In April, Anthropic previewed Claude Mythos, an AI model capable enough at finding and exploiting software flaws that the company held it back from open release. Instead of shipping it, Anthropic stood up a defensive coalition, Project Glasswing, giving a small group of organizations early access to harden critical software before those capabilities could spread. The major cloud providers and a handful of security vendors were on the list. What rattled people was the specificity. This wasn't a chatbot writing sloppy malware, but a frontier model good enough at hunting and exploiting real software flaws that its own maker decided the safe move was to lock it down. The market's first read was that AI had just handed attackers a loaded weapon, and security stocks wobbled. I think that read is backwards.
A cheaper, faster attack tool expands the security market. Every major breach of the last decade pushed budgets higher, and a weapon that compresses an attack from months to minutes only makes fast, automated defense more valuable. When a board asks whether the company is protected against AI-driven attacks, nobody answers by cutting security. The scary headline is really a demand catalyst wearing a threat costume.
The catch is that the uplift spreads unevenly. Companies that own a real control point, a place in the flow where the data and the decisions live, capture that spend. The ones selling a narrow feature a big cloud platform can absorb get squeezed instead. The harder question is which layer of the stack captures the next dollar.
The math that makes AI good for cyber
It's worth being concrete about why a scarier threat helps the people selling defense. Start with the workload. A human analyst can work through a few dozen security alerts in a day. A machine-speed attack throws off thousands of signals an hour, probing for a way in faster than any team can read the logs. No amount of hiring closes a gap that wide. The only thing that does is software that defends at the same speed it's attacked, which is exactly what the new wave of AI-era security tools is built to do.
There's an economics angle underneath this. For most of internet history, finding a fresh software flaw took real skill and time, which kept the pool of capable attackers small. Cheap, capable AI lowers that bar, so more attackers can do more damage for less effort. When the cost of attacking falls, the value of defending rises to meet it.
Then there's the surface area. Every new app, device, and login is another door an attacker can try, and AI is adding doors faster than anything before it. The biggest source is identity. Inside large enterprises, the "users" that need securing are mostly not people anymore. Machine identities, the automated accounts that software and services use to talk to each other, already outnumber human staff by an order of magnitude, by some estimates more than eighty to one. Turn loose fleets of AI agents that log in, move data, and act on their own, and that ratio only climbs. Each agent is one more identity to verify and govern, which turns security from a human-sized problem into a machine-sized one.
A floor is forming under all of it, too. Regulators are starting to treat AI-driven cyber risk as a financial-stability problem, not just an IT headache. Watchdogs in the U.S. and U.K. have begun pressing banks and infrastructure operators to meet AI-speed threats with AI-speed defense. Rules like that quietly raise the baseline of security spending across the system, the kind of pressure that compounds over years.
A map you can use: identity, endpoint, network and cloud, detection and response
Cyber isn't one market, it's a stack, and it helps to read it as four jobs. Identity is the question of who is allowed in, the logins and permissions that decide whether a user, or increasingly an AI agent, is who they claim to be. Endpoint is the devices people actually use, the laptops, phones, and servers where an attacker's foothold usually lands. Network and cloud is the traffic itself and the apps it flows to, the layer that filters out the bad and lets the good through. And detection and response is the security operations center, the people and software that catch a breach in progress and contain it, ideally at machine speed.
A real attack usually touches several of these at once. A stolen login gets an attacker in, they drop malware on a laptop, that laptop reaches across the network to other systems, and whether anyone catches it in time comes down to detection and response. The value flows to control points, the spots a vendor can own so completely that an attacker, or a competitor, has a hard time going around them. A company sitting on one sees more of the attack surface, shapes more of the response, and is harder to rip out. Keep that idea in mind, because it's what separates the winners from the names AI could squeeze.
The tell: AI is becoming a product line
The through-line shows up plainly in the latest earnings. The winners are all making the same move, turning AI from a threat into a product and repositioning as the security layer for AI itself. CrowdStrike ($CRWD) was named to Anthropic's defensive coalition and its CEO described the company as "AI security infrastructure." Palo Alto Networks ($PANW) has an AI-security product that went from nothing to a few hundred customers in under a year, among the fastest ramps it has seen. Cloudflare ($NET) calls AI the biggest tailwind in its history. Even Fortinet, further down the list, is seeing the same pull in its AI-driven security-operations business. The scary headline is becoming a new revenue line.
These new products do two jobs. Some put an AI copilot next to the human analyst, triaging those thousands of alerts an hour and handling the routine ones on their own. Others secure the AI itself, watching the models and agents a company deploys for prompt attacks, data leaks, and misuse. Both are budget lines that didn't exist two years ago, and both exist because the threat got scarier, not in spite of it.
For all of them, these AI-security lines are still a small slice of total revenue today, but they're growing much faster than the core. AI is building on growth that was already there instead of replacing it, which makes it a durable tailwind to track, not a reason to chase.
What this means inside your own company
You can see this play out where you work. Every AI tool that creeps into a company's stack, the writing assistants, the coding copilots, the agents wired into email and documents, is another place sensitive data can leak and another login an attacker can hijack. That's not a reason for companies to slow down on AI. It's a reason they keep spending more on security as they adopt it, because the alternative is handing those tools the keys with nobody watching.
There's a gap worth noting, too. Large organizations can afford to build and secure their own AI systems, while smaller ones increasingly lean on the big platforms and the leading security vendors to do it for them. The U.S. Treasury has flagged exactly this divide in financial services. It points the same direction as the rest of this piece: scale and a real control point matter, and the companies that own one tend to gather more of the spend over time.
The honest risk
The same AI that lifts demand could, over time, let the big cloud platforms fold basic security into their bundles for next to nothing. Capabilities like anomaly detection and automated cleanup are already becoming default features in the security tooling native to Azure, AWS, and Google, and each new default chips away at the standalone tools that look replaceable. The same agentic workflows that create demand could also learn to route around single-function products. That's the slow squeeze to watch, and it's the other reason control points matter so much: the winners need to sit somewhere AI feeds rather than bypasses. The thing that would prove the bear case right is concrete enough to watch for. If the cloud platforms' built-in tools start turning up where customers used to pay a specialist, the squeeze is real. So far the specialists with a genuine control point are still gaining ground, and that's the first thing I'd want to see crack.
It also helps to keep the timing straight, because this theme runs on more than one clock. The clock on AI making attacks cheaper and faster is already ticking. The clock on securing AI agents and their identities is more of a one-to-three-year build-out. And the clock on physical AI, the robots, vehicles, and devices that will start acting in the real world as brand-new endpoints, is a decade-long story. The companies worth owning are the ones building for all three at once.
There's also one name in the stack I think AI could genuinely disrupt rather than help, where the whole business rests on a single chokepoint that AI workflows might route around. I'll name it, and walk through the names I hold and the full basket, this Sunday.
For beginners: the ETF route
If picking individual names feels like a lot, there are cybersecurity ETFs that hold the whole group, with tickers like $CIBR, $BUG, and $HACK. Two things to understand first. These funds blend the AI winners together with plenty of legacy security names that face exactly the commoditization risk above, so you get the theme diluted. And weightings differ a lot fund to fund, so two "cyber ETFs" can hold quite different mixes. Neither is good or bad on its own, it's a tradeoff between owning the whole theme loosely and owning a few parts of it deliberately. As always, look under the hood at a fund's actual holdings and weights before deciding.
This Sunday
Sunday is where I name them. I'll walk through the three companies I hold across these layers and why each one owns its spot in the flow, the single name I'd avoid because AI could route around it, and the rest of the basket, from identity through detection and response.
Before you go, something bigger than a weekly email.
My first book, Make Your Own Alpha, is on its way. It's the full version of the approach behind these issues: how to build your own portfolio deliberately enough to make work optional, without a finance background or a windfall to start. I'll share a launch date once it's set.
If you want first word on that date, plus the special launch pricing, get on the launch list by clicking “Yes, I’m in!” below.
Make Your Own Alpha is launching soon. Do you want to be notified?
Stay disciplined - Koh
Disclaimer: Nothing in this newsletter constitutes investment advice or a recommendation to buy or sell any security. Numbers and observations are as of publication. I may hold positions in companies discussed above. Always do your own research and consult a licensed financial advisor before making investment decisions.
