April 18, 2023 · Cybersecurity

AI in cybersecurity: the defenders are doing fine

Dimple Paratey
Chief Marketing Officer

Security people have a gallows sense of humour, and one of their favourite jokes is that every news article about AI in cybersecurity is a variant of the phrase "arms race." Defenders use AI! Attackers use AI! It's an arms race! Be afraid!

The real picture is both more interesting and less alarming. Yes, attackers are using AI. Yes, defenders are using AI. The defenders are, quietly, winning most of these small races — because they have one enormous structural advantage.

The boring advantage the defenders have

Attackers only have to find one way in. Defenders have to cover everything. That's the usual framing, and it's true in a narrow sense.

But here's the thing the framing misses: defenders have the full context of the environment being defended. They know their network. They know their users. They know what normal looks like. The attackers are guessing.

AI is very, very good at spotting anomalies in a context you understand deeply. It is not very good at operating in contexts it's never seen. Put those two things together, and the defender's asymmetric advantage gets larger with AI, not smaller.

What AI actually helps with

Anomaly detection, but the useful kind. Not "this login is 3.2 standard deviations from the user's normal pattern" — that generates a tidal wave of false positives. But "this sequence of API calls resembles the early stages of a known exfiltration campaign" is a different conversation. The state of the art here is genuinely good now.
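To make the contrast concrete, here is an added example (not code from the original post or its author) that runs two detectors over constructed API-call events: a per-user deviation check in the style of "3.2 standard deviations from normal", and a detector that looks for an ordered sequence of stages. The stage pattern, the user names and the baseline counts are all invented for illustration, not a real campaign signature.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events: (timestamp_seconds, user, api_call).
# backup-svc is a legitimate service account doing an unusually large but
# benign copy job; bob makes a normal number of calls, but in a telling order.
EVENTS = (
    [(100, "alice", "ListBuckets"), (130, "alice", "GetObject")]
    + [(200 + 5 * i, "backup-svc", "GetObject") for i in range(60)]
    + [(300, "bob", "ListBuckets"), (330, "bob", "GetObject"),
       (360, "bob", "CreateAccessKey"), (420, "bob", "PutBucketPolicy")]
)

# Constructed per-user baseline: calls per day over the previous five days.
BASELINE = {"alice": [2, 3, 2, 3, 2], "backup-svc": [40, 41, 40, 39, 40],
            "bob": [4, 5, 4, 3, 4]}

# Hypothetical ordered stages (invented for this example): enumerate storage,
# add a credential, then loosen a bucket policy, all inside one time window.
STAGE_PATTERN = ("ListBuckets", "CreateAccessKey", "PutBucketPolicy")
WINDOW_SECONDS = 600


def zscore_outliers(events, baseline=BASELINE, threshold=3.0):
    """Naive detector: users whose call count today sits more than
    `threshold` standard deviations from their own daily baseline."""
    counts = defaultdict(int)
    for _, user, _ in events:
        counts[user] += 1
    flagged = []
    for user, today in counts.items():
        hist = baseline.get(user, [])
        if len(hist) < 2:
            continue  # no usable baseline for this user
        mu, sigma = mean(hist), pstdev(hist)
        if sigma and abs(today - mu) / sigma > threshold:
            flagged.append(user)
    return sorted(flagged)


def stage_sequence_hits(events, pattern=STAGE_PATTERN, window=WINDOW_SECONDS):
    """Sequence detector: users whose calls contain every stage of `pattern`
    in order, with the whole sequence completing within `window` seconds."""
    per_user = defaultdict(list)
    for ts, user, call in sorted(events):
        per_user[user].append((ts, call))
    hits = []
    for user, calls in per_user.items():
        for i, (start, call) in enumerate(calls):
            if call != pattern[0] or user in hits:
                continue
            idx = 1  # next stage we expect to see after the start call
            for ts, later in calls[i + 1:]:
                if ts - start > window:
                    break
                if later == pattern[idx]:
                    idx += 1
                    if idx == len(pattern):
                        hits.append(user)
                        break
    return sorted(hits)
```

On this input the deviation check flags only the noisy but benign service account, while the sequence detector flags only bob, whose volume is entirely normal.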

Triage for the SOC. Most security operations centres drown in alerts. A well-tuned AI system that pre-sorts alerts, correlates related ones, and presents a tired analyst with a short list of "things that deserve attention right now" is the unsung hero of modern security teams.

Phishing detection. Language models have gotten surprisingly good at spotting the tonal and structural tells of social engineering, even when the grammar is perfect. Combined with header analysis and link reputation, this moves the needle.

Code analysis. An AI code review that flags likely injection vulnerabilities, hard-coded secrets, and common OWASP mistakes is now well within reach of a small team. It won't replace a human pen tester. It means the human pen tester spends their time on the interesting problems.

What AI is overrated for

Autonomous response. Every security vendor pitching "AI automatically contains breaches" makes me nervous. Automated containment that gets it wrong can itself be catastrophic — taking down production systems, locking out legitimate users, triggering cascading failures. Humans in the loop, always.

Predicting unknown attacks. An AI trained on yesterday's attacks will catch yesterday's attacks. It won't anticipate tomorrow's novel technique. The hype around "predictive" security is largely marketing.

Replacing the basics. An AI-powered endpoint detection product is no substitute for MFA, good patching, and sensible access control. Spend your budget on the basics first, always.

What attackers are doing with AI

I'll be honest about this, because security people hate it when we wave it away.

Yes, attackers are using LLMs to write more convincing phishing emails. Yes, they're using AI to generate deepfake audio for vishing attacks. Yes, they're using code-generation tools to accelerate malware development.

But — and this matters — the fundamentals of defence haven't changed. If your organisation has good identity management, careful access controls, regular patching, and a culture where people feel safe reporting suspicious emails, you're substantially protected from all of this. AI makes the tactics a bit scarier. It doesn't make the defences less effective.

The small habits that still matter most

If I were a small company and I wanted to get serious about security tomorrow, I would not start with AI. I would:

  1. Enable MFA everywhere. Seriously, everywhere.
  2. Patch weekly. Every week. Even the CEO's laptop.
  3. Run a quarterly phishing drill, not to punish people but to train them.
  4. Pay for a password manager for every employee.
  5. Have a written incident response plan that you've actually rehearsed.

Do those five things and you've just out-secured 80% of organisations your size. Then we can talk about AI-assisted detection.

If you're thinking about where AI fits into your security posture — or wondering whether you need it at all — we're happy to help you think. Honest answers, even when they're "don't bother."


As CMO of Partech Systems, Dimple Paratey drives technological innovation with over 15 years of digital transformation leadership at major telecom providers. Her expertise in transforming enterprise operations has delivered breakthrough solutions for global telecommunications companies. Recognized for her strategic vision in AI adoption, she champions the intersection of innovation and business growth across multiple industries.