A cybersecurity report allegedly compiled with the help of AI has led to a lawsuit against Palo Alto Networks and the recently acquired Koi Security. Software company MeetingTV claims it was wrongly portrayed as part of a Chinese cybercriminal operation, with far-reaching consequences for the availability of its services.
According to The Register, the case centers on a threat intelligence blog post published by Koi Security in late December, several months before Palo Alto Networks acquired the company. MeetingTV claims the report contained serious factual errors, which it alleges stemmed from AI analyses conducted without sufficient human oversight. The startup is seeking damages and a retraction.
AI allegedly made incorrect connections
According to the complaint, Koi Security used its own analysis platform, Wings, to draw connections between various cyber campaigns. AI plays a key role in this process. In doing so, MeetingTV was allegedly wrongly linked to a purported Chinese threat group named DarkSpectre.
The plaintiff argues that these conclusions were not based on sound technical evidence but were the result of erroneous correlations that were subsequently published as facts without sufficient verification.
Palo Alto Networks confirmed to The Register that it is aware of the lawsuit. The company points out that the report in question was published before the acquisition of Koi Security was finalized. According to the vendor, the investigation was conducted with the intention of identifying cyber threats, and the matter will be resolved in court.
Blocks by security firms
MeetingTV states that the consequences of the report were immediately noticeable. Various security vendors and internet service providers reportedly flagged the company’s domains and services as malware or command-and-control infrastructure, preventing customers from accessing the services.
According to founder and CEO Michael Robertson, it was only because of these blocks that he discovered the report existed. Koi Security reportedly did not contact him prior to publication to verify the findings. He says there was still no response afterward. It was only after Robertson approached several security firms that one of them informed him that the block was based on the Koi Security report.
Robertson says that some parties, including Verizon and Palo Alto Networks itself, have still not lifted the blocks. As a result, he says, his company continues to suffer damage.
Doubts about technical evidence
A key element of the lawsuit is a browser extension mentioned in the original report as the link between MeetingTV and the alleged cyber campaign. According to MeetingTV, this extension does not exist at all. The company says it repeatedly asked Koi Security for additional technical information but never received it.
According to the complaint, a significant portion of the analysis was therefore based on a technical lead that cannot be verified. MeetingTV suspects that an AI model fabricated this link and that the findings were published without sufficient human oversight.
Discussion on AI in threat intelligence
The lawsuit touches on a broader discussion about the use of generative AI in cybersecurity. AI is increasingly being used to analyze large amounts of threat intelligence and establish connections between incidents. At the same time, it is well known that large language models can present incorrect or fabricated conclusions when the results are not carefully reviewed.
Robertson argues that this is precisely why human verification remains essential when AI is used for analyses that could have major consequences for organizations. According to him, such verification was completely lacking in this case, resulting in his company being labeled worldwide as part of a cybercriminal network without any solid evidence to support that claim.