From Expert Systems to Agentic AI: The Evolution of AI in Cybersecurity
Key takeaways
- AI in cybersecurity has evolved from rule-based systems to generative and now agentic AI, dramatically changing both defense and attack capabilities.
- AI is a dual-use force, empowering defenders with automation and analytics while enabling attackers through deepfakes, adversarial ML, polymorphic malware, and agentic workflows.
- The fundamentals still matter. Strong identity security, least privilege, rapid patching, AI supply chain integrity, and governance frameworks remain the most reliable defenses.
Welcome back to our AI for Humans series. In our last blog, "Bridging AI’s Breadth with Human Depth," we explored practical ways to use AI more effectively. This time, we’ll explore AI’s journey through decades of innovation to see how it has reshaped the cybersecurity landscape—and what it takes to stay a step ahead.
Picture this: It’s 2019. A company executive answers a call from someone they think is their boss—urgent and demanding a wire transfer. The voice is spot-on.
But it isn’t real—it’s an AI-generated voice clone. That year, scams just like this hit headlines worldwide, including one that tricked a UK energy firm into sending over €200,000.
Fast forward to today: voices are sharper, and scams more convincing. A single deepfake-enabled attack—a realistic AI-generated voice used for deception—can now steal millions, proof that AI is accelerating the evolution of old threats.
Attacks like these raise a pressing question: How much could the next decade rewrite the rules of digital security?
Learning From the Past to Secure the Future
The 2030s are expected to be anything but ordinary, especially with AI leading the way. As Fei-Fei Li, Stanford Professor and co-director of Stanford Institute for Human-Centered Artificial Intelligence (HAI), said in a 2025 interview with Delphina: “AI is a civilizational technology. There’s very little doubt that its impact on our society is transformational.” Exactly how—and how quickly—this transformation will unfold remains to be seen, but one thing is clear: keeping our digital world safe has become a mission-critical priority.
With rapid innovation on the horizon, it’s easy to keep our eyes on the future. But as AI-powered attacks remind us, it’s just as important to look back. Understanding the twists and turns of the past is essential for staying ahead of threats in cybersecurity.
Since the mid-20th century, AI research has gone far beyond automating routine tasks, pioneering ways for computers to learn, perceive, and transform—reshaping how we solve problems in many industries.
Today, driven by breakthroughs in machine learning and automation, AI plays an increasingly central role in cybersecurity. Describing AI as both a “shield and a sword” only scratches the surface—enabling defenders to lock down digital gates while arming attackers with sophisticated tools. The stakes are high, the landscape is shifting, and the risks—as well as the opportunities—are multiplying.
That’s why we’ve crafted this timeline: to trace AI’s evolution and help you grasp the scale of its transformation—and what it means for security professionals, organizations, and anyone invested in digital trust. So, let’s start at the beginning.
Short on time? Check out our infographic for an at-a-glance summary and a few notable highlights from the journey of AI outlined below.
1970s–1990s: Introduction of Early Expert Systems & Rule-Based IDS
In its earliest days, “artificial intelligence” in cybersecurity didn’t mean self-learning systems—it meant expert systems, rule-based programs using “if–then” instructions created by humans to make decisions automatically. These systems used pre-defined knowledge rather than learning from new data.
In 1986, computer scientist Dorothy Denning published her influential paper “An Intrusion-Detection Model” at SRI International, showing that computers could monitor networks and flag anomalies—unusual events that might signal malicious activity. These rule-based Intrusion Detection Systems (IDS) watched for suspicious patterns in network or system activity, introducing the idea that threats could be found by spotting abnormal behavior, not just matching virus signatures (digital fingerprints of known malware).
In the 1990s, AI research—including in cybersecurity—was shaped by an AI Winter, a period of reduced funding and interest after the early expert-system boom faded. Nonetheless, research in neural networks and Bayesian statistical methods continued to move beyond strict rule sets. The U.S. DARPA Intrusion Detection Evaluation Program (1998) created benchmark datasets to test rule- and learning-based prototypes. Commercial tools added heuristic malware detection—scanning individual files and programs for suspicious traits or behaviors even if they didn’t match a known virus—and early log-correlation systems that centralized event logs from multiple sources.
These innovations formed the foundations of Security Information and Event Management (SIEM) platforms and machine-learning-driven security analytics of the 2000s, and are still widely used in cybersecurity today.
2000–2015: Behavioral Analytics, Anomaly Detection, and Adversarial Machine Learning
By the 2000s, machine learning (ML) broke free from static rules—learning “normal” behavior for users, devices, and applications, then detecting behavioral anomalies such as an employee who typically logs in from California during business hours but suddenly accesses systems abroad at 3 a.m.
This approach caught threats traditional defenses often missed—like unusual employee activity (insider threats), stolen password use (credential misuse), or stealthy breaches designed to avoid detection.
By the early 2010s, advancements in supervised learning (decision trees, logistic regression), unsupervised learning (k-means clustering), and specialized anomaly detection (one-class SVM) enabled security tools to model behavior dynamically rather than rely solely on fixed rules. This evolution led to User and Entity Behavior Analytics (UEBA) in 2015—systems that watch for suspicious behavior patterns like a careful human observer, shifting security from reactive to predictive, context-aware threat detection. As these techniques matured, ML-powered anomaly detection became an integral part of the security landscape—driving fraud prevention, web application security, and endpoint monitoring to protect user devices.
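As an added illustration that is not part of the original post, the following routine sketches the baselining approach described above: it learns each user's usual login hours and source countries, then scores new logins by how far they fall from that profile. The user, history, scoring rule and threshold are all constructed for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Login:
    user: str
    hour: int      # local hour of day, 0-23
    country: str   # country of the source address

# Constructed history: "alice" logs in from the US during business hours.
HISTORY = [Login("alice", h, "US")
           for h in (8, 9, 10, 11, 13, 14, 16, 17) for _ in range(3)]

def build_baseline(events):
    """Per-user counts of observed login hours and source countries."""
    hours, countries = defaultdict(Counter), defaultdict(Counter)
    for e in events:
        hours[e.user][e.hour] += 1
        countries[e.user][e.country] += 1
    return {"hours": hours, "countries": countries}

def _window_hits(hour_counts, hour):
    # Count logins within +/-1 hour so 8:55 and 9:05 are not "new" hours.
    return sum(hour_counts[(hour + d) % 24] for d in (-1, 0, 1))

def score(baseline, event):
    """Anomaly score in [0, 2], or None when the user has no baseline yet.

    Each feature scores 0.0 for the user's most common value and 1.0 for a
    value never seen, so a total >= 1.0 means at least one feature is new.
    """
    hour_counts = baseline["hours"].get(event.user)
    if not hour_counts:
        return None  # still in the learning period: nothing to compare against
    country_counts = baseline["countries"][event.user]
    peak_hour = max(_window_hits(hour_counts, h) for h in hour_counts)
    hour_score = 1.0 - _window_hits(hour_counts, event.hour) / peak_hour
    country_score = 1.0 - country_counts[event.country] / max(country_counts.values())
    return round(hour_score + country_score, 3)

def flag_anomalies(events, history=HISTORY, threshold=1.0):
    """Return [(event, score)] for events scoring at or above the threshold."""
    baseline = build_baseline(history)
    flagged = []
    for e in events:
        s = score(baseline, e)
        if s is not None and s >= threshold:
            flagged.append((e, s))
    return flagged
```

A 9 a.m. US login scores 0.0, the 3 a.m. login from abroad scores the maximum 2.0, and a user with no history is reported as unscorable rather than anomalous, which is why real UEBA deployments need a learning period before alerting.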
But as ML-driven analytics became embedded in real-world products, a new concern emerged: if defenders were using ML, could adversaries target the models themselves? This gave rise to “adversarial machine learning,” a field focused on keeping ML systems secure while under attack.
Researchers in this field uncovered risks such as data poisoning, where training data is manipulated so the model learns the wrong behavior; evasion, where carefully crafted “adversarial examples”—like a subtly altered stop sign—cause confident mistakes; and privacy leakage, where attackers determine whether specific records were used to train a model.
Some researchers also discovered that by asking a model questions and analyzing the answers, attackers could “clone” its behavior—even without seeing how it works internally.
These advances led to sharper attack tactics, and early countermeasures struggled to keep up. In response, new protective methods emerged:
- Adversarial training: include malicious examples in training.
- Certified robustness: mathematical guarantees that a model withstands certain attacks.
- Input sanitization: filter/change suspicious inputs before processing.
- Privacy-preserving approaches: differential privacy (adding statistical noise to data so no individual stands out) and federated learning (training models on users’ devices so raw data never leaves them).
These concepts and safeguards still form the foundation of AI security conversations today.
2016–2020: Breakthrough Events & Emerging Threats
By the late 2010s, AI moved from research promise to operational reality—equally capable of autonomous defense and offensive misuse. In 2016, the DARPA Cyber Grand Challenge at DEFCON 24 saw AI systems detect vulnerabilities, generate patches, and apply them in real time without human help. They could even spot incoming threats and launch countermeasures instantly. The challenge cut remediation from weeks to minutes, while also serving as a cautionary tale about machine-led decisions made without human oversight.
Meanwhile, foundational research was making revolutionary strides. Google’s 2017 Transformer architecture in their landmark paper “Attention is All You Need” planted the first seed for today’s modern large language models (LLMs). Transformers use an attention mechanism to focus on relevant data, capture long-range dependencies, and process information in parallel.
Building on this, BERT (Bidirectional Encoder Representations from Transformers) arrived in 2018, transforming Natural Language Processing (NLP) with the ability to understand words in context—powerful for detecting phishing patterns and analyzing threat intelligence. These innovations laid the groundwork for modern generative AI.
As AI’s capabilities expanded, threat actors adapted—by 2019, deepfakes and voice cloning had moved from novelty to serious business risk, enabling executive impersonation and fraud. In response to rising threats, adoption of User and Entity Behavior Analytics (UEBA)—available since 2015—accelerated as the technology was increasingly built into SIEMs, platforms that centralize and analyze security data across an organization’s systems. Using behavioral baselining, anomaly detection, and advanced correlation—often enhanced by risk‑based analytics to score and prioritize potential threats—these tools help analysts highlight suspicious activity and connect related events to identify indicators of compromise.
This four-year stretch cemented AI’s central role in shaping the cybersecurity playing field, setting the stage for even more sophisticated and high-stakes uses in the decade ahead.
2022–2024: A New Era of Generative AI
By the early 2020s, generative models (AI systems that create new text, images, and code by learning patterns in data) transformed cybersecurity. November 2022 marked a turning point with OpenAI’s release of “ChatGPT,” an AI chatbot able to answer questions, debug code, brainstorm, and produce everything from phishing emails to detailed security reports. As it moved from niche developer use to public access, organizations updated governance policies and tightened controls to prevent misuse.
In 2023, those concerns shifted from theory to practice as HYAS Labs unveiled Black Mamba, a proof-of-concept showing how a large language model (LLM) could generate polymorphic malware—code that changes with each run. With no files to scan or traditional command-and-control infrastructure, this self-evolving malware evaded Endpoint Detection and Response (EDR) systems and exfiltrated credentials. Black Mamba demonstrated how LLMs could automate, adapt, and personalize threats that challenge traditional defenses.
It didn’t take long for the underground ecosystem to take notice; dark-web marketplaces began offering “malicious GPTs” like “FraudGPT” and “WormGPT”. These ranged from lightly repackaged open-source models to simple prompt libraries. Many had little proven capability, but their accessibility and marketing fueled hype, lowering the barrier for AI-driven cybercrime.
This wave of experimentation exposed deeper, systemic weaknesses in generative AI. The same capabilities that make LLMs powerful also introduced a new class of risks, which the Open Worldwide Application Security Project (OWASP) outlined in its Top 10 for LLM Applications (see SURGe’s research on the topic here), including:
- Prompt injection: tricking a model into ignoring instructions
- Tool-call hijacking: redirecting model integrations to leak data or take unwanted actions
By early 2024, these LLM‑specific risks were demonstrated in practice when researchers prompted GPT‑4 to recreate critical exploits from detailed Common Vulnerabilities and Exposures (CVE) descriptions. The model outperformed traditional scanners when given high‑quality context, illustrating that crafted inputs can produce functional exploit code—reinforcing the need for rapid patching, careful disclosure, and strict input controls.
That same year, security operations advanced with the introduction of LLM-powered assistants. Unlike earlier ML tools that focused on scoring and clustering alerts, these generative AI systems could answer analyst queries in plain language, summarize logs and threat reports, correlate data, and draft recommended investigation steps. They provided conversational, context-rich support—a step towards more autonomous, task-oriented AI.
By the end of this period, generative AI had reshaped cybersecurity on both sides of the threat equation, making governance and agility as critical as the technology itself—and paving the way for agentic AI.
2025–Present: Rise of Agentic AI
By early 2025, rapid advances in generative AI opened the door for Agentic AI—systems built on large language models (LLMs) that can pursue specific goals through sequences of actions—often by autonomously calling external tools, APIs, or services. Unlike traditional systems, agentic AI can perceive its environment, make decisions, and adapt strategies in real time with limited or no human intervention.
While the real-world effectiveness of such agents in malicious operations remains uncertain, their autonomy and adaptability have raised legitimate concerns. In theory, malicious agents could operate across three broad phases:
- Preparation: probing networks for weaknesses, credentials, and tools
- Infiltration: breaking into systems, establishing backdoors, spreading, and evading detection
- Execution: stealing data, disrupting services, and spreading misinformation
Security leaders have taken notice, as Diana Kelley, CISO of Protect AI, warns: “Malicious AI agents could dynamically adjust their behavior to avoid detection by learning from failed attempts, modifying attack patterns, and rotating through different techniques to automatically discover which ones are most effective at going under the detection radar.”
However, when agents make API calls to hosted services, install local models (e.g., via Ollama), or embed prompts into malware—rare today but illustrative—these workflows can leave traces that offer security teams clearer opportunities for detection.
On the defensive side, early agentic AI concepts are appearing in tools like Foundation AI's PEAK Threat Hunting Assistant, which blends LLM chats, deep research, and security telemetry to guide analysts through the research and planning necessary to prepare for their hunts. This Human-in-the-Loop fusion compresses hours of work into minutes and shows how AI agents can act as force multipliers for their human users.
The growing speed and versatility of these systems may signal a paradigm shift in cybersecurity. In the wrong hands, agentic AI could act as a near-independent threat actor; in the right hands, it could become a powerful ally to security teams. Yet even the most capable agent still relies on exploitable access—making protection of credentials, tokens, and permissions critical. With identity‑centric attacks still dominant in current threat telemetry, strong identity security can greatly limit the impact of a compromise.
Key Takeaways for Defenders
Over decades of AI’s evolution—from rule‑based expert systems in the 1980s to modern agentic AI—certain practices have proven effective across threats:
- Identity is a primary attack surface: Apply strong authentication (verifying identity legitimacy) and authorization (enforcing allowable actions). Enforce least privilege access, conduct regular reviews, and deploy multi-factor authentication (MFA) broadly. Tools like Cisco Duo offer phishing-resistant options (FIDO2/WebAuthn security keys), device trust checks, and adaptive policies.
- Treat models and agents as untrusted: Isolate access, validate inputs/outputs, log actions, and enforce real-time policy.
- Secure the AI supply chain: Vet models, datasets, and dependencies; prioritize signed and provenance-verified artifacts; maintain Software Bills of Materials (SBOMs) that include AI components (see Cisco’s research on AI Supply Chain).
- Patch quickly and limit exposure: Shorten the time between identifying and fixing vulnerabilities, minimize exposed services, and tighten access.
- Stay aligned with evolving standards: Follow NIST AI Risk Management Framework (RMF) and OWASP GEN AI Security Project guidance, and update governance policies as regulations evolve.
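As an added example (not the post's code, nor any product's), here is a default-deny policy gate that puts the “treat models and agents as untrusted” guidance into practice for an agent's tool calls: an allowlist of tools and their exact arguments, a sandbox check on file paths, a human-approval requirement for sensitive actions, and a log line for every allow or deny decision. The tool names, sandbox root and limits are assumptions made for the example.

```python
import json
import logging
from pathlib import PurePosixPath

log = logging.getLogger("agent.policy")

# Constructed policy: the tools this agent may call, the exact argument names
# each accepts, and whether a human must approve the call. Default is deny.
POLICY = {
    "read_file":     {"args": {"path"}, "approval": False},
    "search_logs":   {"args": {"query", "limit"}, "approval": False},
    "create_ticket": {"args": {"title", "body"}, "approval": True},
}
SANDBOX_ROOT = "/srv/agent/workspace"  # assumed: the only tree the agent may read
MAX_LIMIT = 1000                       # assumed cap on rows one log search returns

class PolicyViolation(Exception):
    pass

def _deny(call, reason):
    # Denials are logged as warnings so a SIEM rule can alert on repeated out-of-policy calls.
    log.warning("DENY tool=%s args=%s reason=%s",
                call.get("tool"), json.dumps(call.get("args", {})), reason)
    raise PolicyViolation(reason)

def authorize(call, approved_by=None):
    """Validate a model-proposed tool call; return it if allowed, else raise."""
    name, args = call.get("tool"), call.get("args", {})
    rule = POLICY.get(name)
    if rule is None:
        _deny(call, f"tool not in allowlist: {name}")
    if set(args) != rule["args"]:
        _deny(call, f"unexpected or missing arguments: {sorted(set(args) ^ rule['args'])}")
    if name == "read_file":
        p = PurePosixPath(args["path"])
        if not p.is_absolute() or ".." in p.parts:
            _deny(call, "path must be absolute and free of '..'")
        if not str(p).startswith(SANDBOX_ROOT + "/"):
            _deny(call, "path outside sandbox")
    if name == "search_logs":
        limit = args["limit"]
        if not isinstance(limit, int) or not 0 < limit <= MAX_LIMIT:
            _deny(call, f"limit must be an int in 1..{MAX_LIMIT}")
    if rule["approval"] and not approved_by:
        _deny(call, f"{name} requires human approval")
    log.info("ALLOW tool=%s args=%s approved_by=%s", name, json.dumps(args), approved_by)
    return call

def is_allowed(call, approved_by=None):
    try:
        authorize(call, approved_by)
        return True
    except PolicyViolation:
        return False
```

A tool the model was never granted, an argument it was not given, or a path that escapes the sandbox is refused before anything executes, and the warning log gives the SOC a concrete trace of the agent being steered off-policy.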
AI is now embedded in both defender workflows and adversary playbooks, driving a rapid, continuous evolution in cybersecurity. The fundamentals remain—it’s the same playing field, but both sides are more capable: defenders can move faster, and adversaries are growing stronger.
From decades of innovation, one truth stands out: AI’s impact is accelerating and will keep reshaping the threat landscape. It’s not a black box—the more we demystify AI and understand its mechanics, the better we can turn it into an advantage. Organizations that adapt with layered defenses—strong identity protection, least-privilege access, isolation of tools and data, thorough monitoring, and up-to-date standards—can harness AI’s benefits while limiting exposure. There’s no single “magic fix,” but a well‑engineered, multi‑layered approach can be highly effective.
Authors and Contributors: As always, security at SURGe is a team effort. Credit to author Vandita Anand and collaborators: Audra Streetman, Tamara Chacon, Marcus LaFerrera, David Bianco, and Ryan Fetterman.