The narrative surrounding artificial intelligence's impact on the cybersecurity sector is undergoing a reassessment. In recent weeks, announcements from Anthropic regarding its Claude Code Security and a perfect score for its Mythos AI model on its own cybersecurity benchmark sparked market fears of AI disrupting the industry, leading to a sector decline of approximately 25%. However, Morgan Stanley, in a recent report, argues that this sell-off reflects a structural misjudgment by the market regarding the AI threat, rather than a genuine deterioration in fundamentals. Investors are underestimating the expansion in defensive demand driven by AI while overestimating its disruptive threat to incumbent vendors. The incremental security opportunity created by AI is estimated at $2.2 trillion, multiples larger than the approximately 10% market share deemed at risk of disruption. Consequently, the net size of the cybersecurity software market is projected to be about 10% larger than it is today.
**Sector Decline of ~25%: Concerns Deemed Overblown**
The recent sell-off was triggered by announcements from AI-native companies. Reports indicated that Anthropic's release of Claude Code Security and the Mythos AI model's perfect benchmark score led investors to worry that AI would significantly devalue traditional cybersecurity solutions, prompting heavy selling. Morgan Stanley notes that some AI-native firms are already establishing pre-release model partnerships with select cybersecurity vendors. Companies like Palo Alto Networks and CrowdStrike are participating, aiming to co-develop safety "guardrails" before models are widely deployed. This initiative itself signals that AI providers view cybersecurity as a prerequisite for model scaling, not a replacement. Regarding divergent views within the sector, Morgan Stanley points out that long-term investors are generally bullish. They believe AI will lower the cost of attacks while increasing their frequency and complexity, thereby continually reinforcing security budgets from the demand side. Hedge funds, conversely, are more pessimistic, expressing greater skepticism about traditional vendors' long-term ability to withstand competition from AI-native players. Morgan Stanley suggests the current debate closely resembles earlier narratives, such as the early cloud migration era, when fears that "cloud vendors would replace the security industry" proved to be significantly overstated.
**$2.2 Trillion Incremental Opportunity Far Exceeds Disruption Losses**
Morgan Stanley estimates the current cybersecurity market size at approximately $3 trillion (including services), accounting for 6% to 7% of total IT budgets. Disruption risk is primarily concentrated in the "preventive security" layer—tasks like vulnerability management, application security testing, and cloud configuration management, which can be executed asynchronously with higher latency tolerance, making them relatively easier for AI models to address. This segment constitutes about 10% of the total market. Simultaneously, incremental security demand driven by AI is rapidly materializing. As enterprises deploy AI models, agents, and data pipelines at scale, protecting these new assets will generate substantial additional budget. Morgan Stanley calculates that this new demand is sufficient to offset market losses, leading to a net expansion of the cybersecurity software market by roughly 10% compared to today. Data from the attack side further strengthens the demand argument: currently, 80% to 90% of attacks are AI-generated, with attack costs approaching zero. This does not weaken the rationale for security spending; instead, it fundamentally amplifies the need for real-time detection, response, and identity security capabilities.
**The Battlefield with the Strongest Defensive Moats**
Morgan Stanley segments the cybersecurity market into three layers: Preventive Security, Control Points/Perimeter Security, and Runtime Security, emphasizing that AI's disruptive power is highly unevenly distributed across them. Runtime Security is considered difficult to disrupt because threats like prompt injection, data leakage, and model misuse must be captured and handled in real-time once AI models are in production; they cannot be entirely eliminated during development or training. Both Control Point and Runtime Security require low-latency, deterministic responses, which fundamentally conflict with the probabilistic nature of current AI models. Companies like CrowdStrike, Palo Alto Networks, Okta, and SailPoint are leveraging this, extending their capabilities in endpoint, network, and identity security to the AI layer to build dynamic enforcement "guardrails" around real-time AI systems. Cost logic is also a critical factor. Morgan Stanley notes that using large language models for high-frequency security tasks like email filtering or authentication could incur computational costs several orders of magnitude higher than existing solutions. Current email security and identity platforms often price at low-to-mid single-digit dollars per user per month, handling hundreds of thousands or more events, implying a marginal cost per event of less than one cent. Running token-based AI models at a similar scale would introduce significantly higher compute expenses. Morgan Stanley believes that in the near term, AI is more likely to play an "augmentation" role in cost-sensitive, low-latency scenarios rather than fully replacing existing architectures.
**Non-Human Identity Emerges as the Next Core Battleground**
The proliferation of AI is elevating the strategic importance of identity security. With the rapid growth of "Non-Human Identities" (NHIs)—such as APIs, machine identities, and autonomous agents—traditional human-centric identity management frameworks are struggling to cover new risks. Morgan Stanley highlights that AI-driven systems often operate with high privileges, accessing sensitive data across distributed environments, which significantly expands the attack surface for credential misuse, privilege escalation, and unintended access paths. Identity security is evolving from mere "authentication" into a real-time enforcement control layer encompassing continuous verification, fine-grained access control, and full lifecycle management. As AI agents autonomously execute database queries, trigger workflows, and interact with external systems, identity becomes the primary mechanism for enforcing trust boundaries and policy controls. TD Cowen analyst Shaul Eyal also noted that every agent on every AI platform requires identity credentials, and Okta and SailPoint remain the only pure-play public identity security companies, giving them scarcity value.
**Platform Integration and Flexible Pricing are Key Barriers**
Morgan Stanley believes top cybersecurity companies in the AI era should possess three core attributes: a clear roadmap for agent security and rapid AI product release capability; a flexible consumption-based pricing framework (like CrowdStrike's Falcon Flex) to reduce friction for customers adopting new capabilities; and an overall value proposition rooted in runtime enforcement, proprietary data advantages, and cost efficiency. Regarding budget trends, Morgan Stanley anticipates a shift away from fragmented point solutions towards integrated platforms. Long-term, the continuous expansion of the attack surface is expected to make cybersecurity one of the most defensible priority areas in corporate IT spending—the firm's CIO surveys indicate that cybersecurity software is the least likely IT project category to face budget cuts.