Bank of America has stated that market concerns about AI disrupting the cybersecurity industry appear to be exaggerated. Last Friday, Anthropic introduced a new security feature called Claude Code Security for its Claude AI model, leading investors to worry that AI could automate and replace a significant portion of the cybersecurity sector's business. This triggered a broad sell-off in the sector. On Monday, cybersecurity stocks continued to decline, with CrowdStrike and Zscaler falling approximately 10%, Netskope plunging over 12%, and the Global X Cybersecurity ETF dropping to its lowest level since November 2023.
According to a recent research report from Bank of America, the panic over "AI replacing cybersecurity" is overestimated. The report indicates that AI tools are currently unable to replace comprehensive cybersecurity platforms; their role is that of an enhancer, not a disruptor. The research notes that while AI can indeed improve efficiency in specific scenarios, such as code scanning, it still falls short in three critical dimensions—visibility, control, and reliability—compared to full-fledged cybersecurity platforms.
The report suggests that integrated platform vendors, represented by companies like CrowdStrike and Palo Alto Networks, maintain strong competitive advantages due to their consolidated data foundations and detection and response capabilities. In contrast, standalone application security (AppSec) vendors such as Checkmarx and Snyk, along with toolchain companies like GitLab and JFrog, may face greater competitive pressure. These players must continuously demonstrate their technological differentiation and ability to redefine value in the AI era.
The report describes AI tools like Claude as achieving key breakthroughs in development security. Unlike traditional scanners that rely on signature matching, Claude can perform deep reasoning analysis on component interactions, data flows, and business logic vulnerabilities, surpassing pattern recognition boundaries and significantly improving the accuracy of detecting complex vulnerabilities.
However, the report also clearly defines Claude's limitations: its impact is confined to the narrow segment of pre-production code analysis. This means vendors whose growth relies heavily on application security will face pressure to reassess their value and prove their indispensability in the age of AI.
The difficulty for AI in challenging core cybersecurity platforms stems from fundamental differences between developer tools and runtime security environments. Runtime security is characterized by continuous monitoring, context-aware fusion of multi-source signals (integrating data from endpoints, identities, networks, and cloud environments), and near-zero tolerance for errors—particularly false negatives, which must be controlled with 99.99% precision, as any oversight could lead to severe consequences.
In contrast, reasoning models like Claude exhibit clear vulnerabilities: they are highly sensitive to prompt phrasing and prone to losing context beyond defined task boundaries. While such instability may be tolerable in code reasoning scenarios, it is fundamentally incompatible with the demands of autonomous defense.
Moreover, current AI tools lack the real-time data collection capabilities of runtime sensors, visibility into execution processes, and control plane permissions, meaning they cannot perform critical response actions such as blocking processes or isolating endpoints. These capability gaps represent significant barriers that current AI technology cannot yet overcome, especially given the high reliability thresholds required for security.
Bank of America Securities believes that AI's reshaping of the cybersecurity industry will follow a path similar to that of cloud computing. Just as the rise of hyperscale cloud providers redistributed value across the software stack and gave rise to new leaders like CrowdStrike and Palo Alto Networks, the AI wave will also drive substitution at the edge. However, the ultimate beneficiaries will be integrated platform vendors capable of combining massive telemetry data, runtime sensor capabilities, and reproducible workflow systems.
In the application security space, standalone vendors face direct impact. Companies like Checkmarx and Snyk, which rely heavily on code scanning functionality, risk having their core value partially replaced by AI tools like Claude. Even though larger vendors have expanded their capabilities through acquisitions—such as CrowdStrike's purchase of Bionic and Palo Alto Networks' acquisitions of Bridgecrew, Cider, and Dig—the report notes that some of these acquired model capabilities could also be diluted by AI advancements. A similar logic applies to cloud security posture management, where certain misconfiguration identification functions may be enhanced by AI.
Nevertheless, the report emphasizes that these capabilities exist merely as features within larger platforms, not as core elements defining platform value. Integrated vendors are difficult to disrupt due to three structural advantages: accumulation of cross-dimensional telemetry data spanning endpoints, identities, and cloud workloads; continuous monitoring capabilities for real-time execution behaviors; and reproducible workflow systems that integrate multi-dimensional signals in complex environments. Together, these strengths form competitive barriers that AI tools are unlikely to overcome in the near term.
Comments