Cybersecurity’s Next Challenge Is Too Much Security

AI is making software flaws cheap to find. The edge in cybersecurity is shifting from spotting threats to deciding, fast, which ones can actually hurt you.

  • Image credit: Chetan Jha / MIT Sloan Management Review India

    Key Takeaways

    1. AI is collapsing the cost of finding software flaws, which moves the industry’s hard problem from discovery to deciding which threats actually matter.

    2. India’s cybersecurity product sector has more than quadrupled to $4.46 billion since 2020, yet its enterprises stay exposed through long, uneven supply chains that AI attacks pick apart node by node.

    3. The next advantage will come from prioritization, integration, and machine-speed response, not from generating more alerts.

    On the evening of 12 June, Anthropic received a letter from the US Commerce Department and, within hours, switched off its two most powerful AI models for most of the planet. The order, citing national-security authorities, barred any foreign national from using Mythos 5 or Fable 5, whether abroad or in the United States, and even extended to the company’s own non-citizen staff. Anthropic complied and called it a misunderstanding.

    What made two language models subject to export controls was what they could do to software. Two months before, in April, Anthropic had taken the unusual step of not releasing its most capable system at all. It placed Claude Mythos Preview inside Project Glasswing, a coalition built with Apple, Google, Microsoft, Cisco, Broadcom, Palo Alto Networks, and more than 40 other organizations, and handed them the model to find and patch flaws before attackers could. According to the company’s account, it had already identified thousands of high-severity vulnerabilities, some of which had gone unnoticed for years in every major operating system and web browser.

    Not every one of those claims is settled. Independent researchers, including Luta Security’s Katie Moussouris, have questioned how far the demonstrated capability actually exceeded existing tools. The part that matters for business is simpler. One of the world’s leading AI labs decided these capabilities were real enough to lock down, and the US government decided they were dangerous enough to control. For the Indian cybersecurity industry, which has grown into a $4.46 billion export business largely by identifying threats, that pairing lands close to home.

    The real change underneath the headlines is economic. For as long as the industry has existed, finding a serious vulnerability has been slow, skilled and costly work, which is precisely what most security companies were built to sell. Let machines do it cheaply and at scale, and the scarce resource stops being a discovery tool. It becomes judgment, the ability to decide which of thousands of findings is worth acting on.

    Kunal Ruvala watches this from closer than most. He runs India for Palo Alto Networks, one of the firms inside Project Glasswing, so his teams have already put a Mythos-class model to work on live code. He describes the shift without melodrama. “The industry is not being reshaped because AI has suddenly invented an entirely new category of attack,” he says. “It is being reshaped because it is accelerating the old game so dramatically that many existing security assumptions start to break.”

    Discovery Is Getting Cheap. Judgment Is the New Bottleneck.

    For decades the industry measured itself by what it could find. Companies sold threat intelligence, endpoint monitoring, penetration testing and vulnerability assessment, all of it built on the premise that weaknesses are hard to spot. Ruvala thinks that the premise is about to give way. “Over the next 12 to 18 months, the single biggest shift will be how the industry deals with a sharp increase in vulnerability discovery and the consequences that follow from it,” he says.

    The consequences are the problem. Every vulnerability that surfaces creates work that did not exist the moment before. Someone has to judge how severe it is, test whether it can actually be exploited, weigh the damage it could do and coordinate a fix. Security teams are already drowning in the alerts they have. A model that multiplies the supply does not hand them an answer. It hands them a longer queue.

    The harder part is not the volume. It is that the newest models grasp how flaws combine. A misconfiguration that looks harmless on its own can turn dangerous once it is chained to a weakness three systems away, and several minor flaws can assemble into an attack path far worse than any of them alone. “The industry will need to prioritize based on real-world exploitability, attack paths and business impact rather than treating every vulnerability the same,” Ruvala says.

    This is the paradox the Mythos episode lays bare. Security teams spent years complaining they could not see their own threats. AI is about to let them see almost everything, and that turns out to be its own kind of trouble. A flood of intelligence is no easier to act on than a drought.

    “The concern isn’t that cybersecurity becomes less important. It’s that the nature of value in cybersecurity is changing.”

    — Kunal Ruvala, SVP and GM, India, Palo Alto Networks

    India’s Boom Sits on Its Weakest Node

    For India, the timing is awkward, because the industry is in the middle of a boom. The Data Security Council of India, or DSCI, counts more than 400 cybersecurity product companies, with combined revenue of $4.46 billion in 2025, up from $1.05 billion in 2020. That is a 34% compound annual growth rate, among the fastest in India’s tech economy. More than half of that revenue now comes from abroad, much of it from North America, the Middle East and Southeast Asia, where Indian vendors are increasingly seen as capable and politically neutral. Around 60,000 people work in the product ecosystem, and nearly 40% of the firms have raised outside capital.

    Read through a conventional lens, the sector looks set. The harder question is what all those companies actually sell. Many built their names on finding things, on research, detection, and specialized expertise, which is exactly the work AI is starting to commoditize. The firms that thrive this decade will be judged less on how many vulnerabilities they find than on whether they can tell a customer which handful, out of thousands, will actually cause harm. Spending will keep climbing either way. Fortune Business Insights estimates the global market at nearly $219 billion in 2025, rising to $700 billion by 2034. The open question is what that money increasingly buys.

    There is a deeper exposure, and it is structural. Most large Indian enterprises have hardened their own core systems over the past decade. What they cannot fully control is everyone they connect to, the contractors, software vendors, cloud providers and outsourced partners whose security varies wildly. India’s outsourcing-heavy economy makes those chains unusually long and unusually uneven, and AI does not bother with the front door.

    “AI-driven attacks don’t need to break the front door. They exploit the weakest connected node and then move laterally.”

    — Kunal Ruvala, SVP and GM, India, Palo Alto Networks

    “Most Indian enterprises aren’t fully prepared just yet,” Ruvala says. “And the gap isn’t about technology alone. It’s about mindset.” A model that can map the relationships between systems, identities and third-party connections at machine speed will find the weak joint faster than any human team. DSCI’s own threat data points in the same direction, attributing roughly a third of recent attacks to AI-driven supply chain compromise.

    The answer Ruvala points to is integration, not more tools. “A platformized approach, where telemetry, detection and response are unified, becomes critical,” he says. The edge moves from owning the most security products to understanding how the pieces fit together, and that is where the money is going too. “Investors increasingly see AI security not as a niche category, but as core infrastructure for the next phase of enterprise computing,” he says. Capital is flowing to firms that integrate data, automate prioritization and learn from real-world telemetry, not to those bolting AI onto old workflows.

    Implications by Role

    Security and technology leaders

    Stop assuming more visibility equals more security. The useful question is no longer which vulnerabilities exist, but which can actually be exploited and what they would cost the business. Shift budget from alert generation toward exposure management, attack-path analysis and impact-based remediation. And replace disconnected point tools with platforms that unify telemetry, detection and response, because that is where AI attacks find their openings.

    CEOs and boards 

    Treat cybersecurity as operational resilience, not an IT line item. When AI compresses the gap between a flaw being found and exploited from months to minutes, a breach can hit revenue, operations and customer trust the same afternoon. Judge security spending by whether it improves response speed and visibility, not by how many tools it adds.

    Policymakers

    The Anthropic episode shows that governments now regard frontier cyber capabilities as a national security matter. India will need its own stance on access controls, vulnerability disclosure, and critical-infrastructure protection rather than inheriting frameworks written by and for the countries that build the models.

    When Machines Make the Noise, Judgment Is the Edge

    For 20 years, cybersecurity vendors competed on visibility, on more alerts, more detections, more findings. That contest is ending. Organizations were never short of information. They were short of the attention to act on the right piece of it. When machines can generate both the signal and the noise in overwhelming volume, the advantage no longer belongs to whoever sees the most. It belongs to whoever can tell the difference.

    Research Highlight

    This article is based on an interview with Kunal Ruvala, Senior Vice President and General Manager for India at Palo Alto Networks, a Project Glasswing launch partner. It draws on the Data Security Council of India’s Indian Cybersecurity Product Landscape Report 3.0, Anthropic’s public disclosures and the US export-control directive of June 2026, and global market estimates from Fortune Business Insights.
