Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.



As many of my subscribers and fellow security professionals know, I’m a selective buyer of tools. In fact, I’ve written in the past that security has too many tools, and the increased funding to create more tools is actually doing the industry a disservice.

However, don’t get me wrong. Having more tools has made security much easier, but perhaps too easy. One of my major criticisms is that security teams treat tools as the solution to their problems, when tools only facilitate a solution that still has to be engineered. In the past, I’ve discussed how I think about build vs. buy, and how I don’t actually plan to keep most of the tools I buy. I’ve also been a huge advocate of security teams building more of their own tools, and I believe that AI is the catalyst that finally makes this possible.

The structural shift

This isn’t to say all security companies are doomed. Instead, innovation is changing which security tools are useful. People are underestimating how much the structure of work and organizations will change under AI, and that shift has to be laid out first, because it determines which tools provide value.

First, security organizations must accept that headcount will be limited going forward. We are seeing startups do much more with fewer people, and larger companies cutting staff in favor of increased AI usage. Companies are looking to cut the “zero-interest rate” bloat of the 2010s. Successful organizations will be those that reallocate resources from headcount to AI compute and agentic workflows. Whether that’s the most efficient use of money is still yet to be seen. I think the ideal state likely lies in moderation.

Second, simply adding AI into existing workflows, i.e., the “Copilot” approach, won’t be effective. The way security does “work” has to change. I am bearish on “AI SOC” companies that simply apply AI to the current broken assembly line. When machines were introduced to car manufacturing, it didn’t just speed up manual labor; it led to the invention of the assembly line, which fundamentally changed the role of the worker.

In security, this means we will see a rise in generalists who can solve high-level problems and integrate AI guardrails, while specialists will transition into training AI models or contract roles. Security will spend less time on manual operations and “paperwork” and more time on engineering fixed workflows with built-in security primitives. To succeed and move fast, security will need to hire more engineers rather than just tool administrators.

The “seat apocalypse”: usage-based vs. per-user

The traditional B2B software model is built on the “seat,” charging per user, per month. But AI has broken the correlation between the number of users and the value a tool delivers. We are entering what some call the Seat Apocalypse. Charging per seat punishes a customer for becoming efficient with AI.

I believe this will likely kill per-seat models in favor of usage-based or infrastructure-based pricing. For the vendor, this is actually better. It reduces sales overhead because it eliminates the seat-count negotiations and complicated margin calculations that the per-seat model created, and it aligns the cost of the tool with the actual compute or risk-mitigation value it provides. While some vendors offer “insurance-like” warranties, I’m skeptical; for now, these feel more like marketing ploys than fundamental shifts in risk transfer.

Why the old calculus is dead: From click-ops to code

Historically, the build vs. buy argument was about what was “strategic.” Since engineering resources were limited, building security tools was a non-starter. This led to tool sprawl and shelfware, because “buying” was perceived as cheaper than hiring developers.

But AI has demolished this barrier. AI agents and assistants have introduced a 5-10x multiplier in engineering output. Tasks that used to be buried in “click-ops” because they were too slow to code are now being automated at machine speed.

Take infrastructure deployment. It used to take forever to write Terraform, so people resorted to “click-ops” in the console, a practice that is insecure and impossible to audit at scale. Today, it’s easy to do this with code and AI assistants, although we still require human review on the most critical parts (the plan output and the diff, not the prompt) to catch hallucinated resources and settings. A multiplier of that size means security engineers can build custom internal tools without a backlogged engineering team.
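The “human review on the most critical parts” is itself something a security engineer can build with an assistant rather than buy. The following is an added example, not code from the original post: it reads the JSON form of a Terraform plan (`terraform show -json plan.out`) and returns the resource changes a human must approve before `apply`. The plan JSON layout and the attribute names are the real ones from Terraform and the AWS provider; the set of “stateful” resource types, the choice of which settings count as risky, and the embedded sample plan are assumptions constructed for this example.

```python
"""Gate AI-generated Terraform changes for human review (added example).

Reads `terraform show -json plan.out` output and lists every resource change
that a person must approve before apply. Everything else can be auto-applied.
"""
import json
import sys

# Assumption for this example: destroying one of these loses data.
STATEFUL_TYPES = {"aws_db_instance", "aws_s3_bucket", "aws_dynamodb_table", "aws_kms_key"}

# Real attributes of aws_s3_bucket_public_access_block; false opens the bucket up.
PUBLIC_ACCESS_ATTRS = (
    "block_public_acls", "block_public_policy",
    "ignore_public_acls", "restrict_public_buckets",
)


def _world_open_ingress(rule):
    """True if a security group rule (inline or aws_security_group_rule)
    allows ingress from any IPv4 or IPv6 address."""
    cidrs = list(rule.get("cidr_blocks") or []) + list(rule.get("ipv6_cidr_blocks") or [])
    # Inline ingress blocks carry no "type"; aws_security_group_rule does.
    return rule.get("type", "ingress") == "ingress" and any(
        c in ("0.0.0.0/0", "::/0") for c in cidrs)


def _iam_wildcards(policy_json):
    """Return the Sids of Allow statements granting every action on every resource."""
    try:
        doc = json.loads(policy_json)
    except (TypeError, ValueError):
        return []  # absent or not yet known at plan time
    stmts = doc.get("Statement", [])
    if isinstance(stmts, dict):
        stmts = [stmts]
    hits = []
    for s in stmts:
        if s.get("Effect") != "Allow":
            continue
        actions = s.get("Action", [])
        resources = s.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in actions and "*" in resources:
            hits.append(s.get("Sid", "<no Sid>"))
    return hits


def review_reasons(rc):
    """Reasons one entry of plan["resource_changes"] needs a human reviewer."""
    actions = rc["change"]["actions"]
    if "no-op" in actions:
        return []
    after = rc["change"].get("after") or {}  # None on delete
    rtype = rc["type"]
    reasons = []
    if "delete" in actions and rtype in STATEFUL_TYPES:
        reasons.append("destroys stateful resource")
    if rtype == "aws_s3_bucket_public_access_block":
        reasons += [f"{a} = false" for a in PUBLIC_ACCESS_ATTRS if after.get(a) is False]
    if rtype == "aws_security_group_rule" and _world_open_ingress(after):
        reasons.append(f"ingress open to the world on port {after.get('from_port')}")
    if rtype == "aws_security_group":
        for rule in after.get("ingress") or []:
            if _world_open_ingress(rule):
                reasons.append(f"ingress open to the world on port {rule.get('from_port')}")
    if rtype in ("aws_iam_policy", "aws_iam_role_policy"):
        for sid in _iam_wildcards(after.get("policy")):
            reasons.append(f"IAM statement {sid} allows * on *")
    return reasons


def needs_review(plan):
    """Map resource address -> reasons, for every change a human must approve."""
    flagged = {}
    for rc in plan.get("resource_changes", []):
        reasons = review_reasons(rc)
        if reasons:
            flagged[rc["address"]] = reasons
    return flagged


# Constructed sample plan, shaped like `terraform show -json` output.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_s3_bucket_public_access_block.logs", "type": "aws_s3_bucket_public_access_block",
         "change": {"actions": ["create"], "after": {
             "block_public_acls": False, "block_public_policy": True,
             "ignore_public_acls": True, "restrict_public_buckets": True}}},
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "change": {"actions": ["update"], "after": {"ingress": [
             {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]},
             {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}}},
        {"address": "aws_iam_policy.deploy", "type": "aws_iam_policy",
         "change": {"actions": ["create"], "after": {"policy": json.dumps({
             "Version": "2012-10-17",
             "Statement": [{"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"}]})}}},
        {"address": "aws_db_instance.main", "type": "aws_db_instance",
         "change": {"actions": ["delete"], "after": None}},
        {"address": "aws_instance.app", "type": "aws_instance",
         "change": {"actions": ["update"], "after": {"instance_type": "t3.small"}}},
    ],
}

if __name__ == "__main__":
    # Usage in CI: terraform show -json plan.out > plan.json && python gate.py plan.json
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    flagged = needs_review(plan)
    for address, reasons in flagged.items():
        print(f"REVIEW {address}: {'; '.join(reasons)}")
    sys.exit(1 if flagged else 0)  # non-zero blocks auto-apply until a human signs off
```

The gate flags rather than blocks: opening 443 to the world on a load balancer is often intended, so the point is to route exactly those changes to a person and let everything else flow. Values unknown until apply appear under `after_unknown` rather than `after`, so a string that cannot be parsed is treated as not-yet-known rather than as safe.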

Characteristics of a “buy” in 2026

So, what is actually worth buying? I believe security tools must now meet three specific characteristics to justify their place in a modern budget:

1. Autonomous operation and zero maintenance. A tool must run without human management. It should be “set and forget,” learning from your environment so it requires less input over time. If a tool requires a dedicated “administrator” or specialized certifications to operate, it has failed the efficiency test.

2. Outsourced specialized talent. The most attractive tools provide a “slice of talent” that isn’t strategic for you to hire full-time. For example, Formal provides a lightweight proxy platform that is a stable abstraction over infrastructure that regularly changes, something most companies shouldn’t build and manage themselves. It makes sense to treat these specialized teams as an outsourced function. I’ve discussed how AI might lead to these types of structural and organizational changes in the past.

3. Customizability and agent-readiness. The modern security tool must have robust APIs that allow it to be easily automated by AI agents or prompts. A tool that is hard to customize will be replaced by a custom agent that builds a better interface on top of its raw data.

In the short term, AI will likely widen the security poverty line. There will be a massive gap between the teams that understand how to orchestrate AI and the ones that don’t. Teams that can use agents to deploy infrastructure as code will move 10x faster than those still clicking through consoles.

However, as AI becomes more democratized, leading to easier access and creation of tools, this gap might eventually shrink. Security is moving into a new era where we aren’t just buying applications; we are buying specialized building blocks that allow our lean, engineering-focused teams to ship secure code at machine speed.

Conclusion: The return to building

The ultimate conclusion of this pivot is that security needs to build again. AI has raised the bar a security product must clear before a team should buy it. If a tool doesn’t provide substantial value on top of what an engineer can build with Claude or Codex, it won’t survive the next budget cycle.

Security is no longer a separate silo; it is being folded into the broader engineering organization. This means security leaders must justify their spend based on velocity and direct value. It’s a great time to be a problem solver who knows how to orchestrate talent rather than just click through a dashboard.

Frankly Speaking is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.
