Few people know the cybersecurity landscape as intimately as Richard Stiennon: Under his watch, the industry has exploded from 467 vendors in 2003 to more than 4,000 today. Richard began tracking cybersecurity vendors at Gartner, where a thirst for data led him to build comprehensive market coverage that traditional firms weren’t interested in pursuing. After Gartner, Richard spent years on the vendor side as a chief marketing officer, vice president and chief strategy officer, experience that showed him firsthand how narrow analyst coverage frustrates the companies being analyzed. In 2005, he founded IT-Harvest to do things differently: Cover the whole market, and not just the players big enough to appear on a Magic Quadrant.
That long-tail perspective has never mattered more. Richard recently joined us to discuss how artificial intelligence (AI) is simultaneously creating new attack surfaces, generating new regulations, and transforming the day-to-day work of security operations, and why the industry’s blind spots are getting more dangerous as the pace of change accelerates.
Why the long tail matters, and where AI falls short
Of the more than 4,000 vendors in cybersecurity today, only 134 appear in Gartner’s Magic Quadrants. For Richard, that gap isn’t just a business opportunity; it’s a fundamental problem with how the industry gets analyzed.
“You can’t understand a fast-moving industry that’s changing rapidly by looking at the big players,” Richard said. “By definition, big players move slowly, whereas startups, which are funded and usually have very experienced founders, recognize a problem that the industry doesn’t serve and have created a product to solve that problem. That’s where you should focus your attention as an industry analyst.”
The same logic applies to enterprise buyers. Even if a company ultimately decides to wait for the Ciscos of the world to absorb a capability into their portfolios, watching what startups are building reveals emerging threat scenarios worth preparing for today.
Building that kind of comprehensive view, of course, requires something AI can’t yet replicate. Richard tests every model that claims deep research capability with the same question: List all the cybersecurity vendors headquartered in Canada. His database shows 140. Most models return about 20, and until recently the lists included companies like Fortinet, which has substantial Canadian operations but isn’t a Canadian company.
“That list took years to gather,” Richard said. “Every startup from every funding round, every press release. I’ll post a list to LinkedIn, and people chime in.”
That gap has direct implications for the analyst industry itself. “AIs are still horrible at deep research,” Richard said. When pressed, models typically surface market reports from firms like MarketsandMarkets, sites Richard describes as “fake scam sites” that produce low-quality data dressed up to look authoritative. “It’ll do a deep search, find a market report from a site like that, and use that information because it looks like the real data,” he said. Bottom-up coverage built over decades isn’t something a model can reconstruct from a simple prompt.
Three drivers, one perfect storm
Over his decades tracking the cybersecurity industry, Richard has identified three forces that reliably reshape the market: Bad actors developing new attack methodologies, regulatory responses to major incidents and fundamental shifts in technology. Each has driven major industry inflection points on its own.
Mandiant’s APT1 report (APT stands for advanced persistent threat), published in February 2013, was the first public report to attribute a sustained campaign of intrusions into U.S. organizations to a specific unit of the Chinese military, and it transformed how the industry understood coordinated attacks. Richard recalls the impact being visible immediately at RSAC, the industry’s largest annual security conference, which took place the following week.
“I remember going to RSA the next week after that report came out, and there were vendors changing their message in real time,” Richard said. “They were basically shutting down their operations and starting over so that they could address APT attacks.” On the regulatory side, the Health Insurance Portability and Accountability Act (HIPAA) generated an entire category of healthcare-focused governance tools. The shift to cloud computing opened new attack surfaces and gave rise to companies like Palo Alto Networks, CrowdStrike, and Zscaler.
What makes the current moment unlike anything Richard has seen in 30 years is that all three drivers are firing simultaneously, with one catalyst behind it all.
“Right now, we are in the perfect storm and have three of those drivers all working together thanks to AI,” Richard said. “AI is a technology change that’s driving new attacks. It’s also exposing new attack surfaces because people are using AI without implementing controls around it. And regulations are happening immediately.”
The European Union’s AI Act reached political agreement in December 2023, just over a year after ChatGPT launched, and was formally adopted in 2024. U.S. federal legislation may lag, but California and Massachusetts are already moving, and companies that comply in those states effectively set policy for everyone else.
The tasks AI will eliminate
Beyond creating new threats and new regulations, AI is transforming the internal mechanics of security operations in ways Richard describes as genuinely unprecedented. The functions being disrupted aren’t peripheral; they’re among the most labor-intensive work security teams perform every day.
The clearest example is alert triage. Security operations centers (SOCs) can generate tens of thousands of alerts daily, and the longstanding challenge has been separating the critical ones from the noise. The historical failure mode of that filtering is that important alerts get missed.
“We have a prospect now, and people are really deploying this, and it’s really working: Use AI to do 100 percent triage,” Richard said. “You get 10,000 alerts a day, fine. Analyze every single one of them, turn them into cases when required, call for action, or create a ticket. Whatever you do when you respond to a real alert, do all that. And quite a few of the SOC automation solutions I’m seeing have already gone further: Let’s take the remedial action. We’ve got access to the firewall. We can block attacks. We can do all that.”
Vulnerability management and penetration testing face the same disruption. “Pen testing is easy to teach and easy to learn, that’s why so many people start with it as their first job or first certification,” Richard said. “It’s all going to be done by AI.” The same applies to data loss prevention (DLP), where teams of 20 people currently review alerts for outbound sensitive data. “Just let the AI do that,” Richard said.
Taken together, Richard sees these not as incremental efficiency gains, but as a fundamental reordering of what security work looks like, and managed security providers are already moving in that direction.
An explosion of vendors, and a wave of consolidation
When Richard began tracking AI security as a distinct category in early 2024, he didn’t anticipate how quickly it would grow. By the time of our conversation, he had identified 349 standalone, AI-native security solutions, more than he’s ever seen emerge in any new category, and enough to make AI security the fourth largest category in the entire cybersecurity market. The category, however, is already beginning to collapse into itself.
“Guardrail companies realize they have to discover first before they can deploy guardrails, so they’re adding discovery, which makes them a governance solution,” Richard said. “Governance solutions really want to do the guardrails work, so they’re adding that. They’re already merging together.”
Consolidation will accelerate through acquisitions as well. Richard predicts at least 50 acquisitions in the AI security space this year alone. For founders who don’t get acquired, the more likely outcome isn’t dramatic failure. “They wind down the business and take a job at one of the big companies for a very large salary,” Richard said. “They’ll be in good shape.”
The category’s rapid rise, Richard argues, points toward its own disappearance. “Within 12 months, everything will be AI security,” he said. “There won’t be a company that isn’t using AI and leveraging it to grow and increase their effectiveness. It’s not going to be a separate category for very long.”
CISOs looking backward, and the gap nobody’s filling
For all the transformation AI is driving in security operations, Richard sees a troubling disconnect at the leadership level. Chief Information Security Officers (CISOs), he argues, are wired to look at yesterday’s problems, and that instinct is leading them to slow AI adoption at exactly the wrong moment.
“CISOs get lulled into a sense of, ‘It’s all about risk management,’” Richard said. “You can’t do risk management for warfare. You don’t monitor the vulnerabilities in the fences around your military base and present those to the president every morning. You do threat management. You look at the actual adversaries and what their intent is.”
That backward-looking posture is showing up in how security leaders respond to AI. “I see CISOs turning into ‘The office of no’ and trying to slow down the adoption of AI right at the most critical time for a lot of companies,” Richard said. “They should be leveraging AI to the fullest extent and helping make that happen.”
The most dangerous blind spot, however, isn’t about AI adoption at all. Richard points to software supply chain attacks, in which adversaries compromise a vendor’s development or build process and distribute malware to customers through legitimate, vendor-signed product updates, as the most underserved problem in the market. SolarWinds, in which up to 18,000 customers unknowingly installed a trojanized Orion update, is the defining example. CrowdStrike’s faulty Falcon sensor content update, which crashed Windows systems worldwide in July 2024, illustrates the same underlying exposure, blind trust in vendor-pushed updates, even though it was not malicious.
“There is no vendor today saying, ‘You need to protect yourself against the next SolarWinds, buy our product,'” Richard said. “The vendor that does that will have an immediate sell-through to all enterprises. They have to, because that’s best practice: Deploy something that checks software updates for backdoors and malicious intent.”
It’s a gap that reflects a broader pattern Richard has observed across three decades, the industry’s tendency to solve yesterday’s problem while tomorrow’s threat goes unaddressed. In a market moving as fast as this one, that lag gets more costly by the day.
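What the baseline version of “checking software updates” looks like in practice, as an added example that is not code from Richard, IT-Harvest or any vendor mentioned here: a customer-side verifier that accepts an update bundle only if the vendor’s release manifest matches a digest obtained out of band, every shipped file hashes to the value the manifest lists, and nothing has been added or dropped. The bundle contents, file names, version string and the pinned digest are all constructed for the example; the out-of-band digest stands in for a detached signature check (gpg, sigstore, Authenticode) that a real pipeline would perform instead.

```python
"""Verify a vendor software update bundle against a pinned release manifest.

Constructed example. Checks, in order:
  1. the manifest itself matches a digest obtained out of band (proxy for
     verifying the vendor's detached signature on the manifest);
  2. every file in the bundle hashes to the value the manifest lists;
  3. the bundle contains no files the manifest does not list, and is not
     missing any it does.
"""
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict[str, bytes], version: str) -> bytes:
    """Vendor side: canonical JSON listing every shipped path with its SHA-256."""
    manifest = {
        "version": version,
        "files": {path: sha256_hex(data) for path, data in sorted(files.items())},
    }
    return json.dumps(manifest, sort_keys=True).encode()


def verify_update(bundle: dict[str, bytes], manifest_bytes: bytes,
                  pinned_manifest_digest: str) -> list[str]:
    """Customer side. Returns findings; an empty list means the bundle is
    exactly what the pinned manifest describes."""
    # Step 1: refuse outright if the manifest is not the one we pinned.
    # hmac.compare_digest avoids leaking which prefix matched via timing.
    if not hmac.compare_digest(sha256_hex(manifest_bytes), pinned_manifest_digest):
        return ["manifest digest does not match the pinned value; refuse to install"]

    expected = json.loads(manifest_bytes)["files"]
    findings = []
    # Steps 2 and 3: walk the union of listed and shipped paths so that
    # extra, missing and modified files are all reported.
    for path in sorted(set(bundle) | set(expected)):
        if path not in expected:
            findings.append(f"unexpected file not in manifest: {path}")
        elif path not in bundle:
            findings.append(f"listed in manifest but missing from bundle: {path}")
        elif not hmac.compare_digest(sha256_hex(bundle[path]), expected[path]):
            findings.append(f"hash mismatch: {path}")
    return findings


# Constructed sample release (hypothetical product, not real vendor files).
GENUINE_RELEASE = {
    "bin/agent.exe": b"constructed agent binary v2.4.1",
    "lib/core.dll": b"constructed core library v2.4.1",
    "updater.cfg": b"channel=stable\n",
}
MANIFEST = build_manifest(GENUINE_RELEASE, "2.4.1")
# In practice this digest comes from a signed release note or a verified
# detached signature, never from the same channel that delivered the bundle.
PINNED_MANIFEST_DIGEST = sha256_hex(MANIFEST)

# Constructed tampered bundle: one library replaced, one file dropped in.
TAMPERED_RELEASE = dict(GENUINE_RELEASE)
TAMPERED_RELEASE["lib/core.dll"] = b"constructed core library v2.4.1 + implant"
TAMPERED_RELEASE["lib/helper.dll"] = b"constructed dropped-in file"


if __name__ == "__main__":
    print(verify_update(GENUINE_RELEASE, MANIFEST, PINNED_MANIFEST_DIGEST))  # []
    for finding in verify_update(TAMPERED_RELEASE, MANIFEST, PINNED_MANIFEST_DIGEST):
        print(finding)
```

Run as a script, the genuine bundle passes with no findings and the tampered one reports the modified library and the extra file. The caveat a practitioner should keep in front of them is that this catches tampering between the vendor and the customer, which is not the SolarWinds case: SUNBURST was compiled into a DLL that SolarWinds itself built and signed, so it would have matched the vendor’s own manifest. Closing that gap, which is the product Richard says nobody is selling, needs controls on the vendor side of the boundary, such as reproducible builds compared against the shipped binaries, SBOM and file-set diffs across releases, and sandboxed observation of what an update actually does after it is installed.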