Fourteen years ago I started an AI company. Back then, telling an enterprise that a model should touch their most sensitive decisions was a conversation that took years. I watched that resistance dissolve, and not because anyone was argued out of it. The work got so much better that the old way stopped making sense. I have seen, up close, what happens when AI is finally allowed into real work.
It is happening again in cybersecurity, and I don't think most people have internalized what it means.
Here is the claim, plainly: within a few years, the best security teams will be engineering teams. They will build and operate fleets of agents instead of watching alerts. The defender's job changes from doing the work to designing the loops that do the work, then judging the output.
Two roles emerge from this. One is engineering: people who run the agent fleet, improve its accuracy, challenge it, sample its work, catch its mistakes. The other is judgment: analysts who handle the exceptions the agents escalate, operating at a higher tier because the tactical drudgery never reaches them. The alert queue as a job description disappears.
That is a bigger change than "AI is coming to the SOC." It changes who you hire, what you buy, and what a security organization even is.
Why this isn't SOAR again
Anyone who has been in this industry for more than five minutes is now thinking about SOAR. We were promised a platform, we were told our teams would build on it, and we ended up with graveyards of half-maintained playbooks that nobody wanted to own.
That failure was real, and the reason for it is specific: playbooks are brittle. A playbook is a rigid chain of assumptions about your environment. It is 100% fine until an API changes, a field gets renamed, or a vendor gets swapped. Then it is 100% dead. Silently. The failure mode of a playbook is a cliff.
Agents don't fail like that. An agent that encounters a renamed field reasons about the renamed field. An agent that meets a tool it hasn't seen reads the tool. Its performance sags instead of snapping, and you can see the sag and fix it. That single property is the difference between infrastructure a team abandons in eighteen months and infrastructure a team builds a career on.
Brittleness is what killed automation in security. And brittleness is gone.
What defenders actually need
If defenders are going to build, they need something to build on, and that thing does not currently exist in this industry.
Cybersecurity is knowledge work about a system nobody can see all of at once. For thirty years the answer was more screens: another dashboard, another console, another query language. Agents collapse most of that into a conversation and a loop.
What replaces the screens is a runtime for agents, the environment where they actually live and work. That is what Beacon is. A runtime worth the name requires three things.
First, context that is legible to a machine. Security telemetry was built to be read by people. It is inconsistent, unresolved, and scattered across a dozen vendors who each think they're the center of the universe. An agent reasoning over that mess produces confident garbage. Fusing that telemetry, pre-resolving entities, normalizing and enriching it continuously: that is the agent's senses.
Second, an open harness. A place where an agent can run, connected to everything in your estate, where your team writes the tradecraft (the skills and judgment only you have about your environment) and the agent picks it up. If the harness only does what the vendor imagined, it isn't a harness. It's a feature list.
Third, a low enough floor to actually start. Some things you should never have to build. You want a detection-engineering agent on day one, not a project plan. So we ship agents out of the box, tuned by people who spent their careers on the offensive side and in nation-state defense. Use them as-is, use them as reference, or take them apart and make them yours. The out-of-the-box agents are the on-ramp. The harness is the destination.
Easy to implement. Open. Flexible. Those three words are the entire bet.
Why the incumbents can't hand you this
The SIEM was built for humans, priced for a world where you thought carefully before ingesting anything, and architected on the assumption that its own console was the point. Agents violate all three assumptions at once. They want everything connected, they want to read broadly and cheaply, and they don't want a console at all.
The platform vendors will do an excellent job inside their own ecosystems. That's not a knock; it's how those companies make money. But your estate is not inside anyone's ecosystem. The connective layer between everything you own cannot be owned by one of the things you own.
Every vendor in the industry now says "agentic," so here is a test you can run on any of them, us included. Does the system learn and improve from your use of it, or does everyone get the same thing? Is it becoming part of the fabric of your organization, or are you consuming insights generated by someone else's agents? Can it do things its vendor never anticipated, the way Claude or ChatGPT can, or only what's on the roadmap? A SaaS product with an agent attached fails all three questions. Hold us to them too.
What this looks like today
One of our customers is growing at a rate that would break most security organizations, with a security team small enough to fit around one table. They left their SIEM for Beacon and a lake, then automated the actual work, not one showcase workflow: detection engineering, threat hunting, triage, then a widening set beyond those, brought online as fast as they could think of them.
A handful of people now operate across a surface area that would have taken an organization ten times their size, because they were handed the infrastructure and they built. Their time goes to the risks. The plumbing takes care of itself.
What comes next
We just raised $13 million in seed funding, led by Notable Capital, joined by Holly Ventures, AlphaDrive Ventures, SVCI, Jefferies Family Office, and more than sixty founders and CISOs who have lived this problem themselves. Our ARR grew over 300% in the first half of this year. I mention this because it means we get to build faster, and there is a great deal to build.
Sensors aren't going anywhere. Neither is enforcement, and intelligence will keep arriving from a dozen directions. What is up for grabs is the layer that connects all of it, the place where a defender's context, tools, and agents come together and work. That layer is the one we intend to win.
To my co-founders Or and Iddo, and to the team: this thesis was a conviction long before it was a company. To our customers, who bet on us early and then showed us things about our own product we hadn't imagined: thank you.
The defender's job is changing. We're building what it changes onto.
---
Beacon is the agentic security platform that security teams run on and build on. If you want to build the future of cyber defense, we're hiring.

