Businesses are investing great sums of money in generative AI – to the point that GenAI spending in 2025 will be nearly seven times greater than it was in 2022, according to IDC historical data and forecasts.
Where is all that money going? In many cases, it’s cybersecurity, which ranks at the top of the list of factors driving increased IT spending in 2024.
Now, the question that CISOs must answer is whether spending on GenAI tools and services is worth it. Which cybersecurity capabilities does GenAI unlock? And what are the risks that GenAI investments in this domain will turn out to be duds that fail to create real value?
One way to gain perspective on those questions is assessing the extent to which AI has noticeably impacted cybersecurity tools. This can be challenging given the varied ways in which tool vendors describe AI-based features. But through a systematic analysis of the AI capabilities that are actually available today – as opposed to features that vendors have promised or theorized but not yet implemented – it’s possible to gain an accurate assessment of the extent of AI’s impact on the cybersecurity space.
To that end, this article explains how GenAI is, and isn’t, currently in use within the realm of cybersecurity. (To be clear, the focus here is on the extent to which cybersecurity tools have implemented AI-based features, as opposed to novel cybersecurity threats posed by AI technology – an important but quite different topic.)
AI vs. GenAI in cybersecurity
An assessment of AI’s impact on cybersecurity solutions must begin with the observation that AI in general is not novel within the cybersecurity space. For years, cybersecurity tools have routinely employed AI technology to power analytical processes, such as detecting anomalies within IT systems that could be a sign of an attack.
GenAI, however, is a different type of AI technology, and one that opens up interesting new possibilities for cybersecurity tool vendors and their customers. With GenAI, AI-based use cases in cybersecurity extend far beyond analytics.
Applying GenAI to cybersecurity challenges
To understand what those use cases are, let’s walk through the ways in which GenAI applies to four key cybersecurity domains: security operations, application security, cloud security, and phishing mitigation. Within each category, we’ll discuss specific examples of GenAI-based features that are currently available – and their limitations.
Security Operations
Security operations, which focuses on finding and responding to threats, is at the heart of modern cybersecurity. In this realm, standout GenAI features include:
Automatically summarizing alerts to help analysts make sense of high volumes of alert data more quickly. Vendors like Google and Elastic currently offer this feature in their cybersecurity tools.
Using natural language (instead of code-based queries, which require time and skill to write) to ask questions about cybersecurity data like log files. This capability is available from vendors such as CrowdStrike and Splunk.
The main benefit of these AI features is that they help teams work faster and more efficiently – especially in cases where staff are less experienced, and therefore less capable of performing tasks like parsing high volumes of alerts quickly. However, there is a risk that GenAI tools will draw inaccurate conclusions when summarizing information or translating natural language into query code.
Application security
In application security, the main GenAI-based feature that vendors have brought to market to date is the ability of application scanning tools to generate code that fixes security flaws. This is available through platforms like Snyk and Veracode.
In some ways, this type of feature resembles code generation capabilities available from generic AI-powered software development tools, such as GitHub Copilot, which can also help to manage application security issues. But by integrating this capability directly into application security platforms, vendors have made it a bit easier for security teams to find and fix application security risks faster.
Cloud security
Cloud security is a domain where GenAI has had little impact so far – likely because traditional, rules-based scanning tools were effective at detecting cloud security risks (like cloud services that lacked adequate access controls) prior to the advent of GenAI.
Thus, it’s unsurprising that GenAI-based cloud security features are mostly limited to capabilities like asking questions in natural language to parse cloud security data (a feature available from vendors like Orca).
Phishing mitigation
Detecting and blocking phishing content is another area where GenAI opens some new opportunities, but does not break fundamentally new ground. The main use case for generative AI in the realm of phishing is using GenAI to detect and remove phishing messages, a capability available from vendors like Ironscales.
However, it’s possible to identify content that is likely to be part of phishing campaigns via other means, such as analysis of the sentiment of messages and of metadata about message origins and delivery trends. Thus, GenAI in this space mostly offers a new way of accomplishing an old task.
What’s the value of AI in cybersecurity tools?
In sum, it’s clear that cybersecurity teams can benefit here and now from GenAI-based capabilities – but the value is limited. None of the GenAI features brought to market so far are fundamentally disruptive; most are incremental improvements, at best.
In addition, many of the available features are of value primarily for cybersecurity teams with less experience. Seasoned analysts are less likely to benefit from GenAI tools because they are already adept at performing complex tasks without assistance from GenAI.
For CISOs, the takeaway is that investing in cybersecurity tools featuring GenAI capabilities makes sense – to a point. It’s important to recognize the limitations of the value and to avoid purchasing shiny new AI features that don’t actually solve an organization’s specific cybersecurity challenges.
International Data Corporation (IDC) is the premier global provider of market intelligence, advisory services, and events for the technology markets. IDC is a wholly owned subsidiary of International Data Group (IDG Inc.), the world’s leading tech media, data, and marketing services company. Recently voted Analyst Firm of the Year for the third consecutive time, IDC’s Technology Leader Solutions provide you with expert guidance backed by our industry-leading research and advisory services, robust leadership and development programs, and best-in-class benchmarking and sourcing intelligence data from the industry’s most experienced advisors. Contact us today to learn more.
For a deeper and broader analysis of GenAI’s impact on cybersecurity, check out IDC’s publication “Generative AI in Cybersecurity Tools: Distinguishing Hype from Value.”
Christopher Tozzi, an adjunct research advisor for IDC, is senior lecturer in IT and society at Rensselaer Polytechnic Institute. He is also the author of thousands of blog posts and articles for a variety of technology media sites, as well as a number of scholarly publications.Prior to pivoting to his current focus on researching and writing about technology, Christopher worked full-time as a tenured history professor and as an analyst for a San Francisco Bay area technology startup. He is also a longtime Linux geek, and he has held roles in Linux system administration. This unusual combination of “hard” technical skills with a focus on social and political matters helps Christopher think in unique ways about how technology impacts business and society.
