


“Rootly turned our incident response into an operating system that scales: clearer ownership, faster resolution, stronger retros, and less reliance on heroics.”
Matthew Duren
VP of Engineering
KnowBe4 helps organizations reduce human risk by enabling better security decisions across the entire workforce, and increasingly across AI-assisted workflows. KnowBe4 operates in 11 countries and supports customers ranging from startups to the largest enterprises.
Founded: 2010 in Clearwater, Florida, USA
Size: ~2500 employees
KnowBe4’s platform spans security awareness training, phishing triage and response (including PhishER), and cloud email security. When coaching, reporting workflows, or inbox protection degrade, the consequences are immediate: missed learning moments, missed threats, and degraded trust.
KnowBe4 engineering operates with a mature SDLC (CI/CD, peer review, QA gates, staging validation, and separation between staging and production) under heavy compliance expectations, including third-party audit requirements for parts of the platform such as FedRAMP Moderate, ISO 27001, and SOC 2.
That operational bar makes incident response a core product capability, not a side process.
Before Rootly, incidents centered on a large private Slack channel with hundreds of stakeholders. Over time, it became the “scary channel.” Everything looked urgent, even exploratory issues. Prioritization got fuzzy. Ownership wasn’t explicit, so the same people often became de facto leaders simply because they were present.
The biggest pain points were operational, and they compounded during incidents:
KnowBe4 already believed in transparency. They maintained a public status page and published detailed retrospectives for higher-severity events. But internally, they lacked a consistent mechanism to ensure every incident had a single source of truth, clear roles, and reliable follow-through.
They didn’t need more communication. They needed an operational system for incidents.
KnowBe4 adopted Rootly the way durable operational change happens: in production, during real incidents, with minimal ceremony.
Instead of rolling out a sweeping “new process,” a small group of engineering leaders started using Rootly in live incidents and let the workflow prove itself. This rollout wasn’t training-driven: it was stress-tested.
What changed (clear scope):
Rootly became the incident control plane inside Slack:
Time to first value showed up within the first few incidents. Maximum value compounded over a few short months, especially as teams with fewer incidents built muscle memory.
KnowBe4’s intrinsic value from Rootly wasn’t “a nicer incident tool.” Rootly gave them something more durable: a repeatable operational system for incident response, a way to reduce the human cost of coordination, make accountability consistent, and improve resilience at scale.
KnowBe4 called out coordination overhead as the biggest technical problem Rootly solved. Rootly reduced it by defaulting incidents into one canonical workspace and automating the early steps that normally burn time:
The result: less time spent getting organized and sifting through logs, more time spent resolving.
KnowBe4 also improved its velocity in acknowledging and resolving incidents, with a meaningful qualitative reduction in time to resolve of more than 40%.
Before Rootly, loud voices often became de facto owners. With Rootly, ownership became explicit and repeatable. Running incidents with clear roles in a public incident channel made accountability part of the workflow, not something teams had to negotiate mid-incident.
This also made incident response safer for engineers: the process didn’t depend on tribal knowledge or “who happened to be online.”
Retrospective execution shifted dramatically. KnowBe4’s retros went from inconsistent completion to ~90% completion. Rootly’s structured workflow, AI-assistance, and Jira integration made it easier to convert incident learnings into tracked prevention work.
KnowBe4 now declares more incidents, intentionally. That’s a sign of maturity, not instability. Rootly helped remove the stigma of incidents as a “black eye,” enabling teams to triage earlier, classify low-impact issues as SEV3, and resolve them before they become customer-facing.
KnowBe4 sees predictable peak usage during Cyber Security Awareness Month (October). With a full year of Rootly in place, KnowBe4 credited improved incident attentiveness and follow-through leading into peak season with enabling meaningful performance improvements, delivering a stronger customer experience even amid external cloud-provider disruptions.
Rootly didn’t just improve incident execution: it reduced the need for KnowBe4 to build and maintain internal incident tooling. With incident response and on-call standardized in Rootly, KnowBe4 avoided spending engineering cycles on bespoke workflows and automation across Slack, paging, and ticketing.
That freed engineering to focus on the reliability and performance of KnowBe4’s core security products so customers consistently get the outcomes they depend on.
KnowBe4 adopted Rootly to standardize incident response into a repeatable, reliable, automated system: one that keeps humans aligned under pressure, makes accountability consistent, and turns every incident into operational learning.
If your incident process still depends on heroic coordination and manual effort, Rootly is how you graduate from effort to execution when your customers are counting on you most.


