The cybersecurity industry has come a long way over the years. Initially, some software developers more or less worked to suppress cybersecurity efforts, viewing white hat hackers uncovering bugs as enemies. Attitudes shifted, and many companies started offering rewards to white hat hackers who found vulnerabilities, and various other efforts have helped improve security. In practice, most “hacking” has actually been social engineering rather than code exploits. That said, when code exploits, and particularly unknown “zero-day” exploits, have been utilized, the damage has at times been immense. The NotPetya attacks, for example, are believed to have caused $10 billion in damages.
Hacking code with human hands is often a cumbersome process. Once hackers gain access to code, finding vulnerabilities often means reviewing lines upon lines of code, piecing together how the whole system works, and then hoping you find a vulnerability. This process has typically been slow and resource-intensive. Yet early indications from the Anthropic (ANTHRO) team suggest that we may soon be entering a new era of cybersecurity, and code hacking could become much easier if hackers have access to powerful AI models.
Fortunately, I expect powerful AI models to largely remain in the hands of cybersecurity experts striving to eliminate vulnerabilities. Once fully unleashed, Claude Mythos and other AI models may be able to quickly mitigate and close many vulnerabilities. By and large, black hat hackers shouldn’t have access to the most powerful models and the server farms needed to run them at full power. Still, specially designed black hat AI models, likely built off open-source models, could emerge as an immensely dangerous threat. The risks for companies big and small are considerable.
Thesis
The implications for cybersecurity as a practice will have an immense impact on cybersecurity stocks as investments. Many cybersecurity stocks have taken a hit since reports from Anthropic and now OpenAI began to make their way through the media. For now, I’m avoiding broad cybersecurity ETFs, like Global X Cybersecurity ETF (BUG), and instead being picky about cybersecurity investments, specifically gravitating towards companies positioned to succeed as AI upends the cybersecurity industry.
Why The Recent AI Developments Are Such A Big Deal
Anthropic’s Frontier Red Team, which focuses on making AI safer to use and defend against, released a detailed blog post covering the recent advances in cybersecurity with the Anthropic Claude Mythos model. The whole post is quite interesting and worth checking out, but be warned, it’s a long one. While I am broadly familiar with cybersecurity, I am admittedly not an industry expert. That said, several points in the blog post stood out and I believe are important for investors to be aware of.
- Mythos found bugs with minimal human intervention and oversight. In many instances, the model was simply told to find vulnerabilities and then write exploits without needing human assistance. Opus 4.6 had a near 0% success rate writing Firefox exploits. That model identified several hundred vulnerabilities but was able to exploit only two of them. Mythos was able to write 181 Firefox exploits.
- Mythos found a 27-year-old bug in the OpenBSD operating system and a 17-year-old bug in FreeBSD. These are especially noteworthy because the BSD operating systems have long been viewed as especially secure operating systems (OpenBSD, in particular, is especially well known for security). Among other things, FreeBSD is the base for Sony’s (SONY) recent PlayStation operating systems, and both are commonly used with routers and other networking devices.
- It was able to chain multiple vulnerabilities together to pull off complex operations. In one case, Mythos chained together 4 vulnerabilities to exploit a browser, breaking out of both the renderer and operating sandboxes. This is especially important as sandboxes are one of the most common and traditionally effective cybersecurity methods.
- AI can write exploits in mere hours that would take human hackers weeks to write. This could quickly spark an arms race as hackers rush to exploit vulnerabilities and security experts work to head off attacks and close vulnerabilities. Some companies, quite likely principal AI developers like Anthropic, could profit substantially from an increase in security risks.
- Vulnerabilities were found with every operating system and every browser. Windows has often borne the brunt of cybersecurity attacks. Part of this is due to the fact that Windows tries to maintain backward capabilities and support legacy software/hardware, which in turn can be more vulnerable. Part of this is simply because it’s the most widely used desktop OS, especially in the business world, and companies can be more plum targets. Going forward, alternative operating systems, like Mac, may be easier to target with AI’s assistance.
The most important developments here are arguably the economics of hacking. With the OpenBSD vulnerabilities, Anthropic was able to uncover multiple bugs, including at least one critical bug, while spending less than $20,000 to run a thousand-plus runs with the AI. Hiring a team of hackers and/or security experts is likely to cost far more while producing far less in terms of results.
Ultimately, Claude Mythos and other AI developments are likely to have a major impact on the cybersecurity industry. Certainly, cybersecurity stocks have already been impacted, with most taking a hit. BUG is down as well, although so far losses have been moderate. Yet for the time being, I would be wary of investing in BUG, as some of its holdings strike me as especially exposed to the risks of AI.
How AI Might Impact Specific Cybersecurity Companies
Before jumping into specifics, keep in mind that the cybersecurity sector is going through rapid change right now. Some companies are likely to make big moves to head off AI threats and tap into opportunities. My outlook on individual companies could change dramatically based on a single acquisition, PR news release, etc. A company that I view today as a Sell could end up being a Buy next week.
There are a few companies, however, that strike me as being especially vulnerable, and right now, BUG is holding considerable chunks of its portfolio in them. I’m only beginning to dig into these companies, and my outlook could change as I dig deeper. If I were writing an individual analysis of these companies, I’d go in expecting to come out with a lot of Sell ratings, although I wouldn’t expect some to ultimately end up as holds or even buys. However, my skepticism over several companies, which combined make up more than a third of BUG’s portfolio weight, has me especially wary.
Check Point Software and Fortinet
Check Point Software (CHKP) provides firewalls and is historically one of the largest players. The company is working to integrate AI solutions into its firewalls. Fortinet is in a similar position, focusing on firewalls, but also offering a variety of AI tools and features. However, Microsoft (MSFT), Google (GOOG), and Amazon (AMZN) are increasingly offering bundled security services. The companies combined control more than 60% of the cloud computing market and thus could end up substantially shrinking the market for third-party providers.
Okta, CrowdStrike, and SentinelOne
Okta (OKTA), CrowdStrike (CRWD), and SentinelOne (S) strike me as more AI-capable and are built from the foundation up to take advantage of AI tools and features. They’re likely in a better position than most cybersecurity firms to capture tailwinds. However, that doesn’t mean they’re invulnerable. Integrated, often free or low-cost solutions from Amazon, Google, and Microsoft could pressure margins and force these companies, among many others, to work harder (and spend more on research) to justify their value.
Offensive AI could also erode the effectiveness of these companies’ tools. SentinelOne is an industry leader in endpoint security, meaning it can monitor devices to detect bots, malware, and suspicious users. Offensive AI can be used to make behaviors, making threats harder to detect. For example, rather than encrypting hundreds of files at once in a ransomware attack, files might only slowly be encrypted over the course of several days.
Gen Digital
While the brand itself may not be familiar to many, the Gen Digital (GEN) products are among the most widely known cybersecurity tools for consumers and small businesses. The company’s portfolio includes Avast, Norton, and LifeLock. The company’s legacy signature programs are of increasingly questionable utility in a cybersecurity landscape defined by AI. Anti-virus signature software essentially digs through code looking for specific lines of code associated with known malware. However, AI-enabled malware can actually rewrite itself, say, changing variable names. As a result, signature check programs are at times essentially blind to these threats.
Like pretty much every other cybersecurity firm, Gen Digital is rolling out new products and tools to leverage AI and counter AI threats. This is going to be expensive, and free tools offered by Microsoft, Alphabet, etc., may be enough to satisfy most customers. Gen Digital is arguably more exposed to these tools than many other cybersecurity developers because the company has traditionally focused on consumers and small businesses. These parties are more likely to be satisfied with the features offered by free tools and less inclined to spend on more robust security tools.
In Summary
The above breakdown is pretty limited and not a deep dive into any of the companies. I would not assign a buy/sell/hold rating for any of the above companies based on the information presented here. The more important point is simply that the cybersecurity industry is in turmoil, and as such, I’d avoid broad cybersecurity ETFs and instead would take long, deep looks at companies to identify winners and potential losers.
BUG Fundamentals And Valuation Considerations
To the surprise of no one, BUG’s portfolio is made up of tech stocks. Roughly 82% of the stocks are U.S.-based, which shouldn’t come as a surprise given that the United States is currently the world’s software technology leader. The largest holding is Palo Alto Networks (PANW) at roughly 12% of the portfolio. Akamai Technologies (AKAM) is the second largest at roughly 9%. The top 10 holdings account for more than 60% of the weight, and overall, BUG has 28 equity holdings.
Seeking Alpha
Overall, the Original Postortfolio" rel="nofollow">portfolio’s P/E average, which weighs in at ~20, is quite attractive given that equities are quite expensive now with historically high P/E ratios. The category average hits nearly 24. The Price/Sales ratio weighs in at about 4. While this number would be high in many industries, P/S ratios above 8 are quite common in the tech sector, and the category average totals ~5.75.
Growth is not a strong spot for BUG, however, with sales growth measuring just 8.72%, compared to the ~12% category average. Some companies, like Zscaler (ZS) at 23.91% and SentinelOne at 21.89%, are growing quickly YOY. Others, like Akamai, are pulling in YOY growth of just 5.44%. Gen D is showing massive growth at 21.55% YOY, but integrating with Avast and Norton explains much of the growth.
Expenses are reasonable at .5%. Certainly, many (especially passive) ETFs offer lower expense ratios, but for a reasonably complex industry, .5% doesn’t strike me as unreasonable. BUG’s 0.05% dividend yield is essentially meaningless, but tech companies often are dividend-shy, so no surprises there. The 5.20% tracking error is a touch high given that it’s just 1.55% (median) for all ETFs, but this doesn’t really worry me.
Seeking Alpha
Seeking Alpha’s quant tools give BUG a Strong Sell rating. This is harsh, but not unreasonable given how steadily the ETF has slid. I assign a hold rating, but only because I believe that this ETF could rebound from the current lows, dragged upward by the best performers. Ultimately, however, I think there are better individual company picks out there, and if BUG was in my portfolio right now, I’d be tempted to look for the specific winners and would likely sell BUG if I found favorable individual investments.
Why I Could Be Wrong
AI augmentation has proven to be a productivity booster and cost saver in many industries. This could prove true once again, and all boats may end up rising at once, thus lifting BUG. Further, if I do opt to invest in individual stocks, I might end up simply making the wrong picks and could be left behind while BUG marches onward. Broad ETFs can lower risks, and even if a few of BUG’s holdings suffer major slides, if a few companies strike it rich, the ETF could post substantial gains.
Key Takeaway: Invest In Cybersecurity, Sure, But I’d Bug Out On BUG
I believe the next few years will be profoundly disruptive for cybersecurity. That AI can turbocharge malicious actors suggests that AI will drive demand for cybersecurity solutions. Some providers are likely to cash in big on this. However, I also believe some companies are at risk of being pushed out of the market or at least pushed towards the edge. As such, I’m wary of investing in a broad cybersecurity ETF.
Editor’s Note: This article covers one or more microcap stocks. Please be aware of the risks associated with these stocks.
Enjoyed this article? Sign up for our newsletter to receive regular insights and stay connected.