← Tools I Use

The AI cybersecurity hype is real, and so is the gap between the deck and the deployment

2026-06-01 · ~8 min read · Conor Dobbs

Somebody on r/cybersecurity hit 765 upvotes asking if anyone else was losing their mind over the "AI cybersecurity" hype. Yes. The answer is yes. Every practitioner I talk to is having the same conversation, and it's worth saying out loud what's happening so we can stop pretending the emperor is dressed.

The pitch goes like this. Vendor X has an "AI-powered" platform. It triages alerts, reduces analyst workload by 90 percent, autonomously investigates threats, contains incidents, and makes the SOC analyst job a quaint historical footnote. The deck is gorgeous. The demo is smooth. The price is six figures and growing.

Then you deploy it.

What actually shows up in production

A recent practitioner write-up tested an LLM-based triage tool against 348 known false positives and one synthetic true positive. The tool got 71 percent accuracy. It called obvious false positives malicious. It missed the planted incident entirely. That's the part nobody puts on the slide.

The Microsoft and Omdia State of the SOC 2026 report says 46 percent of alerts are false positives. The 2025 SANS detection and response survey says 73 percent of teams name false positives as their top detection challenge. SOC teams are looking at around 11,000 alerts per day with only 22 per analyst that warrant investigation. The AI is supposed to fix this. Some of the better tools (Radiant, Cortex XSIAM, Sentinel) do meaningfully reduce noise. Most do not. And almost none deliver what the vendor promised in the room.

Help Net Security ran a piece in March 2026 that put it bluntly: "AI SOC vendors are selling a future that production deployments haven't reached yet." That's the headline. That's the story.

The ai-washing tax

There's a name for what's happening. Ai-washing. A vendor takes a regex engine, a correlation rule, or a half-trained classifier, slaps "powered by AI" on the box, and triples the price. One security analyst put the estimate at 80 percent of "AI-powered" security tools being misleading. 77 percent of IT leaders report using AI-driven security products. Only 66 percent say they understand how the AI improves outcomes. That 11-point gap is the entire problem in one stat.

CISO enthusiasm for AI security tooling far outpaces operator enthusiasm. The people writing the checks are excited. The people running the consoles at 2am are not. That disconnect is load-bearing for the whole market right now, and it's why so many deployments look great in a board slide and miserable in a queue.

What I'd be skeptical of, every time

If you're a practitioner sitting across the table from a vendor pitch, here's the short list.

Vendors with real AI capability answer those concretely. Vendors selling air do not. NIST has said this on the record: there are theoretical problems with securing AI algorithms that haven't been solved. Anyone claiming otherwise is selling something.

The analyst trust problem

The part that bothers me most. AI-generated alert summaries create a real cognitive failure mode. Analysts start deferring to confidence-weighted AI output instead of doing evidence-weighted analysis. The model writes a paragraph that sounds plausible, marks it severity high, and the analyst goes with it even when the raw telemetry suggests something more boring is happening.

The inverse happens too. The model says benign with high confidence and an analyst stops investigating something that needed another five minutes. Either failure mode produces worse outcomes than if the analyst had read the logs themselves. The tool was supposed to amplify judgment. Instead it replaced it, badly.

This isn't a hypothetical. It's showing up in incident postmortems right now.

Where AI in security is actually working

I don't want to be the "AI bad, log4j good" guy. There are places this is genuinely working.

Notice what those have in common. The human is still in the loop. The AI is doing the boring scut work. The analyst is making the call. That's the architecture that works.

The next 12 to 24 months

Agentic AI is the next wave the vendors are selling. Agents that triage, investigate, contain, and remediate end-to-end. Some of this will be real. Most of it will not be real for at least another product cycle, probably two. Agents fail in compounding ways: one bad inference upstream becomes a bad action downstream becomes an isolated production host at 4am.

The agentic story will eventually work, but it will work in narrow domains first (specific alert types, specific containment actions with hard guardrails) and then expand. Anyone selling you a fully autonomous SOC-in-a-box right now is selling the 2030 version of a 2026 product.

What to do in the meantime: invest in the unsexy foundations. Telemetry quality. Identity controls. Asset inventory. Exposure management. Recoverability. AI is a multiplier on whatever foundation you already have. If the foundation is bad, the AI will make decisions on bad data faster.

If you're an analyst watching this

Your job is not going away in the next 24 months. The people telling you it is are either selling something or repeating someone who's selling something. What is going to change is which parts of the job you spend time on. Less tab-flipping for context. More designing detections, tuning the AI's output, and being the human who pushes back when the model is confidently wrong.

The skill that compounds in this environment is the ability to read raw telemetry and form your own opinion before looking at what the tool said. Analysts who can do that are going to be more valuable, not less. Analysts who learn to rubber-stamp AI output are going to find themselves replaced by a cheaper analyst who also rubber-stamps AI output.

Learn to read pcaps. Learn to read auth logs unaided. Learn to write detections. Those are the durable skills. The AI-tool-of-the-month is the disposable one.

The takeaway

The r/cybersecurity post wasn't wrong to be losing its mind. The AI cybersecurity market in 2026 has a hype-to-reality ratio that would make a 2017 ICO blush. But underneath the marketing there are real, narrow, useful applications that practitioners should be exploiting. The trick is being able to tell which is which, and the only way to do that is to demand evidence and run your own tests instead of trusting the slide deck.

If you're trying to make sense of which AI tools in your stack are pulling weight versus which ones are expensive autocomplete, I've been writing up tool comparisons using the same evaluation framework — applied to the dev side first because that's where the data is cleanest. Start with Cursor vs Claude Code vs Aider. Same skepticism, applied to tools you can actually A/B today.

Stay skeptical. Read the logs. Don't buy the deck.