{"id":242902,"date":"2026-07-13T18:08:00","date_gmt":"2026-07-13T22:08:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/07\/13\/ai-in-cybersecurity-is-not-what-vendors-are-selling-you\/"},"modified":"2026-07-13T18:15:07","modified_gmt":"2026-07-13T22:15:07","slug":"ai-in-cybersecurity-is-not-what-vendors-are-selling-you","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/07\/13\/ai-in-cybersecurity-is-not-what-vendors-are-selling-you\/","title":{"rendered":"AI in Cybersecurity Is Not What Vendors Are Selling You"},"content":{"rendered":"<p><a href=\"https:\/\/hackernoon.com\/ai-in-cybersecurity-is-not-what-vendors-are-selling-you?sourceu003drss\">AI in Cybersecurity Is Not What Vendors Are Selling You<\/a><\/p>\n<p><a href=\"https:\/\/hackernoon.com\/ai-in-cybersecurity-is-not-what-vendors-are-selling-you?sourceu003drss\">https:\/\/hackernoon.com\/ai-in-cybersecurity-is-not-what-vendors-are-selling-you?sourceu003drss<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-07-13 18:08:00<\/a><\/p>\n<p>Source Domain: <a href=\"hackernoon.com\">hackernoon.com<\/a><\/p>\n<p>Author: <a href=\"\"><\/a><\/p>\n<p> Using an unordered list, summarize the following article with between 4 and 8 key points. Every major cybersecurity vendor now claims their product is \u201cAI-powered.\u201d The term has become so overused that it has lost almost all meaning. When everything from a firewall to a password manager is described as artificial intelligence, the word stops being informative and starts being noise.<br \/>\nBut behind the marketing, there is a real question worth answering: where does AI actually work in cybersecurity, and where is it still failing?<br \/>\nHaving worked in cybersecurity across regulated industries \u2014 aviation, port operations, healthcare, and manufacturing \u2014 I have seen both sides of this problem. I have seen AI-labelled tools that were nothing more than regex under a dashboard. I have also seen machine learning solve problems that no human team could handle at scale. And in my own work, I work with a credential exposure dataset of over 8.2 billion records \u2014 large enough that the question of what AI can and cannot do stopped being theoretical a long time ago.<br \/>\nThe difference comes down to one idea:<br \/>\nAI is useful in cybersecurity when the problem is scale. It is dangerous when the problem is judgement.<br \/>\nEverything below follows that line.<br \/>\nWhere AI Actually Works<br \/>\nThese are scale problems \u2014 problems where the volume of data exceeds what any human team can process manually, and where pattern recognition provides genuine, measurable value.<br \/>\n1. Dark Web Content Classification<br \/>\nThe dark web produces an enormous volume of unstructured content across multiple languages, formats, and platforms \u2014 forums, paste sites, Telegram channels, marketplaces, and onion services. Manually triaging this content is not scalable.<br \/>\nNLP works well here because many threat actor communities use recurring language patterns, listing formats, and commercial vocabulary. Ransomware groups announce victims using consistent phrasing. Credential sellers describe their data in formulaic ways. Multilingual NLP models can classify posts by threat type, identify the sector being targeted, assess severity, and flag content for human review.<br \/>\nWhat does not work is expecting a model to understand context the way an analyst does. A post saying \u201cwe have access to a major bank\u201d could be a real initial access broker or someone lying for reputation. NLP can flag it. Only a human can assess it.<br \/>\n2. Credential Exposure Pattern Detection<br \/>\nThe dataset I work with aggregates more than 8.2 billion leaked credentials from breach compilations, stealer logs, and paste-site dumps. At that volume, traditional search and filtering breaks down entirely. The interesting patterns are not obvious at that scale \u2014 they are statistically invisible to manual review.<br \/>\nMachine learning is useful here for detecting password reuse across breach sources, identifying credential stuffing candidates, clustering stealer log entries by malware family, and scoring exposure risk based on complexity, recency, and sector classification.<br \/>\nConsider what \u201creuse detection\u201d means at this scale. Finding every account that appears in multiple breach sources with the same or trivially mutated password (Password2023 \u2192 Password2024) is a fuzzy-matching problem across billions of rows. No human analyst can do this. A well-designed pipeline surfaces the high-risk clusters in hours \u2014 and in critical infrastructure sectors, those clusters are consistently where the real risk lives, because a reused password on an engineer\u2019s personal account can become a path toward OT-adjacent systems.<br \/>\n3. Phishing Behavioural Analytics<br \/>\nTraditional phishing simulation produces binary metrics: someone clicked or they did not. Machine learning can extract significantly more signal \u2014 time-to-click patterns that distinguish habitual behaviour from curiosity, clustering analysis that predicts future susceptibility, and channel-specific vulnerability profiles across email, SMS, and voice campaigns.<br \/>\nOne pattern worth highlighting from running simulation campaigns across thousands of users: the users who click within the first sixty seconds of receiving a message behave differently from those who click after ten minutes. The first group acts on reflex; the second deliberates and is convinced. These two groups need entirely different training interventions \u2014 and binary click metrics cannot tell them apart.<br \/>\nThe value is moving from \u201cwho failed\u201d to \u201cwhat patterns predict failure\u201d \u2014 a fundamentally more useful question for security awareness programmes.<br \/>\n4. Stealer Log Parsing and Enrichment<br \/>\nModern information stealer malware \u2014 Redline, Raccoon, Vidar, Lumma, and their variants \u2014 generates structured but inconsistent output. Each family has its own log format and extraction pattern, and those formats change between versions without notice.<br \/>\nMachine learning models trained on stealer log structures can classify logs by malware family, extract credentials and system information from unstructured dumps, identify high-value targets for analyst review, and detect log poisoning \u2014 deliberately planted fake data designed to mislead threat intelligence consumers.<br \/>\nThe alternative \u2014 manual parsing of thousands of log files per day \u2014 simply does not scale. A single stealer campaign can produce tens of thousands of log archives in a week. If your parsing is manual, you are not doing threat intelligence; you are doing archaeology.<br \/>\nWhere AI Is Still Failing<br \/>\nThese are judgement problems \u2014 problems where the cost of being wrong outweighs the benefit of being fast, and where contextual understanding matters more than pattern recognition.<br \/>\n1. Automated Incident Response<br \/>\nThe promise of AI-driven incident response \u2014 \u201cthe system detects, contains, and remediates threats autonomously\u201d \u2014 remains largely unfulfilled. Not because the technology is incapable of taking automated actions, but because the cost of being wrong is too high.<br \/>\nIn critical infrastructure environments, an automated system that isolates a workstation based on a false positive can halt a production line, disrupt port operations, or affect patient monitoring. In one port operations environment I worked in, the systems in question schedule vessel berthing and crane operations. An automated quarantine action against the wrong host does not cost you a helpdesk ticket \u2014 it costs you a berth window, and berth windows are measured in tens of thousands of dollars per hour. The blast radius of an incorrect automated response in OT environments is fundamentally different from IT.<br \/>\nWhat works is AI-assisted triage \u2014 models that prioritise alerts, correlate events, and present analysts with ranked recommendations. What does not work is removing the human from the decision loop in environments where the consequences of error are measured in physical safety rather than data loss.<br \/>\nAI-assisted is the correct operational model for security operations. AI-autonomous is not. The goal should be decision support, not unsupervised control.<br \/>\n2. Zero-Day Detection<br \/>\nThe idea that machine learning can detect previously unknown exploits by recognising \u201canomalous\u201d behaviour is theoretically sound and practically unreliable.<br \/>\nThe core problem is base rates, and the arithmetic is unforgiving. Take a production environment generating 10 million security events per day \u2014 a mid-sized enterprise SOC. Suppose you deploy an anomaly detection model with a 0.1% false positive rate, which is already an extremely generous assumption in real-world security operations. At that event volume, this still produces 10,000 false positives per day. Meanwhile, the number of genuinely novel attacks in that event stream on any given day is close to zero \u2014 perhaps a handful per year.<br \/>\nSo the analyst\u2019s real question \u2014 \u201cgiven that this alert fired, what is the probability it is a real attack?\u201d \u2014 has an answer measured in fractions of a percent. This is the base rate fallacy applied to security operations, and no amount of model tuning escapes it, because the imbalance is in the data, not the algorithm.<br \/>\nSecurity teams drowning in false alerts are not more secure \u2014 they are less secure, because they develop alert fatigue and begin ignoring signals that matter. I have yet to see a model that can reliably detect truly novel attacks in production while keeping false positives low enough for security teams to trust it. Until the base rate problem is solved \u2014 and it may be mathematically unsolvable at current false positive rates \u2014 \u201cAI zero-day detection\u201d belongs in the marketing category, not the engineering one.<br \/>\n3. The \u201cAI-Powered\u201d Marketing Problem<br \/>\nA significant portion of products marketed as AI-powered cybersecurity are, under the surface, using regular expressions, signature matching, and conditional logic. There is nothing wrong with these techniques \u2014 they are effective for many use cases. I have built detection systems on exactly these foundations, and they worked. But labelling them as artificial intelligence creates a false expectation gap.<br \/>\nWhen a vendor says their product uses \u201cAI to detect threats,\u201d the relevant question is not whether it works \u2014 it is whether the AI component is doing something that a well-engineered rule set could not do equally well. In my experience evaluating security products for regulated environments, the honest answer is usually no.<br \/>\nThe genuine value of machine learning lies in NLP, behavioural analytics, and large-scale pattern recognition \u2014 the scale problems described above. Too often, the rest is deterministic logic wearing a neural network costume.<br \/>\nWhat Defenders Should Actually Do<br \/>\nStop buying AI. Start buying outcomes.<br \/>\nThe question is never \u201cdoes this product use AI?\u201d The question is \u201cdoes this product solve a problem I have, and can I verify that it works?\u201d Demand detection rates, false positive rates, and performance on your data \u2014 not marketing materials about neural networks. Run the proof-of-concept on your own traffic, not the vendor\u2019s curated demo dataset.<br \/>\nInvest in data quality before model complexity.<br \/>\nEvery machine learning system is only as good as the data it is trained on. If your threat intelligence feeds are noisy, your log pipeline drops events, or your asset inventory is incomplete, no model will save you. Clean data with good engineering is worth more than the most sophisticated algorithm running on garbage.<br \/>\nUse AI for scale problems, not judgement problems.<br \/>\nAI excels at processing volume that humans cannot handle \u2014 classifying millions of dark web posts, scanning billions of credentials for reuse patterns, and parsing thousands of stealer logs per day. These are scale problems.<br \/>\nIncident response in critical infrastructure, threat attribution, and risk prioritisation relative to business context are judgement problems. They remain human problems.<br \/>\nDo not remove humans from the loop in critical environments.<br \/>\nBuild systems where AI surfaces, prioritises, and recommends. Keep humans in the decision loop for actions that have irreversible or high-impact consequences \u2014 particularly in OT, healthcare, and critical infrastructure.<br \/>\nMeasure what matters.<br \/>\nIf your AI-powered security tool cannot tell you its false positive rate in your environment, it is not a security tool \u2014 it is a liability. Demand measurable outcomes: mean time to detection, false positive rate, coverage percentage, and analyst time saved. If the vendor cannot provide these numbers, the AI is not the product. You are.<\/p>\n<p>Bar\u0131\u015f Ke\u00e7eci is a cybersecurity practitioner with over 16 years of experience in threat intelligence, credential exposure monitoring, critical infrastructure protection, and security engineering across aviation, port operations, healthcare, and manufacturing environments. He has been ranked among HackerNoon\u2019s Top 10 Cybersecurity Writers.<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>AI in Cybersecurity Is Not What Vendors Are Selling You https:\/\/hackernoon.com\/ai-in-cybersecurity-is-not-what-vendors-are-selling-you?sourceu003drss Publish Date: 2026-07-13 18:08:00&#8230;<\/p>\n","protected":false},"author":1,"featured_media":242903,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/hackernoon.imgix.net\/images\/Zxoy5AUvqxUA7HiIFlsL60xE3c63-6783duk.png","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,20,30,24,32,25,34,27],"class_list":["post-242902","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-artificial-intelligence","tag-breach","tag-cybersecurity","tag-malware","tag-phishing","tag-threat-actor","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/242902"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=242902"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/242902\/revisions"}],"predecessor-version":[{"id":242904,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/242902\/revisions\/242904"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/242903"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=242902"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=242902"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=242902"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}