A courtroom fight is brewing over a cybersecurity report that a small startup says leaned too hard on artificial intelligence and got it wrong. MeetingTV, a modest webinar platform, has sued threat-intelligence outfit Koi Security and Koi’s new owner, Palo Alto Networks, arguing that a December research report wrongly tied MeetingTV’s infrastructure to a Chinese hacking operation. The company calls the mistake an AI hallucination and says the fallout has been brutal, with enterprise security vendors blocking its domains and scaring off customers. Koi eventually pulled a MeetingTV domain from its list of indicators of compromise, but MeetingTV says vendors have been slow to follow suit and the damage has not let up.
What Koi published and then walked back
On December 30, 2025, Koi released an investigation it dubbed “DarkSpectre,” detailing what it described as a sprawling campaign that relied on hundreds of browser extensions, domains and other indicators of compromise. Meetingtv[.]us appeared in that list, putting the startup’s main address in the same bucket as infrastructure tied to malicious activity. In a February 12 update, however, Koi said it had gone back to revalidate the listing and now found “no evidence that this domain is connected,” according to Koi Security. The domain was removed, but by that point the original data had already made the rounds.
MeetingTV says it remains blocked
MeetingTV founder Michael Robertson told Axios that his team has expended considerable effort to get unblocked, yet its infrastructure still shows up as blocked inside many enterprise products. Axios reviewed scans indicating that some vendors had softened their labels on MeetingTV by early June, but the delisting process was anything but consistent.
How the case is playing out in court
MeetingTV lodged its initial complaint on March 18, then followed up with a First Amended Complaint on May 13 that formally added Palo Alto Networks as a defendant, according to Justia. Koi moved to dismiss the original filing on April 28 and also asked the court to strike portions of the complaint, kicking off rounds of briefing and scheduling. The case picked up another wrinkle when the Southern District of California rejected MeetingTV’s June request to serve foreign defendants by email. Last Tuesday's order explains the judge’s reasoning, and that filing is available on Justia.
Why AI and intel chains matter
Behind the legal wrangling is a growing tension in cybersecurity research. Firms like Koi lean heavily on automated systems to sift through extensions, code and behavior at massive scale. Koi’s DarkSpectre writeup says its Wings engine uses a mix of static analysis and agentic AI to surface high-risk indicators of compromise at speed. That kind of automation can spot big campaigns quickly, but the MeetingTV lawsuit highlights the flip side: once a respected researcher publishes an IOC, downstream vendors and corporate block-lists and allow-lists often absorb those signals automatically and then spread them further.
The acquisition backdrop adds another layer. Palo Alto Networks disclosed in a securities filing that it closed its purchase of Koi on April 14, pitching the deal as a way to bring agentic endpoint security into its portfolio, according to Palo Alto Networks. MeetingTV’s claims now land squarely in the middle of that strategy, effectively challenging how reliable those shiny new tools really are when a business ends up on the wrong side of an algorithmic call.
Legal implications
At the center of the lawsuit is a clash that has trailed security research for years. Koi argues that its cybersecurity reporting is protected speech and that it never said MeetingTV was the hacker, only that its infrastructure appeared among technical traces tied to the campaign. MeetingTV counters that, labels aside, the research functioned as a public red flag for its service and did real reputational and operational harm, according to reporting by Axios. The startup has also asked the court for early, narrowly tailored discovery aimed at preventing deletion or obscuring of relevant evidence. Axios reported that Koi’s response to the amended complaint was due tomorrow, a procedural deadline that could shape what happens next.
All eyes now turn to two straightforward questions: whether Koi files a detailed response in court and whether the judge grants MeetingTV the early discovery it is seeking. If that happens, both sides would get their first real chance to test which data fed into Koi’s findings and how those signals rippled through security vendors. The broader reminder for everyone else is that fast, automated intel can produce fast downstream effects, and that scrubbing a false positive out of a security ecosystem is often far harder than flagging it in the first place.
