The Security Industry Has a Context Problem

I've been a CISO five times across some of the most heavily regulated environments in financial services. And in every one of those roles, the conversation at the board level was never really about tools. It was always about understanding: what's actually happening in our environment, what's connected to what, and what do we do about it right now.

The average enterprise runs somewhere between 70 and 100 security products. Every one of them generates alerts, produces logs, and promises to reduce risk. And yet breaches keep happening. Response times keep climbing. Good analysts keep burning out and leaving, which frankly keeps me up at night more than the threat landscape does.

The problem isn't data volume. We've never had more data. The problem is that none of these tools tell you what the data means in the context of your actual environment. A fired alert tells you something happened. It doesn't tell you that the user triggering it is a contractor whose access was approved yesterday, or that the anomalous configuration change went through a proper change ticket three weeks ago, or that the SaaS app that just expanded its API permissions never got sign-off from anyone.

That gap between something happening and someone understanding why it matters is where real risk lives. And it's exactly where Surf AI was built to operate.

The Landscape Shifted. Most Security Programs Did Not.

Three things are happening simultaneously, and most security programs aren't built for any of them.

AI adoption is compressing decision cycles everywhere. Organizations are moving faster with smaller teams and less institutional knowledge than at any point in recent memory. When Block cut 40% of its workforce and bet on AI to fill the gap, that wasn't a one-off. That's the direction things are heading. Security infrastructure has to keep up with that velocity or it becomes a bottleneck, and in my experience, when security becomes a bottleneck, the business finds ways to go around it.

Supply chain attacks are now the dominant vector. Group-IB's 2026 High-Tech Crime Trends Report makes this clear: adversaries have largely stopped trying to break through your perimeter and started targeting the vendors, platforms, and managed services you've already trusted. Inherited access is the new attack surface, and most tools aren't built to reason about it.

The talent shortage isn't going away. The World Economic Forum's Global Cybersecurity Outlook 2026 puts it plainly: budgets are growing, but not fast enough to offset the complexity AI adoption keeps introducing. I've said for years that you can't hire your way through this, and now the math is making that undeniable. These aren't predictions. They're current operating conditions.

Context Is the New Moat

What security teams need now isn't more correlation. It's persistent environmental understanding. Knowing, at any given moment, how identities, assets, configurations, and behaviors relate to each other, and how those relationships have changed over time.

One of the things I learned running security at global financial infrastructure is that the relationships between things matter as much as the things themselves. A misconfiguration doesn't mean much in isolation. In context, who touched it, what it's connected to, what changed around it last week, it tells a completely different story.

At the center of Surf AI is the Context Graph: a continuously updated model of your organization's relationships, behavior patterns, and historical state. It maps connections across identities, endpoints, cloud resources, SaaS applications, and business systems, not as a snapshot, but as a living picture of how your environment actually operates. That's what makes agentic security possible.

Why Agentic Security Requires Context First

The security industry is racing toward AI agents, autonomous systems that can detect, investigate, and respond without waiting for a human in the loop. The potential is real. But an agent without context is a liability. It can act fast; it can't act wisely. It doesn't know that the flagged user is a contractor whose access was approved yesterday. It doesn't know that the anomalous cloud configuration is a documented exception from a change ticket three weeks ago. Without that awareness, automated response becomes automated disruption.

I've seen what happens when teams automate without context. You don't reduce incidents. You just create different ones.

Surf AI deploys specialized agents across identity, cloud, SaaS, and endpoint environments, and every one of them operates on top of the Context Graph. That means every detection, investigation, and recommended action is grounded in the actual state of your organization. Fewer false positives. Better prioritization. Remediation that accounts for business impact, not just technical severity.

Context is greater than intelligence. The quality of what any AI does is bounded by the quality of what it knows.

Built for the Enterprise. Secured Like One.

Surf AI is SOC 2 Type II certified, runs on AWS with enterprise-grade encryption and data isolation, and was designed from the start for regulated environments. Zero Trust architecture, identity-first access, least privilege, full auditability. Every agent action is logged and traceable. Human oversight is built into every high-risk workflow.

Having spent most of my career in financial services, I wouldn't have it any other way.

Why Now

AI is reshaping how organizations operate, and the security industry hasn't kept pace. Most platforms were designed for a world where humans were the primary decision-makers and environments changed slowly. That's no longer the world we're in.

The convergence of AI-driven workforce transformation, supply chain risk, and a persistent talent shortage has created a moment where incremental improvement isn't enough. Security programs need a new foundation, one that gives AI agents the context to act responsibly, and gives security leaders the visibility to make faster, better decisions about risk.

We're coming out of stealth at CyberSparx in Miami on March 17, and we'll be at RSA in San Francisco March 23–25. If you want to see what context-driven security looks like in practice, come find us.

The industry has been optimizing for more alerts, more dashboards, more tools. We're optimizing for understanding.

Eliminate Exposure. Elevate Your Team.