A University of Edinburgh pre-print study analyzing over 100 million cybercrime forum posts found no significant evidence that AI has materially improved hackers' capabilities. Cybercriminals appear to use mainstream tools like Claude and Codex mainly for basic coding help, cheatsheets, and easier-to-automate scams such as social media bots and SEO fraud. The study suggests AI guardrails are still working, while cybercriminals struggle to bypass safety settings on leading models.
The near-term takeaway is not that AI is irrelevant to cyber risk, but that the marginal attacker is still bottlenecked by workflow quality, not model access. That favors incumbent security vendors because they are selling against a threat curve that is improving more slowly than the market narrative implies; the first-order spend likely stays defensive and steady rather than accelerating into a panic cycle. More importantly, the “cheap AI crime explosion” thesis appears premature, which removes a common bear case for internet/platform names and reduces the odds of a near-term fraud-cost spike that would compress digital ad or payments margins.
The second-order effect is a concentration of capability among already-skilled operators, which tends to raise the quality of attacks before it raises the quantity. That means the loss function for enterprises may shift toward fewer but more bespoke incidents over the next 6-18 months, benefiting vendors with identity, endpoint, and email controls over point solutions marketed around generic AI threat detection. If criminal groups continue falling back to older open-source models, the real arms race becomes model hardening and abuse monitoring at the infrastructure layer rather than cybercrime-specific tools, which keeps the economic moat with large model providers that can absorb safety engineering costs.
Catalyst-wise, the main reversal would be a step-change in open-source model quality or a jailbreak breakthrough that meaningfully lowers the skill threshold for phishing, botting, and scam generation. Watch for evidence in forum activity and attack telemetry over the next 1-2 quarters; if volume rises without a comparable increase in sophistication, this remains mostly a productivity story for defenders, not an earnings-risk story.
The contrarian view is that markets may be overpricing an AI-enabled cyber offense wave in 2025 while underpricing the persistence of human bottlenecks, which argues for owning quality security rather than chasing speculative AI-security names.