Cybersecurity has always been a discipline of interpretation, not just detection.
A scanner can tell you what is open. A log can tell you what happened. A CVE database can tell you what is known. But none of those things automatically tell you what matters most in a specific environment. That last part still requires context, prioritization, and judgment.
That is why I think the most interesting use of AI in security is not replacing analysts. It is augmentation. AI should help humans see patterns faster, explain technical findings more clearly, and move from raw evidence to better decisions.
But there is an important tension here.
As models get more capable, the mistake is not giving them too much room to reason. The mistake is giving them poor context and then trusting the answer anyway. In security, the goal should not be to force the model through a rigid checklist. The goal should be to give it strong evidence, useful tools, and a clear objective so its reasoning has something real to work from.
The danger is not that AI reasons too freely. The danger is that it reasons without evidence.
A model can produce a confident answer that sounds right while being wrong in exactly the ways that matter. It can name the wrong CVE, overstate the severity of a finding, recommend a fix that does not apply, or flatten important context into a generic answer. In cybersecurity, that is not just a writing error. It can send people in the wrong direction.
So the question is not, "Can AI analyze security data?"
The better question is: what should we give the AI so that its analysis is worth trusting?
I keep coming back to a simple split:
- deterministic tools should collect and structure facts
- trusted sources should provide vulnerability context
- AI should reason over that evidence with room to synthesize
- humans should review, challenge, and decide what to do
That is different from over-scaffolding the model. I do not want to hard-code every step of the analyst's thought process and force the AI to color inside those lines forever. That would probably age badly as models improve. But I also do not want an AI system that invents its own facts because the input was too vague.
The better pattern is to define the substrate, not micromanage the script.
Give the model structured evidence. Give it tools. Give it access to trusted sources. Give it the outcome you want. Then let it help reason through the problem.
Nmap is a good example. On its own, Nmap is excellent at collecting facts. It can identify hosts, ports, services, versions, CPEs, and script results. The terminal output is useful, but the XML is where things get more interesting. XML turns the scan into structured data that software can parse.
A service is no longer just a line of text. It becomes a host, port, protocol, product, version, script result, etc. That structure matters because it gives the AI something grounded to work from.
The model should not be guessing that Apache might be vulnerable because it has seen Apache vulnerabilities before. It should be looking at a parsed service, checking the exact product and version against trusted data, and then explaining what was found.
That changes the relationship between the human and the AI.
The AI is no longer the source of truth. The evidence is.
The model becomes an interface for understanding the evidence. It can summarize a noisy scan, explain why a service may be risky, draft remediation steps, or translate a technical finding into language a non-security stakeholder can understand. But the answer still has a chain behind it: scan result, parsed data, trusted context, human review.
That is the difference between AI as a shortcut and AI as an amplifier.
A shortcut tries to remove the hard thinking. An amplifier helps you think better.
In security, I do not want tools that simply sound confident. I want tools that preserve uncertainty, show their work, and make it easier for a human to ask better questions:
- What do we actually know?
- What is inferred?
- What source supports this?
- What context is missing?
- What would change the priority?
- What should we verify before acting?
That is where AI can be powerful. Not as an oracle, but as a reasoning layer on top of evidence.
The same idea applies beyond Nmap. Whether the input is a scan, logs, tickets, source code, alerts, policies, or documentation, the pattern should be similar: collect the evidence, structure it, ground the model, explain the result, and keep the human in the loop.
This does not mean AI should stay passive. I think security AI will become more agentic. It will query tools, inspect data, compare sources, generate hypotheses, test assumptions, and maybe handle larger pieces of the workflow than we are comfortable with today.
That is fine.
The line I care about is not autonomy versus no autonomy. It is grounded versus ungrounded.
An AI system that autonomously gathers evidence, checks sources, and explains uncertainty is much more useful than a chatbot that confidently guesses from memory. The problem is not that the model acts. The problem is when it acts without a reliable chain of evidence behind it.
This is also why I am skeptical of security AI that jumps straight to autonomy as the selling point. There are places where automation is valuable, especially for repetitive tasks. But security work often lives in the messy middle: incomplete data, business constraints, legacy systems, false positives, and tradeoffs that are not obvious from the outside. The test I apply is simple: can the system show where its claims came from, and does it admit what it does not know? If it can, autonomy is a feature. If it cannot, autonomy is a liability.
That does not mean AI should stay out of the workflow. It means AI should be placed carefully.
Let deterministic systems expose what exists. Let trusted sources show what is known. Let the model reason over the best context and tools available. Let the human decide what to do.
That is the kind of AI I trust in cybersecurity: not a replacement for expertise, but a system that helps expertise scale.
Define the substrate. Trust the evidence. Keep the judgment human.