Mythos rejuvenated the cybersecurity sector. Earnings put the recent rally to the test

Chief executive officer at Palo Alto Networks Inc., Nikesh Arora attends the 9th edition of the VivaTech trade show at the Parc des Expositions de la Porte de Versailles on June 11, 2025, in Paris.

Chesnot | Getty Images

Anthropic's Mythos model offered a much-needed lifeline to cybersecurity firms in the age of artificial intelligence.

Yet, this week's cybersecurity earnings offered a brutal reminder that even with tailwinds, sometimes good just isn't good enough as shares of CrowdStrike and Palo Alto Networks lost 8% and 3%, respectively.

"People probably got a little over their skis," said Joseph Gallo, a software analyst at Jefferies. "Both gave accelerating guides, but at the end of the day ... a lot of these AI benefits take time, and this is a multi-year process."

Cybersecurity stocks sold off early in the year as concerns that new AI tools, capable of building apps at lightning speed, would upend their business models and, by association, every software firm.

The introduction of Mythos, a model deemed too powerful to release because it could be easily used to exploit software vulnerabilities, renewed enthusiasm for the sector, boosting shares of CrowdStrike and Palo Alto Networks more than 70% each between April and the end of May.

Both companies were early partners in Anthropic's exclusive Project Glasswing testing program, which the AI lab expanded to 150 additional partners this week, including Rubrik and Tenable.

This quarter's earnings marked the first major test for that Mythos-driven rally, and upbeat results and aggressively optimistic AI commentary from both cyber giants weren't enough for investors demanding immediate signs of an AI windfall.

Palo Alto Networks and Crowdstrike year-to-date stock chart.

The concept of good not being enough is no new phenomenon on Wall Street. Even AI darling Nvidia has succumbed to this phenomenon after failing to meet lofty estimates.

Investors headed into earnings with a similar sentiment and the hope that AI tailwinds would help cyber firms blow earnings out of the box.

Wall Street found much to cheer in those prints, but investors may be overlooking the notion that these tailwinds could take months to pay off, Gallo said.

Typical enterprise sales cycles last nine to 12 months, meaning most signs of an uptick from AI likely won't show up until the 2027 calendar year. The fourth quarter of the calendar year, Gallo added, is typically the strongest buying season for customers as businesses reset their budgets for the new year.

If an enterprise "just launched an AI product in the last quarter or two, I don't think it's fair to expect this massive uptick already."

CEOs at the world's largest cyber companies made that point clear.

Read more CNBC tech news

Model routing is a fix for AI overspending. That's a problem for OpenAI and Anthropic

Trump administration, OpenAI discussing possible government stake in the AI startup

Apple WWDC: Tim Cook's AI legacy at stake in his final developer conference as CEO

Alphabet is seeking fresh capital as stock's 4-week losing streak tests investor appetite

Palo Alto CEO Nikesh Arora told analysts this week that demand is off the charts in the Mythos era and over 1,200 companies had reached out to the cybersecurity firm to talk AI strategy. So far, the company has held 800 meetings over the last six weeks, close to 100 of which Arora said he conducted.

While demand patterns are showing positive signs, he said analysts shouldn't expect an immediate "windfall" next quarter as businesses buy into cyber, but he anticipates "robust growth."

"I wouldn't get ahead of my skis and start throwing the kitchen sink and numbers for cybersecurity companies, because there is still a process, a mechanism, a cycle that people buy in, and there's execution and deployment," he said.

CrowdStrike CEO George Kurtz echoed a similar sentiment.

The company lifted its fiscal 2027 net new annual recurring revenue growth on AI tailwinds.

Kurtz told analysts in an earnings call that AI detection and response, or AIDR, is a huge new segment that could dwarf the endpoint security market but is only in the "early innings." The company's second-quarter pipeline has already surpassed $50 million, he added.

"Once it goes really mainstream and entire companies adopt it across all of their employee and workloads, I think you're going to see just another increase in incremental opportunities," he said.

watch now