How large cybersecurity companies fail
Losing relevancy in the new technological era
Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.

I’ve written in the past about how many cybersecurity companies like Wiz, Cloudflare, Zscaler, and Palo Alto Networks might fail. It’s been a while since I wrote one of these, and people have been telling me to write a refreshed version, given the advancements in AI and my new opinions on its role in the industry.
For those who don’t know, I’m extremely bullish on AI. I’ve seen it have a tremendous impact if used correctly, i.e., a multiplying factor of 5-10x. I know many security people are skeptical, but I believe this shift is similar to the cloud transition and will likely lead to the downfall of many legacy security companies and teams. More time should be spent figuring out how to use AI effectively rather than squeezing out marginal gains through bureaucracy.
The stagnation trap and the panic of the incumbents
The recent wave of acquisitions, e.g., Google buying Wiz, Cisco buying Axonius, feels like an attempt by cash-rich companies to stay relevant. Unfortunately, I don’t believe these are the “right” acquisitions; they are often expansions into shrinking or stagnant markets like legacy OT security. While I appreciate Palo Alto Networks’ focus on acquiring AI talent with the acquisitions of Protect AI and Chronosphere, there is a fundamental supply issue: AI security startups are too early, “AI for security” startups are still too rare, and AI talent in security is quite limited. However, security companies, especially the ones primarily focused on IT-driven organizations, are desperate to stay relevant in the AI era that has been dominated by developers and machine learning experts.
The real reason security companies are exiting is that the market is too competitive and over-focused on GTM (Go-To-Market) rather than innovation. This is a tough market to be in because it requires substantial capital, especially in a market where capital use has become more efficient with AI companies. This is also a signal of companies being concerned about stagnation.
How do they fail? They fail to adapt to the new technological reality. They focus on existing markets that will slowly shrink, while new players go after the fast-growing AI-first companies. These AI-native organizations will no longer want to use "legacy" security products, similar to how CrowdStrike replaced Symantec and Zscaler replaced Cisco.
The shift from gatekeepers to builders
The most profound shift AI brings to security is the democratization of code. Traditionally, security didn’t write code; we identified risks and threw them over the fence for engineering to fix. This “gatekeeper” model is dying. With AI, security can now handle its own fixes and build custom internal tools without constant engineering support.
Before, “ownership” of code was a major barrier. Security was afraid to touch production code because they lacked context. Now, AI makes it easy to ramp up on unfamiliar codebases, generate a secure patch, and maintain it. This 10x multiplier in output means that the traditional “department of fifty” is being replaced by lean, highly technical teams. When a security team can build its own automated remediation agents, the value of a bloated, per-seat license for a legacy security product collapses. If an AI agent doesn’t need a dashboard or a seat license, how do these companies maintain their multiples?
The rise of the AI-native challenger
While legacy vendors try to bolt AI onto static architectures, a “new guard” is emerging. Companies like Formal and DryRun Security are winning because they aren’t just “using AI” — they are AI-native.
(Disclaimer: I’m currently piloting Formal and have known the team for a while. I haven’t tried out DryRun Security. I’m sure there are many more, but I’m just using these two as an example because I’m somewhat more familiar with the product and the way they sell. If you also fall into this category, feel free to reach out!)
Formal provides a lightweight, highly customizable abstraction for infrastructure that is constantly changing. In the “vibe coding” era, where developers ship at machine speed, Formal offers a stable baseline that moves as fast as the code. Similarly, DryRun Security is building SAST (Static Application Security Testing) that actually works in an agentic world. They aren’t just scanning code; they are providing substantial value that a security team couldn’t just build themselves using a raw LLM.
These AI platforms have raised the bar. To sell a product in 2026, you must provide more utility than what a technical leader can prompt Claude Code or Codex to build in an afternoon.
The death of the segmented budget
One of the most significant structural changes is the death of the protected “security budget.” Security is no longer a separate silo; it is being folded into the broader engineering organization. This means security leaders must justify their spend like any other engineering manager based on output, velocity, and direct value.
In this world, the budget is a mix of compute for AI tools and a few highly skilled engineers. Segmented budgets allowed CISOs to buy “random tools” that didn’t provide direct value but checked a compliance box. That era is over. If a tool can be easily built in-house or doesn’t provide a clear 10x improvement over the “free” tools provided by AI platforms, it won’t get funded. The CISO will likely become a division of engineering where risk management is integrated into the stack, like infrastructure or DevOps. Engineering-focused and technical security hires will be highly sought after.
The competitive unbundling
We saw this with the cloud: Wiz and Cloudflare were successful because they were easier to deploy in cloud environments than their legacy counterparts. The same will happen with AI. New players will enter and not engage in the existing, competitive markets. Instead, they will go after the fast-growing AI-native market.
Legacy vendors will become irrelevant unless they can drastically change themselves to adapt to faster development cycles in which AI agents write most of the code. Organizations will change structurally, and companies will do more with fewer people. Enforcing policies will be easier with agents and AI, but the surface area for those policies will be massive. If a security product requires a long sales cycle or manual configuration that can’t be handled through an API, the new AI-native companies simply won’t work with it.
As a result, these vendors will miss out on the new and fast-growing market and be forced to compete in stagnant ones, meeting the fate of “legacy” security businesses such as Symantec, Proofpoint, and Palo Alto Networks’ firewall business: kept primarily for their cash flow, with no additional investment in the product or the longevity of the business.
Closing thoughts
I don’t know exactly how this will look in its final state. AI usage is evolving faster than our ability to categorize it. However, the theme is clear: the “blank check” for security is bouncing.
Adrian Ludwig recently described the future CISO as a “Chief Electrician,” someone who ensures the infrastructure is safe so that the rest of the world can just work. But as I’ve argued, an electrician only fixes wiring; a technical security leader writes the code that makes the wiring self-healing.
The companies that fail will be the ones that stayed focused on being “tool babysitters.” They will hold on to their legacy market share until they realize that the market itself has moved under them.