How to Use This Cybersecurity Resource
AI Cyber Authority operates as a structured public reference directory for the AI-integrated cybersecurity services sector in the United States. This page describes the organizational logic of the directory, the categories of professionals and researchers it serves, and the standards that govern how listings and reference content are structured. The cybersecurity sector intersects with regulatory frameworks administered by agencies including the Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST), and the Federal Trade Commission (FTC), making accurate, current directory navigation a functional necessity for service seekers and procurement professionals alike.
Feedback and updates
Directory content across AI Cyber Authority is maintained against a defined review cycle. Listings, classification categories, and reference content are updated when regulatory standards change, when named service categories are reorganized, or when coverage gaps are identified through structured review.
NIST publishes ongoing updates to its Cybersecurity Framework (CSF), most recently formalizing CSF 2.0 through the NIST Cybersecurity Framework publication portal. When foundational frameworks such as CSF or NIST SP 800-53 are revised, classification structures within this directory are reviewed for alignment. Similarly, CISA advisories and sector-specific guidance documents published at cisa.gov are monitored for changes that affect how AI-integrated security services are categorized.
Factual corrections, listing disputes, and scope suggestions are handled through the contact page. Submissions are reviewed against named public sources before any content update is published.
Purpose of this resource
AI Cyber Authority functions as a national-scope directory and reference index for professionals, organizations, and researchers operating within the AI-augmented cybersecurity services sector. The directory does not provide legal, compliance, or professional advice. It maps the service landscape — identifying provider categories, qualification standards, regulatory touchpoints, and sector structure — to support informed service discovery and procurement decisions.
The cybersecurity services sector includes at least 4 distinct regulatory layers that shape how providers operate:
- Federal baseline standards — NIST SP 800-53 (Security and Privacy Controls for Information Systems) and the NIST Cybersecurity Framework define the control taxonomies most enterprise and government procurement processes reference.
- Sector-specific mandates — Healthcare organizations fall under HIPAA Security Rule requirements administered by the HHS Office for Civil Rights (hhs.gov/hipaa); financial institutions operate under GLBA Safeguards Rule standards enforced by the FTC (ftc.gov).
- State-level requirements — California's CCPA and its CPRA amendments, enacted through the California Privacy Protection Agency, impose data security obligations distinct from federal frameworks.
- Emerging AI-specific guidance — Executive Order 14110 (2023) directed NIST to develop AI safety and security standards, producing the NIST AI Risk Management Framework (AI RMF 1.0), which applies directly to AI-integrated security service providers.
The directory's classification structure is organized around these regulatory layers, not around marketing categories. A provider listed under "AI Threat Detection" is classified by the technical function and applicable compliance framework, not by vendor self-description.
The full scope of the directory's coverage is described in Directory Purpose and Scope.
Intended users
Three primary user categories navigate AI Cyber Authority for distinct purposes:
Service seekers and procurement professionals use the directory to identify qualified vendors and service providers within specific regulatory or technical categories. An organization subject to FedRAMP authorization requirements, for example, needs to locate providers whose AI security tooling has undergone the FedRAMP authorization process administered by the General Services Administration — not simply vendors who claim federal market experience.
Industry professionals and practitioners — including CISOs, security architects, and compliance officers — use the reference content to cross-reference service categories against named frameworks such as NIST SP 800-171 (Protecting Controlled Unclassified Information) or the DoD Cybersecurity Maturity Model Certification (CMMC) program administered through the Office of the Under Secretary of Defense for Acquisition and Sustainment.
Researchers and analysts tracking the structure of the AI-integrated cybersecurity market use the directory's classification taxonomy as a reference index. The distinction between, for example, AI-native security operations center (SOC) services and AI-augmented traditional MSSP offerings represents a meaningful structural boundary — one that affects both procurement criteria and regulatory applicability.
The AI Cyber Listings section presents the full provider index organized by these user-relevant categories.
How to navigate
The directory is organized into three functional layers:
Reference content covers the regulatory and standards landscape, service category definitions, and qualification frameworks. This includes summaries of applicable NIST, CISA, and sector-specific standards. Reference content does not endorse specific providers.
Listings index presents categorized provider entries. Listings are classified by primary service function, applicable compliance framework, and geographic service scope. Entries are cross-referenced against at least 1 named regulatory or standards framework to establish the classification basis.
Classification boundaries distinguish between adjacent but distinct service types. The most operationally significant boundary within AI cybersecurity is between:
- AI-native platforms — tools and services built from inception on machine learning architectures for threat detection, response automation, or identity analytics; and
- AI-augmented legacy services — traditional MSSP, SIEM, or endpoint protection offerings that have integrated AI modules into existing product lines.
This distinction matters for procurement because FedRAMP authorization, SOC 2 Type II attestation, and DoD CMMC Level 2 or Level 3 assessments evaluate the underlying architecture and operational controls — not marketing positioning.
Navigation begins at How to Use This AI Cyber Resource for structural orientation, then proceeds to the listings index or reference sections based on the user's specific research or procurement need.