AI is here to transform security services
Security services are an overlooked $100B+ opportunity
Cybersecurity attack methods have increased in sophistication and relentlessness every year. From AI-orchestrated phishing and ransomware evolution to advanced deepfakes and malware, every new tech wave adds new complexity to organizational security.
The onslaught of novel attacks has led to outsized performance for security leaders. In just the last 6 years, we have seen Palo Alto’s market cap swell over 6x to $110B+ since CEO Nikesh Arora took the reins, CrowdStrike’s market cap increase over 12x since its 2019 IPO, and Wiz recently slated to become the second largest software exit of all time.
At the same time, the cybersecurity industry is facing a large and increasing labor gap. Recent reports indicate a severe shortage of 4.8 million unfilled cybersecurity jobs. There are more products, alerts, and attack surfaces for stretched businesses to manage, and fewer people to help them do it.
This imbalance of labor poses a major risk. But with every risk comes an opportunity. We believe there is an emerging and valuable market for founders with new approaches to AI-enhanced Security Services.
Here’s why:
Services are a massive, underappreciated market
The largest cybersecurity companies in the world aren’t Palo Alto Networks, CrowdStrike, or Cisco; they’re Deloitte and Accenture.
Security Services will surpass $100 billion in the next two years, accounting for over 40% of the cybersecurity market (compared to software at 46%) and growing at a 10%+ five-year CAGR.
This $100B opportunity, which includes common offerings like Penetration Testing, Audits, and Managed Detection & Response (MDR), grows further when factoring in how services can help close the cybersecurity labor gap. Cyber professionals command an average salary of $132K, and with millions of open jobs, this gap represents a $600B+ opportunity for security automation and outsourcing to address.
Services are long overdue for a renaissance
The best defense is a good offense.
Defensive security tools are a crowded market today (e.g., Wiz, Proofpoint, CrowdStrike, Zscaler). There’s room for innovation in offensive security. Areas like penetration testing, attack simulation, and red team exercises – traditionally delivered as services – have seen little innovation and are areas where AI-native solutions can deliver exceptional new experiences.
AI makes these services scalable
Whether defensive or offensive, human-powered security services are often plagued with a few issues: they are labor-intensive, lower-margin, and tougher to scale. This all changes with AI.
Now, the three core blockers in security services — labor, latency, and margin — have become solvable through software. AI could enable scale without sacrificing quality. And we’re not just talking about LLMs that generate phishing simulations or classify alerts. We’re talking about multi-agent orchestration, autonomous playbooks, and systems that can reason about context, evidence, and decision-making paths.
Higher-quality services, at scale, can also dramatically expand a market and help fill the gap for some of the 4.8 million open jobs.
The security services enterprises will need most
We believe there are three security service categories especially primed for AI disruption.
AI-driven penetration testing & attack simulation
Penetration testing is a critical security service to identify vulnerabilities before attackers can exploit them. The market today is fragmented and costly. Some CISOs report spending up to 30% of their cybersecurity budgets on variations of pen testing, typically preferring third-party providers. Other enterprises sometimes maintain expensive in-house teams, such as Wells Fargo’s 20-25 FTEs focused on pen testing. Because they are labor-intensive, pen tests can be costly for organizations of all sizes, typically ranging from $30-100k. As a result, many companies are stuck with low-quality tests, treat them as a check-the-box compliance exercise, or forgo them altogether.
But now AI has the potential to transform pen testing by automating it and shifting it from periodic to continuous. New AI tools can simulate real-world attacks, provide real-time insights, and scale human expertise. While Gen 2 Pentesting-as-a-Service players like Pentera and Horizon3 gained early traction, Gen 3 startups such as RunSybil, Xbow, and Staris are advancing the field with more efficient AI-driven exploit chaining and scenario modeling. The core pen testing market already exceeds $10B. As it expands with AI capturing more red-teaming and offensive security services, it could surpass $50B and dwarf major security software categories like web security, vulnerability management, and email.
AI-first MDR
Managed Detection & Response (MDR) is the third-largest segment of Security Services (an $8B+ market in 2025) with the highest growth (15% YoY). We hear about MDR contracts of all sizes, from SMB-sized to $10mn+ for enterprises. However, there’s low NPS in this space, and CISOs cite poor satisfaction with their solutions. The market has long been fragmented, with large diversified companies like AT&T and Verizon leading market share, followed by a long tail of small players.
Now is the time for a new MDR, with AI at the core. New AI DNA can move the industry beyond human-based playbooks, to swarms of AI Agents dynamically triaging alerts, correlating across sources, autonomously remediating, and escalating to a human-in-the-loop when necessary. Legacy MDR players will struggle to retrofit AI into their human-centric models. New companies embracing this approach include AirMDR, TENEX, and Daylight, and we expect to see more that deliver an AI SOC-as-a-Service.
AI managed service provider (MSP) for SMBs
SMBs face the same threats as the Fortune 500s, but lack the budgets and expertise. As a result, the cybersecurity industry has woefully underserved SMBs and forced enterprise solutions onto them.
With AI compressing the marginal cost of software development and service delivery, there is new potential for a full security suite to better serve SMBs. This “AI MSP” — a fully managed IT and security stack — not only becomes viable with AI, but increasingly attractive. There’s room for new software platforms that bundle IT, endpoint, email, network, identity, and more, similar to Zip Security, or offer more bundled IT services such as Fixify. Some companies might even take this further with fully managed network solutions like Meter and Nile. Lastly, there are “roll-up” opportunities, like Titan and Propulsion, where VC-backed companies can acquire sub-scale MSPs and improve margins by leveraging higher-value security and AI efficiencies.
The security opportunity will continue to grow
Security software remains a hotbed of innovation, and AI is supercharging it. But to keep pace with the exploding threat landscape, security services must accelerate. Long seen as labor-heavy and margin-thin, services are being redefined by AI. What was once manual and reactive is now intelligent, automated, and scalable. This isn’t just an upgrade, it’s a chance to reinvent a $100B+ market, address a 4.8 million-person talent gap, and transform global security from the ground up.