How cybersecurity budgets will evolve in the AI world
More deliberate spending
Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.

Sorry for the brief hiatus! I went on vacation and had to handle some busyness at work. But the extra time away gave me space to step back and think. For the past few weeks, I’ve been writing about various markets and categories that I believe are completely misunderstood by legacy security research firms who haven't caught up to the realities of AI.
While evaluating specific tech blocks like product security is useful, I realized I missed the macro picture: the cybersecurity budget itself.
Markets are created through spending, and spending flows entirely from how budgets are allocated. If we don’t understand how the security dollar is morphing, we can’t accurately predict which startups are going to win.
I’ve talked in the past about how cybersecurity is facing an efficiency reckoning. The industry was neglected pre-2010s, which led to a historic wave of high-profile hacks. The reaction was a decade of blank checks. Security teams got used to spending without justification, hiding behind fear, uncertainty, and doubt (FUD) to balloon their headcount. In my new year’s predictions over the last couple of years, I’ve consistently argued that this era is over. Security is finally being forced to justify its existence as a business function, and AI is acting as the ultimate catalyst for that pressure.
The target market: AI-forward vs. legacy
Security has always had a spectrum of markets tailored to different types of organizations with different appetites for risk. I’m not going to focus on legacy companies here. They will evolve slowly, their budgets will remain tied to legacy infrastructure, and they aren’t where market-defining shifts happen. This is exactly like the early days of the cloud; cloud security budgets didn’t come from old-school enterprises dragging their feet. They came from the companies rapidly building on SaaS and AWS.
My focus is on AI-forward companies, i.e., the ones where the vast majority of new code is AI-generated, and the companies aggressively trying to catch up to them.
Right now, broad enterprise AI adoption is still relatively slow. But when it accelerates, it will happen much faster than the cloud transition did. Moving to the cloud required massive, multi-year architectural and infrastructure overhauls. Moving to AI is operationally trivial by comparison; you open an API or a chatbot and start interacting with it. As autonomous agents improve, the friction to adopt drops to near zero.
When an organization pivots to this level of velocity, its security budget undergoes a structural transformation across three main buckets: governance, headcount, and tooling.
Governance and compliance (The automated baseline)
We aren’t escaping the need for governance. Customers still demand proof of compliance, and navigating audits like SOC2 or ISO requires real operational work.
Depending on your customer volume and how consistent your compliance needs are, this will either live in-house or get outsourced. Historically, compliance scaling was linear: more headcount meant more systems, which meant more auditors and more internal program managers to babysit them.
In an AI-forward shop, team size stays small, meaning internal compliance friction scales much slower. My best estimate for the total cost of this bucket is roughly 3-4x the hard cost of the audit itself to account for tooling and baseline operational support. It’s a mandatory cost, but it’s no longer a headcount driver. It’s an optimized baseline.
The elite engineering premium and the post-ZIRP reality
The real structural shift happens in headcount. The traditional security organization is top-heavy, filled with specialized analysts whose primary job is manually triaging alerts or running internal processes.
In our current post-ZIRP world, we finally have to talk about the hidden cost of those large teams: management overhead and organizational bureaucracy. In the zero-interest-rate environment, companies didn’t care about throwing managers at broken processes. Today, every layer of human management requires justification. If you look at the recent layoffs in tech, they are flattening orgs back to pre-2010s-era structures.
In an AI-forward org, that model completely flips. The absolute magnitude of your security team shrinks dramatically because you no longer build vast, bureaucratic empires. Instead, your engineering ratios tighten to about 1 security engineer for every 30 developers. That number sounds crazy on paper, but it works because the overall team size is small; in absolute terms, the security team will look tiny.
You aren’t hiring junior analysts to look at dashboards. You are hiring an elite tier of versatile security generalists, specifically software engineers who know how to automate defense. They will command a massive premium over traditional developers because they know how to scale themselves using autonomous agents.
We are currently in a massive state of transition. We are going to see real wage compression for commodity security roles, but the top-tier engineers who can design autonomous systems will be highly sought after. They don’t require armies of program managers or layers of executive bureaucracy to tell them what to do. They build the automated enforcement loops that auto-remediate infrastructure as developers deploy code at machine speed. When security work is slow, they jump into product and infrastructure code. They focus entirely on outcomes, swapping administrative waste for highly leveraged engineering.
Tooling: one-shot context over SaaS markups
Because headcount is shrinking, the remaining budget is flowing directly into AI tooling and model compute. But the mechanics of how we pay for this are changing fast.
Much like the early database and cloud markets, raw model compute is rapidly becoming a commoditized utility like AWS. As the market becomes hyper-competitive, model costs are going to plummet. Sophisticated buyers are already waking up to this reality and demanding Bring Your Own Key (BYOK) support in their security software. They want to avoid paying massive SaaS markups to tier-3 startups that are just passing model costs down with an arbitrary premium.
This brings us to a critical inflection point for vendors: If raw model access is cheap and commoditized, what is the actual value of a security product?
The value is expert context.
Right now, a lot of tools are just glorified chat interfaces. They require a user to have a continuous back-and-forth conversation with an AI to get a task done. That is not a product; that is a chore.
Good context means providing the LLM with the exact prompt infrastructure, code history, and environmental metadata it needs to operate autonomously. A winning product allows the AI to execute in a one-shot manner. It should see an infrastructure change, ingest the exact context required, make the correct security decision, and execute the fix without human intervention.
Specialized vendors will be rewarded not for their access to AI models, but for their ability to deliver these clean, highly optimized context layers. They will replace legacy application security platforms by removing the need for janky professional services, complex internal workarounds, and manual prompt-engineering. They will sell an out-of-the-box product experience that is easy to tailor to a company’s specific codebase.
There will still be things that remain cheaper for a human to do than a model. The economics of what tasks to hand over to an agent are still sorting themselves out, and you will still have a fixed baseline spend for foundational infrastructure primitives like Cloudflare or AWS that manage physical data distribution.
The new market reality
When you roll all of this together, the picture becomes clear: the cybersecurity budget of the future is shifting away from human management overhead and janky middleware, moving straight toward highly compensated generalists and autonomous, context-rich software.
Organizations will be completely flat. For security vendors, the legacy GTM playbook is officially an artifact of the ZIRP era. If your product relies on adding more tasks to a dashboard or requires a massive team of human analysts to justify its value, your budget slice is actively being reallocated. The future belongs to the platforms that enable elite generalists to run autonomous, one-shot defense at the speed of code.