AI in Cybersecurity Is Not What Vendors Are Selling You
AI in Cybersecurity Is Not What Vendors Are Selling You
https://hackernoon.com/ai-in-cybersecurity-is-not-what-vendors-are-selling-you?sourceu003drss
Publish Date: 2026-07-13 18:08:00
Source Domain: hackernoon.com
Using an unordered list, summarize the following article with between 4 and 8 key points. Every major cybersecurity vendor now claims their product is “AI-powered.” The term has become so overused that it has lost almost all meaning. When everything from a firewall to a password manager is described as artificial intelligence, the word stops being informative and starts being noise.
But behind the marketing, there is a real question worth answering: where does AI actually work in cybersecurity, and where is it still failing?
Having worked in cybersecurity across regulated industries — aviation, port operations, healthcare, and manufacturing — I have seen both sides of this problem. I have seen AI-labelled tools that were nothing more than regex under a dashboard. I have also seen machine learning solve problems that no human team could handle at scale. And in my own work, I work with a credential exposure dataset of over 8.2 billion records — large enough that the question of what AI can and cannot do stopped being theoretical a long time ago.
The difference comes down to one idea:
AI is useful in cybersecurity when the problem is scale. It is dangerous when the problem is judgement.
Everything below follows that line.
Where AI Actually Works
These are scale problems — problems where the volume of data exceeds what any human team can process manually, and where pattern recognition provides genuine, measurable value.
1. Dark Web Content Classification
The dark web produces an enormous volume of unstructured content across multiple languages, formats, and platforms — forums, paste sites, Telegram channels, marketplaces, and onion services. Manually triaging this content is not scalable.
NLP works well here because many threat actor communities use recurring language patterns, listing formats, and commercial vocabulary. Ransomware groups announce victims using consistent phrasing. Credential sellers describe their data in formulaic ways. Multilingual NLP models can classify posts by threat type, identify the sector being targeted, assess severity, and flag content for human review.
What does not work is expecting a model to understand context the way an analyst does. A post saying “we have access to a major bank” could be a real initial access broker or someone lying for reputation. NLP can flag it. Only a human can assess it.
2. Credential Exposure Pattern Detection
The dataset I work with aggregates more than 8.2 billion leaked credentials from breach compilations, stealer logs, and paste-site dumps. At that volume, traditional search and filtering breaks down entirely. The interesting patterns are not obvious at that scale — they are statistically invisible to manual review.
Machine learning is useful here for detecting password reuse across breach sources, identifying credential stuffing candidates, clustering stealer log entries by malware family, and scoring exposure risk based on complexity, recency, and sector classification.
Consider what “reuse detection” means at this scale. Finding every account that appears in multiple breach sources with the same or trivially mutated password (Password2023 → Password2024) is a fuzzy-matching problem across billions of rows. No human analyst can do this. A well-designed pipeline surfaces the high-risk clusters in hours — and in critical infrastructure sectors, those clusters are consistently where the real risk lives, because a reused password on an engineer’s personal account can become a path toward OT-adjacent systems.
3. Phishing Behavioural Analytics
Traditional phishing simulation produces binary metrics: someone clicked or they did not. Machine learning can extract significantly more signal — time-to-click patterns that distinguish habitual behaviour from curiosity, clustering analysis that predicts future susceptibility, and channel-specific vulnerability profiles across email, SMS, and voice campaigns.
One pattern worth highlighting from running simulation campaigns across thousands of users: the users who click within the first sixty seconds of receiving a message behave differently from those who click after ten minutes. The first group acts on reflex; the second deliberates and is convinced. These two groups need entirely different training interventions — and binary click metrics cannot tell them apart.
The value is moving from “who failed” to “what patterns predict failure” — a fundamentally more useful question for security awareness programmes.
4. Stealer Log Parsing and Enrichment
Modern information stealer malware — Redline, Raccoon, Vidar, Lumma, and their variants — generates structured but inconsistent output. Each family has its own log format and extraction pattern, and those formats change between versions without notice.
Machine learning models trained on stealer log structures can classify logs by malware family, extract credentials and system information from unstructured dumps, identify high-value targets for analyst review, and detect log poisoning — deliberately planted fake data designed to mislead threat intelligence consumers.
The alternative — manual parsing of thousands of log files per day — simply does not scale. A single stealer campaign can produce tens of thousands of log archives in a week. If your parsing is manual, you are not doing threat intelligence; you are doing archaeology.
Where AI Is Still Failing
These are judgement problems — problems where the cost of being wrong outweighs the benefit of being fast, and where contextual understanding matters more than pattern recognition.
1. Automated Incident Response
The promise of AI-driven incident response — “the system detects, contains, and remediates threats autonomously” — remains largely unfulfilled. Not because the technology is incapable of taking automated actions, but because the cost of being wrong is too high.
In critical infrastructure environments, an automated system that isolates a workstation based on a false positive can halt a production line, disrupt port operations, or affect patient monitoring. In one port operations environment I worked in, the systems in question schedule vessel berthing and crane operations. An automated quarantine action against the wrong host does not cost you a helpdesk ticket — it costs you a berth window, and berth windows are measured in tens of thousands of dollars per hour. The blast radius of an incorrect automated response in OT environments is fundamentally different from IT.
What works is AI-assisted triage — models that prioritise alerts, correlate events, and present analysts with ranked recommendations. What does not work is removing the human from the decision loop in environments where the consequences of error are measured in physical safety rather than data loss.
AI-assisted is the correct operational model for security operations. AI-autonomous is not. The goal should be decision support, not unsupervised control.
2. Zero-Day Detection
The idea that machine learning can detect previously unknown exploits by recognising “anomalous” behaviour is theoretically sound and practically unreliable.
The core problem is base rates, and the arithmetic is unforgiving. Take a production environment generating 10 million security events per day — a mid-sized enterprise SOC. Suppose you deploy an anomaly detection model with a 0.1% false positive rate, which is already an extremely generous assumption in real-world security operations. At that event volume, this still produces 10,000 false positives per day. Meanwhile, the number of genuinely novel attacks in that event stream on any given day is close to zero — perhaps a handful per year.
So the analyst’s real question — “given that this alert fired, what is the probability it is a real attack?” — has an answer measured in fractions of a percent. This is the base rate fallacy applied to security operations, and no amount of model tuning escapes it, because the imbalance is in the data, not the algorithm.
Security teams drowning in false alerts are not more secure — they are less secure, because they develop alert fatigue and begin ignoring signals that matter. I have yet to see a model that can reliably detect truly novel attacks in production while keeping false positives low enough for security teams to trust it. Until the base rate problem is solved — and it may be mathematically unsolvable at current false positive rates — “AI zero-day detection” belongs in the marketing category, not the engineering one.
3. The “AI-Powered” Marketing Problem
A significant portion of products marketed as AI-powered cybersecurity are, under the surface, using regular expressions, signature matching, and conditional logic. There is nothing wrong with these techniques — they are effective for many use cases. I have built detection systems on exactly these foundations, and they worked. But labelling them as artificial intelligence creates a false expectation gap.
When a vendor says their product uses “AI to detect threats,” the relevant question is not whether it works — it is whether the AI component is doing something that a well-engineered rule set could not do equally well. In my experience evaluating security products for regulated environments, the honest answer is usually no.
The genuine value of machine learning lies in NLP, behavioural analytics, and large-scale pattern recognition — the scale problems described above. Too often, the rest is deterministic logic wearing a neural network costume.
What Defenders Should Actually Do
Stop buying AI. Start buying outcomes.
The question is never “does this product use AI?” The question is “does this product solve a problem I have, and can I verify that it works?” Demand detection rates, false positive rates, and performance on your data — not marketing materials about neural networks. Run the proof-of-concept on your own traffic, not the vendor’s curated demo dataset.
Invest in data quality before model complexity.
Every machine learning system is only as good as the data it is trained on. If your threat intelligence feeds are noisy, your log pipeline drops events, or your asset inventory is incomplete, no model will save you. Clean data with good engineering is worth more than the most sophisticated algorithm running on garbage.
Use AI for scale problems, not judgement problems.
AI excels at processing volume that humans cannot handle — classifying millions of dark web posts, scanning billions of credentials for reuse patterns, and parsing thousands of stealer logs per day. These are scale problems.
Incident response in critical infrastructure, threat attribution, and risk prioritisation relative to business context are judgement problems. They remain human problems.
Do not remove humans from the loop in critical environments.
Build systems where AI surfaces, prioritises, and recommends. Keep humans in the decision loop for actions that have irreversible or high-impact consequences — particularly in OT, healthcare, and critical infrastructure.
Measure what matters.
If your AI-powered security tool cannot tell you its false positive rate in your environment, it is not a security tool — it is a liability. Demand measurable outcomes: mean time to detection, false positive rate, coverage percentage, and analyst time saved. If the vendor cannot provide these numbers, the AI is not the product. You are.
Barış Keçeci is a cybersecurity practitioner with over 16 years of experience in threat intelligence, credential exposure monitoring, critical infrastructure protection, and security engineering across aviation, port operations, healthcare, and manufacturing environments. He has been ranked among HackerNoon’s Top 10 Cybersecurity Writers.