Part 4 of a five part series on the cybersecurity industry.

AI Has Two Roles in Cyber. Stop Conflating Them.

I sat through three AI security pitches in one week earlier this year. Two of them used identical slides. Same Total Addressable Market ("TAM") chart, same competitive landscape, same buyer persona. One company was selling a Large Language Model ("LLM") firewall to protect customer facing chatbots. The other was selling an agentic Security Operations Center ("SOC") platform to replace human analysts. Same deck. Completely different markets, completely different buyers, completely different durability.

This is the conflation that is muddying every AI cyber conversation in 2026. There is AI being used to do security work. Autonomous SOC analysts, agentic pen testing, AI augmented detection. And there is security work aimed at AI itself. Runtime guardrails in front of LLMs, model scanning, shadow AI discovery, agent security. Both are real markets. Both are attracting serious funding. Agentic AI security startups have pulled in roughly $3.6 billion in venture capital and triggered $96 billion in M&A activity in the last 18 months (LinkedIn / CRN).

Two halves, one acronym

AI for security is the part most likely to displace existing line items in a Chief Information Security Officer ("CISO") budget. Security for AI is the part most likely to create entirely new line items in budgets that did not exist three years ago. Investors should care about both, but for different reasons.

Part 1: AI for security

Agentic AI SOC platforms

The most discussed category in cybersecurity right now is the agentic SOC. The idea is straightforward. An LLM powered set of autonomous agents ingests alerts from Endpoint Detection and Response ("EDR"), Security Information and Event Management ("SIEM"), cloud and email tools, then plans and executes investigations at Level 1 ("L1") and Level 2 ("L2") depth without human triage. The mature platforms claim a 60% to 95% reduction in analyst toil (D3 Security). Gartner places the category at the "Technology Trigger" phase with single digit market penetration, but the move from Proof of Concept ("POC") to production is happening faster than any major analyst expected.

The buyers fall into three groups. Mid market and enterprise SOCs drowning in alert volume. Managed Security Service Providers ("MSSPs") trying to scale without linear headcount growth. And lean security teams that simply cannot staff 24/7 coverage. Prophet Security, Dropzone AI, 7AI, D3 Morpheus, ReliaQuest GreyMatter and Google Security Operations all lead this category (Prophet Security, ReliaQuest). Dropzone AI is publicly priced from around $36,000 annually for 4,000 investigations (Dropzone AI). Israeli vendors include Radiant Security, Torq, which does hyperautomation with agentic AI, and Intezer, which markets itself as an autonomous SOC analyst (Tracxn).

For investors, this is the category most likely to produce a re platforming opportunity comparable to the move from on prem antivirus to cloud delivered EDR. The legacy SIEM market (Splunk, IBM QRadar, ArcSight) is structurally exposed.

Autonomous penetration testing and offensive AI agents

The offensive twin of the AI SOC. These are AI agents that plan and execute multi stage offensive operations against a target environment continuously, rather than in point in time engagements. Recon, exploitation, lateral movement. The category sits at the boundary of traditional pen testing, red teaming and Breach and Attack Simulation / Adversarial Exposure Validation ("BAS/AEV"). XBOW crossed a $1 billion valuation. RunSybil, founded by OpenAI's first security hire, raised $40 million from Khosla Ventures for autonomous pen testing (LinkedIn / CRN).

The buyers are application security teams, internal red teams and CISOs who want continuous offensive validation instead of an annual pen test report. XBOW, RunSybil and Pentera are the names that come up most. Israeli vendors include Pentera and XM Cyber, which is extending its attack path platform with agentic capabilities.

AI augmented detection, triage and threat hunting

This is the path of least resistance for most CISOs. The existing SIEM, Extended Detection and Response ("XDR") and EDR vendors are bolting agentic AI into their platforms. Splunk Enterprise Security now ships agentic AI for triage and malware reversal, and Microsoft Security Copilot, CrowdStrike Charlotte AI, SentinelOne Purple AI and Palo Alto's XSIAM agents all play here (Prophet Security). SentinelOne Purple AI is built by an Israeli founded company, and Israeli startups like Hunters and Dream are pushing similar capabilities.

The buying behavior here is different from the rest of the AI category. Buyers typically do not make a separate purchase. They activate the AI as part of an existing license. That is good news for the incumbents and bad news for the standalone disruptors trying to displace them.

AI native identity security for non human identities

Every AI agent an enterprise deploys is a new identity. Every service account, every machine to machine credential, every workflow token. Non Human Identities ("NHI") now vastly outnumber human users at most enterprises, and traditional Identity and Access Management ("IAM") was never designed for them. Oasis Security, founded by Danny Brickman and Amit Zimerman, has built a platform purpose built for this problem (LinkedIn / CRN).

IAM and platform teams at enterprises deploying AI agents at scale, especially in financial services, technology and Software as a Service ("SaaS"), are the buyers. The category is dominated by Israeli teams. Oasis Security, Astrix Security, Token Security, Apono and Entitle, acquired by BeyondTrust, all originated in Israel.

Part 2: Security for AI

This is the other half of the wave, and it is genuinely new. None of these categories had measurable revenue three years ago.

AI Security Posture Management (AI SPM)

The AI era analog of Cloud Security Posture Management ("CSPM"). AI Security Posture Management ("AI SPM") platforms give visibility and control over the three components of AI security that matter: the data used for training or inference, the integrity of the models themselves and access to deployed models (Palo Alto Networks). Palo Alto's Prisma AIRS extends this with model scanning, automated red teaming and runtime protection in a single platform (CybersecTools).

CISOs, AI governance officers and cloud platform teams at enterprises deploying Generative AI ("GenAI") in production are the buyers, particularly in regulated industries. Palo Alto Prisma AIRS, Wiz AI SPM, SentinelOne Singularity and HiddenLayer compete here. Israeli vendors include Wiz, SentinelOne Singularity, Aim Security and Pillar Security.

LLM firewalls, guardrails and AI gateways

This is the runtime protection that sits between users and AI applications, inspecting prompts and responses in real time to block prompt injection, jailbreaks, sensitive data leakage and toxic outputs. Some vendors add a retrieval firewall for the data pulled in via Retrieval Augmented Generation ("RAG") (Securiti). The category is increasingly framed as protection against the Open Web Application Security Project ("OWASP") Top 10 for LLMs and the National Institute of Standards and Technology ("NIST") adversarial Machine Learning ("ML") threat catalog.

Product and platform teams shipping customer facing GenAI features are the primary buyers, with the security team writing the second check for internal copilots. Lakera Guard, Akamai Firewall for AI, Securiti LLM Firewalls, PromptGuard, Protect AI, Straiker Defend AI and Cloudflare Firewall for AI are the common picks (Akamai, NeuralTrust). Israeli vendors include Prompt Security, Aim Security, Pillar Security and Lasso Security.

AI model scanning and supply chain security

The tooling that scans proprietary, open source and vendor models before they enter production. It looks for malware, deserialization attacks, backdoors, integrity issues and malicious scripts hidden in model weights. Outputs include an AI Bill of Materials ("AI BOM") and model lineage tracking (HiddenLayer).

ML platform teams, Application Security ("AppSec") teams and security architects at any organization pulling models from Hugging Face, vendor APIs or internal model registries are the buyers. HiddenLayer, Protect AI (Guardian) and Palo Alto AI Model Security lead the category. Israeli vendors include Apex Security and Deep Instinct, which applies deep learning model integrity to broader malware and AI workloads. Open source equivalents include ModelScan, Garak and the broader Machine Learning Security Operations ("MLSecOps") tool ecosystem (OpenSSF MLSecOps Whitepaper).

Automated AI red teaming

Continuous, automated adversarial testing of GenAI applications. Running thousands of prompt injection, jailbreak, data extraction and tool abuse attempts to find vulnerabilities before attackers do. This is distinct from human led AI red team services in the offensive market. HiddenLayer frames automated red teaming as one of four foundational pillars of AI security, alongside discovery, supply chain and runtime (HiddenLayer).

Foundation model labs, enterprises deploying customer facing AI and governance teams that need pre deployment assurance are the buyers. HiddenLayer, Straiker Ascend AI, Lakera, Protect AI, Mindgard and Promptfoo are the major names (Straiker). Israeli vendors include Aim Security, Apex Security and Pillar Security.

Shadow AI discovery and governance

The category that identifies which AI services employees are actually using, sanctioned or not, tracks what sensitive data is entering them and provides governance controls like blocking, redacting and alerting. More than 90% of employees reportedly use personal AI tools at work, which is why this is now a category every large enterprise has to address (CodeBrewTools).

CISOs, data governance teams and IT leadership at any enterprise where employees have access to ChatGPT, Claude, Gemini or Copilot are the buyers. Knostic, Lasso Security, Netskope, LayerX, Island, Zluri and Prisma Access lead the space. Israel is unusually well represented. Knostic, Lasso Security, LayerX Security, Island and Talon Cyber Security, acquired by Palo Alto, all originated in Israel (Netwrix).

Agent security and runtime guardrails for agentic apps

A purpose built layer for securing autonomous AI agents. Protecting against indirect prompt injection (where attacker content reaches the agent via tools or documents), validating tool calls before execution, monitoring agent behavior for anomalies and applying real time guardrails (PromptGuard, Straiker). This is rapidly becoming its own subcategory as enterprises move from chatbots to multi step agentic workflows.

Engineering and security teams at companies deploying production agents are the buyers. Customer support automations, sales agents, internal copilots and developer facing agents all create demand. Kai recently emerged from stealth with a $125 million round led by Evolution Equity Partners. Noma Security, Straiker Defend AI, Galileo, PromptGuard and Lasso Security are also notable players. Israeli vendors include Noma Security, Lasso Security, Pillar Security, Aim Security and Trustmi, which sells agent driven payment fraud defense (RegTech Analyst).

MLSecOps and secure ML pipelines

Embedding security into every stage of the machine learning lifecycle. Secure data management, model security (adversarial training, model signing), infrastructure and Application Programming Interface ("API") protection, continuous monitoring for drift and governance. The category borrows open source frameworks like Supply chain Levels for Software Artifacts ("SLSA"), Sigstore and Open Source Security Foundation ("OpenSSF") Scorecard, adapted for AI / ML pipelines (OpenSSF).

ML platform teams, Machine Learning Operations ("MLOps") engineers and security architects building production ML systems are the buyers, especially in financial services, healthcare and tech where model integrity has regulatory implications. Tooling spans Databricks, Protect AI Guardian, HiddenLayer, plus open source ModelScan, Garak and Adversarial Robustness Toolbox. Israeli vendors include Deep Instinct, Aporia, which sells ML observability and guardrails, and Granica, which sells data security for AI training pipelines.

Our view: where the hype runs ahead of the revenue, and where it does not

A few honest observations for anyone building a thesis on this wave.

The agentic SOC category has real revenue and real customer retention. Several of the leaders are publishing renewal cohorts that look healthier than the average application layer Software as a Service ("SaaS") company at the same stage. The displacement story against legacy SIEM is plausible enough that incumbents are pricing acquisitions accordingly. This is the most defensible AI cyber category in 2026.

The LLM firewall and guardrail category has more vendors than is sustainable. Expect heavy consolidation in 2026 and 2027. The winners will be the ones that get baked into the cloud platform contracts (AWS Bedrock guardrails, Azure AI Content Safety, Google Cloud Model Armor) rather than the standalone tools sold to security teams.

Agent security is the most genuinely new category and the one with the longest runway. It is also the one where the buyer is least settled. Sometimes it is the AI platform lead, sometimes the CISO, sometimes the head of engineering. Sales cycles are slow because the buyer is figuring out their own org chart.

The category to be most skeptical of in 2026 is anything labeled "AI SPM" that does not have a clear point of view on either data, models or access. The acronym has gotten ahead of the substance, and the consolidation pressure will be brutal.

The most underappreciated category is non human identity. It is structurally analogous to what Okta did for human identity twenty years ago. The leaders here will look obvious in retrospect, and a disproportionate share of them are Israeli founded.

Final Thoughts

If you take only one thing from this post, take this. AI for security and security for AI are not the same market. They have different buyers, different sales cycles, different durability and different competitive dynamics. The investors who do well in the AI cyber wave will be the ones who do not buy the same deck twice.