Here’s a fun way to think about cybersecurity: sometimes the thing that makes you safer also makes you vulnerable. Take Anthropic, the AI-safety company. Earlier this month, due to a simple human error, about 2,000 of its internal files accidentally leaked out. It’s the kind of headline that makes investors in cybersecurity stocks—and the ETFs that bundle them—nervously check their portfolios. And sure enough, it sent a shockwave through the sector.

The Global X Cybersecurity ETF (BUG) took a notable 4.5% single-day plunge last week. It was a moment where the market seemed to be asking: if a company focused on AI safety can have a basic security slip-up, are the old ways of defending digital fortresses even enough anymore? The jitters weren't happening in a vacuum. According to reports, U.S. officials last week privately warned major banks about a powerful new AI system that could expose critical cybersecurity weaknesses. The message was clear: the threat landscape is evolving, fast.

But the Anthropic incident might just be a symptom of a much deeper, more fundamental problem. According to a survey by the Trusted Computing Group, a staggering 91% of companies haven’t even figured out a strategy for quantum-resistant encryption yet. Let that sink in. Meanwhile, the 2026 Thales Data Threat Report adds another layer of concern: 61% of firms see "harvest-now-decrypt-later" attacks as their primary threat. That’s where bad actors steal encrypted data today, banking on future tech (like quantum computers) to crack it open later. And here’s the kicker: only 47% of sensitive data stored on clouds is currently encrypted, which is actually down from 51% last year. So, the threat is growing, but the basic defense of encryption isn’t keeping pace.

AI Is Forcing Everyone to Rethink the Playbook

If you look at what companies are actually doing, though, you can see the gears turning. The industry is in the middle of a hard pivot toward AI-native and automated security. It’s not just talk.

SentinelOne Inc. (S) has expanded its work with Alphabet Inc. (GOOGL) to build autonomous threat detection using cloud tech. Elastic N.V. (ESTC) just scored a FedRAMP High accreditation, which is basically a golden ticket to handle the U.S. government’s most sensitive data. Rapid7 Inc. (RPD) is pushing into machine-level investigation after buying an agentic AI solution. And Broadcom Inc. (AVGO) is weaving together endpoints and cloud protection into a comprehensive suite on its new Symantec CBX platform.

At the same time, a whole new crop of companies is popping up to tackle the quantum problem. They’re building cryptographic platforms designed to find and fix weak encryption—getting ready for a future where today’s encryption standards might be rendered obsolete by quantum computers. It’s a market that’s still mostly under the radar, especially in the public ETF world.

Are Cybersecurity ETFs Stuck in the Past?

Which brings us back to those ETFs. The sell-off in BUG is a pretty neat example of a growing mismatch. The ETFs are holding baskets of stocks built for the last war, while the next one is already being planned in labs focusing on AI and quantum.

BUG isn’t alone. The First Trust Nasdaq Cybersecurity ETF (CIBR) and the Amplify Cybersecurity ETF (HACK) also offer broad exposure across endpoints, networks, and cloud security. Interestingly, all three funds were up about 4% on Monday. Maybe that’s the market starting to price in the new challenges—and opportunities—that these leaks and warnings are highlighting. After all, more problems mean more potential customers for cybersecurity firms.

But here’s the catch: the portfolios of these ETFs are still overwhelmingly reflective of the conventional cybersecurity framework. You won’t find meaningful investments in quantum-safe encryption startups or companies building truly self-sufficient, AI-driven defense mechanisms there. They’re betting on the incumbents adapting, not necessarily on the new guard taking over.

That dynamic could get more pronounced. If institutional investors start shifting their money toward companies working at the convergence of AI and cryptography, the old ETF compositions might start to look outdated. Sure, there will be volatility in the coming months—there always is. But the longer-term story seems to be pointing toward a reweighting. The future gains in cybersecurity might not be spread evenly across the sector. They’re likely to be concentrated in the firms that are building the defenses for the AI and quantum era, not the ones still perfecting defenses for the last generation of threats.