Notes - Security For AI and Data Security Uprise (Pt.1)

Summary

  • With AI adoption finally moving into large-scale production this year, as anticipated in our PLTR update, it is now a more appropriate time to discuss the intersection of AI and cybersecurity.
  • AI-powered security products are likely to experience a smoother and earlier J-curve of adoption compared to security solutions designed to protect AI itself — though this hinges on the maturity of copilots and AI agents.
  • Within the "security for AI" theme, data security stands out as the most visible opportunity and the largest addressable market segment.
  • In Part 1 we outline the parallels between AI-powered security and security for AI on one side, and cloud-delivered security and security for cloud on the other, to help investors set expectations.
  • In Part 2 we shall take a deeper dive into arguably the largest area of AI-related security: data security, or DSPM.

Security for AI Remains in Its Infancy

What is the investment thesis for AI in cybersecurity? This is the pressing question for both public and private investors. For public markets, post-COVID tech returns have been largely driven by AI, while traditional SaaS models are waning amid budget constraints and the vulnerability of headcount-based pricing to AI-driven productivity gains. For venture capitalists (VCs), the situation is even more acute: as investment trends mirror business priorities, VCs are going all-in on AI, demanding an AI angle in every pitch. Yet, where does cybersecurity fit into this AI narrative? Betting on AI-enhanced cybersecurity with high confidence is challenging because the underlying AI stack remains unformalized and in constant flux. In contrast, other AI domains have clearer leaders:

  • For AI chips, NVIDIA (NVDA) dominates the Western market, alongside custom ASICs from Broadcom (AVGO), and smaller players like Alchip Technologies and Marvell (MRVL).
  • In vector databases, Pinecone holds a commanding lead.
  • Among foundation models, OpenAI continues to lead in the West, with Anthropic carving out a niche in coding, xAI focusing on truthful AI, and Meta potentially rebounding with its recent updates.

However, no single AI layer has reached the $100bn scale necessary to support a high-growth security product ecosystem dedicated to protecting that layer. At smaller scales, the total addressable market (TAM) simply isn't sufficient to spawn breakout cybersecurity startups. Investors may be jumping in prematurely, much like the multiple waves of cloud security investments from 2010 to 2020, which failed to produce runaway successes until Wiz emerged later. The math is straightforward: in 2010, the combined cloud IaaS and PaaS market was around $1 billion, surging to ~$60 billion by 2019 and $100 billion in 2020. In mature markets, security typically accounts for 5-10% of the underlying tech stack's budget. For emerging stacks, however, adoption lags as customers prioritize building over securing, often resulting in initial security spending below 1% of the total budget. Thus, cloud security TAM was a mere $10m in 2010, only hitting the $1bn threshold — critical for unicorn emergence — by 2020.

Over that decade, VCs backed several promising startups that achieved modest traction but ultimately ended in mid-sized acquisitions by incumbents, such as Dome9 by Check Point (CHKP) and RedLock by Palo Alto Networks (PANW). SaaS security has followed a similar pattern, remaining undersized even today. Segments like SaaS Security Posture Management (SSPM) are often subsumed into broader platforms offered by cybersecurity giants, while Cloud Access Security Brokers (CASBs) have seen waves of leaders acquired by incumbents — e.g., CloudLock by Cisco (CSCO) and Skyhigh by McAfee. That said, the latest CASB leader, Netskope, has sustained independent growth, suggesting CASBs may represent a more substantial opportunity within SaaS security than SSPM. Even so, CASB itself is mostly a network-based DLP for SaaS, which can easily be subsumed by the broader SASE platform. As a result, Netskope avoided the fate of its CASB peers by not remaining a CASB-focused startup and instead focusing on becoming a compounded platform startup.

Cloud-Delivered Security Playbook

To better understand the potential trajectory of AI-delivered security, it's useful to look back at how cloud-delivered security evolved over the past decade. Cloud-delivered security — security solutions built on the cloud rather than for the cloud — succeeded because it offered clear improvements over legacy on-premises tools: faster detection, broader visibility, and superior outcomes through aggregation and analytics. In the same way, AI-delivered security products promise to outperform traditional, static security tools by bringing faster analysis, automation, and decision-making into detection and response. This historical analogy helps ground expectations: just as cloud delivery enabled the success of vendors like CrowdStrike (CRWD), AI delivery could pave the way for the next generation of cybersecurity leaders. The following sections walk through how cloud delivery transformed security segments like endpoint, network, SIEM, and IAM — offering lessons for how AI delivery might follow a similar path.

Endpoint

Cloud-delivered endpoint security offers one of the clearest historical parallels for understanding how AI-delivered security might scale. Since 2010, cloud-based Endpoint Detection and Response (EDR) solutions have fundamentally reshaped how organizations protect devices. CRWD and SentinelOne (S) emerged as category leaders by moving away from static, on-device antivirus models to cloud-based platforms capable of aggregating vast telemetry, correlating attack patterns, and generating proactive indicators of compromise (IOCs).

These platforms succeeded where traditional signature-based AV failed because they delivered faster, smarter, and more adaptive protection — benefits AI-delivered security aims to replicate, albeit through AI models rather than cloud analytics alone. While legacy AV tools relied solely on hash matching to detect known threats, cloud-delivered EDR aggregated global endpoint data to identify emerging attack behaviors in near real-time. Similarly, AI-delivered security aims to augment or replace traditional tools with systems that continuously learn, adapt, and respond more autonomously.

Early EDR pioneers like Carbon Black achieved only modest success before being acquired by VMware (VMW), later subsumed under Broadcom (AVGO). However, CRWD and SentinelOne proved the model could succeed at scale, especially as complementary solutions rather than full rip-and-replace tools. This mirrors how AI-delivered security may first gain traction: augmenting existing security operations before gradually expanding into core, trusted platforms.

Network Security

The adoption of cloud-delivered network security has lagged significantly behind EDR solutions, primarily due to the complexities of transitioning from traditional on-prem infrastructure. Zscaler (ZS) pioneered the shift to Next-Generation Secure Web Gateway (NG-SWG), or cloud-delivered SWG, which focuses on website filtering and access control. Traditional SWG solutions, such as those offered by Blue Coat (acquired by Symantec, now part of Broadcom [AVGO]), rely on on-prem appliances positioned between employees and the internet to enforce access restrictions. In contrast, NG-SWG leverages cloud-based PoPs to enforce security policies, reducing latency for geographically dispersed employees and branch offices. By utilizing a multi-tenant architecture, cloud SWG providers like ZS can offer improved performance at a lower cost compared to traditional solutions, particularly for distributed organizations.

Despite its advantages, cloud SWG adoption was initially slow. ZS, for instance, struggled to scale its ARR to $100m in its first decade. The market remained niche until 2019, when Gartner introduced the SASE framework, which integrates cloud-powered Wide Area Networking (WAN) with cloud-delivered network security. The onset of the COVID-19 pandemic in 2020 acted as a catalyst, accelerating SASE adoption as remote work and distributed operations became the norm. This environment propelled growth for key players, including ZS, PANW, Netskope, Cato Networks, and, more recently, FTNT.

Importantly, SASE illustrates how delivery model shifts — from on-prem to cloud-native — can unlock new security architectures and business models. AI-delivered security is likely to follow a similar path: adoption will hinge on organizations embracing new architectural norms that enable AI-powered security to complement, rather than replace, existing controls.

While SASE adoption is still in its early stages — primarily concentrated among large U.S. multinational enterprises — the market remains far from saturated. Although the initial hype surrounding SASE has moderated, significant growth potential persists, particularly in mid-sized enterprises and non-U.S. markets. FTNT has emerged as a leader in driving SASE penetration, capitalizing on its robust portfolio and integrated platform. We believe FTNT’s strategic focus on SASE, combined with its scalable solutions, positions it for sustained growth over the coming years. The broader SASE market is poised for expansion, offering substantial opportunities for innovative players to capture share in this evolving landscape.

SIEM, SecOps and AI-powered Security

Cloud-delivered Security Information and Event Management (SIEM) and security log data lakehouses are gaining traction, with early adoption led by PANW and its XSIAM, alongside CRWD's LogScale and SentinelOne's Dataset. This shift is foundational for enabling AI-delivered security, as it provides the scalable, high-quality datasets necessary to power AI models for detection, response, and automation.

Traditional SIEM solutions, such as Splunk (SPLK), acquired by CSCO, rely on inefficient, unscalable on-prem hardware. To handle growing data storage and analytics demands, on-prem customers must invest in larger servers (i.e., scale-up) and pay substantial premiums to vendors. Consequently, SIEM has primarily served as a compliance tool for storing security logs, rather than enabling robust security outcomes. Customers face trade-offs on data retention and duration due to tightly coupled storage and compute, forcing security analysts to endure long wait times for complex queries. This limitation hinders the use of sophisticated machine learning (ML) algorithms critical for modern analytics. For deeper insights, explore our coverage on SNOW and SPLK/CSCO.
