AI vs. AI: The arms race for security

It’s become a familiar pattern: A new artificial intelligence model proves it can do a human task (or someone suggests it can). Suddenly, it’s assumed that progress now will make certain jobs obsolete later. Investors panic. The sector in question sells off. And suddenly, current cash flow and fundamentals don’t matter. The fear of whether an industry will exist in two years takes over. The extrapolation turns into hysteria. Cue the broad-based selling. Then, it happens all over again.

In the face of AI jitters, there is a corner of the market that has been swept up in indiscriminate selling: cybersecurity. If AI increases efficiency in a traditional office function to the point of making human tasks redundant, imagine what it can do to the frequency and strength of automated attacks. Not to mention, scaled operations. Therein lies the marriage of geopolitical fragmentation and a technological revolution. The more that geopolitical conflict involves AI-based warfare, the more governments and corporations will spend to defend against it. That means using AI to defend against AI.

And this time, rather than disrupt an industry, it’s pushed it into overdrive. (Even if the market doesn’t see it yet.) 16% of enterprise cyberattacks¹ are AI-generated, with effects that are 24% worse.² Those numbers are growing. The business risks of getting it wrong are simply too high. And the more use cases that AI has, the more fronts enterprises and governments have to defend. At risk are the large language models (LLMs), the data, agents and code, among other ingredients.

In 2025, the global average cost of a data breach reached $4.4 million,³ marking a decline for the first time in five years, according to an IBM report. The drop comes as a result of faster identification and containment. Of the companies that reported AI-related security incidents, 97% did not have the digital security mechanisms needed to protect themselves.⁴ Being unprotected is not only risky, but an expensive venture as conflicts begin to be fought with lines of code in addition to lines of soldiers.

Anthropic, an AI powerhouse, learned first-hand how it can happen when outside actors manipulated its own Claude code to launch cyberattacks—not just against Anthropic, but also large tech companies, financial institutions and government agencies—with only 10%-20% human intervention. The incident demonstrated that not only can AI systems execute sophisticated attacks that would otherwise require a full team of experienced hackers, but that they are also essential to providing the defense.

Driven by a rapidly fragmenting world, security concerns are accelerating the need not just for AI, but sovereign AI. It’s not enough to innovate. Nations have to reshore digital infrastructure, prioritize data sovereignty and expand the role of companies willing to invest in public priorities. That’s just step one. Step two is securing the infrastructure, and building resilience against both physical and digital threats.

To address it, the world is spending at a pace and level that it never has before. Global cybersecurity spending is projected to reach $240 billion in 2026, and grow at an 11% compound annual growth rate to $320 billion by 2029. AI-driven cybersecurity spend is growing three to four times as fast.⁵

As overall defense spending increases globally, more and more of it is being allocated to this arena. The United States alone called for a $1.5 trillion U.S. defense budget for 2027, marking a more than 50% increase from 2026. Spread across various departments and security agencies, cybersecurity, AI and other digital tools make up large and growing parts of the budget. Across the Atlantic, NATO targets sit at 3.5% of GDP with an additional 1.5% earmarked for defense-related infrastructure—which includes improving cyber and digital security. 

And there is still more work to be done. It's not enough to spend on defense, but to create the frameworks to respond. That's what’s happening around the world. Take Latin America, for example, which the World Bank identified as one of the fastest-growing regions for disclosed cyberattacks. As a result, it's been made a top priority in the region when developing legislation and policy to address the risk.

It’s a simple formula: more companies and governments use AI. Cyberattacks get more sophisticated and frequent. The technology creates a need to protect more components. Governments spend more on defense and security policy. Fiscal tailwind. AI is used to fight AI. The industry survives, and grows.

In an era of AI panic, this long-term dynamic may not be seen immediately. Cybersecurity, after all, is subject to the same knee-jerk market reaction. It also sold off when Anthropic released an AI tool to detect online vulnerabilities. But it has yet to prove it can do it in real-time. The assumption is it will eventually. That’s the danger. But, that doesn’t change the trajectory of the trend. And historically, policymakers have wanted multiple players involved in building the security apparatus. The convergence of government priorities and the critical need for advanced, AI-enabled defense solutions means higher corporate spending and expanded federal contracts. That isn’t going anywhere for a while.