The company that looked at the panic after the security alarm goes off - the 3am scramble across legal, comms, and the board - and decided to build a product for it.
Every company drills for the attack. Almost none drill for the response. This is the strange, load-bearing gap that BreachRx built a company inside of. The industry has spent two decades and untold billions on detection - firewalls, endpoint agents, threat feeds, the whole apparatus of noticing that something is wrong. What it spent far less on is the far messier question of what happens in the hours and days after you notice. Who calls legal. Who drafts the regulatory disclosure. Who decides what the board is told, and when. Who writes it all down well enough that a regulator, a litigator, or an insurer can't later argue you improvised.
BreachRx's founding observation is almost boring in its obviousness, which is usually the sign of a good one: the technical fix for a breach is frequently the easy part. The hard part is coordination. A modern incident is a cross-functional crisis that yanks in security, legal, communications, compliance, and the C-suite - each with different information, different obligations, and, crucially, different tolerances for risk. Most organizations manage that crisis with the tools nearest to hand: a spreadsheet, a hastily created Slack channel, a shared doc, a lot of phone calls. Which is to say, they manage a business-ending event with the same tools they'd use to plan an offsite.
So the company built the thing that replaces the spreadsheet-and-Slack scramble: a secure, central workspace where every stakeholder in a breach can see what's happening, know what they own, follow a tailored playbook, and - the part regulators care about - leave a defensible audit trail. BreachRx gave the whole category a name, CIRM, for Cybersecurity Incident Response Management. Coining a category is a well-worn startup move, and it's easy to be cynical about it. But there's a real argument here: response genuinely doesn't fit neatly into detection tooling, GRC platforms, or SOAR automation. It's its own discipline, and BreachRx is betting the market will eventually agree it deserves its own budget line.
Two founders make the thesis legible. Andy Lunsford, the CEO, spent fifteen-plus years in privacy law and commercial litigation - which is to say he has watched, up close, what a badly managed disclosure does to a company. Matt Hartley, the Chief Product Officer, spent two decades in cybersecurity, including a stint as an SVP at FireEye, which is to say he has watched, up close, what the attacks themselves actually look like. Law and threat intelligence under one roof. It's an unusual pairing, and it explains why the product cares as much about the regulatory clock as it does about the incident timeline.
BreachRx's core product is the Rex Platform. Around it sits a small constellation of tools - an AI engine, a regulatory scout, tabletop drills, and a mobile command channel - each aimed at a different moment in the life of an incident: before, during, and after.
The central, secure workspace where security, legal, comms, and executives coordinate a live incident - assigning ownership, running playbooks, and capturing evidence as it happens.
An agentic AI engine that assesses severity, executes playbooks, and drafts executive summaries. Its orchestration agent, Maestro, tracks progress and delegates to specialized agents.
Maps a single incident to the disclosure and reporting obligations that apply across jurisdictions - so the deadline clock isn't something a lawyer has to reconstruct at 3am.
Tabletop drills that rehearse cross-functional coordination before a real event, on the theory that practiced teams panic less.
Runs out-of-band, so responders can coordinate from anywhere - and the tool managing the breach isn't sitting on the systems that got breached.
Fifteen-plus years in privacy law and commercial litigation before founding BreachRx. He has seen what a mishandled disclosure costs - which is, in a sense, the entire premise of the product.
Two decades in cybersecurity, including SVP at FireEye, and a CISSP holder. He brings the threat-intelligence view - what attacks actually look like when the alarm sounds.
The 2025 Series A was oversubscribed and led by Ballistic Ventures, with SYN Ventures, Overline, and Silver Buckshot Ventures joining. The signal wasn't only the dollars: former Mandiant CEO Kevin Mandia took a board seat, and former New York Times cybersecurity reporter Nicole Perlroth joined as board observer. When the person who ran Mandiant bets on your response layer, the market notices.
"BreachRx is the first incident response platform built for the messy, high-stakes reality of cyber incidents today."
Nicole Perlroth • Board Observer"The most forward-thinking CISOs understand that cyberattacks and breaches are events that companies must manage with effective command and control."
Kevin Mandia • Board Member, former Mandiant CEO"Companies plan for one major incident at a time. That assumption is already broken."
Phil Venables • Ballistic VenturesAndy Lunsford and Matt Hartley start the company on a simple premise: a breach is an enterprise-wide crisis, not just an IT problem.
Seed capital, with SYN Ventures and Overline, funds the build-out of the platform.
3x year-over-year ARR growth as CIRM starts landing with enterprise buyers.
An oversubscribed round led by Ballistic Ventures pushes total funding past $23M; Kevin Mandia joins the board, Nicole Perlroth as observer.
An agentic AI incident command center, led by the Maestro orchestration agent, launches for a world of multiple simultaneous breaches.
In June 2026 BreachRx shipped the Rex Platform as an agentic AI incident command center - built, pointedly, for incidents no one has a playbook for yet. Over-permissioned agents. Manipulated models. Multiple breaches unfolding at once, which is a scenario most incident plans quietly assume away. The orchestration agent, Maestro, tracks progress and delegates to specialized agents for severity, playbooks, regulatory jurisdiction, and reporting. It's early, and the AI-causes-the-breach future is still more thesis than epidemic. But the framing is the interesting part: BreachRx keeps aiming at the moment after the alarm, and the alarms are only going to get stranger.
It makes SaaS that helps enterprises coordinate cybersecurity incident response across security, legal, communications, and executive teams - automating playbooks, tracking regulatory reporting obligations, and preserving a defensible audit trail.
Cybersecurity Incident Response Management is the category BreachRx coined. It treats a breach as an enterprise-wide business crisis requiring cross-functional coordination, rather than a purely technical incident.
It was founded in 2017 by Andy Lunsford (CEO, a former privacy lawyer) and Matt Hartley (Chief Product Officer, a former SVP at FireEye).
Over $23 million total, including an oversubscribed $15M Series A in May 2025 led by Ballistic Ventures.
More than 100 enterprise customers across financial services, technology, healthcare, and critical infrastructure - including Coinbase, American Express, and Commvault.