Ross Haleliuk delivers a stark reality check for the cybersecurity industry: the era of buying tools based on fear is dead, replaced by a ruthless demand for tangible return on investment. In a landscape where artificial intelligence promises to reshape everything, Haleliuk argues that the true paradigm shift isn't just the technology itself, but the fundamental change in how security leaders justify their budgets. This is a crucial pivot for any executive trying to navigate the 2026 market, where visibility without action is no longer a selling point.
The Death of Fear-Based Selling
Haleliuk begins by dismantling the old playbook that dominated the last decade. For years, vendors thrived by exposing gaps in security posture, creating a panic that CISOs felt compelled to fix. "You can't scare a CISO into buying a new tool anymore," Haleliuk writes, noting that the market has shifted from a desperate need for visibility to a desperate need for resolution. The author points out that posture management solutions successfully identified risks, but failed to solve the operational burden of fixing them. "Visibility without action is just noise," Haleliuk writes, quoting Yaron Levi, a sentiment that now defines the buyer's mindset. The industry's failure to bridge the gap between knowing a problem exists and actually fixing it has left security teams overextended and blamed for breaches they could see coming but lacked the power to stop.
This framing is particularly sharp because it addresses the human cost of tool proliferation. When vendors sell "more data," they are often selling more work for already exhausted teams. Haleliuk observes that "driving remediation" often means "more of creating tickets, more of chasing people, more of begging them to fix problems." The argument holds up well against the current trend of AI hype; while automation is rising, the core issue remains that security teams are drowning in findings they cannot act upon. A counterargument worth considering is that for some organizations, the sheer volume of new threats requires a layer of detection before remediation is even possible, but Haleliuk correctly identifies that detection alone is no longer a sufficient value proposition.
The New ROI Calculus
The core of Haleliuk's analysis lies in redefining what return on investment means in a mature market. He breaks this down into three distinct categories: efficacy, efficiency, and direct cost savings. Historically, vendors won deals by promising better coverage, claiming their algorithms could catch 98% of threats where competitors failed. "People bought CrowdStrike because its behavioral detection engine was designed to catch what McAfee missed," Haleliuk notes, illustrating how coverage was once the golden ticket. However, in 2026, this pitch has lost its luster. With every startup claiming to be "next-gen" and "AI-powered," CISOs are no longer willing to rip and replace existing stacks just for a marginal gain in detection rates.
The author argues that the new wedge for adoption is efficiency, specifically the ability to eliminate toil rather than just speed it up. "AI agents can reason across context, correlate information from multiple sources, and make decisions that previously required human engineers," Haleliuk explains. This moves the conversation from "doing the same work faster" to "eliminating entire categories of toil." This distinction is vital. It suggests that the most successful tools will be those that act as force multipliers, allowing teams to do more without hiring more staff. Haleliuk cites the example of Chainguard, which succeeded not by finding more vulnerabilities, but by providing container images with zero vulnerabilities, effectively removing the need for patching. "Security teams get containers with no CVEs, which means they no longer need to ask developers to patch," he writes. This is a compelling example of solving an operational problem to achieve a security outcome.
In 2026, you just can't scare a CISO into buying a new tool, but hey - good luck if you want to try it.
Haleliuk also tackles the tricky area of direct cost savings, noting that in security, price is often conflated with quality. "In a market for silver bullets, price is most definitely one of the factors that shape the perception of what products can offer better security," he observes. He contrasts the skepticism around a "cheaper CrowdStrike" with the success of Cribl, which sold its value by explicitly saving money on Splunk ingestion costs. The lesson here is that cost savings must be clear and direct, not abstract. If a tool cannot articulate exactly how it saves money or time, it will struggle to justify its existence to a CFO scrutinizing every dollar.
Solving the Wrong Problems
Perhaps the most provocative part of Haleliuk's argument is the assertion that "most security problems aren't actually security problems. They are IT and engineering problems that have downstream security consequences." This reframing suggests that the future of the industry belongs to companies that solve non-security problems while delivering security as a byproduct. He points to giants like Zscaler and Okta, which succeed because they enable connectivity and access, not just because they block threats. "The fastest way to improve security isn't layering on more detection tools, but fixing the underlying operational bottlenecks that create risk in the first place," Haleliuk argues.
This perspective inverts the familiar idea of "security through obscurity": instead of hiding assets, the industry is moving toward making the underlying infrastructure so robust that security becomes inherent. It also echoes Goodhart's law, under which a measure (such as the number of vulnerabilities found) becomes a target and ceases to be a good measure of security. By focusing on operational efficiency and cost reduction, vendors avoid the trap of optimizing for metrics that don't actually reduce risk. Haleliuk concludes that the winners will be those who offer "compound value," hitting at least two of the three ROI pillars: coverage (efficacy), efficiency, and cost savings.
Bottom Line
Ross Haleliuk's analysis provides a necessary corrective to the industry's obsession with AI hype, grounding the conversation in the hard economics of security operations. The strongest part of the argument is the clear delineation between visibility and action, a distinction that finally gives CISOs the vocabulary to reject tools that only add noise. However, the piece slightly underestimates the inertia of legacy systems; even with a perfect ROI case, replacing entrenched infrastructure remains a monumental challenge. Readers should watch for vendors who can prove they are not just automating the old way of doing things, but fundamentally rearchitecting the workflow to make security an invisible, operational default.