Industry View · Cybersecurity
Cybersecurity is the rare industry where AI is simultaneously the best product to sell and the most dangerous weapon pointed back at you. Global information-security spending hits $213bn in 2025 and is forecast at $244bn in 2026, but the AI-amplified slice is the real story: a $49bn market in 2025 that Gartner sees reaching $160bn by 2029.
IBM: $1.9M saved per breach and 80-day shorter lifecycle for heavy AI users
AI ingests and correlates global telemetry to surface novel attack patterns faster than analyst-curated feeds.
Models flag anomalous identity and endpoint behavior, the dominant attack surface as deepfake-enabled phishing scales.
Autonomous agents triage and investigate alerts, the single highest-value displacement of human analyst labor.
Agents move from recommending to executing remediation across cloud, identity and firewall control points.
Protecting models, agents and data from prompt injection and shadow AI; spend lags AI-tool spend ~17x.
01 · The thesis
The defensive case writes itself. The SOC is a triage bottleneck of alerts no human team can clear, and that is exactly the work agentic AI is built for. CrowdStrike's Charlotte AI, SentinelOne's Purple AI 'Athena', Palo Alto's Cortex Agentix and Microsoft's Security Copilot all promise the same thing: investigations and remediation in seconds rather than hours. IBM measured the payoff — extensive AI and automation users save $1.9 million per breach and cut the breach lifecycle by 80 days. The offensive case is no longer hypothetical. In November 2025 Anthropic disclosed GTG-1002, a Chinese state-sponsored campaign in which Claude executed 80-90% of tactical operations autonomously against roughly 30 targets, with human operators engaged for as little as 20 minutes at key junctures. The same agentic capability that empties the alert queue can also discover vulnerabilities, move laterally and exfiltrate data. The industry's growth thesis and its existential threat are now the same technology.
AI ingests and correlates global telemetry to surface novel attack patterns faster than analyst-curated feeds.
Models flag anomalous identity and endpoint behavior, the dominant attack surface as deepfake-enabled phishing scales.
Autonomous agents triage and investigate alerts, the single highest-value displacement of human analyst labor.
Agents move from recommending to executing remediation across cloud, identity and firewall control points.
Protecting models, agents and data from prompt injection and shadow AI; spend lags AI-tool spend ~17x.
02 · The two clocks
The attacker clock is the fastest. Anthropic's GTG-1002 disclosure showed an AI agent running 80-90% of tactical operations across roughly 30 targets, with human intervention at key phases capped at about 20 minutes of work. The cost of a competent operator just collapsed. The governance clock is dangerously behind. IBM found 97% of organizations that suffered an AI-related breach lacked proper AI access controls, and 63% had no AI governance policy at all (or were still building one); shadow AI added $670,000 to the average breach. The spending clock is racing to catch up. Gartner projects over 75% of enterprises will use AI-amplified cybersecurity products by 2028, up from under 25% in 2025 — but notes enterprises still spend roughly 17x more on AI tools than on securing the AI itself.
03 · Public players & exposure
We plot the listed players on two editorial axes — how exposed each is to AI disruption, against how ready its data, brand and position are to be the answer. The figures in the table are sourced; the placement is our read.
04 · Private flagships
The companies attacking this industry AI-first, with disclosed funding where available:
Charlotte AI Detection Triage reached general availability, with Agentic Response and Workflows positioning Falcon as the reasoning layer for security operations.
Nikesh Arora's Precision AI strategy embeds AI at control points, backed by the ~$25bn CyberArk identity acquisition and Cortex XSIAM crossing $500M ARR.
Google closed its $32bn all-cash purchase of Wiz in March 2026, the largest cybersecurity deal ever, anchoring AI-era cloud and code security.
Pure-play AI and data security platform addressing the governance gap enterprises are racing to close as shadow AI spreads.
Its disruption and disclosure of GTG-1002 set the reference case for AI-orchestrated attacks and reshaped enterprise threat models overnight.
AI-native defense against the deepfake- and LLM-enabled phishing surge, a leading candidate in the 2026 cybersecurity IPO pipeline.
05 · Signals
06 · The exposure read
AI rewards clean, structured advantage and punishes friction. The line runs through who owns the data, the brand and the customer — and who is merely a step the technology can route around.
Sources
The AI-amplified security market, scaling fast
Gartner 4Q25 forecast for the AI-amplified security segment and total infosec spend; figures in USD billions. ($B)
First AI-orchestrated espionage campaign disclosed
Anthropic reveals GTG-1002, with Claude running 80-90% of operations against ~30 targets — the threat model's inflection point.
Cyber's largest exit ever
Google buys Wiz for $32bn (closed March 2026); Palo Alto acquires CyberArk for ~$25bn (closed Feb 2026), signaling AI-era consolidation.
IBM quantifies the AI breach gap
97% of AI-related breaches involved missing AI access controls; shadow AI added $670K per breach, but AI users saved $1.9M.
Agentic SOC goes GA
Charlotte AI, Purple AI 'Athena' and Cortex Agentix ship autonomous triage and remediation, moving from copilot to operator.
Spend forecast jumps to $244bn
Gartner lifts 2026 infosec spend to $244bn (+13%), with AI on both attack and defense the key growth driver.
Charlotte AI Detection Triage reached general availability, with Agentic Response and Workflows positioning Falcon as the reasoning layer for security operations.
Nikesh Arora's Precision AI strategy embeds AI at control points, backed by the ~$25bn CyberArk identity acquisition and Cortex XSIAM crossing $500M ARR.
Google closed its $32bn all-cash purchase of Wiz in March 2026, the largest cybersecurity deal ever, anchoring AI-era cloud and code security.
Pure-play AI and data security platform addressing the governance gap enterprises are racing to close as shadow AI spreads.
Its disruption and disclosure of GTG-1002 set the reference case for AI-orchestrated attacks and reshaped enterprise threat models overnight.
AI-native defense against the deepfake- and LLM-enabled phishing surge, a leading candidate in the 2026 cybersecurity IPO pipeline.
| Company | Stance | The sourced fact |
|---|---|---|
| CrowdStrike CRWD | AI-native leader | Ending ARR grew 23% YoY to $4.24bn in FY2025; Charlotte AI is the reasoning engine triaging alerts across Falcon. |
| Palo Alto Networks PANW | Platform consolidator | Cortex XSIAM surpassed $500M ARR; acquired CyberArk (~$25bn) and Chronosphere ($3.35bn) to build an AI-era platform. |
| Microsoft MSFT | Scale incumbent | Security is a roughly $20bn/yr business; Security Copilot and agentic Sentinel push AI across Defender, Entra and Purview. |
| SentinelOne S | Autonomous challenger | FY2025 revenue up 32% to ~$822M; Purple AI hit a >50% attach rate on Q4 licenses, on track to cross $1bn ARR. |
| Zscaler ZS | Zero-trust scaler | ARR surpassed $3.2bn (up ~26% YoY) by Q1 FY2026, with AI-Security solutions ARR surpassing $400M. |
| Google / Wiz GOOGL | Cloud-security bet | Closed the $32bn acquisition of Wiz in March 2026, the largest pure cybersecurity deal on record; Wiz crossed $1bn ARR in 2025. |
| Cyera CYERA | AI-data-security pure play | Raised a $400M Series F in Jan 2026 at a $9bn valuation, securing data and AI usage inside enterprises. |
| Abnormal Security ABNRM | AI-email defense | AI-native email and social-engineering defense, positioned among the strongest 2026 cybersecurity IPO candidates. |
| Legacy signature AV LEGACY | Signature-bound | AI-generated deepfakes appeared in a large share of 2025 phishing campaigns, eroding signature-based and rules-only defenses. |
| Tier-2 MSSPs MSSP | Labor-arbitrage SOCs | Agentic SOC triage compresses the analyst-hours model; Gartner expects >75% of enterprises on AI-amplified security by 2028. |