The short answer
AI in cybersecurity is a force multiplier, not a replacement. Defenders win on volume (alert triage, log summarization, phishing detection, a first-pass code review) with a human still signing off. Attackers win on scale (flawless phishing, faster recon and vuln discovery, deepfakes). The capability is dual-use, and your own AI features are new attack surface.
Want the cleanest proof that AI in cybersecurity stopped being hype? June 2026. The US government made Anthropic pull two of its strongest models off the market, and the reason was almost funny: someone showed the things could read a codebase and point straight at the security holes in it. Sit with that for a second. A model got recalled for being good at the exact thing your AppSec team grinds through on a Tuesday afternoon. The useful tool and the dangerous weapon turned out to be one and the same.
So forget the breathless takes. Forget the doom too. After roughly two years of this stuff actually running inside real SOCs and getting thrown at real targets, here's what AI honestly does for defenders, what it does for attackers, and the handful of things you should genuinely change in your stack.
Where AI actually helps defenders
Honest version? AI is great at the boring, high-volume grind that burns analysts out. It's mediocre the second a real judgment call shows up. Keep it on the first thing and away from the second, and it earns its keep.
- Alert triage. A SOC drowns in alerts, and most of them are noise. Point a model at the flood so it clusters them, kills the duplicates, and writes a plain-language first take on each. Analysts get hours back. It won't decide what's a real incident. It just clears the runway so a human can.
- Log and incident summarization. Ten thousand lines of logs, or some messy incident timeline nobody has time to read, turned into something legible. That's the sweet spot for these models. Mid-incident, that speed is the whole game.
- Phishing and anomaly detection. Language models have a decent nose for the tone and shape of social engineering, and they'll flag the email that just doesn't read right. Pair it with classic detection. Don't let it replace the classic stuff.
- First-pass code review. Aim a model at a diff and it'll catch the obvious injection, a secret somebody pasted into the code, an auth check that went missing. Easy wins, early. It's a first pass, not a pentest, and confusing the two will burn you.
- Threat intelligence digestion. Boiling advisories and CVEs and vendor bulletins down to "does this actually touch us, and how" is the quiet time-saver nobody brags about.
Defender verdict. AI buys you speed on volume and triage. Not judgment. The teams getting real value out of it treat it like a junior analyst who never sleeps and is, every so often, confidently and completely wrong. So anything that matters still gets a human check before it counts.
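A sketch of the alert-triage pattern described above, added here as an example and not taken from any product: duplicates collapse into clusters, each cluster gets a draft summary, and nothing closes without a named analyst. The alert fields, the sample alerts and the function names are constructed for illustration, and the templated `draft` string stands in for the model-written first take.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample alerts, not real telemetry.
ALERTS = [
    {"id": 1, "rule": "ssh_bruteforce", "host": "web-01",
     "msg": "Failed password for root from 203.0.113.7 port 50122"},
    {"id": 2, "rule": "ssh_bruteforce", "host": "web-01",
     "msg": "Failed password for root from 203.0.113.9 port 41877"},
    {"id": 3, "rule": "new_admin_user", "host": "web-01",
     "msg": "User svc-tmp added to group sudo"},
    {"id": 4, "rule": "ssh_bruteforce", "host": "web-01",
     "msg": "Failed password for root from 198.51.100.4 port 60211"},
    {"id": 5, "rule": "ssh_bruteforce", "host": "db-01",
     "msg": "Failed password for root from 203.0.113.7 port 50310"},
]

def fingerprint(alert):
    """Key on rule, host and the message with volatile tokens masked."""
    msg = re.sub(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", "<ip>", alert["msg"])
    msg = re.sub(r"\d+", "<n>", msg)
    raw = "|".join((alert["rule"], alert["host"], msg))
    return hashlib.sha256(raw.encode()).hexdigest()[:12]

def triage(alerts):
    """Collapse duplicates into clusters; every cluster waits for a human."""
    clusters = defaultdict(list)
    for alert in alerts:
        clusters[fingerprint(alert)].append(alert)
    queue = []
    for fp, members in clusters.items():
        first = members[0]
        queue.append({
            "fingerprint": fp,
            "alert_ids": [m["id"] for m in members],
            "count": len(members),
            # Stand-in for the model-written first take; a draft, not a verdict.
            "draft": f'{len(members)}x {first["rule"]} on {first["host"]}',
            "status": "needs_human_review",
        })
    return sorted(queue, key=lambda c: c["count"], reverse=True)

def close_cluster(cluster, analyst, verdict):
    """Only a named analyst can close; the triage step never does."""
    if not analyst:
        raise PermissionError("closing a cluster requires a human analyst")
    return {**cluster, "status": "closed", "closed_by": analyst, "verdict": verdict}
```

Five alerts become three review items here, and the single `new_admin_user` alert stays visible in its own cluster instead of being buried under the brute-force noise.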
Where attackers are using it
The same leverage works for the other side. Pretending it doesn't helps nobody. And none of this is theoretical anymore. It's just Tuesday for them too.
- Phishing at scale. Remember the old tell, the broken grammar in someone's second language? Gone. Models crank out fluent, personalized lures in any language you like, in seconds flat. Volume went up. So did quality. Both at once, which is the nasty part.
- Recon and vuln discovery. Feed public code, a config, some scan output to a capable model and the hunt for the weak spot speeds right up. This is the exact capability that got Fable 5 recalled. It's also widely available.
- Malware assistance. Models won't just hand you clean weaponized malware, not easily. But they'll happily speed up the scaffolding, toss out obfuscation ideas, help you debug the thing. The skill floor drops.
- Deepfakes. Voice and video good enough to survive a quick call? Here already. That "CFO on a video call asking for a wire transfer" scam costs almost nothing to run now.
The pattern holds across all of it. AI doesn't really invent new attacks. It strips the friction off old ones and drops the skill you need to pull them off. The barrier to entry caved in.
The dual-use problem nobody can wish away
Here's the part that makes AI in security genuinely hard, and honestly it's worth just sitting with for a minute. A model that reads a codebase and finds vulnerabilities is, in the very same breath, a code-auditing assistant and an exploit-finding assistant. Same model. Same output. There's no version of the feature that quietly helps only the good guys, and I don't think one is coming. We covered the Fable 5 and Mythos 5 recall in detail, and that's precisely the tension behind it: a government stared at a dual-use capability and decided to treat it like a controlled export.
So the practical takeaway, for you, isn't to pick a side in that argument. It's simpler and grimmer. Assume the capability sits on both sides of your perimeter, because it does. Your attackers have the same class of tools you've got. Build your defense like that's already true.
What to actually change in your stack
Here's what actually holds up.
- Use AI for leverage, never for judgment. Let it triage, summarize, draft, run a first-pass review. Then keep a human on every call that closes a ticket or touches production. Every single one.
- Don't let it paper over weak fundamentals. MFA, patching, least privilege, the boring backups and the segmentation nobody wants to maintain: that's still what decides whether you get hurt. Bolt AI onto a broken base and it just fails faster.
- Treat your own AI features as attack surface. Ship a chatbot or an AI feature and suddenly prompt injection, data leakage and tool misuse are your problem. Read the OWASP LLM Top 10, then threat-model the thing like any other untrusted input.
- Govern it on purpose. The NIST AI Risk Management Framework and MITRE ATLAS hand you a real vocabulary for AI-specific risk. Use them. Don't reinvent the wheel badly.
- Train people for the new phishing and deepfakes. "Check the grammar" is dead advice now; honestly, it might do more harm than good. Out-of-band verification for money and access requests is the control that still actually works.
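One way to combine two of the points above, treating model output as untrusted input and keeping a human on anything that touches production, shown as an added example rather than code from any framework. The tool names, the registry layout and `gate_tool_call` are hypothetical.

```python
import json
import re

# Hypothetical tool registry for a SOC assistant (names are assumptions).
TOOLS = {
    "search_logs": {"args": {"query": str, "hours": int}, "needs_approval": False},
    "isolate_host": {"args": {"hostname": str}, "needs_approval": True},
}
HOSTNAME = re.compile(r"[a-z0-9][a-z0-9-]{0,62}")

def gate_tool_call(model_output, approved_by=None):
    """Return (decision, reason); decision is 'allow', 'hold' or 'deny'."""
    try:
        call = json.loads(model_output)
    except (TypeError, ValueError):
        return "deny", "output is not valid JSON"
    if not isinstance(call, dict):
        return "deny", "output is not a JSON object"
    name, args = call.get("tool"), call.get("args")
    if not isinstance(name, str) or name not in TOOLS:
        return "deny", "tool is not on the allowlist"
    spec = TOOLS[name]
    if not isinstance(args, dict) or set(args) != set(spec["args"]):
        return "deny", "argument names do not match the schema"
    for key, expected in spec["args"].items():
        # type() rather than isinstance(): JSON true must not pass as an int.
        if type(args[key]) is not expected:
            return "deny", f"argument {key!r} has the wrong type"
    if "hours" in args and not 1 <= args["hours"] <= 168:
        return "deny", "hours outside 1..168"
    if "hostname" in args and not HOSTNAME.fullmatch(args["hostname"]):
        return "deny", "hostname has unexpected characters"
    if spec["needs_approval"] and not approved_by:
        return "hold", "production-touching action needs a human approver"
    return "allow", "within policy"
```

The gate runs outside the model, so text injected into a prompt cannot widen the allowlist or skip the approval step.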
Bottom line. AI in cybersecurity in 2026 isn't the savior the headlines promise. It isn't the apocalypse either. It's leverage, handed to both sides at the same moment. The teams that come out ahead treat it as a powerful, fallible assistant bolted onto fundamentals that already work, and they assume their attackers just got handed the exact same upgrade.
Sources
- NIST AI Risk Management Framework
- MITRE ATLAS (adversarial threat landscape for AI systems)
- OWASP Top 10 for Large Language Model Applications
- Anthropic: statement on the Fable 5 and Mythos 5 access suspension
Frequently asked questions
Will AI replace security analysts?
No. And the teams trying to do that are getting burned for it. AI takes over the repetitive volume work (triage, summarization, the first-pass review nobody enjoys) and frees analysts up for the judgment, the threat hunting, the actual response. Force multiplier for a good team. Not a substitute for one.
Is AI making attackers more dangerous?
Mostly it makes them faster and drops the skill floor, rather than dreaming up brand-new attacks. Phishing turned fluent and personal. Recon and vuln discovery got quicker. Deepfakes made impersonation cheap enough that anyone can try it. The barrier to entry for a credible attack fell off a cliff.
What is the dual-use problem?
A lot of AI security capabilities help defenders and attackers equally, because they're literally the same capability. A model that finds vulnerabilities in code helps you audit, and helps an attacker exploit. There's no defender-only version on offer. That's the thing that made the 2026 Fable 5 recall so contentious.
Do I need to secure my own AI features?
Yes. The second you ship an AI feature, prompt injection and data leakage and tool misuse all walk into your threat model uninvited. Start with the OWASP LLM Top 10. Treat what goes into the model, and what comes out, with the same suspicion you'd give any untrusted data.
Where should a small team start?
Point AI at your biggest volume pain first. Usually that's alert triage or log summarization, with a human still signing off at the end. Lock down the fundamentals at the same time. And add out-of-band verification for money and access requests, because that's what stops the deepfake-driven social engineering cold.