Artificial intelligence has become the defining technology story of the past two years. It dominates boardroom discussions, investor briefings, vendor messaging, product launches and conference agendas. Every sector is being told that AI will transform how it operates, competes and manages risk. Cybersecurity is no exception.

AI is everywhere

Across the industry, AI has quickly become one of the most used terms in marketing. Security platforms are AI-powered. Detection tools are AI-driven. SOC operations are AI-augmented. Risk assessments, compliance workflows, threat intelligence, phishing defence and incident response are all now being presented through an AI lens.

Some of this is justified. AI is already helping security teams process large volumes of data, automate repetitive tasks, accelerate investigations and identify patterns that would be difficult for humans to spot at speed. Used well, it can make analysts more effective and help organisations respond faster to threats.

But that does not mean every AI claim deserves to be accepted at face value.

Read our piece on the Mythos AI for an example

The current AI boom is built on real innovation, but it is also surrounded by hype, overinvestment and inflated expectations. History repeatedly shows that when a technology becomes this dominant in the market narrative, a sharp and often painful correction usually follows. The question for cybersecurity is not whether AI has value. It does. The question is whether security companies have rushed too quickly to present themselves as AI-first without proving where the technology genuinely improves outcomes.

 

 

 

Why are people talking about an AI bubble?

Technology bubbles form because expectations move faster than reality.

The dot-com crash did not mean the internet was unimportant. It meant too many businesses had been valued, funded and promoted on the assumption that internet adoption would immediately rewrite every commercial rule. Many failed. The internet did not. The useful companies survived, matured and became part of everyday life. AI is likely to follow a similar path.

The technology will not disappear, but the hype surrounding it will eventually cool. We're seeing it now with Investors will starting to ask harder questions about returns. Customers are becoming more sceptical of vague AI claims. Boards want evidence that AI-enabled tools are reducing risk, improving productivity or cutting cost, rather than simply adding another layer of complexity to already crowded technology stacks.

This matters because AI infrastructure investment is enormous. Data centres, chips, cloud capacity, specialist software and power demand have all become part of the wider AI race. That level of spending creates pressure. The more money poured into the market, the greater the need to prove that AI adoption can deliver sustainable value.

If that value does not arrive quickly enough, the market correction could be sharp.

The true costs of AI is becoming harder to ignore

One reason the AI bubble conversation is becoming louder is that the economics are starting to look less forgiving. For much of the current boom, AI use has been supported by heavy subsidies, cheap access, free trials and aggressive investment from major technology companies. That has made adoption appear smoother than it really is.

As demand rises, the real cost of running AI is becoming clearer. Training and operating models requires expensive infrastructure, huge volumes of computing power, specialist chips, cloud capacity and significant energy consumption. At the same time, many organisations are discovering that AI usage can quickly generate high operational costs, especially when employees are encouraged to use AI tools without clear business value.

This creates a difficult question for buyers: is AI delivering enough productivity, security improvement or risk reduction to justify the spend?

For cybersecurity, that question is crucial. If AI-enabled tools increase licence costs, data-processing costs or operational complexity without improving measurable outcomes, security leaders will begin to challenge the investment. The market will move away from broad AI promises and towards specific proof. Vendors will need to show how AI reduces alert fatigue, improves detection accuracy, accelerates response, prioritises exposures or strengthens resilience.

The free lunch is ending. The winners will be those who can prove value when the bill arrives.

Has cybersecurity jumped on the AI bandwagon?

Cybersecurity vendors have not been slow to join the AI movement. In some cases, this has been a positive development. AI and machine learning have long had a role in areas such as anomaly detection, fraud monitoring, behavioural analytics and malware classification. Security teams have been using forms of automation and statistical analysis for years, even before generative AI became mainstream.

The issue is not the use of AI itself. The issue is the way AI is sometimes being positioned.

Too often, AI is presented as a cure-all. It is used as a shorthand for better security, faster response and smarter detection, without enough explanation of what the tool actually does, how it works, what data it relies on, what its limitations are, or how it improves the work of security teams in measurable terms.

That creates a risk for buyers.

A security leader does not need another dashboard with an AI label. They need confidence that their organisation can detect threats, investigate incidents, prioritise exposures, protect critical assets and recover when something goes wrong. If AI helps achieve that, it has value. If it is simply a feature wrapped in marketing language, it becomes another distraction.

 

 

What is AI-washing in cybersecurity?

AI-washing happens when a product, service or capability is marketed as AI-led even though the AI element is limited, unclear or not central to the value being delivered. It can also happen when long-standing automation, rules-based analysis or machine learning capabilities are repackaged as something more advanced than they really are.

This is not just a marketing concern. It has practical consequences.

If organisations buy tools based on exaggerated claims, they may overestimate their protection. They may assume AI is making decisions that still require human review. They may believe the technology can reduce analyst workload when, in reality, it creates more alerts to validate. They may also deploy AI-enabled systems without understanding the governance, data and access control implications.

That is a serious issue because AI does not remove security fundamentals. It increases the importance of them.

AI systems need access to data. They may connect with business applications, identity systems, customer records and operational workflows. They may summarise sensitive information, automate decisions or recommend action. If they are poorly governed, they can widen the attack surface and create new opportunities for data leakage, privilege misuse and compliance failure.

Can AI replace good cybersecurity fundamentals?

No. AI cannot replace strong cybersecurity fundamentals.

An organisation with poor asset visibility, weak identity controls, limited logging, unmanaged endpoints, underdeveloped incident response processes and inconsistent patching will not become secure because it buys an AI-enabled tool. It may gain additional capability, but that capability will sit on top of the same underlying weaknesses.

AI can help security teams move faster, but speed only matters if the right processes and controls are already in place. Faster alert triage is useful. Faster investigation is useful. Faster threat hunting is useful. But none of this removes the need for governance, risk management, testing, resilience planning and skilled human oversight.

In many ways, AI makes the basics more important.

The more organisations automate, the more they must understand who has access to what. The more they connect AI to workflows, the more they must control data movement. The more they rely on AI-generated outputs, the more they must validate accuracy, context and decision-making. The more attackers use AI to scale phishing, reconnaissance and social engineering, the more organisations need layered, resilient defences.

AI should strengthen cybersecurity. It should not become a substitute for it.

What happens when the AI market turns?

If the AI bubble bursts, or even deflates gradually, cybersecurity companies will face a credibility test.

Vendors with genuinely useful AI capabilities will be able to show clear outcomes. They will demonstrate how their tools improve detection accuracy, reduce response times, support analysts, prioritise risk, cut noise or strengthen resilience. Their claims will be specific, measurable and grounded in operational reality.

Those that have relied too heavily on AI as a positioning exercise may struggle.

Customers will become less impressed by broad promises. Procurement teams will ask tougher questions. Security leaders will want to know whether AI features are mature, explainable and properly governed. Boards will want to know whether investment is reducing cyber risk or simply following a trend.

This could be healthy for the industry.

A market correction would not mean AI has failed. It would force the conversation to become more mature. It would separate genuine capability from noise. It would push vendors to explain how AI contributes to security outcomes, rather than assuming the word itself is enough.

What do Fable 5 and Mythos show about AI hype and cybersecurity?

The controversy around Anthropic’s Claude Fable 5 and Mythos shows why the AI bubble debate matters to cybersecurity. These models were not just another consumer AI launch. Mythos was specifically highlighted for its cyber capabilities, with the UK AI Security Institute reporting improved performance in capture-the-flag challenges and multi-step cyber-attack simulations. Anthropic also launched Project Glasswing, positioning Mythos Preview as a way to help secure critical software. 

Then came the backlash. In June 2026, Anthropic disabled access to top-tier models after a US order limited foreign access, with reports citing concerns around national security, export controls and model misuse. Reuters reported that some early users still retained access to Mythos through the Glasswing programme, underlining how confused and uneven the response had become.

For cybersecurity leaders, the lesson is clear. Frontier AI can improve vulnerability discovery, research and defensive analysis, but it also creates governance, access, trust and accountability challenges. If a model is powerful enough to help defenders find weaknesses faster, it will also help attackers move faster. That does not mean organisations should ignore AI. It means they should avoid panic buying, demand clear controls and treat AI-enabled security claims with scrutiny.

Fable 5 and Mythos show the central problem with the current AI moment. The capability may be real, but the surrounding market is still chaotic. Security companies should not build their messaging around fear of missing out. They should focus on what can be proven, governed and safely deployed.

Key questions to ask AI cybersecurity vendors

Organisations evaluating AI-enabled cybersecurity products should look beyond the label and ask practical questions:

  • What problem does the AI capability solve?
  • Is it improving detection, investigation, prioritisation, reporting, response or user productivity?
  • How is performance measured?
  • What data does the AI system use, and where does that data go?
  • Can decisions or recommendations be explained?
  • What level of human oversight is required?
  • How does the tool handle false positives, false negatives and hallucinated outputs?
  • Does it integrate with existing security workflows?
  • What happens if the AI capability fails, produces an incorrect recommendation or is manipulated by an attacker?

These questions do not reject AI. Serious adoption requires scrutiny. The organisations that benefit most from AI will be those that understand both its strengths and its limits.

 

 

The real opportunity for cybersecurity companies

The cybersecurity industry should not abandon AI, but it should be more disciplined in how it talks about it.

The real opportunity is not to claim that AI changes everything. It is to show where AI can improve specific security functions when combined with human expertise, mature processes and strong governance.

AI can help analysts work through large volumes of telemetry. It can support faster summarisation of incidents. It can assist with threat intelligence analysis. It can help identify suspicious behaviour patterns. It can support security awareness by making phishing simulations and training more adaptive. It can help organisations understand risk across complex environments.

But it must be deployed responsibly.

That means being clear about where AI is used, what it can and cannot do, and how it is controlled. It also means recognising that many security challenges are not technology problems alone. They are problems of visibility, accountability, process maturity, resourcing and decision-making.

AI can enhance those areas. It cannot magically fix them.

What’s beyond the AI bandwagon?

The AI bubble will burst in the sense that the current level of hype cannot last forever. Expectations will normalise. Investment will become more selective. Buyers will become more demanding. Some claims will age badly.

Cybersecurity companies should prepare for that moment now.

The firms that succeed will be those that can prove value beyond the buzzword. They will be able to explain how AI supports better security outcomes, where human expertise remains essential, and how organisations can adopt AI without weakening governance or increasing risk.

The firms that have simply jumped on the bandwagon may find that the market becomes far less forgiving.

AI will remain part of cybersecurity. In some areas, it will become deeply embedded. But the future will not belong to companies that shout the loudest about AI. It will belong to those that use it responsibly, explain it clearly and deliver measurable improvements in resilience.

When the bubble bursts, the strongest security message will not be “we use AI.”

It will be “we help you reduce risk, and we can prove it.”

 

Contact Us

 

FAQs

What is the AI bubble?

The AI bubble is the gap between the huge expectations around artificial intelligence and the measurable value it is delivering for many organisations. It does not mean AI is useless. It means some investment, valuation and marketing claims may be inflated.

Is AI useful in cybersecurity?

Yes. AI can help cybersecurity teams analyse data, detect suspicious behaviour, prioritise alerts, summarise incidents and speed up investigations. It is most useful when it supports human expertise and clear security processes.

Has cybersecurity jumped on the AI bandwagon?

Parts of the cybersecurity industry have jumped on the AI bandwagon by using AI heavily in marketing without always explaining how it improves security outcomes. Buyers should ask for evidence, not just claims.

What is AI-washing?

AI-washing is when a product or service is promoted as AI-led even though the AI element is limited, unclear or not central to the value being delivered. In cybersecurity, this can lead buyers to overestimate protection.

Can AI replace cybersecurity professionals?

No. AI can support cybersecurity professionals, but it cannot replace human judgement, accountability, incident response expertise, risk management or strategic decision-making.

What should CISOs ask before buying AI cybersecurity tools?

CISOs should ask what problem the AI solves, how performance is measured, what data it uses, how outputs are validated, what human oversight is required and how the tool reduces cyber risk.

Why are AI costs a concern?

AI can be expensive to run at scale because it depends on compute power, cloud capacity, specialist chips, data processing and energy. If usage grows without clear business value, costs can rise quickly.

Will the AI bubble bursting end AI in cybersecurity?

No. A market correction would not end AI in cybersecurity. It would likely force vendors to prove value, improve transparency and focus on practical security outcomes.