April 18, 2023 · Cybersecurity

AI in security: defenders are winning, mostly

Bhaskar Paratey
CEO & Founder

Every news piece about AI and cybersecurity is the same article: attackers have AI, defenders have AI, it's an arms race, be afraid. It's lazy, and it misses the most important fact on the board. Defenders hold a structural advantage, and AI makes it bigger, not smaller.

Here's why. Yes, an attacker only has to find one way in while you defend everything — true, but it's the half of the picture people repeat. The other half: you have the full context of the environment. You know your network, your users, what normal looks like at 3am on a Tuesday. The attacker is guessing. AI is genuinely excellent at spotting anomalies inside a context you understand deeply, and genuinely poor at operating in a context it's never seen. That asymmetry runs in the defender's favour.

So where does AI actually earn its place on a security team?

The highest-ROI use, by some distance, is alert triage. Most security operations centres drown in alerts. You don't need to rip out your detection stack — you bolt a second-stage model on top that re-ranks the alerts already firing by how likely each is to be real, and hands a tired analyst a short list instead of a wall. This is what Exabeam, Splunk UBA and Microsoft Sentinel's Fusion are doing. The model quality matters far less than how cleanly it plugs into the queue your analysts already work. Integration is the whole game here.
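
The second-stage re-ranker described above, as an added example (not code from this post or from any of the products it names): it learns from past analyst verdicts how often each rule and asset role turned out to be real, then orders the queue that is already firing. The rule names, asset roles and alert records are constructed, and the naive-Bayes scoring is one simple choice of model, not a claim about how those products work.

```python
import math
from collections import defaultdict

# Constructed history of closed alerts: (detection rule, asset role, analyst verdict).
HISTORY = (
    [("impossible_travel", "workstation", False)] * 40
    + [("impossible_travel", "workstation", True)] * 2
    + [("new_admin_group_member", "domain_controller", True)] * 6
    + [("new_admin_group_member", "domain_controller", False)] * 4
    + [("powershell_encoded", "workstation", False)] * 25
    + [("powershell_encoded", "server", True)] * 5
    + [("powershell_encoded", "server", False)] * 5
)
# Constructed queue of alerts currently firing; the last rule has no history yet.
QUEUE = [
    {"id": "A1", "rule": "impossible_travel", "role": "workstation"},
    {"id": "A2", "rule": "new_admin_group_member", "role": "domain_controller"},
    {"id": "A3", "rule": "powershell_encoded", "role": "server"},
    {"id": "A4", "rule": "powershell_encoded", "role": "workstation"},
    {"id": "A5", "rule": "dns_tunnel_heuristic", "role": "server"},
]

def logit(p):
    return math.log(p / (1 - p))

def fit(history, smoothing=1.0):
    """Learn the base rate of real alerts and a smoothed rate per feature value."""
    base = sum(real for *_, real in history) / len(history)
    counts = defaultdict(lambda: [0, 0])  # feature value -> [real, total]
    for rule, role, real in history:
        for key in (("rule", rule), ("role", role)):
            counts[key][0] += real
            counts[key][1] += 1
    # Shrink toward the base rate so a value seen a handful of times is not trusted blindly.
    rates = {k: (r + smoothing * base) / (n + smoothing) for k, (r, n) in counts.items()}
    return base, rates

def score(alert, model):
    """Naive-Bayes style probability that the alert is real; unseen values add no evidence."""
    base, rates = model
    keys = (("rule", alert["rule"]), ("role", alert["role"]))
    z = logit(base) + sum(logit(rates[k]) - logit(base) for k in keys if k in rates)
    return 1 / (1 + math.exp(-z))

def rerank(queue, model, top=3):
    """Order the existing queue most-likely-real first and cut it to a short list."""
    return sorted(queue, key=lambda a: score(a, model), reverse=True)[:top]

print([a["id"] for a in rerank(QUEUE, fit(HISTORY))])
```

The same rule scores very differently on a server and on a workstation (A3 against A4), and the rule with no history (A5) is ranked on its asset role alone rather than dropped.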

Phishing detection is the second clear win. Modern language models catch the tonal and structural tells of social engineering even when the grammar is clean and the branding is perfect — the cases that used to sail through. Proofpoint, Abnormal and Microsoft Defender all live in this space. Combined with header and link-reputation checks, it moves the needle properly.

Endpoint behavioural analysis — EDR — is real and worth having. CrowdStrike, SentinelOne, Defender. But understand what you're buying: the differentiator between these is operational maturity, your ability to actually run the thing, not the cleverness of the underlying model. A brilliant EDR nobody tunes is worse than a plain one somebody watches.

Log analytics and user-behaviour analytics are now buildable in-house. This is the one I'd push back on the hardest when a vendor quotes you half a million. A competent team with Elastic, or honestly a notebook and scikit-learn, can get a long way on UEBA. Sometimes you genuinely need the product. Often you're paying for a dashboard you could have built.
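
What the notebook version of UEBA can look like, as an added example (not code from this post): each login is scored against that user's own history of login hours and source networks, and users with too little history are reported separately instead of being scored. It uses only the Python standard library in place of scikit-learn; the events, the ASN field, the thresholds and the assumption that timestamps are already in the user's local time are all constructed for illustration.

```python
import math
from collections import Counter, defaultdict
from datetime import datetime

# Constructed training window: (user, ISO timestamp, source ASN). The ASNs are from the
# range reserved for documentation. alice logs in 08:00-10:59; bob has almost no history.
BASELINE = [("alice", f"2023-03-{day:02d}T{hour:02d}:15:00", "AS64500")
            for day in range(1, 11) for hour in (8, 9, 10)]
BASELINE += [("bob", "2023-03-01T09:00:00", "AS64500")]

# Constructed events to score.
NEW_EVENTS = [
    ("alice", "2023-04-18T09:05:00", "AS64500"),   # usual hour, usual network
    ("alice", "2023-04-18T03:12:00", "AS64501"),   # 3am on a Tuesday, new network
    ("bob",   "2023-04-18T03:30:00", "AS64501"),   # odd, but no baseline to judge by
]

def build_baseline(events):
    """Per-user counts of login hour and source ASN."""
    hours, sources = defaultdict(Counter), defaultdict(Counter)
    for user, ts, asn in events:
        hours[user][datetime.fromisoformat(ts).hour] += 1
        sources[user][asn] += 1
    return hours, sources

def surprise(event, baseline, min_history=20):
    """Score in bits against the user's own history; None when history is too thin."""
    hours, sources = baseline
    user, ts, asn = event
    seen_hours, seen_src = hours.get(user, Counter()), sources.get(user, Counter())
    n = sum(seen_hours.values())
    if n < min_history:
        return None
    hour = datetime.fromisoformat(ts).hour
    # Count neighbouring hours too (wrapping at midnight) so 10:59 vs 11:01 is not a cliff.
    near = sum(seen_hours[(hour + d) % 24] for d in (-1, 0, 1))
    p_hour = (near + 1) / (n + 24)               # add-one smoothing over 24 hours
    p_src = (seen_src[asn] + 1) / (n + len(seen_src) + 1)
    return -math.log2(p_hour) - math.log2(p_src)

def flag(events, baseline, threshold=8.0):
    """Return (event, score) pairs over the threshold, plus events that could not be scored."""
    scored = [(e, surprise(e, baseline)) for e in events]
    alerts = [(e, s) for e, s in scored if s is not None and s >= threshold]
    unscored = [e for e, s in scored if s is None]
    return alerts, unscored

print(flag(NEW_EVENTS, build_baseline(BASELINE)))
```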

Code analysis rounds it out — tools that flag likely injection bugs, hard-coded secrets and the usual OWASP mistakes before a human ever looks. GitHub Advanced Security, Semgrep, Snyk. Treat this as a cheap layer in front of human pen-testing, not a replacement for it. It clears the obvious so your expensive humans spend their time on the interesting problems.

Now the things I'd be wary of, because the marketing is loudest exactly where the value is thinnest.

Autonomous response — "our AI contains the breach for you" — makes me nervous every time. Containment that gets it wrong takes down production, locks out real users, triggers cascading failures. If you deploy it, run it in suggest mode for a long time, watch what it would have done, and only loosen the leash once you trust it. Predictive threat intelligence is mostly threat feeds with a thin AI wrapper bolted on; pay for the feeds, not the wrapper. AI-generated detection rules tend to be noisy and create more triage than they save. And real-time deepfake detection is an arms race that moves too fast to win with a product you bought last year.

Be straight about the attackers, because security people rightly hate hand-waving. Yes, they use LLMs for better phishing and business-email compromise at scale. Yes, voice cloning for vishing. Yes, faster malware development. All real. But the fundamentals of defence are unchanged. Good identity management, careful access control, regular patching, and a culture where people feel safe reporting a suspicious email still protect you from nearly all of it. AI makes the tactics scarier. It does not make the defences weaker.

Which is why, if you're a mid-sized org getting serious tomorrow, I would not start with AI. I'd go in this order:

  1. MFA everywhere — phishing-resistant for admins, no exceptions.
  2. Managed EDR you actually operate.
  3. Email security with AI phishing detection.
  4. A SIEM you genuinely run, with AI-assisted triage on top.
  5. Regular training and phishing drills — to train people, not punish them.

Only items three and four are where you deliberately pay for AI. Everything else is discipline. Do those five and you've out-secured most organisations your size, and you'll have earned the right to a sensible conversation about where smarter detection fits next. Start with the AI and skip the basics, and you've bought a very expensive alarm on an unlocked door.

Bhaskar Paratey
CEO & Founder

Bhaskar founded Partech Systems after three decades of building software that had to work the first time — newsroom systems at Reuters, case-management for government departments, and a long run of enterprise projects since. He started the company because he was tired of watching good technology fail for boring, human reasons. He writes here about where AI actually earns its keep, and where it doesn't.