Olivier Le Moal - stock.adobe.co
The AI cyber security challenge
Artificial intelligence has had a seismic impact on the security landscape, as Billy MacInnes discovers
As with so many other sectors, artificial intelligence (AI) is starting to have a significant impact on cyber security. On the plus side, it is creating new ways to boost defences, but, on the minus side, it is bringing greater risks and challenges.
While the technology can help businesses spot cyber-related threats faster, it is also enabling threat actors to boost the scale and speed of their cyber attacks. Attackers and defenders are ramping up for an AI arms race, but how do defenders make sure they’re not on the losing side?
According to Sunil Agrawal, chief information security officer at Glean, the problem isn’t a shortage of security products, but a surplus. “Too many tools, too few people to run them, and none of them talking to each other,” he says. Agrawal believes agentic AI is “the connective tissue” that orchestrates defences autonomously “without needing a small army of trained analysts to babysit every dashboard”, describing it as “a structural shift in favour of defenders”.
Anton Shelepchuk, vice-president of worldwide sales at Nakivo, accepts that AI can make the imbalance between attackers, who only have to find one weakness to exploit, and defenders, who must protect everything, all the time, worse, “with faster phishing, smarter vulnerability discovery and attack automation that outpaces any single team”.
But AI can also help to improve the visibility, speed and verification needed for effective defence against AI-driven threats. “Vendors and channel partners can help deploy anomaly detection, automated threat-hunting mechanisms and AI-enhanced firewalls to identify and respond to attacks,” he says.
On the subject of speed, Jonathan Wright, director of products and operations at Global Cloud Exchange, argues defenders need to prioritise speed “delivered by autonomous systems over manual oversight. In 2026, the winning strategy increasingly centres on autonomous response, where human reaction times are simply too slow for AI-driven exploits,” he says.
Agentic AI “can isolate infected segments and rotate credentials in milliseconds, shifting organisations from a ‘human-in-the-loop’ model to ‘human-on-the-loop’, where people observe and govern rather than execute every response”, he adds. At the same time, defenders are increasingly using AI to find their own weaknesses first, simulating attacks against their own environments and patching vulnerabilities before attackers discover them.
Changing the pace
Richard Ford, chief technology officer at cyber security specialist Integrity360, describes AI as “changing the pace of cyber security, not the fundamentals”. Defenders are trying to keep pace by automating detection and response. “The risk is that organisations adopt AI without the same level of control,” he says. “If you don’t fully understand what your AI systems can access, or how they behave in real environments, you’re introducing risk at speed.”
Adam Febry, security engineering manager at Kocho, says AI is “reshaping how attacks are designed and delivered”, allowing threat actors “to operate at a scale and speed that would be impossible using manual methods alone”. Traditional security operations, designed around human-led investigation and response, struggle in environments generating thousands of alerts every day, where attacks adapt faster than analysts can reasonably track.
He stresses that AI “has genuine defensive value, but only if its role is understood properly”. It should not replace analysts or be making high-impact decisions in isolation. By reducing noise, correlating signals across identity, endpoint, cloud and network, and presenting analysts with prioritised, contextualised incidents, AI “helps analysts do their jobs more effectively. It shortens the gap between detection and response, and reduces the risk of serious threats being missed because teams are overwhelmed by low-value alerts.”
Peter Watson, cyber practice lead at Leading Resolutions, agrees that “the answer isn’t to out-automate the attacker. It’s to be smarter about where humans stay in the loop.” AI is excellent at pattern recognition across large datasets but can still miss novel techniques and still can’t exercise judgement in a crisis. “Organisations that treat AI as a force multiplier for their security teams will outperform those treating it as a replacement,” he says. “The losing side is whoever automates their way out of understanding what they’re actually protecting.”
Stew Parkin, global chief technology officer at Assured Data Protection, notes that the challenge of applying AI in a controlled way that improves resilience without adding complexity or unmanaged risk “is driving a notable shift away from point products toward integrated security platforms, with the aim of improving visibility, reducing gaps and enabling broader automation”.
But while they deliver real benefits, they also “introduce risks around vendor lock-in and over-dependence on a single ecosystem. Customers may accept some degree of lock-in where the operational value is clear, but they should not have to tolerate weaker components simply for the sake of integration.”
Reducing tool sprawl
Rob Anderson, director of security practice for global channel at Barracuda, says customers are turning to platforms because they “want to reduce tool sprawl, drive automation, increase visibility and simplify day-to-day operations for under-resourced or over-stretched security teams”.
But he warns that if moving to a single vendor’s platform results in weaker protection or resilience, centralisation has missed the point.
Sean Remnant, chief strategy officer at Ignition Technology, believes “the attitude is shifting decisively in favour of the integrated platform model” in cyber security, claiming that “a fragmented, best-of-breed stack of disconnected point solutions is simply not equipped to respond at the speed and scale these attacks demand”.
The platform approach directly addresses customer objectives of reducing risk, cost and complexity. To suggestions that this runs the risk of vendor lock-in, he retorts: “Customers are not accepting lock-in reluctantly, they are choosing consolidation deliberately, because the benefits far outweigh the perceived risks. The assurance of seamless interoperability, reduced operational overhead and stronger security outcomes represents a compelling value exchange.”
The greatest risk is not vendor dependency, but “the complexity, the gaps and the blind spots that come with trying to do it all yourself”.
Remnant believes the platform model also enables partners to consolidate around a smaller number of strategic vendors and “invest deeply in building real technical proficiency, developing repeatable methodologies and accumulating the kind of hands-on experience that translates into genuine customer outcomes. Depth replaces breadth and that is a better model for everyone.”
When the market converges around a small number of dominant platforms, differentiation does not come from which vendor a partner represents, but from how well the partner can “deploy, optimise and extract value from that platform on behalf of its customers. Skills become the differentiator. The partners who invest in deep platform expertise will be the ones who win, retain, and grow accounts”.
Layered approach
Andy Portlock, group revenue director at Utilize, agrees that customers are prepared to accept platform lock-in when “it clearly improves outcomes. As security becomes increasingly complex, many customers see misconfiguration, alert fatigue, and sprawl as bigger risks than vendor dependency.” But customers “aren’t looking to be locked in for its own sake, they want security that works and reduces risk. Lock-in is most acceptable when it sits within a layered approach, providing resilience rather than creating dependence on a single control or vendor.”
As for partners, he believes that most don’t have the skills to deliver those platforms effectively. Most partners are strong on licensing, deployment and first-line support, but “fewer can take responsibility beyond go-live. Real value comes from identity design, secure configuration, policy enforcement, incident response, logging and ongoing optimisation. Without this, platforms are often under-used or poorly configured, creating the illusion of security rather than genuine resilience.”
Rob Kehoe, chief technology officer at Smarttech247, claims that “the market has clearly voted for consolidation. But that’s been partly a reflection of how bad the alternative was, not necessarily how good platforms are.”
But will customers “make a strategic choice or tactical retreat? When pricing power shifts, when acquisitions change product roadmaps, when the platform’s weakest module becomes your biggest risk, that’s when we’ll find out. Without at least a considered exit strategy, consolidation is less a platform decision and more a hostage situation waiting to happen.”
The role of partners is under-appreciated, he adds: “A platform is only as good as the team running it. Certifications are table stakes, but what matters is whether your partner has seen the platform fail, been through a major incident on it, and knows where the gaps are. Many haven’t done that.”
Sam Weeks, vice-president for client solutions at Prevalent AI, describes the push towards platform consolidation as a rational response to the complexity of fragmented tools providing fragmented intelligence. “But it risks trading one problem for another,” he warns. Integrated and locked in are not the same thing.
“Vendors do not need to offer monolithic platforms; they need to interoperate,” he says. “MCP and agentic AI are already breaking down walled gardens and making horizontal integration easier. Platform plays always involve compromises on features and capabilities; best of breed does not have to mean integration friction if the architecture is right.”
Reduced complexity
Geert Busse, solutions architect director for EMEA and go-to-market at Westcon-Comstor, believes customers are looking for reduced complexity. “Some remain cautious about betting everything on a single vendor, but there is widespread acceptance of the need for pragmatic consolidation, meaning fewer tools where integration is weak, overlap is high or operational overhead is unsustainable,” he says
Platform approaches “can make sense in an AI-driven threat environment because visibility, telemetry and response need to be joined up to operate at speed”.
Beth Miller, global field chief information security officer at Mimecast, agrees that “the push toward platform consolidation is a logical response to complexity, because unified visibility does matter when threats move at machine speed”. But she warns that “integration can create a false sense of coverage”, highlighting organisations that have interpreted consolidating onto a single platform as a security win, “when what they’ve actually done is concentrate their risk and mask the gaps their previous point solutions were at least making visible”.
Adam Williamson, UK country manager at Exclusive Networks, argues that “customers aren’t setting out to lock themselves into a single vendor. What they’re really looking for is simplicity, better visibility and ultimately stronger security outcomes.”
Like many others, he accepts that platform approaches can help by reducing operational friction and speeding up response. “But in reality, most organisations still want choice,” says Williamson. “They’re adopting platforms where it makes sense, while keeping the flexibility to bring in specialist technologies where they add real value.”
Larger platform ecosystems, such as those from Fortinet, Palo Alto Networks and SentinelOne, “are working well because they don’t exist in isolation”, he adds. “They integrate effectively with other vendors in the stack.”
From a partner perspective, platforms represent an opportunity because they “don’t take away the need for skills”, says Williamson. “If anything, they make them more important. The partners doing well today are the ones evolving beyond pure product resale into architects and managed service providers. They’re the ones who can design and run these environments end-to-end.”
Sleepwalking into platform lock-in
Watson at Leading Resolutions argues that most customers aren’t prepared to accept platform lock-in, “but many are sleepwalking into it anyway”
“The consolidation pressure is real: boards want fewer invoices, simpler procurement, and someone to blame when things go wrong,” he says. “That pushes buyers toward the big platform players. What they don’t always see is that ‘integrated’ often means ‘integrated with itself’. When your SIEM [security information and event management], EDR [endpoint detection and response], and identity tooling all come from one vendor, your blast radius from a single vendor compromise or licensing dispute becomes enormous.”
Asked whether partners have the skills to deliver those platforms effectively, he replies: “Not consistently. The channel is full of partners who can sell a platform licence and handle a basic deployment. Far fewer can architect it properly, tune it to the customer’s environment and integrate it with the brownfield estate most enterprises are running.”
Yonni Shelmerdine, chief product officer at Vega Security, doesn’t mince his words. “The current obsession with platform consolidation misses the point,” he says. “Reducing vendor count might simplify procurement or operations, but it doesn’t solve the core issue. In many cases, it just replaces fragmentation with dependency and lock-in, while still restricting how data can actually be used.”
For Shelmerdine, the priority for security teams “shouldn’t be choosing between one platform or many, it should be ensuring that all security data can be accessed, understood and acted on as a single system. Anything less, and you’re capping what AI can do, regardless of how advanced the models become.”
