The state of AI in cyber, a mid-2026 review.
Where the field actually is, the parts we think are real and the parts we think are noise: agentic tooling, model-found bugs, the evaluation gap, adversary use, and governance.
It is worth stopping, once in a while, to write down where the field actually is rather than where the headlines put it. Here is our read on AI in cyber as of the middle of 2026, the parts we think are real and the parts we think are noise.
Agentic tooling has arrived, unevenly.
Autonomous and semi-autonomous tools are now real products: triage copilots in the security operations centre, agents that drive a penetration test, assistants wired into the ticketing stack. The good ones save real time. The weak ones are a demo that does not survive contact with a messy environment. The dividing line is almost always the same: whether the tool keeps a human decision point where a wrong move is expensive, or whether someone removed the human to make the demo cleaner.
Models are starting to find real bugs.
Language models paired with fuzzing and program analysis have begun surfacing genuine vulnerabilities in real codebases, not just toy examples. This is the development with the longest shadow. It helps defenders harden code before shipping, and it helps attackers find the same bugs. Which effect dominates depends on who has the better pipeline, and that is a race, not a settled result.
Evaluation is the unglamorous bottleneck.
Public capability benchmarks like Cybench and the NYU CTF set have made it possible to measure what these models can do on security tasks, which is progress. But a capture-the-flag score is not the same as fitness for the work an analyst does. We still lack good shared measures for calibration, for useful refusal, for whether a model's triage matches a senior practitioner's. The benchmarks tell you a model is capable. They do not tell you it is trustworthy.
Adversaries are using the tools, modestly.
Vendors who run frontier models have reported state-aligned and criminal groups using them, mostly for unremarkable work: translation, scripting, reconnaissance, tidying up code. Not yet for the autonomous-attacker scenario that makes a good headline. The realistic worry for now is acceleration of the ordinary (faster phishing, faster recon, lower language barriers) rather than a qualitatively new kind of attack. That can still change.
Governance is catching up.
Frameworks now exist to talk about this with some precision: MITRE ATT&CK for adversary behaviours, MITRE ATLAS for attacks against machine-learning systems themselves, the OWASP Top 10 for large language model applications for the failure modes of building on them, and STIX and TAXII for moving the intelligence around. None of these are complete. All of them beat the vocabulary we had two years ago.
Our position.
Mara is built for the defensive half of this picture, on purpose, with the offensive half refused. We think the next two years are won not by the most capable model but by the most trustworthy one: the model a tired analyst at 3 a.m. can believe, because it hedges when it should, refuses when it must, and shows its work. That is the thing we are trying to build, in the open, with the people who do this for a living.
Mara is a research preview from venode. Feedback, corrections and disagreements are welcome at mara@venode.ai.
