IR-OS vs FireHydrant for Cyber Incident Response
FireHydrant is a well-built incident-management platform for engineering and SRE teams. As of December 2025 it is being acquired by Freshworks and absorbed into Freshservice as the Incident Management and Reliability layer of an ITSM suite. That is a fine fit for the SRE buyer it was built for. It is a structural mismatch for cyber incident response, where the buyer is a CISO, General Counsel, or Chief Risk Officer, the artifacts include a defensible record and regulatory filings, and the failure modes start with first-notice mismatches that void cyber insurance coverage. This page explains the difference.
The Acquisition, Stated Factually
On 2025-12-15, Freshworks announced a definitive agreement to acquire FireHydrant. The deal is expected to close in Freshworks' fiscal Q1 2026. Per the FireHydrant blog post, FireHydrant becomes "the Incident Management and Reliability layer inside Freshservice." Per the customer note: "Your FireHydrant account, pricing, support, and access stays exactly the same."
This is not a critique of either company. The acquisition is a logical fit between an ITSM suite and a strong incident-management product. The point worth flagging for security buyers is the resulting category placement. Post-close, FireHydrant is a feature inside an IT service management suite. ITSM and cyber incident response are different categories with different buyers, different vocabularies, and different success metrics. A team that needs cyber-IR specifically will want a tool built for cyber-IR specifically.
Two Different Categories, Both Called Incident Management
The word incident means very different things to different teams.
To a VP of Engineering or Head of Reliability, an incident is a Datadog alert at 3am, a deploy that broke checkout, a feature flag that needs to roll back. The success metric is mean time to mitigate (MTTM). FireHydrant's headline customer case study reports 91% MTTM reduction. That is the right metric for a reliability tool.
To a CISO, General Counsel, or CFO, an incident is the FBI just emailed, the SEC Item 1.05 clock started 14 minutes ago, the cyber insurer needs first-notice in 24 hours per the policy, and counsel needs a defensible timeline. The success metric is not MTTM. It is notification window, fine bracket, customer records in scope, insurance recovery, and the integrity of the audit trail at discovery.
Different jobs. Different tools.
What FireHydrant's Own Product Surface Says
FireHydrant's product is shaped around the SRE incident lifecycle. The three pillars on the homepage are Plan, Respond, Improve. The named features are service catalog, on-call scheduling, runbooks (for SRE actions like creating Slack channels and Jira tickets), public and private status pages, retrospectives, AI-enhanced summaries and follow-ups. The integration ecosystem is observability and DevOps (Datadog, Grafana, Honeycomb, New Relic, Sentry, Jira, Linear, GitHub, CircleCI, Terraform, Kubernetes). The headline customer is Backblaze SRE.
What is conspicuously absent from FireHydrant's product, pricing pages, and integration list as of May 2026:
- GDPR Article 33, SEC Item 1.05, NY DFS 500, HIPAA, CCPA, NIS2, DORA timers
- Breach notification drafting
- Cyber insurance policy management or carrier first-notice integration
- Panel firm directory (counsel, forensics, PR, notification vendor)
- Attorney-client privilege model (channel scope, counsel-of-record assertion)
- Hash-chained, tamper-evident event ledger
- Tabletop exercise engine
- Cyber-specific scenario library
- SIEM, EDR, threat intel, GRC, or legal hold integrations (Splunk, Sentinel, CrowdStrike, SentinelOne, Defender, Recorded Future, OneTrust, Exterro)
None of that is an oversight. It is a deliberate scope decision aimed at the SRE buyer. The Freshworks acquisition reinforces that scope: ITSM and SRE are adjacent categories. Cyber-IR is not.
What Cyber Incident Response Actually Requires
1. A defensible record
Cyber incidents produce records that get read by regulators, insurers, plaintiffs' counsel, and boards. The record must be append-only, hash-chained, tamper-evident, and third-party-verifiable. See The Defensible Record. Engineering post-mortems do not need this. They live and die in Notion or Confluence.
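The hash-chaining property described above, shown as an added illustration. This is not IR-OS's implementation: the entry fields, the all-zero genesis value, the helper names and the sample events are constructed assumptions, and signing of the head hash is left out.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash for the first entry

def entry_hash(prev_hash, event):
    """SHA-256 over the previous hash and a canonical JSON encoding of the event."""
    canonical = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}\n{canonical}".encode()).hexdigest()

def append(ledger, event):
    """Append an event bound to the hash of the current head entry."""
    prev = ledger[-1]["hash"] if ledger else GENESIS
    ledger.append({"prev_hash": prev, "event": event, "hash": entry_hash(prev, event)})

def verify(ledger, expected_head=None):
    """Return None if intact, else the index where the chain first fails.

    expected_head is a head hash kept outside the ledger (e.g. in a signed
    export); without it a full rewrite or a truncated tail still verifies.
    """
    prev = GENESIS
    for i, e in enumerate(ledger):
        if e["prev_hash"] != prev or e["hash"] != entry_hash(prev, e["event"]):
            return i
        prev = e["hash"]
    return len(ledger) if expected_head not in (None, prev) else None

def sample_ledger():
    """Constructed sample timeline, not real incident data."""
    ledger = []
    for ts, actor, action in [
        ("2026-05-04T02:14:00Z", "scribe", "incident_declared"),
        ("2026-05-04T02:31:00Z", "legal_liaison", "carrier_first_notice_sent"),
        ("2026-05-04T03:05:00Z", "technical_lead", "host_isolated"),
    ]:
        append(ledger, {"ts": ts, "actor": actor, "action": action})
    return ledger

def rewrite_from(ledger, index, new_ts):
    """Simulate tampering that changes one timestamp and recomputes every later hash."""
    forged = copy.deepcopy(ledger[:index])
    for n, e in enumerate(ledger[index:]):
        event = dict(e["event"], ts=new_ts) if n == 0 else e["event"]
        append(forged, event)
    return forged
```

An in-place edit fails verification at the edited entry, while a full recomputation or a truncated tail is caught only when the verifier holds a head hash recorded outside the ledger.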
2. Parallel regulatory clocks
GDPR Article 33 (72 hours), SEC Item 1.05 (4 business days from materiality), NY DFS 500.17 (72 hours), HIPAA (60 days), state breach laws (varying), NIS2, DORA. Each clock has a different trigger and a different filing. Missing one can cost more than the incident itself.
3. Six named IRC roles, not engineering on-call
Incident Commander, Scribe, Communications Lead, Legal Liaison, Technical Lead, Executive Sponsor, with named backups. Pre-assigned, not paged. SRE on-call rotations are excellent for paging the right engineer. They are not the human command structure required for a regulated cyber incident.
4. Cyber-IR-grounded AI
The IR Brain retrieves from NIST 800-61, ISO/IEC 27035, MITRE ATT&CK, SEC Final Rule 33-11216, GDPR Article 33, EDPB Guidelines 9/2022, OFAC ransomware advisory, CISA #StopRansomware, and 150+ real C-Suite tabletop exercises. Every AI suggestion cites the source. FireHydrant's AI is grounded in incident summaries, status updates, and meeting transcripts. Excellent for SRE retros. Wrong corpus for breach notification drafting.
5. Cyber insurance integration
The first-notice clock starts when an incident is declared. Miss it and the policy may not pay. The CFO needs the carrier-first call before law enforcement when the policy demands it. Engineering incidents do not have an insurance carrier in the loop. Cyber incidents do.
6. Structural privilege
Privilege under a defensible cyber-IR model is set by structure, not by stickers. Channel-scoped, counsel-of-record asserted, never per-message asserted by a responder. Spurious privilege markers do not survive discovery. SRE incident channels have no privilege concept.
Feature Comparison
| Capability | FireHydrant | IR-OS |
|---|---|---|
| SRE / engineering incident coordination | Leader | Not the goal |
| On-call paging and escalation | Yes (Signals) | Webhook ingest from PagerDuty / FireHydrant |
| Service catalog | Yes | Not the goal |
| Public status pages | Yes | Integrate, not duplicate |
| Conditional runbook engine | Yes (mature) | Cyber Runbooks v2 in roadmap (cyber primitives, not generic SRE actions) |
| Append-only SHA-256 hash-chained ledger | No | Yes, DB-trigger enforced |
| Ed25519-signed Defensible Record bundle | No | Yes, third-party verifiable at /verify |
| Parallel regulatory clocks (GDPR, SEC, HIPAA, NY DFS, NIS2, DORA) | No | Built-in |
| Six named IRC roles plus backups | No (generic on-call) | Built-in |
| AI Plan Coach to generate an IR plan | No | Yes (NIST 800-61 / ISO 27035 mapped) |
| IRC Team Recommender from org chart | No | Yes |
| IR Brain (citation-grounded RAG over cyber-IR corpus) | No | Yes |
| Cyber insurance policy and first-notice integration | No | Yes |
| Pre-built cyber playbooks (ransomware, breach, BEC, insider, supply chain, phishing, DDoS) | No | 7 built-in |
| Tabletop exercise engine | No | Built-in, 12+ scenarios |
| Auto-generated 8-section AAR (regulator-ready) | Free-form retrospective | Structured JSONB |
| Structural attorney-client privilege model | No | Yes (channel-scoped, counsel-of-record asserted) |
| Customer base | SREs at Backblaze, DocuSign, LaunchDarkly, BP, Qlik, Palo Alto Networks (used for SRE) | CISOs, IR leads, GCs, CFOs at companies subject to breach notification |
Pricing
Pricing is published on FireHydrant's site. As of May 2026:
- FireHydrant Trial: free for 14 days, 10 responders, 2 runbooks, 3 integrations, 1 status page
- FireHydrant Platform Pro: $9,600 per year ($800 per month), 20 responders, 5 runbooks, 50 SMS / phone alerts per month, SSO included. AI features are not included at this tier.
- FireHydrant Enterprise: custom pricing, unlimited runbooks, AI features, private incidents, SCIM, audit logs, premium support
For comparison:
- IR-OS Squad: $299 per month ($3,588 per year), 25 users, 10 incidents per year, 4 tabletops per year, all AI features, full Defensible Record
- IR-OS Command: $499 per month ($5,988 per year), 100 users, unlimited incidents, 12 tabletops per year, all AI features
- IR-OS Theater: $799 per month ($9,588 per year), unlimited users, unlimited incidents, unlimited tabletops, all AI features, FireHydrant migration assistance included
An IR-OS Theater subscription is roughly the same annual price as a single FireHydrant Platform Pro license, which does not include the cyber-IR capabilities. A Squad subscription costs less than half. Every IR-OS tier includes every AI feature; AI is not gated.
The Coexistence Pattern
The right division of labor in a serious security program is straightforward. We are not asking anyone to rip out FireHydrant. The two tools cover different categories of work and can run in parallel.
- FireHydrant stays as the SRE incident layer. Datadog fires, the on-call engineer gets paged, the deploy that broke checkout gets rolled back. IR-OS does not try to replace this.
- FireHydrant fires a webhook to IR-OS at the classification edge. When the alert is security-flavored (ransomware, exfiltration, BEC, insider, supply chain, phishing, account takeover), IR-OS classifies it and auto-creates a cyber-IR incident with the full command surface, regulatory clocks, and panel-firm directory engaged.
- IR-OS owns the cyber-IR command surface. Plan, roles, regulatory clocks, IR Brain, evidence chain, defensible record, AAR, gap remediation. All running while FireHydrant continues to handle the technical-ops side.
- FireHydrant tracks remediation work that comes out of an IR-OS AAR. The remediation items go into the engineering backlog and get worked there.
Post-Acquisition Considerations
For teams currently on FireHydrant or in active evaluation, the Freshworks acquisition raises a small set of practical questions worth thinking through. We do not know the answers and neither do most prospects yet:
- Will FireHydrant's roadmap remain independent during integration, or will the engineering team be redirected to Freshservice integration work?
- Will the standalone FireHydrant brand continue, or migrate to a Freshservice product line?
- Will pricing change as the product is repositioned inside an ITSM suite?
- Will the FireHydrant sales motion remain best-of-breed engineering-buyer focused, or shift to Freshservice's mid-market ITSM motion?
These are reasonable questions to raise in any current FireHydrant renewal conversation. They are not reasons to leave a tool that is working. They are reasons to be honest about what category the tool will live in over the next 24 months.
For teams that were considering FireHydrant for cyber-IR specifically, the recommendation is clearer: cyber-IR is not the category FireHydrant was built for, and the acquisition reinforces that placement. If the use case is regulated cyber incidents with insurers, regulators, and counsel in the loop, IR-OS is purpose-built for that.
When FireHydrant Is the Right Tool
- SRE incident coordination during deploys, outages, and infrastructure failures
- On-call rotations and paging escalation for engineering teams
- Public status pages for software products
- Engineering retrospective culture
- Teams whose incidents are reliability-shaped, not regulatory-shaped
When IR-OS Is the Right Tool
- Ransomware, data breach, business email compromise, insider threat, supply chain compromise, phishing campaigns, account takeover, OT and ICS compromise
- Any incident where regulatory deadlines apply (SEC, GDPR, HIPAA, NY DFS, NIS2, DORA, state breach laws)
- Any incident where a cyber insurance carrier needs first-notice
- Any incident where the General Counsel will read the timeline
- Any incident where the board will be briefed
- Tabletop exercises, after-action reviews, gap-remediation tracking
Run cyber incidents where they belong
Keep FireHydrant for SRE if you need it. Run cyber-IR in IR-OS. Connect them with a single webhook.