AI in cybersecurity: a whole lot of shiny bubbles or a solid foundation?

   Thomas Verwer, CEO & Founder, Nedscaper

 

Just imagine a soap bubble for a moment. You blow air into a thin layer of soap, and something beautiful forms. The harder you blow, the more bubbles you get and the larger they become. Shimmering with rainbow colours in the light, soap bubbles attract attention. But inside, there’s only one thing: air. The bigger the bubble grows, the thinner the film around it becomes. Until suddenly, it bursts, and nothing is left. And since early 2025, hundreds of them have been floating around the market.

8 June 2026

That’s how I currently look at many of the AI narratives in my field. In the market, everyone is blowing up their own bubble. Venture capital is the air going into it: the more money poured in, the bigger the bubble, the brighter it shines, and the more attention it attracts. In cybersecurity, I see it every week: yet another AI startup appears, promising that a smart agent will now handle your entire security. Without people.

It all sounds impressive, and of course, I also know that cybersecurity will fundamentally change because of AI. The disruption is already happening, so far with more success on the offensive side than the defensive. Pentesting is a good example. At the same time, I see another development that is truly fundamental. AI models (such as Mythos) are becoming increasingly capable of scanning huge codebases and identifying vulnerabilities that traditional scanners miss. In the coming years, this will likely lead to a wave of new patches, updates, and possibly more exploitation of zero-days, until the use of AI in software development becomes as common as earlier techniques like fuzzing and static code analysis.

The real question is simply: where in the cybersecurity chain does sustainable value actually emerge, and where are you just looking at a shiny bubble filled with air?

 

A lot of money, less foundation

Let’s zoom out for a moment. Anyone looking at the macro view of AI will see an enormous money-burning machine. People who know me will immediately recognise my metaphor, “Can you smell it?” Companies are investing billions, generating only a fraction of that in revenue. Investors already assume that a portion of these initiatives will turn out to be bubbles that eventually burst. Only a small number of them will prove solid and genuinely reshape the market. And that’s how markets work.

In recent weeks, we have also seen the first cracks emerge in the stock market. A small number of AI and chip companies carry a disproportionately large share of total market value, while valuations in some cases have risen to extreme levels. At the same time, even strong results are no longer always rewarded; companies like Broadcom delivered good numbers, but still took a significant hit. These are classic signals that expectations are rising faster than the underlying reality.

Yet, the AI bubble hasn’t truly burst. Market leaders like Nvidia remain profitable, dominant, and are building on a fundamental technological shift. What we are seeing now is not a crash, but a transition, from “AI growth at any cost” to a market that is increasingly critical, asking: where is the real value and measurable return?

That same shift is happening in my own field. Many AI initiatives in security are bubbles. They focus purely on detection, or only on automated response. Or they apply a smart agent to one small part of the security chain. The results may look impressive in a demo, but many of these bubbles will burst. The technology works, but there is simply too much mascara and makeup in the marketing, making the promises bigger than reality.

So how do you know which initiatives deliver real value and which are just shiny bubbles? For non-technical audiences, I often use a very simple comparison: your home.

 

The burglar is already in the living room

Cybersecurity is essentially nothing more than securing a house, but digitally. You need three things:

  • Prevention: a fence, a moat, good locks, solid doors.
  • Detection: cameras and sensors that recognise patterns. Who is moving around? Where is something unusual happening?
  • Response: calling the police (or us), automatically locking doors, or isolating a room once someone is inside, so they cannot escape with the loot. Contain and isolate early.

When I read current AI narratives, one thing stands out. Alongside a primary focus on simplifying analysis work, there is also a strong focus on that final step, automated response: the automatic intervention when something goes wrong. That focus is even stronger than the focus on investigation and detection.

Recent market research, such as that from KuppingerCole, also places strong emphasis on autonomous response. It sounds amazing: a system that takes down the burglar all by itself.

But let’s take a closer look. Response, by definition, is the moment when you’re already too late. The burglar is already inside. Damage may already have been done. Of course, you still need to act quickly and effectively. But the real question is: couldn’t we have spotted earlier that someone was tampering with the fence?

 

The real value lies in the entire chain

That is where, for me, the real value of AI lies: not just acting when the burglar is already inside, but across the entire chain, continuously learning from prevention, detection, and response data together.

And that immediately introduces the condition. AI only becomes truly powerful when that data is not fragmented across multiple isolated tools, but comes together in one coherent model. If you ask me, the market focus is shifting more towards prevention, driven by the increased pace of everything surrounding AI-attackers, vulnerability discovery, and exploit development. The magnifying glass is increasingly focused on “prevention is better than cure.”

And especially on integrating prevention, detection, and response as a whole. If you can bring that together holistically to achieve higher cyber resilience, using AI in the right places, you win.

Because imagine this: you have locks from vendor A, cameras from B, sensors from C, and an alarm from D. Everyone monitors their own piece and keeps their own list. You can layer AI on top, but it struggles to maintain the overview. The data is fragmented, and cohesion is missing. Every vendor can apply AI, but none of them can see the full picture.

When everything works together from a single data structure, the game changes. Then the AI tool can already detect unusual behaviour at the fence, long before someone reaches the living room. That’s why I find integrated platforms like Microsoft’s so relevant. In a strongly integrated system, AI can actually correlate separate events and detect patterns.

 

Why SOAR still isn't fully autonomous after ten years

Yes, apologies for the acronym, but see here.

But even if you invest in a standalone response tool, the next question is whether you want it to operate autonomously. And there’s another reason I remain cautious about the new automated response hype, and that reason is not technical.

Automated response to attacks, known as SOAR, has been around for about ten years. It hasn’t just suddenly emerged because of AI. Yet it has never fully broken through. Why not? Because executives are rarely willing to give a vendor the mandate to independently disable accounts, isolate servers, or shut down a production environment.

That’s not a technical issue; it’s about trust between the business and technology. People at the board level understand the impact of downtime: when a production system, webshop, or core business process stops, the consequences are severe. Meanwhile, technical teams understand the scale of the threat and the required measures. These two worlds do not always fully align, and that’s exactly where the tension around automated response arises.

Because if even humans struggle with these decisions, why would we hand them over entirely to an AI agent? That’s why I believe AI should primarily help us make better decisions, not replace them entirely. For critical decisions, human mandate remains essential for now.

 

Human plus AI, not human versus AI

Within our organization, AI is not an enemy; it’s a colleague. We deploy it where it makes people smarter:

  • AI agents that take over repetitive analysis of phishing emails.
  • AI agents that increasingly handle more complex investigative work requiring context.
  • Noise filters that reduce the endless stream of alerts, so analysts don’t drown in alarms.
  • Pattern recognition that reveals what type of attack is coming.
  • AI agents that continuously improve in distinguishing real threats from noise. Where these techniques previously produced many false positives, we now see steady improvements in quality month by month.

The difference lies in the starting point. AI is already surprisingly good at understanding technical context: log data, vulnerabilities, attack patterns, configurations, and vast amounts of information. But the context of the customer’s world is something else.

Which systems are business-critical? Which processes must never fail? Which risks are acceptable, and which are not? These considerations go far beyond technology. That’s why AI supports our experts, but never replaces them. Our experts become more well-rounded (what we used to call T-shaped): deeply specialized, yet broad enough to collaborate across disciplines.

We make this choice because we always want to deliver quality. A 1% error rate from an AI agent might be acceptable for a customer service employee, and a business developer might even get away with 10%. But a 1% error rate in cybersecurity can mean the end of your business.

That’s why fully autonomous AI security is not the solution for the coming years, no matter how strongly the AI bubble may suggest otherwise.

 

Do you choose a bubble or a solid foundation?

Every bubble has its losers and its winners. The AI era is no different. But in AI cybersecurity, the bubble doesn’t burst on the stock exchange; it bursts at the customer. During a real incident. The moment an autonomous agent makes the wrong decision, or when no one has the mandate to intervene.

So, as an executive, don’t focus on which AI tool shines the brightest. Focus on whether your security is floating in a bubble or standing on a solid foundation. And use AI to give headspace back to your teams, managers, and specialists.

Set your course towards a strong, ideally highly automated integration of detection, response, and prevention. Because when you understand “how and where they move through your yard,” you can respond proactively. Data-driven prevention, early detection, and human craftsmanship: that’s where lasting value lies, while the rest bursts like a soap bubble.

In the end, it’s not the organization with the most AI that wins, but the attacker or defender who combines AI most intelligently with people, reality, and experience. That’s where the next few years will be decided.

And don’t forget: people do business with people. Emotion, trust, and risk are the three fundamental pillars of our existence, and perhaps of the entire market. It will take time before we hand over 100% to a machine.
