When AI met Cybersecurity

Traditional cybersecurity tools have become powerless to address new threats. The stage is therefore set for a long romance between powerful and effective AI-based security tools and users in distress.

Bottom line

With the increasing digitization of our societies, cybersecurity has become a crucial issue. However, legacy threat-mitigation techniques cannot keep up with the exponential increase in the level of data traffic, as well as with the inventiveness of malicious players.

This is where Artificial Intelligence kicks in: far from being an aspirational technology, it already powers products from a large array of cybersecurity players, and has allowed companies who extracted the most of it to blaze a trail toward market dominance at the expense of legacy players.

Executive Summary

Big Data is crushing security 

  • Data generation has become exponential and is now originating from critical segments of our lives and societies, hence becoming ultra-sensitive.

  • Criminals have taken notice of this profitable opportunity, hence a rapidly deteriorating cyberthreats landscape.

  • Legacy techniques have become obsolete to newer threats, prompting the need for a new generation of tools.

Artificial Intelligence: the perfect match

  • Artificial Intelligence allows cyber defenses to be proactive instead of reactive, greatly improving their efficiency.

  • The technology relies on behavioral analytics, which can detect abnormal patterns from users or machines in real-time.

  • Such tools save a great deal of time to IT teams and enable them to focus on actual threats.

Not a matter of when, but of who

  • The technology is not futuristic, but has already been deployed at a large scale by a new generation of players. 

  • Endpoint security company CrowdStrike has risen to a leading position less than 10 years after being founded.

  • With barriers to acceptance falling down, success calls for success and will pave the way to broader adoption of AI-based technologies.

Big Data is crushing security 

An ever-expanding digital landscape

It has become complicated, if not truly impossible, to go against the digitization train: digital technologies have already become ubiquitous, and yet their penetration rate has still much room to go. Once limited to niche applications, they have first generalized in the professional world, before witnessing a massive acceleration in our personal lives with the combined rise of the internet and smartphones. We have now reached a point where even critical infrastructure (e.g., water treatment plants) is one way or another becoming connected to the internet, despite not being designed for this. Consequently, the amount of data generated by human and machine activities and transiting on communication networks is exploding: according to IDC, global data creation and replication reached 64.2 zettabytes in 2020 vs. 6.5 zettabytes in 2012; this amount is expected to reach 181 zettabytes in 2025, corresponding to a 23% 2020-25 CAGR. Above all, as digitization progressively penetrates every aspect of our lives, this Big Data is also becoming ever more sensitive, e.g., healthcare status or confidential business operations. 

Threats are rapidly surging

This fact did not escape criminal groups, as they found it represented a lucrative opportunity. The number of cyberattacks is therefore increasing rapidly, with a 15% growth in 2021 alone, and the cost of cybercrime is estimated to be at least over $1tn. Ransomware, which encrypts data and only gives a deciphering key in exchange for a hefty payment, is exploding in popularity thanks to its relatively low sophistication and availability as Ransomware-as-a-Service. And when attacks do not originate from cybercriminals, they are launched by state-sponsored groups (especially Russian and Chinese ones) to break into enemy State agencies, as demonstrated by the SolarWinds attack. In short, resourceful players have a strong incentive to rapidly innovate in developing attack vectors, meaning that no one is safe.

Legacy techniques cannot keep up

The pace of innovation has become too rapid for legacy technologies. Traditional endpoint security services such as antivirus software, which rely on a database of threat signatures to detect attacks, are no longer up to the task. The increasing number of exposure points (think millions of assets interconnected through the cloud) leads to an exponential growth in the probability of attack. In addition, they are hardly mobile and IoT-friendly, as their tracking engine is demanding in terms of computing power. Finally, they need acute human supervision to filter false positives at a time when the sector is under a heavy shortage of skilled professionals. A technological jump is therefore much needed to catch the bad guys.

Artificial Intelligence: the perfect match

Reactive is not enough, proactive is the new standard

As mentioned above, traditional defense software relying on threat signatures is inherently reactive technology: in order to identify a threat, you have to know where to look, similar to a living organism fighting a disease. Of course, this implies having an idea of what the foe looks like, which can work rather well for variations of a threat, but requires a period of adaption when defending against new kinds of attack vectors, during which much damage can be done, considering the average breach is only discovered after 287 days. Cybercriminals have of course adapted and are now using camouflage techniques to mask their signature and escape detection. And in some cases, such systems are simply blind to attacks, e.g. when attackers use fileless malware leaving no code running within the operating system's boundaries. 

This is where AI comes to save the day. Such systems indeed operate on a transversal scale, running a very lightweight telemetry software locally, while all the heavy lifting is done remotely on a central server. This allows such tools to run on basically every kind of device, thus enabling a quasi-real-time panoramic view of a broad variety of potential threats and instant reaction as soon as a new threat is detected. But the actual breakthrough comes with advanced behavioral analytics, which propels defense techniques into an entirely new league.

Behavioral analytics, the reactor core

Instead of targeting signatures, AI enables the analysis of behaviors. As it is in everyday life, users' behavior in a network or processes' behavior on a device is generally following some sort of routine, e.g., connecting from the same geographical locations to the same network nodes, or accessing a defined quantity of specific resources. Thanks to Machine Learning and to techniques such as graph databases, which store nodes and relationships between data points, AI tools run through vast quantities of data to establish normal activity patterns. As legitimate behaviors can change over time, the system is flexible enough to take this into account; however, when a sudden change is detected (e.g., an occasional peripheral user suddenly requiring access to gigabytes of confidential data stored on a central database), the connection will be automatically blocked and a red flag will be waived to conduct further analysis. Such techniques thus allow detecting a broad range of threats against which traditional tools would be powerless (e.g., insider threats with legitimate credentials). 

Saving precious time for IT teams

Such tools allow saving precious time for busy professionals. IT teams indeed rely on log review to conduct their analysis and to take decisions. These logs are generated by any event considered abnormal according to a predefined set of rules, implying a large number of false positives, which must be painstakingly identified as such. AI tools thus enable a high degree of automation, allowing IT teams to focus on actual threats.

Not a matter of when, but of who

A technology already "combat-proven" underpinning market share gains

The use of Artificial Intelligence in cybersecurity is far from being futuristic, as many players have already deployed the technology in operational products, or at least claim to do so. The poster child of this technology is CrowdStrike, a company active in Endpoint Security and founded in 2011, but which nevertheless reached a #1 market share in the corporate segment in 2021, a meteoric rise made at the expense of household names such as McAfee or Symantec (acquired in 2019 by semiconductor juggernaut Broadcom ) and built on the large superiority of its solution over competitors. Other high-visibility new names such as SentinelOne or Darktrace could be mentioned, but another interesting example is Microsoft , which managed to build a successful cybersecurity franchise and turned its Defender software from a laughing stock to a more than serious alternative in the consumer segment (albeit, surely helped by being shipped with every Windows 10 system). AI technologies are also enabling a new generation of firewalls, which can conduct so-called deep packet inspection without any degradation of service for users and with much higher security and flexibility than traditional rule-based firewalls.

A wider acceptance paving the way for further use

The increasing popularity of AI technologies was not a given thing, as IT teams could legitimately feel threatened by a tool that they saw had the potential to replace them. Others feared that giving the keys to the kingdom to a machine would be utterly dangerous. In the end, it is far from being the case: professionals have understood that such tools had the power not only to simplify their lives but also to give them a reach they could not have possibly dreamed of. The success of such applications calls for additional ones through a snowball effect, and will inevitably lead to the technology becoming increasingly popular. This will in turn open the door for attractive investment opportunities, as a new generation of players will challenge former leaders unable to adapt to the new reality. Our cybersecurity exposure, integrated within the Security & Space theme, precisely targets players having made this pivot (e.g., CrowdStrike, our biggest position) in subsegments such as Network, Endpoint and Cloud security, and we carefully monitor the sector to detect and exploit new investment opportunities. 


  • Struck by reality. Traditional technologies are running out of steam, creating business and reputational risks for companies that are not upscaling their cyber-defenses. As they realize the significant implications of lagging behind, such companies will have to reverse course, and fast.  

  • Regulation. Regulatory authorities and governments are upping security standards to face the increasing number and importance of threats. Businesses will have no choice but to follow.

  • Shift to cloud. Businesses are increasingly shifting to cloud services for cost reasons and to adapt to the new technological landscape. AI tools are perfectly adapted to such a framework.


  • The winner takes it all. AI tools benefit from the network effect. Players with a huge user base could capture most of the market.

  • Cost-benefit tipping point. AI-powered solutions are not cheap due to the heavy infrastructure required to power them. This could delay their adoption.

  • Adaptation of threats. Cybersecurity is a never-ending cat-and-mouse game between attackers and defenders. The formers will ultimately find a way to defeat, at least partially, AI tools.

Companies mentioned in this article

Broadcom (AVGO); CrowdStrike (CRWD); Darktrace (DARK); Microsoft (MSFT); SentinelOne (S)




This report has been produced by the organizational unit responsible for investment research (Research unit) of atonra Partners and sent to you by the company sales representatives.

As an internationally active company, atonra Partners SA may be subject to a number of provisions in drawing up and distributing its investment research documents. These regulations include the Directives on the Independence of Financial Research issued by the Swiss Bankers Association. Although atonra Partners SA believes that the information provided in this document is based on reliable sources, it cannot assume responsibility for the quality, correctness, timeliness or completeness of the information contained in this report.

The information contained in these publications is exclusively intended for a client base consisting of professionals or qualified investors. It is sent to you by way of information and cannot be divulged to a third party without the prior consent of atonra Partners. While all reasonable effort has been made to ensure that the information contained is not untrue or misleading at the time of publication, no representation is made as to its accuracy or completeness and it should not be relied upon as such.

Past performance is not indicative or a guarantee of future results. Investment losses may occur, and investors could lose some or all of their investment. Any indices cited herein are provided only as examples of general market performance and no index is directly comparable to the past or future performance of the Certificate.

It should not be assumed that the Certificate will invest in any specific securities that comprise any index, nor should it be understood to mean that there is a correlation between the Certificate’s returns and any index returns.

Any material provided to you is intended only for discussion purposes and is not intended as an offer or solicitation with respect to the purchase or sale of any security and should not be relied upon by you in evaluating the merits of investing inany securities.