AI Is Rewriting Cybersecurity — And the Market Is Misreading It
The competitive layer is moving up the stack and the category is only getting stronger.
TL;DR
AI has crossed a threshold in cybersecurity that warrants a genuine reassessment — not of whether it matters, but of what to actually do about it. Recent frontier model evaluations confirmed autonomous discovery and exploitation of vulnerabilities at expert level, chaining multi-step attacks across major operating systems and browsers, including flaws that survived decades of review. Three structural shifts follow: the offense-defense balance has changed; the layer at which cyber vendors compete is moving; and the convergence of digital and physical worlds is opening a frontier that barely registers yet. And despite what recent market moves might suggest, the case for cybersecurity as a category has never been stronger.
Myth(os) is real
AI’s impact on cybersecurity is undeniable and only accelerating. The premise is universally accepted. What’s still being worked out is what it means in practice — we’re in a moment of more doubts than certainties, but some shifts are clear enough to act on.
Models have set the bar high for what’s expected from cyber products. We’re in an outcomes-based industry where foundational models are widely available, and that’s changing what “good” looks like across the board. The most striking recent signal: frontier models autonomously discovering thousands of zero-day vulnerabilities across every major operating system and browser — chaining exploits with a level of reasoning that matches the most skilled human practitioners. These assessments ran in controlled environments without active defenders or detection tools, so real-world performance in hardened networks is a different question. But the trajectory is not. Work that once took specialist teams weeks can now be done in hours.
Offense is now table stakes
Reactive and defensive approaches are no longer enough. Offensive tools and processes are a must-have. Companies need to think like attackers and simulate attacks the way attackers will carry them out — AI has sharpened this asymmetry considerably. Vulnerability discovery and exploitation can now be scaled to levels and speeds no human team can match, and the democratization of that capability means the gap between a nation-state actor and a well-resourced criminal group is narrowing fast.
Firms can now reproduce multi-step attack chains and emulate the real complexity of their own environments. Offensive security tools have existed for a long time, but never with this level of autonomous reasoning. The vendors in continuous security validation, attack surface management, and automated penetration testing are facing a reset in baseline expectations — what was differentiated two years ago is quickly becoming the floor.
That reset is an opportunity — newer vendors building natively on current model capabilities, without legacy architecture to defend, are better placed to capture a category that enterprises now treat as a must-have.
The moat is moving up the stack
After cloud abstracted infrastructure, AI is now abstracting software. The logic once embedded in products’ IP — rules engines, deterministic pipelines, traditional ML classifiers — is being challenged by what frontier models can do out of the box. Cyber vendors will increasingly rely on shared foundational models, and differentiation will be built above the model layer, not inside it. Token spend will fragment across providers as teams select different models for different tasks. That’s the new infrastructure reality, and it favors those who move early.
The real moat is in two places:
• Bespoke scaffolding: proven to outperform generic models on domain-specific tasks. This means investment in data pipelines, tool selection, memory and compute efficiency, system prompt engineering, and deep ecosystem integrations — the connective tissue that turns a general model into a product security teams actually trust.
• Infrastructure for enterprise adoption: rigorous evals and reliability testing, model explainability (especially difficult in complex agentic workflows), fine-grained access controls, data loss prevention, monitoring, and guardrails. These requirements won’t soften as AI agents take on more autonomy — they’ll harden.
The physical world is an open frontier
Digital and physical worlds are converging, and the cyber implications are only beginning to be understood. The AI stack powering autonomous systems, industrial control environments, and connected critical infrastructure is far more nascent than the software security world most vendors operate in. These systems were built for uptime, not security — and they are being networked at a pace that far outstrips the defensive work being done around them.
Given the current geopolitical environment, this deserves more attention than it receives. A breach here is not a data or downtime problem — it’s a physical one. The frameworks are early, the attack surface is growing, and the opportunity for cyber and infrastructure software in this space is significant. It warrants its own dedicated treatment, but the signal is clear enough to flag now.
The market is selling the category. That’s the mistake.
Public markets have repriced a number of cybersecurity companies over the past year. Some of that is correct. Legacy vendors that built products on assumptions that no longer hold — heavy rules-based detection, siloed point solutions, models trained on yesterday’s threat landscape — face real disruption. The market is right to reassess those.
But selling the category is a different call, and that’s where the disagreement sits. The overall cybersecurity market is not contracting — it’s accelerating. The attack surface is expanding with every AI agent, connected device, and cloud workload deployed. Regulatory pressure is increasing across every major jurisdiction. And the threat environment, as recent model evaluations made clear, just got materially worse. Security budgets will grow; the allocation across vendors will shift, but the total will be larger.
Some of today’s public cyber companies will consolidate and emerge bigger. New ones will be built on the new stack. The disruption is real, but it runs through the market, not against it. Reading the stock price as a verdict on the category misses that distinction entirely.
33N Portfolio Updates 🚀
Exein
Opened Asia-Pacific HQ in Taipei
Selected as Scaling Europe Top 50 by J.P. Morgan and Nebius
StrikeReady
Announced OJ Cherry as CRO, formerly an executive at Sophos
Upcoming Events for 33N 🤝
SIM Conference, Porto, 14-15 May
33N Connect Day and Cyber&AI Summit, Porto, 21-22 May
InfoSecurity Europe, London, 2-4 Jun
South Summit, Madrid, 3-5 Jun
London Tech Week, London, 8-12 Jun
Super Return Venture, Berlin, 8-12 Jun


