The recent mass media love affair with ChatGPT has led many to believe that AI is a “here and now” technology, expected to become pervasive in enterprise and consumer products in the blink of an eye. Indeed, Microsoft’s $10B investment in OpenAI, the company behind ChatGPT, has many people expecting a complete and thorough integration of AI into Microsoft’s product line, from Office365 to Xbox.

The company has already integrated ChatGPT into its Bing search engine and GitHub Copilot, announced that ChatGPT is now available in its Azure OpenAI service, and is looking at further integration into its Word, PowerPoint, and Outlook apps.

But is AI becoming mainstream in security? We’ve seen AI advancements in the cybersecurity world for the better part of the past decade. Companies like Cylance (acquired by BlackBerry), Darktrace, and many others were marketing their AI-based security technology on billboards and signs at Black Hat and along the 101 near SFO in 2017 and 2018.

From my perspective in the venture world, AI penetration has barely scratched the surface of the cybersecurity market. But to do a sanity check, I recently spoke to over a dozen top CISOs, security executives, and practitioners. Their feedback confirmed my initial thoughts about AI being in the early stages of the market. But more interesting to me was that these experts disagreed on where AI plays a meaningful role today.

AI in the cybersecurity market

As all my experts pointed out, AI is excellent today at helping a human sort through large quantities of data, reducing “background noise,” and finding patterns or anomalies that would otherwise be very difficult and time-consuming to discover.

AI is also good at creating new threat variants and patterns based on its modeling of the past. However, AI is not adept at predicting the future, despite what some marketing materials may lead you to believe.
It may help demonstrate what a future attack could look like, but it cannot produce a result with certainty showing whether a specific exploit will be unleashed.

Another broad belief among the experts was that the AI hype is ahead of reality. While every vendor talks about AI, the executives believe there is little (to no) AI integration in most of the products they use today.

One prominent F500 security executive stated, “While many vendors claim the use of AI, it is not transparent to me that it is there. For example, AI might be the secret sauce within SIEM technologies or complement threat detection and threat hunting activities. But my skepticism is due to the lack of transparency.” If this skilled and experienced executive doesn’t know “where the beef is,” where is the reality today?

The perceived reality

Perception is reality, they say, so what do these industry experts perceive? Or conversely, where is today’s AI reality?

The common belief among those I spoke with is that AI is and will be valuable when large datasets are available, both for training and within the actual use case. The experts view SIEM, email phishing detection, and endpoint protection as three of the most likely segments where AI plays a somewhat more significant role today and will likely continue to provide value.

In the SIEM/SOAR category, AI plays a role today, sorting through large quantities of security event data to help humans more quickly detect and respond to threats and exploits. Splunk, in particular, was mentioned as a leading AI-enabled provider in this segment.
Again, this view was not universally agreed to by the experts, but most thought that AI penetration was most likely relevant here versus other categories.

In the email filtering and anti-phishing category, large amounts of email data can be used to train systems from companies like Proofpoint and Mimecast, which effectively find many phishing attacks that arrive in an inbox. Several executives I spoke to believed that some AI was powering these products. However, at the same time, a few questioned whether AI was the driving force behind the categorization and detection.

Endpoint companies have leveraged data collected from millions of machines for years to help train their systems. Formerly, these systems produced signatures for pattern-matching across their installed base. Today these products can use AI to detect more dynamic exploits.

While no AI-based system can detect every zero-day attack (as mentioned earlier, AI can’t predict the future), these newer products from companies like CrowdStrike are perceived to close the gap more effectively.

One of the F500 executives I spoke to thought with 100% certainty that CrowdStrike was the best example of a company that demonstrated AI-delivered value. On the other hand, two of the CISOs mentioned that they had no proof that AI was really inside this vendor’s endpoint product, even though they were paying customers.

From just these three segments mentioned above, and the discrepancies in opinion, it is clear that the cybersecurity industry has a problem. When some of the top executives and practitioners in the industry don’t know whether AI is deployed and driving value, despite the marketing claims, how do the rest of us understand what drives our critical defenses? Or do we care?

Perhaps we just abstract away the underlying technology and look at the results. If a system prevents 99.9% of all attacks, does it even matter whether it is AI-based or not? Is that even relevant?
I think it is, as more of the attacks we will see will be AI-driven, and standard defenses will not hold up.

AI as problem solver

Looking to the future and other security segments, AI will play a significant role in identity and access management, helping discover anomalous system access. One CISO hoped AI would finally help solve the insider threat problem, one of today’s thornier areas. In addition, there is a belief that AI will help partially automate some of the Red Team’s responsibilities and perhaps automate all of the Blue Team’s activities.

One topic was the threat that adversaries would use ChatGPT and other AI-based tools to create malicious applications or malware. But another suggested that these same tools could be used to build up better defenses, generating examples of malicious code before bad actors actually use them, and these examples could then help inoculate the defensive systems.

Another concern is that AI-generated code, without proper curation, will be as buggy or buggier than the human-authored code that it was trained on. This creates vulnerable code at a wider scale than was previously possible and will create new issues for AI-based vulnerability scanners to address.

A final key point was the belief that Microsoft, Google, Amazon, and others would provide the underlying AI algorithms. The smaller cybersecurity players will own the data and the front-end product that customers interact with. But the back-end brain would leverage tech from one of the bigger players. So, in theory, an AI-based security company won’t technically own the AI.

AI in the future

We are in the early days of AI’s penetration into our security defenses. While AI has been in the research community for decades, the technologies and platforms that make it practical and deployable have just been launched in the past few years. But where will things be in the next 5-10 years?

I have a clear investment thesis on AI-enabled cybersecurity solutions and believe we will see much broader and deeper enterprise penetration within the next decade. From the point of view of my experts, the general belief is that AI will become a reality in multiple segments, including the three mentioned above.

While the experts believe AI will play an increasingly important role in every segment of security, chances are higher in areas like:

There is so much uncertainty about where AI resides today in cybersecurity solutions and what it does or doesn’t do. But I believe this uncertainty will drive entrepreneurs to create a new wave of products to help navigate this new frontier. This will likely go well beyond cybersecurity, covering all the software products used in an organization.

AI applications over the next 5-10 years will be fascinating, to be sure. Today’s hype may be more than the reality, but plenty of surprises will be ahead as this market evolves.