Two of China's most respected hedge fund managers just told their investors that the global AI rally has become a "super bubble" and the collapse point may not be far away. Yang Dong of Wealspring—who called the top of the market right before the 2007 crash—flagged the overvaluation specifically: AI companies lacking durable competitive moats, running ordinary business models, and dependent on constant capital injection just to sustain growth. Shanghai Banxia went further, telling investors that the trigger for the correction has already appeared, pointing at slowing revenue growth at frontier model labs as the first visible crack. When people with that kind of track record start using words like "super bubble," it is worth paying attention.

What the Funds Are Actually Saying

Read past the scary headline and the argument gets specific—and more interesting. Yang Dong's complaint is not that AI does not work. His complaint is that a huge slice of AI companies have built their entire pitch on a technology layer rather than a defensible business underneath it. Banxia added that the early warning sign is already visible in slowing revenue growth at frontier model labs, which means even the companies at the top of the stack are starting to show strain. This is not an attack on artificial intelligence as a capability. It is a valuation critique dressed in market cycle language—the same thing investors said about the internet right before the dot-com bust.

Every Bubble Is a Filter

Here is where this gets relevant for anyone building or buying software, especially security tooling. The dot-com crash did not kill the internet. It killed companies with a domain name and no revenue model. Amazon and Google walked out of that correction stronger because they were solving real problems people paid for. The crash was not a funeral—it was a filter. It separated the businesses with actual cash flow from the ones running on narrative and momentum. The same logic applies to AI capability warnings today. When frontier models demonstrate genuine exploitation capabilities against Chromium and Firefox, the question is not whether the capability is real. It is whether the business built around it has real demand on the other side—customers who would pay for the outcome regardless of what technology stack delivers it.

Two Kinds of AI Companies

If a correction is coming, there are really only two kinds of companies in this market. The first uses AI as the pitch itself. The product is "we have AI" and the value proposition lives entirely in the demo and the funding round deck. When capital tightens, these companies have nothing to fall back on because the AI was the whole story. The second kind uses AI as the engine for a job people already needed done and already paid for. The customer does not care that it is AI under the hood. They care that the problem got solved faster, cheaper, or better than the alternative. For these companies, an AI correction is not an extinction event—it is a clearing of competitors who were never really in the same business. The test is simple: if you stripped "AI powered" from your pitch, would anyone still buy? If the answer is no, the bubble warning is about you.

Why Security Sits on the Right Side of the Filter

Nobody buys security because it has AI in it. They buy it because the cost of not having it is catastrophic and concrete—a number you can put in a spreadsheet. Regulatory fines, customer churn, incident response costs, ransom payments, legal exposure, the deal that died in due diligence because the buyer failed a security review. The ROI of finding a vulnerability before an attacker does is not a projection on a pitch deck. It is the breach that did not happen. That is why security spending survives downturns while other technology budgets get cut first. When capital tightens, companies cut speculative bets and nice-to-haves. They do not cut the thing standing between them and a seven-figure incident with regulatory consequences. AI in security is not a story about a future that might pay off—it is a tool that compresses work that used to take a senior researcher a week into an analysis that runs in minutes.

What a Correction Would Actually Do

If the funds are right and a correction comes, it would be healthy for serious security companies rather than harmful. A downturn clears out vendors selling "AI security" as a label rather than a result, because the buyer's first question in a tight budget cycle becomes: what did this actually catch? It pushes the whole market toward proof over promises. It also changes buyer psychology. In a bull market, companies buy security to check a box. In a correction, they buy it because they cannot afford not to. The motivation gets sharper, the buyer gets more sophisticated, and the products that deliver measurable results win accounts that the hype machine used to scatter across dozens of vendors. The cloud misconfiguration problem does not get cheaper to ignore when the Nasdaq drops. The cost of an exposed storage bucket or a misconfigured IAM policy is the same regardless of where equity markets are trading.

Key Takeaways

  • Yang Dong (Wealspring) and Shanghai Banxia warned that AI valuations lack fundamental moats, not that AI capabilities are fake
  • Every market bubble is a filter, not a funeral—the dot-com crash killed domain names without revenue but left Amazon and Google stronger
  • Security spending survives downturns because the cost of a breach has a concrete number attached to it
  • A correction would benefit serious security vendors by pushing buyers toward proof over promises and clearing out AI-label competitors who cannot answer 'what did this actually catch'

The Bottom Line

The super bubble warning is not about AI failing—it is about which companies built real businesses versus which ones built their valuation on a technology buzzword. Security has always been one of those problems that customers pay to solve in any market, because the math does not change when valuations compress. If the correction comes, the companies left standing will be the ones with the clearest answer to "what do I get for my money." In security, that answer is a vulnerability found and a breach prevented—which is an answer that holds up whether the Nasdaq is at 18,000 or 8,000.