Intelligence Scarcity: Underserved Cybersecurity Problems for AI Innovators

TL;DR: AI investment in cybersecurity is crowding into triage, automation, and agentic response, all of which assume a foundation most enterprise environments don't have. The foundational problems that have resisted solution for 30 years are exactly where AI changes the economics, and the enterprises that need them are already your customers.


As an advisor, part of what I do is help security organizations charter a vision of future capability: identifying what's worth building, what's worth buying, and what the market hasn't gotten around to selling yet. That last category is where this post lives: a practitioner's account of real problems, in real enterprise environments, that AI is well-positioned to solve and that nobody seems to be pitching in their visions of the future.

The thesis is in the title. Intelligence scarcity was the actual blocker: not the security logic, which has been understood for decades, but the ability to apply that logic continuously across an unstandardized, heterogeneous environment at enterprise scale. Human attention couldn't do it. AI can. What follows is a list of capabilities that product teams at MSSPs, EDR vendors, SIEM platforms, and SOAR vendors could be building right now to differentiate their enterprise offerings.


The visible layer is crowded. The foundation isn't.

Alert triage acceleration, agentic response, AI-assisted threat hunting: real capabilities, real value. All of them built on an assumption that the environment is properly instrumented, assets are known, and telemetry is trustworthy. That assumption only holds if the customer has made the deliberate choice to lock into a single vendor ecosystem. For organizations with any meaningful scale or longevity, diverse vendor integration is the reality, not the exception, and no downstream AI capability bridges that gap for them.

Adding AI to an unintelligible foundation doesn't produce intelligence. It produces faster noise.

The differentiation opportunity is one layer down, in the problems that have been partially solved for 30 years and never finished.


Problems worth solving

| Problem | What it is |
|---|---|
| Asset reconciliation at enterprise scale | Enterprise environments don't have one asset inventory. They have dozens: endpoint management, cloud asset APIs, network discovery, vulnerability scanners, CMDBs, and none of them agree. Human attention doesn't scale to reconciling that across Windows, Linux, Mac, containers, and cloud workloads in a single environment, let alone keeping it current. AI workers that normalize, deduplicate, and maintain a living asset picture across heterogeneous sources are the prerequisite for everything downstream. For any SIEM vendor already ingesting from those sources, this is a natural extension of what they're already doing. |
| SBOM and software inventory at runtime | Not what was declared at build time. What is actually running, right now, in that container, on that endpoint, on the Mac that IT doesn't fully manage. The gap between declared and actual is where risk lives, and it's also where compliance attestations quietly fail. AI-assisted runtime inventory that doesn't require a monoculture assumption is a direct capability extension for any EDR vendor with existing agent coverage across a heterogeneous fleet. |
| Adaptive hardening: the Tripwire/SELinux problem | Tripwire and SELinux have been technically correct answers to real problems for a long time. They're also notoriously painful to operate at scale, so organizations deploy them in permissive mode, where they do nothing, or skip them entirely. The operationalization never arrived. What's missing is an agent that learns what an application actually does at runtime, intersects that with what threat intelligence says is dangerous regardless of observed behavior, and applies what policy mandates, then derives and maintains least privilege from all three. EDR vendors are already on the endpoint. This is the next layer. |
| Adaptive local firewall policy | Policy derived from observed application behavior, continuously updated, proportionate in response to deviation. Not rules written by a human for every workload, maintained by a team that loses context every time someone leaves. The agent learns what traffic belongs and responds to what doesn't. Same agent footprint, different capability surface. |
| Intel translation at scale | The raw material is abundant: OSINT, threat feeds, Sigma rules, YARA signatures, community detection content. What doesn't exist as a managed capability is the translation layer that converts that content into deployable detections in the customer's specific stack, validating against the customer's actual data model, flagging where translation loses fidelity, and continuously ingesting new content as it's published. Detection engineers are doing this by hand or skipping it. Any threat intel platform or SIEM vendor with a detection marketplace is positioned to own this problem. |
| Policy observability | Customers find out policy wasn't being followed when an auditor intervenes or an incident happens. Neither is a good time to discover the gap. An AI agent that reads the customer's policy corpus, interprets intent, and observes what's actually happening in the environment closes that gap continuously, including surfacing aspirational controls that cannot in practice be followed in a profitable business. Your SIEM, SOAR, and response layer can tailor findings to how the customer actually operates rather than to a generic policy baseline. That custom fit is a real differentiator in enterprise sales, where every environment is different and everyone knows it. |
| MSSP environmental compatibility | Every MSSP sells standardization as a feature. What it actually means is that the customer gets reshaped to fit the service. Build the intelligence layer that meets each customer environment where it is, learning their telemetry, their naming conventions, and which assets are sensitive in their specific context. The accumulated environmental context becomes the moat. Enterprise organizations don't churn infrastructure. You're not selling a service. You're becoming infrastructure. |
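The asset reconciliation row describes the mechanical core of the problem: normalize identifiers from sources that disagree, decide which records are the same machine, and keep track of which sources know about it and which don't. The following is an added example of that core, not code from this post or from any vendor's product. Every record is constructed, the four source names and their field names are hypothetical, and the merge rule (any two records sharing a normalized hostname, MAC, or IP are the same asset) is a deliberate simplification; IP addresses in particular are a weak identity key in DHCP and cloud environments and would need time-bounding in practice.

```python
"""Reconcile asset records from several disagreeing sources into one inventory
that records which sources know each asset and which do not. Added
illustration, not the post's or any vendor's code; every record below is
constructed and the field names are hypothetical."""
import re
from collections import defaultdict

# Constructed exports from four hypothetical sources. Note the inconsistencies:
# mixed case, FQDN vs short name, three MAC notations, one host nobody else knows.
SOURCES = {
    "endpoint_mgmt": [
        {"hostname": "WEB-01.corp.example", "mac": "00:1A:2B:3C:4D:5E", "os": "Windows"},
        {"hostname": "dev-mac-7", "mac": "AA-BB-CC-DD-EE-01", "os": "macOS"},
    ],
    "cloud_api": [
        {"instance_id": "i-0abc", "private_ip": "10.0.1.10", "tag_name": "web-01"},
        {"instance_id": "i-0def", "private_ip": "10.0.1.11", "tag_name": "api-02"},
    ],
    "vuln_scanner": [
        {"ip": "10.0.1.10", "fqdn": "web-01.corp.example", "mac": "001a2b3c4d5e"},
        {"ip": "10.0.1.11", "fqdn": "api-02.corp.example", "mac": ""},
        {"ip": "10.0.9.50", "fqdn": "", "mac": "00:11:22:33:44:55"},
    ],
    "cmdb": [
        {"ci_name": "web-01", "owner": "platform"},
        {"ci_name": "dev-mac-7", "owner": "engineering"},
    ],
}


def norm_host(name):
    """Lower-case and strip the domain so 'WEB-01.corp.example' and 'web-01' agree."""
    return (name or "").strip().lower().split(".")[0]


def norm_mac(mac):
    """Reduce any MAC notation to 12 lower-case hex digits; '' if not a MAC."""
    digits = re.sub(r"[^0-9a-f]", "", (mac or "").lower())
    return digits if len(digits) == 12 else ""


def identity_keys(record):
    """Identity keys present in one record. IPs are a weak key (DHCP, reuse);
    a production reconciler would time-bound them. Kept simple here."""
    keys = set()
    host = norm_host(record.get("hostname") or record.get("fqdn")
                     or record.get("tag_name") or record.get("ci_name"))
    if host:
        keys.add(("host", host))
    mac = norm_mac(record.get("mac"))
    if mac:
        keys.add(("mac", mac))
    ip = record.get("ip") or record.get("private_ip")
    if ip:
        keys.add(("ip", ip))
    return keys


def reconcile(sources=SOURCES):
    """Union-find over records: any two records sharing a key are the same asset."""
    records = [(src, identity_keys(rec)) for src, recs in sources.items() for rec in recs]
    parent = list(range(len(records)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    first_seen = {}
    for i, (_, keys) in enumerate(records):
        for key in keys:
            if key in first_seen:
                parent[find(i)] = find(first_seen[key])
            else:
                first_seen[key] = i

    groups = defaultdict(list)
    for i in range(len(records)):
        groups[find(i)].append(i)

    assets = []
    for members in groups.values():
        keys = set().union(*(records[i][1] for i in members))
        seen = {records[i][0] for i in members}
        hosts = sorted(v for t, v in keys if t == "host")
        assets.append({
            "name": hosts[0] if hosts else "unknown",
            "identifiers": sorted(keys),
            "seen_by": sorted(seen),
            "missing_from": sorted(set(sources) - seen),  # the coverage gaps
        })
    return sorted(assets, key=lambda a: a["name"])


if __name__ == "__main__":
    for asset in reconcile():
        print(asset["name"], "seen by", asset["seen_by"], "missing from", asset["missing_from"])
```

Run on the constructed data, the four sources collapse to four assets: web-01 is known everywhere, dev-mac-7 is absent from the cloud API and the scanner, api-02 has no CMDB or endpoint-management record, and the scanner-only host at 10.0.9.50 has no name at all. The `missing_from` field is the part worth keeping: it is the list of gaps that a living inventory has to re-evaluate every time any source produces a new export.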

None of these problems are new. The security logic behind them has been understood for a long time. What was missing was the ability to apply that logic to an environment that doesn't cooperate: heterogeneous, unstandardized, constantly changing. That's the intelligence scarcity the title refers to. AI closes it.
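The intel translation row in the table above names three things a translation layer has to do: map community content onto the customer's data model, flag where that mapping loses fidelity, and validate the result before it is deployed. The following is an added example of that loop for one Sigma-shaped rule, not code from this post or from any threat intel or SIEM product. The rule, the customer field map, the sample events and the output query dialect are all constructed for the example; the rule is encoded as a Python dict rather than YAML so it runs without extra libraries, and only Sigma's single-selection AND condition and three string modifiers are handled.

```python
"""Translate one Sigma-shaped detection rule into a customer's field names,
flag where the translation loses fidelity, and validate the result against
sample events before deployment. Added illustration, not the post's or any
vendor's code: the rule, field map, events and query dialect are constructed."""

# Constructed rule in Sigma's general shape ("Field|modifier": value).
RULE = {
    "title": "Encoded PowerShell launched from Word",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": "-encodedcommand",
            "ParentImage|endswith": "\\winword.exe",
        },
        "condition": "selection",
    },
}

# Hypothetical customer data model: Sigma field -> customer field, per logsource.
# ParentImage is deliberately absent: this customer's agent does not record it.
CUSTOMER_FIELDS = {
    ("process_creation", "windows"): {
        "Image": "process.executable",
        "CommandLine": "process.command_line",
    },
}

SUPPORTED_MODIFIERS = {"equals", "endswith", "contains"}


def translate(rule, field_map=CUSTOMER_FIELDS):
    """Return {'query', 'flags', 'matches'}; 'matches' is the compiled predicate."""
    ls = rule["logsource"]
    mapping = field_map.get((ls.get("category"), ls.get("product")))
    if mapping is None:
        return {"query": None, "flags": ["no mapping for this logsource; not deployable"], "matches": None}
    flags = []
    if rule["detection"].get("condition") != "selection":
        flags.append("only the single-selection AND condition is handled here")
    clauses, checks = [], []
    for spec, value in rule["detection"]["selection"].items():
        field, _, modifier = spec.partition("|")
        modifier = modifier or "equals"
        if field not in mapping:
            # Dropping a condition keeps the rule deployable but widens it.
            flags.append(f"dropped condition on {field!r}: field absent from customer model; rule is now broader")
            continue
        if modifier not in SUPPORTED_MODIFIERS:
            flags.append(f"unsupported modifier {modifier!r} on {field!r}; condition dropped")
            continue
        target = mapping[field]
        clauses.append(f'{target} {modifier} "{value}"')
        # Sigma string matching is case-insensitive by default, so compare lower-cased.
        checks.append((target, modifier, value.lower()))
    if not clauses:
        return {"query": None, "flags": flags + ["no deployable conditions left"], "matches": None}
    return {"query": " AND ".join(clauses), "flags": flags, "matches": _compile(checks)}


def _compile(checks):
    """Build a Python predicate equivalent to the emitted query, for validation."""
    def matches(event):
        for field, modifier, needle in checks:
            actual = str(event.get(field, "")).lower()
            ok = {"equals": actual == needle,
                  "endswith": actual.endswith(needle),
                  "contains": needle in actual}[modifier]
            if not ok:
                return False
        return True
    return matches


# Constructed events, already in the customer's field names: one true positive
# and one benign administrative use of PowerShell.
SAMPLE_EVENTS = [
    {"process.executable": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "process.command_line": "powershell.exe -NoP -EncodedCommand ZQBjAGgAbwA="},
    {"process.executable": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "process.command_line": "powershell.exe -File C:\\scripts\\deploy.ps1"},
]


def validate(translated, events=SAMPLE_EVENTS):
    """Which sample events the translated rule fires on; [] if not deployable."""
    if translated["matches"] is None:
        return []
    return [translated["matches"](e) for e in events]


if __name__ == "__main__":
    out = translate(RULE)
    print(out["query"])
    for flag in out["flags"]:
        print("FIDELITY:", flag)
    print(validate(out))
```

The flag is the point. Because the customer's agent does not record the parent process, the ParentImage condition is dropped and the deployed rule fires on any encoded PowerShell command line, not only on one launched from Word; the first sample event matches even though nothing in it says Word. A translation layer that reports that widening, and shows the detection engineer which sample events it now catches, is what turns a community rule into a detection the customer can reason about. A layer that silently emits the narrower query is the "faster noise" described earlier.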

The enterprises that need these capabilities are already your customers. The question is whether your product roadmap reflects what they actually need or what's easiest to demo.
