensible.

Phase 04 · Eradication

Removed at forensic depth.

Persistence mechanisms, malicious artifacts, and attacker footholds removed at forensic depth. Artifact collection confirms the host returns to a known-good state, not a re-infectable one.

Phase 05 · Recovery

Back online, evidence chain intact.

Coordinated restoration of operations, cleanliness validated before reconnection, monitoring tuned for re-entry attempts.

Phase 06 · Lessons Learned

The artifact your auditor reads.

The full investigation record, every phase from preparation through recovery, is preserved as a forensic artifact: the difference between an alert log and an evidence chain.

Proof

Chapter 02What an investigation looks like

Most MDR vendors show you marketing slides. We show you the work.

A representative excerpt from a real investigation record: the artifact your team receives, your auditor reads, and your insurer reviews if a claim is ever filed.

Investigation ID  2026-04-23-71F4
Closed · Benign
LSASS Memory Access by Non-Standard Process
Rule
124102 / Credential Access Precursor
Process
powershell.exe (PID 4120)
Target
lsass.exe (PID 612)
Access
PROCESS_VM_READ, PROCESS_QUERY_INFORMATION
Host
WS-PARTNER-04 / Windows 11 Pro 23H2
Is this an interactive PowerShell session?
No. Scheduled task. Parent: svchost.exe via Task Scheduler.
Is the executing script signed?
Yes. Valid Authenticode signature. Publisher: Microsoft Corporation.
Did the session establish outbound network connections?
No. Zero outbound traffic in the 60 second post-execution window.
Does the access pattern match known credential-harvesting tools?
No. Read length 4096 bytes, single read. Mimikatz signature reads exceed 2MB across multiple memory offsets.
Counterfactual
Could this be a legitimate Defender scheduled scan?
Yes. MsMpEng.exe and Defender update jobs perform similar reads. Cross-reference confirms scheduled AV scan window 02:00 to 04:00 UTC. Event timestamp 02:14:08 UTC falls inside window.
Verdict
Benign. Microsoft Defender scheduled scan, signature update routine.
Verified by
M. Patel, Detection Engineer
Time to verdict
4 minutes 12 seconds
Record retained
365 days · available in client portal

Every investigation produces a record like this: the reasoning preserved, the verifying engineer named, the artifact retained for as long as your compliance regime requires. The evidence chain commodity MDR was never designed to produce.

Verticals

Chapter 03Who we work with

Built for the businesses regulators expect more from.

Every Fortress engagement ships documentation mapped to your industry's regulatory regime, not generic compliance. The artifacts your auditor signs.

▸ Feature · Federal SDVOSB

Federal & Defense.

We support DoD primes and federal contractors with detection programs that satisfy NIST 800-171 controls and DFARS 7012 reporting timelines. Veteran-owned end to end, built by engineers who have stood post.

  • SAMSAM.gov registered
  • CMMCAligned to Levels 1–3
  • NIST800-171 / DFARS 7012
  • VAVets First eligible
Federal capabilities
ABA Model Rule 1.6 · Formal Opinion 477R / 483

Law Firms

Reasonable-efforts documentation, client-matter segregation, and the post-incident audit trail your bar's ethics opinions expect.

GLBA · FTC Safeguards · NYDFS 500

Financial Services

Annual board attestations, vendor oversight logs, and the 36-hour breach reporting workflow your regulator already knows.

IRS WISP · FTC Safeguards · Pub. 4557

CPA Practices

Quarterly attestation, encryption-at-rest proof, access-controls audit. WISP maintained current to IRS guidance.

CMMC · NIST 800-171 · ITAR / EAR

Manufacturing & Defense

CUI handling, supply-chain monitoring, and the audit trail DoD primes look for.

HIPAA Security Rule · HITECH · PHI

Healthcare

Technical safeguards documentation, audit-log retention, BAA-ready architecture. Per-violation exposure $137–$2.1M.

NAIC Model 668 · PA PIDSA · State DOI

Insurance Agencies

Annual commissioner certification artifacts, third-party service-provider oversight log, producer-license-review readiness.

SOC 2 Type II · GDPR · Customer DPAs

SaaS & Technology

Continuous-controls evidence, sub-processor monitoring, and the customer-DPA breach clauses your enterprise prospects diligence on.

Outside Counsel Guidelines · Client SLAs

Consulting & Advisory

Client-driven security posture meeting OCG requirements, with the breach-notification and forensic-engagement language enterprise clients expect.

04 / Engagements

Three ways to engage. One platform underneath.

The same detection engine, the same reasoning pipeline, the same engineers. The tier you pick changes scope and documentation, not capability.

Guardian
$15 / endpoint / month
Core managed detection and 24/7 human-verified response. For businesses that have outgrown antivirus and want real coverage at a published price. No account minimum, no ceiling. Annual-commitment discounts available.
Fortress
$22 / endpoint / month
Everything in Guardian, plus the evidence layer. Quarterly compliance attestation mapped to your industry, 10 hours per month of incident response retainer, 365 day log retention, and proactive threat hunting. The tier built for regulated practice.
Aegis
Custom Engagement
Multi-site enterprise and federal-eligible engagements. Direct access to the engineers who built the platform. Custom SLA, SAML/SSO, dedicated detection engineering, vertical-specific rule development. SDVOSB federal set-aside eligible. No help-desk tier.
START THE CONVERSATION

Clear answers begin with a focused discussion.

Whether you are responding to an active incident or strengthening your posture before one, Carbynix is ready. Reach out to begin a confidential conversation and find the right next step.

CONTACT US