Cybernomics: Where Business Meets Tech

Word on the Street - AI Security’s Rapid Gold Rush with Richard Stiennon

Bruyning Media

We reconnect with Richard Stiennon to chart how AI is rewriting cybersecurity, from the rise of 290 AI security vendors to SOC automation, investor momentum, and the criteria that separate true AI players from marketing.

• Explosion of AI security vendors since late 2022
• Criteria for defining AI-first cybersecurity companies
• Investor appetite, valuations, and looming acquisitions
• SOC automation enabling full alert triage
• Governance gains vs operational impact
• Guidance for buyers and founders on proof and outcomes


SPEAKER_00:

Richard Stiennon, long time no speak. Haven't heard from you in a little while. And the last time we spoke, we were as we always did. We were looking at what's new in the investment world and with the vendor world and uh what's new with IT Harvest. So let's pick up there, right? Like no time has passed. What's new with IT Harvest? What's going on in the vendor world? And what are you seeing on the street?

SPEAKER_01:

So all came together when uh my publisher told me that they didn't want to publish Security Yearbook 2026. And I had already scheduled a week to write a new version. So I figured I better write something else. And the most timely topic I can think of is writing a book about AI security. And so that's what I decided to do. And uh it's got a title, it's got a cover design, and I went off to northern Michigan and wrote solid for five days, and I'm up to 27,000 words. There are now 290 vendors of cybersecurity AI products.

SPEAKER_00:

Last time we spoke, there were probably like what? I mean, this was two months ago, 80. Yeah.

SPEAKER_01:

Yeah.

SPEAKER_00:

Wow. Yeah.

SPEAKER_01:

So a lot of that, a lot of that came from the fact that um I saw somebody else's infographic and I asked a couple of AI tools, hey, do a diff between the vendors they have and the vendors I have, and then identified, you know, 115 vendors that I did not have identified. And that was because during the early years of AI security, which is 2023 and the beginning of 2024, I didn't have an AI security subcategory. And you know, when I saw somebody that was, you know, building agents using large language models do pen testing, I said, okay, that's a pen tester. But going back, and which I did, um I spit out all the companies that have been founded since 2022, 512 of them. And I went through every single one of them and rechecked to see their, you know, if they had pivoted into AI. And that's what got the number up, the 290.

SPEAKER_00:

So what counts as an AI cybersecurity startup?

SPEAKER_01:

Yeah. Um if they started after November 30th, 2022, and they say AI, then when they found, you know, if they're a young company, then they are definitely already, you know, incorporating large language models and doing what we all now think of as leveraging AI. If they are founded in, you know, 2008 and they're claiming to be AI, then they have to pass a much higher bar, right? Because if they're just doing Bayesian filtering, you know, because they use machine learning, that's not AI as we understand it today.

SPEAKER_00:

Are there any new SIEM-like products out there? Because that seems to me like one of the best applications of AI.

SPEAKER_01:

Actually, that what I'm seeing is they're eliminating the SIEM altogether. They just shove all the logs into one huge data lake and we'll work with it. So that's not a SIEM, right? The SIEM is supposed to prioritize and dedupe and all the rest of that stuff. Nope, you don't need that anymore. SIEM is dead.

SPEAKER_00:

So does that mean that AI cybersecurity companies are spawning new subcategories and rewriting what it means even to be a cybersecurity company?

SPEAKER_01:

There's a lot to unpack there. Mike Privet said it pretty well. He said it's there is really an AI security industry. And I tend to agree with him. But for now, you know, if you're an investor especially, you're going to look at it kind of separately. Or if you're a CISO and you want to get into using automated solutions, then you would be very interested in this book and the 290 vendors in it. But eventually, you know, all vendors will adopt AI for their solutions.

SPEAKER_00:

Interesting.

SPEAKER_01:

There's some I feel sorry for that just launched and they worked on their, I won't mention names, but like there's a new vulnerability management solution that came out that you know just was doing better vulnerability management without any AI. And that's like not gonna work.

SPEAKER_00:

Yeah. Yeah. So what does that mean for investors, do you think?

SPEAKER_01:

Well, they they like the rest of AI, um, they seem extremely excited by it and are putting pretty big rounds into it, you know, 30 to 75 million dollars for a startup with an idea is it's pretty good. Um the big ones haven't happened yet. There's gonna be some massive investments, some valuations, and massive acquisitions. And one of the guarantee, one of the ones I'm I've talked to already, um, is going to be valued at a billion dollars before the game's over. And it doesn't hasn't taken in a penny of funding yet because it's already getting customers that are paying for the product. SOC Automation is the name of the game. Um, if you think of all the problems that the security teams have doing the daily triage, hoping of to get some alert that tells you that you're under attack, um, and it's buried in thousands, if not hundreds of thousands, of alerts. Uh you just don't have the people or the time to look at every alert and think about it. But uh with AI, you can't. You can you can get to 100% alert triage.

SPEAKER_00:

So investors are betting on AI.

unknown:

Yep.

SPEAKER_00:

All right.

SPEAKER_01:

Well anything that automates security processes. So that that flows over into vulnerability management, pen testing. There are more cybersecurity companies that do governance than do SOC automation. Governance was uh one of the early ones, but they won't have as much. Yeah, that they'll be providing value, no question. But this tantalizing concept that you can turn the tide in defensive security by deploying AI is just too big an opportunity to miss.

SPEAKER_00:

All right. Well, you've got a really good track record, and people can go back to all the podcasts that we've recorded, your track record, and making these predictions have been pretty good. And I know that your philosophy is that an analyst should say it, stick with it, die on that hill. And if his if if history proves you wrong, okay, whatever. But as it often has, history has proven you right. So I'm gonna take your word for it. Thanks, Richard. Well, it was good to talk to you again. And let's make these conversations a little bit more frequent. You've got my number, I've got your number. Any last words? You want to get something in IT Harvest-wise?

SPEAKER_01:

Yeah, you should definitely get my book. But more importantly, is think when you see the book, think about how the hell did he do that? He started it the week before Thanksgiving and he published it in the middle of January. How do you write a book that fast? And the answer is I've got all the data in front of me already. I just had to to pull it together into a book. Wow.

SPEAKER_00:

Yeah. Well, that's that's a pretty damn good demo of uh what what's going on at uh IT Harvest. So dang, you I saw what you did there. Hit two birds with one stone, double plugged. Yeah. All right, Richard. It was good talking to you. And uh let's catch up soon. Well then.