Editor's note: Louis will lead an editorial roundtable on this topic at VB Transform this month.
Open-source AI is shaping the future of cybersecurity innovation, consistently breaking down barriers and delivering results. Its impact spans from agile startups to Cisco's Foundation-Sec-8B model, which was downloaded over 18,000 times in just the last month and over 40,000 times since launch.
VentureBeat is seeing the trend accelerating, especially in cybersecurity startups that are bringing a new level of intensity to turning roadmaps into revenue-producing products. Based on months of interviews with startup founders, open-source AI is now indispensable to them and their teams when it comes to fast-tracking concepts to completed, shippable code.
Databricks' recently announced partnership with Noma Security demonstrates how startups leveraging open-source AI are rapidly disrupting legacy cybersecurity providers by achieving accelerated time-to-market and substantial operational maturity. Cisco's President and Chief Product Officer Jeetu Patel spoke to the critical shift at RSAC 2025: "AI is fundamentally changing everything, and cybersecurity is at the heart of it all. We're no longer dealing with human-scale threats; these attacks are occurring at machine scale."
VentureBeat's numerous interviews with cybersecurity industry leaders, particularly founders, reveal that open-source AI is essential for enabling businesses to sharpen their focus on the key unmet needs of the broad base of enterprise prospects they turn into customers. While open-source AI and the wider software industry drive unprecedented levels of new venture creation and innovation, they also fuel a growing paradox encompassing security, compliance and monetization.
VentureBeat continues to see successful cybersecurity startups navigate these complexities and discover new strengths in their apps, tools, and platforms that weren't anticipated when they were first created and delivered.
The best-run startups are quick to capitalize on these unforeseen strengths and apply a more disciplined and deliberate approach to governance, recognizing the long-term benefits of that strategy. They're also faster in adopting as much automation as possible. Most impressive is how they view themselves as building communities for decades to come, all predicated on the ability to pivot product strategy on open source.
Decoding the open source paradox
Open-source AI's ability to act as an innovation catalyst is proven. What is unknown is the downside, or the paradox, that's being created with the all-out focus on performance and the ubiquity of platform development and support. At the center of the paradox for every company building with open-source AI is the need to keep it open to fuel innovation, yet gain control over security vulnerabilities and the complexity of compliance.
Gartner's Hype Cycle for Open-Source Software, 2024, highlights this stark contradiction, noting that high-risk vulnerabilities within open-source codebases surged 26% annually and now average nearly three years before resolution.
At RSAC 2025, Diana Kelley, CTO of Protect AI, crystallized the stakes during her session titled Principles of GenAI Security: Foundations for Building Security In. She said that "organizations routinely download open-source AI models without adequate security checks, significantly amplifying vulnerability risks."
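Two of the checks Kelley's point calls for can be scripted before a downloaded model ever reaches a loader: confirm the artifact's digest matches one pinned at review time, and confirm the serialization format cannot execute code when deserialized (Python pickle, which classic `.pt`/`.bin` checkpoints use, runs arbitrary code on load; safetensors is a plain header-plus-tensor layout). The following is an added example written for this article, not code from Protect AI or any project named on the page; the sample artifacts, the pinned digest and the function names are constructed for illustration.

```python
"""Pre-load checks for a downloaded open-source model artifact.

Added example: (1) compare the artifact bytes against a digest pinned at
review time, (2) refuse formats that execute code on deserialization.
The sample artifacts below are constructed byte strings, not real models.
"""
import hashlib
import json
import struct

# Pickle protocol 2+ streams open with PROTO (0x80) followed by the version byte.
# (Protocol 0/1 pickles have no such marker; modern checkpoints do not use them.)
PICKLE_PROTO = 0x80

# Constructed: a minimal safetensors file holding one tiny F32 tensor.
_HEADER = json.dumps({"w": {"dtype": "F32", "shape": [2], "data_offsets": [0, 8]}}).encode()
SAMPLE_SAFETENSORS = struct.pack("<Q", len(_HEADER)) + _HEADER + b"\x00" * 8

# Constructed: the opening bytes of a pickle-based checkpoint (protocol 4).
SAMPLE_PICKLE = b"\x80\x04\x95\x00\x00\x00\x00\x00\x00\x00\x00\x8c\x02os\x94."

# Digest a reviewer would record in the dependency manifest after vetting the file.
PINNED_SHA256 = hashlib.sha256(SAMPLE_SAFETENSORS).hexdigest()


def sha256_hex(data):
    """Hex SHA-256 of the artifact bytes (stream in chunks from disk in real use)."""
    return hashlib.sha256(data).hexdigest()


def detect_format(data):
    """Classify by leading bytes: 'safetensors', 'pickle' or 'unknown'.

    The pickle magic is tested first: a pickle stream never parses as a
    safetensors header, but its first eight bytes would decode as a huge
    header length, so checking the marker first gives a clearer verdict.
    """
    if len(data) >= 2 and data[0] == PICKLE_PROTO and 2 <= data[1] <= 5:
        return "pickle"
    if len(data) >= 8:
        header_len = struct.unpack("<Q", data[:8])[0]
        if 8 + header_len <= len(data):
            try:
                json.loads(data[8:8 + header_len])
                return "safetensors"
            except ValueError:
                pass
    return "unknown"


def check_artifact(data, expected_sha256):
    """Return (ok, reason).

    The digest is compared before the format is inspected, so a tampered
    file is reported as tampered rather than as a format problem.
    """
    actual = sha256_hex(data)
    if actual != expected_sha256:
        return False, f"digest mismatch: expected {expected_sha256[:12]}..., got {actual[:12]}..."
    fmt = detect_format(data)
    if fmt == "pickle":
        return False, "pickle-based checkpoint executes code on load; refuse"
    if fmt != "safetensors":
        return False, f"unrecognised format {fmt!r}; refuse"
    return True, "digest matches and format is safetensors"


if __name__ == "__main__":
    print(check_artifact(SAMPLE_SAFETENSORS, PINNED_SHA256))
    print(check_artifact(SAMPLE_PICKLE, sha256_hex(SAMPLE_PICKLE)))
    print(check_artifact(SAMPLE_SAFETENSORS + b"\x00", PINNED_SHA256))
```

The format detector is a magic-byte heuristic for triage; a production gate should hand files that pass it to the safetensors library's own loader, which validates the header fully, and should treat a missing pinned digest as a failure rather than skipping the comparison.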
Regulatory compliance is becoming more complex and expensive, further fueling the paradox. Startup founders, however, tell VentureBeat that the high costs of compliance can be offset by the data their systems generate.
They're quick to point out that they do not intend to deliver governance, risk, and compliance (GRC) solutions; however, their apps and platforms are meeting the needs of enterprises in this area, especially across Europe. With enforcement of the EU AI Act imminent, Prompt Security CEO Itamar Golan emphasized the urgency of embedding compliance at the strategic core during an interview completed earlier this year with VentureBeat. "EU AI Act, for example, is starting its enforcement in February, and the pace of enforcement and fines is much higher and aggressive than GDPR. From our perspective, we want to help organizations navigate those frameworks, ensuring they're aware of the tools available to leverage AI safely and map them to risk levels dictated by the Act."
Golan further explained, "A very big portion of the current cybersecurity market is derived only from GDPR, and as I see it, the AI regulation is going to be much more aggressive than GDPR. It's very rational that by around 2028, a very big market will be allocated to AI compliance."
Nearly every cybersecurity startup founder VentureBeat has interviewed over the last five years mentions how contributing to the open-source community is core to the company they're creating. Many strive to make this one of the core elements of their business DNA.
The most successful cybersecurity startups realize that making ongoing, significant contributions to open-source communities builds sustainable competitive advantages and industry leadership. Cisco's Foundation-Sec-8B model exemplifies how targeted, purpose-built cybersecurity tools substantially enhance overall community resilience. The Foundation-Sec-8B model has been downloaded 18,278 times in the last 30 days alone, according to its page on Hugging Face. Foundation-Sec-8B is an 8 billion parameter model that can be fine-tuned for specific use cases, including threat detection and auto-remediation.
Meta's AI Defenders Suite and ProjectDiscovery's Nuclei further illustrate how focused open-source contributions significantly improve ecosystem security and industry-wide collaboration.
Niv Braun, Co-founder and CEO of Noma Security, reinforced the critical importance of sustained community-building strategies during a recent interview, telling VentureBeat, "The community we're building is much, much more valuable and will be much more long-lasting than any yearly revenue figure. Building a community that people rely on is absolutely critical."
Key Takeaways from open-source cybersecurity leaders
Drawing on insights from Braun, Golan, Kelley, Patel, and over a dozen interviews with cybersecurity founders, CEOs, and leaders, five key takeaways emerge as foundational to succeeding with open-source AI. They are as follows:
- Embed governance strategically
Establish an Open Source Program Office (OSPO) to manage licensing, compliance, and vulnerabilities centrally. Embed governance dashboards directly into products, offering real-time regulatory compliance visibility as core differentiation. Braun highlighted governance's transformative potential during his recent interview with VentureBeat, saying, "Governance isn't overhead; it's our key differentiator, enabling seamless compliance."
- Automate security aggressively with generative AI
Implement generative AI extensively to automate security processes, including vulnerability detection, remediation, and real-time threat management. As Golan articulates clearly: "Generative AI-driven automation dramatically streamlines operations and enhances security efficiency beyond manual capabilities."
- Strategically contribute purpose-built tools
Actively contribute specialized, purpose-built cybersecurity models back into open-source communities, enhancing collective security resilience. Jeetu Patel succinctly captured this perspective during his keynote at RSAC and interview with VentureBeat: "The true enemy isn't our competitor. It's the adversary. Purpose-built open-source contributions are critical for collective cybersecurity resilience."
- Proactively manage and transparently communicate Total Cost of Ownership (TCO)
Clearly articulate TCO, transparently addressing hidden costs and long-term value. Proactively managing TCO calculations reduces customer uncertainty and enhances market confidence, directly addressing Gartnerās challenges around vendor lock-in perceptions.
- Prioritize rigorous and proactive risk management
Continuously deploy automated vulnerability scanning and remediation, maintain curated internal OSS catalogs, and automate compliance documentation (SBOM/VEX) to streamline audits, minimize risk exposure, and simplify regulatory compliance. Kelley emphasized during her keynote at RSAC 2025, "Rigorous, automated risk management is essential to managing open-source cybersecurity effectively."
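The SBOM/VEX automation in the last takeaway comes down to one reconciliation step: join the component inventory (the SBOM) to the per-vulnerability analysis (the VEX) and report what is still open, which is exactly what an auditor asks for. The script below is an added example written for this article, not code from any vendor or project the page names; it uses the CycloneDX "analysis.state" vocabulary, and the SBOM, the VEX and the vulnerability identifiers (EXAMPLE-000x) are constructed placeholders, not real advisories.

```python
"""Reconcile a CycloneDX SBOM with a CycloneDX VEX document.

Added example. Given the component inventory (SBOM) and the vendor's
per-vulnerability analysis (VEX), produce the findings that still need
remediation and flag VEX statements that point at components the
inventory does not contain (a stale VEX or SBOM). All inputs are
constructed samples, not real advisories.
"""
import json

# VEX analysis states that close a finding for audit purposes
# (CycloneDX 1.4+ "analysis.state" vocabulary).
CLOSED_STATES = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}

# Constructed sample SBOM: a hypothetical service with three dependencies.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"bom-ref": "pkg:pypi/requests@2.31.0", "name": "requests", "version": "2.31.0"},
        {"bom-ref": "pkg:pypi/pillow@10.2.0", "name": "pillow", "version": "10.2.0"},
        {"bom-ref": "pkg:pypi/torch@2.2.0", "name": "torch", "version": "2.2.0"},
    ],
})

# Constructed sample VEX: the vulnerability IDs are placeholders, not real CVEs.
SAMPLE_VEX = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "vulnerabilities": [
        {"id": "EXAMPLE-0001",
         "affects": [{"ref": "pkg:pypi/requests@2.31.0"}],
         "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
        {"id": "EXAMPLE-0002",
         "affects": [{"ref": "pkg:pypi/pillow@10.2.0"}],
         "analysis": {"state": "exploitable"}},
        {"id": "EXAMPLE-0003",
         "affects": [{"ref": "pkg:pypi/torch@2.2.0"}]},          # no analysis recorded yet
        {"id": "EXAMPLE-0004",
         "affects": [{"ref": "pkg:pypi/numpy@1.26.0"}],         # component absent from SBOM
         "analysis": {"state": "in_triage"}},
    ],
})


def load_components(sbom_json):
    """Map bom-ref -> component record from a CycloneDX SBOM."""
    sbom = json.loads(sbom_json)
    return {c["bom-ref"]: c for c in sbom.get("components", [])}


def reconcile(sbom_json, vex_json):
    """Return (open_findings, dangling_refs).

    open_findings: [(vuln_id, component_name, state)] for each affected
      component whose VEX state does not close the finding; a missing
      analysis block is treated as 'in_triage', i.e. still open.
    dangling_refs: [(vuln_id, ref)] where the VEX names a component the
      SBOM does not contain.
    """
    components = load_components(sbom_json)
    vex = json.loads(vex_json)
    open_findings, dangling = [], []
    for vuln in vex.get("vulnerabilities", []):
        state = vuln.get("analysis", {}).get("state", "in_triage")
        for target in vuln.get("affects", []):
            ref = target["ref"]
            comp = components.get(ref)
            if comp is None:
                dangling.append((vuln["id"], ref))
                continue
            if state not in CLOSED_STATES:
                open_findings.append((vuln["id"], comp["name"], state))
    return open_findings, dangling


def audit_summary(sbom_json, vex_json):
    """The counts an auditor asks for: components, open findings, dangling refs."""
    open_findings, dangling = reconcile(sbom_json, vex_json)
    return {
        "components": len(load_components(sbom_json)),
        "open_findings": len(open_findings),
        "dangling_refs": len(dangling),
    }


if __name__ == "__main__":
    findings, dangling = reconcile(SAMPLE_SBOM, SAMPLE_VEX)
    for vuln_id, name, state in findings:
        print(f"OPEN      {vuln_id:14} {name:10} state={state}")
    for vuln_id, ref in dangling:
        print(f"DANGLING  {vuln_id:14} {ref}")
    print(audit_summary(SAMPLE_SBOM, SAMPLE_VEX))
```

Two design choices matter for audits: a vulnerability with no analysis block is reported as open rather than silently dropped, and a VEX statement that references a component missing from the SBOM is surfaced as its own category, since it usually means the two documents were generated from different builds.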
Conclusion: Mastering open source for strategic advantage
For cybersecurity startups, strategically leveraging open-source AI offers unparalleled innovation, differentiation and sustained growth opportunities. Embedding governance deeply, automating security through generative AI, contributing purpose-built community tools, proactively managing total cost of ownership (TCO) and rigorously mitigating risks positions startups as industry leaders capable of driving significant cybersecurity transformation.
As Jeetu Patel summarized at RSAC 2025: "Strategic open-source innovation is essential to collectively securing our digital future. The adversary, not competitors, is our true challenge."
By embracing these strategic insights, cybersecurity startups can confidently navigate the complexities of open-source software, driving transformative industry leadership and long-term competitive success.
Join me at VB Transform 2025
I'll be hosting a roundtable focused on this topic, called "Building Cybersecurity Apps with Open Source," at VentureBeat Transform 2025, happening June 24-25 at Fort Mason in San Francisco. Register and sign up to join me in conversation. Transform is VentureBeat's annual event bringing together enterprise and AI leaders to discuss practical, real-world AI strategies.