AI App Spending Report: Where Are the Security Tools?
Recorded: Nov. 5, 2025, 4:17 p.m.
| Original | Summarized |
An analysis of startup firms' spending on AI applications finds the top categories to be productivity and content-generation. Security? Not so much.

Robert Lemos, Contributing Writer
November 4, 2025

A recently released list of the top 50 AI applications and services startups are actually paying for shows that they are, not surprisingly, focused on automation, productivity, and enterprise AI applications, with foundational model firms OpenAI and Anthropic leading the list.

What's missing from the list? Security tools.

The list, published earlier this month by venture capital firm Andreessen Horowitz (a16z) based on data from fintech platform Mercury, shows that startups are investing in specific categories of capabilities, such as AI-powered development platforms — Replit (#3) and Cursor (#6) — and AI content-generation services — Freepik (#4) and ElevenLabs (#5). Mercury collected data from the aggregated expenditures of all its 200,000 customers.

The data highlights a problem that has always been there, but has simply shifted to a new crop of applications, says Melissa Ruzzi, director of AI for AppOmni, an enterprise SaaS application security firm. Security is still not a top priority for these companies.

"What we're seeing here is really the 'build first and then worry about security later' [mentality]," Ruzzi says. "We see that even in the terms of not even just security, but scalability [and] maintainability."

While startups are their own microcosm in the business world — with extreme pressures to release product quickly — other companies can look at their lean operations and learn what to do and what not to do. Even though the list doesn't explicitly name security applications, that doesn't mean startups are ignoring security in their purchase decisions, says Zane Lackey, a general partner at Andreessen Horowitz.

"What we're seeing isn't that startups are ignoring security," he says. "It's more that security is increasingly embedded within the tools they use, from code generation to data management."

Security Happens Earlier

Founders are moving faster than ever, trying to establish an AI-enabled business before competitors, and part of that involves taking digital trust, data integrity, and platform security into consideration, Lackey says. AI-native security startups are already emerging that focus on development pipelines based on foundational models, verify the authenticity and provenance of training data, and detect malicious attacks on services, he says.

"It's early days, but we expect to see a new class of companies that are purpose-built for AI security move from the infrastructure tier into mainstream adoption as the ecosystem matures," Lackey adds.

Yet, the AI-usage story for startups mirrors that for cloud apps a decade ago. While startups expected cloud application providers to incorporate security into their products, the SaaS providers' main goal continued to be features and functionality, not security, argues AppOmni's Ruzzi.
As a result of these decisions, cloud breaches and service disruptions have become frequent problems.

Source: The AI Application Spending Report: Where Startup Dollars Really Go, 2025

"People, when they're using those top-50 [apps], they expect that the security is part of the service, so they're not thinking about separate security tools for those applications," she says. "But that's not necessarily true."

AI transcription tools and note-takers, for example, have taken off — both Otter.ai and Happyscribe grace the Top-50 list — but their use leads to an increasing amount of sensitive business conversations being stored online, often without appropriate security. Cybersecurity researchers have found numerous ways to bypass OpenAI's guardrails, while Replit deleted the production database of a firm using the platform for development. And, because developers are producing more code with AI, the amount of security debt in those applications is growing, with secrets sprawl a major concern.

Explicit Security Needed

At the very least, startup companies that offer a service or application need to consider their custodial responsibilities for the data they handle on behalf of their customers, says Ruzzi. Depending on the user agreement and government regulations, companies may not be able to put their customers' personal information into another AI service.

Determining security strategy means that startup workers should communicate with each other, she says. Different functional groups need to share information on which AI applications they plan to adopt and evaluate the security of those applications.

"The marketing person can ask the [IT/security] guy, 'Hey, what are the things I should be concerned about this?'" Ruzzi says. "I think the key point for the startups is to use their own internal AI expertise, not just to implement and develop AI, but also in the AI that they are using for the other departments."

While the data shows that AI has become a significant component of how startups build and operate, they need to maintain strong security fundamentals, says a16z's Lackey.

"Founders should approach AI services with the same rigor they apply to any new technology they leverage," he says. "They still need to understand data flows, enforce access controls, and ensure model inputs and outputs are appropriately safeguarded."

About the Author

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R.
Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends. |
The AI Application Spending Report, published by a16z and based on data from Mercury, reveals a significant trend: startup investment in AI is heavily skewed towards productivity and content generation tools, with security lagging far behind. While OpenAI and Anthropic dominate the top-50 list, the report highlights a critical oversight – a lack of dedicated security tools within this rapidly expanding landscape. Robert Lemos, the contributing writer, emphasizes this "build first and then worry about security later" mentality, common among startups prioritizing speed and innovation. The data illustrates that startups are prioritizing capabilities such as AI-powered development platforms (Replit and Cursor) and content-generation services (Freepik and ElevenLabs), reflecting a focus on rapid product development and operational efficiency. However, the absence of dedicated security tools – even as startups generate more code with AI – is raising concerns. Instances such as Replit deleting a firm’s production database and the proliferation of “secrets sprawl” due to AI-generated code underscore the vulnerabilities arising from this approach. Melissa Ruzzi, director of AI for AppOmni, a SaaS application security firm, notes that the problem isn’t new, simply shifted to a newer generation of applications. She argues that security is consistently overlooked, pointing to the fact that startups often prioritize features and functionality over robust security measures. This mirrors a similar situation observed with cloud applications a decade ago, where providers initially focused on delivering features before embedding security. Crucially, the report reveals a disconnect between user expectations and the security posture of these AI tools. Users anticipate “security as a service,” yet startups aren’t proactively addressing vulnerabilities, leading to concerns about sensitive business conversations stored in unsecure AI services like Otter.ai and Happyscribe. 
The report stresses the importance of communication and collaboration within startups. Functional groups need to share information regarding the AI applications they intend to adopt and critically evaluate their security. The marketing team, for example, should consult with the IT and security teams to identify potential vulnerabilities. Furthermore, startups leveraging AI should employ their internal AI expertise not just for development but also for security, mirroring best practices. Ultimately, the analysis suggests a need for a more rigorous approach to AI adoption, advocating for the same level of scrutiny applied to any new technology. Zane Lackey, a general partner at a16z, insists that founders should approach AI services with the same rigor and focus on data flows, access controls, and model input/output safeguards. The report concludes that despite the rapid growth of AI applications, maintaining fundamental security principles remains a critical imperative for startups. |