Field Note #11 ∷ On Cultivating Trust as a Reflex

I. March 2021¶

On 2 March 2021, Microsoft published an out-of-band advisory for four vulnerabilities in Exchange Server. Two of them, when chained, gave an unauthenticated remote attacker arbitrary file write on a publicly reachable Exchange instance. From there, full domain compromise was a matter of patience. Microsoft's advisory named a state-aligned actor already exploiting the chain in the wild: HAFNIUM.

By the time the advisory dropped, the exploitation window had been open for some weeks. Within forty-eight hours of disclosure, automated scanning had reached most of the Exchange surface on the public Internet. By the end of the first week, tens of thousands of organisations were compromised. Web shells were being dropped indiscriminately.

What followed was one of the largest distributed incident response efforts in our field's history.

Most of the visible work was technical. Patching, scanning, eviction, remediation, hunting for the second-stage tooling that had landed on boxes compromised before the patch shipped.

The patches get CVEs and post-mortems; the conferences add panels; MITRE ATT&CK adds TTPs; the ticketing systems get archived. What does not get written about, because it is harder to see and harder to publish, is the trust fabric that made the technical work possible.

For weeks, people who had never been in the same room — who did not work for the same organisation, the same country, sometimes not even the same sector — were sharing indicators of compromise, triage patterns, and operational intelligence at speeds that no formal information-sharing agreement could have authorised. The work was being carried by individuals who knew, from prior contact under prior pressure, which of their counterparts could be trusted with what kind of information, on what kind of timeline, with what kind of confidentiality expectation.

That trust fabric exists because people invest, over years and sometimes decades, in keeping it alive. And during the response to HAFNIUM, it was load-bearing infrastructure for a substantial fraction of global incident response.

In the informal back-channels, rumours circulated that the exploit chain — or something close to it — had been seen in operational use years earlier. They were never substantiated; what mattered was that experienced practitioners found them plausible enough to act on, and that the channel carrying the rumour was the same trust fabric carrying the response.

After Stuxnet, after SolarWinds, after NotPetya, after HAFNIUM, after fast16 — every defender must work under the assumption that some capability of similar class is already deployed and not yet discovered. The confirmation of even one such instance obliges the defender to carry the entire attack class in their threat model. The adversary needs no such update; they already know what they hold.

This is the essay we wanted to write about the things that could not be written in March 2021.

II. Trust is not a contract¶

The dominant metaphor for trust in modern security culture is contractual. The phrase "trust, but verify" comes up at least once at every conference. You verify credentials, enforce policy, and audit access. You adopt zero-trust, where no request is trusted on origin alone.

None of this is wrong. But this is also not what carried the response to HAFNIUM.

What carried the response to HAFNIUM was something different entirely: a wager, placed quickly, between people who had reason to believe in each other's competence and good faith. Trust in this sense is not the absence of verification. Verification is expensive. Trust is what lets you act before verification completes — which, in incident response, is often the only kind of acting that matters. The boxes are being compromised now. The decisions are being made now. The information needs to flow now. If the only path to action is through a process that requires legal review, you will lose. You will lose because the adversary's process does not require legal review.

This is not an argument against process. The absence of process produces failure modes of its own. Our argument is narrower: in the operational tempo of a serious incident, trust networks are what allow process to be applied where it matters rather than everywhere uniformly.

Trust, in this sense, is operational bandwidth — built slowly, through the accumulated record of how someone behaves under pressure. The trust network you have on Thursday morning is the bandwidth available to you when the advisory drops on Friday afternoon.

III. Trust is not a credential¶

There is a tempting shortcut, especially for organisations that need to make trust decisions at scale: use credentials as a proxy — the certification, the title, the institutional affiliation, the security clearance.

A security clearance is an institution's record of everything about you that could be used to coerce you. This is not nothing. It is also not what one needs to know about whether to share an indicator of compromise with a counterpart at 3 AM. And a credential is only as trustworthy as the institution issuing it.

Credentials can carry substantial information. But they are a poor substitute for what trust networks actually transmit, which is closer to: this person has handled situations like this one before, and I have seen how they act under pressure, and I know what they can and cannot deliver on, and I know how they treat information that is not theirs to share.

That is not a credential, but rather a longitudinal record of behaviour, accumulated over time, distributed across a network of people who have observed the same person from different angles and compared notes informally enough that the comparison did not have to be defended.

Credentials can be falsified. Behaviour under pressure cannot — at least, not for long, and not within a community that maintains the conditions for honest comparison. The trust networks that carried the response to HAFNIUM were not made of certified incident handlers. They were made of people whose track record was visible to enough other people that the network, collectively, had a reasonable idea of what each person could do.

When organisations begin to substitute credentials for relational trust — when "is this person CISSP-certified?" replaces "have I or someone I trust seen this person work?" — the trust fabric frays. The fraying can be invisible until pressure arrives. Then the absence is visible all at once.

IV. Trust is contextual, not binary¶

One of the failure modes of contractual trust is that it tends to be binary. Either you are inside the trust boundary or you are outside it. Either you have access or you do not. Either you are cleared or you are not.

Operational trust does not work this way, and pretending it does produces brittle systems.

In a real incident, trust is graduated and contextual. You may trust a counterpart with a specific indicator of compromise but not with the broader context of the incident. You may trust them with the technical detail but not with attribution. You may trust them within their professional capacity but not within their organisation's communications channels. And the trust you extend this week, on this incident, at this scope, says nothing yet about the next.

This is how operational trust works between adults who understand that information flow has consequences beyond their own desk.

Operational trust can hold even across adversarial relationships, on narrowly bounded mission categories, when both parties recognise a shared stake that outweighs the broader hostility. States whose intelligence services are otherwise in open opposition have nonetheless sustained cooperation on specific categories of crime that both regard as intolerable.

This is not exotic; the existence of trust between otherwise adversarial entities strengthens our claim about operational trust. If trust can be scoped tightly enough to function despite political hostility, it can certainly be scoped to handle the ordinary frictions of incident response.

That said, a different type of caution is in order regardless of the scope of operational trust. Cultures around the world respect credentials and hierarchy very differently from one to the next. When crossing national borders, or even neighbourhood boundaries, we must be open to these differences and appreciate them. The goal is to find spaces where information can move to the people who need it; where messengers are not shot; and where the reflex under pressure is to share, not hoard.

Systems designed for binary trust force these gradations into the informal layer, where they cannot be audited, taught, or maintained when individuals leave. Systems designed for graduated trust make the gradient visible — which lets them be reasoned about, contested, and improved.

The TLP framework — Traffic Light Protocol — is one of the few formal artefacts that recognises this. RED, AMBER+STRICT, AMBER, GREEN, CLEAR. The labels are not security classifications. They are explicit declarations of trust scope: who can see this and who it can be shared with. TLP works because it formalises part of what trust networks were already doing informally, and gives them a vocabulary they can hand to people who were not in the original conversation.

The essay you are reading is TLP:CLEAR. The presentation it is based on was also TLP:CLEAR. Most of the work that made that presentation possible — and the trust fabric it was about — was not.

V. Trust must circulate¶

A trust network that does not circulate dies. This is one of the points where the operational reality is most counterintuitive to people who have not been inside an incident response community at scale.

You might think a strong trust network is one where trust is carefully accumulated and tightly held. The strongest networks would be the ones where every person verifies every other person before any information flows.

This is wrong. It produces a failure mode called signal extraction, whereby the trust fabric becomes a one-way membrane, through which individuals draw down on the collective trust account without contributing to it. The account drains. By the time the next incident arrives, there is nothing in the account to draw on.

Trust networks survive by circulation of information. People introduce people. People credit each other's work. They share what they know with people who could not have asked, because asking would have required information not yet available. They do favours that are not strictly necessary, because today's favours are how a network keeps its capacity to do the favours that will be necessary tomorrow.

The rituals of circulation are not social niceties layered on top of the real work — they are the real work, or part of it. The conference coffee-queue shoulder-tap, the unsolicited indicator, the "you should talk to my colleague" introduction, the laptop sticker quietly given, the credit in a write-up to someone whose contribution could have been silently absorbed; and the more personal exchanges too: the shared recipe, the candid pet photo, the sounding board offered over something that has nothing to do with work. None of these are optional. They are how trust networks refresh their operational capacity, and when they atrophy, the capacity to absorb the next incident atrophies with them.

One of the things that broke during 2020–2022 was the in-person conference circuit that had been carrying a substantial fraction of trust circulation. Two years of remote-only events meant the introduction of new people into established networks slowed dramatically. The trust networks did not collapse — the existing relationships held — but the inflow of newcomers who would, a decade later, become the load-bearing members of the next generation slowed to a trickle.

That cost has not yet been paid. It will come due in some future incident, in the conversations that did not happen because the people who would have had them were never introduced. When the shared substrate is removed, the trust fabric does not fail immediately. The damage shows up later — which is precisely why it is so easy to let the substrate go.

VI. Trust must sometimes be given before it is earned¶

This one is hard.

The official model says trust must be earned first. The streetwise model says trust may be given provisionally, calibrated to a demonstrated track record where available. Both are reasonable in steady-state conditions.

In fast-moving, distributed incident response, the official model simply fails: there is no time to earn trust first, and insisting on it means losing the moment. The streetwise model does better, because it lets you act on the trust you can assemble rather than the trust you wish you had. But this too has a limit. Calibrating to a track record works only where a track record exists, and the hardest moments are precisely the ones where it does not — where the person who has the information you need, or needs the information you have, is someone you have never met. Perfection is rarely on offer in incident response. The question is what you do when the track record you would want to consult is not there.

Trust networks that handle this well do not abandon caution. They locate the trust commitment differently. They trust the introducer rather than the introduced — this person is here because someone who is already trusted is willing to vouch — and extend a provisional, scoped, time-bound trust on that basis. If the trust is honoured, it becomes durable. If it is broken, trust networks correct, and the introducing person bears the cost of the mistaken vouch.

This is how new people enter a trust network without having to wait years to be useful. It is also how trust networks maintain their capacity to grow. A network that requires every new participant to spend five years earning trust from scratch is a network that is dying — slowly, but reliably.

The implication for community design is operational: the onboarding pathway must be more than a probation period with gatekeeping. It must be an opportunity for new participants to do meaningful work, observable by people the network already trusts, in conditions where the cost of error or bad faith is bounded but the upside of contribution is real.

And steady-state conditions are themselves increasingly the exception. The quiet in which trust could be earned slowly is not the world most of us now work in. Which is why this one is hard, and getting harder.

VII. Silence corrodes¶

When trust is damaged, the most common response is silence. The fracture happens — sometimes from a real betrayal, more often from misunderstanding or operational pressure or someone simply having a bad week — and the affected parties simply stop talking to each other.

The silence feels safer than the hard conversation. It is not. Silence does not heal damaged trust; it calcifies the damage. It compounds. What could have been a brief, low-stakes conversation becomes, with time and accumulated interpretation, a far harder one.

The original incident becomes mythologised in the silence. The other party's motivations are filled in by the imagination, which can tend toward the worst plausible version. By the time the silence breaks — if ever it does — involved parties are reasoning about divergent versions of events that may all have drifted far from what actually occurred.

To survive over decades, trust networks must embrace the practice of intentional repair.

Not forgetting, not moving on, not pretending the fracture did not happen, but explicitly naming and explicitly attempting restoration. The repair does not always succeed. It is not always possible. But the cultural permission to attempt it — with grace, without converting the repair into a status game — is what distinguishes resilient trust networks from brittle ones.

The mechanics are not complicated. Mostly they are:

• I think we have a problem.
• Here is how I see it.
• I am open to being wrong about how I am seeing it.
• Are you open to talking about it?

The mechanics are not hard. They require setting down the protective armour of grievance and exposing the relationship to an actual conversation.

Trust networks that cannot do this lose people permanently to fractures that could have been repaired. The losses accumulate, fracture by fracture. By the time the fraying becomes visible to the trust network itself, the fabric is much thinner than anyone realised.

VIII. Westrum¶

In 1989, Ron Westrum — a sociologist working on safety and reliability in high-consequence industries — published a six-page paper called A Typology of Organisational Cultures. It is one of those rare pieces of academic writing that turns out to describe, with unsettling precision, what most working professionals already feel from the inside. It deserves to be read in full — ten minutes, no more.

Westrum's argument is that organisations can be sorted into three categories based on how they handle information — particularly information that is operationally important, time-sensitive, and inconvenient.

Pathological cultures suppress information. Messengers are shot, bad news is buried, and failure is pinned on individuals rather than examined as a property of the system. Novelty is a threat; cross-team bridging, a liability. The information that flows freely is whatever flatters whoever holds power.

Bureaucratic cultures compartmentalise information. Messengers are tolerated but not heard; bad news moves through the appropriate channels at the appropriate pace, which is rarely the pace at which it matters. Failures are filed as procedural anomalies, and new ideas as problems to be managed. Bridging between teams is permitted, provided the forms are correct. Information flows — but slowly, through channels built to protect the existing structure rather than to surface what is actually happening.

Generative cultures actively seek information. Messengers are trained, trusted, and rewarded; bad news travels fast, because the people closest to it know it will be received seriously rather than punished. Failures are examined as properties of the system, not faults of a person, and new ideas are welcomed even when they disrupt settled arrangements. Bridging between teams is encouraged and resourced. Information flows because the culture is built on the premise that flow itself is what produces resilience.

Westrum's central observation is that the typology is predictive. The way a culture handles information is the clearest available signal of how that culture will perform under pressure.

What HAFNIUM made vivid is that Westrum's typology applies not just to single organisations but to the trust networks that span them.

The same three modes appear at the level of the community — except a trust network has no management to set its culture; the culture is simply whatever its members enact. A pathological network treats shared information as a weapon: signal extracted without contribution, access gatekept for status. A bureaucratic one shares at formal speed, which is to say too slowly to matter. A generative one shares operationally — right scope, right moment — and when something goes wrong, corrects without staging a purity test.

The difference between these three modes is not in the protocols, the technology, or even the formal agreements between organisations. It is in the trust fabric, and whether the fabric is being maintained or extracted from.

IX. Anti-patterns¶

These are behaviours that erode trust networks from the inside, often without the people performing them realising what they are doing. They are worth naming, because most of us have done some of them, and the first defence against doing them again is recognising the anti-patterns and giving them labels.

Credential inflation. Substituting titles, certifications, and institutional affiliations for the longitudinal record of behaviour under pressure. Asking are you credentialed? when the operative question is have you or someone I trust seen this person work?

Signal extraction. Treating community trust as a resource to be drawn down rather than a fabric to be maintained. Taking information without giving information. Asking for introductions without making them. Drawing on trust networks' capacity without contributing to their replenishment.

Gatekeeping by default. Prioritising control over participation. Treating new participants as threats to be managed rather than future load-bearing members to be developed. Designing onboarding pathways as probation rather than apprenticeship.

Ritual mimicry. Performing the visible markers of community trust — the shout-out, the introduction, the public credit — without honouring the substantive practice they encode. The ritual becomes a status display rather than an act of genuine care. The trust fabric is not refreshed; the fabric is exploited for performative appearance.

Silent withholding. Choosing silence over repair when relationships fracture; allowing damaged trust to calcify rather than attempting the difficult conversation that might restore it. The withholding is often viewed as protective; it is in fact corrosive.

These behaviours are not exotic. They are the default failure modes of any human community under pressure. The defence is not their elimination — they will always recur — but their recognition, named clearly enough that participants can call them out in themselves and in each other before the damage compounds.

X. Faster than fear¶

Our presentation closed on a single claim:

The difference between a resilient system and a brittle one is not redundancy. It is whether trust can circulate faster than fear.

Fear is fast. This is a feature of human cognition, not a defect. Under pressure, people transmit threat at the speed of reflex, automatically, across whatever channel is to hand. It is the oldest signal we have, older than language, and it travels accordingly.

Trust is slow. It runs on effort, intention, and time. And that is the whole problem, because the two are not racing on equal terms: in any system under pressure, fear moves at the speed of reflex while trust moves at the speed of relationship. Fear wins the opening exchange every time — unless the relationship was already there before the pressure arrived.

That is the entire operational case for building trust networks before you need them. In calm conditions, the speed gap does not matter; fear and trust coexist. Under pressure, the gap is decisive. Without prior investment — established channels, known allies, the rituals of circulation, the practice of repair — fear takes the field while trust is still lacing its boots.

A functioning trust network gives trust a head start. The relationship was built on Monday; the pressure arrives on Tuesday. The trust does not have to be built under fire — it only has to be activated, and activation is fast. Fast enough to match fear. Sometimes fast enough to beat it. But only because the slow work was already done.

That is what resilience actually is. Not redundant infrastructure. Not a better playbook. Resilience is whether the fabric was maintained in the quiet — so that when the fire comes, the trust is already moving before the fear can take hold.

XI. What this means for design¶

Build for operational tempo, not perfect verification; for graduated trust, not binary access; for circulation over accumulation; and repair over purity. Build onboarding that is apprenticeship, not probation. And build for the cost: the trust fabric is maintained by individuals, individuals are not infinitely durable, and a community that cannot acknowledge the cost of its own load-bearing infrastructure will extract from it until the infrastructure fails.

These are institutional implications, and they matter. But most readers of this essay do not run institutions; they work inside ones they cannot redesign at will. For the individual practitioner, the question is narrower and more immediate: what does this look like on Monday morning?

Two simple tools which may prove useful: The Hippocratic Oath of the Cybersecurity Practitioner names a shared ethical floor: what the work is for, and what it is not; The Friend Protocol is a small open document for hard conversations among people who want to do them well — including the ones that happen between trusted counterparts under operational pressure, where state, capacity, and timing all bear on what can be said and heard. Between them, they describe at the scale of the individual what this essay has described at the scale of the network.

And if you take only one thing from this Field Note, take this: read Westrum's paper. Six pages, ten minutes. It will reorganise how you think about every organisation you have worked in, every community you have been part of, and — if you let it — your own conduct inside both.

Pathological. Bureaucratic. Generative.

Most of us move between all three — different organisations, different days, sometimes different rooms in the same building. The only question that matters is which one we are building toward, in the small operational decisions that are our actual contribution to the trust fabric we live inside.

XII. Between watches¶

This essay was written by two people, and the trust it describes is one we have extended to each other across more years and more hard conversations than either of us will detail here. That we could write it together — and disagree inside it without the disagreement becoming the subject — is itself a small instance of what this essay is about.

But everything in it — the circulation, the vouching, the repair, the generative reflex to move information toward the people who need it — is carried by individuals. This is the part the systems language obscures. We speak of trust networks and trust fabric, and the metaphors are useful, but they quietly imply a resilience that should not be assumed. A well-designed system has redundancy: lose a component and another bears the load. The fabric is people. And people are not infinitely durable.

The hardest part to convey is what carrying the load actually feels like from the inside. An essay can attempt to describe that from the outside; it cannot put you in the room. Much of what keeps the lights on in the world today is carried by a broad spectrum of people, working across silos within load-bearing trust networks. We have attempted to the best of our ability to take you inside how trust networks actually function, when they function well. The rest is up to you.

— Trey & Tom

If you received this via email, the canonical archive version lives here: propertools.be/fieldwork/field-note-11-on-cultivating-trust-as-a-reflex/