Vega CTO Eli Rozen on matching the speed of modern attacks
Eli Rozen on agentic threat intelligence, the limits of legacy SIEM and why sprinkling AI on old data architecture is just another patch
Attackers are exploiting vulnerabilities within hours of disclosure, sometimes before defenders have finished reading the advisory. Eli Rozen, cofounder and CTO of security analytics company Vega, argues that the industry’s foundational infrastructure wasn’t built for that pace, and that the fix isn’t more patches but agentic AI that can find, correlate and act on security data wherever it lives.
Rozen, who previously helped build Granulate before its $650 million acquisition by Intel, founded Vega in 2024 with CEO Shay Sandler. The company, one of a wave of AI-native challengers to legacy SIEM, has raised $185 million in under two years.
TechInformed spoke with Rozen about what attackers are doing differently and why he believes much of the security stack will need rebuilding. The conversation has been edited for length and clarity.
What are the big topics and conversations happening in cybersecurity right now?
The big conversation is agentic cyber defense. How do you use AI for cyber defense at scale? The speed and pace of attacks today means companies need to move at the same pace on the defense side. Whether you’re a large financial institution or a smaller cloud-native company, every organization has security data and wants to be able to use all of it, especially in the AI era.
How does agentic threat intelligence work?
It ingests feeds from many threat intelligence providers alongside what we observe in the wild, then uses agentic detection engineering to build tailored detections for each customer.
From the moment a threat is identified externally, [someone using agentic threat intelligence] can instantly understand how it affects their specific environment, what’s relevant to them and have detections deployed immediately. Perfect prevention is impossible, but you want to detect and respond as fast as possible.
What trends are you seeing in how attackers are operating?
Attackers only need to be successful once, so they’ll use every tool available, all the agents, all the models. We’re seeing a significant increase in attack volume. More importantly, we’re seeing organizations recognize that you have to be able to monitor and query everything, not just a subset of your data. There’s been a lot of change and chaos, and people are being forced to rethink the fundamentals.
What do you see as those fundamentals?
The biggest one is legacy SIEM [security information and event management]. It was architected 15 to 20 years ago, before cloud, before AI, and has been patched ever since. Data pipeline tools have helped, but they’re patches, not a strategic solution for an AI-driven world.
Centralizing all security telemetry into one place simply isn’t scalable, and it’s not what AI actually needs. AI needs to be able to access all the data, wherever it lives, as fast as possible.
When you talk about data quality in a security context, what does that mean in practice?
It’s less about clean versus dirty data and more about completeness. You don’t want to feed your AI agents only 20% of the available data. If an analyst or an AI is investigating an incident, they need to be able to ask: what happened before? What happened after? Why did it happen the week prior? Think of it like a detective who only receives the emails about a crime but can’t search the archive. We try to make sure the AI can access those archives and build a full picture, rather than working with just a flashlight on a fraction of the data.
What research has your team discovered recently?
Across almost every exploitation and threat we’ve observed in customer environments and in the wild, there’s always a chain of events spanning multiple data sources.
It’s never isolated to one database or one user. That’s why monitoring the whole environment is so critical.
Every threat we research reinforces the same point: you need to correlate across multiple data sources to understand the full picture.
When you say “in the wild,” what does that mean exactly?
Everywhere: the dark web, the public internet, what we observe across our customer base. We use multiple sources and combine them.
What are organizations most concerned about right now when it comes to cybersecurity?
There’s pressure coming from multiple directions simultaneously.
Executives and boards are pushing security teams to adopt AI and operate more efficiently. At the same time, the reality of breaches — we’ve seen major names hit in recent weeks, including a notable GitHub incident — is making it very concrete.
You can’t just plug AI on top of an old data foundation. [Organizations] want to build the right data framework for AI, and they want to do it now, because they know if they don’t move, it’ll be too late.
What’s the most common mistake you’re seeing organizations make?
Assuming the old fundamentals will support the AI-powered SOC [security operations center] they’re expecting to build, sprinkling AI on top of a broken data architecture. It’s another patch.
AI is a genuine technological shift, and a significant portion of the security tech stack will need to be rebuilt with that capability in mind.
How do you take your coffee?
I love a cortado with oat milk. I make it myself usually, on a proper coffee machine.