What We Learned About SecOps in 2025: A Security Analyst's Perspective

A security analyst's perspective on SecOps trends in 2025: where AI agents add value, SIEM market shifts, data lakes emergence, and security data.


Looking back at 2025, there's been a lot of movement in the security operations space. As someone working in security analysis day to day, I've been tracking these trends and wanted to share some thoughts on where things are heading based on the research and industry observations I've been following.

AI Agents Are Starting to Show Real Value

We've all heard the AI hype for the past couple of years, and honestly, a lot of it felt overblown. But 2025 has been different. We're starting to see where AI agents actually make sense in security operations, and it's not everywhere like the vendors initially promised.

The real impact seems to be happening in alert triage and investigation work—the stuff that traditionally eats up most of an analyst's time. AI is also showing promise in detection engineering, helping with writing and tuning detection rules. These aren't just theoretical anymore; organizations are actually deploying these capabilities.

One interesting development is MCP (the Model Context Protocol) becoming a standard protocol. Basically, this means AI agents can now talk to different security tools using a common interface instead of a bespoke integration for each tool. This is a big deal for integration strategy because it could change how we think about connecting all the different tools in our security stack. Something to keep an eye on going forward.

The SIEM Market Is Settling But Not Settled

Splunk and Microsoft continue to dominate the SIEM space, which isn't too surprising given their market position. However, CrowdStrike's Next-Gen SIEM is emerging as a serious challenger. The value proposition makes sense—organizations are already paying for EDR, and if they can bundle SIEM functionality with their existing CrowdStrike investment, that's attractive from a budget perspective.

The broader SIEM market has gotten more challenging though. We saw Hunters AI shut down operations, while Panther appears to be regaining momentum. The market is clearly consolidating, and it's becoming harder for smaller players to compete.

Data Lakes Are Becoming More Important

One trend that's become clearer this year is that data lakes are becoming a better interface for AI agents compared to traditional SIEMs, at least in certain scenarios.

The advantages are pretty straightforward—data lakes are faster, cheaper, and require less compute for agents to query and analyze security data. When you're running AI-driven analysis at scale, these factors matter. Of course, there are tradeoffs. SIEMs still provide richer context and built-in capabilities that raw data lakes don't offer.

Microsoft launching their data lake feature is a strong signal about where the market is going. When major players start investing in a capability, it usually means the use case has proven itself.

On the analytics front, Vega has generated significant interest in the detection and analytics layer. This space had been relatively quiet for a while, so it's good to see renewed focus on improving how we detect threats.

Security Data Pipelines Are Getting More Attention

This might not be the most exciting part of security operations, but the data pipeline space saw a lot of M&A activity in 2025.

The strategic logic is clear: EDR and SIEM vendors want to control data ingestion into their platforms. If they own the pipeline, they strengthen their position with customers.

There's also an interesting overlap developing between security telemetry and observability data, especially as organizations start thinking about AI agent observability. Companies like Cribl are positioning themselves at this intersection, trying to serve both security and IT operations teams.

Palo Alto Networks acquiring Chronosphere illustrates this trend. Instead of just selling to security teams, they can now target infrastructure and observability personas as well. That's a significant market expansion.

Looking Ahead to 2026

Based on what we've seen this year, a few things seem likely for 2026. AI agents will continue to mature, but the focus will remain on practical use cases that actually reduce analyst workload rather than flashy capabilities.

The interoperability standards being developed now should start paying off as more tools adopt common protocols. This could simplify integration challenges that have plagued security teams for years.

The SIEM market will probably see continued consolidation. CrowdStrike's push into this space could shake things up depending on their execution. Data lakes are becoming essential infrastructure for organizations that want to leverage AI in their security operations effectively.

We'll also see the lines between security and observability continue to blur, creating both opportunities and challenges for teams managing these systems.

Bottom Line

SecOps in 2025 has been about separating real AI value from hype, consolidating around platforms with strong integration capabilities, and building the data infrastructure needed for the next phase of security operations. As someone working in this field, I think we're moving in the right direction, even if progress sometimes feels slower than the marketing would suggest.

The fundamentals haven't changed—we still need to detect threats, investigate alerts, and respond quickly. But the tools and approaches we're using to accomplish these goals are evolving in interesting ways. That's what makes this field challenging and engaging to work in.
