Mark - stock.adobe.com

Check Point builds homegrown AI model as attack barriers collapse

The company is training a security-only small language model as AI hands attackers industrial-scale capabilities and pushes cyber defence towards full automation

Check Point Software Technologies is training its own small language model dedicated solely to cyber security, in the belief that a specialist artificial intelligence (AI) model can beat general-purpose frontier models on speed, cost and accuracy in defending enterprise networks.

The effort, revealed by CEO Nadav Zafrir in an interview with Computer Weekly on the sidelines of Check Point Engage 2026 in Singapore, is being led by the team behind Lakera, the Zurich-based AI security startup Check Point acquired last September in a deal reportedly worth around $300m. Lakera’s Zurich base now serves as the company’s global AI security research and development (R&D) centre.

“We are training a small language model that is focused on cyber security only, because at the end of the day, the generalist models, just like any other model, are as good as the data feed that they get,” said Zafrir. “We think that by training our model, we can create better latency, lower cost and better accuracy.”

One of the model’s more unusual data sources is Gandalf, Lakera’s online game that challenges players to trick an AI chatbot into giving up a password across increasingly difficult levels. The game has drawn almost two million users, according to Zafrir. “By having these users around the world, we’re constantly getting more crowdsourced ideas of how to hack,” he said. “That is fed into our model, which is constantly updated.”

The homegrown model will not replace frontier models. Through an internal programme, Check Point continuously runs the latest models – accessed through partnerships with the likes of OpenAI and Anthropic, alongside open source releases – against software to find flaws before adversaries do, because, as Zafrir put it, “we want to be able to simulate what real attackers are going to be doing”.

The move dovetails with where Gartner sees the market heading. The analyst firm predicts that preemptive cyber security tools – many of them built on agentic AI and domain-specific language models – will account for half of IT security spending by 2030, up from under 5% in 2024.

Between paradigms

The small language model is Check Point’s answer to what Zafrir describes as an industry caught “between paradigms”, with AI eroding the assumptions underpinning today’s defences before a new security operating model takes shape.

“If you think about this from the attackers’ perspective, what we’re seeing is the collapse of scarcity,” he said. “Attackers now have abundant capabilities to find vulnerabilities and to weaponise them, and that creates a democratisation where many more groups will have access to what only a few groups had in the past.”

The second change, he added, is industrialisation: “Not only can you find these gaps in software, you can also make correlations with vulnerabilities, to infrastructure, to other vulnerabilities, and create pathways to breaches – and you can do this in an industrialised way.”

We tend to think about these agents from a personification perspective – like they will replace humans, they will be like us – but they’re not humans. They don’t have common sense. They don’t have judgement. They don't have a moral standing. It’s a different phenomenon, and so we don’t know everything
Nadav Zafrir, Check Point Software

The numbers bear him out, with Gartner expecting the number of documented common vulnerabilities and exposures (CVEs) to exceed one million by 2030, roughly quadruple the 277,000 recorded in 2025.

Against this backdrop, Zafrir’s advice is to do two things at once: “Go and execute the fundamentals maniacally, like your life depends on it – because it does – but at the same time, you need to start preparing for the future.”

Exposure management doubles

The clearest sign of where demand is heading is the company’s continuous threat exposure management (CTEM) suite, which saw 96% year-on-year growth in annual recurring revenue during the first quarter of 2026.

Assembled from the acquisitions of threat intelligence firm Cyberint in 2024, automated remediation specialist Veriti in 2025 and asset management supplier Cyclops earlier this year, the product launched in January 2026, aligned to Gartner’s CTEM framework and integrating with more than 75 third-party security controls.

The premise is that static vulnerability scores are useless at machine speed. Check Point uses agentic red teaming to simulate attack paths adversaries could take in a specific organisation, then offers push-button remediation, whether patching, virtual patching or segmentation – including on rival suppliers' products.

“If you had 1,000 indications of intelligence coming from different feeds and you had to prioritise and fix vulnerabilities manually, the time to fix was measured in months and weeks,” said Zafrir. “Now, you have to measure it in days, hours, minutes – and ultimately, in seconds. The only way to do this is to automate it by using AI.”

The adoption of CTEM also helps to break down organisational silos between security and engineering teams, he observed. “One of our large customers – a vice-president of engineering – told me: ‘I used to speak to the CISO [chief information security officer] once every couple of months. Now I speak to him twice a day.’”

Gartner, which coined the term CTEM in 2022, predicted that organisations prioritising security investments through continuous exposure management would be three times less likely to suffer a breach by 2026, and expects those implementing CTEM with a focus on mobilisation to cut successful attacks by at least half by 2028.

But Check Point is a latecomer to a crowded field: the analyst firm’s first Magic Quadrant for exposure assessment platforms, published in November 2025, assessed 20 suppliers and named Tenable, Rapid7 and Qualys among its leaders. Check Point’s product arrived after the evaluation closed.

In network security, Check Point fares better and is a leader in Gartner’s inaugural Magic Quadrant for hybrid mesh firewall platforms in August 2025 alongside its larger and faster-growing rivals Fortinet and Palo Alto Networks.

Check Point reported revenue of $668m for the first quarter of 2026, up 5% year on year, while Fortinet grew 20% to $1.85bn over the same period, and Palo Alto Networks posted $3bn, up 31%, for its most recent quarter – albeit boosted by its acquisitions of CyberArk and Chronosphere.

Will AI labs eat security?

The rise of frontier models has prompted some security leaders to speculate that budgets could one day flow to AI labs rather than security suppliers. Zafrir conceded the models are becoming capable security assistants but rejected the idea they will displace the incumbents.

“Given the depth, breadth and expertise needed, I still think that the security vendors are going to be at the core of protecting networks,” he said. “They [AI labs] will be a player, but I also think that the pure-play cyber security platform players are going to remain at the core of this industry.”

He was blunter still about proliferation, noting that organisations must assume that the capabilities of every frontier model will soon be widely accessible, whatever guardrails their developers apply. “Some governments around the world are doing a pretty good job of containing some of [the risks], but at most, I think they’re buying us time to prepare,” he added.

One consequence, he warned, is that critical infrastructure and operational technology (OT) will become far more fragile. “Until now, we had what we call security by obscurity,” said Zafrir, referring to the arcane industrial protocols few attackers understood. “But we see a world in which these frontier models are really good at taking legacy software, which may even be open source, and finding vulnerabilities that humans haven’t found before.”

In Asia-Pacific, Zafrir said data sovereignty – spanning where data resides, who can access it and who controls the models governing it – is driving Check Point’s investment in regional infrastructure and points of presence, as well as its work with Nvidia to embed its software into AI factories. The company’s second-largest R&D centre is now in Bangalore, and it is scouting Singapore’s entrepreneurial ecosystem for partnerships, an instinct Zafrir carries over from his years running venture group Team8.

For all the investment, the former commander of Israel’s famed Unit 8200 cyber intelligence agency said staying humble is important, because nobody yet knows what networks will look like once autonomous agents operate inside them at scale.

“We tend to think about these agents from a personification perspective – like they will replace humans, they will be like us – but they’re not humans,” he said. “They don’t have common sense. They don’t have judgement. They don't have a moral standing. It’s a different phenomenon, and so we don’t know everything.”

Read more about cyber security in APAC

Read more on Hackers and cybercrime prevention