Gesamt — DFIR Platform for Incident Response & Recovery

/ɡəˈzamt/ — German for total

Prepare. Respond. Recover.
Total incident lifecycle. One unified platform.

Who we serve

Built for the teams that respond when it matters most

IR Firms

Spin up a case in minutes, not hours. Unified tooling from collection to court-ready reporting — no more stitching five platforms per engagement.

MSPs & MSSPs

Proactive telemetry your clients actually pay for. Fixed-cost continuous collection means you're not selling a tool that only works on their worst day.

Enterprise Security

In-house IR capability without the infrastructure overhead. Per-tenant isolation, RBAC, and data residency built in from day one.

Legal Teams

Chain of custody maintained through every phase. Evidence-grade collection, tamper-proof audit trails, and reports ready for litigation.

Cyber Insurance

Faster claims resolution with structured forensic data. Standardized reporting across all engagements — no more inconsistent deliverables.

Law Enforcement

Digital evidence processing at scale. Court-ready chain of custody, in-jurisdiction data residency, and unified timelines across seized devices.

The platform

Everything a DFIR team needs. Nothing it doesn’t.

Forensic Engine

Unified schema. Sub-second search.

Zeitline (/ˈzaɪtlaɪn/ — like 'timeline') parses 400K+ events per second into a single normalized schema — endpoint, cloud, and identity data in one table. Sub-second query response across billions of events.

  • Unified events schema across Windows, M365, Entra ID
  • Zeitline: Rust-native parser for speed and correctness
  • Per-tenant data isolation by default
  • 1 year data retention included — no archive fees

-- Unified timeline — one query, all data sources
SELECT timestamp, data_type, message, hostname
FROM events
WHERE tenant_id = 'acme'
  AND data_type IN (
    'windows:evtx:record',
    'm365:sign_in',
    'entra:audit'
  )
ORDER BY timestamp DESC

Investigation

DFQL + SQL. Your choice.

DFQL is a purpose-built forensic query language that speaks your investigation workflow. Prefer raw SQL? Use that instead. Both query the same unified timeline.

  • DFQL: natural forensic syntax — 'logons for svc_admin last 7 days'
  • SQL mode: full SQL with tenant isolation
  • Unified timeline across all artifact types
  • Concept-based queries: 'lateral movement', 'persistence', 'exfiltration'

DFQL

logons for svc_admin last 7 days where logon_type = "10" on endpoint DC01
lateral movement for svc_admin between 12:03 and 12:04 on 2025-06-17
process execution where command_line contains "mimikatz" last 48 hours
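One way to see what the unified schema buys you, as an added example that is not Gesamt's own code: a miniature events table in SQLite with the same tenant_id, timestamp, data_type, hostname and message columns as the query in the Forensic Engine section, a handful of constructed sample events from the three sources, and the three DFQL examples above expressed as parameterised SQL over that table. The extra columns (user_name, logon_type, source_ip, command_line), the sample rows and the `sql_mode` tenant-scoping wrapper are assumptions for illustration, not Gesamt's schema or behaviour.

```python
# Added example (not Gesamt's code): a toy "unified events" table in SQLite,
# constructed sample events, and the page's DFQL examples written as SQL.
# Columns other than tenant_id/timestamp/data_type/hostname/message are assumed.
import sqlite3
from datetime import datetime, timedelta, timezone

SCHEMA = """
CREATE TABLE events (
    tenant_id    TEXT    NOT NULL,
    timestamp    TEXT    NOT NULL,  -- ISO 8601 UTC: lexical order == chronological order
    data_type    TEXT    NOT NULL,  -- 'windows:evtx:record', 'm365:sign_in', 'entra:audit'
    hostname     TEXT,
    user_name    TEXT,              -- assumed normalized field
    logon_type   INTEGER,           -- assumed; Windows logon type for 4624 records
    source_ip    TEXT,              -- assumed
    command_line TEXT,              -- assumed; populated for process-creation records
    message      TEXT
);
CREATE INDEX events_tenant_ts ON events (tenant_id, timestamp);
"""

NOW = datetime(2025, 6, 17, 12, 10, tzinfo=timezone.utc)

def iso(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

# Constructed sample events, not real telemetry. A second tenant and a
# 9-day-old logon are included so the tenant and time predicates visibly bite.
SAMPLE_EVENTS = [
    ("acme", iso(NOW - timedelta(minutes=8)), "m365:sign_in", None, "svc_admin",
     None, "203.0.113.7", None, "Sign-in succeeded"),
    ("acme", iso(NOW - timedelta(minutes=7)), "windows:evtx:record", "DC01", "svc_admin",
     10, "10.0.0.5", None, "4624: An account was successfully logged on"),
    ("acme", iso(NOW - timedelta(minutes=6)), "windows:evtx:record", "DC01", "svc_admin",
     None, None, r"C:\Tools\mimikatz.exe sekurlsa::logonpasswords",
     "4688: A new process has been created"),
    ("acme", iso(NOW - timedelta(minutes=5)), "entra:audit", None, "svc_admin",
     None, None, None, "Add member to role"),
    ("acme", iso(NOW - timedelta(days=9)), "windows:evtx:record", "DC01", "svc_admin",
     10, "10.0.0.9", None, "4624: An account was successfully logged on"),
    ("globex", iso(NOW - timedelta(minutes=7)), "windows:evtx:record", "DC01", "svc_admin",
     10, "10.0.0.5", None, "4624: An account was successfully logged on"),
]

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO events VALUES (?,?,?,?,?,?,?,?,?)", SAMPLE_EVENTS)
    return conn

def unified_timeline(conn, tenant):
    """The page's 'one query, all data sources' timeline. tenant_id is a bound
    parameter, never string-formatted into the SQL."""
    return conn.execute("""
        SELECT timestamp, data_type, message, hostname
        FROM events
        WHERE tenant_id = ?
          AND data_type IN ('windows:evtx:record', 'm365:sign_in', 'entra:audit')
        ORDER BY timestamp DESC""", (tenant,)).fetchall()

def rdp_logons(conn, tenant, user, host, now=NOW, days=7):
    """DFQL: logons for <user> last 7 days where logon_type = "10" on endpoint <host>"""
    since = iso(now - timedelta(days=days))
    return conn.execute("""
        SELECT timestamp, source_ip FROM events
        WHERE tenant_id = ? AND data_type = 'windows:evtx:record'
          AND user_name = ? AND hostname = ? AND logon_type = 10
          AND timestamp >= ?
        ORDER BY timestamp""", (tenant, user, host, since)).fetchall()

def remote_logons_between(conn, tenant, user, start, end):
    """DFQL: lateral movement for <user> between <start> and <end>. Modelled here
    as network (3) or RemoteInteractive (10) logons; the source_ip -> hostname
    pairs are the hops an analyst chains into a movement path."""
    return conn.execute("""
        SELECT timestamp, source_ip, hostname FROM events
        WHERE tenant_id = ? AND data_type = 'windows:evtx:record'
          AND user_name = ? AND logon_type IN (3, 10)
          AND timestamp >= ? AND timestamp < ?
        ORDER BY timestamp""", (tenant, user, start, end)).fetchall()

def process_exec_containing(conn, tenant, needle, now=NOW, hours=48):
    """DFQL: process execution where command_line contains <needle> last 48 hours"""
    since = iso(now - timedelta(hours=hours))
    return conn.execute("""
        SELECT timestamp, hostname, command_line FROM events
        WHERE tenant_id = ? AND command_line IS NOT NULL
          AND instr(lower(command_line), lower(?)) > 0
          AND timestamp >= ?
        ORDER BY timestamp""", (tenant, needle, since)).fetchall()

def sql_mode(conn, tenant, analyst_sql):
    """Raw SQL with tenant isolation (assumed design): the analyst's query is
    given a tenant-scoped CTE named `timeline` to select from. This is only the
    query-rewriting half; the raw `events` table is still reachable, so real
    enforcement belongs in the database (row-level policy or one DB per tenant)."""
    return conn.execute(
        "WITH timeline AS (SELECT * FROM events WHERE tenant_id = ?) " + analyst_sql,
        (tenant,)).fetchall()

if __name__ == "__main__":
    db = build_db()
    for row in unified_timeline(db, "acme"):
        print(row)
    print(rdp_logons(db, "acme", "svc_admin", "DC01"))
    print(sql_mode(db, "acme", "SELECT data_type, count(*) FROM timeline GROUP BY 1"))
```

Two things worth noticing: every query binds tenant_id as a parameter rather than pasting it into the SQL, and the `sql_mode` wrapper shows why "full SQL with tenant isolation" is a database-level property rather than a query-text one; a scoped CTE keeps honest analysts on the right rows, but only the storage layer can stop a query that names the underlying table directly.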

Workflows & Automation

Agentic DFIR. Automated response.

Build investigation workflows that chain forensic queries, enrichment, and response actions. Automate the repetitive parts of IR so analysts focus on the adversary, not the plumbing.

  • Visual workflow builder — drag-and-drop nodes and edges
  • Agentic DFIR: chain queries, enrichment, and triage automatically
  • Automated response actions — isolate, block, remediate
  • M365 forensic collection, IP enrichment, webhook integrations

Workflow: Lateral Movement Response

Trigger

Alert ingested

Query

DFQL: lateral movement

Enrich

ipinfo → Spur

Triage

Score > 80?

Respond

Isolate endpoint

5 nodes · 4 edges · Active

Also included

Collection

Rust-native forensic collector. Proactive telemetry + reactive forensics.

  • Fixed-cost forensic collection, upload, parsing & storage
  • Consumes less than 25% of system resources
  • Targeted disk and memory collection

Case Management

Self-contained workspace per engagement. Tasks, findings, notebooks, and audit trail.

  • Role-based permissions (Manager, Analyst, Viewer)
  • Per-case data residency
  • Activity audit trail — every action logged

Reporting

From evidence to executive briefing. Attack graphs, branded templates, PDF export.

  • Kill chain visualization
  • Brand assets + tone-of-voice per analyst
  • Evidence appendix linked to findings

Recovery

Restore AD, GPO, and shares from pre-incident baselines. Rebuild from evidence, not memory.

  • AD/GPO restoration with permissions intact
  • Automated remediation workflows
  • Chain of custody maintained

See the difference

Forensic timeline parsing: Zeitline vs. Plaso

Same triage package. Same machine. Real-time comparison.

Zeitline (Rust-native) vs. Plaso/log2timeline (Python) · 39.5x timelapse

Democratizing DFIR

Enterprise incident response software, accessible to everyone

Data gaps slow down investigations. Slower investigations mean longer business interruption after a data breach. Gesamt delivers DFIR readiness from day one — capturing everything IR professionals need to rapidly understand the scope of compromise.

Flip the SIEM model

Traditional SIEMs charge per GB ingested. You learn to be economical with data — filtering, sampling, dropping logs you might need later. Gesamt replaces that SIEM migration headache with a fixed cost per endpoint. We ingest everything you need, continuously.

Traditional SIEM

Pay per GB ingested

Economize data. Miss evidence.

Gesamt

Pay per endpoint

Ingest everything. Miss nothing.

Your worst day, handled

When the call comes at 2 AM, your baselines are already collected. Your analyst opens a case and starts investigating — not installing agents, not waiting for data.

0 min: Case created. Data already available.
10 min: First DFQL queries running against timeline.
25 min: Lateral movement mapped. Scope understood.
1 hr: Containment actions deployed via workflow.

Pricing

Fixed cost per endpoint. Per identity.

No per-GB surprises. No ingestion taxes. One predictable price that scales with your environment, not your data volume.

  • Proactive telemetry + reactive forensics
  • DFQL + SQL investigation
  • Full case management suite
  • Report generation + attack graphs
  • Agentic workflows + automation
  • Recovery tooling from baselines
  • Unlimited cases and analysts
  • 1 year data retention included

Partner Program

The first cyber platform that pays you to use it

Deploy Gesamt to your clients and earn revenue on every endpoint. They get continuous protection. You get paid.

Revenue share

Recurring revenue on every client endpoint

White-label ready

Brand the platform for client-facing work

Priority support

Direct access to engineering

Co-marketing

Joint case studies and conference presence

Partner Dashboard

Active client endpoints: 2,847
Monthly revenue share: $4,270
Active engagements: 12
Clients onboarded: 8
Last 30 days: +23% MoM

Get started

See Gesamt in action

Book a demo with your own forensic data. No credit card required for the trial.