Vega vs. Splunk: Why AI-Native Security Is Finally Coming for the SIEM Monolith

February 10, 2026

Vega’s $120 million Series B is not just another cybersecurity funding headline – it’s a clear signal that the core plumbing of enterprise security is about to change. For 20 years, the SIEM model has been simple: ship all your logs into one giant, very expensive bucket and hope you can find the attackers in time. That assumption is collapsing under the weight of cloud, AI and regulation.

In this piece we’ll look at what Vega is really challenging, why Splunk’s Cisco-backed dominance is now a liability, and how “security where the data lives” could reshape SOCs, budgets and even regulation – especially in Europe.

The news in brief

According to TechCrunch, Israeli-born startup Vega Security has raised a $120 million Series B round to scale its “AI-native” approach to security operations. The round, led by Accel with participation from Cyberstarts, Redpoint and CRV, nearly doubles Vega’s valuation to around $700 million and brings total funding to $185 million.

The two‑year‑old company is attacking the security information and event management (SIEM) market, historically dominated by Splunk, which Cisco acquired in 2024 for $28 billion. Instead of forcing customers to centralize security data in a single platform, Vega’s software runs where the data already resides – across cloud services, data lakes and existing storage systems.

TechCrunch reports that Vega already employs about 100 people and has signed multimillion‑dollar deals with banks, healthcare providers and Fortune 500 firms, including cloud-heavy customers like Instacart. The new capital will be used to deepen its AI-powered detection and response suite, expand go‑to‑market operations and grow internationally.

Why this matters

Vega is attacking one of the most entrenched – and resented – layers in enterprise security: the log tax. Traditional SIEM tools don’t just charge for software; they effectively charge rent on every event, packet and audit trail an organisation wants to retain. That was painful but manageable when infrastructure was mostly on‑premise. In a multi‑cloud, API‑driven, AI‑augmented world, it becomes absurd.

The winners, if Vega’s thesis holds, are clear:

  • Security teams that stop throwing away “non‑critical” telemetry just to stay within licensing limits.
  • CFOs who see security bills more tightly coupled to actual value, not to arbitrary gigabyte counts.
  • Cloud‑first enterprises that want to keep data in Snowflake, BigQuery, S3 or Azure rather than endlessly copying it into yet another silo.

The obvious loser is the classic SIEM business model. Not just Splunk, but every vendor whose revenue scales primarily with ingested data volume, not outcomes.

There is also a subtler shift: moving detection closer to where the data lives is a precondition for meaningful AI in security. Large models need breadth and context; if you can only afford to index a narrow slice of telemetry, your “AI SOC” is constrained from day one. Vega is effectively arguing that AI‑native security is impossible on top of a 2000s‑era data architecture.

In the immediate term, Vega doesn’t need to replace Splunk everywhere to win. It only needs to absorb the growth – especially new cloud workloads – while incumbents remain stuck in migration projects and price negotiations.

The bigger picture

Vega’s story fits into three converging trends in security and infrastructure.

1. From centralized SIEM to security data lakes and meshes.

Over the last few years we’ve seen the rise of “security data lakes” (AWS Security Lake, Snowflake’s security pushes, Databricks-based approaches) and open schemas like OCSF. The pattern is the same: keep data in cheap, scalable storage and run analytics on top rather than duplicating everything into a proprietary index. Vega extends that logic to real‑time detection and response, not just reporting.

Historically, similar architectural shifts have reset markets. Think of how data warehouses challenged traditional BI, or how endpoint detection vendors disrupted legacy antivirus by changing where analysis happened. Vega is trying to do the same at the level of security operations.

2. AI as the bottleneck, not the magic.

Everyone claims to have “AI‑powered” detection. The real differentiator is not the model itself but the data substrate: can you see enough of the environment, with enough historical depth, to spot subtle patterns without drowning analysts in noise? AI amplifies both strengths and weaknesses. Centralized, expensive SIEMs tempt customers into aggressive filtering; AI then works on a biased, incomplete view.

By promising “no‑migration” adoption and running on top of where data already lives, Vega is trying to remove that bottleneck. If it works at scale, it will force competitors to re‑architect, not just bolt on new models.

3. Consolidation vs. fragmentation.

Cisco’s massive Splunk acquisition was a bet that customers still want a central nervous system under one large vendor. Vega is a bet in the opposite direction: that modern security is inherently federated and must reflect the messiness of real infrastructure. The likely outcome is not winner‑takes‑all, but a new balance where incumbents own governance and workflows, while newcomers own high‑volume, cloud‑first detection – until someone manages to unify both.

The European / regional angle

For European organisations, Vega’s “security where the data lives” pitch hits two particularly sensitive nerves: cost pressure and regulation.

Under GDPR and a growing body of national data‑residency rules, moving vast amounts of log data across borders – or into US‑controlled clouds – is increasingly fraught. Many CISOs quietly accept the compliance risk because the alternative is to duplicate storage in every jurisdiction. A model that lets you run analytics locally, against data that never leaves its region, is immediately attractive.

The timing also intersects with NIS2, which comes into full force across the EU and EEA in 2024–2025. NIS2 raises the bar for logging, incident detection and reporting for critical sectors such as energy, healthcare, transport and digital infrastructure. In practice, that means more telemetry, for longer, under stricter oversight – exactly the conditions under which legacy SIEM pricing becomes untenable.

From a competitive standpoint, Europe has promising players in adjacent spaces – for example, Sekoia.io (France), Logpoint (Denmark), or various MDR/MSSP providers building on top of Elastic and open‑source stacks. Most, however, still assume some degree of centralisation. If Vega executes well, expect both European vendors and large integrators (Atos, Capgemini, Deutsche Telekom’s T‑Systems, Orange Cyberdefense) to either partner, imitate or directly compete with similar “in‑place analytics” models.

Finally, data‑sovereignty and the upcoming EU AI Act add another twist. A vendor that can keep logs in‑country while offering transparent, controllable AI models will have a clear edge in highly regulated markets like Germany, the Nordics and the DACH financial sector.

Looking ahead

The next 24 months will determine whether Vega is a category creator or just a well‑funded feature. Three developments are worth watching.

  1. Depth of integrations. Running security “where the data lives” is easy to pitch and hard to engineer. Enterprises have sprawling combinations of AWS, Azure, GCP, on‑prem Hadoop, Snowflake, Kafka, legacy databases and SaaS telemetry. Vega’s success will depend on how seamlessly it can normalise, correlate and query across that mess without forcing hidden mini‑migrations.

  2. Vendor reaction. Expect aggressive counter‑moves from incumbents. Cisco+Splunk, Microsoft Sentinel, Google Chronicle and CrowdStrike will double down on their own data‑lake or “bring your own storage” stories. Some will partner closely with Snowflake/Databricks; others may pursue acquisitions of younger startups that already do in‑place analytics. If a major cloud provider launches a directly competing service that’s “good enough” and deeply integrated, Vega’s differentiation narrows.

  3. Customer willingness to bet core security on a young vendor. The reference list TechCrunch mentions (banks, healthcare, Fortune 500) suggests early adopters are willing to take the risk – but usually as a complement, not a full replacement, to their main SIEM. The inflection point comes when large enterprises start decommissioning Splunk indexes, not just offloading marginal workloads.

On the macro side, the security talent shortage makes AI‑assisted SOC tooling less a luxury and more a necessity. If Vega can show that its models reduce alert fatigue and triage time without black‑box behaviour that scares auditors, it will find a receptive audience among overworked security teams from San Francisco to Frankfurt.

The bottom line

Vega’s funding round is less about yet another AI security startup and more about a structural challenge to how enterprises have done detection and response for two decades. Centralised SIEM made sense in a server‑room world; in a multi‑cloud, regulation‑heavy era it increasingly looks like technical debt.

Whether Vega becomes the new default or merely accelerates incumbents’ evolution, the direction of travel is clear: security analytics will move closer to where data is born, and pricing will be forced to align with value, not volume. For CISOs and architects, the real question is no longer if they’ll rethink their SIEM stack, but how soon they dare to start.