When a major cyber incident unfolds, the difference between a controlled response and a five-day nightmare often comes down to one thing: whether your team has a real system of record. Vaughan Shanks, Co-Founder and CEO of Cydarm Technologies, joins Sean Martin at RSAC Conference 2026 to explain why purpose-built case management for the SOC is not a luxury -- it's the foundation for accountability, faster decisions, and continuous improvement.
In the middle of a major incident, security teams face a brutal paradox: the faster things move, the harder it becomes to capture what's actually happening. Cydarm Technologies was built to solve exactly that. Vaughan Shanks, Co-Founder and CEO, describes the platform as a system of record for the SOC -- a purpose-built case management tool that captures who knew what, when, and why, in real time, throughout the lifecycle of an incident.
Most of Cydarm's customers sit in government, defense, and critical infrastructure -- organizations where the pressure of regulatory compliance, legal accountability, and board-level reporting is highest. But the value extends well beyond compliance. Shanks draws a direct line from his time in Australian federal government to the philosophy behind Cydarm: good record keeping is good governance. When a capital-I incident is declared, legal, HR, communications, the C-Suite, and the board all need a view in. Cydarm's fine-grained, attribute-based access control makes it possible to give each stakeholder exactly the access they need -- and no more.
What sets Cydarm apart from the ticketing systems most teams already have? Shanks puts it plainly: ITSM was built for IT service management, not adversarial cyber threats. The volume, velocity, and variety of SecOps are simply different. Cydarm is designed to feel more like WhatsApp and less like ITSM -- rich data format support, Easy Connect integrations, and a collaborative experience built specifically for high-frequency security operations. Teams that have built workarounds in existing tools know the maintenance burden that comes with it. Cydarm eliminates that mess.
The post-incident dimension is where the system of record pays compounding dividends. Shanks outlines three paths: individual incident reports with adjustable significance levels for different audiences; longitudinal metrics capture that reveals the threat environment your controls aren't blocking; and resource justification data that gives security leaders the evidence to defend headcount and budgets. One customer -- a security leader at a major household brand -- had never experienced a breach, and had long struggled to justify the size of their team. With Cydarm's metrics, they finally had the data to make the argument.
This is a Brand Spotlight. A Brand Spotlight is a ~15 minute conversation designed to explore the guest, their company, and what makes their approach unique. Learn more: https://www.studioc60.com/creation#spotlight
GUEST
Vaughan Shanks, Co-Founder and CEO, Cydarm Technologies
https://www.linkedin.com/in/vaughan-shanks/
RESOURCES
Cydarm Technologies: https://www.cydarm.com
KEYWORDS
Vaughan Shanks, Cydarm Technologies, Sean Martin, brand spotlight, brand story, brand marketing, marketing podcast, cyber incident response, SOC case management, security operations, incident management platform, system of record, RSAC Conference 2026, NIST incident response, playbook management, SecOps, ITSM alternatives, post-incident review, threat metrics, CISO accountability
When Every Second Counts, Who Knew What and When? | A Brand Spotlight at RSAC Conference 2026 with Vaughan Shanks, Co-Founder and CEO of Cydarm Technologies
Sean Martin: [00:00:10] Yep. Guys, look at that. Here we are. Vaughan, you made it.
Vaughan Shanks: I did.
Sean Martin: A few, a few minutes on the plane. And you arrived in San Francisco.
Vaughan Shanks: Right. Yep.
Sean Martin: How is it? How's RSAC Conference?
Vaughan Shanks: RSAC is amazing as always. Yeah. Just really exciting time. Catching up with a lot of people, seeing what's happening in the vendor space. Very exciting.
Sean Martin: Very good. We'll talk about some of the conversations you had before we get into all the fun and goodness of what RSAC Conference brings. Maybe a few words about yourself and your role with Cydarm.
Vaughan Shanks: So I'm the co-founder and CEO at Cydarm Technologies. And we are a cyber incident response management platform -- put simply, case management for SOC.
Sean Martin: Case management for SOC. And what is the biggest challenge that most of your customers face when they're putting their SOC program together?
Vaughan Shanks: [00:01:10] Usually people need a way to record information. Often that's to track status on what threats they're currently facing in real time. Often it's so they can go back and do lessons learned or look at metrics over a period of time. And increasingly we're seeing regulators wanting to get a very accurate and detailed description of who knew what, when. So Cydarm is, if you will, your system of record for recording what goes on in the SOC so that you can come back later and provide information to all those stakeholders.
Sean Martin: System of record. Do many organizations actually think about that or do they just kind of run free and do the response willy-nilly?
Vaughan Shanks: It depends on the type of organization. Most of our customers are either in government -- state and federal government, defense -- or critical infrastructure. Some industries, the threshold for regulatory compliance and the need to get better at cyber operations is not as strong. But certainly in government and regulated organizations, I used to work in federal government and they had a saying: good record keeping is good governance. That's a very strongly held belief with those organizations and that's why they see value in it.
Sean Martin: [00:02:10] In the states we've seen some movement here, and obviously you do work in the states as well. Have you seen a shift where cyber insurance and perhaps even some legal teams want to have that system of record as well?
Vaughan Shanks: Definitely. There are many stakeholders now that have a view in on incident response. The ones you just mentioned -- plus communications people. As an incident escalates, when you call it a capital-I incident, it's declared as an incident. At that point you need to get legal involved. If it's an insider threat, HR might even have a role to play. Communications, C-Suite, board -- everyone has a part to play. Privacy teams, vulnerability management -- it often goes beyond the SOC. There are many adjacent teams up and down and outside the organization.
Sean Martin: So how does Cydarm help bring those people together and give them a space to do what they need to do?
Vaughan Shanks: [00:03:10] First of all, we have a fine-grained access control system. It starts with multi-tenancy -- we can have multiple organizations on the same platform. We do this in one major government organization where they have several adjacent teams that each have effectively a siloed set of case management. We think of them as risk owners, and those risk owners can actually share cases between them, or even transfer cases when they need to collaborate. And because the access control is very fine-grained -- it's attribute-based -- you can give people the exact access they need and no more. It's very much balancing need to know with need to share, and that's a very federal government thing to say.
Sean Martin: [00:04:10] If organizations have done something to coordinate activities, it's probably through one of the many ticket systems they have in place. What are the challenges when they try to use that as a means to manage this?
Vaughan Shanks: Good question. Ticketing systems are everywhere. People trying to get by doing SecOps with ITSM -- the problem is it's not built for it. A change outage or a system upgrade or a broken keyboard is not the same as an adversarial cyber threat. You're not dealing with the same volume, velocity, or variety. Just the scale and speed and the false positives that you get in SecOps -- ITSM just isn't built for that. And a lot of the ticketing systems are clunky -- it's typing text in a box and that's pretty much all you get. We provide more of a rich experience that's better designed for high-volume, high-frequency information. The guidance to the development team is: make it feel more like WhatsApp and less like ITSM. We have support for different data formats that are commonly used in SecOps. It's really that quality of life built specifically for SecOps that you just don't get in ticketing systems. People come to us because they want a better solution.
Sean Martin: Right.
Vaughan Shanks: You can build it in house by modifying existing software, but then you have to maintain a mess. We just make it nicer.
Sean Martin: [00:05:10] Does everybody then come into Cydarm? Or are there ways that they still operate in their own world as well, depending on their role in the response? And if so, how do you enable that?
Vaughan Shanks: It really depends on the organization and how they wish to organize their operations beyond the SOC. In some cases we've had multi-tenanted setups where we're sharing information between different sub-organizations on one system. In other cases, they want to be able to send emails off-platform. So we can start an email thread, loop some people in, and then track that email thread and keep returning the replies onto the case. They don't get access to the case management. You can also send notifications -- all of the popular messaging apps are supported. So different ways to keep people involved and collaborating without necessarily having them logged in on the platform.
Sean Martin: Got it. What about integrations? How does that work?
Vaughan Shanks: [00:06:10] We have this concept of platform events. Platform events can trigger an automation to fire. We've taken a very thoughtful approach to architecture -- we have external components that handle the integration, and they're highly configurable, but we provide out-of-the-box configuration that's very simple to use. We call it Easy Connect. You simply open a dialogue, drop in an API key, check boxes for the features you want, hit submit, and it just works.
Sean Martin: Okay.
Vaughan Shanks: But if you want to go really deep and edit the templates and change the type of information you're sending to the remote platform or how responses are formatted, you can do that as well.
Sean Martin: [00:07:10] Every business is different, every sector is different -- certainly technology stacks underneath all the SOC. The teams build a process to match what they have. How do you help a team walk from A to Z in line with how they need to manage that response based on who's involved and what's going on? I'm talking about playbooks and tabletop exercises. How do you map what they want to what you offer?
Vaughan Shanks: [00:08:10] Good question. We have a NIST-aligned workflow at the basic level. And I want to throw out an idea -- process is collaboration. A process exists to enable collaboration at the various points. So we clearly identify what stage of a response we're in, and within that we have a set of actions performed that often involve notifying people where you're up to and performing handoffs or tasking. We have that NIST-aligned workflow at one level -- you can customize it if you want a variation. And then we have specific playbooks for different incident types: phishing, compromised credentials, DDoS, and more. We provide some out of the box; you can also make your own, duplicate the existing ones, and modify them. We have two types of playbooks -- checklists, which are textual descriptions of what you might do at each step, and a branching playbook system based on OASIS CACAO, which allows decision points and more process rigor if you want it.
Sean Martin: [00:09:10] What's the experience like for a CISO managing all of this, especially during a significant incident with a lot of stress?
Vaughan Shanks: [00:10:10] The biggest problem I believe is just being aware of what's going on -- having that information capture. I know a security leader at a very well-known household brand who told me they once went for nearly five days without sleep. The days were spent basically walking around the SOC floor with a spiral-bound notebook, jotting down notes about where everybody was, where they were up to, what they'd observed, what they were doing. Then taking all that data back to their computer and creating a deck with a situation report so that at 0800 hours next morning they could show the board and executive where a large-scale incident was up to, and what resources needed to be brought to bear.
Sean Martin: Right.
Vaughan Shanks: [00:11:10] That kind of nightmare situation -- going without sleep, having to do this manually -- by the time you collect that data, it's already out of date. It's obsolete. You're giving an aged sit-rep by the time you do it. They successfully navigated through that incident. But this person said they never want to have to live that way again. If you've got a platform that's a system of record but easy to use, so you don't have to force people to use it -- they're going to use it as their scratch pad. No more email drafts. No more notepad. You're putting the data straight into the case management system, and so it's immediately visible when you need an update on where things are at.
Sean Martin: Right. It's easy to get information because they're probably sitting in front of a SIEM or a SOAR and probably a bunch of other systems providing context that maybe those other platforms didn't have access to at the time. So it's easy to pull all that information in and into Cydarm.
Vaughan Shanks: So Cydarm deals with -- if you think about the information hierarchy of data, information, knowledge, and optionally wisdom above that -- it's contextual. Data in context is information, information in context is knowledge. Cydarm sits more at the boundary of information and knowledge. [00:12:10] What we're doing is not trying to capture full log take or bulk data -- though you can store that if you want to preserve an artifact. Really it's about preserving what is important. What were the observations critical to determining the status of the incident? What were the significant actions taken and why?
Sean Martin: Right.
Vaughan Shanks: What important decisions were made, when, and by whom -- recording that sort of information, with supporting evidence along the way, is what we do.
Sean Martin: [00:13:10] Going back to the system of record -- you talked about decisions being made, having the information to make a good decision quickly -- because indecision is horrible. And then the context leading up to why that decision was made and who made it. I'm assuming that's all part of the system of record, which is good for look-back, but also somebody's probably going to be looking in, in some cases. As a CISO, I'd want to know that I'm doing it in the right way to support the business recovery, but also in the right way that I'm protecting myself and my team -- that we did in fact make the right decision based on the information we had.
Vaughan Shanks: Yeah. I think accountability is very important. Knowing what we knew at a given time and why we did something -- maybe if we'd known more, we would have done it differently. If we'd known this incident was going to escalate, but at the time we did it with the best information we had. Having that accountability, that decision awareness, allows you -- it gives you the confidence to move faster and make better decisions.
Sean Martin: [00:14:10] So on the other side of the coin -- post-response analysis. How do you see organizations coming out of that and applying the learnings from Cydarm to prepare better for the next one? Or perhaps to say, we need to change our mitigating controls, our risk management, or a policy -- whatever got us here in the first place because we left some exposure and weren't able to respond like we wanted. How does that close the loop, and maybe some examples of customers that have done it?
Vaughan Shanks: There are three different ways you can use a system of record to better prepare. One is at the individual incident level -- or you can analyze an incident group where you've put a number of cases together into one group -- generating a report. In Cydarm you can switch on and off significance levels. [00:15:10] What you send to an executive audience will not have the same granularity as what you use internally for a PIR. So you generate a report on the incident and go through with timestamps in your time zone -- we have very precise time zone settings -- and figure out who did what when, and perform an analysis as a team of how you could do better, what you can learn from it. Can you build a new playbook? Can you adjust the playbook based on how the incident went? That's one way. The second is when you look at data over a period of time. With good metrics capture -- and we enable mandatory collection of metrics, so tagging metadata: what are you recording about each incident, the disposition, the type, severity level, systems targeted, systems producing the alerts. [00:16:10] All of this is valuable metrics you can collect and observe over time. Your controls aren't going to tell you this because if they were working a hundred percent, you wouldn't need a SOC. What you're doing in this environment is capturing what's left after you apply all the protective controls -- a dataset you can use to inform decisions around your control posture. Where do we need to shore up? Do we need better email filtering? Protective DNS? Where are we seeing the most threat activity? You're also gathering data on the efficacy of the response -- how long are we spending in triage, analysis, containment -- and that can be used for resource justification. I know a security leader at a household brand who has never had a breach. They have a really hard time justifying why they have this huge team and all these resources. [00:17:10] But if you can capture the metrics and demonstrate how long it takes to respond, you can demonstrate why this is just enough --
Sean Martin: Right.
Vaughan Shanks: Or maybe not quite enough. So you're justifying your next purchase from one of the vendors on the floor there, or justifying why you need more headcount.
Sean Martin: [00:18:10] Yeah, absolutely. Some great examples there, Vaughan. The idea that I could not have to lose sleep for five nights -- that's a selling point enough for me. I'm sure you have a gazillion examples of how customers can save time and headache and actually catch some sleep and run their team in a way that they're not killing themselves. I'd encourage everybody to connect with Vaughan, connect with the Cydarm team, and chat with Vaughan. I'm sure you have plenty of other case studies and use cases you can share.
Vaughan Shanks: Thanks, Sean. Really appreciate it.
Sean Martin: Yep. Good stuff. Thanks everybody. Stay tuned for more.