Security giants’ data platforms are not built for AI. What will happen to them?

Jan 29, 2026

Today’s security giants have all become data platforms: from the traditional SIEMs (Security Information and Event Management) like Splunk, to CSPMs (Cloud Security Posture Management) like Wiz, to network security companies like Palo Alto Networks and endpoint security companies like CrowdStrike.

They are deeply entrenched with enterprises, and seem nearly impossible to rip out.

But they were designed for human analysts, and often don’t do that job particularly well: many enterprises complain about paying millions to store security data they can barely use. 

Meanwhile, cybersecurity is in an escalating arms race of autonomy. Attackers are using AI agents to infiltrate systems at an unthinkable scale and pace. To counter, defenders are replacing slow, manual workflows with AI agents to triage alerts, hunt threats, and close vulnerabilities before they’re exploited.

Operating at agentic scale will push security data infrastructure to its breaking point. But these platforms aren’t easy to change. They are large, complex, mission-critical systems. 

So what will happen to these data giants? Their moats are strong for now, but we think AI security agents will be a Trojan horse for a dramatic platform shift.

Security data analysis: from humans to agents 

Security teams already struggle with their data platforms today. Data volumes and costs are ballooning; enterprises often see their security data volumes grow 30-40% yearly. And making use of that data is hard: analysts write queries across multiple complex systems and languages, wait minutes to hours for them to run, then wrangle results in spreadsheets. It’s hard to figure out what’s already happened, let alone develop proactive detections and defenses.

We already see this being transformed by AI. Security agents (like Theory portfolio companies Dropzone in security operations and Maze in vulnerability management) will have superhuman knowledge of every platform in their domain. They’ll know every query language and schema quirk. They can wrangle data like the best analyst, and reason about attack patterns like an expert security researcher. 

The result? Simple natural-language search and analysis; smarter, context-informed behavioral detections; and a rapid shift from a small number of human-led analyses to a massive amount of queries executed by AI agents. 

Should AI security agents sit on top of the existing data stack or build their own?

If you were building an AI security agent that queries massive volumes of data 24/7, should you sit on top of the existing data stack or build your own?

There are strong arguments on both sides:

Sitting on top of the existing stack (sometimes called a federated or overlay model) is compelling because it’s easy. Customers don’t need to worry about a migration. They can keep using their existing tools and analysts don’t need retraining. AI systems will be able to deliver value practically from day one. 

An objection to this model is often cost. If a company already spends millions on their core security data platforms, can they justify spending millions more on agents just to make that data useful? It can be a tough pitch for a CISO to make to their CFO, though AI’s ability to improve security posture and automate labor is undeniable.

Building your own integrated/consolidated stack is the best way to make AI systems work well. It’s easier for agents to make use of data with clean, consistent, and normalized schemas. You don’t need to worry about maintaining a suite of connectors and integrations. You can drive better cost and performance on a cheap, modern database like ClickHouse. And you can build more intelligent systems, like deciding how to ingest, transform, and retain data based on downstream AI agent needs.

But this approach comes with massive switching costs. For most enterprises, a security data migration is slow, expensive, and risky. For some, it is practically impossible due to regulatory requirements or legacy/on-prem infrastructure. Despite the benefits of an integrated platform, the prospect of a long, costly migration to realize them can be insurmountable. 

Incumbent data moats are strong, but won’t last forever

Despite the benefits of an integrated data stack for AI, high switching costs mean the security data giants are safe for now. But the way they could be unseated is clear.

AI-native entrants can enter as an overlay, integrating with existing data platforms and running analysis on top. It’s more work for the startup: they have to handle messy legacy data sources, maintain integrations, and demonstrate hard ROI (e.g. from time/labor savings). But it lets them provide value to customers instantly with minimal implementation risk. 

These AI products will abstract away underlying platforms as agents take over most data interactions. When their contract for an underlying data platform is up, customers will wonder if they really need the expensive legacy infrastructure, when the AI system on top of it can provide a cheaper, more performant option using raw logs, commodity storage, and open-source databases. 

This path will break the stranglehold of today’s security giants, and shift value from the data layer to the AI layer over time. It creates a generational opportunity to build massive, foundational new security companies that will rival today’s behemoths.

If you have thoughts on the evolution of security data platforms, I’d love to hear from you: at@theoryvc.com.
