PerilNex

Who Pays

Incident response teams within enterprise Security Operations Centers (SOCs) – specifically Tier 2 and 3 analysts responsible for deep-dive investigation and containment.

Painful Problem

Incident responders cannot correlate disparate telemetry across endpoints, network logs, and cloud services quickly enough to reconstruct the full attack chain during initial analysis, causing prolonged dwell times and greater lateral movement before containment.

Why Now

1) The market is growing 20% CAGR due to rising threat volumes (Grand View Research). 2) SOC analyst burnout is at an all-time high, making automation a retention tool. 3) AI correlation models have become reliable enough to replace manual triage for common attack patterns. 4) Compliance regulations (SEC breach disclosure, GDPR, HIPAA) now mandate faster reporting, forcing teams to adopt tools that speed up root-cause analysis.

Why This Domain Fits

The name 'perilnex' combines 'peril' (immediate danger) and 'nex' (from nexus, meaning connection). It evokes both the urgency of an active incident and the product's core function: connecting disparate data sources into a coherent nexus. The '.nex' suffix also subtly suggests 'next generation' and speed, aligning with the 'fast correlation' brand angle.

First Customer Profile

A SOC manager at a $5B+ healthcare or financial firm with a team of 8-12 analysts, already using CrowdStrike and Palo Alto, dealing with 50+ alerts per day, and frustrated that manual correlation takes 3-4 hours per incident. They have budget from the security tools line (replacing $200k/year of overtime or contract IR support). Their pain signal is 'we can't keep up with the volume and repeatedly miss lateral movement.'

Economic Engine

Subscription-based per analyst seat, with a flat platform fee of $1,500/month per team of up to 5 analysts, then $300/month per additional analyst. Target ACV: $60,000–$120,000 per customer (teams of 10–20 analysts). Gross margin ~80% (cloud infrastructure + AI inference). Expansion path: add more telemetry source connectors as upsells ($5,000 per connector per month).

Why It Wins

Unlike existing SIEMs and SOARs that require manual rule writing or complex playbooks, PerilNex uses a pre-trained correlation model trained on 10,000+ real incident chains. It delivers a ready-to-use attack chain timeline out of the box, without tuning. It also auto-generates an audit-ready incident report with every analysis, converting a workflow tool into a compliance–documentation asset.

Pricing Assumptions

See economic engine. Also offer an annual plan at 20% discount. For enterprise with 20 analysts + 5 connectors, ACV ~$180k. Gross margin ~80% (inference cost ~$0.05 per incident reconstructed, charged $50 per analyst per month – huge margin). Expansion: add memory and data connectors as paid modules.

Market Size

Global incident response market valued at ~$25.7B in 2023, growing at ~19.9% CAGR to $87.5B by 2030 (Grand View Research). Our TAM is the subset of SOC teams using CrowdStrike, AWS, and Palo Alto (estimated 15% of 10,000+ large enterprises). That's around $3.8B addressable with our initial wedge.

Market Wedge

First focus on enterprises that already deployed CrowdStrike EDR, AWS CloudTrail, and Palo Alto NGFW – the 'holy trinity' of mid-market SOCs. These teams spend heavily on analyst time and often have explicit dwell-time reduction goals. Targeting SOC managers at financial services and healthcare companies (compliance-heavy) because they have regulatory pressure to document incidents within 48 hours.

Buyer & Sales Motion

Economic buyer: VP of Security Operations or CISO (budget $500k–$2M for tooling). Champion: SOC manager (daily user). Procurement will require a SOC 2 Type II report and data residency controls. Pilot shape: 30-day trial with a single data source (e.g., CrowdStrike only) on a test environment, then expand to full triad. Sales cycle: 3-6 months. We bypass lengthy RFPs by offering a self-service sandbox for champions to demo to their boss.

Competition

1) SIEMs (Splunk, Azure Sentinel): built for search, not correlation; require heavy manual work. 2) SOARs (Palo Alto Cortex XSOAR, Splunk SOAR): require playbooks to be written. 3) EDR-native correlation (CrowdStrike Falcon): limited to endpoint data. 4) Threat intelligence platforms (Recorded Future): focus on indicators, not attack chain reconstruction. 5) Manual services (e.g., CrowdStrike Falcon OverWatch): expensive ($200k/year). PerilNex wins by being purpose-built, plug-and-play, and cheaper than a full-time analyst for small teams.

Distribution

1) Direct outreach to SOC managers in our wedge (via LinkedIn, security conferences like RSA, Black Hat). 2) Partnerships with CrowdStrike and Palo Alto (initially via their marketplace, eventually reseller). 3) Content marketing: publish 'How we reconstructed 100 attack chains in <1 minute' whitepapers. 4) Offer a free 'Attack Chain Audit' tool that analyzes uploaded logs and gives a report – converts to trial.

Moat

1) Proprietary correlation model trained on a growing corpus of real incident chains (data network effects). 2) Deep integrations with specific tools that become sticky (custom parsers for CrowdStrike API changes). 3) Automated compliance report generation becomes a dependency for audit prep. 4) First-mover density in the 'CrowdStrike+CloudTrail+Palo Alto' niche makes switching costly.

Quality Strengths

• Very specific integration wedge (CrowdStrike + AWS + Palo Alto) reduces risk and focuses messaging.
• Clear value proposition: reduce attack chain reconstruction from hours to under 60 seconds.
• Compliance angle (audit-ready PDFs) gives a non-obvious buying trigger beyond speed.
• High gross margin (80%+) and expansion path through connector upsells.
• MVP scope is well-defined and achievable in 90 days with a clear concierge validation step.

Quality Weaknesses

• Evidence quality is poor; no customer interviews or third-party data to back key claims.
• Long enterprise sales cycle (3-6 months) is typical but risky for a seed-stage startup.
• Requires access to raw logs, which some companies restrict for security reasons.
• Must prove AI reliability to skeptical analysts – trust barrier could slow adoption.
• Defensibility relies on proprietary model training data that doesn't yet exist.

Missing Evidence

• SOC manager quotes confirming manual correlation takes 2-4 hours and that they'd pay $60k+/year for a solution.
• Data on the prevalence of the CrowdStrike+AWS+CloudTrail+Palo Alto combo in mid-large enterprises.
• Competitive analysis showing why existing SIEM/SOAR solutions cannot easily replicate this feature.
• Validation that the bite-sized pilot (CrowdStrike only) generates enough value to convert to a full triad commitment.