AI is reshaping cyber security at pace, accelerating both attack and defence.
This article explores how innovators can protect AI driven cyber security technologies through a balanced approach to patents and trade secrets.
Cyber security has always been an arms race. Even as defenders evolve better protection and test their systems for exploits, attackers are always developing new infiltration methods. As digital systems grow in scale and complexity, the volume and sophistication of cyber attacks continue to rise.
Artificial intelligence has turned the speed up a gear, with both attackers and defenders utilising AI to identify and exploit (or protect) vulnerabilities. As AI driven cyber security tools become increasingly valuable, companies should consider how their innovations are developed, deployed and protected.
How AI is being adopted by cyber security innovators
Attackers are beginning to use AI to automate vulnerability discovery, tailor social engineering attacks and adapt techniques in real time. AI is also being applied to offensive security, such as automated penetration testing and ‘red team’ tools that adapt as defences change.
Defenders are deploying AI agents to monitor complex systems, identify vulnerabilities and anomalies, and respond at machine speed, often across environments that would be impractical to secure manually. Increasingly, AI is also being used to predict which vulnerabilities are likely to be exploited next, allowing organisations to prioritise remediation before an attack occurs. This shift from reactive defence to predictive risk management is one of the key drivers behind AI adoption in cyber security.
AIs themselves also present their own vulnerabilities, through techniques such as prompt engineering and data poisoning. As a result, new cyber security tools are emerging to protect both internal and customer facing AI agents.
Balancing transparency and security in AI driven cyber security
There is no once-size-fits-all approach for protecting innovation in AI-based tools. Each case requires detailed consideration of the commercial goals, and crafting of an IP strategy to protect these goals. However broadly seeking, there are two key IP rights to consider:
Some elements of AI driven cyber security tools are well suited to protection as trade secrets. Aspects such as internal training methods and core model weights, or orchestration logic may never be visible to customers, allowing their secrecy to be maintained indefinitely. Similarly, trade secret protection may be the only option for particularly sensitive features, where any disclosure could weaken a system’s security or make it easier to circumvent. However, trade secrets have drawbacks. Active steps must be taken (and maintained) to protect them, and they can create difficulties when interacting with potential partners.
For this and other reasons, patents remain an important tool. They allow companies to protect innovation while enabling a degree of transparency. This may be particularly relevant for source available or auditable security software, or for start-ups seeking to draw attention (and investment) to their innovations. Patents can also play a role in partnerships and exits, where they serve as clearly defined licensable/sellable assets.
The optimal balance between patents and trade secrets is likely vary between companies, and even within the same company over time. For instance, a cyber security startup seeking investment may file a patent covering the broad architecture of its system, while keeping the most sensitive details of its implementation as trade secrets.
Patentability considerations for cyber security innovators
A fairly common misunderstanding is that software and AI cannot be patented. This may arise because patent law in the UK and Europe (and many other countries) states that computer programs “as such” are not patentable. In fact, software- and AI-based inventions are often patentable, but care must be taken to demonstrate that the invention provides a technical effect or solves a technical problem.
Another point of confusion, particularly in dual-use technologies such as hacking tools, relates to legality. Since patents are a legal right, there is sometimes an assumption that “illegal” uses of a technology cannot be protected. In fact, broader protection is available and may be quite valuable. While UK & European patent law prohibits patenting inventions “contrary to morality”, this is a higher threshold than simply “illegal”. An invention is not excluded simply because it could be misused. Indeed, with technologies such as penetration testing tools, a patent may need to cover both offensive and defensive uses, to protect against competitors in the “offensive security” market.
What can we conclude about cyber security, innovation, strategy and IP?
As AI continues to reshape cyber security (and other fields), innovators should ensure new innovations are strategically protected. The success, or failure, of AI-based approaches may increasingly shape commercial outcomes.
Our team at Potter Clarkson is experienced at providing strategic IP advice on cyber security and AI to startups, investors, and established firms. If you have any questions, please do get in touch.
.jpg)
