Today’s AI-powered SOC companies are tomorrow’s security service providers
AI agents for SOC vs. AI-enabled MDRs: a deeper look
There are a lot of conversations about the future of AI in security, and it makes complete sense that much of the attention is centered specifically around SOC automation. After all, that is where security teams spend most of their time. In this piece, I am discussing the trends defining the future of security in the context of security operations, unpacking the meaning of Service as Software and explaining its facets, and talking about two types of AI x SOC solutions as well as the future of AI SOC.
Three trends defining the future of cybersecurity
Customers get excited about AI but they don’t care about AI
AI is the topic of the day - every security startup today is citing AI as the answer to the “Why now?” question, every VC expects to see some AI story in any cyber company they invest in, and just about everything on social media is about how AI is changing the future of our industry. CISOs and CIOs I talk to say they are excited about AI, but if you look closer it’s easy to see they are actually excited about something else.
Security leaders don’t care about new shiny technology (AI or anything else for that matter); they care about the outcomes. When they hear “AI”, they don’t think about all the magical possibilities it creates - imagining the future is the job of founders and investors. When buyers of security tools hear “AI”, they hope that “maybe now this category of tools will deliver where the previous generation failed”. When buyers hear “AI”, they are crossing their fingers that AI agents will solve problems that SOAR, SOC automation, workflow automation, identity, endpoint, IT, and all the other tools weren’t able to solve before.
Here is the kicker though: buyers get excited about AI but don’t care about AI. Yes, having “AI” in marketing may compel them to agree to a demo, but once they show up at that call, they don’t want to hear about AI - they want to hear about the specific problems the tool is going to solve for them.
In other words, customers care about the outcomes, not how they are delivered. If a startup can achieve an outcome that its predecessors weren’t able to, and if someone cares deeply about that particular outcome, the company will have a great future regardless of whether or not it uses AI.
Companies are continuing to delegate security to external parties
More and more companies are realizing that if security isn’t their core competency, they might as well delegate it to third parties. This isn’t specific to security: for many years, businesses have looked for ways to delegate as many supporting functions to third parties as possible.
I wrote about this trend in one of the previous issues of Venture in Security: “While tech companies have been hiring security engineers and security architects, and embracing an engineering mindset to security operations, the rest of the world works differently. The industry is maturing, but the definition of this "maturity" is much more nuanced. For tech companies, large banks, and the like, maturity may indeed mean hiring technical security practitioners (security engineers, architects, detection engineers, etc.), building customized tools to solve problems unique to their organizations, and so on. However, they represent at best 1-5% of the market. For the other 95%+ of the market, maturity means admitting that they don't have the expertise to take care of their security needs, that they will most likely never afford that expertise, and that they have no idea where to even get started. For them, the outcome of maturity will be continued delegation of security to third-party providers, which includes security products but much, much more so - security services.”
In other words, customers care about the outcomes, not how they are delivered. If a third party can do a good enough job for a fraction of the cost, from the business standpoint the trade-offs may be well worth it. I’m noticing ongoing pressure to reduce security budgets for full-time hires. Fewer companies can afford to build a dedicated SOC or sustain a high level of in-house expertise, and this number appears to be shrinking year after year.
The line between products and services is disappearing
A decade ago, anyone looking to segment and classify cybersecurity companies would first split them into two buckets: products and services. This distinction is becoming less and less relevant as product companies are adding services and vice versa. I wrote about this phenomenon at length before.
The main factor that drives security product vendors to offer services is the desire to increase their share of customer wallets, and subsequently generate more revenue. In addition, by offering professional services, product vendors can greatly increase their conversion rates, improve customer experience, and make their offerings much more sticky.
The fact that a service business requires people to deliver value makes it hard to scale. The more demand the company is seeing, the more people it needs to hire, train, and develop to deliver projects. While it’s not possible to entirely escape the limitations of the services model, it is quite realistic to optimize it. To do that, security service providers need to find a way to deliver their services at scale, which frequently means productizing and automating service delivery until it becomes indistinguishable from the product. Other reasons why service providers are incentivized to productize include achieving scale, improving valuation and exit multiples, and providing a visibility layer for their customers.
The line between cybersecurity products and services is getting more and more blurry. As we go into the future, that line is going to disappear altogether.
In other words, customers care about the outcomes, not how they are delivered. It's then up to a vendor how it delivers the outcome - by offering a product, a service, or a combination of the two.
There is much more to it than these three trends
Many more factors impact the direction the industry is going in. For example:
Cybersecurity is dominated by edge cases, and it’s impossible to account for each and every scenario within a single product. Every tool needs to be tuned to different environments, and making a generic Swiss-knife platform has proven to lead to struggles with adoption.
Security teams lack the talent to operationalize security tools. We have seen that clearly with security orchestration automation and response (SOAR) platforms which, in order to be successfully implemented, require an almost non-existent cohort of people with skills in both playbook creation and incident response.
Even when a vendor doesn’t provide services directly, a robust ecosystem of service providers often steps in to bridge the gap between what the product is able to offer and the customer’s expectations. This is true for a wide variety of vendors, especially implementation-heavy solutions such as SailPoint and Saviynt.
Making sense of Service as a Software
I see a lot of excitement in the startup community about the concept of Service as a Software. The hard part is figuring out what people mean when they use this term.
In the eyes of many, Service as a Software is about productizing services, where traditionally human-driven tasks are being transformed into software to scale more efficiently. This perspective sees Service as a Software as a way to codify and automate service-based businesses, making them more predictable, cost-effective, and scalable, similar to how traditional SaaS turned software into self-service offerings.
The idea that services can be automated and productized is very appealing because, in terms of spend, the security services market is substantially larger than the security products market. That said, a long list of nuances makes it highly unlikely that software will fully automate services. For example:
There are different types of services. Some such as managed detection and response (MDR) do indeed handle a lot of repetitive tasks like triaging alerts. A lot of these types of services can indeed be made more efficient with automation. Others such as making sense of an organization’s environment, identifying the right stakeholders, and navigating the political complexity, are much less likely to be automated.
When customers are seeking help from services, it’s often to get support from a team of people that is laser-focused on their unique needs. The reality is that most companies don’t actually know what they need, and even when they think they do, they often benefit greatly from third-party insights. We are far away from being able to automate insight and experience.
Instead of trying to fully productize services, I prefer the idea of blending software automation with real human expertise. Unlike traditional SaaS (Software as a Service), which relies on self-service tools for users to navigate solutions independently, Service as a Software would prioritize results by integrating technology with human intervention. In this model, software would efficiently handle repetitive tasks such as data processing, scheduling, and matching, while human experts would step in to provide guidance, manage exceptions, and address complex challenges. This approach, often described as “human-in-the-loop”, would ensure a more personalized and empathetic customer experience by keeping humans involved in critical decision-making points.
If we take a few steps back and look at all these debates about Services as Software, Software and Services, Outcome as a Service, AI Services, and Agentic Services, it becomes clear that customers don’t care about any of that. In other words, customers care about the outcomes, not how they are delivered. Companies that will succeed will be selling outcomes (results), vs. the ability to achieve outcomes using AI. These outcomes could be delivered by humans, augmented with AI, or fully delivered by AI agents. In the end, all of that is just software that offers a service and it’s built using AI.
Two types of AI x SOC companies
There are different ways to slice the AI x SOC market - by the way startups use AI, by the tech stack they support, etc. I believe that at the very fundamental level, there are two types of companies using AI to automate SOC operations:
Those building products (AI agents for SOC), and
Those offering services (AI-enabled MDRs).
Using AI to build products (AI agents for SOC)
There is no doubt that enterprises are struggling with alert overload. The top 1-10% of the market fortunate to have their own security operations centers (SOCs) aren’t just dealing with advanced persistent threats - they are also triaging 95-99.9% of alerts that are nothing but noise and false positives. AI agents for SOC come with the promise of cutting through the noise, identifying the few alerts that actually matter, and helping security teams handle them.
In my opinion, AI for SOC is the natural next step in the security information and event management (SIEM) and security orchestration, automation, and response (SOAR) story. Historically, SOC teams had to sift through a sea of alerts trying to find a needle in a haystack (SIEM use case). Then, they had to automate manual investigation, triage, and remediation tasks (SOAR use case). AI agents for SOC are trying to solve a combination of these two use cases in a single place.
Many of today's AI SOC customers are MSSPs that offer their own managed detection and response services. AI SOC analyst technology enables MSSPs to support more clients and maintain consistently high-quality service - something that becomes increasingly important in a highly competitive market.
While there are massive opportunities, AI SOC players have some serious challenges to overcome. First and foremost, they are competing with established vendors such as CrowdStrike and SentinelOne that have the mindshare and are already pitching their own AI SOC solutions. Second, they are competing with established automation players like Torq which have also pivoted into AI for SOC solutions. Third, they are competing with players such as Expel that have a lot of brand recognition in the enterprise space. While competitive pressure is not necessarily a bad thing, AI SOC vendors will need to demonstrate real impact to be considered.
Using AI to build services (AI-enabled MDRs)
While there are tens of startups that position themselves as AI for SOC, there are only a handful that openly pursue the strategy of becoming an AI-enabled MDR provider.
While the AI aspect of automating services is new, at the foundational level security service providers have always been trying to automate manual parts of service delivery with scripting, playbooks, and writing code. The challenge has been that service companies are started with a different mindset and skill set than that of software companies:
While product companies are thinking about scale and automation from day one, service companies start by doing what doesn’t scale.
While product companies have access to venture funding, service companies are generally either bootstrapped or funded by other, less risk-friendly investors.
While product companies have the resources to hire software engineers, service companies need to hire people focused on service delivery.
While product companies think in terms of products and building solutions that they can sell without much customization, service companies deliver value by embracing customization.
What is different today is that AI-enabled MDR service companies are started by software engineers, with venture backing, and they think about scale from day one. Players like Arctic Wolf and Expel have been quite successful at building product-first services companies using technologies that existed when they started. The hope is that today, AI would enable the new entrants to automate even more manual work than ever before, leading to higher efficiency and better margins.
I am bullish that AI does indeed have a strong potential to make service providers much more efficient. The challenge, however, lies not in efficiency but in distribution. Expel and Arctic Wolf have already automated every aspect of alert investigations that doesn’t require LLMs. I’d guess they are automatically closing 90-95% of tickets and alerts. However, despite their efficiency, all venture-backed MDRs combined likely hold less than 10% of the total MSSP/MDR market share. I don’t think the obstacle that prevented Expel and Arctic Wolf from taking over the services market is automation. If it is, then LLMs and the decrease in alert noise may indeed change the game. It is, however, much more likely that AI-powered MDR players will need to solve the same problems and overcome the same obstacles their predecessors did - namely distribution and go-to-market. Outside of the enterprise, companies tend to buy security through their managed service providers (MSPs) as they are the people they know and trust. At large enterprises, there are often resellers, integrators, etc. Managed security service providers will need to find a way to reach previously underserved customer groups - and AI will enable that.
AI agent for SOC vs. AI-enabled MDR: going into the future
AI for SOC and AI-enabled MDR are quite different
Many people, when looking at AI for SOC and AI-enabled MDR, assume that the difference between the two is all about positioning and branding. In my opinion, there is much more to it.
Startups building AI agents for SOC are building product-first offerings, which assume that someone else will be operating them. I tend to believe that in the next decade, more and more customers will be outsourcing their SOC to third parties, as opposed to upleveling their internal SOCs with better tools. There will no doubt continue to be a market for best-of-breed tools at large enterprises, but it doesn’t feel realistic that it’s a big enough market for 15-20+ companies to survive. Those that can show value and real impact will thrive; those that don’t will fade away.
On the other hand, AI-enabled MDRs design products that will be operated by their own teams. They abstract as much of the complexity and inner workings of their platforms as possible, only exposing to the end customers the outcome they are looking for. AI-enabled MDRs are building out internal capacity for service delivery, while AI for SOC vendors rely on the talent of their customers to get full value out of their tools.
Depending on which path startups decide to pursue, they will inevitably end up building different product offerings. Pivoting from one to another is not going to be easy either. Unless a startup invests in developing operational capabilities, building fully multi-tenant offerings, and designing a product with the assumption that it will be operated internally, it won’t easily become a service provider. To put it differently, an MDR is much more than an AI SOC plus a few SOC analysts. The same is true for changing the other way around (an AI SOC product is not an AI-enabled MDR platform operated by the enterprise’s own team).
Thinking about paths to an exit
I believe that both AI SOC & AI-enabled MDR players have four paths to an exit:
Get acquired by service companies
Get acquired by private equity and merged with service companies
Get acquired by product companies
Become a services (MDR/MSSP) company
I think most players are going to be swallowed up by existing service companies. This will allow service companies to solve some of the problems around talent shortage and the need to scale headcount with growth. Moreover, service providers are willing to do anything it takes to position themselves as product offerings. We have recently seen how these kinds of deals unfold with the combination of Arctic Wolf and Cylance. Getting acquired by private equity and merging with service companies is another strong path to an exit. Many of the smaller existing MDRs and MSSPs are owned by private equity - folks who value the idea of achieving operational efficiencies and cost reduction more than anyone else. AI may make it possible for private equity firms to achieve the level of returns that wasn’t possible before.
The probability of AI SOC & AI MDR vendors getting acquired by product companies, in my opinion, is medium to low. That is because CrowdStrike, Palo Alto, SentinelOne, and other players are investing heavily in their own automation capabilities. For them, an AI service is unlikely to become a new SKU they can sell to their customers. Internal efficiency could be a solid driver, but service providers most certainly experience the pain of manual work more acutely.
I have developed a conviction that companies attempting to build product-only AI SOC offerings will eventually evolve into hybrid "product plus service" offerings. The reason for that is simple: while AI makes it possible to automate Tier 1 or Tier 2 level analysis (and that’s where a lot of the inefficiencies are), the real gap companies are dealing with is about attracting and retaining senior talent. Automating away some aspects of low-level security triage will certainly be helpful, but without solving the broader problem the impact will be limited at best.
When it comes to AI-enabled MDRs, I think they are much more likely to grow into service companies (think next-gen Expel and Arctic Wolf). As I’ve repeated several times throughout the article, customers care about the outcomes, not how they are delivered. That said, a delivery with humans in the loop has much more potential to unlock the market outside of the enterprise segment. In addition, services is a pretty commoditized space and a lot of the perceived value comes from personal relationships and customer experience. MDR vendors (AI-powered or not) have much more ability to build these relationships and to position themselves as a true extension of the customer’s team if they operate as services rather than product companies.
Product and service convergence will continue
Regardless of where companies start, the product and service convergence will continue. Both AI for SOC and AI-enabled MDR players will morph into a similar-looking offering of an AI-enabled, technology-forward service provider. This is why I say that today’s AI-powered SOC companies are tomorrow’s security service providers.
In the end, I think what companies are doing today at the intersection of AI and SOC is a great thing for the industry. It’s hard not to get excited picturing the world where every MDR provider has access to an AI-powered operating center where AI SOC helps them automate away alert fatigue and manual processes around SOC, AI pentesting tools help them automate a lot of the manual work around pentesting, etc. This will hopefully change the way services are delivered, and their cost structure. That is, if technology can deliver on its promises.
If AI is indeed able to deliver on its promise, it can also upend the traditional security go-to-market model where security companies sell the product and leave it to the customer to rely on ecosystem partners (resellers, integrators, and consultants) and pay a lot of extra money to succeed with the product they’ve just paid for. Hopefully, we will soon see a world where security buyers finally find their long-standing challenges solved through the right blend of expertise and technology.