The 5 Security Features that will lead in 2026, and 3 that should
There’s no better way to ring in the new year than opining about the future of cybersecurity tooling with friends and family. Below are five critical features that I predict will sell themselves in 2026, and three features that I personally think are most important.
The 5 Product Capabilities That Will Dominate in 2026
Supply Chain Malware Detection
Whether we like it or not, the security industry is highly reactionary. Upstream supply chain malware detection has existed for a long time, with vendors like Phylum and Socket doing a lot of challenging work early on to detect emerging threats in open source code. This feature was ahead of its time for a few reasons:
Teams didn’t understand the difference between malware and vulnerabilities
Teams want this feature as part of their overall application security platform
Developer adoption for NPM wrappers and firewalls is extremely low
The last two years have seen widespread impact from open source malware, with attacks like Shai Hulud compromising thousands of organizations. These impacts are no longer hypothetical, forcing teams to answer for their solution.
Supply Chain Malware is no longer an afterthought for teams going into 2026, and it’s a priority feature during application security assessments.
You can watch our video on Shai Hulud here.
AI Vulnerability Remediation and Prioritization (that’s not just a chatbot)
The emerging Continuous Threat Exposure Management (CTEM) category has been a weird one for startups. 2025 saw many vulnerability management startups consolidate, with buying vendors ranging from application to cloud to network security. This consolidation happened because selling a point solution tool to manage your tools is hard, but it’s a great differentiator between platforms fighting to be the single pane of glass for your security program.
In 2025 we’ve seen an explosion of new vulnerability management approaches driven by AI - from auto-remediation to investigation and prioritization. Historically, vulnerability-focused startups struggled to find mass adoption as single panes of glass for the same reason the prior CTEM vendors did - teams treated them as a tool to manage your tools, which wasn’t a compelling budget line item.
The newer solutions have narrower scopes, tied directly to budgetable outcomes for the teams that understand the importance of AI vulnerability remediation and risk prioritization.
You can watch our video on Maze as an example vendor here.
AI Visibility, Guardrails, and Testing
Two years ago, I shared how AI security architectures are challenging, due to how quickly an organization’s risk exposure can change. Early chatbots introduced little risk - just regurgitation of public information back to a user. Agentic systems, however, rapidly increase risk, making in-depth security measures essential. Adding to the confusion for startup builders, the majority of the security industry doesn’t know what good looks like, while those on the cutting edge have specific expectations of products.
In 2026, most tools offer some basic visibility into your AI systems, telling you what models are getting used by your workloads or called in your code. These tools provide a basic overview of how AI agents function in your environment, and are the starting point for most security teams. These capabilities are already available from most major providers.
Runtime guardrails are a more niche capability of some tooling, but companies that started here have expanded elsewhere. Most major cloud providers and frameworks offer their own guardrails instrumentation that will grow much faster in both adoption and sophistication than security-specific tools. While runtime protection remains important more broadly for AI systems, code-instrumented guardrails are best left to the major AI providers rather than security startups.
Testing, however, has always fallen under security’s purview. Many DAST providers are now adding LLM red teaming capabilities, largely trying different prompt injection techniques. While these features will become widespread over time, they’ll be a major testing driver for 2026.
You can access our full AI report here.
AI-Based Detections | SAST, DAST, DLP, and Phishing
AI is incredible at helping developers write code, and it’s equally incredible at analyzing code for security flaws. AI-based detections are a categorical improvement wherever they’re deployed - from SAST to DAST to DLP to Phishing. AI excels anywhere complex manual review of small amounts of static data was required to get the best results.
Many security companies have focused on building AI-based assistants and workflows, but those who have focused on rebuilding their detection engines to support semantic analysis will win big in 2026.
You can watch our video on AI SAST here.
SOC Augmenters
Security Operations teams are currently under a barrage of pitches from startups promising everything from cheaper data ingestion costs to seamless querying of large amounts of data. This has led to a flood of confusion about what is or isn’t a necessary part of a security operations arsenal.
The core of every SOC is quite simple and unchanging: a SIEM. The success of Cribl has revealed to many startups that there is plenty of room for flourishing around the SIEM - from making data ingestion easier, to long-term storage, to detection engineering. Even attack surface management solutions and CNAPPs are positioned as SOC enablement tools by providing asset contexts.
CISOs recognize that their SOC teams need a better way to handle everything from AppSec to Cloud Security more effectively, and will allocate budget to modernize this workflow where it makes sense - from AI MDRs to data pipeline tools.
You can read our latest article on AI SOC capabilities here.
3 Capabilities That Should Be On Your Radar in 2026
If I were building a security program, here are the three capabilities that I would make room for in my 2026 security efforts.
ADR: runtime function-level reachability, robust application detection, and emerging in-application AI detections.
As ADR capabilities have developed, I’ve only grown more impressed with the results they can deliver to teams - from exploit prevention, to AI security, to prioritization. This category of tools is, in my opinion, the best budget line item a team can open up.
Developer endpoints continue to face dismal security standards, with many teams having no real way to even know what their attack surface looks like on these devices. From MCP servers to open source malware, developer laptops are more exposed than ever before. Tools like Koi led the charge in 2025, but expect massive investments in this category as AI coding assistants have forced Application Security vendors to take a second look at developer endpoints more broadly.
Realtime AI threat modeling and design review: building an overall map of your application architecture that updates with your documentation and pull requests
In application security we’ve said for a long time that a threat model should be the starting point for a program rather than an afterthought. Despite this, AI threat modeling has yet to be widely deployed by most application security platforms. Early versions of these tools do a great job at both exposing potential vulnerabilities and helping teams better understand how their applications function.



