Episode
05
May 2025

Everyone’s Selling AI – But Who’s Actually Solving Real Problems?


Episode Description

In this episode, we get into why saying you’re “AI-driven” means nothing, what CISOs actually care about, and how VCs like Vivek help filter out the noise. It’s an honest conversation about where GRC is heading, and how we get there with a little more clarity.

Guest appearance

Vivek Ramaswami
Partner, Madrona

Vivek Ramaswami is a Partner at Madrona Venture Group, investing in enterprise software, cloud, data tools, and fintech, with portfolio highlights like SentinelOne and HashiCorp.

"You really have to come in with a bit of a sharper lens… because yes, there’s a lot of hype around AI. At the same time, there’s only a handful of companies or a handful of products that we think are really cutting through the noise."

Transcript

Vivek is a partner at Madrona and one of the sharpest VCs in the U.S. specialising in security and AI. A few weeks ago, Vivek dropped a post that lit up LinkedIn, calling out the wave of AI-powered SOC analysts on what's real versus what's just noise. With investments across security ops, AI infrastructure, and early stage companies, Vivek sits in a rare position between founders pitching the next big thing and CISOs trying to cut through the hype.
In this episode, we will get into why saying you're AI-driven means very little, what CISOs actually care about, and how VCs like Vivek help filter out the fluff and answer the question, who is actually solving the real problems? So Vivek, great to sit down with you today. How are you doing? I'm doing great. James, thanks so much for having me.
Good to hear. Let's crack on with some questions because I really think this will be very interesting. So when we start with AI and security as a reality check, we're looking at your LinkedIn post and it called out a trend that we've all seen lately.
Vendors rushing to say that they've built the next AI-powered something. So what's made you speak up about specifically? Yeah, so it's interesting. I would say, anyone who was at RSA a couple weeks ago would see that I think the word AI was more prominent than the word security.
So it was the trend. It's been the trend for the last few years where every security vendor is rushing out to say that they have some AI-powered solution or they're AI native or they're doing something with the AI. So whenever everyone's saying that they're doing something with AI, you really have to come in with a bit of a sharper lens.
And look, I understand why, right? I mean, we've been talking about this at Madrona for several years now. We have an AI conference we've been putting up, even pre-ChatGPT and all this. It's a real trend.
There's incredible technology out there. There's builders who are building things that we couldn't even build five years ago across a number of different domains, not just security, but in cloud infrastructure and vertical applications and horizontal applications. Now, the difficult thing is when you have every security vendor rushing out to say they have AI, it becomes very confusing for CISOs and for buyers.
And they in fact get sceptical, right? They go from, hey, this is a really cool solution to like, wait, is what you're selling me or pitching me really what I'm going to be using? And so the point of this article that we wrote was saying, how do we separate the hype from reality? Because yes, there's a lot of hype around AI. At the same time, there's only a handful of companies or a handful of products that we think are really cutting through the noise and building something that's going to be really special. And it's going to stand the test of time five to 10 years out.
And the last thing I'd say on this is that, you know, security already is a very crowded market, right? If you're even pre-2022, if you're coming to RSA, you would see that there are so many security vendors for every, you know, level of security, app sec, data security, cloud, you know, you go down the list, there was five to 10 to 20 plus vendors, startups all the way to big companies. And I think that's just become even noisier in this AI landscape. But our view is that there's going to be an incredible set of businesses that are created and being formed that are going to be $10 billion plus sized companies if they do it the right way and they solve customers' actual problems.
So that's how we sort of look at what's real versus what's fake in AI. I know we'll get into some of this, but that was setting the stage of why we thought it was important to put a piece out there that just said, AI is great, everyone's going to talk about it, but only some of it is actually real. Very clear.
Thank you. And you mean you're a top VC in the home of tech in San Francisco. How are you evaluating first as a business, but maybe also as an individual yourself, what's hype versus what's real when looking at new AI driven security tools? Is there a way or you sort of figuring that out day to day right now? It's, you know, it's we're figuring it out with everybody else.
We think that there are some ways that are, that we think are more scientific in nature or that we think we can start creating templates for, but we're also figuring it out. And so what I'd say is one, you have to separate the role between early stage companies and products, and then more growth stage companies and products. I think the other, you know, the other lens we look at things is AI or LLM native companies and what we call AI and LLM enhanced companies.
So, you know, to give you an example, I think in the, you know, we're not investors in these companies, but in the email security world, you'll have something like, you know, Abnormal Security, which is, or if you go even further, you know, before that, you've got Proofpoint and Mimecast and, you know, these, these email security products that were built 5, 10, 15, 20 years ago. And then you have something like Abnormal, which kind of came around pre LLMs and did a fantastic job of getting to, you know, 100 million plus revenue by building a really great product that people actually use in email sec. And then now you have LLM native companies, like, you know, Sublime Security, which is a cool company that made a lot of noise during RSA.
And they actually are built on top of AI models where they can, you know, they can, they can filter out emails, they can help, you know, security administrators inside of companies actually do a lot of, you know, more sort of customisation around what they can filter out. And it's no longer a black box. And they can actually use all these interesting security engines and detection rules to weed out email.
So what we're seeing is like, okay, can you do that with the LLMs with models with AI? Are you building a product that is utilising this new technology in a way that you couldn't even have built five years ago with machine learning models? So I think that's number one is like at the product level, what are you doing? I think the other axis to look at is, you know, what is the product and the company servicing the customer for? So it was interesting, I'd say after OpenAI launched, you know, GPT-4, and, you know, after ChatGPT came out, I think there's a lot of companies that were going after, how do we secure the model? So it was like security for AI, right? How do you secure the model? How do you secure the data that's going inside and outside these models? JPMorgan Chase talked about, you know, how everybody was using ChatGPT inside the organisation, but like, they didn't actually allow people to use ChatGPT, right? Because they didn't want people's bank information and credit card information filtering through, you know, an employee just kind of randomly using ChatGPT. And so I think it was a very smart, you know, initial move to say, okay, well, you know, models are great, you know, chatting with the model is great, and we need security for that. I think what I'm seeing now more, and I personally believe is a bigger opportunity, is not just securing the model, but using the models for security, right? So the spin on that is how do you use AI to do all the things that organisations need for security? And so that's email security, that's how do you supercharge the SOC analyst, invest in a company that is basically helping create a new way of doing security awareness training.
So there's like an old school way of doing security awareness training. Once a quarter, you watch this 10 minute video, and then you go off. And guess what, it doesn't matter how much, you know, data and cloud and network security you have, if an employee, you know, presses the wrong link, then all of that is for naught, right.
And so what I'm interested in seeing is how are founders thinking about using this technology to either reimagine existing security spaces, or think of entirely new ones, right? And so that's how I evaluate early stage founders, and how I can, you know, we always have to use the lens of like digging in, what are you really using AI for? And then the second part of that is, I think for growth stage companies, it's actually a little bit easier in a way, right? Because if you have customers, I know we'll talk about this at some point, to me, we even kind of stopped talking about AI with growth stage companies, it's are you delivering a service that customers like, at the end of the day, a lot of customers actually don't really care about AI, CISOs don't really care about AI. They're just like, are you solving the need that I have? Now, if you can use AI, and you can use models, and you can use, you know, all of the tools at our disposal now to do that, I think it's great. And I think that's where the opportunity lies.
But at the end of the day, we always go back to, are you solving a real problem? What's the vision of the founder? And those two things is what we believe can help be the start of a great company. So I think the interesting thing here is you're looking at, not just positioning, but what the core of the company is looking to achieve, right? So you've said companies need to lead with their value, not necessarily AI. And obviously, we're seeing AI as the buzzword now.
So diving a little bit deeper, what's your advice to founders trying to sell into security teams, or even looking to grow or get off the ground? What's your advice to them regarding that value? Yeah, I think you have to sell the value. I think if you are talking to a CSO, if you're talking to a security practitioner, you know, most of them can see through the bullshit, right? If I, you know, excuse my language there. But like, I say this because you see a lot of BS at an RSA, and you see a lot of noise, and I get it, like, you have to find a way to stand out.
But I think when you go and you talk to a customer, the number one thing is, they have very specific needs. They often, most of these CSOs are understaffed. They don't have enough budget.
It's they're getting reached out to by hundreds, if not thousands of vendors. And so my advice to our founders, and what I'm really excited about is when I see companies that say, Hey, yeah, we have AI, that's all great. But we can actually deliver a product that's going to solve your problem, either help you with time savings, help you with cost savings, more importantly, help secure your environment.
If I was a, you know, a cloud security or data security company, I'd be selling that promise. Like, I think what Wiz did incredibly well is they didn't go around and just talk about AI. Now, of course, on the website, and all this, you'll see some mention of AI, they're like, we're going to be the easiest possible way for you to set up cloud security, which is something you fundamentally need in this new environment.
Right? And so you make it really seamless, you make it really fast, they could do it in a way that was cheaper and easier than several other, you know, CS, cloud security products, and cloud security posture management products that came before them. Right? So that's when I say value, the value is speed to implementation, the value is, are you actually protecting the environment? Okay, you know, are you doing it in a way that's economical and feasible for the buyer? And can you do in such a way that it's not a huge lift for the CSO, they don't want to have to be managing 30 different products, they want to be able to put something into the environment and not have to think about it too much. And so I think like being able to use those words, you notice I never used AI, right? These are fundamental business concepts that have been helping since Oracle probably sold their first database, you're going even further before that, right? The technology will always change.
I think tech is always changing. And that's what's fun about, you know, my job and our jobs and being in this, you know, in this environment is things are always, there's going to be something else people get hyped up about in 10 years. But at the end of the day, if you really want to build a company, sell solutions, I think you and especially in security, you really have to pitch why you are solving the problem.
And then you can always say AI is helpful, and I've got a new way of doing it, AI might make me faster, cheaper or better. But those are the things that matter. It's not the AI part, it's how are you delivering value.
So that would be my advice to founders is use those words more. Now, of course, when a VC is asking, how do you do it, then you might talk about AI. You know, I think, you know, pretty much every startup is using AI, every company's figuring out how to use AI, you might be using it, not just in your front facing product, but on the back end, too, right? If you have engineers, your engineers are probably gonna use Windsurf or Cursor, right? If you have designers, they might be using some next gen AI design tool, you know, and so I think that there's ways to incorporate AI throughout your whole business.
And I think that's going to make companies better than a company that's not using AI. But I would deliver with the value and or I would sell with the value of what you can deliver as opposed to selling with AI. It's interesting, you've touched on two things here, Vivek.
One is what you saw at RSA, and then also what you're seeing as companies are pitching or talking to potential customers. And it seems that with AI, at the moment, because it's such a shakeup of the industry or of the market, especially around cyber, is that you're hearing of what you think companies want to be saying to their customers. And really, there's therein lies the panic to maybe scare maybe strip back a little bit and focus on AI as added value eventually.
But still really, the value is what are you doing? Why are you better than everybody else? What is your true value over time? And how can you help the end user and then bring in AI at the later stage? That's my feeling. And I see this with a lot of, you know, brilliant and incredible early stage founders, especially technical founders, right? They are, you know, they're, they're so wrapped up in what they're building. And I understand why, you know, they come up with this incredible solution often, they've come from an engineering background, or this is a problem they've been working on.
And so the way that it comes out is all about what they've built, right? But from the CSO angle, from the security buyer angle, or really from any buyer line, I would say this, even in CROs and in other functions, and which means us too, they're really trying to hear what's the value, what value you're providing to me, like all your AI stuff, okay, you used a combination of cloud and for a cloud and for Oh, and you've also used some open source models, and you use some Llama, like all of that is great. But at the end of the day, what are you doing for me, right? Like, what value are you delivering for me? And I think that that's where you can start to see founders evolve. And I think the really incredible founders not only have great technical depth and understand the technical differentiation with their product, they know how to sell too, right? We always say like, you know, you have to build the product, and then you actually have to sell it.
These are for companies we invest in, right? These are venture backed companies. And so I think the really incredible founders are the ones who can marry the two of them. You know, why have I built something differentiated? But how do I deliver it in a way that if I'm talking to a CISO, I'm talking to CISO of Disney or Kraft or, you know, all that, they're dealing with a million different things, right? They're managing people, they're managing systems, you're managing processes, they're managing up, they have a board to report to often, right? And a CISO job is not hard.
Oh, sorry, she says CISO job is not easy. It's the threat of hacks. We see this all the time.
You know, and now they're beholden to a board and to the rest of their executive team, where they're dealing with a lot. And so when I think a founder has the ability to pitch them and get in front of them, it's better to sell the solution. Now, of course, they may ask, how do you do it? Right? And can you do it in a better way than my existing platforms? I'm already using CrowdStrike, right? I'm already using Microsoft Defender, I'm already using this.
Why is this better? Then, you know, you can show maybe because of the way they've built it, because of the way they've architected it, architected the way they've thought about it, they can deliver it in an interesting way. And so, one of the kind of clear examples on this is that the blog post we wrote up was on AI SOCs, right? And like, so AI for the Security Operations Centre. And, you know, in talking to customers, you'll hear them say, well, hey, look, the problems that I'm dealing with is not AI related, it's that my SOC turnover is really high.
It's that there's a lot of burnout at the security analyst level, especially for, you know, L1 alerts. There's just, you know, not enough budget for me to hire the number of people I need. So I hear all this about AI, that's great.
But then the, you know, the company is like a Dropzone, for example, that we're, you know, we're not investors in, but certainly excited by like, they are saying, we're going to put an agent inside. It's like the way they sell it is like saying it's like having a software intern, it's like having a security intern come and sit inside your organisation. And it's one third the cost of what you pay a SOC analyst for, but they'll work 24/7, right? That's selling the solution.
That's saying you have a security need right now, you have a labour shortage, and we're going to fill that labour shortage. Now, they're using AI, they're using agents, they're using all that cool stuff, but the way they deliver that is the interesting part, right? So that's what gets us excited. Like, yeah, building a great product, you need to build a great product, right? You can't differentiate at some point without building a great product in most cases.
But I think that in order to scale, in order to get distribution, you have to be able to sell the solution. And so that's how I, I that's, you know, when I look at RSA, and when I'm there, I'm like, who's selling the solution, like who versus who's just saying, I'm AI for X, I'm AI for Y. Very good advice. I think moving on from AI.
I know you've got an advisory group of CISOs. What are they telling you right now that they actually need? What is that? What are you hearing from, I guess, CISOs well placed in the tech and cyberspace. Yeah, it's, it's interesting.
I, you know, so we've got a group of about 15 or 16 CISOs. It's a terrific group. We started this about a year and a half ago.
You know, we've got folks all the way from large public companies to, you know, even some high growth private companies, just just really terrific, you know, security leaders who have been around for a long time. I would say there isn't any one thing. What I do hear is that from the large security, or for the large companies, this uses large companies, they're not even thinking all the way down to this like granular AI level.
They're just like, we're still in the middle of, of moving from on prem to cloud, you know, and so like, we're still doing digitisation of all of our workloads. And so, you know, Wiz was like the first cloud security product that we used, right? And then now they're starting to look at, you know, one or two other solutions. So they're not even at the point yet that they're thinking, really thinking about, or they can really buy these like very hyper specific, you know, AI solutions or model AI companies and things like that.
They're like, we're not even there yet, right? I think for the ones that are smaller and higher growth, they're aware of a lot of these vendors and a lot of these companies. But they're still figuring out like, what do I actually need today versus what do I not need? I would say that the SOC analyst part is interesting. Like that's something I do hear, because whether it's an AI SOC, or even using a managed detection and response company or going off to MSSP, like alert fatigue is a real thing.
So, like at the basic level, you know, a lot of these CSOs who are dealing with tonnes of alerts, or just trying to figure out how do I triage these alerts better, because it's an important part of my business, like, I need to make sure I'm dealing with that appropriately. And so I think that is an area that's ripe for disruption. And that could come from, you know, there's a lot of companies are trying to attack that right now.
But that's a real problem that CSOs are dealing with. Another one is on the data security side, right? And so it's not just for AI models, but people are just trying to say, like, okay, I'm dealing with all this data that's coming in, I need to figure out, how do I secure that data? How do I make sure that I can mask it appropriately and anonymise it, whether it's credit card data, or, you know, or healthcare data, or, you know, anything that's like private and confidential. Because right now, like every CEO and every executive team is saying, where's our data? Where's our data reside? You know, what's going on there? And so I think that's number two.
The number three is phishing. You know, I think especially, you know, because of what we're seeing with AI and deep fakes, that's like, you know, we talked about how AI is a solution. The other part of it is actually is creating a bigger problem for CSOs, because you have way more phishing attacks, you have way more deep fakes, you have way more AI generated malware.
And so what used to be like you might get, I don't know, 20 phishing attacks a month, you know, now you might get 10,000 because it's just so easy to create this, you know, the phishing attacks and create this malicious content that you can just start bombarding companies with it. And we're seeing that happen. And that's why, probably why we invested in this company, Anagram, to help, you know, businesses deal with that and secure themselves against it.
So I would say those are three of the big ones, like SOC analyst fatigue, that's a labour shortage problem, data security, that's more of a business problem, and then phishing, that's more of the, you know, you can call it an AI problem, but it's just it's become such a big problem that every CSO is trying to figure out how do I deal with it. Because one hack gets you on the front of the Wall Street Journal. And that can be detrimental, not just for the company internally, but for the company externally, too.
And we saw that with, you know, T-Mobile attack, you know, several years ago, we saw that with Snowflake, we saw that with Gmail more recently. So those are the things I'm hearing from CSOs is how do I make sure I can keep off the front page of the Wall Street Journal, protect my employees appropriately? You know, how do I do that? Well, it's a lot for I mean, just looking from a CSO perspective, a lot for them to take on, prioritise, manage day to day, look at the day, get into the day to day weeds, but also manage the bigger picture. So I can understand many of those challenges, even from my role and in my company.
And just touching on something you mentioned beforehand, because I think it's interesting. You said there's a gap between essentially cloud native startups and large enterprise, and you said still running on prem. So I guess what does that disconnect look like, really? But also from your perspective, are we talking about that founders are too far ahead of the market, really, at the moment, or are you just saying that the company is still fighting a more established fight? I think it's more that there is a gap in the market in terms of the perception of how far along some enterprises are and where they really are at, right? I think a lot of especially I'm talking at the large enterprise level for companies that have been around for 20, 30 years, they're many of them are still in that transition, right? So you can pitch them all the next gen super niche AI solutions you want.
At the end of the day, they're figuring out how do I go from on prem to cloud? How do I bring in the basic building blocks of network security, firewall? And I think that's helpful for founders to know, because it's not saying that you can't sell them to them. You might not be able to sell a solution today, but get to know them early, figure out their problems, and as they go through the evolution, then it may make more sense for them to bring in like a next generation of AI for an extra generation of firewall. For many of them, they're like, I'm using Microsoft, I'm using Palo Alto, I'm using CrowdStrike, that's what I'm using, right? They're not even thinking like, let alone late stage startup, forget early stage startup.
So I think it's one of those things where it's always good to get on the radar of big companies, but just be empathetic to the problems that large enterprise users are dealing with versus companies that are a little bit more early stage or companies that are cloud native from the get go, right? Selling to a GitLab is going to be different from selling to Pfizer, right? And it's not just the account size, but it's what can their environment handle and what are they looking for and all those kinds of things. The reason I also differentiate between the cloud native and the AI native and non-AI native companies is because it's important to think about like, how do I have to architect my own infrastructure and my own product in order to sell something that the market wants, right? So we see this in other sectors like Figma, like they had their design conference last week and they're talking about all these new products that they've been rolling out because they know if they don't do that, it's going to be very hard to compete with the AI native companies that are building this from the ground up. And so I see that with security companies all the time too.
And I think, yeah, going back to the original point, it's important for, I think, security founders to understand who they're selling to, what their problems are, where they are in the evolution of things, and not get too ahead of their skis in terms of saying they're still building blocks, like basic building blocks they have to put in place first before selling the kind of shiny AI ball or whatever the new thing is on the block. So I think good advice to both established companies and startups there, Vivek. For me, one of the things that is interesting for on our end is how startups stand out when pitching or talking to enterprises.
What is your advice for startups to stand out? You've given good advice on how to win the long game, but how would you get noticed as a startup? Yeah, I think there's a lot of ground game you have to do. I think some of the companies that I've seen that have done a really good job of just getting in front of enterprises, they use their network to get in front of CISOs. How do you know somebody who knows somebody who can get you in front of the CISO? And again, it's just pitching a solution that makes sense for them.
And I've seen people use your VCs, use your board, use your investor network, use your friends' network, use your company's network. I've seen a lot of success from, again, I go back to one of our companies, Anagram, their founder got their first five or six enterprise logos just by sending LinkedIn messages to the CISO saying, this is the problem you have, and here's how we can fix it. That's so compelling for CISOs, especially when they're getting inundated with all these emails saying, oh, we have this AI power or whatever.
They're just like, okay, I have this problem. How do I fix it? How do you figure out what the problem is that the CISO has before you even talk to them? What research can you do? What telemetry can you get that allows you to figure out what the CISO is looking for and what the CISO needs before you sell to them? And so that's like, have they gone and done interviews? Have they said something in RSA about a certain product or problem they're having, and how do you creatively find a way to get in front of them to actually deliver some value? So I'm not saying it's easy, it's really difficult. And also, you can pick your spots.
If you're selling an enterprise solution, I wouldn't focus on SMB because it's not going to resonate the same. If you have an SMB or mid-market product, then focus on that segment and see who you can get in front of and who you can actually show you can deliver value to. So I think it's a combination of being able to hustle, being able to get in front of CISOs.
I talk a lot about CISOs. The levels one or two under a CISO are also really great entry points. Because remember, the CISO is dealing with a lot.
Sometimes you have a VP of security or head of security that's actually far more in touch with what these new products and companies are in startups what they're doing. And so I often say target that segment too. I've seen a lot of founders do dinners for heads of security.
You bring people in a room and just say, what are your issues? What are the things that you're talking about? The question James, you asked about what are the problems CISO is dealing with. Sometimes for a CISO advisory group, I don't want to pitch anything. I'm just like, you guys need a forum.
You all need a forum to talk. This is a forum you can talk and exchange ideas. And I think through that, you can start to hear, okay, here are the problems they're dealing with.
Here's the issues they're dealing with. Here's the products they've tried that may not have worked in the past. And then over time, you can start to insert your own product and think about how you can enhance your own product.
But I think community is really big for security teams. I think that like being able to show some kind of solution versus just saying, here's what I'm building without any context is really
