AI Cybersecurity Is Moving from Hype to Proof as Investors Demand Real Outcomes

Written by:
Vishwa Pandagle
Cybersecurity Staff Editor
Key Takeaways
  • AI can automate alert triage and reduce workload, but only if it changes how investigations are done instead of leaving everything to analysts. 
  • Investors are no longer satisfied with AI as a feature; they want to see measurable operational outcomes.
  • They are actively moving away from AI “wrappers” that don’t fundamentally change how work gets done.
  • Saurabh notes that investors are looking for early operational signals as proof that ROI will follow.
  • In MDR, beyond marketing claims, evaluating investigation quality remains a challenge, so teams look for visibility into how alerts are resolved.

Kumar Saurabh, CEO and Co-Founder of AirMDR, explains what security teams are expected to show as AI moves into real operations. Saurabh brings over 25 years of experience in cybersecurity and engineering, with a background in building detection, analytics, and large-scale security systems. 

He says that the focus for AI in cybersecurity is not just on what it can do, but what it actually changes. Teams are asked to show reduced workload, faster investigations, and consistent outcomes. 

In terms of security operations, alert triage, investigation quality, and response speed are still not working as expected. At the same time, budgets are flat, so new tools must replace existing spend. 

This conversation covers what teams can track early, what investors are looking for, and where current AI approaches still fall short in operations.

Vishwa: Your survey shows that more investors are putting money into AI cybersecurity, while expectations are rising. Compared to a year ago, what are companies now being asked to demonstrate more clearly?

Kumar: Compared to a year ago, the biggest shift is from promise to proof. Investors are no longer satisfied with AI as a feature; they want to see measurable operational outcomes. That means:

Our data shows this shift clearly: 40% of investors say cost reduction is the primary driver of adoption, and many are actively moving away from AI “wrappers” that don’t fundamentally change how work gets done.

Vishwa: With many investors expecting evidence of returns within a few years, what do you think early signs of value could look like in the first few months of using a solution like this?

Kumar: Early value shows up in how quickly a solution impacts day-to-day operations. In the first few months, teams should see:

These are leading indicators that the platform is automating meaningful work, not just augmenting it. Over time, those improvements translate into broader outcomes like cost reduction and improved threat response, but investors are increasingly looking for early operational signals as proof that ROI will follow.

Vishwa: With budgets staying flat, new solutions often need to replace existing spend. What do companies tend to stop using when they adopt an MDR service?

Kumar: Under flat budgets, MDR usually replaces legacy managed security services spend and the need to expand internal SOC coverage via hiring, but not eliminating core controls like EDR or SIEM. 

In most cases, buyers are trading out the cost of watching and triaging alerts themselves — or hiring more staff to do it around the clock.

Vishwa: Security operations continue to see strong interest. Which part of the day-to-day operations still does not work as expected for teams?

Kumar: The biggest gap is in the consistency and scalability of investigations. Lean security teams are still heavily constrained by hard-to-find expertise and limited headcount budgets, which makes it difficult to handle alert volume efficiently and maintain high-quality outcomes.

This aligns with our findings that investors are particularly bullish on security operations, with 43% identifying SecOps as the segment they are most optimistic about. AI has the potential to automate alert triage and reduce staff workload, but only if it meaningfully changes how investigations are performed, not just how alerts are surfaced.

Vishwa: There is increased scrutiny around MDR in your findings. What factors do teams consider most carefully before choosing an MDR provider?

Kumar: Trust and transparency are becoming central to the decision. With the MDR market more crowded than ever, teams are looking beyond marketing and contractual claims and evaluating whether a provider can deliver consistent, high-quality outcomes across their environment. 

That includes the ability to demonstrate: 

One of the biggest challenges is evaluating investigation quality, which is why giving buyers visibility into how outcomes are achieved is increasingly important.

Vishwa: There is growing caution around solutions that add AI without changing much underneath. What specific gaps or issues usually become visible once a team starts using such a solution?

Kumar: What becomes clear very quickly is whether the AI is actually doing meaningful work. In many cases, “AI wrapper” solutions still rely on the same underlying processes, which means teams don’t see improvements in efficiency or outcomes. 

Our data shows that over half of investors say these types of solutions have already disappointed. The gap shows up in a lack of measurable impact: 

Vishwa: As the market becomes more selective, companies are expected to stand out more clearly. What does a company need to show to avoid being seen as replaceable?

Kumar: Companies need to demonstrate defensibility through outcomes, not features. That means showing they can consistently reduce costs, automate meaningful parts of security operations, and deliver measurable results early. 

Investors are favoring AI-native platforms because they are built to deliver these outcomes from the ground up, rather than layering AI onto existing products.

In a more selective market, differentiation comes from proving operational impact, not just having AI in the product.
