We first wrote about the impact of generative AI on cybersecurity early this year. Since then, much of the focus has been on securing generative AI models and applications, but equally exciting is the opportunity to apply large language models (LLMs) to security use cases.
In the last several months, we’ve seen a new crop of startups emerge that leverage LLMs for a variety of security use cases, from detection and response to penetration testing and vulnerability remediation. We’ve also seen incumbent players like CrowdStrike, Microsoft, Palo Alto Networks, and Google announce new generative AI features.
In this post, we’ll dive into the biggest areas of opportunity to apply LLMs in cybersecurity and discuss how startups can compete against established players in the race toward generative AI–powered security.
What are the biggest opportunities to apply LLMs in security?
We believe LLMs will have the biggest impact on security in these three categories:
1. SOC automation
We’ve all heard it: security teams are overwhelmed by alerts. The triage, investigation, and response workflow for a security analyst is typically a manual and painstaking process that requires sifting through event and log data across multiple tools to get a clear picture of what occurred. If the alert turns out to be a true positive, determining the full impact of the incident requires even more manual effort. Some of the largest categories in security today — such as SIEM (security information and event management) and SOAR (security orchestration, automation, and response) — are aimed at improving SOC (security operations center) efficiency, yet the problem persists.
LLMs have high potential to move the needle on automating the triage, investigation, and response workflow of SOC analysts. Unlike current security automation tools that rely on building playbooks and workflows by hand, LLM-powered agents could review an alert, determine next steps to investigate, write their own queries to retrieve the required data and context, and present their findings to a human reviewer with a suggested response plan.
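To make this concrete, here is a minimal sketch of what such a triage agent loop could look like. Everything in it is hypothetical: complete() stands in for any LLM chat-completion API, run_siem_query() for a SIEM search client, and a production agent would need guardrails, output validation, and retry logic on top.

```python
import json

def complete(prompt: str) -> str:
    """Stand-in for an LLM chat-completion call; wire up your provider here."""
    raise NotImplementedError

def run_siem_query(query: str) -> list[dict]:
    """Stand-in for a SIEM search client (Splunk, Elastic, etc.)."""
    raise NotImplementedError

def triage(alert: dict, max_steps: int = 5) -> dict:
    """Iteratively gather context for an alert, then propose a verdict."""
    evidence: list[dict] = []
    for _ in range(max_steps):
        # Ask the model to either request more data or render a verdict.
        step = json.loads(complete(
            "You are a SOC analyst. Given the alert and the evidence so far, "
            'reply with JSON: {"action": "query", "query": "<SIEM query>"} '
            'to pull more context, or {"action": "report", "verdict": "...", '
            '"response_plan": "..."} once you can decide.\n'
            f"Alert: {json.dumps(alert)}\nEvidence: {json.dumps(evidence)}"
        ))
        if step["action"] == "report":
            return step  # verdict and suggested plan go to a human reviewer
        evidence.append({"query": step["query"],
                         "results": run_siem_query(step["query"])})
    return {"action": "escalate", "reason": "no verdict within step budget"}
```

The important design choice is the last step: the agent gathers evidence and proposes a plan, but a human analyst makes the final call.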
Applying LLMs to this use case almost seems obvious, but doing it well is complex from both a technical and business perspective. We are still in the early innings of generative AI agents, and need to solve problems around reliability and hallucination before we can trust them to perform. Taking advantage of this opportunity also requires that agents can access security alerts and data across tools.
Product delivery is the key question here. Incumbents have a data advantage, in particular SIEM and extended detection and response (XDR) platforms that integrate data from multiple tools and security domains. We expect companies in this space to benefit from adding generative AI–powered automation directly into their products.
Startups looking to build AI agents for automating SOC workflows must carefully weigh their approach. Do they look to become a platform, owning both the security data lake and the workflow automation layer to compete directly with SIEM/XDR, or do they provide just the automation layer and build integrations into existing security tools?
The rapid growth of managed detection and response (MDR) providers such as Arctic Wolf, which act as an outsourced 24x7 SOC, adds another consideration to the product delivery equation. These companies may also look to augment their internal workflows with generative AI and compete directly against self-managed SIEM and XDR offerings. Founders must understand the competitive dynamics of the detection and response ecosystem and present a clear point of view on how they will deliver their product and win against incumbents.
Startups in the SOC automation space:
Dropzone AI, Cyclops Security
2. Code analysis and vulnerability remediation
With the proliferation of static application security testing (SAST) and software composition analysis (SCA) scanners, developers find themselves with a never-ending backlog of vulnerabilities in their application code and infrastructure. The “shift left” trend in security has helped developers discover vulnerabilities earlier in the development lifecycle, but it does little to ease the pain of remediation itself. This is where generative AI can help.
LLMs have proven quite adept at both code analysis and code generation. LLM-powered code analysis can identify security risks that wouldn’t be caught by traditional scanners. LLMs can also generate potential fixes for security vulnerabilities in code, shortening the time to remediation and reducing developer toil.
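As a rough illustration, a remediation feature might wrap the scanner finding and the flagged snippet in a prompt and ask the model for a minimal patch. This is a sketch under assumptions, not any vendor’s implementation; complete() is again a hypothetical stand-in for an LLM API.

```python
def complete(prompt: str) -> str:
    """Stand-in for an LLM chat-completion call, as in the earlier sketch."""
    raise NotImplementedError

def suggest_fix(finding: str, snippet: str, language: str) -> str:
    """Ask the model for a minimal patch that remediates a scanner finding."""
    return complete(
        f"A {language} snippet was flagged by a SAST scanner.\n"
        f"Finding: {finding}\n"
        f"Code:\n{snippet}\n"
        "Rewrite the snippet to remediate the finding. Preserve behavior, "
        "change as little as possible, and return only the corrected code."
    )

# Example: a classic injection finding. A capable model will typically
# return a parameterized query, e.g.:
#   cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
flagged = 'cursor.execute("SELECT * FROM users WHERE id = " + user_id)'
# fix = suggest_fix("SQL injection via string concatenation", flagged, "Python")
```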
Again, startups will compete against incumbent vendors in this space. Snyk debuted AI-generated security fixes in its Snyk Code product earlier this year. Startups aimed specifically at vulnerability remediation may also find themselves competing against broader code generation products like GitHub Copilot, as well as the tried-and-true copy-and-paste-into-ChatGPT method. For startups, how well they integrate into and improve upon developer and security team workflows will be key to building a durable business.
Startups in the code analysis and vulnerability remediation space:
Mobb (recent winners of the Startup Spotlight Competition at Black Hat), Socket (using GPT to discover and analyze risks in open source code)
3. Offensive security and penetration testing
Penetration testing has largely been the domain of third-party security consultants, who typically engage with clients once or twice per year. Offensive security professionals are essentially white-hat hackers who follow a hacker’s playbook to discover vulnerabilities and gain access to resources. Much of the manual work that hackers do for reconnaissance and exploitation can be automated by LLM-powered agents.
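As a hedged sketch of what that could look like, the loop below has a model propose one reconnaissance step at a time while a human operator approves each action. complete() and run_tool() are hypothetical stand-ins for an LLM API and for authorized scanning tooling, respectively.

```python
def complete(prompt: str) -> str:
    """Stand-in for an LLM chat-completion call; wire up your provider here."""
    raise NotImplementedError

def run_tool(command: str) -> str:
    """Stand-in for running a scanner the engagement has authorized."""
    raise NotImplementedError

def recon_step(scope: str, history: list[str]) -> None:
    """Have the model propose one next recon command; a human approves it."""
    proposal = complete(
        "You are assisting an authorized penetration test.\n"
        f"Scope: {scope}\n"
        "Findings so far:\n" + "\n".join(history) + "\n"
        "Propose a single next reconnaissance command on the first line, "
        "followed by a one-sentence rationale."
    )
    print(f"Proposed step:\n{proposal}")
    # Keep a human in the loop: nothing runs without explicit approval.
    if input("Run it? [y/N] ").strip().lower() == "y":
        history.append(run_tool(proposal.splitlines()[0]))
```

The approval gate is the point: today’s agents can propose and summarize well, but fully autonomous exploitation is not yet trustworthy.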
Automating penetration testing and red teaming workflows would enable enterprises to do more with fewer resources, and to test more frequently or even continuously. This category offers more greenfield opportunity for startups, as the existing penetration testing market is fragmented and largely services-based, and there isn’t an obvious data advantage for incumbents.
Startups in offensive security and penetration testing:
Overview
LLMs will be leveraged anywhere there is a need to analyze or generate content at scale, including additional use cases like answering third-party security questionnaires or generating content for security awareness training. Across these opportunities, startup founders must think carefully about the role incumbents will play in the market and how to define a product delivery strategy that will enable them to compete effectively.
If you’re a founder building with LLMs in security, we’d love to chat. You can connect with me on LinkedIn or reach out directly at allison@unusual.vc.
Read more
Generative AI is blowing up. What does this mean for cybersecurity?
Autonomous AI agents could change the world, but what do they actually do well?
The race for identity verification and onboarding is on! How will Generative AI make an impact?