 | Shay Sandler Founder & CEO, Vega Security |
We’ve spent the last decade patching around the legacy SIEM. Bolting on orchestration, automation, data pipeline filters—anything to avoid admitting the foundation doesn’t work. And every year we hear the same thing: one more optimization round and we’ll get there. We won’t. And I think most of you reading this already know that.
It’s 2026 and we’re still doing the same things. Filtering data sources. Suppressing fields. Capping ingest at some arbitrary threshold so licensing costs don’t spiral. You end up with a security program that sees maybe half the data it should. And that’s not because the telemetry doesn’t exist, but because it costs too much to look at. Every CISO I talk to knows this is the situation. Most have accepted it as normal. It’s not normal. It’s a failure of the architecture.
And at this point, expectations have completely changed. Boards want AI across the organization, security included. CISOs are being asked to deliver autonomous triage, natural-language investigation, detection that actually scales with the threat landscape instead of with headcount. These aren’t roadmap items anymore. People are being measured on this today. And if you’re honest with yourself, you know there’s a gap between what you’re reporting up and what your legacy SIEM can actually deliver.
Legacy SIEM isn’t just not getting us there. It’s blocking the path.
AI ambition vs. legacy SIEM reality
AI-native security operations need full access to the data, speed at query time, and costs that don’t scale linearly with volume. Legacy SIEM gives you none of that. It was built for a previous era: collect logs from endpoints, ship them to a central index, write correlation rules against a known schema. That whole approach stops working when you need an AI agent to reason across data it hasn’t been explicitly fed, especially if the data is split across multiple locations.
This is where the industry keeps fooling itself. If your analytics layer only sees a fraction of the security telemetry, every AI capability on top of it is running on partial context. You can wrap that in as many LLM-powered workflows as you want. It’s still partial context. Adding a chatbot to a broken data model doesn’t make it AI-native. And telling your board it does, doesn’t make it true.
The vendor compromise problem
So what have vendors done about it? They tell you to tier your data. Archive what you can’t afford to index. Accept that cold storage means slow answers. This isn’t a solution. It’s the vendor offloading their cost problem and their architectural debt onto your team so they can keep charging per GB.
But let’s be honest: vendors only get away with this because we keep signing the renewals. We keep accepting the tradeoffs. We keep building workarounds instead of demanding something fundamentally different.
At some point, the question stops being “why haven’t vendors fixed this?” and starts being “why do we keep buying it?”
The question is not complicated: how do you give a security analytics platform access to any data, fast, at scale, without requiring centralization? That’s the vendor’s problem. But you have to actually make it their problem instead of absorbing it as yours.
What the post-SIEM era actually means
It’s not about swapping vendors. It’s about raising the bar for what a security analytics platform should do in the first place. Any data, anywhere, queryable immediately, at scale. That’s the baseline now.
That’s what Security Analytics Mesh does. SAM federates queries across wherever your data already lives: S3, Splunk, Sentinel, Google SecOps, data lakes. No moving it, no duplicating it, no pre-filtering it. The economics change because the architecture changes: you stop paying to centralize and start paying to analyze.
Yes, cost gradually goes down. But that’s a side effect. The real change is you stop making coverage decisions based on what you can afford to ingest. Let that sit: how many of your detection gaps right now exist because of a budget constraint, not a technical one?
AI needs AI-ready infrastructure
When your analytics layer can see all the data (actually all of it) AI becomes the operating model, not a feature bolted onto a constrained pipeline. NL queries translate to KQL across federated sources. Investigations pull context from telemetry that used to be too expensive to even ingest. Detection coverage goes from “whatever the legacy SIEM budget allows” to the full breadth of what your environment is generating.
Right now everyone in this market is shipping AI features. Almost nobody is shipping the data infrastructure those features actually need. You can’t build an AI-native SOC on top of an architecture that was designed to limit how much data gets looked at. That’s the contradiction, and it’s strange to me that more people aren’t saying it. Or maybe they are saying it privately and just not willing to say it where their vendor can hear.
What I’d ask of security leaders
I’m not going to pretend this is only a vendor problem. Vendors build what the market rewards. If CISOs keep buying legacy SIEM renewals and calling it “good enough for now,” that’s what will keep getting built.
If you’re a CISO, a SOC director, or a detection engineering lead, here’s what I’d be asking. And not just of your vendor, but of yourself:
- What percentage of my security telemetry can my platform actually query right now?
Not after a retrieval delay. Not after rehydration from cold storage. Right now, in a live investigation. If you don’t know the number, that’s a problem.
- If my data volume doubles next year, what happens to my bill and what happens to my detection coverage?
If those two numbers move in the same direction, I have an architecture problem, not a tuning problem. And I’ve probably had it for a while.
- Am I telling my board we have AI-native security operations? And if so, what data can that AI actually see?
If it can only reason over what I’ve chosen to index, I haven’t built AI-native anything. I’ve put a nicer interface on the same SOC.
Tiered access isn’t “just how it works.” It’s how it works when nobody pushes back. And vendors framing their architecture problem as your optimization problem only continues as long as we let it.
The AI-native outcomes we’re all being held to won’t happen until the data layer is fixed. The post-SIEM era is an architectural requirement, not a marketing position. I don’t think that’s controversial anymore. I think it’s just uncomfortable.
And that’s exactly why it needs to be said.
Vega is a cybersecurity startup focused on modernizing how SecOps teams use data. Founded in 2024 and backed by firms like Accel, Cyberstarts, Redpoint, and CRV, the company aims to eliminate the cost and complexity of traditional SIEM platforms by enabling more flexible, efficient data use.
Its core product, the Security Analytics Mesh, is a federated, AI-native platform that analyzes security data in place rather than requiring central ingestion. This approach provides visibility across cloud environments, data lakes, and existing tools without duplication, improving speed and efficiency in detection and investigation.
Vega’s platform supports the full detection lifecycle—from threat detection to response—using AI to reduce noise and optimize workflows. The goal is a more scalable, real-time, and cost-effective model for enterprise security operations.