Cybersecurity stocks mistakenly "hit" by AI? Morgan Stanley sees a $220 billion opportunity

```

The narrative of AI disrupting the cybersecurity sector is being re-examined.

In the past few weeks, Anthropic released Claude Code Security and announced that the Mythos AI model scored full marks on its own cybersecurity benchmark test, sparking market panic over AI upending the cybersecurity industry. Related stocks fell by about 25% cumulatively.

However, Morgan Stanley stated in its latest report that this sell-off reflects the market's structural misjudgment of the threat posed by AI, rather than genuine deterioration in fundamentals. Investors have underestimated the expansion in defensive demand driven by AI and overestimated its disruptive impact on existing vendors—incremental security opportunities spawned by AI could reach $220 billion, several times the market share currently at risk (about 10%), with the net size of the cybersecurity software market expected to be about 10% higher than today.

Sector drops about 25%: Concerns overestimated

Triggering this wave of sell-offs were a series of announcements from AI-native enterprises. According to MarketWatch, Anthropic released Claude Code Security and Mythos AI model scored full marks in its in-house cybersecurity benchmark, making investors fear AI will significantly undermine the value of traditional cybersecurity solutions and triggering large-scale reductions.

Morgan Stanley noted that some AI-native enterprises have already begun pre-release model partnerships with selected cybersecurity vendors. Both Palo Alto Networks and CrowdStrike participated, aiming to jointly establish security "guardrails" before models are formally deployed. This move itself indicates that AI providers view cybersecurity as a precondition for scaling models, rather than a replacement.

For internal sectoral disagreements, Morgan Stanley pointed out that long-term investors are generally bullish, believing AI reduces attack costs and increases attack frequency and complexity, thus continually strengthening security budgets from the demand side; hedge funds are more pessimistic, doubting the traditional vendors' long-term ability to resist AI-native competitors.

Morgan Stanley believes the current debate closely resembles historical narratives during the early stages of cloud migration where "cloud providers will replace the security industry", concerns which proved to be overly magnified.

$220 Billion Incremental Opportunities Far Exceed Disruption Losses

Morgan Stanley estimates that the current cybersecurity market is about $300 billion (including services), accounting for 6% to 7% of total IT budgets.

Disruption risks are mainly centered on “preventative security”—tasks such as vulnerability management, application security testing, and cloud configuration management can be performed asynchronously and are relatively tolerant to latency, making them easier areas for AI models to intervene. This segment accounts for about 10% of the overall market.

Meanwhile, incremental security demand resulting from AI is rapidly taking shape: as enterprises deploy AI models, agents, and data pipelines at scale, protecting these new assets will generate considerable additional budgets. Morgan Stanley estimates this new demand is enough to offset market losses, expanding the net market size of cybersecurity software by about 10% compared to today.

Data from the attack side further strengthens the demand logic: currently, 80% to 90% of attacks are generated by AI, with attack costs approaching zero. This not only fails to weaken the rationale for security expenditures, but fundamentally strengthens the need for real-time detection, response, and identity security capabilities.

The Strongest Defensive Barriers

Morgan Stanley divides the cybersecurity market into three levels: preventative security, control point/border security, and runtime security, highlighting that AI’s disruptive impact is highly uneven across these levels.

Runtime security is difficult to disrupt because after AI models enter production, threats such as prompt injection, data leaks, and model abuse must be captured and addressed in real time; they cannot be eradicated during development and training. Both control point and runtime security require low latency and deterministic responses, which fundamentally conflict with current probabilistic AI models. CrowdStrike, Palo Alto Networks, Okta, and SailPoint are leveraging their capabilities in endpoint, network, and identity security to extend into the AI layer, constructing dynamic execution "guardrails" around real-time AI systems.

Cost logic is also not to be ignored. Morgan Stanley points out that processing high-frequency security tasks such as email filtering or authentication with large language models may incur computational costs several orders of magnitude higher than existing solutions.

Currently, email security and identity platforms typically charge low single-digit dollars per user per month, handling hundreds of thousands or more events, meaning marginal cost per event is less than a cent; running token-based AI models at similar scale introduces significantly higher computational expenses. Morgan Stanley believes in the near term, AI is more likely to play an "augmentation" role in cost-sensitive, low-latency scenarios, rather than completely replace existing architectures.

Non-Human Identity Becomes the Next Core Battleground

The proliferation of AI is pushing the strategic importance of identity security. As the number of APIs, machine identities, and autonomous agents—collectively "non-human identities" (NHI)—grows rapidly, traditional human-centric identity management frameworks can no longer cover emerging risks.

Morgan Stanley points out that AI-driven systems often run with high privileges, can access sensitive data across distributed environments, and greatly expand attack surfaces for credential abuse, privilege escalation, and unintended access paths.

Identity security is evolving from mere "authentication" to encompass continuous validation, fine-grained access control, and real-time execution management across the entire lifecycle. As AI agents autonomously run database queries, trigger workflows, and interact with external systems, identity becomes the primary mechanism for enforcing trust boundaries and policy controls.

TD Cowen analyst Shaul Eyal also pointed out that every AI agent on every platform needs identity credentials, and Okta and SailPoint are currently the only listed pure identity security stocks, with scarce value.

Platform Integration and Flexible Pricing Are Core Barriers

Morgan Stanley believes the top cybersecurity companies in the AI era should possess three core traits: a clear agent security roadmap and rapid AI product release capabilities; a flexible consumption-based pricing framework (such as CrowdStrike’s Falcon Flex) to reduce friction for customers deploying new capabilities; and an overall value proposition based on runtime execution, proprietary data advantages, and cost efficiency.

From budget trends, Morgan Stanley expects funding to shift from fragmented point solutions to integrated platforms; in the long run, continuous expansion of the attack surface will drive cybersecurity to become the most defensive priority area in enterprise IT spending—the firm’s CIO survey indicates cybersecurity software is the least likely IT project category to be cut.

~~~~~~~~~~~~~~~~~~~~~~~~

The above content is from Chasing Wind Trading Desk.

For more detailed interpretation, including real-time analyses and frontline research, please join 【Chasing Wind Trading Desk ▪ Annual Membership】

Risk Disclaimer and Terms of ExemptionMarkets have risks and investments require caution. This article does not constitute personal investment advice and does not consider the unique investment objectives, financial situation, or needs of individual users. Users should consider whether any opinions, viewpoints, or conclusions in this article suit their particular circumstances. Investment based on this is at your own risk. ```