Artificial intelligence may be revolutionising business operations, but it is also transforming the battlefield of cybersecurity. “Cybersecurity has always been a mind game,” says Ami Luttwak, Chief Technologist at Wiz, in a recent conversation with TechCrunch’s Equity.
“Whenever a new technology wave appears, it opens new doors for attackers to exploit.”
As organisations race to integrate AI into everything from coding and automation to AI-driven agents, the speed of innovation is inadvertently widening the attack surface. Developers are shipping products faster, but in doing so, they sometimes compromise on security hygiene, creating fresh entry points for malicious actors.
Wiz, a leading cloud security firm recently acquired by Google for 32 billion dollars, conducted internal tests that revealed a recurring flaw in applications built with “vibe coding,” a term for natural language-driven coding using AI assistants.
The flaw often appeared in how authentication systems were implemented.
“It wasn’t because developers didn’t care about security,” Luttwak explains. “It’s because AI agents follow your instructions literally. If you don’t explicitly tell them to build something securely, they won’t.”
The trade-off between speed and security is nothing new, but the rise of generative AI has raised the stakes. Attackers are no longer using only automated scripts or malware kits; they are using AI models themselves.
“You can actually see the attacker using prompts to attack,” Luttwak notes. “They find AI tools in your system and instruct them to send sensitive data, delete files, or even erase entire machines.”
Attackers are increasingly infiltrating AI tools deployed internally by companies to improve productivity, turning them into stepping stones for supply chain attacks. By breaching a third-party service with deep integration rights, they can move laterally within a corporate network.
For example, Drift, an AI-powered marketing and sales chatbot provider, was breached last month, compromising the Salesforce data of major enterprises including Cloudflare, Google, and Palo Alto Networks. Hackers exploited authentication tokens to impersonate the chatbot, query sensitive records, and navigate deeper into client environments.
“The attacker’s code was itself generated through vibe coding,” Luttwak reveals.
AI in every stage of attack
Although AI adoption in enterprises remains limited, Luttwak estimates that only about one percent of organisations have fully implemented it. Yet Wiz is already witnessing AI-driven attacks impacting thousands of businesses each week.
“If you trace the flow of a modern attack, AI is embedded at nearly every stage,” he says. “This revolution is faster than any we have seen before, and the security industry needs to move even faster to keep up.”
He cited another major incident, the “s1ingularity” attack on Nx, a popular JavaScript build system. In that case, the malware detected developer tools such as Claude and Gemini and hijacked them to automatically scan systems for confidential data. Thousands of tokens and private GitHub keys were compromised.
Evolving Wiz for the AI era
Founded in 2020, Wiz initially focused on identifying and fixing cloud misconfigurations and vulnerabilities. But with AI now central to both development and exploitation, the company has expanded its security capabilities.
In September 2024, Wiz introduced Wiz Code, a tool designed to secure software from the earliest stages of development, ensuring applications are “secure by design.” In April 2025, it launched Wiz Defend, a runtime protection suite that detects and mitigates active threats within cloud environments.
To Luttwak, these tools reflect a broader mission he calls “horizontal security”-- understanding a customer’s applications and workflows deeply enough to create adaptive defences. “We need to understand why you’re building something,” he says. “That’s how we create security tools that truly understand you.”
Building secure startups from day one
The growing number of AI startups promising enterprise-grade insights has also raised security concerns. Luttwak cautions businesses to be selective before sharing sensitive data with emerging SaaS vendors.
Startups, he says, must embed a security-first mindset from the beginning.
“From day one, you need to think about security and compliance. From day one, you need to have a CISO, even if your team only has five people.”
He recalls Wiz’s early journey: “We were SOC 2 compliant before we even had code. And trust me, it’s much easier to do when you have five employees than when you have 500.”
For startups serving enterprise clients, Luttwak says data architecture should be a top priority.
“If you are an AI company working with enterprises, design your system so customer data remains in their environment.” This approach not only strengthens security but also builds trust, a crucial element in today’s AI economy.
A new frontier for cybersecurity innovation
Luttwak believes this is a defining moment for cybersecurity innovation. Every area from phishing protection and malware detection to endpoint security and workflow automation is being reshaped by AI.
The next generation of startups, he says, will focus on “vibe security,” creating systems that use AI to defend against AI-powered threats.
“The game is wide open,” he concludes. “If every part of security is now under attack, it means we have to rethink every part of security.”
