AI might be killing traditional SIEMs, but data advantage is as strong as ever

Ross Haleliuk delivers a provocative thesis that upends a decade of cybersecurity orthodoxy: the very data centralization that built the modern Security Information and Event Management (SIEM) industry is now being dismantled by the rise of AI agents. While the market has spent years obsessing over where logs are stored, Haleliuk argues that intelligent agents have rendered the location of data irrelevant, challenging the fundamental "ingest-and-store" revenue model of legacy vendors. This is not just a technical shift; it is an existential threat to the business logic of the entire sector, forcing a reckoning with how security value is actually delivered.

The End of Data Gravity

Haleliuk begins by revisiting a concept that once seemed immutable: data gravity. He recalls his own writing from early 2023, noting that the idea "as more and more data is gathered in one place, it builds mass" was the dominant logic of the industry. That logic dictated that security data must migrate to massive cloud data warehouses like Snowflake or Amazon Redshift because moving it was too costly. However, Haleliuk observes that the landscape has shifted dramatically since the explosion of generative AI.

The core of his argument is that AI agents do not require data to be centralized to function effectively. He writes, "AI agents don't care where the data lives." This single observation strikes at the heart of the SIEM business model, which has historically charged customers based on the volume of data ingested. If an agent can query logs directly across tens of disparate sources—whether in AWS, GCP, or on-premise servers—and synthesize an answer in a human-friendly interface, the economic imperative to ship everything to a central silo evaporates.

Haleliuk is careful not to predict the immediate death of these platforms, noting that "I am not here to theorize that a year from now, agents are going to destroy SIEM." Yet, he insists the pressure is real. The traditional model relied on the friction of moving data; AI agents remove that friction. As he puts it, "If agents can query the data across tens of different sources and provide an answer in a single human-friendly interface, why would companies need to centralize all of their logs?" This question is likely causing "pretty bad insomnia for executives at large SIEM companies."

Critics might argue that data centralization remains necessary for compliance, long-term forensic retention, and complex correlation that requires a unified view. Haleliuk acknowledges this, stating, "I don't believe we will end up in a world with zero data centralization." However, he suggests the future is not a single lake, but "a few separate islands for different kinds of data." High-volume, low-value logs might stay in a central repository, while high-value, real-time data is accessed on-demand by agents. This hybrid approach weakens the monopoly of the traditional SIEM.

AI agents challenge the very business model behind SIEMs because they weaken the data gravity effect SIEM vendors have been so fortunate to capitalize on.

The Rise of Workflow Gravity

As the gravitational pull of data storage weakens, Haleliuk identifies a new force taking its place: workflow gravity. He defines this as a system becoming the "system of action where work happens," using that position to pull other tasks into its orbit. This concept mirrors the evolution seen in other enterprise sectors, such as the rise of Service-oriented architecture, where the value shifted from simple data storage to the orchestration of complex business processes.

Haleliuk argues that the future of security lies not in where data sits, but in how it is acted upon. He explains that "workflow gravity is when a system becomes the system of action where work happens, and then uses this position to pull other work into the platform." In this new paradigm, the platform that accumulates the most context—change history, approvals, evidence, and remediation steps—becomes the most valuable.

This shift forces a reevaluation of the role of Security Orchestration, Automation, and Response (SOAR) tools. Historically, SIEM vendors acquired SOAR players to add action to their data. Haleliuk suggests the dynamic may reverse or merge entirely. He notes, "First, all work is centralized in one place, and all the incidents, changes, approvals, exceptions, tasks, evidence, etc., all of that becomes a record in a single workflow system." The platform that can automate triage and remediation based on this accumulated context will win, regardless of where the raw logs reside.

The author highlights that this realization is driving an "enmeshment of data and workflows." Smart vendors are realizing that "just being a repository of data with some rules on top is no longer enough." The value is in the ability to act. This aligns with the "Human-in-the-loop" principles often discussed in AI adoption guides, where the goal is to automate the mundane while keeping humans in the loop for critical decisions. Haleliuk sees this as the only viable path forward for legacy players who cannot rely on data ingestion fees alone.

The Three Future Archetypes

Looking toward the market's evolution, Haleliuk predicts a consolidation into three distinct types of players. First, there will be pure-play data platforms, but he doubts any new billion-dollar companies will emerge solely focused on "ingesting, normalizing, and storing security data alone." The value of storage has commoditized; the value of intelligence has not.

Second, he foresees the rise of workflow-centric platforms. These entities will double down on the "system of action," becoming agnostic to the underlying data sources. Haleliuk finds it "interesting to think if that will change" regarding the historical trend of SIEMs acquiring SOAR tools, suggesting workflow-native players might now be the ones expanding outward.

Finally, and most significantly, Haleliuk identifies the "data + workflows" hybrid as the busiest and most competitive category. This is where the new wave of AI-native Security Operations Centers (SOC) and Managed Detection and Response (MDR) providers are building. He observes that "All the new AI SOC and AI MDR players are building the data + workflows layer from the ground up." Whether they are AI MDRs building for their own analysts or AI SOCs empowering customer teams, the goal is the same: "bringing workflows into a data platform so that humans don't have to spend time manually stitching and correlating things together."

This convergence means that legacy vendors are now competing with startups that have no baggage of old data models. Haleliuk notes, "Essentially, everyone is trying to eat everyone else's lunch." The market is in a state of flux where "everything is changing, and nothing is changing at the same time." While the underlying need for security remains, the mechanisms for delivering it are being rewritten.

The previous generation of AI (ML) accelerated data gravity, while the new generation of AI (AI agents) seems to be destroying it.

Bottom Line

Haleliuk's most compelling insight is the decoupling of data storage from data utility; the argument that AI agents can query distributed data effectively enough to break the SIEM monopoly is a powerful, if unsettling, reality for the industry. However, the piece underestimates the inertia of enterprise procurement and the regulatory necessity of centralized audit trails, which may slow the transition to a purely federated model. The reader should watch closely for how legacy vendors pivot from "ingest-based" revenue to "action-based" value, as that shift will determine who survives the coming consolidation.

Deep Dives

Explore these related deep dives:

  • DataGravity

    The article explicitly credits Dave McCrory with coining this 2010 concept to explain why security data is migrating to massive cloud warehouses like Snowflake, fundamentally altering the competitive landscape for traditional SIEM vendors.

  • Service-oriented architecture

    Understanding this architectural pattern is essential to grasp the author's argument that AI agents are dismantling the monolithic 'platform' model of legacy security tools in favor of distributed, API-driven workflows.

  • Human-in-the-loop

    The article cites this specific AI implementation strategy as a critical best practice for security teams, distinguishing between fully autonomous agents and systems where human oversight remains a necessary control point.

Sources

AI might be killing traditional SIEMs, but data advantage is as strong as ever

by Ross Haleliuk · Venture in Security

Over 3 years ago, I talked about the concept of data gravity - the idea that as more and more data gets centralized in a single place, it gives a huge advantage to companies that collect this data. That idea made a lot of sense back then, in January 2023, some 2 months after the launch of ChatGPT. It makes very little sense today. AI agents have completely changed how we think about data, so much so that we have to talk about what this means for platforms formerly known as SIEM, SOAR, and everything in between.

Disclaimer: I know many founders in these markets. Many are friends, and in some companies I am an angel, so for my own sanity and to not offend anyone, I will only mention very established players that everyone in the industry knows. Please refer to market maps and such to answer “who is who” in the market.

This issue is brought to you by... Tines.

A new practical guide to AI adoption for IT and security teams.

Successful AI adoption requires more than just turning on new features. It requires a mix of imagination, thoughtful tooling decisions, clear goals, and the right implementation.

Tines just released a new field guide that takes a more practical look at AI adoption for security and IT teams.

In this guide, you’ll find:

  • Inspiration on what workflow automation with AI could look like for you from Vimeo, Canva, Udemy, and JAMF

  • A step-by-step guide to find the right AI-powered intelligent workflow platform for your organization

  • Human-in-the-loop best practices to ensure smooth implementation

A quick refresher on the data gravity concept.

To get started, here’s a quick refresher about data gravity (a copy-paste from that 2023 blog post).

“The idea [of data gravity] was first introduced in 2010 by Dave McCrory, a software engineer who observed that as more and more data is gathered in one place, it builds mass. That mass attracts services and applications, and the larger the amount of data, the greater its gravitational pull, meaning the more services and applications will be attracted to it, and the more quickly that will happen.

Data gravity leads to the tectonic shift in cybersecurity: security data is moving to Snowflake, BigQuery, Microsoft Azure Data Warehouse, Amazon Redshift, and the like. As the amount of data increases in size, moving it around to various applications becomes ...