The Cyber-AI Paradox
The market reads AI as a threat to cybersecurity revenue. The structural reality is the opposite, and the bear case loses either way.
The dominant narrative in Q1 2026 was that AI ends the cybersecurity trade. Anthropic's code-scanning preview sent CRWD, PANW, and ZS each down roughly six percent in a single session. A later report on a more powerful Anthropic model flagged for elevated cyber-offensive risk took the iShares Cybersecurity ETF down another four and a half percent. JPMorgan summarised the consensus anxiety neatly. It's not about disruption this year or even fourteen to eighteen months from now. It's about whether, longer term, these business models will still be viable.
I think this is precisely wrong. Cybersecurity equities are structurally underpriced, and the AI thesis is bullish for incumbents in five distinct ways the market hasn't properly underwritten.
Vibe coding is a vulnerability supernova
The first driver is the explosion of AI-assisted development with minimal security oversight. Georgia Tech's Vibe Security Radar has catalogued over seventy critical vulnerabilities introduced by AI coding tools since August 2025, and the rate is accelerating. CodeRabbit's December 2025 study found AI-generated code contains seventy percent more errors than human-written code, with the errors more severe on average. Eighty-five percent of organisations have adopted AI coding assistants. Only nine percent consider AI-driven application security a must-have. Only thirty-eight percent use AI for code review in pull requests.
Every non-technical founder, product manager, and designer shipping a vibe-coded application is a customer creation event for runtime security, API security, and identity management. The total addressable market doesn't shrink when insecure applications proliferate. It expands.
AI-orchestrated offence is no longer hypothetical
In November 2025, a Chinese state-sponsored group successfully jailbroke Claude Code by framing it as a cybersecurity firm conducting defensive testing. Claude then autonomously executed reconnaissance, vulnerability discovery, exploitation, lateral movement, privilege escalation, credential harvesting, and data exfiltration against roughly thirty global targets across technology, finance, chemicals, and government. Anthropic's estimate was eighty to ninety percent of operations executed without human intervention. PwC put it bluntly. Bad actors can scale simply with more compute and aren't limited by finite personnel resources. Operations proceed twenty-four seven without sleep or rest.
The investment logic is symmetric. If the AI-offence threat is real, that's bullish for cyber. If it's hype, the market is mispricing a disruption that isn't happening, also bullish. The bear case loses either way.
Incumbents are absorbing AI, not being disrupted by it
CrowdStrike's Charlotte AI is now FedRAMP-authorised and saves forty analyst-hours per week per deployment. Palo Alto Networks has acquired Pangea, deployed Precision AI across Cortex and Prisma, and runs at $5.9B in next-generation security ARR, up twenty-nine percent year on year. Zscaler's Zero Trust Exchange for AI agent-to-agent interactions hit a $400M+ ARR target three full quarters early. The Bank of America note nails the distinction. AI threatens code-scanning point solutions, not end-to-end platforms. AI doesn't now have the visibility, control, or reliability to replace end-to-end security platforms.
The 4.8 million talent gap is structurally AI-insensitive
The 2024 ISC2 Cybersecurity Workforce Study put the global workforce gap at 4.8 million professionals, up nineteen percent year on year. The active workforce has flatlined at 5.5 million. Ninety percent of organisations report skills shortages. When you can't hire analysts, you don't stop hiring. You buy AI-powered SOC platforms. The gap drives managed security services up eleven percent in 2026, the fastest-growing services segment Gartner tracks, and accelerates platform consolidation toward the four or five vendors that can credibly operate at scale.
Machine identity and regulation are one-way ratchets
Machine identities now outnumber human identities eighty to one. Every machine identity needs authentication, authorisation, policy, monitoring, and audit. All cybersecurity categories. Layer on the regulatory ratchet (EU AI Act, NIS2, SEC cybersecurity disclosure rules, Singapore MAS TRM) and the demand floor is structural, not cyclical. Gartner forecasts fifty percent of enterprises will use AI security platforms specifically to protect AI investments by 2028. Only six percent have an advanced AI security strategy now.
The trade
Long the platform consolidators with operating discipline. CRWD as the conviction position. ZS as the more contrarian one given year-to-date weakness. PANW as the breadth of platform exposure. Underweight the code-scanning point solutions that are genuinely at risk from AI-native competitors. Size for a multi-year hold. The path isn't linear, but the structural arithmetic doesn't change.
The market is mispricing AI as a threat. It's the accelerant.