As soon as Anthropic revealed the tremendous power of Mythos to find exploitable bugs in code, the same idea occurred to everyone simultaneously: Is it possible to completely evaluate a code base, fix all the vulns, and publish vuln-free code?

There is no question that would be a game changer. There remains a minor problem with actually being able to claim code is perfect. I’ll leave that to the Trustworthy Computing folks. Certainly, if you can point Mythos at your code and fix everything it finds you have produced much better code.

On Tuesday Mozilla posted:

This is it. This is the beginning of improved code across the world.

The Mozilla blog goes on to state unequivocally that computers were completely incapable of reasoning through source code a few months ago, and now they excel at it, exceeding even the best human researchers.

Historically, having egregiously bad code has had consequences in a few notable instances. Flash is practically dead. Adobe had its struggles. Microsoft Internet Explorer was forced into extinction. But there are plenty of cases of code being replete with vulnerabilities for decades and yet still winning in the marketplace. That is pretty much the story of most Microsoft products, at least early on.

Is it going to be different this time? Mozilla was the first developer which had access to Mythos to issue a Mythos-scrubbed update. I am writing this on Firefox 150.

When it announced Project Glasswing ten days ago Anthropic did not even mention Mozilla. Those lucky few that were granted early access were: Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. We anxiously await their improved code.

Mozilla has shown the way. Microsoft, Apple, and Google are now on notice. Show us the results of your application of Mythos to your code bases for Edge, Safari, and Chrome.

We will know that Mythos has materially changed the game when the number of Chrome CVEs reported each year drops to single digits.

Ending with one more quote from the Mozilla announcement.

Join me today for a discussion of the impact of Mythos with Jeremiah Grossman and Jim Dubois. Register here.

I then supplied it with the remaining list of AI Security vendors to be posted here to Substack. It systematically searched the Dashboard and copied the descriptions into a text file which I cut and pasted below.

If you want to jump into Claude Cowork this is a good tutorial.

If you want to automate research for report writing definitely reach out to get a demo of the Dashboard.

Safeguard.sh provides a software supply chain security platform that performs 100-level deep dependency scanning across source code, containers, and AI models. The platform includes an IDE Extension that secures code during development and uses reachability analysis to reduce false positives by 80%. It delivers autonomous auto-fix remediation capabilities that achieve 92% faster remediation times and generates and manages CycloneDX and SPDX SBOMs automatically with version control, centralized repositories, and SLSA provenance attestation. The platform includes a Third Party Risk Manager for validating vendor SBOMs before integration and continuous supplier monitoring with automated policy enforcement. It operates a Zero CVE Components registry with 6,000+ vetted open-source packages screened for malware, SLSA compliance, and dependency confusion risks. Safeguard.sh supports deployment across 15+ cloud platforms including AWS, Azure, and GCP, as well as on-premises Kubernetes and Docker environments, air-gapped networks, and classified infrastructure.

The platform provides complete tenant isolation, end-to-end encryption with AES-256 at rest and TLS 1.3 in transit, multi-factor authentication, role-based access control, real-time threat detection with 24/7 SOC monitoring, and automated incident response. It maintains 99.99% uptime SLA with sub-100ms API latency and processes 10 million daily scans at 100,000+ components per second. The platform is built for FedRAMP HIGH and IL7 compliance and operates completely offline without cloud dependencies for classified and defense environments.

Strike48, a spin-out from Devo, is an agentic log intelligence platform that unifies logs and AI to deliver comprehensive coverage, autonomous investigation, and orchestrated response. Built on 15 years of petabyte-scale log infrastructure management, the platform features a ground-up agentic architecture with three core components: a Log Intelligence Layer supporting parse-at-query and flexible deployment, Prospector Studio for building and managing custom agents without dedicated AI teams, and Agentic Packages of vetted, production-ready agents. The platform deploys purpose-built micro agents designed for specific tasks that investigate, correlate, hand off to one another, and respond autonomously across security operations, IT operations, and compliance use cases.

For security operations, Strike48 handles alert triage and threat investigation, manages workflows and incident coordination, and monitors threat intelligence feeds and security advisories. For IT operations, the platform automates incident troubleshooting, password resets, and access provisioning while identifying performance bottlenecks, monitoring cloud spending, and continuously watching infrastructure for degradation and outages. The platform offers a no-code agent builder enabling teams to design custom monitoring and automation workflows, visual orchestration combining deterministic logic with AI reasoning, real-time data visualizations, and centralized incident management. It maintains complete data isolation within customer tenants with no cross-customer model training, supports SOC2, GDPR, and SOC3 compliance standards, and provides full transparency and control over agent actions and data access.

ThirdLaw provides an operational layer for enterprise AI that delivers visibility, evaluation, and control. The company makes enterprise AI safer to run and easier to control, building specifically for day-two operations. Their core capabilities include monitoring how AI is used across applications and agents, assessing AI interactions against safety and security expectations, and runtime interventions that support human review.

Their solutions address specific enterprise AI operational needs including AI investigation and response, which enables teams to link evidence across systems, preserve decision context, and route findings to existing SIEM, SOAR, and ITSM workflows. They offer AI runtime protection that enforces policy at the point of decision, making each AI decision policy-aware with outcomes based on scope and severity. Additional capabilities include agent and tool controls that govern tool execution to control risk at the moment of impact, AI data protection that prevents internal documents and restricted content from appearing in context or responses outside approved scopes, and AI governance frameworks for policy management and compliance oversight.

Tropico Security operates a preemptive defense platform that predicts, deceives, and neutralizes cyberattacks before they cause damage. The platform deploys AI honeypot mazes and emulators to trap attackers in controlled environments, analyzing their tactics and techniques in real time. It detects lateral movements of ransomware using SMB and RDP emulators while stalling encryption phases to give security teams response time. The system creates a secondary Active Directory that exposes attacker tactics while protecting the real deployment, and defends Entra ID against phishing attacks. Tropico tracks stolen data on dark-web forums by feeding attackers AI-generated information instead of real company data, helping identify threat actors. The platform uses defensive phishing pages to recover compromised credentials and shut down active campaigns. It collects intelligence from multiple sources including external and internal honeypot mazes, dark-web monitoring, SIEM alerts, and client threat intelligence.

Tropico serves critical industries including banking and fintech, aerospace and defense, logistics and transportation, telecommunications, and utilities. For each sector, the platform anticipates attack campaigns, forecasts state-sponsored threats, monitors early indicators of credential theft and ransomware activity, and provides early-warning detection of cyberattacks targeting operations before escalation occurs.

VisionHeight is a pre-attack intelligence and control platform designed to identify and stop threats before weaponization occurs. The platform operates through three core components: Pulse Sensors provide proprietary telemetry across worldwide datacenter IPs to detect malicious infrastructure during build-out, identifying threats 2-8 weeks before weaponization; an Infrastructure Intelligence Graph and Explainable Risk Engine map complete adversary campaigns with reason codes, confidence levels, and temporal context rather than isolated indicators; and Decision Sync integrates directly with security tools including SIEM, EDR, firewall, WAF, and identity systems to propagate policies autonomously across the security stack.

The platform provides unified, pre-attack cyber risk intelligence by fusing multiple intelligence sources — including proprietary datacenter IP signals, internal SIEM/EDR data, attack surface intelligence, and network traffic — into one verified intelligence layer. This approach addresses the problem of security teams operating with fragmented tools and high false positive rates. According to the company, VisionHeight eliminates 70-80% of VPN/CDN false positives and can reduce alert volumes significantly while surfacing actual infrastructure risks.

Zepo provides an agentic social intelligence platform designed to protect organizations from AI-driven social engineering threats targeting employees. The platform enables organizations to simulate realistic, AI-powered social engineering attacks including deepfakes, voice calls, cross-platform messages, and personalized phishing to identify human vulnerabilities. It monitors employee activity in real time across multiple channels including email, chat, messaging apps, and collaboration platforms, flagging suspicious activity the moment it appears to enable organizations to act before threats escalate into actual incidents.

Zepo integrates behavioral training with live threat detection to create a unified, proactive defense layer, combining human risk assessment with immediate threat detection rather than relying solely on traditional training tools and email filters. The platform provides centralized visibility of an organization’s human risk, allowing security teams to track employee performance, identify weak points, and receive actionable metrics adapted to each employee’s behavior. Zepo’s mission centers on redefining human-centric security by addressing the gap created as attackers exploit generative AI and move toward multi-vector, personalized attacks on employees, focusing on protecting what happens at the human level rather than solely at the system level.

Zynap is a preemptive cybersecurity platform that combines threat intelligence, AI agents, and automated workflows to shift security operations from reactive response to proactive attack prevention. The company’s mission is to outsmart cybercrime by delivering advanced technology and actionable threat intelligence that enables organizations to protect themselves before attacks occur, empowering enterprises and managed security service providers to stay ahead of evolving threats.

Zynap’s AI-powered platform unifies internal and external data sources to turn raw threat data into real-time, actionable foresight, tracking over 900 threat actors, monitoring more than 25,000 victims of tracked campaigns, identifying over 300,000 CVEs, and maintaining records of more than 20,000 exploits and proofs of concept. The platform features context-aware AI agents called NINA that serve as the cognitive core, automating security workflows with human oversight, along with an intelligent automation canvas enabling low-code/no-code workflow design that connects tools and orchestrates actions across security environments. Zynap delivers measurable outcomes including 95% faster remediation, 85% faster incident analysis, automation of 90% of security tasks, and 5x greater threat relevance, designed specifically for MSSPs and Fortune 2000 companies seeking agile, scalable tools that integrate seamlessly with existing security infrastructure.

And here are even more vendors added since I started publishing these updates.

Above Security is an insider risk management platform that deploys purpose-built AI agents to detect, investigate, and respond to insider threats. The company’s tagline — “Checkmate, insider threat” — reflects its mission to solve the blind spots left by traditional data loss prevention and behavioral analytics tools. Above Security raised $50M to build a suite of agents that address distinct threat scenarios: the Data Exfiltration Agent connects behavioral signals, permissions, and contextual data into a unified, human-readable picture of potential data theft; the Inappropriate Use Agent identifies policy violations and misuse patterns while favoring coaching over punitive action; and additional agents monitor for behavioral drift and employee churn risk. The platform’s core philosophy is that “comprehensive security comes from understanding intent,” positioning it as a solution for organizations that need to distinguish malicious insiders from negligent employees without creating friction for legitimate users.

Ntur, operating under the product name Agent Vault, provides a zero-trust security platform designed specifically for agentic AI systems. As enterprises deploy AI agents with access to tools, APIs, and sensitive data, Ntur addresses the new attack surface these agents create. The platform’s operating principle — “never trust, cryptographically enforce” — extends zero-trust architecture into the AI agent layer by cryptographically enforcing tool execution policies rather than relying on behavioral trust assumptions. Agent Vault monitors for behavioral drift in AI agents, flags deviations from expected execution patterns, and guarantees compliance with enterprise policy frameworks. The platform is built for regulated industries where AI agents must operate under strict governance, providing security teams with visibility into agent actions, tool invocations, and access patterns across the agentic stack.

Aether AI delivers continuous, AI-powered penetration testing designed to outpace AI-enabled adversaries. The company positions its platform as the “world’s most dangerous Attack AI, defending you” — an offensive AI system turned toward defensive purposes that operates continuously across internal and external attack vectors. Built on more than 15 years of experience breaching hardened targets, Aether AI claims to identify more vulnerabilities than human penetration testers and operate faster than traditional red teams, at a fraction of the cost of manual testing engagements. The platform covers the full attack surface — network, application, identity, and cloud — running simulated attacks on an ongoing basis rather than in periodic point-in-time assessments. Certain advanced capabilities are currently restricted to organizations operating within Five Eyes (FVEY) allied countries, reflecting the platform’s classification-relevant origins and the sensitivity of some of its offensive techniques.

CyberAGI markets its platform, branded Excalibur, as an “AI Security Department in a Box” — a self-contained security operations and offensive testing system that runs entirely within the customer’s own infrastructure. Excalibur is deployed on NVIDIA DGX Spark hardware, giving it local AI compute without requiring data to leave the customer environment, a design the company emphasizes as providing private AI with zero data exfiltration risk. The platform features a living threat risk map that continuously models attack paths and identifies choke points across the organization’s environment, allowing security teams to visualize where adversaries are most likely to move and which controls are most strategically valuable. Excalibur includes pentest orchestration capabilities that enable repeatable, scheduled attack simulations, visual evidence reporting through a Notion-like editor for documenting findings in a shareable format, and a CISO dashboard providing executive-level risk visibility. The platform is designed for security teams that want offensive and defensive capabilities unified in a single air-gapped deployment without dependency on cloud-based AI services.

Hackerdogs positions itself as a “Chief Intelligence Partner” for organizations that need decision-grade threat intelligence rather than raw data feeds. The platform deploys autonomous AI agents that actively pursue answers to security questions — probing internal and external sources, correlating findings, and delivering evidence-backed intelligence — rather than simply aggregating and analyzing existing data. Core capabilities include one-click attack surface discovery that maps an organization’s external exposure, continuous scheduling of intelligence collection runs, and autonomous AI agent probing that operates without manual analyst tasking. Hackerdogs integrates with Claude and the Model Context Protocol (MCP), allowing security teams to query the platform through conversational interfaces and pipe intelligence directly into their existing toolchains. The platform is built on the premise that traditional threat intelligence tools produce too much noise and too little actionable signal, and that AI agents capable of pursuing targeted intelligence objectives can replace much of the manual analyst work involved in staying ahead of adversaries.

Threat-Watch is a managed security service provider that offers to “replace your entire cybersecurity department minus the CISO” — providing comprehensive outsourced security operations for organizations that lack the resources to build in-house security teams. The service is powered by Xcitium zero-trust EDR technology and ConnectSecure for attack surface management, combining endpoint protection with continuous vulnerability visibility. Threat-Watch’s service portfolio includes 24/7 SOC threat detection and monitoring, managed incident response, compliance consulting for ISO 27001 and NIS2 frameworks, and employee phishing simulation and security awareness training. The company backs its MDR service with a $1 million ransomware breach warranty, providing financial accountability for the coverage it delivers. Threat-Watch is designed for small and mid-sized enterprises that need enterprise-grade security capabilities but cannot justify the headcount or tooling costs of a fully staffed internal security function.

PurpleSec is an adaptive AI security company founded in 2019 by veterans with Department of Defense training, focused on securing AI systems and the organizations that build them. The company’s flagship innovation is PromptShield™, an intent-aware AI protection layer that analyzes prompts and AI interactions for malicious intent, jailbreak attempts, and policy violations before they reach the underlying model. PurpleSec’s product suite spans both AI-native security and traditional enterprise security: the AI Firewall provides runtime protection for AI deployments; the Prompt Analyzer allows security teams to evaluate prompt inputs for risk; the AI Security Framework offers governance and compliance guidance for AI programs; and a Free AI Risk Assessment helps organizations baseline their exposure. On the managed services side, PurpleSec offers a Virtual CISO program and Managed XDR for broader security operations. The company targets AI builders, systems integrators, and enterprises navigating the security implications of deploying generative AI in production environments.

SOC Jedi.ai is an AI SOC analyst platform designed to conduct alert investigations with the speed and accuracy of an experienced Level 1 analyst — automating 90% of L1 triage work and providing 24/7 coverage without analyst fatigue. The platform operates through a pipeline of specialized agents: an orchestrator agent ingests incoming alerts, scores them using prior investigation verdicts, filters noise, and forwards unique threats for deeper analysis; a malware analysis agent decodes and decompiles files, analyzes code logic and behavior, detects malicious patterns, and issues risk reports; an attack surface agent performs continuous asset discovery, simulates attack paths under safe testing conditions, prioritizes findings by business risk, and delivers actionable remediation reports; and a dark web monitoring agent tracks leaks by corporate domain, correlates and classifies exposures, and aids deep leak investigations. Underlying the agent layer is a four-stage processing pipeline: alert data collection from SIEMs, data lakes, log managers, and REST APIs; enrichment via aggregation, threat feeds, IOC matching, and RAG; analysis for correlation, attack chain mapping, and incident summarization; and investigation delivery providing full narrative reports on what happened, how, and what to do next. The platform operates entirely within the client’s secure environment, is customizable to integrate with existing security tools and workflows, and is designed for rapid deployment with minimal setup overhead.

That wraps up the promised updates to Guardians of the Machine Age: Why AI Security Will Define the Future of Digital Defense.

As promised, today I continue to play catch-up with ten more vendors that were added to IT-Harvest’s research coverage after Guardians of the Machine Age went to print. They are presented alphabetically so that you can easily compare to the Directory of 378 vendors in Appendix IV.

Jazz is an AI-native Data Loss Prevention (DLP) platform that detects and prevents unauthorized data movement across an organization’s environment. The platform captures activity across entire environments to uncover all data loss vectors and features an agentic investigator called Melody that analyzes events to deliver pre-investigated answers with context, rather than generating high volumes of alerts.

LangGuard.AI discovers and classifies AI assets and agents across an organization, providing IT visibility into AI systems that aren’t tracked in existing records. The platform provisions and approves vetted AI agents for enterprise use while continuously monitoring their behavior to identify incidents and audit findings through behavioral analytics, activity monitoring, and audit log retention with replay capabilities.

Operating as an AI Control Plane for IT and Security teams, LangGuard.AI interprets AI agent intent at runtime and evaluates it against enterprise policy to determine whether actions should be allowed, modified, or blocked. It enforces controls on access, tools, data, identity, and cost, while generating immutable audit logs and reports that support compliance requirements including ISO 42001, NIST AI-RMF, EU AI Act, and SOX.

Lunar.dev provides an enterprise gateway for governing AI applications and agents, with strong emphasis on MCP security, tool governance, observability, and policy enforcement. The platform is designed to give security and IT teams centralized control over agent access to enterprise systems while supporting self-hosted deployment, auditability, and safer rollout of AI tools.

Manifold is an AI Detection & Response (AIDR) and Governance platform that secures endpoints and monitors agent behavior at runtime. The platform provides full runtime visibility into what AI agents actually do, including the tools they call, the systems they access, and the actions they take. It delivers a real-time map of every agent in an environment, their connections to MCP servers, databases, and external systems, with anomalies flagged the moment behavior drifts from normal activity. Manifold enables security teams to detect threats in real-time, define normal agent activity, and recognize risky behavior. The platform deploys in days without requiring new architecture, gateways, or proxies, and leverages existing infrastructure.

Mave offers an Agentic SecOps Platform that uses AI agents to continuously detect, investigate, and triage across security stacks. The platform treats alerts as hypotheses rather than conclusions, delivering root-cause verdicts with complete audit trails and evidence-based outcomes. It continuously runs threat-hunting coverage tests across environments, adapting as the stack and adversaries evolve to prevent new tactics from becoming blind spots. Users can act directly from investigations, then automatically document and push outcomes back into existing tools like cases, tickets, and SIEM notes for fast, consistent, and repeatable response. The platform allows natural language questions across connected systems to get unified, evidence-backed answers without manual pivots or ad-hoc searching. It includes approval gates for actions and changes, fine-grained API permissions across platforms, and complete audit trails showing exactly what agents queried, how they correlated data, and what they concluded. Mave’s mission is to elevate SIEM operations by simplifying, automating, analyzing, monitoring, and optimizing them.

Ntur AI is focused on securing agentic AI systems through its Agent Vault platform, which applies zero-trust and cryptographic enforcement to tools, memory, and access flows. Its positioning centers on giving enterprises stronger control over autonomous agents by blocking unauthorized tool use, protecting RAG data, and reducing credential exposure in production environments.

Pallma AI provides an agent security platform designed to give enterprises visibility and control over autonomous AI systems. The company focuses on discovery, monitoring, and runtime policy enforcement so organizations can detect weaknesses early, govern agent decision-making and tool use, and contain prompt-injection or misuse risks before they affect production workflows.

Plerion provides unified cloud security across code, cloud infrastructure, and AI deployments, focusing on identifying and prioritizing genuine security risks rather than best practices. The platform delivers comprehensive security coverage across three domains: code security that catches risky code patterns before deployment across GitHub, GitLab, and Bitbucket; cloud security that provides visibility into security posture across AWS, Azure, GCP, and Kubernetes environments; and AI security that detects shadow AI deployments and manages data leakage risks across platforms like Bedrock, OpenAI, and Anthropic.

Pluto Security is focused on securing the enterprise AI workspace, helping organizations monitor and govern the rapidly expanding use of AI building tools across employee environments. Its positioning centers on enabling innovation while reducing the blind spots and attack surface created when workers adopt AI tools and build without centralized security oversight.

RemoteThreat is an offensive-AI cyberwarfare company focused on readiness for large-scale, AI-enabled cyber conflict. Its positioning centers on helping organizations understand and prepare for the ways AI can speed vulnerability discovery, exploitation, and attack operations through training, simulation, and related programs.

Here is a chart that includes Funding in millions of dollars and Headcount. Subscribers to dashboard.it-harvest.com can use the URLs to go right to the vendor pages.

Also read:

Tracking the new vendors in AI Security

Ten New AI Security Vendors

Arambh Labs builds an agentic AI platform that augments security operations teams by intelligently detecting, investigating, and remediating security incidents. The platform uses agentic intelligence and swarms of AI agents to autonomously analyze findings from across an organization’s entire security ecosystem. It integrates with over 100 tools spanning identity, cloud, endpoint, network, and data security solutions including SIEM platforms, SOAR systems, EDR solutions, NDR systems, IAM platforms, and cloud infrastructure providers.

Armadin builds an AI-powered offensive security platform combining human expertise with advanced technology to defend complex organizations. The platform operates as a continuous, agentic red teaming and remediation solution designed to identify and address security vulnerabilities through autonomous AI agents. The company focuses on offensive security capabilities to combat AI-driven hyperattacks, offering automated penetration testing, red team operations, and vulnerability remediation. The platform answers the core question of organizational security posture by providing unified, scalable, and ongoing offensive assessments that simulate attacker behavior at scale. It announced total funding of $189.9 million on March 10.

Astelia is an AI-native exposure management platform that identifies vulnerabilities that are truly reachable and exploitable within an organization’s environment, eliminating noise from theoretical risks. The platform delivers three primary capabilities: network topology mapping that integrates with infrastructure and network tools to understand the complete network landscape, agentic vulnerability analysis that uses AI agents trained by nation-state-level experts to identify exploitability requirements, and reachability analysis that correlates network topology, asset context, and runtime data to classify which vulnerabilities pose genuine risk.

Ciphero is an early-stage enterprise AI security vendor offering an AI verification layer that monitors, verifies, and governs human and agentic AI interactions. Founded in 2025 by the former Fakespot leadership team, the company focuses on shadow AI visibility, policy enforcement, and data-loss prevention for enterprise AI deployments, and launched from stealth with $2.5 million in pre-seed funding in late 2025.

C1 is an AI-native identity security platform focused on governing access for human, machine, and AI identities. Rebranded from ConductorOne in 2026, the company combines identity governance, just-in-time access, dynamic controls, and automation in a single platform aimed at modernizing legacy identity stacks for cloud and agentic enterprise environments.

CyberAGI is an early-stage offensive security startup developing Excalibur, an AI-native platform for threat modeling, pentest workflow automation, and related security operations use cases. The company promotes a broader vision of building an ‘AI enterprise,’ but its current market presence appears centered on self-serve and private-deployment offensive security tooling, with limited independent public evidence so far on funding or customer scale.

EnforceAuth is a unified enterprise authorization platform that enforces fine-grained policy across infrastructure, applications, data, and AI workloads. The company’s core objective is to solve the fragmentation problem where enterprises operate with disconnected access control systems across different environments. EnforceAuth is specifically designed for AI-driven enterprises, treating AI models, prompts, tools, and agents as first-class security subjects. It controls every AI-agent-to-data and agent-to-agent interaction in real time across any cloud or infrastructure, addressing new security challenges like prompt injection and unauthorized data access by AI systems.

Evoke secures the agentic workforce by providing visibility and control over every agent, action, and connection across enterprises. The platform auto-discovers agents, models, tools, and data sources to eliminate shadow AI. It identifies malicious skills and model context protocols (MCPs), maps attack paths and toxic flows, and remediates over-permissioned agents through threat modeling. The platform detects, prevents, and responds to unauthorized actions by monitoring all prompts, tool calls, and responses, enforcing per-agent policies and detections, and blocking unauthorized actions in real-time. Evoke meets agents where they live through multiple deployment architectures including endpoint agents for local environments, SDK and proxy API integrations for production agents, and browser extensions for SaaS agents. The company was selected for the 2026 CrowdStrike, AWS & NVIDIA Cybersecurity Startup Accelerator and raised $4 million in pre-seed funding.

FlintX provides AI-powered security monitoring and threat detection specifically designed for industrial control systems and operational technology networks across critical infrastructure sectors. The company’s primary mission is to protect critical infrastructure by combining operational technology expertise with artificial intelligence to defend industrial control systems (ICS), SCADA systems, PLCs, and related environments from cyber threats.

Hackerdogs is an early-stage AI-native cyber intelligence vendor that combines attack-surface discovery, OSINT, and cross-domain threat analysis into evidence-backed intelligence briefings for security and executive stakeholders. Founded by former Sumo Logic and LogicMonitor executive Tej Redkar, the company is positioning around autonomous, intelligence-led cyber exposure management, though public third-party evidence on funding and customer scale remains limited.

By next week we should be all caught up. In the meantime order your copy of Guardians here.

At that time I was asked “what could possibly make AI worth $100 billion to Microsoft?” My answer: imagine if Microsoft could find and fix ALL of the vulnerabilities in its software? That would easily be worth $100 billion. Instead of being the root cause of all of our security issues Microsoft could be the secure option for software products. The total annual cost imposed on the world for Patch Tuesday is estimated to be as high as $225 billion according to a model I had ChatGPT construct. Should Microsoft spend $100 billion to save its customers $225 billion a year? Yes.

An AI with those capabilities is here. Only it is not an OpenAI model, it is Claude Mythos Preview from Anthropic. Download the 244 page system card here.

It’s April 9. The latest models from OpenAI and Anthropic were released in February. They were created using earlier versions of themselves. The Intelligence Explosion is happening.

Mythos is in “Preview” because in developing the model to be the next generation of general purpose LLMs Anthropic realized it was very good at discovering vulnerabilities in code and chaining together multiple vulns to create sophisticated exploits.

A couple of examples:

Somehow take a blind SQL injection vulnerability, one that executes arbitrary SQL commands but returns nothing, and use it to gain control of an account. Watch Nicholas Carlini from Anthropic describe this at the [un]prompted conference in San Francisco. He is probably talking about Mythos but it was still under wraps at the time.

From Anthropic’s announcement of Project Glasswing.

Mythos Preview found a 27-year-old vulnerability in OpenBSD—which has a reputation as one of the most security-hardened operating systems in the world and is used to run firewalls and other critical infrastructure. The vulnerability allowed an attacker to remotely crash any machine running the operating system just by connecting to it;

Project Glasswing is Anthropic’s stopgap solution to releasing a model so powerful that it can own any software anywhere. Only certain partners are allowed to play with it.

Over the past few weeks, we have used Claude Mythos Preview to identify thousands of zero-day vulnerabilities

Thousands.

Does anyone have the infrastructure to deal with thousands of new zero-days? Can the scanners keep up? Can the vulnerability enrichment solutions keep up? Imagine you are going to be patching every single app in your org each and every day. That is where this is going.

This feels like 2010. Virus signatures had exploded from a handful a week to 1,000 a day to 30,000 to 60,000 per day. The AV vendors were pushing signature updates six times a day. The model broke and the industry collapsed (read up on the demise of Symantec and McAfee and the consolidation of AV vendors.)

We already know that bug research has been turned on its head by the use of AI. What happens when thousands of researchers use models like Mythos to discover new vulnerabilities? Do software companies (think Oracle, SAP, SFDC) even employ enough people to address all the disclosed vulnerabilities coming their way? Can they create and push patches fast enough?

Let’s say “over the past few weeks” means seven weeks and “thousands of zero-days” means 2,000. That is 285 new zero-days a week or roughly 15,000 a year. In 2025 there were 48,000 new CVEs cataloged. One team can now increase the total annual CVEs by 30%. What happens when thousands of researchers are discovering thousands of zero-days every few weeks? There are currently 360K CVEs. How can all of the systems scale to 3.6 million CVEs?

A whole bunch of things are going to break. Vulnerability Management writ large is going to break.

Anthropic has pushed ahead of the other AI labs for now. They are responsibly withholding Mythos Preview from general availability. But even the current models from all the labs are great at finding and exploiting vulnerabilities. The next models will be upon us shortly and its time to think about what this means for cybersecurity.

If you want to dig into both sides of the reaction to Mythos Preview watch these two pundits.

First the OMG this changes everything reaction:

Then the “ho-hum AI is just a stochastic prediction of the next token” view.

Enjoy.

Update: Nimitt Jhaveri pointed out in the comments an Axios scoop that reveals OpenAI is rolling out their own security tool. https://www.axios.com/2026/04/09/openai-new-model-cyber-mythos-anthopic

Update 2. AISLE™ tested the Mythos vuln discoveries on older models. 8/8 found the BSD vuln:

We tested Anthropic Mythos’s showcase vulnerabilities on small, cheap, open-weights models. They recovered much of the same analysis. AI cybersecurity capability is very jagged: it doesn’t scale smoothly with model size, and the moat is the system into which deep security expertise is built, not the model itself. Mythos validates the approach but it does not settle it yet.

https://aisle.com/blog/ai-cybersecurity-after-mythos-the-jagged-frontier

Phoenix Security also uses existing models to discover and chain vulns. https://phoenix.security/claude-code-leak-to-vulnerability-three-cves-in-claude-code-cli-and-the-chain-that-connects-them/

Update 4-25-2026

XBOW ran benchmarks for vulnerability discovery against the latest models. GPT 5.5 (OpenAI’s just released model) blows the roof off their testing. Black box is fuzzing against compiled code (DAST). White box is against source code (SAST).

November 30, 2022, of course, is when ChatGPT ignited the GenAI era.

In the front matter of Guardians of the Machine Age: Why AI Security Will Define the Future of Digital Defense I promised to update the data on the AI Security players here on Substack. Before I do so I want to be completely transparent about what we are striving for at IT-Harvest.

We are a next-gen industry analyst firm. That means data-driven, AI-powered. You can discern our manifesto in Of Long Tails and Stalking Horses. I may have been too subtle in that post. Gartner, by its own admission only serves 12,000 or so customers out of a total addressable market of 140,000. That’s less that 1%. While we do have overlap with Gartner’s clients we also have an affordable alternative for the remaining 99.4%.

IT-Harvest sells data on the entire cybersecurity industry. That’s what I am here for. All of the data and research posted here on Substack or Linkedin; all of my research, and yes, the six editions of Security Yearbook and now Guardians, was created to demonstrate the value of applied data for cybersecurity industry research.

Each post, each infographic, and each book is meant to spark the question: How can IT-Harvest produce this research and give it away for free? The whole point is that we can do that because it is easy and you could too if you were a Dashboard subscriber.

The other point is that we only expose a tiny fraction of the data we collect on 4,022 vendors and all of their products. Relying on my posts to get a picture of the cybersecurity industry is akin to owning just the Ser-Soosy volume of the Oxford English Dictionary.

Guardians of the Machine Age was written to demonstrate what a complete market scope report looks like. With our platform we (you) can easily generate such a report for any category/topic you like. Maybe a compilation of all 321 vendors with SIEM products? Or the 70 vendors that produce HSMs?

New AI Security vendors added since the publication of Guardians.

As mentioned there are 37 new AI Security vendors added to our database since the publication of Guardians of the Machine Age on March 11. In the next several Substack posts I will provide summaries of each one. Today we start with the following five. Listed alphabetically to make it easy to incorporate into Appendix IV in Guardians.

Above Security recently raised $50 million in funding to enhance its AI-native platform designed for managing insider threats. The investment was led by Ballistic Ventures, Merlin Ventures, and Norwest, with the company aiming to scale its operations and expand its market reach. Don’t forget that, while insiders pose a real and present danger, an outside attacker seeks to gain the same privileges as an insider.

Adversa operates a red teaming platform designed for continuous adversarial testing of agentic AI systems, generative AI applications, and AI models. The platform simulates adversarial behavior in real time to discover exploitable vulnerabilities, including zero-day weaknesses in agent interactions, AI reasoning, coordination, and autonomy before they become breaches. The company provides capabilities for investigating, reproducing, and prioritizing remediation efforts for discovered AI vulnerabilities.

Aether AI presents itself as an AI-driven offensive security platform that continuously tests an organization’s attack surface across internal and external vectors. The product is positioned as an alternative or complement to vulnerability scanners and traditional red-team engagements, with emphasis on automated, persistent testing. It cites performance claims including finding more vulnerabilities than human pentesters, faster execution than traditional red teams, lower cost than manual testing, and faster detection-rule generation than SOC analysts.

AI Score is an enterprise AI governance and risk management platform focused on visibility, oversight, and control across an organization’s AI usage. The product connects data, tools, and teams to identify where AI is creating value, creating risk, or operating outside policy.

They aim to provide real-time risk detection, compliance monitoring, performance insight, and centralized governance rather than model development or deployment tooling. The company highlights enterprise deployment and security features including single-tenant architecture, broad integrations, SAML SSO, role-based access controls, and options for on-premise or private deployments.

AISOC is an AI-assisted security operations platform that ingests and contextualizes SIEM alerts to help security and IT teams investigate incidents more efficiently. The company positions the product around alert triage, anomaly detection, case creation, and dashboard-based visibility into incidents, suppressions, notifications, and processing times.

If I continue to post new vendors at the rate of five at a time I may never catch up. So the next post will have ten vendors.

These posts will mean a lot more if you have your copy of Guardians of the Machine Age handy. Get it here.

If you are already a subscriber to the IT-Harvest Dashboard you can visit each of these vendors’ pages at the links below.

Above Security

https://dashboard.it-harvest.com/vendor_details/28874

Adversa

https://dashboard.it-harvest.com/vendor_details/26648

Aether AI

https://dashboard.it-harvest.com/vendor_details/28876

AI Score

https://dashboard.it-harvest.com/vendor_details/28819

AISOC

https://dashboard.it-harvest.com/vendor_details/28829

Exciting news. Here is the Press Release. You can get your copy at Amazon.

The only book to cover the entire AI Security space as of two weeks ago.

Last April I wrote about the coming Intelligence Explosion as predicted in the AI 2027 Scenario.

Here are more predictions based on the concept of the intelligence explosion described in AI 2027. Keep in mind that we are talking about the biggest technological shift in our lifetimes; bigger than the internet, mobile computing, virtualization, and cloud computing. So there are going to be outsize changes in the landscape.

-By the end of 2026, 95% of all SOCs will use AI agents including those of MSSPs. In other words, most medium to large companies will see a dramatic decline in their security spend and will no longer need a large percent of their security teams.

Well…

That post ruffled some feathers. Chime in there if you have thoughts about my prediction.

When Security Yearbook 2025 went to press last January we tracked 80 vendors in the AI Security category. By April, I reported the number was 96. When I sat down to write Guardians we were up to 295. To get to that number I had to go back to look at the 512 vendors founded in 2022-2025 and had to re-categorize many to AI Security. I only started tracking AI Security as a separate category in 2024.

When the manuscript for Guardians was complete two weeks ago there were 378 AI Security vendors.

Today we track 407 AI Security Vendors.

The companion site to the book, guardiansofthemachineage.com, has profiles of 610 vendors because it also includes legacy vendors that have pivoted to AI Security or have introduced AI Security products. One more prediction: within 12 months more than 95% of vendors will be AI Security.

Writing a book is like creating a startup. It requires a business plan, a product, marketing, and sales. It also takes investment. The investors in Guardians include our sponsors:

Surf.ai launched this morning with $57 million in backing. I will be signing books in their “Surf Shack” in San Francisco at 1 PM on Tuesday, March 24. Grab a spot here: rsvp.surf.ai.

I will be signing books at a dinner hosted by Quilr on the 24th. Reach out if you want an invitation.

And our advertisers: Ridge Security, Mindgard, and Enzoic.

If you research the cybersecurity industry or need access to a complete database of cybersecurity products. Reach out via dashboard.it-harvest.com

Last year’s winners demonstrated how a data platform such as the IT-Harvest Dashboard can identify the up-and-comers. Eight have grown beyond the inclusion criteria. Cyera, the data security posture management (DSPM) leader grew 115% and announced yet another round of $400 million, bringing their total investment to $1.7 billion. Calcalist reports they are valued at $9 billion.

Methodology

We simply set up a filter for vendors with a minimum of 50 head count and a maximum of 500. That provided us with the list of 811 vendors including last year’s cyber 150 awardees. After removing those that had grown past 500 head count there were 767 vendors between 50 and 500 HC with positive growth last year. In the top 150, two had already been acquired. SGNL by Crowdstrike for an astounding $740 million, and Koi by Palo Alto Networks, Feb 17, 2026 at $400 million.

Head count is determined by monitoring LinkedIn data for each company.

The Winners

Here is a Google Sheet of the 150 winners of this year’s award. The smallest growth recorded was 25%, very similar to last year’s 24%.

And here are short descriptions of each of the top ten taken from the Dashboard.

TENEX.AI provides next-generation Managed Detection and Response (MDR) services that combine artificial intelligence with human expertise to detect and respond to enterprise security threats. The platform operates as an extension of client teams through proactive threat management, continuously identifying vulnerabilities and emerging risks to implement defenses before threats impact operations.

XBOW provides an artificial intelligence-powered penetration testing service that conducts autonomous security evaluations of applications. Their platform employs multiple specialized artificial intelligence agents operating collaboratively to identify, analyze, and exploit security weaknesses within digital assets. Each agent functions independently yet coordinates within a centralized management framework that guides systematic examination of applications’ full scope.

Sublime Security, a 2025 winner, operates an adaptive, AI-powered email security platform that deploys autonomous agents to detect, triage, and respond to email threats. The platform uses specialized AI models including natural language processing and computer vision to identify and prevent phishing attacks, business email compromise (BEC), malware, and novel threats.

Fable, founded only in 2024, combines AI, behavioral science, and adtech to manage human risk in enterprises. The platform identifies risky user behaviors and delivers real-time, personalized interventions designed to change security-related actions and decisions. These interventions include AI-generated training content, nudges, two-way chats, workflows, and simulations delivered directly within employee workflows. Listen to my podcast with CEO Nicole Jiang-Gibson here.

Noma Security provides unified AI and agent security and governance across enterprise AI environments, delivering visibility and control from model development through application runtime and autonomous agents. The platform performs continuous discovery of AI assets and agents within organizational environments, offering deep contextual understanding of agent profiles including toolsets, functionality, data access permissions, and operations.

Adaptive Security only passed 50 people in November of 2024. Today it is at 187 and it grew 180%+ last year. OpenAI invested in Adaptive in April. It operates a platform designed to train people and organizations against threats most likely to target them. The company offers two primary products: Adaptive Phishing and Adaptive Training.

VulnCheck raised an additional $25 million in February. It operates as an exploit intelligence provider focused on addressing vulnerability prioritization through automation-first delivery mechanisms. The company maintains a continuously updated database containing over 400 million records spanning all documented Common Vulnerabilities and Exposures, sourced from approximately 500 distinct channels. Their system automatically gathers vulnerability and exploit-related information at the moment of public disclosure, refreshing the entire dataset every eight hours without manual intervention requirements.

Formal operates as a protocol-aware reverse-proxy for datastores and APIs, enabling security teams to understand and control data access within their infrastructure. The platform deploys within customer VPCs as a single distroless Docker image, ensuring data never flows through Formal’s systems and remains under the organization’s complete control.

Prophet Security develops an AI SOC Platform powered by an agentic AI SOC Analyst that autonomously triages and investigates security alerts. The platform performs alert triage by determining severity levels, prioritizing alerts based on importance, and providing remediation steps that integrate with existing workflows. It gathers evidence across security infrastructure and correlates data from multiple sources to build comprehensive investigation plans

CleanStart provides a repository of secure, lightweight container images designed to help organizations build safer software supply chains. The images are minimal, hardened, and continuously verified to reduce risk and streamline deployment.

How many were repeat winners?

There were a handful of the 2025 Cyber 150 that graduated by exceeding 500 head count. Eight to be exact:

There were 47 repeat winners of the Cyber 150 Award. Keep in mind that it is much harder to grow by the same or more in percentage terms when you are a bigger company. Kudos to these 47. Here are the top ten:

Half of these took in new funding to fuel their growth. Indeed, 24 of the 47 received new funding in 2025.

What about Categories?

It is astounding to me that AI Security led in number of vendors per category in this year’s list. I should not have been surprised after compiling 378 AI Security companies for Guardians of the Machine Age: Why AI Security Will Define the Future of Digital Defense. (Available this week on Amazon.)

Here is the breakdown by category.

Guess the country distribution.

You guessed it. The USA leads, followed by Israel and the UK. Here are how all the countries are represented by the 2026 Cyber 150.

Going to RSAC 2026?

Thirty-nine of the Cyber 150 will be exhibiting at RSA Conference 2026 the week of March 23. I have noted those in the spreadsheet with booth numbers. Or you can see the full list in the 2nd tab.

Do you sell to cybersecurity companies?

If you offer marketing services to cybersecurity companies you can see the value of this data. Or you may be a recruiter or responsible for getting sponsors for your own cybersecurity events or CISO dinners. While 150 prospects is a great start, think what you could achieve if you had access to data on 4,000+ vendors and their products. Reach out to set up a demo of the only platform for researching the entire industry, dashboard.it-harvest.com.

What he linked to is a blog post by Matt Shumer that follows on from numerous such posts from those creating the AI revolution. There is a feeling in the air that the Intelligence Explosion is nigh.

In other words, the scenario that I wrote about last April is happening right on schedule. In the AI 2027 report it was projected that by 2026 AI would be used more and more to create the next LLMs. As Shumer notes that is exactly what happened in the creation of OpenAI’s latest model, 5.3 Codex.

Shumer attempts to convey the rapid progression of AI models:

In 2022, AI couldn’t do basic arithmetic reliably. It would confidently tell you that 7 × 8 = 54.

By 2023, it could pass the bar exam.

By 2024, it could write working software and explain graduate-level science.

By late 2025, some of the best engineers in the world said they had handed over most of their coding work to AI.

On February 5th, 2026, new models arrived that made everything before them feel like a different era.

Read Shumar’s thoughts before turning to the microcosm of cybersecurity.

When I wrote in April How Does an Intelligence Explosion Impact the Future of Cybersecurity? the IT-Harvest Dashboard tracked 96 AI Security vendors with 15 of those focused on SOC Automation.

As I get ready to go to print on Guardians of the Machine Age: Why AI Security Will Define the Future of Digital Defense, we track 375 AI Security vendors. Almost all of them founded since 2022.

There are 58 companies tackling SOC Automation. They have received over $1.3 billion in funding.

2026 is the year that AI security will become part of every organization’s security tool kit. They may be small projects to begin with but as they begin having an impact on security outcomes AI Security solutions will take over our industry. By this time next year there will be no sense to tracking “AI Security” as a stand-alone category. Every vendor will be AI Security.

After a four year hiatus Momentum Cyber, the industry’s top investment banking firm, has published its Cybersecurity Almanac again. Free to download with no forms to fill out. This impressive report documents the entirety of 2025 in 100 pages of data and charts. It includes lists of all the acquisitions as well as funding rounds. Who needs Security Yearbook when you have this?

The highlights:

• In 2025, $96B deployed across 400 M&A transactions – both the highest marks ever

• ❑ Deal value was up 270% in 2025, while deal volume was up 22%

• ❑ Q1 2025 marked the largest pure play cybersecurity M&A deal of all time for $32B (Google acquiring Wiz)

• ❑ Q2 2025 witnessed the highest quarterly transaction activity on record with 109 deals

• ❑ Q3 2025 witnessed the largest M&A deal volume ever with a total value of $44.2B

• ❑ Cloud-native / SaaS deals accounted for 59% of the volume and 97% of M&A capital deployed

• ❑ Strategics are back and retook the M&A mantle from Private Equity, accounting for 92% of disclosed M&A value and 59% of deal count

Four hundred transactions means that 10% of the entire industry turned over in one year. That is amazing.

What about new investments? Look at these numbers:

$20.7 billion invested, $2 billion more than IT-Harvest projected earlier in the year. That marks the best year in cybersecurity investments since the record 2021.

One of the most impressive things to me is the effort Momentum put into revamping their taxonomy. Here it is:

You can see the taxonomy applied to the vendors they track here. You can also download the massive infographic of 1,000 logos arranged to this taxonomy.

This is a momentous work. Congrats to the authors!

The first awards for the IT-Harvest Cyber 150 went out last January. Let’s check in to see how they did. The purpose of pulling together this list was to demonstrate the value of a data-centric approach to studying the cyber security industry. We simply take a look at all the vendors in the size range of 50-500 people. Then we sort them by growth and take the top 150. If you were an investor or PE firm this would be a great place to start.

After a complete year:

These seven have graduated out of consideration for the 2026 award because they exceeded 500 people.

Cyera, the data security posture management (DSPM) leader grew 115% and just announced yet another round of $400 million, bringing their total investment to $1.7 billion. Calcalist reports they are valued at $9 billion.

With the Cyera investment the total received in 2025 for 39 of the Cyber 150 surpassed $4 billion. Over their collective lifetimes the Cyber 150 have taken in $11.5 billion in investments.

121 of these vendors continued to grow this past year. In 2024 they all grew over 24% but 29 of the 150 retrenched in 2025. Some are cause for concern and their investors should be calling for status updates. The biggest losers were actually all winners because the drop in headcount was the result of being acquired!

Check back in to see the 2026 Cyber 150 list shortly. Or, if you are a subscriber to the IT-Harvest Dashboard, you can set up a filter on companies between 50 and 500 employees and look at the top 150 fastest growing.

I had already come to the conclusion that, in the age of AI, it was too risky to the IT-Harvest business model to publish a complete up-to-date directory of all 4,000+ cybersecurity vendors every year. The amazing value we have built into the IT-Harvest Dashboard rests on an accurate list of all vendors, a list that took 5,000 hours of my time (not to mention the team’s time) to create and maintain. I envision some entrepreneur grabbing a free copy from one of the book signings at RSAC, scanning the directory, and creating their own database of the vendors, categories, locations, size, and growth rates that appear in the back of the book. It would be the fastest way to jump start a marketplace or compete directly with IT-Harvest. So the decision was made earlier in the year to stop publishing the Directory. Security Yearbook 2025 is the last edition to include the full Directory of 4,000+ cybersecurity vendors.

Every year I clear a week in November to pull together Security Yearbook. Then, when the final data is captured at the end of December, I finalize the manuscript and get it to the book designer by January 15 so we can print the book in time for the RSA Conference. What was I to do with that week I had scheduled in a cheap hotel in Mackinaw City?

The most dramatic change to the security industry is in the early stages of impacting everything. We only started tracking “AI Security” as a separate category in early 2024. In preparation for writing week I went back to look at the 512 vendors founded in 2022-2025. I looked at every one of those to extract all the vendors that are leveraging AI to either provide security for AI, or apply AI to security tasks. There are 290 in total.

Here then, is the good news. I am writing Guardians of the Machine Age: Why AI Security Will Define the Future of Digital Defense.

I am in the get-words-on-the-page stage so not ready to reveal the ToC or complete details. One thing will stand out though. This is the first time that all the players in an industry category will be included in an extended market scope. Instead of cherry-picking representative vendors in a report, this book will summarize our data on all 290 companies that make up the AI Security space. It will probably have to be updated next year as at least 50 of these will be acquired by then, to be replaced by at least 50 funded startups.

Guardians of the Machine Age will go on sale in mid-January. You will be able to get a signed copy from one of the sponsors’ booths at RSAC in March.

So, the most common use case among resellers for the IT-Harvest is “find the next Crowdstrike.” Since we strive to curate data on all cybersecurity vendors (4,011 today), ours is the best platform for identifying the rising starts early. The Cyber 150, published every year in the Security Yearbook, is a quick and dirty way to track the up and comers. It is comprised of cybersecurity vendors with between 50 and 500 employees sorted by growth rate.

But there are other measures.

Is at least one of the founders a successful entrepreneur with multiple exits?

Is the company backed by venture capital with a track record of backing unicorns?

Resellers, unlike VCs, are not looking to invest their efforts in a quick flip. They want to build a partnership that generates long-term returns. Like a Check Point, or Crowdstrike, it must grow and IPO, and stay independent.

Researching the space for rising stars was always a primary use case for the Dashboard. But this past week I discovered another.

Using Stack Analysis for Reseller Portfolios

A mature reseller likes to have a complete portfolio. That could mean coverage of all the Categories with expansion into subcategories. At least 18 vendors then, one for each of the 18 Categories.

There are many subcategories under these for which specialized vendors are needed. Under Data Security for instance there are vendors of encryption, key management, HSMs, and erasure.

I recognize that most resellers evolve and grow with customer demand. They add tools to their portfolio over time as certain threats rise in importance or a new regulation arises.

So the new use case, similar to Security Stack Analysis, introduced last week, is to analyze a reseller’s portfolio for overlaps and gaps in coverage.

I created a representative reseller portfolio by adding all the products from 18 vendor partners to a Stack.

Our tool automatically maps the 41 products to subcategories and shows the mix of countries they come from.

Another useful view is our layered defense framework.

You can also look at MITRE ATT&CK coverage for all the products.

And finally, NIST CSF 2.0 mapping.

It’s pretty easy to glance at these images and see the primary focus of a reseller’s portfolio. This one is concentrated on Protect. Perhaps the company should be looking at more partners to broaden its coverage.

If you think about it. Resellers and MSPs are going to use the Stack Analysis Tool to help their customers make sense of their own Security Stacks. The reseller will identify gaps. Wouldn’t it make sense to have products in their portfolio to fill all those gaps as they are revealed?

Ludovic Leforestier was kind enough to quote me in this piece he published today titled What is The Role of Industry Analysts in an AI-Driven Market? Ludovic is the co-founder and board member of the International Institute for Analyst Relations (IIAR). He also founded Starsight, an industry analyst influence agency.

When it comes to the question of what impact AI is going to have on the analyst industry, Ludovic proposes and assigns probabilities to three “plausible directions.”

1. Brave new world: (Gen)AI becomes the interface for research. Clients browse, query and consume insights through intelligent platforms — and every interaction leaves a trace. (.3)

2. Gartner disrupts itself, moving faster than anyone else. It leverages AI to streamline and reskill its teams and outpace the competition. (.5)

3. AI makes raw research a commodity, and only analysts with sharp advisory skills or a strong personal brand thrive. (.7)

I want to expand on number two above: the idea that Gartner disrupts itself.

Gartner is lucky in that the majority of its customers self-attest to being late adapters. That means Gartner has plenty of time to wake up, develop different approaches, even make an acquisition if a competitor cracks the AI nut and starts to disrupt Gartner’s stranglehold on the market for advisory services. As long as Wall Street can exhibit patience, Gartner does not have to move fast.

But what is the disruption that is coming? It is most emphatically not vectorizing research reports in a RAG to power a chatbot. If Gartner analysts were to publish an AI Readiness Maturity Model (AIRMM) the zero stage would be having a RAG chatbot. (For the record, that’s where IT-Harvest was on January 21, 2023. Read: Catching the ChatGPT Wave.)

As a reminder, I have written two popular books on the world of industry analysts. They are:

UP and to the RIGHT: Strategy and Tactics of Analyst Influence.

and

Curmudgeon: How to Succeed as an Industry Analyst.

Since we are talking about Gartner let me propose what they would call a stalking horse:

The future of the industry analyst business is the long tail. Corollary: scaling to cover all of the vendors in technology requires the assistance of AI.

The analyst industry was born when computers entered the business world. Gideon Gartner left Wall Street in 1979 with the concept that his startup would offer Buy-Hold-Sell advice to clients in the market for technology. Think about the tech space back then. Apple did not go public until 1980 and Microsoft IPO’d six years after that. Gartner analysts were experts on the enterprise technologies of the day. IBM, Ahmdal, Burroughs, Honeywell, Univac, NCR, and Control Data Corp battled it out for enterprise sales.

Big business had to make multi-million dollar choices and they called on Gartner to guide them. (Or IDC, Forrester, Yankee Group, etc.)

If you step back and look at the model it was solely focused on acquiring deep expertise in the dominant market players and charging significant fees for decision advise.

Gartner was built — and thrived off of — the forever growing technology market. Every new generation of technology creates demand for advisory services.

Gartner grew dramatically along side the tech space. When I left Gartner in the summer of 2004 its stock (IT) was trading at 12. By the beginning of 2020 it was at a high of 160, a 12.3X increase. After a short correction due to Covid it rocketed up to its all time high of 538.54 at the beginning of this year. But it dropped steadily until August 5th when an earnings call raised questions about the impact of AI on Gartner’s business. Wall Street was not happy with that call. The stock dropped an additional 28% the same day and hovers around 250 today.

I believe its the explosion in technology solutions that is causing a problem for industry analyst firms. There are too many vendors for analysts to cover. In the niche of cybersecurity I count 3,966. HRtech is comprised of 7,000 vendors. Marketing tech has 14,106. Fintech has tens of thousands of vendors. I can’t even begin to estimate the number of AItech companies, but one vendor in AI Governance counts 2 million artifacts that indicate if an enterprise is using AI products.

In cybersecurity Gartner only covers 144 vendors in Magic Quadrants. The long tail is the other 3,822 vendors. George Colony, CEO of Forrester has publicly confirmed that they will not cover a vendor if its revenue is less than $50 million, the exact opposite of a long tail strategy.

The model of covering only the large vendors means a limited customer base. Gartner has 15,000 or so enterprise customers. That’s a great number, it implies $400K in revenue per customer. But which analyst firm can serve the other million or so enterprises world wide?

During a time of rapid technological advance there is extremely high interest in emerging tech. Even stodgy old companies have pockets of innovation. They track developments in quantum computing, AI, robotics, and space systems. Where are they going to get guidance and advice?

My contention is that an analyst firm should track all tech companies and their products. I estimate there are 250,000 vendors and somewhere around a million products. It would be unwieldy and probably not profitable to attempt to cover all of them with today’s methods.

AI and automation to the rescue.

We know exactly how to put AI and automation to work to tackle this problem. It took us three years to figure out. Even within the microcosm of the cybersecurity niche it’s expensive. Because of that head start, we think it could be done in 24 months. Investment to develop the tooling could be as high as $30 million. But with careful planning, and tackling each segment sequentially, the data gathered could be quickly monitized.

What about the threat from the foundational models? Will OpenAI, Anthropic, Perplexity, or Google, discover that there is a $50 billion market for technology data and advisory services? That’s a small number compared to the trillions represented by material science, or medical innovation. But there is always the risk that one of the LLMs will just be good enough. I test every model when it comes out.

Here is a simple test: I asked GPT-5, “create a list of all the hardware security modules (HSMs) on the market today. Be exhaustive, create a csv file listing the product name, company name, country of headquarters.”

GPT-5: I’m sorry — I’m unable to create an exhaustive CSV list of all hardware security modules (HSMs) on the market today.

Would you like me to pull together a representative list of major HSM products (say ~20-30), including product name, company, and HQ country, and provide it in CSV format?

When I said “sure” we get:

Product Name,Company,Country

nShield 5c,Entrust,USA

nShield 5s,Entrust,USA

nShield Connect,Entrust,USA

Luna Network HSM,Thales Group,France

Luna PCIe HSM,Thales Group,France

Luna USB HSM,Thales Group,France

PayShield 10K,Thales Group,France

YubiHSM 2,Yubico,Sweden

YubiHSM 2 FIPS,Yubico,Sweden

CryptoServer CP5,Utimaco,Germany

Atalla AT1000 (Payment HSM),Utimaco,Germany/USA

Vectera Plus (General-Purpose HSM),Futurex,USA

Excrypt Plus (Payment HSM),Futurex,USA

SecureKey HSM (Atalla line embedded),Utimaco (Atalla),USA

IBM 4769 (PCIe Cryptographic Coprocessor),IBM,USA

IBM 4768 (PCIe Cryptographic Coprocessor),IBM,USA

Not bad. 16 products from five vendors. Our answer? There are 139 HSM products from 71 vendors world wide in our database. If you are shopping for a HSM I believe starting with an exhaustive list, not a representative list, is the best approach.

Gartner creates whole new categories at a tremendous clip. One of my pet peeves is that an analyst will recognize a few similarities in the briefings they sit in on with emerging vendors. They make up a new category, implying that someday there will be a Magic Quadrant. They then pick 10 or 15 “representative” vendors to illustrate their thesis that there is a new category. Today the three letter acronym space (TLA) has been exhausted so they are starting to dip into four letters, thus ASPM, DSPM, CSPM, or even five letters, CAASM (Cloud Asset Attack Surface Management).

What they don’t do, because they don’t have the data, is publish a complete list of all the vendors that fall under that category. Take for instance Cloud Security Posture Management (CSPM), coined several years ago. We re-ingest cybersecurity product data from 4,000 vendors every quarter or so. As vendors update their marketing, they self identify as having products in the new category and only then do our search results match the new acronym. Here is the current search result for CSPM.

There are 109 CSPM products from 92 vendors. If an analyst firm is going to create a new category they should be in a position to acknowledge all of the players in the space and track them all the way to IPO, acquisition, or death.

Wake up call.

When trillions of dollars are being spent and created, when massive data center projects are kicking off to support it, when thousands and thousands of startups are jumping on the AI bandwagon, old school businesses should sit up and pay attention. We are at the very beginnings of the biggest technological upheaval of our time.

AI, even in its early stages of utility, is the most impactful of technology changes to occur since the 1947 invention of the point-contact transistor.

As during every other technological revolution, the old guard will pass away to be replaced by the innovators. Looking at the analyst industry it is obvious to many that it is ripe for change.

My initial reaction garnered more reactions and views (32,831) than any comment I have ever made.

Microsoft hired Igor Tsyganskiy as Global CISO in 2023. He went on to reorganize the security function at Microsoft, adding 14 Deputy CISOs. I looked into it hoping that this move could guide other CISOs only to find that it was just a typical large enterprise division of responsibility by business unit. Nothing to see here. Microsoft just created a hierarchy of dCISOs, one for each business unit. This is what most organizations do. You can see ads for bCISOs which stands for Business Unit CISO, usually reporting to a Global CISO. I am pretty sure that Roman Legions were organized the same way. It took 1,500 years for Napoleon to innovate the general staff concept.

All of which gives rise to the questions: How should a security team be organized?

Organizing by BU is one way, but is there a better way?

Say you are not Microsoft, which we cannot forget is a vendor. They are not representative of Big Banks, Big Oil, or Big Pharma.

One strategy is to organize by mission. To keep it simple, I propose that mission is to fight and win an ongoing battle with attackers. That leads me to thinking in military terms. In other words by function and tools. Like army, navy, air force, and space.

Here are my proposed 14 domains for security organizations.

1. Intelligence and Detection Engineering

2. Identity

3. Hygiene

4. Endpoint

5. Network

6. Infrastructure

7. Application and Product

8. AI and Data

9. GRC

10. Incident Response

11. Security Architecture and Engineering

12. Supply chain

13. OT/IoT

14. Operations (SOC)

What would you add to this list? Would you take anything away?

NIST CSF 2.0

MITRE ATT&CK

CIS

The IT-Harvest Layered Defense Model (new)

Creating a security stack analysis is the most frequent request we get from security teams and consultants. We have had the ability to provide this type of analysis for over a year but it still took a lot of work to create a report. Now, the only work involved is choosing your product stack from the 11,326 products in the database. All the mapping is taken care of.

For an example I created a representative security stack from scratch. I started with my spreadsheet of all 267 products that appear in Gartner Magic Quadrants that we created so I could write 10,000 Cybersecurity Products. You can see the chart of vendors per MQ in that post. Here is the resulting stack:

Then I simply navigate to each vendor’s product page in the Dashboard and add the products to a “Stack” that I had previously named.

It took 30 minutes to do this the first time for 17 products. A typical stack has at least 60 products in it so it could take two hours to accomplish this. But you could break the task up between team members to shorten that time. Ask a consulting firm to do that and they will quote a multi-month project.

For each stack you get a top level view like this:

Note the Security Coverage Map, a view we had to create because most people want to see coverage by product category too. Also note the Vendor Geographic Distribution.

Scroll down to see the Vendor Risk Summary:

These are derived from the individual scores for each vendor provided by Black Kite.

Now let’s look at the NIST mapping.

You can quickly get a general picture for overall coverage.

Govern has 23% coverage, Identify 85%, and Protect 83%.

Hover over a specific Subcategory to drill in:

In all, each of the ID.AM Subcategories are covered leading to 100% for the asset management requirement. There are six products that apply to asset management data flow (ID.AM-03). A security team may want to look deeper at the implementations of those products. Is there a way to consolidate any of those products?

Exploring the Subcategories that have no mappings reveals a lack of physical security controls from the Security Stack.

PR.AA-06, PR.IR-02, PR.PS-03, and DE-CM-02 all deal with physical environment security. It may well be that cabinet lock monitoring and CCTV cameras are in place but were not included in the Security Stack inventory, so not a problem. But that should be documented and included in any NIST coverage attestations.

Those who have tracked out progress since the initial launch of the Dashboard in March, 2022, will recognize this as the most impactful update yet to our platform. While the Dashboard is still extremely valuable for VCs and PE firms for investing decision support, vendors for OEM discovery and competitive intel, search firms for sourcing, and marketing services for client research, this new capability expands the value for security teams and consultants that serve them.

Quick demo of the security stack analysis here.

Once you have collected a list of all the vendors in cybersecurity, a new realm of possibilities opens up. Using automation and AI you can ingest and normalize product descriptions. A database of 11,326 cybersecurity products allows you to answer questions like: find all the hardware security module (HSM) solutions. There are 139!

Once you have all the products in a database you can do additional processing, like mapping to compliance frameworks. We launched the product database in late 2023 with mappings to MITRE ATT&CK and have since layered in MITRE Mitigations.

Every CISO we showed this to asked for NIST Cybersecurity Fraemwork mappings. We announced that on July 12 of 2024 (Yes! We have NIST!) If, during an audit or survey of your NIST coverage you discovered a subcategory that you lacked controls for you can now immediately search based on Category or Subcategory!

There are also new questions that you can ask. Which NIST CSF Category has the most solutions? Which has the fewest? Well…

For the first time ever. Here are the number of solutions per NIST CSF Category.

And in table form:

Some observations. The creators of the Cyber Security Framework did not have visibility into the entire solution space. Perhaps a product focused lens would have created a different hierarchy.

No surprise that Continuous Monitoring has so many solutions (5,943). It is a feature of many other products from other Categories.

One big surprise is that the Governance Category is so thinly covered. A surprise because GRC is the biggest category for vendors with 601 out of 3,956 tracked in the Dashboard.

There is no way that having products in your security stack that map to all the Categories means you have full coverage. You would need to have products that map to all of the subcategories. To see that, reach out for a demo.

If you sum the column for # of Solutions you get 36,958 which indicates that the average product covers 3-4 subcategories. In other words, you don’t need a stand alone product to map to each of the 135 Subcategories. Maybe 33-45 tools should be the goal for adequate NIST coverage?

Of course there are many tools that will not map to any NIST subcategories, but are still essential to operations.

Next up we are going to introduce a capability that will be welcomed by many security teams. The problem to be addressed is product rationalization. I have talked to a UK bank that has 750 tools. Most estimates put the average enterprise having 60-75 cybersecurity tools. I think the number is greater than that. There is growing demand to rationalize or at least optimize tool sets. Consultants are being paid hundreds of thousands to engage in projects that identify, map, and expose gaps and overlaps.

One approach would be to map an entire security stack to NIST CSF 2.0. If certain subcategories seemed to be overly covered that may guide an organization’s efforts to eliminate redundant tools. Or, there may be significant gaps in coverage indicating the need for more tools.

If you had all the mappings in one place couldn’t you build a tool to instantly complete this task? If you did, what would it look like? We have some ideas. Stand by…

Update. October 20. See the announcement and demo of Security Stack Analysis.

Today at Noon Eastern I presented presented a webinar on the current state of the industry.

As of the end of the third quarter 2025 the IT-Harvest Dashboard tracks 3,952 active cybersecurity companies with an additional 613 that have been archived because they were absorbed into another brand or have otherwise ceased operation.

This is how the industry stacks up by major category.

In Q3 AI Security surpassed IoT security in number of vendors. We now track 172 AI Security vendors. If you are not familiar with the fastest growing AI Security vendors you should check these out.

Legion Security’s growth is not a typo. They started the year with one employee. There have already been twelve acquisitions of AI Security vendors over the last year. Five of those in September.

Note that two of the Cyber 150 are included in the list. (We track and publish the 150 fastest growing mid-size vendors and publish the list in Security Yearbook every year). I will be talking about each of these fastest growing vendors in today’s webinar.

Total investment so far this year is $12.9 billion. This is on track to exceed 2024 investments of $16 billion.

See the accompanying webinar here.

The end of November, 2022, marked the beginning of what has become the biggest boom in the cybersecurity industry. One company notably foresaw what the introduction of ChatGPT would bring. That was ProtectAI, which, according to its founder, Ian Swanson, had early access to the OpenAI Playground. ProtectAI received funding in December of 2022 and exited to Palo Alto Networks in April of this year for a reputed $650 million.

Including Protect AI there have already been eight acquisitions of AI Security startups. With 160 vendors tracked in the IT-Harvest Dashboard it is easy to predict there will be many more acquisitions. There are more AI Security companies tracked than IoT Security companies (150). We only created a category for AI Security 18 months ago.

What is an AI Security Vendor?

We have defined the AI Security category to be inclusive of “AI for security” as well as “security for AI.”

Security for AI is all of the products meant to protect AI models in their creation and use. This is where Protect AI sits. For the most part, the foundation model companies like Anthropic or OpenAI recognize their own security issues and have the expertise to address them. But implementers within the enterprise may have dozens or hundreds of projects each with their own versions of commercial and open source models. These need protecting.

Company data also needs to be protected. The Guardrail providers can be thought of as DLP for AI. In other words, they monitor either prompts or responses for PII, corporate confidential information, medical records, etc. These products generate alerts and/or block the data from escaping.

Surprisingly, AI Governance, almost matches Guardrails. Part of the reason for this was the very fast response to the rise of large language models by the EU who passed the EU AI Act in August of 2023. Beyond regulations, buyers are asking vendors to attest to their use of AI in their products and services. That will be fertile ground for AI Governence vendors.

Here is how the vendor space appears today. There are 160 stand-alone AI Security vendors. They have taken in a total of $2.15 billion. There are also older companies that are pivoting and rebranding as AI Security companies. There are many large vendors that, through acquistion or innovation, have added AI Security tools as well.

The SOC automation category is easily the most exciting to track. It has the potential for completely disrupting multiple categories such as SIEM, XDR, Security Analytics, and Operations. Every SOC Automation company I have talked to has paying enterprise customers since the beginning of this year.

There has been $660 million invested in 26 SOC Automation vendors to date. But don’t discount the boot strapped vendors like Imperum in Amsterdam which has grown organically to $1 million ARR since the launch of its “AI-driven autonomous Sec-Ops” platform in January 2024.

Here are the fastest growing SOC Automation vendors by head count.

That is not a typo for Legion Security, they just started the year at a low number. Legion deploys a browser extension that can train an agent on any repetitive task, which makes it great for SOC automation. An expert repeats the same workflow three or four times. The agent learns it. Then it can be observed on its own and finally cut loose to work in the background.

Here are the 21 vendors providing Guardrails. While SOC Automation presents an opportunity to reduce costs, increase effectiveness, and get ahead of the attackers, Guardrails address the concerns enterprises and school systems have that AI will be abused. It provides a control layer, often itself powered by AI.

A total of $220 million has been invested in Guardrails to date. Note that Prompt Security was already acquired by SentinelOne on August 5 for an estimated $250 million.

M&A

Speaking of acquisitions there have been eleven twelve of AI Security startups so far, representing a total value of $2.78 billion. Five in the first half of September alone!

The land grab is on and there are still some very large companies on the sidelines without a great AI story. Splunk comes to mind after seeing their messaging at Black Hat in August where the call to action was “Build Your Dream SOC.” Never has a marketing team misread the room so badly. It reminds me of the days of Big Iron. The days of building bigger and bigger data lakes with propriatary formatting and specialized retrieval languages are gone. Send all of your logs to S3 buckets and let the AI figure it out. Splunk has to become relevent quickly in the new SOC Automation space by acquiring one of the 26 players. Don’t be surprised if they pay over $1 billion.

Watch the webinar I recorded to go along with this post.

Edits to number of acquisitions as readers provide more information. Thanks!

We don’t have an exact date for the launch because the project is growing into a full fledged platform for researching, rating, and discussing products. We are calling it an Exchange instead of a market place because IT-Harvest is not in the business of reselling any cybersecurity products.

Let’s start. Here is the landing page, populated with helpful resources like major conferences, recent research—in this case on the AI SOC, vendor competitions and recognition, and popular searches.

The real magic happens when you search on a keyword. Try “asset discovery".”

You can refine the 349 results by selecting from the choices on the left. You will also be able to filter by company location, size, category, deployments, or where the product fits in the kill chain, MITRE ATT&CK framework, or NIST CSF 2.0.

Each product page has name, description, features, use cases, deployments, even pricing info in about 30% of the results.

Everything you see here is a working prototype, not mockups, so you can see we are almost ready to launch. There are two major functions to complete: a discussion platform, and a security stack analysis tool.

This is what the Cyber Exchange Social looks like so far. At launch you will be able to post your questions, thoughts, and recomendations. This will be heavily policed to prevent vendors from flooding the network. One way to do that is a paywall. Only paying subscribers get to leave comments. Twenty dollars a month is not a high barrier but it will keep most of the spammers out.

There are going to be premium functions too. One of them will be the ability to build your own security stack and get a gap and overlap analysis. This is something major consulting firms charge tens of thousands of dollars for.

Sign up for the announcements and to get early access. Make sure you already have a Product Hunt account so you can vote for HarvestIQ on launch day. :-)