AI-Powered Threat Detection: Cutting Through the Hype


Every security vendor now claims “AI-powered” something. The marketing has gotten aggressive enough that I can’t blame small business owners for being sceptical.

Let me separate what’s genuinely useful from what’s just buzzwords.

What “AI” Actually Means in Security

When vendors say AI, they usually mean one of these things:

Machine learning for detection: Algorithms that learn what “normal” looks like and flag anomalies. This has been around for a decade and is genuinely useful.

Natural language processing: AI that understands text - useful for phishing detection, document classification, and conversational interfaces.

Large language models (LLMs): The ChatGPT-style AI that’s newer and getting a lot of attention. Useful for summarising incidents, answering questions about security data, and generating reports.

“AI” as marketing: Rules-based automation relabelled to sound modern. Not actually AI, but often sold as such.

The first three are real and valuable. The fourth is why scepticism is healthy.

Where AI Actually Helps

Phishing detection:

This is probably the most mature and valuable application of AI in security.

Traditional phishing detection relied on known-bad signatures: this sender is malicious, this URL is malicious, this attachment matches known malware.

AI-based detection looks at patterns: does this email match how this sender normally writes? Is the urgency unusual? Does the request make sense given the relationship?

The result is catching sophisticated phishing that would bypass signature-based tools. Both Microsoft 365 and Google Workspace now use AI extensively for email protection, and it’s meaningfully better than what we had five years ago.

User behaviour analytics:

AI can build profiles of normal user behaviour and flag anomalies:

  • User logs in from an unusual location
  • User accesses files they’ve never touched before
  • User downloads unusual amounts of data
  • User works at unusual hours

This catches insider threats and compromised accounts that other tools miss.

The ACSC’s Essential Eight doesn’t explicitly require this, but it’s a powerful complement to the controls that are required.
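To make the four anomaly types above concrete, here is an added example (not code from the original post or from any vendor named here) of a minimal per-user baseline: it learns which countries, hours, files and download sizes are normal for a user from constructed sample history, then returns the reasons a new event deviates. The events, the 3-sigma volume threshold and the one-hour tolerance around the user's usual working hours are all assumptions for the illustration.

```python
"""
Added example: a per-user behaviour baseline that flags unusual location,
never-before-accessed files, unusual hours and unusual download volume.
All sample events are constructed; thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed history: (user, timestamp, country, file, bytes_downloaded)
HISTORY = [
    ("alice", "2024-03-04T09:12:00", "AU", "budget.xlsx", 120_000),
    ("alice", "2024-03-05T10:03:00", "AU", "budget.xlsx", 80_000),
    ("alice", "2024-03-06T14:40:00", "AU", "forecast.xlsx", 150_000),
    ("alice", "2024-03-07T09:55:00", "AU", "budget.xlsx", 95_000),
    ("alice", "2024-03-08T16:20:00", "AU", "forecast.xlsx", 110_000),
    ("alice", "2024-03-11T11:05:00", "AU", "budget.xlsx", 130_000),
]


class UserBaseline:
    """Profile of one user's normal countries, hours, files and download sizes."""

    def __init__(self):
        self.countries = set()
        self.hours = set()
        self.files = set()
        self.sizes = []

    def learn(self, ts, country, file, size):
        self.countries.add(country)
        self.hours.add(datetime.fromisoformat(ts).hour)
        self.files.add(file)
        self.sizes.append(size)

    def score(self, ts, country, file, size, z_threshold=3.0):
        """Return the list of reasons this event deviates from the baseline."""
        reasons = []
        hour = datetime.fromisoformat(ts).hour
        if country not in self.countries:
            reasons.append(f"unusual location: {country}")
        if file not in self.files:
            reasons.append(f"never-before-accessed file: {file}")
        # Unusual hours: outside the user's observed span, widened by one hour (assumed tolerance)
        if not (min(self.hours) - 1 <= hour <= max(self.hours) + 1):
            reasons.append(f"unusual hour: {hour:02d}:00")
        # Unusual volume: z-score of this download against the user's own history
        mu, sigma = mean(self.sizes), pstdev(self.sizes)
        if sigma > 0 and (size - mu) / sigma > z_threshold:
            reasons.append(f"unusual download volume: {size} bytes")
        return reasons


def build_baselines(events):
    """Learn one baseline per user from historical events."""
    baselines = defaultdict(UserBaseline)
    for user, ts, country, file, size in events:
        baselines[user].learn(ts, country, file, size)
    return baselines


def evaluate(baselines, event):
    """Score a new event; a user with no history cannot be judged against a baseline."""
    user, ts, country, file, size = event
    if user not in baselines:
        return ["no baseline for user"]
    return baselines[user].score(ts, country, file, size)


if __name__ == "__main__":
    profiles = build_baselines(HISTORY)
    print(evaluate(profiles, ("alice", "2024-03-12T10:00:00", "AU", "budget.xlsx", 100_000)))
    print(evaluate(profiles, ("alice", "2024-03-12T03:14:00", "NZ", "hr-salaries.xlsx", 2_000_000)))
```

The second event trips all four checks at once; in practice a single reason (a new country while the user is travelling, say) is exactly the kind of false positive that needs the human context discussed later in the post.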

Endpoint detection and response (EDR):

Modern EDR tools use AI to spot malicious behaviour patterns, not just known malware signatures.

When ransomware encrypts files, it follows patterns. When attackers move through a network, they leave behavioural traces. AI can spot these patterns even when the specific malware is new.

This is why EDR has become essential for businesses of any size. The AI does the heavy lifting that would be impossible for humans to do manually at scale.

Alert triage:

Security tools generate alerts. Too many alerts. AI can help prioritise:

  • This alert matches a pattern that’s usually a false positive
  • This alert matches a pattern associated with real attacks
  • These three alerts are probably related to the same incident
  • This alert should be investigated first based on risk

This reduces alert fatigue and helps limited security resources focus on what matters.

Where AI Falls Short

Understanding context:

AI doesn’t understand your business. It doesn’t know that your finance team legitimately processes large transactions on Fridays. It doesn’t know that your CEO is travelling this week. It doesn’t know that you’re in the middle of a major project that changes normal patterns.

This leads to false positives that require human judgement to resolve. AI is a filter, not a decision-maker.
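The four triage outcomes listed under “Alert triage” and the “AI is a filter, not a decision-maker” point above can be shown in one small piece of logic. The following added example (not from the original post or any vendor's product) scores alerts from a constructed pattern reputation table, groups alerts on the same host within a 30-minute window into one incident, ranks incidents by total risk, and then applies business context a model would not know: the finance host's routine Friday transfers and an executive who is travelling. The pattern names, scores, hosts and context table are all assumptions.

```python
"""
Added example: alert scoring, correlation into incidents, risk ranking, and
business-context suppression. Alerts, pattern scores and context are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed pattern reputations (assumed). In a real tool these would come
# from a model's feedback loop; they are fixed here so the example runs offline.
PATTERN_SCORES = {
    "backup_agent_mass_read": 1,      # almost always a false positive
    "office_spawns_powershell": 8,    # strongly associated with real attacks
    "large_outbound_transfer": 6,
    "login_new_country": 5,
    "new_scheduled_task": 7,
}

# Constructed business context: what a human knows and the model does not.
CONTEXT = {
    "travelling_users": {"ceo"},                    # away this week
    "weekly_bulk_transfers": {("finance-01", 4)},   # (host, weekday); 4 = Friday
}


def score_alert(alert):
    """Base score from pattern reputation, reduced when business context explains the alert."""
    score = PATTERN_SCORES.get(alert["pattern"], 4)  # unknown patterns get a middling score
    weekday = datetime.fromisoformat(alert["time"]).weekday()
    if alert["pattern"] == "login_new_country" and alert["user"] in CONTEXT["travelling_users"]:
        score -= 4
    if alert["pattern"] == "large_outbound_transfer" and (alert["host"], weekday) in CONTEXT["weekly_bulk_transfers"]:
        score -= 4
    return max(score, 0)


def correlate(alerts, window_minutes=30):
    """Group alerts on the same host that fall within a rolling time window into incidents."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["time"]):  # ISO timestamps sort lexicographically
        by_host[a["host"]].append(a)
    incidents = []
    for host_alerts in by_host.values():
        current = [host_alerts[0]]
        for a in host_alerts[1:]:
            gap = datetime.fromisoformat(a["time"]) - datetime.fromisoformat(current[-1]["time"])
            if gap <= timedelta(minutes=window_minutes):
                current.append(a)
            else:
                incidents.append(current)
                current = [a]
        incidents.append(current)
    return incidents


def triage(alerts):
    """Return incidents ordered by descending total risk score."""
    ranked = []
    for inc in correlate(alerts):
        ranked.append({
            "host": inc[0]["host"],
            "score": sum(score_alert(a) for a in inc),
            "patterns": [a["pattern"] for a in inc],
        })
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


# Constructed sample alerts; 2024-03-08 is a Friday.
ALERTS = [
    {"time": "2024-03-08T09:00:00", "host": "finance-01", "user": "fin-clerk", "pattern": "large_outbound_transfer"},
    {"time": "2024-03-08T09:05:00", "host": "ws-22", "user": "jen", "pattern": "office_spawns_powershell"},
    {"time": "2024-03-08T09:09:00", "host": "ws-22", "user": "jen", "pattern": "new_scheduled_task"},
    {"time": "2024-03-08T09:20:00", "host": "ws-22", "user": "jen", "pattern": "large_outbound_transfer"},
    {"time": "2024-03-08T02:00:00", "host": "srv-backup", "user": "svc-backup", "pattern": "backup_agent_mass_read"},
    {"time": "2024-03-08T07:30:00", "host": "laptop-ceo", "user": "ceo", "pattern": "login_new_country"},
]

if __name__ == "__main__":
    for row in triage(ALERTS):
        print(row)
```

Three alerts on ws-22 become one incident that outranks everything else; the finance transfer and the CEO's foreign login drop to the bottom only because a person encoded that context. Note that context lowers a score, it never zeroes out a high-reputation pattern: the filter narrows the queue, the decision stays with the analyst.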

Novel attack techniques:

AI learns from patterns. If attackers do something genuinely new - something that doesn’t match any pattern in the training data - AI may miss it.

This is the fundamental limitation: AI is good at finding things similar to what it’s seen before. It’s less good at finding things that are genuinely novel.

Adversarial attacks:

Attackers know security tools use AI. Sophisticated adversaries specifically design attacks to evade AI detection:

  • Staying within “normal” behaviour patterns
  • Moving slowly to avoid triggering anomaly detection
  • Using legitimate tools for malicious purposes
  • Mimicking normal user behaviour

The AI arms race is real. Detection improves, evasion techniques improve, detection improves again.
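Of the evasion techniques listed above, “moving slowly” is the one a defender can demonstrate numerically. The added example below (not from the original post) compares a naive per-day byte threshold with a check on the trailing seven-day total against the same user's own history: steady activity that never exceeds the daily limit is invisible to the first detector and obvious to the second. The daily byte counts, the 60-day learning period, the 7-day window and the 3-sigma threshold are all constructed assumptions.

```python
"""
Added example: why a fixed per-day threshold misses slow, steady activity,
and how a trailing-window total compared with the user's own history catches it.
Daily byte counts are constructed.
"""
from statistics import mean, pstdev


def daily_threshold_alerts(daily_bytes, limit):
    """Naive detector: fire on any single day above a fixed limit."""
    return [day for day, b in enumerate(daily_bytes) if b > limit]


def rolling_window_alerts(daily_bytes, history_days=60, window_days=7, z=3.0):
    """Fire when a trailing window total is far above the window totals seen during history.

    history_days: initial period used only to learn what normal window totals look like.
    window_days:  length of the trailing window being evaluated each day.
    """
    def window_total(end):
        # Sum of the window ending at index `end`, inclusive.
        return sum(daily_bytes[max(0, end - window_days + 1): end + 1])

    # Baseline: every complete window that ends inside the learning period.
    baseline = [window_total(i) for i in range(window_days - 1, history_days)]
    mu, sigma = mean(baseline), pstdev(baseline)
    alerts = []
    for day in range(history_days, len(daily_bytes)):
        if sigma > 0 and (window_total(day) - mu) / sigma > z:
            alerts.append(day)
    return alerts


# Constructed data (MB per day): 60 normal days cycling 90/97/104, then 14 days
# at a steady 120 MB, which is 20% above normal but well under a 200 MB daily limit.
NORMAL = [100 + ((i * 7) % 21) - 10 for i in range(60)]
DAILY = NORMAL + [120] * 14

if __name__ == "__main__":
    print("daily threshold fires on:", daily_threshold_alerts(DAILY, 200))
    print("rolling window fires on:", rolling_window_alerts(DAILY))
```

The per-day check never fires; the window check fires on day 60, the first day the elevated rate appears, because the user's own history is so regular that a 20% rise in the weekly total is already more than three standard deviations out. The point for tool evaluation is that “anomaly detection” is only as good as the window and baseline it uses, which is a fair specific question to put to a vendor.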

What SMBs Should Actually Do

1. Use the AI you already have

If you’re on Microsoft 365 Business Premium, you have Defender for Business with AI-powered threat detection. Make sure it’s configured properly.

If you’re using Google Workspace, AI powers their phishing and malware detection. Verify it’s enabled at the strongest settings.

Most SMBs already have AI security tools - they just haven’t optimised the configuration.

2. Consider managed EDR

Endpoint detection and response is now accessible to small businesses. Services like:

  • CrowdStrike Falcon Go
  • Microsoft Defender for Business
  • SentinelOne
  • Huntress (designed specifically for SMBs)

These use AI for threat detection but don’t require security expertise to manage. Many can be deployed through IT providers.

3. Don’t buy “AI” for its own sake

When evaluating security tools, ask specific questions:

  • What specific problems does this AI solve?
  • What’s the false positive rate?
  • What happens when the AI is wrong?
  • Does this require security expertise to operate effectively?

If the answer is vague buzzwords about “next-generation protection,” be sceptical.

4. Integrate with human expertise

AI is a tool. It needs human judgement for context, for complex decisions, and for handling novel situations.

Working with AI consultants in Sydney or similar specialists can help configure AI tools properly and interpret their outputs. The combination of AI detection and human expertise is more powerful than either alone.

The Vendor Landscape

A quick tour of what major vendors are actually offering:

Microsoft:

  • Copilot for Security (expensive, enterprise-focused)
  • Defender for Business (AI-enhanced, SMB-appropriate)
  • Entra ID Protection (identity-focused AI)

Google:

  • Chronicle Security Operations (enterprise)
  • Workspace AI protections (available to all Workspace users)

CrowdStrike:

  • Charlotte AI for threat investigation
  • Falcon AI for detection and response
  • Actually substantive AI, not just marketing

Palo Alto Networks:

  • AI-powered SIEM and XDR
  • Enterprise-focused but powerful

SMB-focused options:

  • Huntress (AI-assisted threat detection with human oversight)
  • Blumira (simplified SIEM with AI triage)
  • Perch Security (now ConnectWise SIEM)

The pattern: enterprise vendors have sophisticated AI that requires expertise to use. SMB-focused vendors wrap AI in simpler interfaces.

Cost Considerations

What’s essentially free:

  • AI enhancements in Microsoft 365 and Google Workspace (included in plans you’re probably already paying for)

Affordable for SMBs:

  • Managed EDR services ($3-10 per endpoint per month)
  • SMB-focused security platforms ($500-2,000 per month for small businesses)

Enterprise pricing:

  • Advanced AI platforms like Copilot for Security
  • Full SIEM/SOAR deployments
  • Dedicated threat intelligence feeds

For most Australian SMBs, the affordable tier provides meaningful protection. Enterprise tools are overkill unless you have dedicated security staff.

My Honest Assessment

AI in security is real, useful, and worth adopting. It’s not hype - it’s a genuine improvement over previous approaches.

But it’s also oversold. AI doesn’t replace security fundamentals. It doesn’t eliminate the need for human judgement. It doesn’t catch everything.

Think of AI as a force multiplier. It makes security teams more effective. It makes tools smarter. It catches things that would otherwise be missed.

But you still need the fundamentals in place. Patching. MFA. Backups. User training. The Essential Eight framework.

AI makes good security better. It doesn’t make bad security good.

What’s Coming Next

The pace of AI development is rapid. What I expect over the next few years:

More natural language interfaces: Asking security questions in plain English instead of complex query languages. This is already emerging and will become standard.

Better integration: AI that works across multiple security tools, correlating data from endpoints, identity, email, and network. Less siloed detection.

Autonomous response: AI that doesn’t just detect threats but takes action automatically. This exists today but will become more sophisticated.

Personalised baselines: AI that learns your specific business context, reducing false positives and improving detection accuracy.

The direction is clear: more AI, better AI, more accessible AI. The question for SMBs is how to adopt it practically without overcomplicating their security posture.

Specialists like AI consultants in Brisbane are increasingly helping businesses navigate this - figuring out which AI capabilities are worth adopting and how to implement them effectively.

Practical Next Steps

  1. Audit what you have: List your current security tools and verify AI features are enabled and configured.

  2. Fill the gaps: If you don’t have EDR, that’s the highest-value addition for most SMBs.

  3. Talk to your IT provider: Ask what AI capabilities they’re using and whether you’re getting the benefit.

  4. Be a sceptical buyer: When vendors pitch AI, ask for specifics. Vague claims are warning signs.

  5. Keep fundamentals first: AI enhances the Essential Eight; it doesn’t replace it.

The best AI security is the kind that works in the background, catching threats and reducing noise, without requiring you to become an AI expert.

That’s achievable. Start with what you have, add what you need, and don’t overcomplicate it.