MeetingTV Sues Palo Alto Networks Over AI-Linked Threat Report

A videoconferencing startup has filed suit against Palo Alto Networks and its recently acquired threat intelligence firm Koi Security, alleging that flawed security research has effectively blacklisted its infrastructure across the cybersecurity industry.

MeetingTV filed its initial complaint against Koi Security on March 18, claiming the firm wrongly identified its websites as infrastructure connected to a Chinese hacking operation in a December 30 report. Palo Alto Networks, which acquired Koi in April, was added as a defendant in an amended complaint filed in May.

Why it matters

The case raises critical questions about accountability in threat intelligence research and the cascading effects when security findings spread through industry products. If AI systems are generating erroneous threat assessments, the implications extend far beyond individual companies to the reliability of cybersecurity defenses industry-wide.

The allegation at the center

MeetingTV's amended complaint focuses on what it describes as a fundamental error in Koi's analysis. The company argues that a browser extension Koi cited as linking a "Zoom Stealer" campaign to a broader cybercrime operation cannot actually be identified among the extension IDs listed in the report. MeetingTV contends this discrepancy could indicate an AI-generated hallucination or another critical flaw in Koi's methodology.

While Koi does use AI systems to analyze software and browser extensions, MeetingTV's court filings do not provide direct evidence that AI produced the allegedly false findings.

The damage and the response

After Koi published its report, multiple cybersecurity vendors began blocking MeetingTV's domains based on the threat intelligence. MeetingTV CEO Michael Robertson says the company contacted Koi's leadership before filing suit, requesting corrections and outreach to other security vendors.

Koi updated its report on February 12, removing one MeetingTV domain and stating it found "no evidence" connecting that domain to malicious infrastructure or threat actors. However, Robertson says MeetingTV's infrastructure remains blocked across numerous security products months later.

"We have expended considerable effort to get unblocked," Robertson told Axios, which first reported the details of the lawsuit. "It's laborious and often impossible because there are hundreds of lists, and it's unclear which connectivity companies or businesses use which security company."

Robertson said most security vendors either did not respond to removal requests or indicated their enterprise customers would expect continued blocking. As of early June, some vendors had downgraded MeetingTV's domains from malicious to medium-risk classifications.

The defense

In an April motion to dismiss, Koi argued that cybersecurity research constitutes protected speech and that its report never directly accused MeetingTV of being a threat actor. The firm also pointed to other potential reasons for blocking, including past complaints about the platform and separate research from cybersecurity firm Proofpoint that also labeled MeetingTV as malicious. Robertson said the Proofpoint dispute was resolved quickly.

A Palo Alto Networks spokesperson said the company believes "Koi's cybersecurity research reflects its commitment to identifying and exposing threats to users and enterprises" and expects the dispute will be resolved through legal proceedings. The company declined to address specific questions about AI use or MeetingTV's allegations.

Koi has until June 30 to respond to the amended complaint. MeetingTV has requested an early discovery phase to preserve potential evidence.

The details of this case were first reported by Axios.