A motto that aged into a security principle
In 2014, at F8, Mark Zuckerberg quietly retired the most famous slogan in software. Move fast and break things, the mantra that had built Facebook and a generation of startups around it, was replaced by something far less catchy: move fast with stable infrastructure. The new version did not fit on a hoodie. That, more or less, was the point.
The reasoning was simple. At a certain scale, the things you break stop being your own bugs and start being other people's lives. You can iterate on a feature. You cannot iterate on a customer's trust, a regulator's patience, or a stolen database. Speed without a foundation underneath it is not speed; it is the feeling of speed, right up until the moment it isn't.
A decade on, that revised motto has quietly become the operating principle for an entire category of work it was never written for: cybersecurity incident response.
The "boring infrastructure won" thesis
There's a thesis worth taking seriously: the unglamorous tools nobody puts in a magic quadrant - issue trackers, CRMs, ticketing systems, ERPs - turn out to be exactly what AI agents need to do real work. Not because they were designed for AI, but because they were designed, decades ago, to coordinate humans across time zones, memory gaps, and shift changes, and the primitives required for that turn out to be more or less identical to the primitives required for software agents.
Five primitives, specifically:
- Records. A durable object you can point at six months later, when someone asks what happened. Not a Slack thread that has since scrolled into the void.
- State machines. Defined transitions between defined states. Labels don't count; anyone can slap a label on anything.
- Ownership in a named field. "Probably Sam" is not a value a system can read, and it's not one a court will accept either.
- Queryable audit trails. When something goes sideways - and it will - you need to reconstruct who did what, when, and why, without interviewing six people.
- Scoped permissions. Unscoped access to anything sensitive eventually shows up in a postmortem with your name on it.
Tools that have these become substrates - surfaces through which work can actually happen. Tools that lack them become context - material an agent (or a human) can read, but not meaningfully act through. Slack and email are context. A spreadsheet of indicators is context. A well-instrumented case management system is substrate.
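The five primitives above, reduced to a minimal incident-case substrate as an added example (this is illustrative code written for this page, not Cydarm's or any product's). It assumes a NIST 800-61 style phase sequence as the state machine and a constructed role-to-action policy; the audit list is the queryable trail, and every refused action is logged as well as every permitted one.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# NIST 800-61 phases as an explicit state machine: only these transitions exist
# (the mapping is assumed for this example; real lifecycles are configured per team).
TRANSITIONS = {
    "detection": {"containment"},
    "containment": {"eradication"},
    "eradication": {"recovery"},
    "recovery": {"post_incident"},
    "post_incident": set(),
}
# Scoped permissions: a constructed role-to-action policy (legal is read-only here).
POLICY = {"analyst": {"advance", "reassign"}, "legal": set()}


@dataclass
class IncidentCase:
    """A durable record: stable id, named owner, current phase, full history."""
    case_id: str
    owner: str
    phase: str = "detection"
    audit: list = field(default_factory=list)

    def _log(self, actor, action, detail):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "actor": actor, "action": action, "detail": detail})

    def _authorize(self, actor, role, action):
        if action not in POLICY.get(role, set()):
            self._log(actor, "denied", f"{role} attempted {action}")  # denials are evidence too
            raise PermissionError(f"{role} may not {action} on {self.case_id}")

    def advance(self, actor, role, new_phase):
        self._authorize(actor, role, "advance")
        if new_phase not in TRANSITIONS[self.phase]:
            self._log(actor, "rejected", f"{self.phase} -> {new_phase}")
            raise ValueError(f"no transition {self.phase} -> {new_phase}")
        self._log(actor, "advance", f"{self.phase} -> {new_phase}")
        self.phase = new_phase

    def reassign(self, actor, role, new_owner):
        self._authorize(actor, role, "reassign")
        self._log(actor, "reassign", f"{self.owner} -> {new_owner}")
        self.owner = new_owner  # a shift handoff is an operation, not a guess

    def who_did(self, action):
        """Queryable audit trail: reconstruct actors without interviewing anyone."""
        return [e["actor"] for e in self.audit if e["action"] == action]
```

A Slack thread can hold the same facts, but nothing enforces the transition order, the owner field, or the scope; here each is a check the code refuses to skip.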
This distinction matters more in security than almost anywhere else.
Why security needed this even before the agents showed up
Security operations have, traditionally, been one of the most under-instrumented disciplines in the enterprise. The ironic thing about a SOC is that it spends its days demanding logs from everyone else and then runs its own incidents out of a Slack channel, a shared inbox, three browser tabs, and a heroic analyst named Sam who remembers what happened last Tuesday.
This worked, after a fashion, when incidents were rare and the consequences were contained. It does not work now. Modern incidents have:
- Regulatory clocks that start running the moment a determination is made: SEC, CIRCIA, NIS2, APRA CPS 234, the lot. Several of them require disclosure within hours, not days.
- Multiple parallel workstreams running at once: containment, forensics, legal, communications, executive briefing, customer notification, regulator notification, sometimes law enforcement.
- Cross-organizational stakeholders who do not speak SOC and should not be reading the SOC's Slack.
- Forensic preservation requirements that make casual edits and lost messages a legal problem, not just a coordination one.
Trying to run any of this on Slack and a spreadsheet is the security equivalent of move fast and break things, only the breakage just hasn't shown up yet.
CIRM as the stable infrastructure
Cybersecurity Incident Response Management (CIRM, the category Gartner formally recognized in its 2025 Hype Cycle for Security Operations) is the application of the substrate hypothesis to incidents. Where SOAR tried to automate the runbook and ITSM tried to fold security into a generic ticketing model, CIRM does something more fundamental. It treats the incident itself as the durable, structured, ownable, auditable object around which everything else organizes.
Cydarm's platform is built on those five primitives, tuned for incident response specifically. Every incident is a case with a stable identity and a complete history. The NIST 800-61 lifecycle is configured by default in the system rather than living in someone's head or a 2021 PDF. Every case, action, and artifact has a named owner; shift handoffs are first-class operations. The audit trail preserves chain of custody to a standard that holds up for regulators and lawyers, not just engineers. And the permissions model is fine-grained enough that legal sees what legal needs, comms sees what comms needs, and your DFIR firm sees only what you've actually given them.
This is, deliberately, the same shape as the issue tracker thesis. It's tuned for the operational reality of an industry where the audit trail is non-optional, the permissions matter a lot, and the cost of ambiguous ownership during a live incident is measured in millions.
The same substrate works for humans, machines, and the messy middle
A SOC made entirely of humans needs CIRM because humans forget, hand off badly, and write incident notes in places nobody can find six months later when the regulator asks. Stable infrastructure lets human teams move fast: fewer status meetings, less re-explaining, less hunting for the latest version of the truth.
A SOC that is increasingly augmented by AI - triage agents, enrichment agents, draft-the-customer-notification agents, summarize-this-700-line-log agents - needs CIRM for a different reason. Agents need durable state outside the context window, because context windows drift, summarize, and reset. They need explicit ownership, because "probably" is not a value an agent can read. They need a state machine, because deciding what step you are on is not something you want re-derived from scratch on every invocation. They need an audit trail, because at some point an agent will do something inexplicable and somebody will need to reconstruct what it saw, what it decided, and who, if anyone, approved it. And they need scoped permissions, because the alternative - autonomous systems with unscoped access to incident data, customer data, and remediation actions - is the kind of decision that ends careers.
A hybrid SOC, which is the realistic near-term shape of essentially every security team that intends to keep up, needs CIRM most of all. Because the hardest problem in a mixed human-and-machine team is not getting either side to do its job. It is getting both sides to share a single, coherent picture of the incident. Both sides working off the same case, the same state, the same owner, the same history. The substrate is what makes that picture possible.
If you cannot point at a single object that says "this is what we know, this is what we have done, this is who has done it, and this is what happens next", and if that object is not equally legible to a Tier 1 analyst, a CISO, a forensic specialist, an external counsel, and an LLM-driven assistant, you do not have a hybrid SOC; you have parallel operations that will be hard to reconcile when it matters.
Move fast, but on something
The "move fast and break things" era taught us a real lesson: speed compounds. Iteration wins. Friction is expensive.
The "move fast with stable infra" era taught us the corollary nobody wanted to hear: speed only compounds on top of a foundation that doesn't shift. If the foundation is unstable, every increment of speed multiplies the eventual bill, rather than the eventual outcome.
Security teams have spent the last decade pushed by both forces. Pushed to detect faster, contain faster, disclose faster, recover faster. And pushed, simultaneously, into a regulatory and accountability environment that punishes the kind of casual breakage that Slack-and-spreadsheet operations make inevitable.
CIRM is not really a new category. It is the recognition that the same boring-infrastructure thesis that has remade every other coordination-heavy discipline applies, with extra force, to the one where the stakes are highest. The pressure of agentic operations and the pressure of modern regulation have just made the absence of a substrate too expensive to ignore.
Cydarm is that substrate. The shape of your SOC doesn't change what the foundation underneath it needs to be.
