⟵ back

AI Will Eat Cybersecurity

On February 20th, 2026, cybersecurity stocks cratered. CrowdStrike dropped nearly 8%. Cloudflare fell over 8%. The catalyst wasn't a breach, a recession scare, or an earnings miss. It was a research preview. Anthropic launched Claude Code Security, a tool that reasons about code vulnerabilities the way a human security researcher would, and Wall Street immediately repriced the entire sector.[1]

This wasn't a surprise to anyone paying attention. It was an inevitability.

Anthropic is not building a security startup

Here's what most people miss: Anthropic isn't trying to compete with CrowdStrike. They're not building a security startup. They're building AI that reasons, and then pointing it at security as one of the first verticals where that reasoning pays for itself immediately. The distinction matters enormously.

Look at the job posting for their Cybersecurity Products team.[2] It reads nothing like a traditional security vendor's hiring page. They want engineers with 7+ years of experience who can "work across the stack to prototype new ideas and build from the ground up." They want people who've done incident response, reverse engineering, penetration testing. They want people who can build agentic applications. And they want these people to sit at the intersection of research, product development, and market strategy, collaborating directly with researchers to develop security-focused AI capabilities.

That's not a security company hiring engineers. That's an AI research lab building point vendor solutions from first principles, rethinking what security products should look like when your core primitive is reasoning rather than signatures.

And it goes deeper than code scanning. Anthropic recently hired an endpoint security director to lead their security vendor product team. Read that again. Endpoint security. That's not "we're building a dev tool." That's a direct declaration that they intend to compete on the terrain where CrowdStrike, SentinelOne, and yes, Palo Alto Networks live and breathe. They're not tiptoeing around the incumbents. They're walking straight into the product categories that generate the most revenue in cybersecurity.

The legacy vendors are not ready

Let me be blunt: basically all of the existing legacy cybersecurity vendors are not anywhere remotely ready for this.

The incumbent model is well understood. You ship agents to endpoints. You collect telemetry. You write detection rules. You build dashboards. You sell seats. You upsell SIEM, SOAR, XDR, and whatever acronym the analyst firms are pushing this quarter. The moat is integration sprawl and procurement inertia. The product is a pane of glass on top of a regex engine.

Legacy Security Signatures / Hashes Pattern Matching Static Rules Engine Dashboard + Alerts Human Analyst Triages AI-Native Security Code / Telemetry Reasoning Engine Context + Intent Action + Explanation Human Reviews Result

Claude Code Security doesn't scan code with pattern matching. It "maps component interactions and data flow" to find vulnerabilities like input filtering defects and authentication bypass weaknesses. It ranks findings by severity and generates natural language explanations with suggested fixes. It reasons about your code the way a human security researcher would.[1]

That's not an incremental improvement. That's a categorical shift in what "security tooling" means. And the legacy vendors can't replicate it because they don't have the foundational models. They'll bolt on API calls to OpenAI or Anthropic and call it "AI-powered," but that's renting the revolution, not owning it.

Why AI labs have the structural advantage

Security is fundamentally an adversarial reasoning problem. Attackers don't follow signatures. They find novel paths through complex systems. Defending against that has always required human judgment: reading code, understanding context, mapping trust boundaries, thinking like an attacker. That's exactly what large language models are getting good at.

Anthropic's structural advantage is threefold:

AI Research new model capability weeks Product Team prototypes feature weeks Ship Feature security product Customers validate + feedback feedback informs next research cycle Anthropic: weeks from research to product Legacy vendors: quarters from vendor API call to shipped feature

First, they own the model. They're not integrating someone else's reasoning engine; they're building it. When they discover a new capability relevant to security, the product team is sitting next to the research team that made it happen. The feedback loop from "this model can now reason about X" to "ship it as a security feature" is measured in weeks, not quarters.

Second, they're prototyping from the future backwards. The Cybersecurity Products team isn't constrained by ten years of legacy architecture. They're not trying to make an endpoint agent smarter. They're asking: if you had a reasoning engine that could understand code, map data flows, and think adversarially, what would you build? The answer looks nothing like what exists today.

Third, the economics are inverted. Traditional security vendors need large sales teams, long procurement cycles, and per-seat pricing to justify their existence. An AI-native security tool that ships as a feature of your existing development workflow, integrated into CI/CD, available inside the IDE, doesn't need any of that. It just works where you already are.

What AI-native endpoint security actually looks like

I work at Palo Alto Networks. I build security products. So when I say that a reckoning may be coming for the endpoint security industry, I'm not saying it from the cheap seats. I'm saying it because I can see what's possible and I can see how far the current paradigm is from it.

Here's what someone could build if they started from a reasoning engine instead of a signature database:

Process Telemetry syscalls, memory, network AI Reasoning Engine understands intent, not just patterns Intent Analysis "this process is trying to execute code as svchost.exe" Kill Chain Mapping traces lateral movement, identifies initial access Surgical Response isolate credential, not host; contain without collateral Plain-English Report "attacker used CVE-XXXX via phishing to pivot to DC"

Imagine an endpoint agent that doesn't pattern-match on known-bad hashes or YARA rules but actually understands what a process is doing and why. A PowerShell script downloads a payload, reflectively loads a DLL, and injects into a trusted process. Today's EDR flags this based on a behavioral rule someone wrote: "PowerShell + download + injection = suspicious." The rule works until the attacker changes the sequence, obfuscates the commands, or uses a different LOLBin. The rule is brittle because it encodes the "what" without understanding the "why."

An AI-native endpoint agent could reason about intent. It wouldn't need a rule for every permutation. It would understand that a process is attempting to execute arbitrary code in the context of another process and that this behavior is inconsistent with the application's purpose. The same reasoning that lets Claude read code and find authentication bypasses would let it read process telemetry and find kill chains in real time.

Take it further. Today's incident response workflow is: alert fires, SOC analyst triages, analyst pivots through logs, analyst builds a timeline, analyst escalates or closes. That's a reasoning task. An AI-native endpoint could collapse the entire triage-investigate-respond loop into something that happens at machine speed. Not "auto-quarantine the host." That's a blunt instrument. Actual reasoning: trace the lateral movement path, identify the initial access vector, determine blast radius, surgically isolate the compromised credential, and generate a plain-English incident report. All before a human SOC analyst finishes reading the first alert.

Or consider memory forensics. Today it requires a specialist who can read hex dumps and understand PE structures. An AI that can reason about memory layouts could identify injected code, packed malware, and rootkit hooks not by matching signatures but by understanding what shouldn't be there. It could explain in natural language exactly what was modified, how the attacker got in, and what they were trying to do.

This isn't science fiction. Every one of these capabilities is a straightforward application of the reasoning skills that models like Claude already demonstrate in other domains. The gap isn't intelligence. It's infrastructure: getting the right telemetry to the model, at the right latency, with the right context window. That's an engineering problem. And Anthropic just hired an endpoint security director to solve it.

This isn't just Anthropic

OpenAI launched Aardvark roughly four months before Claude Code Security. It tests vulnerabilities in isolated sandboxes to assess exploitation difficulty.[1] The AI labs are converging on security as an obvious application of reasoning capabilities because it is one. The question isn't whether AI eats cybersecurity. It's how fast, and who gets displaced.

The next move is obvious: integrate these tools directly into CI/CD pipelines to automatically prevent vulnerable code from ever being deployed. That's a capability established vendors already offer in primitive form with SAST and DAST scanners. But those tools flag everything and understand nothing. An AI-native version that actually reasons about exploitability, prioritizes real risk, and explains its findings in plain English doesn't just compete with legacy scanning. It replaces it entirely.

What the stock drop actually means

The market's reaction on February 20th wasn't about Claude Code Security being a finished product. It's a research preview. The market was pricing in the trajectory. If Anthropic can ship a tool in limited preview that reasons about code security better than the static analysis tools companies pay millions for, what happens when it's generally available? What happens when it's integrated into every Claude-powered development environment? What happens when it expands from code review to runtime detection, incident response, and threat hunting?

The answer is that a significant chunk of what the cybersecurity industry sells today becomes a feature, not a product. And features don't command $30B market caps.

The uncomfortable conclusion

I build security products at Palo Alto Networks. I'm not writing this from the outside. And the honest assessment is this: the cybersecurity industry as we know it is about to be fundamentally restructured by AI, and the restructuring won't be led by the incumbents. It will be led by the AI labs who can reason about security from first principles, prototype at research speed, and ship into workflows where developers and operators already live.

The legacy vendors, including the one that employs me, will acquire, partner, and rebrand. Some will adapt. Most will slowly become irrelevant in the same way that antivirus companies became irrelevant when the threat landscape moved past signature matching. The difference is that this time the displacement won't take a decade. It'll take a product cycle.

Anthropic is hiring engineers to "prototype new ideas and build from the ground up" at the intersection of AI research and cybersecurity product development, paying $320K-$405K. That's not a job posting. That's a declaration of intent. And the market heard it loud and clear.

I'll admit: when I saw what they were building, I threw my hat in the ring. When you spend years building security products and then see a team that's rethinking the entire problem from the model layer up, it's hard not to want a seat at that table. Whether or not I end up there, the direction is unmistakable. The future of cybersecurity is being prototyped right now, and it's not happening at the vendors.

Sources

  1. SiliconAngle -"Cybersecurity stocks drop as Anthropic debuts Claude Code Security" (February 2026). Link
  2. Anthropic -"Software Engineer, Cybersecurity Products" job posting. Link