AI is one of the two monumental shifts in cyber today
The way security products are bought has changed, but many people missed it
It’s 2026, when nobody can confidently say what the future of security is going to look like. Everyone is trying (what else can we do), but judging by all the progress around AI in recent months, we are all going to be wrong. The biggest mistake we all make is assuming that the future is just a slightly more advanced version of today. That is often true, but when real paradigm shifts happen, we are way too slow to react, and even slower to imagine what comes next.
While all attention is on Mythos and AI, the reality is that AI isn’t the only fundamental shift underway. Just as impactful is the rarely discussed but equally powerful change in how security products are bought. This is exactly what today’s deep dive is about.
You can’t scare a CISO into buying a new tool anymore
Some ten years ago, security teams were really struggling to get basic visibility into what was going on in their environments. It was understood that there was a lot of risk, but what’s good and what’s bad was largely unknown, or rather, not easy to figure out.
CISOs complained that they needed visibility into all the badness in their environment, and the market listened. This is exactly how entire categories of posture management solutions came about, from CSPM, DSPM, SSPM, and ASPM, to ISPM, and most recently, AISPM, to name some (I am sure I missed a few). Suddenly, security teams were finally able to see what was wrong. It almost felt like posture management tools could win the budget by quickly finding some really risky set of misconfigurations (CSPMs famously did this really well). Security teams would freak out, saying “Gosh, how could we miss this for so long?!” and feel grateful to the vendor for surfacing the issue.
This gratitude didn’t last forever, because seeing problems isn’t the same as being able to resolve them. This is where we, as an industry, have failed. Vendors would tell security teams that “Now that you know what’s misconfigured, you can start driving remediation”. What got lost in translation is the fact that “driving remediation” means more work for already overextended teams - more tickets to create, more people to chase, more begging to get problems fixed, etc. Security teams didn’t get any more power to get things fixed, but now that they knew about the problems, they were the ones blamed when a breach happened despite the gaps being known.
In 2026, you can’t scare a CISO into buying a new tool. Visibility remains foundational, but it’s no longer enough. As Yaron Levi said, “Visibility without action is just noise”, and most CISOs are starting to realize that. Six or seven years ago, a startup could get a CISO’s attention simply by saying that it had a next-gen tool to surface risky gaps in the customer’s environment. Fast forward to today, and the very same CISO will tell the founder, with some frustration, “Look, I know I have many problems, and I know we have a lot of risk. I don’t need another tool to tell me that. What I need is something to actually address these problems and remediate all these findings”.
This is a complete shift in which companies can succeed in the market.
“To sell a security tool, you need to show a CISO a real ROI” is easier said than done
The best advice I got when I myself was going through the process of ideation is to focus on tangible return on investment (ROI). In the end, it will always come down to the ROI calculation, so if you are an aspiring founder working on a new idea, you might as well start with the ROI calculator and walk backwards.
In security, this can be easier said than done. Here are the ways in which security products tend to try to show their value.
ROI in the form of improving efficacy (coverage)
As one of my CISO friends likes to say, security is a game of coverage and efficiency. Coverage (or efficacy) is critical because the better the coverage, the less likely the company is to get breached.
Historically, the most common pitch for security companies was precisely around improving efficacy. Not only that, but the most successful cybersecurity companies have almost always had a strong story around coverage. People bought CrowdStrike because its behavioral detection engine was designed to catch what McAfee missed. People bought Palo Alto because its application-aware firewall was able to block threats its predecessors missed. Newer email security vendors, vulnerability scanners, threat intel providers, and nearly every vendor in every category has been saying something like “Our secret sauce algorithm can catch 98% of badness when our competitors can only do under 80%.”
Welcome to 2026, when nobody can tell what works and what doesn’t any better than we could a decade ago. Given the explosion of cybersecurity startups, each of which is (obviously!) next-gen, AI-powered, and threat-informed, CISOs are no longer jumping at the opportunity to replace their existing tools because of efficacy alone. That is, unless the startup in question is truly a step function improvement, which, let’s be honest, most security vendors aren’t. In this day and age, a lot of security teams already have good enough solutions, and to convince them to deal with the pain of migrating tools, startups have to offer something really compelling, generally going beyond efficacy.
ROI in the form of improving efficiency
Another form of value that resonates with security leaders is efficiency. This makes a lot of sense because, as always, security teams are expected to do more with less. While the attack surface continues to expand (more cloud assets, more identities, more integrations, more third parties, etc.), security budgets are most definitely not growing at the same rate, despite what many would assume. Hiring and retaining people, in particular, remains really hard.
This creates a problem: even when a security team has great coverage on paper, with best-of-breed tools and top vendors in the stack, it rarely has enough time to go through all the findings these tools produce. It’s not enough to just buy tools without operationalizing them, and so in too many companies the gap between what should be happening and what actually happens day-to-day grows wider over time.
The good news is that with AI, it is finally becoming possible to automate a significant portion of the manual work that previously required continuous investment in human capital. Work that was historically expensive, slow, and inconsistent, like pentesting, threat hunting, compliance and audit preparation, user access reviews, and product design reviews, can now be partially offloaded to AI agents. More importantly, this isn’t just about automation in the traditional sense (scripts and playbooks). AI agents can reason across context, correlate information from multiple sources, and make decisions that previously required human engineers. This creates an opportunity to offer a very different kind of efficiency - not just doing the same work faster, but eliminating entire categories of toil altogether.
This shift has two important implications. First, efficiency is finally becoming possible to measure. Every company promises “saving time,” but now it has become possible to quantify these savings in terms of hours spent, tickets processed, or headcount needed to maintain a certain level of security. Second, efficiency now becomes the wedge for adoption. As I’ve said, coverage alone is no longer enough to replace an existing tool. Making a team meaningfully more productive without forcing them to rip and replace their stack is a much easier sell. Startups that position themselves as force multipliers instead of replacements while still retiring old spend tend to face less resistance and faster adoption cycles.
Let me be very clear: one doesn’t need to use AI to put forward a strong efficiency story. Take Chainguard as an example, a company that has been successful in reducing vulnerabilities by selling zero-CVE container images. Security teams get containers with no CVEs, which means they no longer need to ask developers to patch. That makes it a pretty high ROI coverage & efficiency story.
ROI in the form of direct cost savings
Then, there’s ROI in the form of direct cost savings.
This one can get really tricky, and for some companies, being cheaper than competitors might turn out to be a pretty bad idea. This is because in security, people tend to associate price with quality. I have heard many stories where a CISO was evaluating two tools and ended up choosing the more expensive one because they assumed that the cheaper option was not going to be as good. In a market for silver bullets, price is most definitely one of the factors that shape the perception of which products offer better security.
Most commonly, CISOs get skeptical when they see cheaper security solutions focused on detection and response. It’s a very different story for tools focused on infrastructure or on doing the work. Take Cribl as an example, a company that built a highly successful business by putting forward the value proposition of saving money on Splunk. It was easy for Cribl to explain exactly how they helped save money, and so it worked. If, on the other hand, someone were to come in and say “Would you like a cheaper CrowdStrike?”, they would be met with a lot of skepticism.
Generally speaking, I think whatever a security startup does, it had better do something that saves money. And the clearer and more direct these cost savings are, the better. “We replace a bunch of old tooling you are paying a lot of money for”, “We make you much more efficient so you don’t need to hire X more engineers”, “We do the work for you so that you don’t have to spend X hours per week (or $X per month)”, or “We let you cut spending by eliminating the controls you are not using” - all of these can work, provided that they are appropriate for the market the company is competing in and make sense for the product.
Improve security outcomes while solving operational problems and saving money
I am a big believer that in today’s world, most security problems aren’t actually security problems. They are IT and engineering problems that have downstream security consequences. Because of that, the fastest way to improve security isn’t layering on more detection tools, but fixing the underlying operational bottlenecks that create risk in the first place. This is why a lot of the security products that have real staying power are solving other problems. Zscaler and Palo Alto Networks enable connectivity, Okta handles access, and Island is creating a place where people can do the work… Right now, application security and code scanning are being eaten by the companies that make developers much more productive at coding. Even companies that started as purely security players, such as Wiz, have earned their keep by making other teams rely on them as well.
I think that some of the most successful security companies of the future are going to be companies solving non-security problems, but delivering security as one of the value propositions. CISOs will continue to want to see tangible ROI, and the ROI has to come in the form of compound value. It’s no longer about improving coverage, or improving efficiency, or reducing cost; it has to be a few (or all) of the above. If you can’t hit all three, you should at the very least do two of them.
When money was cheap and enterprises were growing at all costs, CISOs could ask for increased budgets, and in many cases, they would get them. Nowadays, every funding decision goes through a lot of scrutiny from the executive team, and CISOs know they will have to do a lot of work to build a business case and justify their asks. Naturally, when CFOs, CEOs, and boards ask CISOs about ROI, it only makes sense that CISOs will ask vendors for the same.
Basically, if you are a founder, remember one thing: whatever you build, start with the ROI calculator and walk backwards from there. In 2026, you just can’t scare a CISO into buying a new tool, but hey - good luck if you want to try it.