How AI Impacts the Cyber Market and The Future of SIEM
<figure class="wp-block-image size-full"><a href="https://raffy.ch/blog/wp-content/uploads/2026/01/ChatGPT-Image-Jan-16-2026-03_08_11-PM.jpg"><img fetchpriority="high" decoding="async" width="800" height="533" src="https://raffy.ch/blog/wp-content/uploads/2026/01/ChatGPT-Image-Jan-16-2026-03_08_11-PM.jpg" alt="" class="wp-image-1581" srcset="https://raffy.ch/blog/wp-content/uploads/2026/01/ChatGPT-Image-Jan-16-2026-03_08_11-PM.jpg 800w, https://raffy.ch/blog/wp-content/uploads/2026/01/ChatGPT-Image-Jan-16-2026-03_08_11-PM-300x200.jpg 300w, https://raffy.ch/blog/wp-content/uploads/2026/01/ChatGPT-Image-Jan-16-2026-03_08_11-PM-768x512.jpg 768w" sizes="(max-width: 800px) 100vw, 800px"></a></figure><p>Security has always moved in waves. Not because we suddenly get smarter, but because we learn from past mistakes, identify gaps, hit limits, need to protect new technologies, and then go and do our best to solve those new security challenges with the technologies at hand.</p><p>The era of AI (let’s be clear, we have had AI for a long time; what I mean specifically is the advent of Large Language Models) has shifted many industries, but specifically security in a particularly revealing way. AI did not just give us new tools to solve security problems. It invited innovators and entrepreneurs to revisit pretty much every security technology to see if LLMs could be useful to address some of the existing challenges. But that’s not where things stopped. More interestingly, some teams used this moment to question whether the underlying approaches themselves still made sense at all. 
Not just whether LLMs could help, but whether modern data architectures, different telemetry choices, and different enforcement models could fundamentally change outcomes.</p><p>That is what has triggered a real wave of new companies in cyber, including across markets that many considered mature, or even stagnant, like SIEM.</p><h2 class="wp-block-heading">The Five Phases We Just Lived Through</h2><p>Let’s take a non-scientific look at how major security approaches evolved over the past 25 years. This is not exhaustive, but it helps explain where we are today.</p><h3 class="wp-block-heading">1. Network-Centric Prevention</h3><p>Back many moons ago, we started with firewalls, IDS, and later IPS. The model was simple. Look at packets. Stop bad things. It worked until attackers learned to look normal.</p><h3 class="wp-block-heading">2. More Data, Centralized, Higher-Level Insights</h3><p>When network telemetry created too many false positives, we added vulnerability data and authentication events and fed them into a SIEM to correlate. The results were “mixed”. Fortunately for the SIEM market, compliance and audit requirements emerged, mandating long-term log retention. This gave SIEM a durable justification, even when its security value was debated. SIEM became indispensable for visibility and forensics, but increasingly disconnected from real-time decision making.</p><h3 class="wp-block-heading">3. Back to Prevention and Response</h3><p>As SIEM alert volumes exploded and analysts could not keep up, the industry pivoted. EDR. NDR. SOAR. We all know how that played out. NDR never truly broke out. EDR became a major category. SOAR largely collapsed back into SIEM. And eventually, most large EDR vendors added a SIEM to their portfolio.</p><p>This was not convergence by design. It was convergence driven by operational gravity.</p><h3 class="wp-block-heading">4. 
AI Triggers a Reality Check</h3><p>LLMs made many believe they could simply layer AI on top of broken architectures. Some startups did exactly that. They will likely not be the long-term winners.</p><p>The more interesting group of companies used AI as a forcing function to re-examine first principles. What data actually matters? What can realistically be prevented at the edge? What must still be correlated centrally? What is structurally broken in SOC workflows? Where have we been compensating for bad architecture with human labor? Crucially, many of these answers have little to do with LLMs themselves, and much more to do with data fidelity, placement of control, and modern system design.<br> This is where the real innovation is happening.</p><h3 class="wp-block-heading">5. The Convergence</h3><p>We are now in a phase where prevention is moving back to the edge, while analytics and orchestration remain central. Endpoints are smarter. Browsers are instrumented. Networks are being re-observed. Context is finally treated as a first-class input.</p><p>But there is still a SOC. There is still a central nervous system that correlates, reconstructs, explains, orchestrates, and proves what happened. Call it SIEM, security analytics, XDR, or AI SOC. The name is irrelevant. The function is not.</p><p>In parallel, we are realizing that we can push enforcement / prevention back to the edge. Wherever we have enough information, execute at the edge. Where we don’t, call out to your central nervous system. To your brain. The brain (your SIEM) that understands, at any moment in time, the risk and function of every entity in your network. And use that information for decision making.</p><h2 class="wp-block-heading">Why AI SOC Will Collapse Back Into SIEM</h2><p>Many startups brand themselves as “AI SOC”. What do they actually do?</p><p>They primarily ingest alerts from EDR, NDR, SIEMs, and cloud platforms, then attempt to determine which ones matter. 
They add context, apply behavioral analysis, and suppress false positives.</p><p>In other words, they attempt to do what SIEM, UEBA, and SOAR were always supposed to do, just with better math and more compute. However, there is one problem. Many of the AI SOC contenders operate on alert streams. That means they start from already lossy, opinionated data. Real behavioral analysis does not happen on top of alert streams. It lives in raw telemetry. Email flows. Network sessions. Browser actions. Endpoint system behavior.</p><p>Once an AI SOC platform decides to ingest that raw data directly, it immediately recreates the ingestion, normalization, storage, and correlation problems that SIEM already exists to solve. At that point, the separation no longer makes sense. This is exactly why UEBA and SOAR collapsed back into SIEM. And it is why AI SOC will do the same.</p><p>There will be one place where data is reconciled, correlated, and turned into decisions. That place will increasingly run on federated, near-real-time architectures rather than twenty-year-old indexing engines. But its function remains the same. Call it whatever you want. It needs to be one system, not many, and it does not care what you call it.</p><h2 class="wp-block-heading">The Shift Is Not Just Technical. It Is Organizational.</h2><p>What is interesting to note about these new entrants in the SIEM or security analytics space is not just their security architecture. It is the company architecture. Modern security startups are being built on AI-native operating systems: sales calls are captured and analyzed, and not just by sales. Product teams mine them for competitive signals, marketing uses them to refine messaging, and engineering uses them to prioritize roadmaps. This is not a tooling upgrade. It is a fundamentally different operating model.</p><p>Imagine a system where the vision, mission, strategy, and priorities are centrally maintained, updated, and codified. 
Every function consumes that shared intelligence to drive decisions, messaging, and execution. This does not just improve alignment. It dramatically compresses learning cycles and execution speed. And that, more than any individual feature, may be the hardest thing for incumbents to replicate.</p><p>The post <a href="https://raffy.ch/blog/2026/01/16/how-ai-impacts-the-cyber-market-and-the-future-of-siem/">How AI Impacts the Cyber Market and The Future of SIEM</a> first appeared on <a href="https://raffy.ch/blog">Future of Tech and Security: Strategy &amp; Innovation with Raffy</a>.</p><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://raffy.ch/blog">Future of Tech and Security: Strategy &amp; Innovation with Raffy</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Raffael Marty">Raffael Marty</a>. Read the original post at: <a href="https://raffy.ch/blog/2026/01/16/how-ai-impacts-the-cyber-market-and-the-future-of-siem/">https://raffy.ch/blog/2026/01/16/how-ai-impacts-the-cyber-market-and-the-future-of-siem/</a></p>