How AI will reshape the security market
What companies will do well and what companies won't
Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
I’ve written before about how security will change in an AI-first world — but I haven’t yet talked about how this shift will affect the security market. Specifically, which companies will thrive in an AI-driven landscape, and which will struggle to adapt?
Who Wins in the Age of AI?
Broadly, there are two types of companies that will benefit from the rise of AI:
Companies positioned to meet new or intensified needs AI creates
Companies that can successfully adopt and integrate AI into their own offerings
The first group wins by default; the second group wins by execution. There’s overlap between them, but it’s useful to consider them separately. Specifically, the first group can also expand its lead by using AI.
Let’s start with the first group—those poised to benefit from AI’s downstream consequences. While AI is creating many disruptions, I believe the two biggest trends are:
A dramatic increase in developer and operational efficiency
The rise of AI-native applications and systems
While there’s a growing market for “AI security” as its own category, I’ve previously argued that most of this functionality will get absorbed by existing security categories. To keep this post simple, I’ll assume that standalone “AI security” companies won’t define a major new category. Instead, the incumbents who evolve will take that share.
1. Application Security
One of the clearest changes we’re already seeing is “vibe coding” — a few engineers shipping software at the pace of much larger teams. This hyper-productivity is impressive, but it comes with predictable tradeoffs: more code, written faster, often with less review or oversight. That means more bugs, more security holes, and more need for automated safeguards.
A recent study from OX Security on Cursor’s code output reinforced this point. The takeaway? Application security is about to boom.
Semgrep is well-positioned here with its strong SAST product and developer-first integration. With more code being written in-house, static analysis tools that fit into the developer workflow will become even more critical. Companies like Snyk, which is more focused on SCA, will also benefit from increased dependency usage, but Semgrep’s frictionless remediation—now accelerated with AI—gives it an edge.
Bottom line: developer velocity is going up. Guardrails have to scale with it.
2. Infrastructure Security
AI may be collapsing the “middle layer” of engineers. Junior engineers will likely be more productive thanks to AI copilots, while senior engineers will focus on high-level systems architecture. This bifurcation will accelerate infrastructure changes and increase the risk of misconfiguration or architectural drift.
As Gokul Rajaram has pointed out, engineering organizations are evolving rapidly in response. That means more infrastructure churn, less human oversight, and a stronger need for visibility.
Combine that with AI-native operating models like MCP (Model Context Protocol), where AI agents request access to systems autonomously, and you’ve got a new class of runtime and observability problems. Monitoring these systems isn’t just operational— it’s security-critical.
3. Data Security
Data is the fuel for AI. As more AI applications ingest, process, and act on data, the stakes of data security increase.
Fortunately, AI also improves contextual understanding, which means better detection of sensitive data and fewer false positives. But this isn’t enough on its own. With AI-native architectures, data flows more widely and dynamically, especially if you’re giving MCPs access to it.
That makes data inventory, lineage, and access controls more important than ever. The companies that win here will be the ones that can map, classify, and protect data in real time as it moves through increasingly complex systems.
What About the Traditional Categories?
Categories like endpoint security, email security, MDR, and IAM aren’t going anywhere. They’ll remain essential even in an AI-first world. Every company will still have endpoints and email. Users will still need access controls. Security teams will still need to detect and respond to threats—though now those threats will be faster, more automated, and harder to spot.
These companies stand to benefit from better AI integration. Tools like CrowdStrike, Tanium, and Okta already have operational hooks that make them indispensable. As AI shrinks team sizes, leaner organizations will need more autonomous IT and security management. That’s exactly what these platforms are evolving toward. In fact, Tanium is already marketing this shift explicitly.
Okta, meanwhile, has a clear path to boost access efficiency with AI, helping teams automate away the repetitive parts of identity and governance workflows.
Who Doesn’t Make It in an AI-First World?
The list of security markets that will completely disappear is surprisingly short. Most won’t vanish—they’ll transform. But companies that fail to evolve with the times will be left behind, just as they were in past platform shifts.
Take application security, for example. The shift to agile development and continuous delivery left a generation of AppSec vendors behind. Companies like Snyk and Semgrep thrived because they were built for speed and developer-first workflows. The same pattern is repeating now. As “vibe coding” becomes mainstream, AppSec vendors will need to evolve fast.
In this new environment, it’s not enough to just use AI. AppSec tools need to become the AI-powered application security engineer. They’ll need to proactively surface and remediate issues in near real time, integrate tightly with developer tools, and keep up with the velocity of AI-assisted teams. If today’s incumbents don’t build that, someone else will—and they’ll be perfectly timed to capture the market’s next efficiency wave.
Another group at risk: IT and security automation platforms like Tines and Tray.ai. These tools emerged to help non-developers build and automate workflows without writing code. But in an AI-driven world, the need for traditional no-code logic-building decreases. Why build a brittle drag-and-drop workflow when you can describe the intent and let an AI do it?
Tray.ai seems to understand this shift — they’re pivoting toward helping IT and security teams leverage AI directly, which is smart. But their core identity is still centered on automation. Unless they fully reposition as AI-native platforms, they risk being outpaced by in-house AI tooling or superseded by MCP-style capabilities from OpenAI, Anthropic, and others.
Tines, on the other hand, remains focused on traditional automation. If they can’t shift from “workflow builder” to “autonomous operator,” their relevance may fade as AI increasingly handles routine IT and security tasks without human-constructed logic trees.
Finally, there’s the long tail of “simple” SaaS security tools—tools built with the assumption that security teams aren’t developers, offering UI-heavy, low-config solutions to handle basic tasks. These tools were helpful in a slower, more manual era, but they’re quickly becoming obsolete.
These are also the kinds of tools that workflow platforms like Tines have aimed to eliminate—and AI will accelerate that trend. With better coding copilots and smarter internal tools, it will be easier than ever to recreate these point solutions with minimal effort. Anything that only does basic data analysis, metric tracking, or alert routing is at risk of being either automated away or rolled into broader platforms.
With that said, new security tools will likely require a lot more technical and product depth to differentiate them from these general platforms with MCPs and other autonomous capabilities that can facilitate building a lot of basic tools.
The bottom line: AI won’t eliminate security markets—it will reshape them. The biggest winners will be the companies that align with new needs and move fast to integrate AI into their DNA. AppSec, infrastructure, and data security are poised to grow, while legacy automation tools and simple point solutions risk fading into irrelevance. In a world where smaller teams move faster, security products will need to be smarter, more autonomous, and deeply embedded in workflows—or risk getting left behind.