Decoding Black Hat 2025: Why AI, Complexity, and Threat Context Matter

Last week our team was in Las Vegas attending a series of events at and around the Black Hat 2025 Conference. During the week CyberProof:

While walking the Black Hat 2025 Conference Business Hall, I had a chance to parse through the avalanche of vendor announcements and messaging. From my observations, three distinct themes emerged that reveal an industry simultaneously racing toward automation while grappling with its implications, wrestling with unprecedented complexity in our environments, and searching for ways to make sense of it all. Those recurring themes were Agentic AI, the complexity of managing tools and data, and threat context.

Theme 1: The Automation Paradox 

The conference floor was dominated by “Agentic AI” platforms promising to automate 90% of Tier-1 SOC work, autonomous threat hunting, and AI-powered incident response. Yet this rush to automate, something that SOARs promised and never quite delivered on, reveals a fundamental tension. Security is ultimately about understanding and managing risk, but how do we maintain that understanding when decisions are increasingly made by opaque AI systems?  

The proliferation of these platforms raises other uncomfortable questions:

  • If we automate away entry-level analyst work, where will tomorrow’s security leaders develop their intuition?
  • How do we verify that automated decisions align with business risk tolerance?

Ask any AI SOC vendor what happens when their agent encounters conflicting indicators: does it know enough to pause and seek clarification, as a human analyst might, or does it confidently charge ahead with a potentially wrong decision? 

I didn’t hear compelling answers to these questions from the floor, suggesting we may still have important work ahead in making AI truly ready for these use cases. Vendors are selling efficiency, but organizations need effectiveness – and those aren’t the same thing. 

Theme 2: The Tools Complexity Explosion 

Perhaps no trend is more telling than the surge in “unified platforms” and integration announcements. When every other vendor is promising to unify SaaS security, AI security, cloud security, or identity security, it’s clear we’ve created a data complexity crisis. We’re now securing AI agents that interact with SaaS applications that connect to cloud infrastructure managed by non-human identities – each layer adding new data sources, attack surfaces, and blind spots. 

The emergence of specialized tools for securing AI (inference, model governance, prompt injection defense) mirrors what happened with cloud security years ago: we’re bolting on security after the fact rather than building it in. This reactive approach to emerging technology guarantees we’ll always be playing catch-up. 

Theme 3: The Threat Context Deficit 

The most sophisticated attacks aren’t necessarily the most damaging, and context determines impact. This Black Hat revealed an industry struggling with context at every level. Vendors are touting threat intelligence platforms that identify thousands of potential threats, but often can’t tell you which five truly matter to your organization.

Security tools generate alerts without understanding business criticality. AI systems can make decisions without explaining their reasoning. The previous push toward MITRE ATT&CK alignment across numerous platforms suggested the industry recognized this problem – we need common frameworks to create shared context – but understanding of it remains fragmented.

Organizations don’t need to know about every possible threat; they need to understand which threats target their specific combination of technologies, business processes, and data. As one enterprise security team has told me: “We have plenty of lists of problems, and we don’t want something that only adds to that.” 

Cutting Through The Buzz

Standing back from the vendor buzz, Black Hat 2025 feels like an industry at an inflection point. We’re adding AI capabilities faster than we can secure them, creating complexity faster than we can manage it, and generating data faster than we can contextualize it. The organizations that will thrive aren’t those buying every new AI-powered tool, but those focusing on the basics, understanding their actual risks, and making decisions based on business context rather than technical capabilities.

AI isn’t good or bad. It’s another technology that needs to be understood, managed, and appropriately deployed against real threats. The winners will be those who resist the temptation to chase every shiny new capability and instead focus on the fundamental question that hasn’t changed since the first Black Hat: given our specific business, our specific assets, our specific threats, and the defensive tooling we have at our disposal, how do we make informed decisions about acceptable risk and security posture management?

The Bottom Line

This year’s conference highlighted a clear push toward more complex and automated solutions, but it often missed the central problem our customers face: a lack of clarity. Organizations still don’t truly understand if they’re protected from the threats that matter to them.

Many vendors are jumping on the AI-powered bandwagon, but genuine security confidence comes from knowing your actual security posture and having experts to help you continuously improve it. I challenge security professionals to take a different approach when adopting new solutions. Focus on organizations that can provide:

  • Clarity on the specific threats targeting your organization.
  • Visibility into whether your current defenses are actually effective.
  • Expert services to help you act on these insights.

The real question isn’t whether you need more tools or more AI. It’s whether you know if your current investments are protecting you from the threats that matter most. Learn how CyberProof’s Threat-Led defense empowers security teams to continuously measure operational maturity, align spending with threat-risk exposure, and guide future investment decisions based on real-world threats.