
Every year, Y Combinator shares a list of Requests for Startups – ideas they want to fund, framed as challenges for ambitious founders to tackle. It’s a goldmine of prompts, and over time, it’s inspired breakout companies in AI, healthcare, fintech, and deeptech.
We took inspiration from this with our own version for security – a $250B+ market with its own messy landscape of misunderstood buyer behavior, clouded demands, and complex problems that have yet to be solved. The loudest voices in security often come from vendors, not practitioners. And yet, if you talk to security teams, it’s obvious: this space is full of problems that haven't been solved.

At Leen, in collaboration with Lockstep Ventures, we’ve spent the past few months talking to 25 people who live these problems every day – security practitioners and leaders. We asked them two questions:
“If you had a magic wand and could make one security problem disappear overnight, what would it be and why?”
Their answers weren’t generic, nor a vendor wishlist either. They were specific and practical – reflecting unsolved problems they wrestle with every day.
It’s a signal-rich download of what security buyers actually wish existed. For founders looking for ideas. For security teams wanting to be heard. And for an industry that badly needs to shift from noise to need.
1. Preventative Security
Summary:
Security teams have mastered finding problems but failed at fixing them. The industry's obsession with detection has created an expensive game of whack-a-mole that leaves fundamental issues unresolved.
The Practitioner Reality:
Kane Narraway, Head of Enterprise Security at Canva, cuts through the noise with a simple analogy:
"You wouldn't be happy if you hired a plumber, the plumber came into your house, they told you you had three leaks and then they left and said, yeah, you have a week to fix it before your basement floods. But that's what we do in security. We tell developers what their problems are and we expect them to go and fix it."
This isn't a tooling problem, it's a business model problem. Preventative security has been expensive to build and impossible to productize across diverse customer environments.
Only the top 1% of organizations (Block, Meta, Coinbase, Netflix, etc.) have had the engineering maturity to build internal control planes that unify context, define guardrails, and drive automatic remediation.
Everyone else stitches together spreadsheets, tickets, and dashboards.
But we're entering a new phase. Thanks to AI agents and Model Context Protocol (MCP) architectures, preventative security can now be democratized.
As Kane explains:
"We're approaching peak data at this point. All the tools that we have have logs, they have the things that we need... The next step is using AI agents to go out, actually patch the things, test the things, raise PRs."
The Market Reality:
Multiple practitioners mentioned they're reducing log volumes due to cost, not increasing them. Organizations are drowning in alerts they can't act on. The opportunity isn't more detection, it's intelligent action.
Call for Builders:
Build AI-native agents that go beyond alerts to raise pull requests, patch containers, and revoke access autonomously. The technical building blocks exist: containerized agents, MCP frameworks that plug into GitHub / GitLab / Okta, and LLMs capable of code generation and testing.
Start with high-frequency, low-risk actions (dependency updates, configuration drift correction) and expand into more complex remediation workflows. Think GitHub Copilot for security operations, not just suggesting fixes, but implementing them.
2. The Identity Paradox: Universal Trust
Summary:
Identity has become the new perimeter, but it's fracturing under the weight of scale, sprawl, and inconsistent trust models across an increasingly complex digital ecosystem.
The Practitioner Reality:
Kevin Paige, CISO at ConductorOne, frames this as more than an access management challenge: it is a fundamental trust architecture problem:
"What is the trust anchor that you could provide identities to and access control to so that you know that this user is always good, always who they say they are? Identities multiply, systems multiply."
The numbers are staggering. Kevin ran the math on AWS alone:
"You take a look at all the permissions combinations that you could possibly have; there's probably hundreds of thousands of potential ways in which you could provide some form of capabilities."
Scale this across cloud providers, SaaS platforms, AI agents, and hybrid environments, and the combinatorial explosion becomes unmanageable.
Current solutions are patchwork at best. Organizations stitch together fragmented SSO, IAM, and manual processes, but these are tactical fixes, not systemic solutions. The result? Most organizations still use makeshift databases, spreadsheets, and homegrown ticketing workflows to keep up, leaving credential abuse and privilege escalation at the root of most breaches.
The Market Reality:
It's not just provisioning and de-provisioning. It's the absence of a shared trust anchor, or an “identity fabric”, that works across personal, enterprise, and hybrid environments. Identity observability remains painfully immature, and there's no universal way to validate identities across contexts – work accounts, personal devices, system-level access, SaaS applications, and AI agents.
Call for Builders:
The opportunity is massive: build universal, programmable identity backplanes designed for hybrid environments. Think beyond Okta for login. Think identity observability, drift detection, real-time revocation, and fine-grained control across people, services, and agents.
The future isn't better login screens: it's dynamic, contextual access that adapts to behavior, environment, and risk in real-time.
3. The Context Collapse: Security Data Without Actionable Intelligence
Summary:
Security teams are data-rich but insight-poor. Despite a decade of SIEMs, data lakes, and detection tools, most security leaders still lack the attack-chain visibility needed for effective response.
The Practitioner Reality:
Devin Ertel, CISO at Menlo Security, describes the daily reality:
"I want to see the full attack chain. Not just alerts, but context across EDR, identity, cloud. Right now it's still very manual; when we're in an incident or something is happening, we have to go manually, go get more logs, and understand the full picture."
This isn't just a technical challenge, it's a human bandwidth problem. Lean SecOps teams become manual data archaeologists during incidents, hunting across disconnected sources while attacks progress in real-time.
Most SIEMs help you ingest data; few help you investigate effectively. The burden of enrichment falls on analysts who need to correlate EDR alerts with IAM anomalies and cloud activity, often across multiple tools that don't communicate. It's not just a tooling issue, it's a UX issue, a context issue, a prioritization issue.
The Market Reality:
Gourav Nagar, Head of Information Security at Upwind Security, highlights the cost problem: teams want comprehensive visibility but face expensive, fragmented solutions.
"The current tooling that we have is very expensive. If we have something where we can ingest a large volume of data and have a quick way to query that data, it will be easier for leadership to put money on that sort of a tool."
Call for Builders:
The opportunity is a unified investigation layer that pulls just-in-time telemetry and enriches it with identity and asset context.
Don't build another SIEM, build the intelligence layer that sits on top of existing data sources.
Help teams shift from query writing to insight gathering, with context-first detection and response. The goal isn't more data, it's better correlation and faster investigation workflows that scale with lean security teams.
4. Vulnerability Management is Still Broken
Summary:
Vulnerability management has become a sophisticated way to generate tickets that engineering teams ignore. The problem isn't finding vulnerabilities, it's prioritizing, validating, and fixing them systematically.
The Practitioner Reality:
Randolph Barr, Chief Security Officer at Cequence Security, describes the problem plainly:
"From SAST to pen tests to CSPM to bug bounty findings, vulnerability data is everywhere, but not triaged, correlated, or actioned in one place. Security teams end up throwing tickets over the wall, often without proper validation or context."
The workflow is broken by design. Most teams still use makeshift databases and homegrown ticketing systems to manage vulnerabilities from multiple sources – network scans, application assessments, penetration tests, bug bounty programs, and CSPM tools. Each has different SLA requirements and remediation processes.
The Market Reality:
The real problem is downstream. Engineering teams push back against security tickets because they lack context, validation, and clear remediation guidance. Teams spend more time arguing about vulnerability severity than fixing actual issues.
Call for Builders:
Build the layer that sits on top of all vulnerability sources, enriches findings with asset criticality and existing controls, and creates trustworthy tickets with automated triage and remediation guidance.
The opportunity isn't another scanner, it's the intelligence layer that validates vulnerabilities, adjusts severity based on real mitigations, and provides engineering teams with actionable, contextualized remediation plans. Think GitHub Copilot meets Jira, built specifically for application security workflows.
5. Secure by Design: Making Insecure Defaults Extinct
Summary:
We're still shipping products with security as an afterthought, then hoping users read hardening guides. The most sustainable fix is upstream, making secure-by-default the standard, not the exception.
The Practitioner Reality:
John Donovan, Head of Security at Zededa, captures the urgency:
"We’re still living in a world where base-level security is optional. Products ship fast, features win over safety, and secure-by-default remains more of a slogan than a standard. If you put something out there that has major security vulnerabilities, bugs or issues, the attackers are going to find it right away."
This is especially critical in edge computing and infrastructure that gets deployed and forgotten. Any initial security gaps become effectively permanent or require expensive retrofitting.
Even today, basic misconfigurations such as default credentials, open S3 buckets, outdated TLS versions, and permissive IAM roles plague the industry. These aren't exotic zero-days; they're preventable oversights that still lead to breaches.
As John notes:
"Attackers have become faster, more automated, and now powered by LLMs. If defenders continue to rely on post-deployment patchwork, we'll keep losing."
The Market Reality:
Multiple practitioners mentioned increasing regulatory and legislative pressure. The EU's Cyber Resilience Act and CISA's Security by Design pledge are forcing better defaults, but the industry shouldn't wait for regulation to drive basic security hygiene.
Call for Builders:
There's room for a new wave of tools that enforce proactive, preventive security during the build phase:
- Secure scaffolding for SaaS and infrastructure products
- Security linting and misconfiguration detection tied to deployment workflows
- Default profiles that enforce secure settings, not just recommend them
- Tooling to help developers test, simulate, and reason about security posture before code hits production
We need a future where insecure defaults don't ship at all.
6. AI-Native Security Assistants: Cognitive Load Management for Security Teams
Summary:
Security work has become too complex and fast-moving for humans to manage alone. Every role faces massive cognitive load, and it grows with scale.
The Practitioner Reality:
Aman Sirohi, Chief Security Officer at People.ai, explains the challenge:
"As humans, we'll need assistance from tooling to look at this data at scale and then be able to siphon through all this data and be able to really focus on the critical areas that are called out. Yet most workflows remain reactive, fragmented, and manual."
But these can’t be generic co-pilots. They must:
- Understand your tech stack (CSPM, EDR, IAM, incident response tools)
- Map to the unique architecture of your environment (AWS vs. Azure, retail vs. SaaS)
- Tailor prompts and actions to the role: helping a SecOps analyst sift through alert noise, an AppSec engineer prepare for sprint planning, or a CISO prepare board material
- Handle end-to-end workflow: from ingesting data to triaging issues to recommending context-aware remediations
The Market Reality:
As Aman emphasizes:
"The agent must be a teammate, not just a summarizer. It should nudge, anticipate, and coach based on an understanding of your organization's real risks and responsibilities. You'll need one for AppSec, one for leadership, one for SecOps, and they need to speak about your data, your environment, your priorities."
Call for Builders:
There's an open field for security-native co-pilots grounded in real organizational data – aware of your compliance posture, vulnerabilities, asset inventory, and risk models. These agents should integrate with existing systems and be smart enough to brief, triage, and plan like a chief of staff.
Start narrow (AppSec sprint prep, SOC triage) but design with extensibility in mind.
If AI is changing the future of work, it must also change the future of securing that work.
7. Supply Chain Security
Summary:
Software supply chain security isn't a single product category, it's an end-to-end trust problem spanning containers, dependencies, code reviews, build pipelines, and artifact signing. Current tooling is fragmented, and the gaps between tools are where real risk lives.
The Practitioner Reality:
Sakthi Rangaraju, Head of Product Security at Pure Storage, describes the current state:
“The challenge isn't lack of tools, it's tool sprawl. Organizations depend on a ‘Frankenstein stack’ of SCA tools, SBOM generators, SAST/DAST analyzers, container scanners, and CI/CD monitors. Each sees only part of the system while none offer full visibility across languages, environments, or runtime behavior.”
Common struggles include:
- Manually stitching results across tools and formats
- False positives due to missing context
- Gaps in language or framework coverage
- Inability to correlate an SBOM diff with a real exploit path
- Fragmented remediation workflows between engineering and security
The Market Reality:
Many vendors promise “comprehensive” coverage, but very few can actually connect the dots between code, components, infrastructure, and deployment. And that’s where the real security risk lives.
Matt Goodrich, Director of Information Security at Alteryx, highlights a critical gap that exemplifies the broader problem:
"Understanding how code flows through our ecosystem, all the possible places it could end up and sort of being able to have that sort of reverse traceability so I can go from an identified vulnerability back to the true owner."
His challenge illustrates the complexity: developers write code that gets packaged into Docker containers, stored in image repositories, then deployed to cloud Kubernetes clusters. Along the way, different teams own different pieces: infrastructure teams handle container movement, development teams build the code, and another team manages golden images. When a vulnerability is discovered in production, tracing it back to the responsible developer and the specific code version becomes a manual archaeology exercise.
Call for Builders:
Build a unified supply chain security platform – a "software bill of behavior" that tracks code lineage, component provenance, and deployment artifacts across the entire SDLC:
- Ingest multiple scanning sources (SCA, SAST, DAST, IaC, secrets, SBOMs)
- Normalize across formats and frameworks
- Correlate issues across the SDLC (unpatched package in container AND IaC config)
- Visualize end-to-end supply chain posture in real-time
- Automate triage, deduplication, and developer ticketing
The opportunity is becoming the single source of truth for software supply chain risk.
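The reverse-traceability problem Matt describes above, as an added illustration (not Leen's code, nor any quoted company's tooling). It joins the records a build system, a registry, an SBOM generator and a cluster inventory would emit, and walks from a vulnerable package seen in a running image back to the commit, repository and team that introduced it. Packages inherited from the base layer are attributed to the golden-image team rather than to the application team that merely consumed the image, and findings that share an origin are collapsed into one ticket. All digests, commit ids, repositories, teams and versions are constructed placeholders.

```python
"""Reverse traceability: from a vulnerable package observed in a running
container back to the commit, repository and team that own it.

Added example, not Leen's code or any quoted company's tooling. Every
record below is constructed: digests, commit ids, repo names, teams and
package versions are placeholders for what a build system, registry,
SBOM generator and cluster inventory would emit.
"""

# Build records: which repo/commit produced each application image, and
# which golden (base) image it was layered on.
BUILDS = [
    {"image": "sha256:app-aaa111", "repo": "shop/checkout",
     "commit": "c0ffee1", "base_image": "sha256:base-001"},
    {"image": "sha256:app-bbb222", "repo": "shop/search",
     "commit": "beef002", "base_image": "sha256:base-001"},
]

# Golden images are built by a separate team from their own repo.
GOLDEN_IMAGES = [
    {"image": "sha256:base-001", "repo": "platform/golden-images",
     "commit": "g01d001"},
]

# Cluster inventory: what is actually running, and where.
DEPLOYMENTS = [
    {"cluster": "prod-us", "namespace": "checkout", "image": "sha256:app-aaa111"},
    {"cluster": "prod-us", "namespace": "search", "image": "sha256:app-bbb222"},
    {"cluster": "staging", "namespace": "checkout", "image": "sha256:app-aaa111"},
]

# Per-image SBOM: package -> (version, layer that introduced it).
SBOMS = {
    "sha256:app-aaa111": {"openssl": ("3.0.1", "base"), "requests": ("2.25.0", "app")},
    "sha256:app-bbb222": {"openssl": ("3.0.1", "base"), "lucene": ("9.1.0", "app")},
}

# CODEOWNERS-style mapping from repository to accountable team.
OWNERS = {
    "shop/checkout": "team-payments",
    "shop/search": "team-search",
    "platform/golden-images": "team-platform",
}


def trace_package(package):
    """Return one ticket per (owner, repo, commit) that introduced `package`
    into a running image, listing every deployment it reaches."""
    image_to_build = {b["image"]: b for b in BUILDS}
    golden = {g["image"]: g for g in GOLDEN_IMAGES}
    tickets = {}
    for dep in DEPLOYMENTS:
        sbom = SBOMS.get(dep["image"], {})
        if package not in sbom:
            continue
        version, layer = sbom[package]
        build = image_to_build[dep["image"]]
        # A package inherited from the base layer belongs to the golden-image
        # team, not to the application team that merely consumed the image.
        origin = golden[build["base_image"]] if layer == "base" else build
        key = (OWNERS[origin["repo"]], origin["repo"], origin["commit"])
        ticket = tickets.setdefault(key, {
            "package": package, "version": version, "layer": layer,
            "deployments": [], "in_production": False,
        })
        ticket["deployments"].append(f'{dep["cluster"]}/{dep["namespace"]}')
        ticket["in_production"] |= dep["cluster"].startswith("prod")
    return tickets


if __name__ == "__main__":
    for (owner, repo, commit), ticket in trace_package("openssl").items():
        print(owner, repo, commit, ticket)
```

The useful property is the deduplication: one vulnerable OpenSSL in a shared base image shows up in three deployments owned by two application teams, yet produces a single ticket for the platform team that owns the golden image, with the blast radius attached.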
8. Intelligent Risk Prioritization Engines
Summary:
CISOs aren't short on alerts – they're short on judgment bandwidth. The hardest question remains: What should we fix first? Current risk scoring is siloed, primitive, and disconnected from business context.
The Practitioner Reality:
Kenneth Thomas Moras, Head of Security GRC at Plaid, explains the challenge:
"There's no magic wand where you can come up with a strategic approach on what are the different initiatives to work on. Every CISO needs to stack-rank various initiatives, and it still happens through interviews, instinct, and spreadsheet wars."
Risk isn't static, it's contextual. A high-severity CVE on a sandboxed development system is less urgent than a medium-severity misconfiguration on a production crown jewel. Yet most risk scoring today operates in silos: vulnerability scanners provide one set of scores, GRC tools another, CSPM tools a third. None truly communicates or understands the business context.
The Market Reality:
Angel Liu, Director of Information Security at Confluent, frames this as the fundamental resource allocation challenge:
"Part of the risk management function is to see how can we actually collect all those risk data for us in order for us to do that prioritization exercise... We have all those data. How can we actually correlate those risk data and help us to make that prioritization decision?"
Even teams that adopt frameworks like FAIR or CVSS often fall back on instinct. Why? Because risk quantification isn't just math; it's correlation across sources, an understanding of historical context, and the ability to align with business priorities.
Current solutions fail because:
- They rely heavily on human interpretation and judgment calls
- Inputs are scattered across tools with fragmented visibility
- There’s no shared risk ontology across asset types and teams
- Remediation prioritization is often decoupled from business impact
- Boards want clear, defensible risk decisions but teams can't provide them fast enough
Call for Builders:
Build an AI-native platform that becomes the decision engine for security risk prioritization. Not another dashboard, but a reasoning layer that pulls context from across your tech stack – vulnerability scanners, threat intelligence, asset inventory, historical incidents, and synthesizes it into a dynamic, explainable risk heatmap.
Think of it as a security co-pilot that helps teams and boards understand what to tackle first, why it matters, and what trade-offs exist.
The opportunity is becoming the source of truth CISOs rely on to plan and defend their roadmap.
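A worked version of the contextual scoring argued for above, which also serves the vulnerability management section (4): severity adjusted by asset criticality, environment, exposure and verified mitigations, with the reasons returned alongside the number so a ticket or a board slide can defend the ranking. This is an added example, not Leen's or any quoted practitioner's model; the weights, assets and findings are constructed, and the page's own comparison (a critical CVE on an isolated development box versus a medium misconfiguration on a production crown jewel) is among the inputs.

```python
"""Context-aware prioritization of findings from several sources.

Added example, not Leen's or any quoted practitioner's scoring model.
The weights, assets and findings are constructed to show the point made
above: a critical CVE on an isolated dev box can legitimately rank below
a medium misconfiguration on a production crown jewel, and the engine
must be able to say why.
"""
from dataclasses import dataclass, field

# Asset inventory: criticality is 0..1, as a CMDB or CSPM might export it.
ASSETS = {
    "payments-db": {"criticality": 1.0, "environment": "production", "internet_facing": False},
    "web-frontend": {"criticality": 0.7, "environment": "production", "internet_facing": True},
    "dev-sandbox-42": {"criticality": 0.2, "environment": "development", "internet_facing": False},
}

# Assumed weights (illustrative). Environment and exposure scale the base
# score up; a verified mitigation scales it down.
ENV_WEIGHT = {"production": 1.0, "staging": 0.6, "development": 0.4}
EXPOSURE_FACTOR = 1.3
KNOWN_EXPLOITED_FACTOR = 1.5
MITIGATION_FACTOR = {"network-isolated": 0.5, "waf-rule": 0.7, "code-path-unreachable": 0.3}


@dataclass
class Finding:
    id: str
    source: str            # e.g. scanner, cspm, pentest, bug-bounty
    title: str
    base_severity: float   # CVSS-like 0..10 as reported by the source
    asset: str
    known_exploited: bool = False
    mitigations: list = field(default_factory=list)


def score(finding):
    """Return (adjusted_score, reasons): the number is the ranking key, the
    reasons are what a reviewer or a board slide needs to defend it."""
    asset = ASSETS[finding.asset]
    reasons = [f"base severity {finding.base_severity} from {finding.source}"]
    env_w = ENV_WEIGHT[asset["environment"]]
    s = finding.base_severity * env_w
    reasons.append(f"environment {asset['environment']} x{env_w}")
    crit = 0.5 + 0.5 * asset["criticality"]
    s *= crit
    reasons.append(f"asset criticality {asset['criticality']} x{crit:.2f}")
    if asset["internet_facing"]:
        s *= EXPOSURE_FACTOR
        reasons.append(f"internet facing x{EXPOSURE_FACTOR}")
    if finding.known_exploited:
        s *= KNOWN_EXPLOITED_FACTOR
        reasons.append(f"exploitation observed in the wild x{KNOWN_EXPLOITED_FACTOR}")
    for m in finding.mitigations:
        s *= MITIGATION_FACTOR[m]
        reasons.append(f"verified mitigation {m} x{MITIGATION_FACTOR[m]}")
    return min(round(s, 2), 10.0), reasons


def prioritize(findings):
    """Rank findings by adjusted score, highest first: list of (finding, score, reasons)."""
    ranked = [(f, *score(f)) for f in findings]
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked


# Constructed findings from three different sources.
FINDINGS = [
    Finding("F-1", "scanner", "critical CVE in image runtime", 9.8, "dev-sandbox-42",
            mitigations=["network-isolated"]),
    Finding("F-2", "cspm", "overly permissive IAM role on database", 5.5, "payments-db"),
    Finding("F-3", "scanner", "high CVE in web framework", 7.5, "web-frontend",
            known_exploited=True, mitigations=["waf-rule"]),
]

if __name__ == "__main__":
    for f, s, why in prioritize(FINDINGS):
        print(f"{s:5.2f} {f.id} {f.title}")
        for r in why:
            print("       -", r)
```

With these inputs the critical CVE on the sandbox drops to the bottom and the medium IAM misconfiguration on the payments database sits above it, while an internet-facing, actively exploited bug still leads even after a WAF rule is credited. The multipliers are deliberately explicit rather than learned so that every rank change can be traced to one named factor.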
9. Semantically-Aware Access Management
Summary:
As data sprawls across apps, platforms, and AI systems, traditional RBAC/ABAC models can't keep up with semantic complexity, especially in regulated environments where data lineage and context matter.
The Practitioner Reality:
Justin Pagano, Director, Security Trust & Risk (GRC) at Klaviyo, describes the complexity:
"Enforcing even a simple data access policy like 'Sales reps in the Northeast should only see their regional accounts' – requires translating that rule into different languages for Salesforce, NetSuite, Slack, internal databases, and more."
The problem compounds when data moves. Once information is exported from Salesforce and shared via Slack, lineage is lost. With AI knowledge graphs aggregating sensitive information across systems, the risk multiplies. LLMs don't respect system boundaries – customer records, internal documentation, and HR data might all be queried through a single chat interface.
The Market Reality:
For regulated industries, this isn't just convenience, it's survival. As Justin explains:
"If a bad actor or insider threat is involved, and they try to access data they shouldn't, they won't be able to, because the system will enforce least privilege everywhere, not just in silos."
Call for Builders:
The next wave of innovation in access control must move beyond RBAC into semantic, declarative policy enforcement.
Build systems that let organizations define access policies in plain language and automatically enforce them across SaaS, internal tools, and AI applications.
Think: "Account managers can only access PII for their region", enforced everywhere, continuously, with full data lineage tracking across tools and post-export policy enforcement.
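The "write the rule once, enforce it everywhere" idea from this section, as an added example (not Leen's or Klaviyo's code). A single declarative policy, "sales reps see only accounts in their region", is compiled into a parameterized SQL filter for a database, applied as a predicate to rows that have already been exported, and used to filter documents before they are placed in an LLM prompt, so the same decision holds after the data leaves its system of record. The policy format, the `accounts` table and the documents are constructed; subjects with no applicable policy are denied by default.

```python
"""One declarative access policy, enforced at three different points.

Added example, not Leen's or Klaviyo's code. The policy language, table
and documents are constructed. The rule "sales reps see only accounts in
their region" is written once and compiled into a parameterized SQL
filter, a predicate for already-exported rows, and a filter on documents
before they reach an LLM prompt.
"""
import sqlite3

# A subject matching `applies_to` may read resources of `resource_type`
# whose `resource_attr` equals the subject's `subject_attr`. Anything with
# no applicable policy is denied (least privilege by default).
POLICIES = [
    {"name": "regional-account-scope",
     "applies_to": {"role": "sales_rep"},
     "resource_type": "account",
     "resource_attr": "region",
     "subject_attr": "region"},
]


def applicable(subject, resource_type):
    return [p for p in POLICIES
            if p["resource_type"] == resource_type
            and all(subject.get(k) == v for k, v in p["applies_to"].items())]


def allowed(subject, resource):
    """Decision for a single record, usable wherever a record shows up
    after leaving its system of record (exports, chat context, ...)."""
    return any(resource.get(p["resource_attr"]) == subject.get(p["subject_attr"])
               for p in applicable(subject, resource.get("resource_type")))


def to_sql_filter(subject, resource_type):
    """Compile the policy to a parameterized WHERE clause -> (clause, params).
    Column names come from trusted policy config, never from the subject;
    values are bound as parameters. Clause '0' denies everything."""
    policies = applicable(subject, resource_type)
    if not policies:
        return "0", []
    clause = " OR ".join(f"{p['resource_attr']} = ?" for p in policies)
    return clause, [subject[p["subject_attr"]] for p in policies]


def query_accounts(conn, subject):
    clause, params = to_sql_filter(subject, "account")
    rows = conn.execute(
        f"SELECT id, name, region FROM accounts WHERE {clause} ORDER BY id", params)
    return [r[0] for r in rows]


def filter_exported(subject, rows):
    """Post-export enforcement: the same rule applied to rows that were
    pulled out of the database and shared elsewhere."""
    return [r["id"] for r in rows if allowed(subject, r)]


def retrieval_context(subject, documents):
    """Filter documents before they are handed to an LLM, so a chat interface
    cannot answer from records the user could not open directly."""
    return [d["text"] for d in documents if allowed(subject, d["metadata"])]


# Constructed data.
ACCOUNTS = [(1, "Acme", "Northeast"), (2, "Globex", "West"), (3, "Initech", "Northeast")]
EXPORTED_ROWS = [{"resource_type": "account", "id": i, "name": n, "region": r}
                 for i, n, r in ACCOUNTS]
DOCUMENTS = [
    {"text": "Acme renewal notes",
     "metadata": {"resource_type": "account", "region": "Northeast"}},
    {"text": "Globex renewal notes",
     "metadata": {"resource_type": "account", "region": "West"}},
]


def demo(subject):
    """Apply the one policy at all three enforcement points for `subject`."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER, name TEXT, region TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", ACCOUNTS)
    return {
        "db": query_accounts(conn, subject),
        "export": filter_exported(subject, EXPORTED_ROWS),
        "llm": retrieval_context(subject, DOCUMENTS),
    }


if __name__ == "__main__":
    print(demo({"role": "sales_rep", "region": "Northeast"}))
```

The three enforcement points agree on the same account ids because they share one decision function; adding a new downstream system means writing one more small compiler or filter against the same policy, not re-expressing the rule by hand.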
10. Behavioral Monitoring
Summary:
Deepfakes and AI-powered impersonation attacks are enabling sophisticated social engineering. Current behavioral monitoring generates alerts; the future requires immediate, automated responses.
The Practitioner Reality:
Mike Norris, Director of Security at Trek10, explains the evolution:
"A lot of companies are compromised because of deepfakes, where they can use the voice of executives and how they are using that to be able to social engineer their way into companies. Even the most security-aware individual could be compromised with the use of some of these new tools and attacks."
Traditional security stacks are reactive. A user downloading sensitive data after a suspicious Zoom call might trigger an alert, but that alert relies on human intervention. The delay can be exploited, especially at mid-sized companies that lack dedicated SOC teams.
The Market Reality:
Many targets aren't even giant enterprises but unicorn-stage startups and high-trust vendors who lack scalable defenses. These organizations are sometimes too small for legacy SIEM/SOAR but too big to ignore targeted threats.
Call for Builders:
Build lightweight, AI-native behavioral monitoring tools that:
- Build real-time baselines for users, devices, and services
- Detect deviations like post-meeting access to sensitive files or anomalous lateral movement
- Automatically execute policy-based containment (pause sessions, isolate accounts, revoke access)
- Scale down to serve mid-market companies with minimal setup and tuning
Think "endpoint EDR" for human behavior coupled with the speed and context to stop attacks before damage occurs.
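The baseline-and-containment loop the bullet list above calls for, as an added example (not Leen's or Trek10's code). Each user's baseline is the mean and standard deviation of their own download history; today's count is scored against it, small-number noise is suppressed with an absolute floor, and the response comes from a policy table that escalates to an automatic session pause when an anomaly involves sensitive data shortly after an external video call. The history, today's observations and the thresholds are all constructed.

```python
"""Per-user behavioural baseline with automatic, policy-based containment.

Added example, not Leen's or Trek10's code. The event log is constructed:
14 days of file-download counts per user plus context on whether the user
joined an external video call shortly before the activity. The baseline is
a mean/standard deviation over each user's own history; the response is a
policy table rather than a human on call.
"""
from statistics import mean, pstdev

# Constructed history: downloads per day over the previous 14 days.
HISTORY = {
    "alice": [3, 5, 4, 6, 3, 4, 5, 4, 3, 6, 5, 4, 4, 5],
    "bob":   [20, 25, 22, 18, 24, 21, 23, 19, 22, 20, 24, 21, 22, 23],
    "carol": [2] * 14,   # zero-variance history: an edge case for z-scores
}

# Constructed "today" observations, already joined with the context a
# monitor would pull from the calendar/meeting system.
TODAY = [
    {"user": "alice", "downloads": 40, "sensitive": True, "external_call_minutes_ago": 12},
    {"user": "bob",   "downloads": 26, "sensitive": True, "external_call_minutes_ago": None},
    {"user": "carol", "downloads": 15, "sensitive": True, "external_call_minutes_ago": None},
]

Z_THRESHOLD = 3.0        # assumed: how far above baseline counts as a deviation
MIN_ABSOLUTE = 10        # assumed: ignore jumps that are tiny in absolute terms
RECENT_CALL_WINDOW = 30  # assumed: minutes after an external call that count as "post-meeting"


def baseline(user):
    """Mean and population standard deviation of the user's own history."""
    hist = HISTORY[user]
    return mean(hist), pstdev(hist)


def z_score(user, downloads):
    """How many standard deviations today's count sits above the baseline.
    A flat history has sigma 0, so any increase is treated as unbounded."""
    mu, sigma = baseline(user)
    if sigma == 0:
        return float("inf") if downloads > mu else 0.0
    return (downloads - mu) / sigma


def decide(obs):
    """Score one observation and map it to a containment action."""
    z = z_score(obs["user"], obs["downloads"])
    anomalous = z >= Z_THRESHOLD and obs["downloads"] >= MIN_ABSOLUTE
    if not anomalous:
        action = "none"
    else:
        recent_call = (obs["external_call_minutes_ago"] is not None
                       and obs["external_call_minutes_ago"] <= RECENT_CALL_WINDOW)
        if obs["sensitive"] and recent_call:
            # Bulk access to sensitive data right after an external call is
            # the pattern the section describes; contain first, then page.
            action = "pause_session_and_alert"
        elif obs["sensitive"]:
            action = "alert_and_step_up_auth"
        else:
            action = "alert"
    return {"user": obs["user"], "z": round(z, 2), "anomalous": anomalous, "action": action}


def run_all():
    """Decisions for every observation, keyed by user."""
    return {d["user"]: d["action"] for d in map(decide, TODAY)}


if __name__ == "__main__":
    for obs in TODAY:
        print(decide(obs))
```

Bob's 26 downloads look large next to Alice's 40 only in absolute terms; against his own baseline they are unremarkable, which is the point of per-user baselines. Carol's flat history shows why a naive z-score needs the zero-variance branch, and the absolute floor keeps a user who goes from one download to four from paging anyone.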
11. Case Management for Trust & Safety and Corporate Security
Summary:
Security, trust & safety, and threat intelligence teams often chase the same adversaries but use siloed tools and workflows. Modern threats require unified case management across internal and external threat landscapes.
The Practitioner Reality:
Simeon Anderson, Staff Security at Discord, identifies the gap:
"Sometimes you have actors that coordinate on your actual app and they also target your company and they sometimes also target your employees. Having a system where you can configure alerts and detections directly in the interface is really useful for trust and safety teams."
Traditional case management platforms were designed for enterprise threats, not the hybrid adversaries that social platforms, marketplaces, and consumer apps face.
Malicious actors coordinate harassment campaigns, phishing lures, and platform abuse across corporate security and trust & safety domains, but teams share Slack threads, not intelligence pipelines.
The Market Reality:
Companies experiment with open source tools and projects like MISP and TheHive, but often find they don't quite fit the trust and safety use case, and detections can't be integrated directly into the platform. The result? Teams build internal solutions or operate in silos.
Call for Builders:
Build purpose-built platforms for the hybrid needs of consumer apps, social platforms, and B2C ecosystems.
Imagine shared case management where trust & safety, intelligence, and detection teams operate in sync with native OSINT integrations, in-platform detection logic, and context-rich actor profiles that combine external indicators with on-platform behavior.
If Jira is too generic and SIEMs too corporate-focused, there's white space for a trust & safety-first incident and knowledge platform.
12. GRC Engineering: The Data Crisis
Summary:
GRC teams are expected to scope, design, implement, test, monitor, and review controls with the most stale, manually updated, inconsistent, and context-poor data in the organization.
The Practitioner Reality:
Ayoub Fandi, Staff Security Engineering Leader at GitLab, captures the core problem:
"GRC teams make compliance decisions based on outdated spreadsheets while the organization's actual risk posture changes in real-time through deployments, configuration changes, and service integrations. Every GRC team should have a centralized data layer."
This centralized layer would ingest real-time telemetry from across the tech stack, normalize it for compliance frameworks, and provide GRC teams with the same data quality and freshness that engineering teams take for granted.
The Market Reality:
Traditional GRC tools were built for static infrastructure and infrequent changes.
Today's cloud-native environments generate compliance-relevant events continuously – container deployments, API changes, access modifications – but GRC teams still rely on quarterly assessments and annual control testing.
The disconnect between operational speed and compliance visibility creates both risk and opportunity.
Call for Builders:
Build the data infrastructure that makes GRC teams first-class citizens in modern organizations:
- Real-time compliance telemetry: Ingest configuration changes, access events, and deployment data as they happen
- Framework mapping: Automatically map technical events to compliance requirements (SOC 2, ISO 27001, PCI, HIPAA)
- Evidence automation: Generate audit-ready evidence from live system data, not screenshots
- Continuous control monitoring: Validate that controls work as designed in real-time
The opportunity is transforming GRC from reactive spreadsheet management into data-driven, continuous compliance that operates at the speed of modern business.

The Market Moment: Why Now?
Multiple trends are converging to create unprecedented opportunities in security:
1. Peak Data, Peak Fatigue: Teams are reducing log volumes due to cost while struggling with alert overload. The opportunity is intelligent action, not more detection.
2. AI-Native Workflows: LLMs can now normalize disparate security data and drive automated responses across tools and environments.
3. Regulatory Pressure: New compliance regimes (EU NIS2, DORA, Cyber Resilience Act) are forcing systematic approaches to security and data governance.
4. Mid-Market Sophistication: Unicorn-stage companies face enterprise-level threats but lack enterprise-scale security teams. They need solutions that scale down.
5. MCP Architecture: Model Context Protocol frameworks enable rapid development of AI agents that can operate across security tools without massive integration overhead.
Building for Practitioners, Not Vendors
The biggest opportunity in security isn't building better tools. It's building tools that practitioners actually want to use.
The interviews reveal a consistent pattern: security teams are drowning in vendor solutions that solve theoretical problems while leaving practical challenges unsolved.
Successful security startups will:
- Start with workflows, not features: Understand how security teams actually work, not how vendors think they should work
- Build for constrained teams: Most security organizations are lean and getting leaner. Solutions must amplify human capabilities, not add overhead
- Design for integration: Security teams won't replace their entire stack. Build intelligence layers that work with existing tools
- Focus on outcomes: Practitioners care about fixing problems, not generating reports. Build for action, not visibility
The $250B security market is waiting for solutions that practitioners actually need. The question isn't whether there's opportunity, it's who will listen to the practitioners and build what they are asking for.
The magic wand has been waved. The problems have been identified. Now it's time to build!