Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
RSA was quite a conference this year. Honestly, I’m exhausted even though I didn’t spend much time on the actual show floor. It didn’t help that San Francisco is “back.” But I loved how high the energy was and how people were eager to lean into the good vibes and catch up in person.
Of course, the happy hours were filled with talk about Delve’s fake compliance reports. But I don’t think that news deserves its own blog post. While it makes for juicy gossip, it’s ultimately uninteresting. There’s no reason to waste breath on a startup trying to cheat on reports that aren’t even that hard to create honestly in the first place.
Instead, I want to talk about the deeper conversations I had regarding the thoughts in my previous newsletter.
The most fascinating part of these conversations wasn’t people’s general opinions on AI, but how nuanced those opinions were based on how “AI-native” their specific organization was. I dug deeper and found that AI-native companies are structured differently across the entire organization, not just security. It’s no surprise that a giant like Meta is undergoing a massive reorganization. When AI changes the fundamental way work is performed, the old structures and management assumptions simply stop working.
The spectrum of evolution
Different companies evolve at different rates technologically. I’m not here to argue that every company should evolve faster, but rather to state a fact: companies now exist on a wildly diverse spectrum of AI literacy.
We’ve seen this movie before. When the cloud arrived, it ushered in faster release cycles and the emergence of DevOps. Security was left behind because it treated infrastructure like legacy IT, while the rest of the org treated it like engineering. That disconnect created a vacuum filled by companies like Semgrep and Snyk. But when those companies first arrived, they weren’t in the Gartner Magic Quadrant. They weren’t considered “real players” by the traditional research firms because they didn’t fit the existing checkboxes.
The Gartner paradox
I have strong beliefs that Gartner lacks a true practitioner’s view — a view required to navigate today’s nuance. However, I’ll also defend them for a moment: they have an impossibly difficult job.
In the “old world,” most companies had similar setups: on-prem servers, waterfall development, and Active Directory. It was easy to categorize products because the environments were homogeneous. Today, companies have wildly different stacks. Some are hybrid, some are all-Mac, some are pure-cloud.
AI has made this heterogeneity explosive. I know companies where 95-100% of the code is written with AI, and others where it’s less than 10%. How do you create a “security category” that encompasses that divide? You can’t. Any report that tries to average those two extremes ends up being useless to both.
As someone deep in the AI space, I don’t know a single person who still reads Gartner and trusts the results for modern stacks. It doesn’t mean they aren’t useful for legacy environments, but Gartner has to make assumptions about what a “typical” company needs to determine if a product is “good.” In 2026, those assumptions are broken.
Consider Privileged Access Management (PAM). This category has been well-defined for years by companies like CyberArk. But those tools make zero sense if you don’t use Active Directory, live in the cloud, and give your engineers local admin rights on their Macs. Let’s not forget that CyberArk started by selling a physical appliance.
In AI, things move even faster. The use of AI evolves so quickly that it shocks even me. I can’t imagine how fast it feels to people who don’t operate in it every day. You can’t do a few interviews, talk to some practitioners, and push a research report six months later. By the time the PDF is published, the category has already shifted.
The practitioner’s pivot and what I’m going to do about it
I’ve become disillusioned with traditional “research.” I prefer to talk about products and contextualize them for the environments they actually serve. That’s why I started this newsletter: to provide a direct, nuanced view that research firms can’t offer.
I believe former practitioners, like Mike Privette with Return on Security, provide a much better ROI than the big analyst firms. Especially with AI, where fear and uncertainty are rampant, having a “live” view of categories is more important than ever.
What I realized at RSA is that I need to use this platform to define the categories that research firms are missing. I plan to discuss AI-native categories in real-time. Staying at the forefront will help companies catch up and evolve without scrambling to adapt an outdated report to a modern organization.
This is a mini-announcement: I will be writing more posts that define and analyze these emerging categories. I’m looking for categories that wouldn’t even exist without AI — tools that are designed for the AI side of the spectrum of heterogeneity. It’s a space and position I feel comfortable discussing. I’m also doing this without paywalls!
The first category I’m diving into is AI-enabled product security. As many of you who follow my newsletter may know, I was trained as a software engineer and have always been somewhat fascinated by the role of application and product security. When LLMs came out, I did see that there was a clear disruption in this space.
At the end of that post, I wrote that I don’t know what a good AI-enabled appsec company will look like, but I’m amazed to see this emerging category of companies applying AI to threat modeling and security reviews. It’s clear that there needs to be disruption, and the current set of mature companies might not take us into the next phase. I haven’t formed an opinion on whether this will be the right next-gen, but it’s certainly clear that a set of companies is defining a new security category meant for AI-native companies.
I’m talking about companies like Clearly AI, Clover Security, DevArmor, and Prime Security. These teams are using AI to assist with application security, threat modeling, and security reviews. It’s a fascinating category because its effectiveness depends entirely on the engineering culture and environment it’s dropped into.
I’m still working on the exact naming and boundaries of this category. If you’re at one of these companies, reach out. Send me a demo video. I’m going to go through the marketing materials and sites to develop a practitioner’s perspective on this space.
We need more practitioners helping to figure out these emerging categories. Gartner and the legacy firms are no longer enough. To stay ahead of the trend, we have to build the map as we move, rather than waiting for a research report to tell us where we’ve already been.