Cyber stocks plunge, but Anthropic’s security tool isn’t a killer app
Investors panic over AI-driven code scanning, though the threat to cybersecurity firms appears limited.
If there’s one thing investors love, it’s panicking over every new AI feature that hits the market.
In recent weeks, shares of software and cloud services (SaaS) companies have plunged following the launch of AI vibe-coding tools that allow users to build advanced applications using natural language. Data analytics and digital forensics firms fell after Anthropic introduced an add-on to its AI assistant, Claude, turning it into an autonomous agent capable of automating certain enterprise tasks. Wealth management stocks slid after the debut of AI-driven tax planning tools from startups such as Altruist. And all of this happened within a single month.
Typically, such reactions are exaggerated, either premature (because the tools are not yet ready for widespread enterprise deployment) or detached from reality (because their long-term impact is unlikely to match investors’ worst fears). But this weekend’s panic stood out even by recent standards.
Cybersecurity stocks fell sharply on Wall Street on Friday after Anthropic launched an update that adds code-level security scanning capabilities to Claude. Anthropic is widely considered one of the strongest players in the enterprise AI market, and new features aimed at organizations tend to ripple quickly through adjacent sectors. This time, cyber investors reacted swiftly, and brutally.
CrowdStrike fell 8%. Cloudflare dropped 8.1%. Zscaler declined 5.5%, SailPoint slid 9.4%, Okta fell 9.2%, and Israel’s JFrog plunged nearly 25%. The Global X Cybersecurity ETF lost 4.9%, reaching its lowest level since November 2023.
The selloff was particularly striking given the sector’s massive gains over the past three years. CrowdStrike, for example, has risen nearly 250% during that period, despite suffering a major software update glitch that crashed computer systems and disrupted essential services such as airports and hospitals.
At first glance, investor concerns are understandable. A new AI-powered security tool appears to threaten parts of the cyber industry’s business model.
But in reality, Anthropic’s new capability is relatively narrow. The tool scans code for vulnerabilities and suggests fixes for human review. It is designed to help development teams identify weaknesses that traditional static analysis tools might miss.
It is useful, but it is not a replacement for cybersecurity platforms.
CrowdStrike, for example, provides cloud-based endpoint protection that combines antivirus capabilities with threat detection and real-time response. Cloudflare protects against distributed denial-of-service (DDoS) attacks and secures network infrastructure. SailPoint and Okta specialize in identity management and detecting suspicious user behavior.
Claude’s new feature focuses on identifying potential weaknesses in source code during development, long before the software becomes operational.
Further evidence that this is not a revolutionary disruption can be found at Google. The company has long used an internal Gemini-based tool capable of identifying code vulnerabilities and suggesting fixes. Despite this, Google has maintained extensive cybersecurity operations, and nevertheless agreed to acquire Israeli cloud security firm Wiz in a $32 billion deal.
Cybersecurity is a vast, complex and constantly evolving field. A niche product aimed at development-stage code scanning does not eliminate the need for endpoint protection, identity management, network defense or threat intelligence.
Or, as the analogy goes: inventing a home smoke detector does not eliminate the need for a fire department.
For now, the market’s reaction appears more Pavlovian than rational, a reflexive fear of AI disruption rather than a sober assessment of product capabilities.
That said, one caveat remains: this assessment holds true only at the time of writing. AI development is advancing at extraordinary speed. It is entirely possible that within weeks, perhaps even days, a new product could emerge that poses a genuine threat to cybersecurity incumbents and justifies a sharp repricing.
But Claude’s latest feature is not that product.
