The best investment returns in cybersecurity will come from startups tackling security for emerging technologies. New attack surfaces, such as those created by agentic AI, represent a 'blue sky problem' where a startup can build a category-defining company without facing incumbents.

Related Insights

When evaluating AI startups, don't just consider the current product landscape. Instead, visualize the future state of giants like OpenAI as multi-trillion-dollar companies. Their "sphere of influence" will be vast. The best opportunities are "second-order" companies operating in niches these giants are unlikely to touch.

The rapid evolution of AI makes reactive security obsolete. The new approach involves testing models in high-fidelity simulated environments to observe emergent behaviors from the outside. This allows mapping attack surfaces even without fully understanding the model's internal mechanics.

Unlike human attackers, AI can ingest a company's entire API surface to find and exploit combinations of access patterns that individual, siloed development teams would never notice. This makes it a powerful tool for discovering hidden security holes that arise from a lack of cross-team coordination.

The true economic revolution from AI won't come from legacy companies using it as an "add-on." Instead, it will emerge over the next 20 years from new startups whose entire organizational structure and business model are built from the ground up around AI.

The public narrative about AI-driven cyberattacks misses the real threat. According to Method Security's CEO, sophisticated adversaries aren't using off-the-shelf models like Claude. They are developing and deploying their own superior, untraceable AI models, making defense significantly more challenging than is commonly understood.

Anomaly detection, a core pillar of modern cybersecurity, fails when applied to AI agents. Agents lack a stable behavioral baseline, making it nearly impossible to distinguish between a harmless emergent behavior and a genuine threat. Securing them requires entirely new detection paradigms.

Don't overlook seemingly "boring" industries like cybersecurity or compliance. These sectors often have massive, non-negotiable budgets and fewer competitors than glamorous, consumer-facing markets. Solving complex, high-stakes problems for large companies is a direct path to significant revenue.

Generative AI's positive impact on cybersecurity spending stems from three distinct drivers: it massively expands the digital "surface area" needing protection (more code, more agents), it elevates the threat environment by empowering adversaries, and it introduces new data governance and regulatory challenges.

Security's focus shifted from physical (bodyguards) to digital (cybersecurity) with the internet. As AI agents become primary economic actors, security must undergo a similar fundamental reinvention. The core business value may be the same (like Blockbuster vs. Netflix), but the security architecture must be rebuilt from first principles.

Many engineers at large companies are cynical about AI's hype, hindering internal product development. This forces enterprises to seek external startups that can deliver functional AI solutions, creating an unprecedented opportunity for new ventures to win large customers.