Make Hardware Great Again: How AI Is Shaking Up The Cybersecurity Market
DISCLAIMER: This note is intended for US recipients only and, in particular, is not directed at, nor intended to be relied upon by any UK recipients. Any information or analysis in this note is not an offer to sell or the solicitation of an offer to buy any securities. Nothing in this note is intended to be investment advice and nor should it be relied upon to make investment decisions. Read our full disclaimer, here.
Can Anything Save Us From The Matrix?
by Dave Noble
There has been much discussion in the media recently about AI eating software accompanied by doom-mongers predicting that software will go the way of the dodo.
However, AI can’t do everything and I believe that there are opportunities to invest in a sector that has a software element that AI is NOT, IMHO, able to reproduce. That sector is cybersecurity.
@Alex King, Cestrian has alluded to the fact that with greater propagation of AI, there is a need for security. This is a double-edged sword because AI has the potential to improve security but it also has the potential to break incorrectly implemented security measures.
Security (specifically the protection of electronic data and secrets) is based on using keys to encrypt data, secrets, and to authenticate EVERYTHING in a connected system.
A security system is only as strong as its weakest link, so a ‘best practice' is to use defense in depth; a layered approach to security to ensure that from its very foundation a security system is able to withstand remote (logical) or physical attacks from adversaries or potential attackers.
Bad actors have several distinct advantages over organizations tasked with protecting enterprise and government data. They have unlimited time, often with nation-state sponsored attacks they have unlimited budget; they can choose when, where and who to attack.
The further from the hardware that the keys are generated, the more it can be disrupted, e.g. if it employs legacy algorithms for encryption in middleware or application layer software.
So, if keys are generated by semiconductors, the foundational root of an electronic system, these ‘root’ keys can be used to ‘wrap’ other derived keys or keycodes (derived from the root key) as execution of commands is initialized further up the stack so that access to everything above it - firmware, hypervisors, operating systems and applications – requires multiple keys, all initialized from the root key, to maintain the integrity of the entire system. Any weakness in the ‘stack’ will be exploited, and most of the cybersecurity companies have experienced some level of successful attack against them leading to theft of data.
Because these key codes or other data has to be transmitted across a data bus – internally, across a link in a disaggregated data center, or a network link to or from a cloud system, that data has to be protected by encryption which we will come onto later.
Software on its own is
- Easy to copy
- Easy to reverse engineer
- Easy to debug (while running)
- Easy(er) to attack with what are known as side channels
- Easy to tamper with
So, beware of a software only based security system.
However if the provisioning (or creation) of the keys is undertaken in hardware and it is implemented correctly, it cannot be disrupted or discovered by AI based attacks.
This is because AI is programmed by algorithm so its deterministic. In other words, it cannot generate something that is truly random (it’s only pseudo random). Secrets encrypted with keys generated in hardware are secure from AI and quantum computing attacks.
So, what are the requirements for secret keys in silicon?
Mathematical Requirements
o It must be unpredictable
o Unique to each device (DUK – Device Unique key)
Physical Requirements
o Invisible to attackers – ideally invisible even to the designers of the system
o Unclonable (cannot be copied from one device to another)
o Immutable (not changeable by attackers, does not ‘wear out’ over time)
A good example of a secure root key is an SRAM PUF (Physical Unclonable Function). SRAM PUFs use the physics of the hardware, e.g. SRAM, to generate a value that is unique to each device, that is random, and the mechanism cannot be tampered with by temperature and power fluctuations (some data centers experience over 1,000 power ‘events’ in a 24 hour period), is resistant to radiation (good for use in space) and will not wear out when deployed in devices with long lifecycles (aerospace, automotive, critical infrastructure, etc.)
These attributes make the discovery of a root key difficult to ‘learn’ thereby making them resistant to AI or ML (Machine learning) based attacks.
Encryption
Encryption has been used to protect secrets since ancient times. If you want to know more about the history of cryptography, I recommend reading The Code Book by Simon Singh. It’s an entertaining read for non techies.
Encryption is at its most basic, the use of mathematical formulae to create a code to encrypt or hide, a secret. The secret being the key that puts a lock on everything in an electronic system.
Modern day encryption has two flavors; symmetric in which an encryption/decryption method is known to two parties using a shared key – and asymmetric which involves a private key - which is never shared - and a public key.
Symmetric is used for encryption/decryption of large data volumes, so is speed efficient, and less compute intensive. However, because it uses a shared key, risk of key interception is a risk. Most modern symmetric encryption uses AES. 128-bit AES is currently sufficient but is probably not quantum resistant, so many entities now use 256-bit AES.
Asymmetric encryption is used for secure key exchange. Because it uses a private key it is more secure than symmetric. Traditionally asymmetric encryption used RSA, ECDH (Elliptic Curve Diffie-Hellman) for key encryption and exchange. These became less reliable so the current standards use Elliptic Curves (ECC-192, ECC-256, ECC-384) which use scalar multiplication of prime numbers, so they cannot be reverse engineered. The number represents the number of bits in the prime.
However, quantum compute is - or will be - a major threat to security measures based on these traditional math based encryption algorithms (RSA, ECDH, ECDSA, ECC-256, 384, 521, etc.), even more of the threat than AI.
To counter this a range of post quantum cryptography (PQC) algorithms have been designed and approved by NIST.
Any cybersecurity vendor that wishes to tender for government/defense contracts needs to have a plan for implementing these algorithms now with full implementation before 2030. For more details about these algorithms and timelines for implementation you can find them HERE
So, it’s important to know which security companies use their own chips (PANW, FTNT), which use 3rd party off the shelf CPUs ( ZS, NET, CRWD), the hardware security in these chips and whose hardware includes a post quantum cryptography (PQC) roadmap, without which their systems will be vulnerable in the future.
Isn’t Quantum Computing Some Years Away?
Quantum computers are not commercially available, yet. But any data which is not secured today – even if encrypted with current encryption technologies – is at risk.
Harvest now, decrypt later (HNDL) is a cyberattack strategy used by malicious actors - again, probably nation state attackers with unlimited budget and access to massive amounts of storage – who steal and store encrypted, sensitive data today, in anticipation of being to decrypt the data using quantum computing in the future. This threat makes currently secured data (e.g., state secrets, personal, and financial data) vulnerable. If a cybersecurity company’s client data (financial services, government) is stolen in this way the remediation cost for client compensation and rearchitecting future security mechanisms would run into billions of dollars.
So, it is important to implement PQC algorithms in a cybersecurity system as soon as possible to prevent data being exploited now or in the future.
What Does This Mean for Cybersecurity Players?
For the purposes of this topic, I was going to segment the cybersecurity players into 3 buckets
1. those who implement security in software
- after conducting further research it appears that none of the major cybersecurity companies fall into this category
2. those who run their security on third party vendor hardware and rely upon either 3rd party hardware security
- this includes ZS, CRWD and NET
3. those who design their own ASICs and implement security – particularly post quantum cryptography (PQC) as part of their security strategy
- this includes PANW and FTNT
Zscaler ( $ZS )
Zscaler’s solution was originally a software only solution. Then in 2024, they introduced SD-WAN (Software Defined Wide Area Network) Branch Connector hardware appliances. These appliances are used to provide access to the Zscaler cloud for its customers. They are based on Intel Atom processors, which include an Intel TPM 2.0 device for security. Unfortunately, these devices have a checkered history most recently a series of issues including a flaw that allows attackers to execute code, bypass security controls, and read/overwrite sensitive data, with fixes requiring updated firmware. An additional concern is that hey devices may be co-located with other devices in a data center, so they may not be protected from an anti-tamper perspective.
These are probably sufficient for secure access to the Zscaler cloud for users, but it does not address how they protect their cloud from attacks on firewalls and network breachers.
CrowdStrike ( $CRWD )
CRWD states in a recent blog about AI threat protection that they use AI on their Falcon platform to prevent breaches. Their security measures are all software based. CRWD state that their Falcon platform is integrated with Nvidia GPUs for their security.
I have worked with Nvidia over a number of years and they are strong proponents of hardware security, including PQC algorithm implementation. I would therefore view it as a positive that the security of CRWD’s software can be managed by Nvidia hardware, but in order to keep their PQC strategy up to date, CRWD will need to rely on Nvidia (or any other hardware vendor that they choose to partner with) for their hardware security needs. CRWD will need to be nimble to accommodate any interface updates necessitated by Nvidia’s hardware security implementations.
Cloudflare ( $NET )
Cloudflare uses 3rd party hardware vendors, and Intel was a sole source until a couple of years ago. NET now uses AMD EPYC and Nvidia GPUs for its AI workloads.
They do state that they have been working on PQC since 2017 and that they enabled PQC on their network in 2022. But, given that early PQC drafts were not published until 2023 I’m a little skeptical of this. Their chief PQC researcher worked at a PQC IP company until 2021 so their definition of PQC may be slightly different to current published standards.
On the plus side NET recognizes the urgency of PQC and they use PQC for key exchange at the application level (TLS). However, as there is no underlying hardware security – other than that provided by their cloud partners – they are reliant on a 3rd parties for prevention of cloning or breaching of any devices in their network. AMD and Nvidia both have good hardware security, and AMD has already started implementing PQC that it acquired as part of its acquisition of Xilinx FPGAs a few years ago. (Xilinx is a significant hardware security contractor the US Government)).
Cloudflare claims that 52% of internet traffic that went through their cloud in 2024 was PQC encrypted. This leads me to believe that their implementation of PQC in the network may be increasing. But for end-to-end security, if users do not update their browsers to PQC compliant, the end-to-end security is not protected against. In other words “if a quantum attack happens in our network/cloud and it gets in because you have not updated your browser, you are liable”
Fortinet ( $FTNT )
FTNT designs their own ASICs and seem to be the most forward thinking in terms of a layered approach to security.
As highlighted in @HermitWarrior ’s excellent recent Q4 earnings review, FTNT is moving towards using hardware-based post quantum algorithms for encryption of distributing keys.
Richard Iacuelli
The are quite overt about the potential vulnerabilities in existing cybersecurity systems, and how PQC needs to be implemented as a matter of urgency. They do not mention how or where the keys are provisioned (created), perhaps for security purposes. They are integrating their software platform onto Nvidia Bluefield DPUs (formerly Mellanox ) so this could be a source of key provisioning. But the fact that they are using (their) hardware for key distribution probably means that they are using hardware to generate the root keys. This means that they have control over the provisioning and distribution of keys using post quantum encryption/decryption.
Palo Alto Networks ( $PANW )
Like FTNT, PANW also design their own ASICs. Their security is based on hardware based firewalls with network and systems data encrypted with current symmetric and asymmetric algorithms (RSA, ECDH) , and post quantum algorithms (ML-KEM) being added as they are approved by NIST.
PANW’s HSM encrypts keys with AES meaning that encryption for data transfer is secure. The only concern here is that if an attacker obtains the key from a device on the network, is that key static or is it dynamic in that a key that worked on one occasion will not work on a subsequent occasions because a system randomized the key provisioning.
However, PANW is using hardware for the underlying key encryption so one can assume that this is secure and will protect against Harvest Now Decrypt Later (HNDL) attacks.
In this current financial environment, software/SaaS is seen as being higher margin, and more advanced technology than hardware based systems, because of the ability to update systems without disrupting users.
But, I would argue that having one’s own proprietary hardware for provisioning and distributing keys securely across a large enterprise network makes the vendor more ‘sticky’ in an account. It is harder to displace a hardware based system, particularly if the hardware is sold as part of the turnkey system. For vendors, hardware represents a fixed cost for the bill of materials, so it is easier to hold the line with unit price, with smaller discounts. Software companies, in my experience, offer significant discounts to maintain growth. That may help in the short term, but in the long term it can cannibalize growth.
(Call me an old dinosaur!)
TL;DR
Provided that the security measures designed by the cybersecurity companies are implemented correctly and with the relevant hardware security and post quantum cryptography, theirs and their customers’ devices, systems and networks should be protected against AI-based attacks and quantum compute based attacks in the future.
Each of the cybersecurity companies has suffered breaches to their systems over the last few years. These are the events we know about, and it is likely that there are more breaches that we do not know about than those publicized.
I am not an analyst and not qualified to make stock recommendations.
If I had to bet on a cybersecurity stock for the long term, I would obviously look at the financial fundamentals first.
However, if I were assessing these companies from a security perspective, which has implications for reputational risk and customer retention, I would be influenced by other factors including
- how does it plan and implement its security strategy – with minimal disruption to existing large customers ?
- does it develop its own security from the ground (hardware) up – meaning it is less reliant on 3rd parties for the security of its customers and its reputation ?
- does it partner with security focused entities ? and
- is it prepared (now) for protection against post quantum cryptographic attacks at all potential attack points in its customers’ networks
Dave Noble, 17 February 2026.
DISCLOSURE: Cestrian analysts' personal accounts may hold long and/or short positions in any of the above-named stocks.