FireHydrant Migration to IR-OS for Cyber Incident Response

The acquisition, stated factually. On 2025-12-15, Freshworks announced a definitive agreement to acquire FireHydrant. The deal is expected to close in Freshworks' fiscal Q1 2026. Per the FireHydrant blog post, FireHydrant becomes "the Incident Management and Reliability layer inside Freshservice." Per the customer note, "Your FireHydrant account, pricing, support, and access stays exactly the same" in the near term. This page is for security teams thinking about what that means for cyber-IR specifically.

Why this page exists

If you currently use FireHydrant primarily for SRE incidents, you probably do not need to do anything. FireHydrant is well-built for that job and the Freshworks fit makes sense for ITSM-adjacent reliability work. Keep using it.

If you currently use FireHydrant for cyber incidents (or have been considering it), the acquisition reinforces a placement question that was already true: cyber incident response and IT service management are different categories. Cyber-IR has regulatory clocks, breach counsel, cyber insurance, structural privilege, and a defensible record obligation. Those are not ITSM features. They are not on FireHydrant's roadmap. The Freshworks integration does not change that.

This page is the practical migration path if cyber-IR is what you actually need.

What changes for FireHydrant customers (our read)

We are not insiders to the deal. The following are reasonable inferences from the public announcement and standard post-acquisition patterns:

Roadmap during integration. Engineering attention typically pivots to acquirer integration work for 12 to 18 months after a deal of this shape. Net-new product features tend to slow during that window.
Sales motion. Freshworks GTM is mid-market ITSM. Standalone best-of-breed sales motions tend to consolidate into the acquirer's existing playbook.
Brand. "FireHydrant by Freshworks" today, fully absorbed into Freshservice product naming within 24 months is the typical pattern.
Pricing. Custom Enterprise pricing tends to align with the acquirer's tier structure over time.

None of these are reasons to leave a working tool. They are reasons to be honest about what category the tool will live in over the next 24 months, and to verify that category still matches your need.

The structural mismatch (the real reason cyber teams are looking)

FireHydrant has no concept of:

Regulatory clocks

GDPR Article 33 (72 hours), SEC Item 1.05 (4 business days), NY DFS 500.17 (72 hours), HIPAA (60 days), state breach laws, NIS2, DORA. Each clock has a different trigger.

Hash-chained record

Append-only, SHA-256 chained, Ed25519-signed, third-party verifiable at /verify. The artifact regulators, insurers, and opposing counsel ask for at the end of an incident.

Privilege model

Channel-scoped attorney-client privilege, counsel-of-record asserted at the org level. Not per-message stickers. Spurious privilege markers do not survive discovery.

Cyber insurance

Carrier first-notice clocks. Policy clause as a computable entity. The first-notice mismatch is the most common cause of voided coverage.

Panel firms

Counsel of record, forensics, PR, notification vendor. Surfaced in workflow at the moment they are needed, not as a contact list in a binder.

Tabletop and AAR

Cyber-specific scenario library (ransomware, BEC, insider, supply chain, data breach, cloud compromise) with structured 8-section AAR scoped to cyber lessons and control improvements.

None of those are oversights. They are not on FireHydrant's roadmap. They are also not features Freshservice ITSM is going to ship after the acquisition closes.

Migration offers (active customers and active evaluations)

Two paths, depending on where you are

White-glove migration on Theater tier

Active FireHydrant customer? Theater tier ($799 per month) includes white-glove migration setup. We help you map relevant runbooks to cyber primitives, import incident history if useful, and stand up the cyber-IR command surface in working state. Typical setup: one week.

Side-by-side trial on Squad or Command

Not ready to commit? Run IR-OS for cyber incidents alongside your existing FireHydrant deployment for 30 days. SRE incidents stay where they are. Cyber incidents go to IR-OS. After 30 days, decide.

The coexistence pattern

The right division of labor is straightforward. We are not asking anyone to rip out FireHydrant. The two tools cover different categories and can run in parallel:

FireHydrant stays as the SRE incident layer. Datadog fires, the on-call engineer gets paged, the deploy that broke checkout gets rolled back. IR-OS does not try to replace this.
FireHydrant fires a webhook to IR-OS at the classification edge. When the alert is security-flavored (ransomware, exfiltration, BEC, insider, supply chain, phishing, account takeover), IR-OS classifies it and auto-creates a cyber-IR incident with the full command surface engaged.
IR-OS owns the cyber-IR command surface. Plan, roles, regulatory clocks, IR Brain, evidence chain, defensible record, AAR, gap remediation.
FireHydrant tracks remediation work that comes out of an IR-OS AAR. The remediation items go into the engineering backlog and get worked there.

Pricing side-by-side

Item	FireHydrant	IR-OS
Trial	14 days, 10 responders, 2 runbooks, 3 integrations	7 days, all features, 25 users, no credit card
Mid tier	Pro $9,600/yr ($800/mo), 20 responders, AI not included	Command $5,988/yr ($499/mo), 100 users, AI included
Top tier	Enterprise custom, AI features included	Theater $9,588/yr ($799/mo), unlimited users, AI included, FireHydrant migration assistance included
AI features	Enterprise tier only	Every tier
Cyber-IR features (regulatory clocks, hash chain, privilege, insurance, tabletops)	Not in product	Native, every tier

Common questions

Are you saying FireHydrant is a bad product?

No. FireHydrant is well-built for SRE incident management. Their runbook engine is genuinely strong. Their integration ecosystem (37+) is broad. The argument is not quality. The argument is that cyber-IR is a different category, FireHydrant was not designed for it, and the Freshworks acquisition reinforces that placement. If your incidents are SRE-shaped, keep FireHydrant. If your incidents are cyber-shaped, you need a tool built for that.

Will my FireHydrant data import into IR-OS?

Most of it does not need to. FireHydrant tracks SRE incidents (deploys, outages); IR-OS tracks cyber incidents (ransomware, breaches, BEC). The data shapes are different. What we can import: relevant incident history if you want it for retro, team and contact data, integration configs that overlap (Slack, SSO). On Theater tier, white-glove setup includes this work. We are explicit upfront about what does and does not transfer cleanly.

What about FireHydrant's runbooks specifically?

FireHydrant's runbook engine is mature. Generic SRE runbooks (create a Slack channel, file a Jira ticket) translate directly to existing IR-OS workflows. Cyber-specific runbook patterns will get a dedicated home in our Runbooks v2 build (sequenced for days 61-90 post launch). The Runbooks v2 step library is cyber-shaped: open privileged channel, start regulatory clock, draft breach notification, surface panel firms, hash-chain step emission. Different primitives, same conditional pattern.

How long does migration take?

For a side-by-side trial: 5 minutes to sign up, 30 minutes for the AI-coached IR plan to generate, ready to use the same day. For white-glove Theater migration: about one week including runbook review, team and contact import, and a working tabletop scheduled. Net-new IR plans (no FireHydrant data to bring) can be live faster.

Do we have to leave FireHydrant?

No. The recommended pattern is coexistence. FireHydrant for SRE, IR-OS for cyber, webhook between them at the classification edge. Many security teams will run both tools indefinitely.

What if Freshworks adds cyber-IR features post-integration?

Possible. Likely it would be cyber-flavored ITSM features (incident logging, simple notification templates) rather than the full cyber-IR command surface (parallel regulatory clocks, structural privilege, hash chain, insurance carrier integration, panel firm directory, tabletop engine, cyber-corpus AI). If Freshworks does ship a serious cyber-IR product, the category will look different and we will compete on features. As of the acquisition announcement, none of that is on the public roadmap.

Migrating from FireHydrant for cyber-IR