In this interview from RSAC 2026, Ken Exner, chief product officer of Elastic, joins theCUBE's Dave Vellante to discuss how Elastic is collapsing the modern SOC into a single AI-powered platform by eliminating per-endpoint pricing and embedding agentic workflows directly into its SIEM. Exner explains why AI has shifted from a copilot for threat hunters to a core defense primitive against increasingly AI-driven attacks. He details two major announcements: the removal of all per-endpoint XDR charges — what Elastic calls eliminating the "endpoint tax" — and a native workflow engine that injects AI reasoning steps into traditionally deterministic automation, enabling SOC teams to automate judgments that previously required human intervention.
The conversation also explores Elastic's identity as a data platform, rooted in the Elasticsearch open-source search engine that made it exceptionally capable with unstructured data at scale. Exner highlights how that search heritage now underpins the company's AI strategy, providing the grounding and context retrieval that power accurate, actionable intelligence for security analysts. Natural language queries are replacing specialized syntax like ES|QL, making the platform accessible to practitioners regardless of skill level — effectively giving junior analysts the capabilities of senior ones. From rethinking pricing models that incentivize full-estate protection to delivering conversational AI experiences across the SOC, Exner provides a roadmap for how Elastic aims to remove the friction between security teams and the data they need to defend against AI-era threats.
Ken Exner, Elastic
Ken Exner, chief product officer of Elastic, joins theCUBE Research for live RSAC 2026 coverage with hosts Dave Vellante, Christophe Bertrand and Jon Oltsik. Exner discusses how artificial intelligence (AI), agentic workflows and native integrations reshape security operations, and how Elastic positions itself as a data platform that powers search, AI grounding and rapid threat investigation. The discussion emphasizes native workflow capabilities embedded in Elastic Security and the combination of deterministic automation with AI reasoning to accelerate investigation and response.
Key topics include Elastic eliminating per-endpoint charges for Extended Detection and Response (XDR) to remove the endpoint tax and encourage protection across the full estate; consumption-based Security Information and Event Management (SIEM) pricing; broad partner integrations; and the benefits of a search-as-data foundation for AI-driven security. Exner highlights how these changes support more efficient security operations, faster threat hunting and improved operational economics.
>> All right. We're back at RSAC 2026. I'm Dave Vellante with Christophe Bertrand and Jon Oltsik is also here. You're watching theCUBE's live coverage. This is day two. We're winding up day two. You see the keynotes are exiting. It's been a great RSAC 2026. We're super excited to have Ken Exner here, he's a chief product officer at Elastic, CUBE alum. Good to see you again. Thanks for coming back.
Ken Exner
>> Good to see you, Dave. Good to be back.
Dave Vellante
>> So it's a good show. We love being here, as we said in Moscone West. It's kind of quiet.
Ken Exner
>> It's usually quiet.
Dave Vellante
>> Maybe not so much right now, but you guys have made a bunch of announcements yesterday. What are the challenges that you were trying to address? What were the problems that you were trying to help security teams address in these announcements?
Ken Exner
>> Well, of course, one of the themes of RSA this year is AI. AI was a theme last year, but this year it's become sort of front and center because everyone started to realize that it's not just a copilot or an assistant that aids you in threat hunting. It's actually sort of core to providing defense against increasingly AI-based attacks. So AI is both the primary threat that a lot of people are facing, but also one of the primary defense primitives that they have to work with. So a lot of the conversation right now is around AI-enabled SOCs. And the thing for Elastic is we have sort of provided AI-based tooling to help threat hunters combat these cyber threats for a long time. But one of the things that has always been a source of friction for a lot of our customers is that they have to integrate these different tools. They have to, in addition to having a SIEM, they have to have a different EDR system. They have to have a different SOAR system. They have to have a different UBA or NTT analytics system. So one of the things we're trying to do is sort of combat that tax, that security tax that people have to have moving between these different systems and trying to provide a more integrated solution. We're also trying to combat the tax that we see with pricing that encourages people to take on bad security practices. So we want to make sure that pricing or pricing models don't actually encourage people to follow bad practices. So a couple of things that we're super excited to announce. One is that we are ending per endpoint pricing. So if you're using us as an XDR solution, there is no endpoint pricing. So we are eliminating what we like to call the endpoint tax. You're essentially using us as a data platform. You're using us for querying data. There's no additional charge for endpoints. The second thing that we're super excited to announce is our new workflow system. So with Elastic, you get this native workflow capability that you can use for automation. So you don't have to use a different SOAR system. You have native workflow capabilities that you can use to automate the different tasks in SOC.
>> So I'd like to talk to you about that. Obviously you're the chief product officer. I love products myself being a product guy too. So tell us about the workflows because to me, workflow is really a succession of jobs, or events, or actions that you take. In the age of agentic AI, what does that really mean? How does it apply then to security, cybersecurity in general terms?
Ken Exner
>> So first of all, what we've done is we've integrated workflows as a basic primitive within our stack that you can use for observability workflows, for security workflows, for agentic workflows. And we have dozens of different connectors, third-party systems. But it's also natively integrated with Elastic Security. So it's natively integrated with the alerts and cases that you have, the investigation that you have. So you have this native experience that you don't have to switch between a different platform and our SIEM. But what it means in the age of agentic AI is, and this is one of the things I'm super excited about, is that workflows are typically deterministic rules-based things. So you're taking a series of steps that are predictive, they're rule-based, but sometimes you want to have a bit of judgment, a bit of reasoning as part of that without having to always invoke a human, always have to have a human in that process. And the combination of what we have with our agent builder technology and workflows, you can now inject reasoning steps, judgment steps within a workflow. So you can start automating some of the things that usually had to have a human always be part of that. So again, in the age of AI where threats are speeding up, you want to combat that with faster actions. And sometimes using a reasoning step in a workflow can actually speed up that time to actually take action or do something. So if you are looking at a phishing email, you can reason over that email and not just use a rules-based approach.
Dave Vellante
>> So Ken, can you connect that to what you were saying earlier about eliminating the SOAR tax? Square that circle for me.
Ken Exner
>> Well, you don't have to integrate with a different system. So you don't have to have a different system that you're using. You're actually taking the workflows and compute related to workflows and bringing that to the data. So you don't have to switch and use a different system. You can actually, within the context of your SIEM, within your data platform, start building workflows from the data. So it allows you to actually have totally new sets of capabilities that weren't possible before, but also in an integrated experience. So you don't have to go to a different system. From the data, from the SIEM, you can actually start building workflows and use reasoning steps or deterministic workflows.
Dave Vellante
>> And there's no functional trade off in doing so?
Ken Exner
>> No, it's actually additive. So it's not only the ability to do traditional security orchestration response. You can do all the traditional things. You can take automated response actions. You can spin up a Slack channel, whatever you might typically do. But in addition to that, you can also have AI-based steps in that. And I think this is going to... We're starting to see really novel clever uses of this to handle things that previously always had to have a human be part of that process. So you're able to speed up a lot of this. And eventually you might want to have a human in the loop, but you can take some of the things that might have taken simple judgment and actually automate that.
>> So I want to focus on your users, your end user, security analysts.
Ken Exner
>> Yes.
>> Obviously, this is injecting a change in how they interact with their job, literally, right? There's always this discussion, "Oh, AI is going to, or agents are going to steal my job." Or in this case here, you seem to be going in the direction that says that they're going to help you. But day to day, what is it changing for me as a security analyst if I'm watching this?
Ken Exner
>> If you've looked at how we've used AI within our SIEM product to date, it's always been about giving the analyst a couple of things. Removing a lot of the drudgery from what they're having to do, like attack discovery. We were here last year, we talked about attack discovery, which was an ability to automatically go through all the different alerts and determine which ones are false positives, which ones are related and automatically map the related ones to a MITRE ATT&CK chain. That sort of eliminates the drudgery. So you don't have to sift through 200 of these. You can actually just look at a couple of correlated attacks and we can actually map that and show you the attack path. That makes it much easier for the analysts. So suddenly they don't have to sift through all those alerts. They can immediately be taken to the thing that they want to try to get to. So it eliminates hours of sifting pain, manual work. The other thing is we augment them with a lot of knowledge base, a lot of the power of an LLM to sort of have all this additional information, this additional context. And we can bring that context to the work that they're doing. So suddenly any analyst suddenly has all the knowledge at their fingertips for how to resolve something. So in addition to the playbooks and the typical things that might build up as knowledge in an enterprise over time, you have all the industry information about how to deal with these issues. So bringing the industry knowledge, the company knowledge to bear to handle these different attacks makes everyone suddenly... It gives them superpowers. It gives them... Every junior analyst can suddenly become a senior analyst.
Dave Vellante
>> Who doesn't want superpowers?
Ken Exner
>> It's superpowers. Yeah.
Dave Vellante
>> I want to come back to the per endpoint XDR pricing, the fact that you're eliminating that. Somebody once said to me, no matter what pricing model you choose in software, it's never perfect. And so, but I'm fascinated by pricing and pricing changes. We're hearing a lot about per seat, per endpoint. What led to that decision and how are you pricing?
Ken Exner
>> So we charge for our SIEM, and there's a couple of different pricing models for that. One is, if you're using our serverless cloud product, we just charge for the data ingested and the data retained. If you're using a self-managed, we just charge you for the compute resources that are used to store and query to the data. But what we're doing is we're eliminating the endpoint charges. And the reason we're doing that is something we noticed is that people were making trade-offs about which systems to protect. They didn't want to protect every single... Because it would be expensive. Every single additional laptop, every single additional mobile device. These are all additional charges. And this is the model that we use in the industry today. We charge per endpoint, which means that most people are protecting only the most vital assets they have. But in an AI-based world, you should be looking to protect your entire estate, not just the elite few that you can afford to protect. So we wanted to make sure that customers were protecting everything that they had, and not having to make that choice, that sort of Hobson's choice. We don't want them to have to choose which endpoint is more important to protect. So we eliminated it, and we essentially charge just for the SIEM. So if you don't want to retain data with us, you can pretty much have a very, very close to free endpoint protection solution. But we think that customers will get value from our SIEM as well as a true XDR solution, and they'll want to use us not just as an endpoint solution, but also as a SIEM.
Dave Vellante
>> So it's kind of like an enterprise license agreement for the SIEM, and then of course you charge for the storage you consume.
Ken Exner
>> But if you don't use us, if you don't retain, you're not going to get charged.
Dave Vellante
>> Right.
Ken Exner
>> So we believe customers will get so much value out of the integrated XDR solution that they'll want to retain data. They'll want to use us as a SIEM as well, but they don't have to game us. Feel free to just use us as an endpoint solution and not get charged.
Dave Vellante
>> And that's a consumption pricing.
Ken Exner
>> Yes. It's all consumption-based.
Dave Vellante
>> I have a question regarding your ecosystem. Obviously, you're part of a broader solution here. How do you approach your ecosystem? What partnerships do you have? What alliances do you see as critical moving forward?
Ken Exner
>> So we've always been sort of a flexible... Our roots are in open source. So Elastic Security came from Elasticsearch, which is one of the most popular open source projects of all time. So we've always been open. We've always been a highly flexible platform. People use this initially as sort of a threat hunting platform that integrated with a bunch of other systems. So integration has always been core to what we do. We integrate with pretty much every EDR system out there, every other different CDR system, cloud security system. We want to make sure that we are always working with our ecosystem, and customers like that flexibility that we have. As we introduce some of these capabilities, we still support our partners. We still want to make sure we have great relationships with those partners, whether it's a SOAR partner or whether it's an EDR partner, we still maintain strong relationships. But we're trying to also provide a convenient, easy to use, integrated platform for the SOC. That includes most things that you'll want to have in a modern day SOC platform.
Dave Vellante
>> I want to ask you about Jensen's AI stack, just sort of in my brain. He put this blog out talking about a five layer cake. And nowhere in that five layer cake was there data. So I want to ask you about-
Ken Exner
>> In Jensen?
Dave Vellante
>> In Jensen's, he's got-
Ken Exner
>> There was. Well, it wasn't in the five layers.
Dave Vellante
>> Oh, really?
Ken Exner
>> There was on a different slide. And you might have noticed that Elastic was actually on that slide.
Dave Vellante
>> But it wasn't in his fundamental architecture of the five layer cake because he had power, infrastructure, all the way up to apps. It's a yes. And of course, when we asked him about it, he's like, "Yeah, look, data's important," and he made a lot of data announcements. And to your point, Elastic was part of that. So I want to ask you about Elastic as a data platform. What is a data platform for you and what does that mean in the AI world?
Ken Exner
>> So as I mentioned, we started off as Elasticsearch, which is an open source search engine. And as a search engine, we had to become good at a couple of things. We had to become... A search engine is essentially a database. It's a data store. And we had to become very good at searching through vast amounts of data very quickly and very efficiently and figuring out how to store all kinds of data, structured, unstructured, different schemas. And one of the reasons we became popular in security is that we could handle all this data and help people find whatever they were looking for in that data, no matter what schema, no matter what system it came from, no matter whether it was structured or unstructured. And that's sort of the core of what we sort of tout as a data platform, is that we are exceptionally good at unstructured data. We can help you find that needle in a haystack, even if it's unstructured, even if it's data that... We can do joins on two different data sets that are completely different schemas. We can help you do math operations on data that is completely unstructured. So we are exceptionally good at this kind of stuff that gives sort of magical powers to these analysts. But we're also, because we are a search engine, we're also an AI platform. So search has become essentially the foundation of AI. It's how you give context to an AI based system. It's how you ground an AI system. It's how you make sure that the AI system has the right information in order to give you the right answers or take the right actions. So that heritage of being a data platform and being an AI system or a system that powers AI applications has made us sort of uniquely positioned in the world of security. Where because we are exceptionally good at data and exceptionally good at AI, we can bring those two things together and deliver an AI-powered experience for the modern day SOC.
Dave Vellante
>> And to your point about open, Elastic's always been open, ELK Stack is famous. The one criticism for ELK Stack is you need to have skill sets to take advantage of it and you got to be smart people. How does AI simplify that?
Ken Exner
>> Well, some of how we simplify that even before we get to AI is through the solutions that we created. So the Elastic Security solution was a solution built on top of the core set of tools that we had that made it easy. It created an interface and experience that was familiar and easy for a security practitioner. So they didn't have to use the raw tools. They had case management, they had alerts, they had all the things that they would expect, timelines. They could sort of use the data in the way they came to expect to use them in a SIEM.
Dave Vellante
>> That was the intuitive kind of abstraction layer that you guys built on top of that.
Ken Exner
>> It was a UI layer that allowed them to interact with the data, interact with a powerful platform through a familiar interface.
Dave Vellante
>> And that shot up market share and we saw that since-
Ken Exner
>> Same thing for observability. We did the same thing. Now with AI, suddenly some of the things that required some specialization now don't. So I'll give you one example. With any SIEM, you typically have query languages that you need to learn. We love our query language, ES|QL. We think it's a powerful query language, but you don't have to use it. You can just use natural language, whether that language is English or Japanese or anything else. You can actually use natural language in order to construct queries and we will automatically take the chat conversation and actually create the ES|QL queries beneath the scene. So we are starting to deliver an experience that's more conversational and not requiring that specialized information. And you're seeing this delivered through sort of chat first, AI first experiences in Elastic so that you can actually just have conversations with your data. You can have conversations that don't require you having to learn different syntax or different query languages. You can just tell us what you're trying to do in whatever language you want. And we're starting to take the experience of alerts, and queries, and tables, and all the different visualizations and bringing that into this AI-based experience. And I think over time, it'll not only be our AI-based experience, it'll be others. We will work, whether you're using Cloud Code or anything else, we will work within those ecosystems and deliver our capabilities through whatever AI UX you're choosing to use. And I think the future is exciting. I'm excited about what we're going to be doing this year.
Dave Vellante
>> Sounds like Star Trek, the future's here.
Ken Exner
>> I was going to say, the universal translator. I was thinking just about that.
Ken Exner
>> It's beautiful. Yeah.
Dave Vellante
>> Ken, great to have you back on theCUBE. Thanks so much for coming.
Ken Exner
>> Thank you.
Dave Vellante
>> All right. And thank you for watching. Keep it right there. We're at RSAC 2026. You're watching theCUBE, Dave Vellante, Christophe Bertrand, Jon Oltsik, right back right after this short break.