The Moment We Realized We Were Ahead of Anthropic

May 2026 · 10 min read · AI & SECURITY OPERATIONS

Illustration of a giant robot foot chasing a small ant on a racetrack

AI, and the death of SaaS, can turn small companies into market leaders (for now)

Disclaimer: I am not bashing the Anthropic video referenced herein. Claude Clue looks compelling, and the approach, the technology, and the protagonist are all great. This is a compliment wrapped in an observation.

I watched this video a few times, and it's great. A security practitioner at Anthropic prompts Claude to investigate a privilege escalation alert, and the model goes to work: pulling account details, checking logs, assessing severity, recommending scope expansion for detection policies across the organization. If you're a security operations person, it's immediately recognizable as useful; Claude is doing the things you'd do, just faster and without the coffee.

The thing that really struck me, though, was that we at Sensilla already built that, and we've gone further.

The research is already done before you sit down

In the Anthropic demo, the operator opens the tool and starts asking questions. Paraphrasing: "What happened with this privilege escalation?" Claude then begins its investigation, and that's the interaction model: human asks, AI responds, human asks a follow-up, AI digs deeper. It's a conversational approach to incident investigation, and it works.

But we took a different path. By the time our SOC operators reach the UI screen for an incident (a privilege escalation, an account compromise, a suspicious login, etc.), several activities have already been initiated or completed, and the operator doesn't need to ask "what happened, should I care, what should I do?" because the answer is already there.

Account lookup to understand the user's role, analysis of recent login history, the organizational relationship between the person who elevated privileges and the person whose privileges were elevated (who promoted whom, and why does that matter), and recent behavior of the hosts associated with the alert; all of it gathered, interpreted, and staged for human review before a single analyst clicks into the case. If the detection and research indicate a compromise, actions are also taken to isolate or quarantine the host, revoke sessions, disable the account, etc.

At Sensilla, the operator's job isn't to direct the investigation; it's to approve the investigation that's already been done.

Same model, different philosophy

Notably, we leverage Anthropic models in AWS/Bedrock to perform these actions: the same underlying models, but a different approach to using them.

Anthropic's demo treats Claude as an interactive analyst. You sit with it, you converse, you guide the investigation through natural language, and it's impressive and intuitive, but it still requires a human in the loop during the research phase, because the operator is driving.

We treat Claude as the research engine behind the curtain, where the SOC operator is the approver, not the driver. Natural language is an extraordinary tool for gathering and interpreting telemetry at speed, and that's exactly what we use it for, but the decision about which actions to take, which enrichments to run, which context to pull? Those are code-based automations. We don't rely on natural language to decide the investigation plan; we built the investigation plan, and Claude executes the parts of it that benefit from language understanding.
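The split described above, sketched as an added example that is not Sensilla's code: a fixed enrichment plan runs over constructed sample data, a code rule stages containment for operator approval, and the summarizer (a template standing in for the model call) only turns findings into text. All names, sample records, the login heuristic and the decision rule are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data standing in for a directory, an auth log and host telemetry.
DIRECTORY = {"jdoe": {"role": "helpdesk", "manager": "asmith"},
             "asmith": {"role": "it-admin", "manager": "cio"},
             "mlee": {"role": "contractor", "manager": "asmith"}}
LOGIN_COUNTRIES = {"asmith": ["US", "US"], "mlee": ["US", "RO"]}
HOST_EVENTS = {"ws-020": [], "ws-114": ["credential_dump_tool", "new_admin_share"]}

def account_lookup(alert):
    return {"actor_role": DIRECTORY[alert["actor"]]["role"]}

def relationship(alert):
    # Who promoted whom: does the actor manage the target?
    return {"actor_manages_target": DIRECTORY[alert["target"]]["manager"] == alert["actor"]}

def login_history(alert):
    # Simplified heuristic (assumption): more than one country in recent logins.
    seen = set(LOGIN_COUNTRIES.get(alert["actor"], []))
    return {"login_countries": sorted(seen), "new_location": len(seen) > 1}

def host_behavior(alert):
    events = HOST_EVENTS.get(alert["host"], [])
    return {"host_events": events, "host_suspicious": bool(events)}

# The investigation plan is fixed in code; the language layer never chooses steps.
PLAN = [account_lookup, relationship, login_history, host_behavior]

def template_summary(findings):
    # Stand-in for the model call: it receives findings and returns text only.
    return "; ".join(f"{k}={v}" for k, v in sorted(findings.items()))

@dataclass
class Case:
    alert: dict
    findings: dict = field(default_factory=dict)
    proposed_actions: list = field(default_factory=list)
    summary: str = ""
    status: str = "pending_approval"  # the operator approves; nothing here executes

def investigate(alert, summarize=template_summary):
    case = Case(alert)
    for step in PLAN:
        case.findings.update(step(alert))
    f = case.findings
    # Containment is proposed by a code rule on findings, never by the summary text.
    if not f["actor_manages_target"] and (f["new_location"] or f["host_suspicious"]):
        case.proposed_actions = ["isolate_host", "revoke_sessions", "disable_account"]
    case.summary = summarize(f)
    return case
```

Because `summarize` only returns a string, text that reaches the model through telemetry can change what the operator reads but not which steps ran or which actions were staged.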

Machine learning separately informs our alerting system, identifying notable changes in behavior across the customer environment, so the alert itself is already context-rich before Claude ever touches it. By the time the operator is looking at the screen, the system has done the research, the ML has flagged the anomaly, and the natural language layer has synthesized the findings into something a human can evaluate quickly.

That's a fundamentally different operating model than "ask the AI what happened."

None of this will matter

And I say that without bitterness (ok, maybe a little).

That Anthropic video has 288,000 views and counting, and this article will reach perhaps a thousand people. Companies like ours (privately funded, US-focused, conservative business plan) commonly hear a particular kind of dismissiveness: "They couldn't possibly be ahead of Company X," or my personal favorite, "We don't see you in the Gartner Magic Quadrant" (old rant about that one here). The assumption is that scale equals capability, that the company with the most resources must be the furthest along, and that's been true for most of the history of enterprise technology.

It's not true anymore.

Domain knowledge is the accelerant

In the era of AI-assisted development, a small team with deep domain expertise can build things that would have required a 50-person engineering organization three years ago. The models are available to everyone, the cloud infrastructure is available to everyone, so the differentiator isn't access to the technology; it's knowing what to build with it.

Thirty years in security gives you a very specific kind of knowledge. You know what an analyst actually needs when they open an alert at 2 AM, you know which enrichment steps are always the first three things they do and which ones they forget until it's too late, and you know that the bottleneck in most SOCs isn't detection; it's the time between detection and understanding. That's the gap we're closing, and we're closing it not because we have a better model, but because we've spent decades learning where the pain actually is.

Custom software on demand (for some)

There's a moment in the Anthropic video where the operator describes building custom detection systems on the fly, tailored to their specific environment. To me, that moment is more important than the release of Clue.

Throughout our business, we're seeing the same thing: the ability to create purpose-built tooling for unique use cases, at a pace that would have been unthinkable three years ago. Every customer's environment is different; their systems are configured differently, their network topologies are different, their compliance requirements overlap in weird ways. The old approach was to buy a SaaS product and hope it was flexible enough to accommodate your reality, but the new approach is to build exactly what you need, when you need it.

This feeds the 'death of SaaS' narrative that's been long debated, and I think the narrative is directionally correct, but it has an important asterisk on it. The operator in that video has deep AI fluency and deep security domain expertise; her team knows what to ask for, how to validate what they get back, and where the model's output needs a human sanity check. Many organizations have neither, because they don't have the AI expertise to prompt and orchestrate these systems effectively, and they don't have the security domain knowledge to know whether the output is any good.

So yes, custom software on demand is real, but it's going to be a haves-and-have-nots situation for a while. The organizations that can do this will pull further ahead, while the ones that can't will still be buying SaaS products and hoping for the best. The gap between those two groups is where companies like ours live, because we have the domain knowledge and the AI capability to build custom systems for our customers, and that's the value proposition that the 'death of SaaS' crowd sometimes forgets: someone still has to be the expert.

Where this leaves us

Anthropic built an agent that can investigate a security alert when you ask it to, and we built a system where the investigation is already done by the time you look at it. Both use Claude; one requires you to be the investigator, the other lets you be the decision-maker.

Whether there's any kind of moat around that advantage remains to be seen, because Anthropic could build what we've built, and so could a dozen well-funded startups. Domain knowledge is a head start, not a fortress, but right now, today, a small company with the right ideas and the right experience is ahead of arguably the most successful AI company on the planet in at least this one narrow, important area.

The tools have been democratized, and the advantage belongs to the people who know what problems actually need solving. Whether the market notices is a different question entirely.
