AI in Cybersecurity: When the Shield Becomes a Sword

You can’t open a browser tab these days without someone banging on about how AI is going to either save humanity or turn us all into paperclips. It is everywhere. And in our corner of the universe—cybersecurity—it has created this properly fascinating, if slightly terrifying, dynamic that is fundamentally changing how we think about defence.

As an architect, I look at AI and Machine Learning and I see enormous potential. But I’d be lying if I said I didn’t also see a massive headache brewing. Because here is the uncomfortable truth we don’t talk about enough: the exact same technology that promises to help us predict threats before they materialise is simultaneously giving attackers a significantly bigger stick to beat us with. We are essentially engaged in an arms race where both sides are wielding the same weapons. The question isn’t whether AI will transform cybersecurity—it already has—but whether we can stay ahead of the curve.

The Arms Race Nobody Asked For

I know calling it a “double-edged sword” is a bit of a cliche, but it fits. On one side, we’ve got this promise of unprecedented efficiency. Algorithms now churn through raw log data—mountains of it—spotting patterns and anomalies that even the most caffeinated human analyst would miss in a thousand years. That’s not science fiction anymore; that’s Tuesday afternoon in a modern SOC.

But flip that coin over and you’ve got the threat landscape, which has evolved dramatically. Check Point’s Cyber Security Report found that organisations faced an average of 1,968 attacks per week in 2025—a 70% increase since 2023—with AI playing a central role in that surge. Every networked device remains a potential gateway, and we are now dealing with increasingly sophisticated adversarial attacks where clever bastards manipulate the data we feed our models to trick them into missing threats entirely. It’s like digital camouflage that adapts in real time.

And let’s not pretend the attackers aren’t using AI themselves. Cofense reported that their Phishing Defence Centre was detecting a new AI-powered phishing threat every 42 seconds throughout 2024, a figure that had accelerated to one every 19 seconds by early 2026. They are weaponising machine learning to automate attacks, making them faster and more sophisticated than anything we faced even two years ago. We used to rely on typos and bad grammar to spot phishing; now, AI writes better business English than half the people in my office.

Research from CrowdStrike’s 2025 Threat Hunting Report confirms what many of us suspected: adversaries are using AI to gain unauthenticated access, establish persistence, and deploy malware. Lower-skilled attackers—the ones who used to struggle with basic scripting—are now abusing generative AI to automate tasks that once required advanced expertise. We are seeing malware families like Funklocker and SparkCat cited as early proof points that GenAI-built malware is no longer theoretical but already operational, which is both impressive and deeply worrying.

The Defence Toolkit Actually Looks Decent

Despite the gloom, the defensive toolkit has matured considerably. We aren’t bringing a knife to a gunfight here, even if sometimes it feels that way at three in the morning when you’re responding to an incident.

Take Darktrace. I’ve always liked their “Enterprise Immune System” analogy. It’s a smart way of conceptualising the problem—not just building a perimeter wall and hoping for the best, but developing a system that genuinely understands the difference between “self” and “non-self” in your network. Their platform now extends well beyond traditional networks into SaaS applications and cloud environments, which is exactly where the attack surface has expanded.

CrowdStrike has also stepped up, launching Falcon AI Detection and Response (AIDR) in late 2025 specifically to protect the AI interaction layer itself—stopping prompt injections, jailbreaks, and malicious agents before they can cause havoc, with reported efficacy of up to 99% at sub-30ms latency. And IBM’s QRadar has evolved significantly; their Investigation Assistant powered by watsonx uses LLMs to generate attack summaries and recommend responses, parsing through unstructured data that human analysts simply can’t process quickly enough.

These tools excel at the heavy lifting—analysing colossal datasets, spotting anomalies that would take human teams weeks to identify, and reacting at machine speed. But they aren’t magic boxes. You can’t just plug them in, walk away, and expect perfect security. They require proper tuning, continuous feeding of quality data, and—critically—skilled humans to interpret what the machines are telling you.

Getting the Fundamentals Right

Strategy isn’t just about buying the shiniest new AI-powered tool and ticking the “innovation” box on your quarterly objectives. It’s about getting the basics right first, because all the machine learning in the world won’t save you if your fundamental architecture is rubbish.

Take IoT, for example. It is still the Wild West out there. If you aren’t isolating those devices on their own network segments with proper Zero Trust principles, you are leaving the front door open to trouble through the front door. I’ve lost count of how many breaches I’ve investigated where the initial access vector was some smart device still running default credentials because nobody thought the office coffee maker could be a security risk.

And then there’s the human element. You can have the most sophisticated AI in the world, but if Dave in accounts clicks a link he shouldn’t, you’ve got a problem. Here is where AI actually helps us. Companies like Cofense are using a global network of over 35 million trained employees reporting phishing threats. They combine this human intelligence with Bayesian machine learning to identify patterns faster than any human team could manage. Their AI-powered spam filter processes emails locally—preserving privacy—while reducing analyst overhead by around 30%. This means we can spot the really clever phishing lures before they land in Dave’s inbox.

What I’m Actually Building

Speaking of getting hands-on with this technology, I’ve been spending my evenings—and more than a few early mornings—messing around with anomaly detection in my home lab. It keeps me out of trouble, or so my wife claims, though she might have a different opinion about the electricity bill.

I’m currently training models on logs I’ve generated from my AWS and Azure test accounts. Nothing groundbreaking, just practical experimentation. I’m using Python and working primarily with the Isolation Forest algorithm.

The beauty of Isolation Forest is that it banks on a fundamental principle: anomalies are rare and distinct, making them easier to isolate from normal data. Rather than trying to profile what “normal” looks like—which is increasingly difficult in dynamic cloud environments—it focuses on isolating the outliers.

I’m currently deep in the weeds of tuning the contamination parameter—that’s the setting that tells the model roughly what proportion of the data should be considered an outlier. It’s a delicate balance. Set it too high, and you drown in false positives; set it too low, and you miss the subtle signals of a breach. The challenge is finding that sweet spot where you catch genuine threats without driving yourself mad with alerts about perfectly normal but statistically unusual behaviour.

The Road Ahead

The intersection of AI and cybersecurity is moving faster than I’ve seen any technology space move in my entire career. We are heading toward a future of machine-versus-machine conflict, where AI systems engage in real-time combat at speeds human operators can’t even perceive.

What is clear is that treating AI as just another tool you can install and forget is a recipe for disaster. This requires continuous learning and adaptation. The threat actors certainly aren’t standing still; they are innovating constantly, and they don’t have compliance departments slowing them down.

At the same time, we can’t let perfect be the enemy of good. Waiting until you have the perfect AI security solution means you are already years behind. Start somewhere sensible. Combine the power of AI with human expertise, maintain that sceptical security mindset, and keep the fundamentals solid.

That’s the approach that actually works. The boring bits—proper architecture, defence in depth, continuous monitoring—combined intelligently with new capabilities. Not replacing one with the other, but using both to strengthen your posture rather than just creating new attack surfaces wrapped in marketing buzzwords.

Until next time…