As expected, every ambulance chasing security company is banging on my door, trying to convince me that I need their antimalware/SIEM/monitoring service because GDPR.

You guys are shameless.

GDPR includes requirements to protect consumer data from breaches, and has reporting requirements for such breaches.

So does every security framework in existence. If one is already (in the US, anyway) following NIST 800-53, SOC2, ISO27001, etc., then all these products are redundant.

Any company that is not already doing monitoring/anti-malware/etc., has no security policies, does no audits/training/etc., has far bigger problems than the GDPR, and all these product offerings aren't going to help anything. No security product is going to fix crappy management. In fact, it can make the problem worse by providing a false sense of security.