As an investor who watches technology trends for a living, Paul offers his view on how to plan your vision and budget across three generations of AI-powered security operations.

I've spent the last few years in the trenches with AI-native security companies, CISOs at Fortune-scale enterprises, and the MDRs, MSSPs, and consultancies who support them. After meeting more than five hundred companies/founders I've come to the conclusion that 90% of the AI for SecOps you see marketed today will not survive enterprise requirements. Too many tools do one clever thing, while too few solve the larger problem in a way that fits the messy, federated, compliance-constrained, acquisition-prone reality of a global security organization.

Meanwhile, security leaders are being told by their boards, CEOs, and investors to "do AI," and to do it now. For the first time in my career, this is a disruptive, transformative technology that comes with budget. Why? Because if your company leverages AI better than your competitors do, you will emerge as the winner and your shareholders will be thrilled.

You need a strategy of how to use that budget. Here is my roadmap on how to best invest across what I see as three generations of AI-powered SecOps in a way that gets results, builds trust, and keeps yourself in the driver's seat.

Generation One: The Convenience of a Quick Fix

The first wave, what I call AI SecOps 1.0, arrived fast and loud. It looks modern: sleek copilots, LLM-assisted triage, "AI-powered" widgets, and a host of new features on existing tools that promise to take work out of the system. Under the covers, however, most of these products are just point agents. They optimize a single step of the security lifecycle but lack the back-end architecture needed to integrate across the estate or act on data from across the broader business context. In polite terms, they are clever automations. In honest terms, they are orphaned automations. This is not the place to put your AI budget.

I don't doubt the ingenuity of these tools, but I doubt their ability to scale. Enterprise security is a living system that sprawls across identities, endpoints, cloud control planes, network edges, SaaS applications, and hundreds of business processes that change weekly. Accelerating individual steps is likely to push the problem downstream, for example flooding investigation, threat hunting, and remediation teams that are already underwater. What looks like efficiency at the top becomes a backlog later, and then a credibility problem when the promised improvements in end-to-end metrics like time-to-contain or time-to-remediate do not arrive. I see those tools getting ripped out faster than I anticipated, which, frankly, is good news as it means security leaders are learning fast.

"I don't doubt the ingenuity of these tools, but I doubt their ability to scale."

Why did we end up here? The speed at which AI is evolving and the eagerness to apply it means that in this cycle there's been more money than experience. The capital to create new products and companies shows up before the architecture. Many founders come out of consumer AI experiences that don't scale for an enterprise SOC. Boards authorized budgets before CISOs had a reference architecture for what "good AI SecOps" looks like. And the attackers who themselves use AI are moving faster than hiring can offset. All of which tempts teams into tactical purchases. I understand the impulse; I reject the outcome and so should you.

Generation Two: An Integrated, Full Lifecycle, Platform That Continuously Learns

AI SecOps 2.0 is where the real work begins, and where the real value shows up. The difference is architectural and philosophical. Instead of scattering smart gadgets around the SOC and calling it transformation, 2.0 platforms start by building a context-rich security data lake: a single, clean, tagged, business-aware memory of the enterprise's security-relevant data and broader operations environment. 2.0 platforms run as reasoning systems, not opaque black boxes but white box workflows with documented decision logic and configurable human approvals. And they orchestrate multiple AI agents that collaborate across the entire incident lifecycle to observe and assign, investigate how the attack happened and where the weaknesses are, and remediate with speed and accountability.

"2.0 platforms run as reasoning systems, not opaque black boxes but white box workflows with documented decision logic and configurable human approvals."

I cannot overstate how important the SecOps data lake is. In a 2.0 architecture, analysts and agents work from a single source of SecOps truth, not twenty dashboards built from twenty silos of data. You normalize what matters, tag it in the context of the business, and create the conditions for consistent reasoning. That does three things immediately. First, it raises the floor on detection quality. Second, it reduces the need to hire deep specialists for every tool in the stack, because the platform becomes an abstraction layer over your existing investments. And third, it enables a feedback loop where humans review and AI learns what to do next time. You're not ripping and replacing; you're unifying and accelerating.

Equally important is the white box nature of decisioning in AI SecOps 2.0. The fastest way to erode trust in AI is to ask an enterprise to delegate judgment to a mystery – AI workflows and decisions must be documented with extreme detail. The fastest way to build trust is to show your work, with documented workflows, reasoning traces, audit trails for every action, and human-in-the-loop approvals that you tune over time. Once a SecOps team sees that the system understands its environment and behaves consistently, approvals become more permissive, autonomy increases, and the benefits compound. This is what I see today in the most effective deployments: managed autonomy that grows with evidence.

One trend I see is that MSSPs, MDRs, and consultancies are adopting this 2.0 approach faster than I initially expected and faster than general enterprise. This makes sense as they must deliver measurable outcomes at scale, which you cannot do with disconnected gadgets. This lead means that these companies can be partners in helping enterprises stand up their AI initiatives.

If I could offer one sentence of guidance to any CISO sorting through the noise, it would be this: invest in SecOps 2.0 now. You can skip 1.0 entirely; you cannot skip 2.0 and hope to arrive at the next generation ready to win.

Generation Three: Decision-Making Speed Powered By Your Private Security LLM

A shift from defense to offense

When the data is clean, the workflows transparent, and agents are working together across the lifecycle, something profound becomes possible: you can build what is effectively a private security LLM that knows your enterprise. This is a system that understands the idiosyncrasies of your identity system, the ways your developers actually deploy, the applications that run revenue, the ghosts left by acquisitions, and the attack paths unique to your topology. This is AI SecOps 3.0.

AI SecOps 3.0 is where we move decisively from defense to offense.

Think about the leverage. Every enterprise can buy the same foundation models; the differentiator is your data and how you operationalize it. In 3.0, your security LLM is trained on your context-rich data lake, continuously updated by your live environment. This enables it to operate your security program to accelerate detection, investigation, and remediation with institution-specific judgment. This also trains the general-purpose models you already license to perform better for your use cases. That's not just a security advantage -- it's a competitive advantage.

AI SecOps 3.0 is where we move decisively from defense to offense. Instead of waiting for attackers to point out your blind spots, it hunts for systemic weaknesses, simulates exploit paths, and remediates preemptively. If you've ever tried to integrate a newly acquired company's infrastructure and data under a conventional operating model, you'll appreciate what this means in practice: ingestion and hardening at a speed we simply haven't seen before. The risk calculus around M&A, market expansion, and regulatory entry shifts in your favor because the time-to-secure compresses.

There is also a broader societal dividend here. If we reduce the number of companies "held hostage" by AI-enabled attackers, for example if ransom incidents fall because the enterprise plays offense, how much time and capital do we release back into productive work? How much board time is not spent on emergency sessions? How many CEOs don't have to go on television to explain a breach and don't have their teams calling customers and talking with lawyers? I am not naïve about adversaries' ingenuity, but I am confident that remediation speed can outpace attack speed for organizations that commit to this path. I see the early indicators of this already, and I expect the inflection to be visible across the industry by late 2026–2027.

What I Tell Security Leaders

When a CEO says, "We need to do AI," that's not a strategy, that's a budget signal. It's your job to translate that mandate into a plan that reduces risk and increases operating leverage, and to do it in a way that builds trust rather than spends it. Here's how I advise leaders to think:

First, resist the gravitational pull of SecOps 1.0 (Tactical AI agents that automate tactical workflows). These point solutions are tempting because they feel safe with narrow scope, quick wins, and a great-looking demo, backed by enough marketing spending to make sure you see them. But in the enterprise, point solutions that don't integrate is just risk deferred. You will not be judged on the demo of the new tool, but on fewer incidents, faster containment, faster remediation, and less risk carried forward. The 1.0 pattern fails these tests too often, and when it does it drains credibility and time you can't afford to lose.

"When a CEO says, 'We need to do AI,' that's not a strategy, that's a budget signal."

Second, architect for SecOps 2.0 (Trusted AI agents integrated with your business systems & lifecycle, workflows, and company data). Start with your data. If you do nothing else this quarter, stand up the security data lake and put a governance wrapper around it. Make sure it can ingest from your existing tech stack, normalize signals, and tag them in business context. Then lay in the reasoning and workflow layer with transparent decisioning and human approvals. You'll immediately see improvements in analyst productivity and cross-tool coherence, and you'll break the myth that the only way to scale is to hire specialists for every product you own. If you hire, hire for platform thinking and for operators who can supervise AI, managing the work rather than performing all of it by hand.

Third, plan openly for SecOps 3.0 (An AI system of action with full context of your business). Your executive team needs a vision for two core pieces of infrastructure to support successful AI execution "We need to do two strategic things with AI: 1) we must support crazy-fast authorization (and associated frameworks) to support real-time usages, and 2) this speed will require a trusted, private, security LLM that is made from clean business data that's used in context of our fast business…think of this as building a private security LLM for our company." Explain that 2.0 is the foundation and 3.0 is target. Explain how you will measure and report risk remediation as a business metric that shareholders, auditors, and regulators can understand. The value of this direction is not merely fewer tickets and better dashboards but security that becomes an enabler of growth, not a tax on it.

Finally, choose your partners carefully. This shift is complex, and mistakes are costly in dollars, but in trust. Hold your vendors accountable to the architectural principles above: integrate with what you have, make decision making transparent, automate across the full lifecycle, and prove risk is systematically being removed while business results are improving. If you need help, seek out MDRs, MSSPs, and consultancies that have figured out how to make AI deliver practical outcomes.

The Endgame: Enterprise Security Managed by People, Done by AI

There's an analogy I like from another domain: chess. For a long time, it was generally accepted that a computer would never match a grandmaster's intuition. And then it did. We're repeating that story in SecOps. I see AI SecOps systems already operating at the 95th percentile compared with human security analysts. This is not because humans are expendable, but because pattern recognition at machine scale, coupled with consistent reasoning over clean contextual data, gives AI an unfair advantage. As the work shifts, however, the responsibility does not. AI will do more of the work. People will manage it and will continue to do the kinds of work only people can do—strategy, supervision, communication, and the critical but often overlooked building of trust. I believe companies that embrace this approach and division of labor—intentionally, transparently, and with guardrails—will be tomorrow's big winners.

---

Read the full ebook → Security for Winners: The Art of Using AI to Secure Your Company and Get Yourself Promoted