CISO's perspective from the frontlines

Cybersecurity Literacy in the Age of AI (Part 1)


If you just dropped into the security industry today and are listening to the chatter, you’d be forgiven for thinking that AI in cybersecurity was invented in the last couple of years. Every vendor, analyst, and conference keynote talks about it like it’s a brand-new thing.

But here’s the thing—it isn’t.

Machine learning has been used for security for decades. Spam filters, phishing detectors, intrusion detection systems—these were applying statistical models to separate “normal” from “suspicious” long before anyone put “next-generation agentic AI-powered” on their marketing slides.

The technology has been evolving quietly in the background for a long time. What’s changed recently is the nature of the AI—and that actually matters quite a bit. We’ll get to that.

But first, let’s talk about how we got here. Because the story is more interesting—and more instructive—than most people realize.

Cloud, Big Data, and the “Collect Everything” Mindset

Around the late 2000s, something important changed: the economics of data shifted. Cloud computing and commodity storage made it dramatically cheaper to keep large volumes of logs, telemetry, and events online for longer periods. In addition, APIs made it easy to pipe data from one system to another at scale. At the same time, NoSQL and big data technologies matured, making it feasible to ingest and analyze data at massive scales without needing a data center full of expensive, proprietary hardware—something that would have been impractical just a few years earlier.

Unsurprisingly, cybersecurity followed the broader IT trend. If you could centralize and retain more data, you could, in theory, build better detection and response. SIEM platforms and related tools began positioning themselves as the elusive “single pane of glass,” promising holistic visibility across endpoints, networks, applications, and cloud infrastructure. The prevailing assumption was simple: more data plus more analytics equals better security.

Since then, almost every cybersecurity vendor has sounded exactly the same: “We give the CISO and security team visibility.” But the bigger question is: what do we actually do with that visibility? How do we make sense of all that data so we can take action? Is it actually actionable?

Visibility that is not actionable is just noise.

While the amount of collected data grew exponentially, overall security effectiveness didn’t improve at the same rate. The vast majority of data provided by modern security tools is not actionable, mostly because the broader context is missing or unknown. Therefore, it is often ignored or dismissed as a false positive.

Here’s the uncomfortable truth that anyone who’s actually worked in a SOC knows: collecting data is not the same as understanding it. Having visibility into everything is meaningless if you can’t tell the difference between an alert that matters and one that doesn’t.

The “collect everything” mindset didn’t make security teams more effective. In many cases, it made them less effective—buried in noise, chasing low-quality alerts, while genuinely important signals got lost in the volume.

The Intelligence Process (Or Lack Thereof)

Cybersecurity teams need to transform raw, disparate data into meaningful insight by filtering, structuring, and analyzing it to support decisive action. Because data is rarely complete, cybersecurity professionals must rely on structured analytic techniques to bridge the gaps.

Similar to scientific research, this process involves formulating hypotheses, identifying patterns, and using inductive reasoning to infer missing pieces based on historical context and known behaviors. The goal is to reduce uncertainty and assess probabilities, constructing a coherent framework that allows analysts to make informed decisions despite incomplete information.

While structured intelligence has been practiced by militaries and nation-states for generations, it remains almost non-existent outside of the government or law enforcement sectors. However, intelligence is critical for effective modern cybersecurity. True intelligence requires quality data, skilled professionals, and the creativity to map information against the proper context—because the exact same data point can mean entirely different things depending on the environment.
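Here is a concrete illustration of the two points above, that visibility without context is noise and that the same data point means different things in different environments. It is an added example written for this post, not a tool or code described in the original; the asset inventory, the privileged-user group, the event fields and the scoring weights are all constructed for illustration. The same remote-execution event is scored three times, once from a sanctioned admin jump host, once from an end-user workstation at 2 a.m., and once from a host nobody has inventoried, and every verdict carries the reasons behind it so an analyst can challenge it.

```python
"""Context-aware alert triage.

Added example, not from the original post: it shows why the same raw event
is noise from one host and a genuine signal from another.  The asset
inventory, user groups, event fields and scoring weights below are all
constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed asset inventory: the context a bare event stream usually lacks.
ASSETS = {
    "jump01": {"role": "admin_jump_host", "tier": 0},
    "ws-217": {"role": "workstation", "tier": 2},
    "dc01":   {"role": "domain_controller", "tier": 0},
    "fs02":   {"role": "file_server", "tier": 1},
}
ADMIN_USERS = {"ops.admin"}          # constructed privileged-user group
BASE_SCORE = {"remote_service_create": 40, "failed_logon": 10, "new_process": 5}


@dataclass
class Event:
    kind: str   # event type, e.g. "remote_service_create"
    src: str    # originating host
    dst: str    # target host
    user: str   # account that performed the action
    hour: int   # local hour of day (0-23)


@dataclass
class Verdict:
    priority: str              # "low" | "medium" | "high"
    score: int                 # 0-100
    reasons: list = field(default_factory=list)   # why the score is what it is


def triage(ev: Event, assets=ASSETS, admins=ADMIN_USERS) -> Verdict:
    """Score one event against its context and record every adjustment."""
    score = BASE_SCORE.get(ev.kind, 20)
    reasons = [f"base score for {ev.kind}: {score}"]
    src = assets.get(ev.src)
    dst = assets.get(ev.dst)

    if src is None:
        score += 30
        reasons.append(f"source {ev.src} is not in the asset inventory")
    elif src["role"] == "admin_jump_host" and ev.user in admins:
        score -= 35
        reasons.append("privileged user acting from a sanctioned jump host")
    elif src["role"] == "workstation":
        score += 25
        reasons.append("source is an end-user workstation")

    if dst is not None and dst["tier"] == 0:
        score += 20
        reasons.append(f"target {ev.dst} is a tier-0 asset")
    if not 8 <= ev.hour < 18:
        score += 10
        reasons.append("outside business hours")

    score = max(0, min(100, score))
    priority = "high" if score >= 60 else "medium" if score >= 30 else "low"
    return Verdict(priority, score, reasons)


def triage_queue(events):
    """Triage a batch and return it highest-priority first, so the analyst
    works the queue top-down instead of wading through everything."""
    verdicts = [(ev, triage(ev)) for ev in events]
    verdicts.sort(key=lambda pair: pair[1].score, reverse=True)
    return verdicts


# Constructed sample: the identical remote-execution event from three sources.
SAMPLE_EVENTS = [
    Event("remote_service_create", "jump01", "dc01", "ops.admin", 10),
    Event("remote_service_create", "ws-217", "dc01", "j.smith", 2),
    Event("remote_service_create", "lab-vm-9", "fs02", "j.smith", 14),
    Event("failed_logon", "ws-217", "fs02", "j.smith", 14),
]

if __name__ == "__main__":
    for ev, v in triage_queue(SAMPLE_EVENTS):
        print(f"{v.priority:6} {v.score:3}  {ev.kind} {ev.src}->{ev.dst} as {ev.user}")
        for r in v.reasons:
            print(f"            - {r}")
```

The point of the example is not the particular weights, which any real team would tune, but that the base event alone never decides the outcome: the inventory, the user group and the time of day do, and the reasons list is what turns a number into something an analyst can act on or push back against.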

The “Security Data Scientist” Who Was Supposed to Save Us

For a while, the industry’s answer to this data deluge was to hire a “security data scientist.” This was someone who could build and tune custom detection models, write statistical analyses of threat behavior, and extract insights from massive data lakes that regular analysts couldn’t navigate.

In theory, it was a great idea. In practice? These professionals are incredibly rare—and expensive. The overlap between deep data science expertise and real-world security domain knowledge is genuinely small. Because data science talent commands sky-high salaries across every industry, most security teams—even well-funded ones—simply couldn’t compete.

Consequently, this role mostly existed in the R&D arms of large vendors or within a small number of elite, in-house teams at major banks or defense contractors. For the vast majority of organizations, “AI-powered security” remained something you bought and trusted, not something you built or truly understood.

To be fair to the industry, machine learning did genuinely improve certain categories of security tools. The shift from signature-based to behavior-based malware detection was real and meaningful. Instead of just matching files against a list of known-bad hashes, tools started modeling what malicious code does—how it behaves, what it touches, how it communicates—allowing them to catch threats they’d never seen before.

Similarly, ML began to power anomaly detection in network and log analytics, surfacing subtle patterns across many weak signals that rule-based systems would have missed entirely. These were genuine improvements, but there was a catch that never quite got resolved: almost nobody could explain how these models actually worked.

They were black boxes. You received an alert, a risk score, or a critical flag, and you were essentially asked to trust that the vendor’s proprietary model had done something smart underneath. There was no practical way for most teams to validate efficacy, understand failure modes, or challenge the model’s reasoning.
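To make the signature-versus-behaviour distinction concrete, and to show what a non-black-box verdict looks like, here is an added example written for this post; it is not code from the original or from any vendor product. The sample bytes, the behaviour traces, the indicator weights and the thresholds are all constructed for illustration. A hash lookup can only catch a file it has already catalogued, while the behaviour scorer rates what the code did, and it returns the list of indicators that fired alongside the score, which is exactly the explanation the black-box products of that era did not give you.

```python
"""Signature-based versus behaviour-based detection, with the behaviour
verdict explained rather than returned as an opaque score.

Added example, not from the original post or any vendor product.  The
sample bytes, behaviour traces, indicator weights and thresholds are all
constructed for illustration.
"""
import hashlib
from ipaddress import ip_address

# --- Signature approach: match a file hash against a known-bad list -------
KNOWN_BAD_HASHES = {hashlib.sha256(b"constructed-known-bad-sample").hexdigest()}


def signature_verdict(sample: bytes) -> bool:
    """True only if this exact file has been seen and catalogued before."""
    return hashlib.sha256(sample).hexdigest() in KNOWN_BAD_HASHES


# --- Behaviour approach: score what the code does, whatever its hash ------
def _is_raw_ip(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


# indicator name -> (weight, predicate over the list of observed actions)
INDICATORS = {
    "persists_via_autorun_key": (30, lambda t: any(
        a["type"] == "registry_write" and a["key"].endswith("\\Run") for a in t)),
    "stops_security_service": (40, lambda t: any(
        a["type"] == "service_stop" and a["name"] in {"av_service", "edr_agent"} for a in t)),
    "connects_to_raw_ip": (20, lambda t: any(
        a["type"] == "net_connect" and _is_raw_ip(a["host"]) for a in t)),
    "mass_modifies_user_files": (40, lambda t: sum(
        1 for a in t if a["type"] == "file_write" and a["path"].startswith("C:\\Users\\")) >= 50),
}
MALICIOUS_AT, SUSPICIOUS_AT = 60, 25


def behaviour_verdict(trace):
    """Return (label, score, fired) where `fired` names every indicator that
    contributed, so an analyst can see why the model said what it said."""
    fired = [name for name, (_, pred) in INDICATORS.items() if pred(trace)]
    score = min(100, sum(INDICATORS[name][0] for name in fired))
    label = ("malicious" if score >= MALICIOUS_AT
             else "suspicious" if score >= SUSPICIOUS_AT else "benign")
    return label, score, fired


# Constructed traces (no real malware): a never-before-seen sample that
# behaves badly, and an ordinary installer that shares one weak signal.
UNSEEN_SAMPLE = b"constructed-unseen-bytes-0001"
UNSEEN_TRACE = [
    {"type": "registry_write", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"},
    {"type": "service_stop", "name": "edr_agent"},
    {"type": "net_connect", "host": "203.0.113.7", "port": 8443},   # TEST-NET-3 address
]
INSTALLER_TRACE = [
    {"type": "file_write", "path": "C:\\Program Files\\Example\\app.exe"},
    {"type": "registry_write", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"},
    {"type": "net_connect", "host": "updates.example.com", "port": 443},
]

if __name__ == "__main__":
    print("signature:", signature_verdict(UNSEEN_SAMPLE))      # False: hash never seen
    print("behaviour:", behaviour_verdict(UNSEEN_TRACE))       # malicious, with reasons
    print("installer:", behaviour_verdict(INSTALLER_TRACE))    # one weak signal only
```

Note the installer trace: it shares the autorun indicator with the bad sample and lands at "suspicious", not "malicious". That is the weak-signal problem from the paragraph above in miniature, and because the fired list is returned you can see that a single persistence write is the only thing behind the score, rather than having to trust a number.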

Marketing, on the other hand, accelerated well ahead of reality. By the mid-2010s, “AI/ML” had become a mandatory slogan on every vendor slide deck—applied so broadly that it lost almost all meaning.

Then LLMs Showed Up and Changed Everything

The emergence of Large Language Models (LLMs)—and their rapid popularization starting in late 2022—is genuinely different from what came before, and it’s worth being specific about why.

The tools and techniques that existed previously required deep specialization to use directly. You needed statistical modeling skills, ML engineering experience, or at minimum, a data science background to build or meaningfully interact with those systems. For most practitioners, AI remained something that happened inside the products they bought, not something they could pick up and apply themselves.

LLMs completely changed the interface.

You don’t need to understand gradient descent or write PyTorch code to start using these models for real security work—like threat intel research, log triage, detection rule development, policy drafting, explaining complex code, or automating repetitive analysis tasks. Instead, you can simply use natural language. For the first time, the core capability of AI is accessible to a frontline analyst, not just a data scientist or a well-funded vendor team. That’s a massive, meaningful shift.

From AI Literacy to AI Fluency in Cybersecurity

That shift raises the bar for what it means to be effective in cybersecurity, creating an opportunity to provide practitioners with genuine superpowers. It is no longer enough to be vaguely “AI-aware” or to recognize buzzwords on vendor datasheets. Practitioners need to understand, at a working level, how to:

  • Frame security problems effectively: Moving past generic questions to construct precise queries that produce reliable, actionable outputs.
  • Critically evaluate model outputs: Recognizing when an LLM is hallucinating, oversimplifying, or missing critical security context.
  • Integrate AI into existing workflows: Combining AI capabilities with current tools in ways that actually reduce workloads and improve detection, rather than just adding another dashboard to manage.
  • Understand new AI-specific risks: Defending against prompt injection, data leakage, and model abuse, because these are now part of the active threat landscape.

In other words, we need to move from AI literacy (“I know what this is and roughly how it works”) to AI fluency (“I can reliably use this to solve real security problems, and I understand its failure modes”).

That fluency isn’t about turning every practitioner into a data scientist. It’s about giving analysts, engineers, architects, and leaders the conceptual and practical tools to treat AI as a part of their craft, rather than just a feature in a tool they buy.

To put it another way: literacy is like knowing how to drive, but fluency is doing it smoothly, accurately, and with little conscious effort. It becomes second nature. Being fluent allows you to focus entirely on the destination, rather than worrying about how to operate the vehicle.

As we’ve discussed, many of our core cybersecurity challenges stem from system complexity and massive amounts of messy data. Humans are inherently limited in their capacity to process vast amounts of data at speed and scale across wildly different environments.

AI fluency provides practitioners with the superpowers needed to unlock those insights, clear the noise, and finally reach new destinations.

More about that in Part 2…

About the author


Yaron is a seasoned, multi-industry cybersecurity leader. He is a two-time CISO, a Research Fellow for the Cloud Security Alliance, a security tinkerer, an advisory board member for several cybersecurity startups and venture firms, and a mentor to other CISOs and members of the security community.

By yaron