TL;DR
- MDR and AI SOC look like rival categories, but they’re chasing the same customers with the same goal. The market will consolidate around that reality.
- Customers want AI in their security operations, but they want humans making the calls. AI for speed. Humans for accuracy.
- The platformization pendulum keeps swinging because cybersecurity moves faster than any platform can keep up with. Best-of-breed isn’t dead. It just goes quiet for a while.
Everyone wants to know where AI fits in security operations. The more useful question is why we’re treating it as a separate conversation from MDR at all.
That thread ran through a recent Nerdy 30 with Justin Bajko, Expel’s Chief Strategy Officer, and Rueben Rodriguez, VP of Product Marketing. They got into what’s driving the AI SOC boom and where the market is almost certainly headed.
This one was timed to the release of the Gartner® Market Guide for MDR, and it covers a lot of the same ground.
Get the analyst’s take on the shifting market. Download your complimentary copy of the Gartner Market Guide for MDR.
The MDR market right now? “Gross.”
Justin’s word, not ours. Asked to sum up the market in one word, he landed on that one, then explained himself.
The market is in an awkward in-between moment. MDR providers are adding AI capabilities. AI SOC startups are raising serious capital and hiring SOC analysts to backstop their tech. The lines are blurring, and nobody’s quite figured out where to plant their flag.
Justin’s take: they’re all in the same market. “There’s a bunch of companies out there that need to keep themselves secure, and they want to figure out the best way to do it,” he said. “Some want to do it themselves. Some want to do it in an outsourced way. Most of them probably need some kind of combination of those things.”
The split between MDR and AI SOC, in other words, is a vendor problem more than a customer problem.
40-plus AI SOC companies—and counting
The AI SOC category has exploded. By last count there are 40-plus players, with more launching regularly. Here’s the part worth watching: several of these startups, despite positioning themselves as AI-first, have started hiring human analysts to backstop their technology.
That’s not a knock on the category. It tells you where customer trust actually sits.
“Our customers are living and dying by what decisions are being made,” Rueben said. “They like the potential support of AI, but when decisions need to be made, they want the humans there.”
Why do we still need humans?
Expel CEO Dave Merkel likes the self-driving car analogy. The tech is capable. It works. But you still want a human behind the wheel, especially when you’re pulling into your own driveway.
Justin took it further. The value of AI in security operations isn’t replacing the humans in the loop. It’s multiplying what those humans can do: automating the manual click-work, surfacing what matters faster, running detection engineering at a scale a team couldn’t touch by hand.
“There’s never enough defenders,” Justin said. “They just never will be. And so you have to make the few precious resources that you have count. You’ve got to try to 2x, 3x, 10x them as much as you can.”
That’s the model Expel runs on. AI takes more of the mechanical work, the analysts take more of the judgment calls.
The platformization pendulum
The consolidation trend in cybersecurity is real, and MDR isn’t immune. Justin described it as a pendulum that’s been swinging for years: security leaders consolidate around platform vendors to cut cost and complexity, then peel back toward best-of-breed when the platforms can’t keep pace with new threats.
“The reason the pendulum swings back toward best of breed,” Justin said, “is because the technological advancements that happen, specifically in cybersecurity, happen faster than a lot of the platform players can build capabilities themselves, or find, acquire, and integrate those capabilities into their platforms.”
He compared the dream of a fully integrated security platform to the Apple ecosystem, where everything works together seamlessly. “It just hasn’t worked out that way in practice,” he said, “partially because there’s only a few companies in the world like Apple that can do that kind of thing really well.”
Rueben flagged the tension customers feel. Budget pressure pushes them toward consolidation, but they’re also watching for emerging categories that don’t yet live inside their platform of choice. Either way, the security team is the one navigating the trade-off.
Where the market goes from here
Justin’s prediction on the AI SOC shakeout is consolidation. Not all 40-plus players survive. Some get acquired. Some get absorbed into larger platforms hunting for a specific capability. A few break out and build real businesses.
“Probably at some point in the not too distant future, we’ll end up with a reasonably sane size of a market,” he said. “It’ll come about through acquisition, consolidation, and a few winners being declared.”
The MDR providers heading that way aren’t standing still either. They’re adding AI capabilities, giving customers more room to get hands-on with their own security operations when they want it, and stepping back when they don’t. Meeting customers where they are was Justin’s phrase for it, and it’s the clearest read on Expel’s direction.
Gartner’s Market Guide for MDR covers this same shifting landscape from the analyst perspective.
One thing security leaders should remember
Rueben closed simple. Change is constant, and security programs have to keep adapting. But you’re not adapting alone. The security community tends to look out for each other, and if you’re trying to figure out where MDR, AI SOC, or any of this fits for your org, it’s worth reaching out to others working through the same questions.
