
If you’re an investor backing AI-driven security, you’re focused more on the numbers than the hype. You need to look at where AI delivers measurable return, how fast, and what separates winning vendors from the noise.
Google Cloud’s new ROI study is a very good place to start. It shows that ROI is real – especially when organisations move from ‘assistive’ GenAI to agentic systems that automate parts of the security workflow.
Across all functions, 74% of leaders report AI delivers ROI within the first year. Among early adopters of AI agents, 88% already see positive ROI, and they’re doubling down (at least 50% of future AI budget allocated to agents). Many have scaled breadth too: 39% report more than 10 agents in production. And that spend focus shows up in IT budgets – early adopters allocate around 39% of annual IT spend to AI vs about 26% on average.
Security is one of the five areas where leaders most often report value from AI: 49% say AI has improved security posture. Looking deeper, organisations cite better threat identification (77%), faster time to resolution (61%), improved intel/response integration (74%), and fewer security tickets (53%).
These are the levers that matter to boards – and to your underwriting model.
If you want a concrete benchmark, Forrester’s independent TEI on Google SecOps (a composite enterprise model) reports 240% ROI over three years and USD $4.3M NPV, driven by a 70% reduction in risk and breach cost and 50% faster mean time to respond. That’s a single-stack example, but the economics illustrate where agentic detection, triage and response can pay back.
IDC’s analysis of Google Cloud AI (cross-function, not security-only) also points to outsized returns – an average 727% three-year ROI and roughly 8-month payback for AI initiatives, which aligns with the ‘fast time-to-value’ pattern seen in security use cases once agents are embedded into workflows.
The study tracks a shift from point tools to AI agents that can plan steps, call tools, and hand off to humans when needed. Of the organisations in the study that use GenAI, 52% now run agents in production – and leaders deploy them across security operations more than most functions.
In practice, automation is enriched, signals are correlated across data lakes, and investigations or playbooks are drafted so that analysts can act sooner. That’s how you compress the mean time to recovery (MTTR) and shrink ticket volumes – and it’s why early adopters report stronger ROI.
Firstly, you should demand proof on security KPIs, and not accept vanity metrics. Ask vendors to show reductions in MTTR, incident volumes, and breach-related loss – precisely the outcomes enterprises report. If reference customers can’t demonstrate these, then you should treat claims with caution.
Following that, look for agentic coverage across the SecOps lifecycle. Returns compound when agents touch intake (signal ingestion), triage (entity resolution, risk scoring), investigation (summary, recommended actions), and response (workflow execution with approvals). Forrester’s SecOps TEI highlights ROI when automation spans multiple steps, not just detection.
Also check integration and data governance as an early priority. The study shows data privacy and security top the shortlist when choosing LLM providers, with systems integration and cost close behind. Startups that make deployment safe and simple (plug-ins to SIEM/XDR, clear policy guardrails, and auditable actions) reduce time-to-value and expand TAM.
And finally, back teams that are aligned with the C-suite. Google Cloud’s researchers found 78% of organisations with comprehensive C-level sponsorship report ROI on at least one GenAI use case. In security, exec alignment accelerates access to data and budget, and speeds up any required process change – and those are the hard parts of shipping useful agents.
AI’s ROI in cybersecurity shows up where it hurts (and helps): fewer tickets, faster investigations, lower breach risk and cost. The strongest results come from agentic approaches that stitch together the security workflow – and from vendors who can prove it with customer KPIs. That’s where capital should gravitate.
If you want to meet innovative vendors and expand your portfolio, join us in Riyadh this December for Black Hat MEA 2025.