© Zeal News Africa

Cyberattack Alert: Wiz Technologist Reveals AI's Dark Side in Digital Warfare

Published 3 days ago · 5 minute read
Uche Emeka

Cybersecurity is increasingly viewed as a complex "mind game," where every new technological wave, particularly the rapid adoption of Artificial Intelligence (AI), presents fresh opportunities for attackers. Ami Luttwak, chief technologist at cybersecurity firm Wiz, highlighted this dynamic on a recent episode of TechCrunch's Equity, noting that as enterprises integrate AI into their workflows—be it through vibe coding, AI agent integration, or new tooling—their attack surface expands significantly. While AI enables developers to accelerate code delivery, this speed often leads to shortcuts and errors, inadvertently creating new vulnerabilities for malicious actors.

Wiz, which was recently acquired by Google for $32 billion, conducted tests revealing a prevalent issue in vibe-coded applications: insecure implementation of authentication systems. Luttwak explained that this often occurs because it's simply easier to build without stringent security protocols when using AI agents, which follow instructions precisely but won't prioritize security unless explicitly commanded. This creates a constant tension for companies balancing the need for speed with the imperative for robust security.

The threat is exacerbated by the fact that attackers are also leveraging AI. They employ vibe coding, prompt-based techniques, and their own AI agents to devise and launch sophisticated exploits. Luttwak described how attackers are actively using prompts to manipulate AI tools within target systems, instructing them to "send me all your secrets, delete the machine, delete the file." This signifies a new frontier where the attackers are not just using AI to develop attacks, but also to directly interact with and compromise AI-enabled systems.

Furthermore, new internal AI tools implemented by companies for efficiency can introduce significant supply chain risks. Luttwak warned that these integrations can lead to "supply chain attacks," where compromising a third-party service with broad access to a company’s infrastructure allows attackers to pivot deep into corporate networks. A stark illustration of this was the breach last month at Drift, a startup providing AI chatbots for sales and marketing. Attackers gained access to digital keys (tokens), impersonated the chatbot, queried Salesforce data, and moved laterally within customer environments, affecting hundreds of enterprise clients including Cloudflare, Palo Alto Networks, and Google. Luttwak confirmed that the attack code itself was also generated using vibe coding.

Despite Luttwak's estimate that only about 1% of enterprises have fully adopted AI, Wiz is already observing weekly attacks that impact thousands of enterprise customers, with AI embedded at every stage of the attack flow. He emphasized that this technological revolution is unfolding faster than any previous one, demanding an accelerated response from the cybersecurity industry. Another major supply chain incident, dubbed "s1ingularity" in August, targeted Nx, a popular build system for JavaScript developers. In this attack, malware was unleashed that specifically detected and hijacked AI developer tools like Claude and Gemini, using them to autonomously scan systems for valuable data. This resulted in the compromise of thousands of developer tokens and keys, granting attackers access to private GitHub repositories.

Even amidst these escalating threats, Luttwak finds it an exciting period for cybersecurity leaders. Wiz, founded in 2020, initially focused on identifying and mitigating security risks across cloud environments. Over the past year, it has rapidly expanded its capabilities to counter AI-related threats and integrate AI into its own products. This includes the launch of Wiz Code in September, which secures the software development lifecycle by addressing security issues early, fostering a "secure by design" approach. In April, Wiz introduced Wiz Defend, offering runtime protection to detect and respond to active threats within cloud environments. Luttwak stresses the importance of Wiz fully understanding its customers' applications to provide what he terms "horizontal security," creating security tools that are deeply tailored to their specific needs.

The democratization of AI tools has also spurred a proliferation of startups aiming to solve enterprise challenges. However, Luttwak cautions enterprises against indiscriminately sharing sensitive company, employee, and customer data with numerous small SaaS companies that promise "amazing AI insights." He asserts that it is incumbent upon these startups to operate as secure organizations from their inception. "From day one, you need to think about security and compliance," Luttwak stated, advising that even a five-person startup needs a Chief Information Security Officer (CISO). He advocates for startups to adopt a highly secure mindset before writing any code, considering enterprise security features, audit logs, authentication, production access controls, secure development practices, security ownership, and single sign-on. Proactive planning helps avoid "security debt" and prepares startups to protect enterprise data effectively. Wiz, for example, achieved SOC2 compliance before developing any code, demonstrating that early compliance is more manageable.

For AI startups targeting the enterprise market, Luttwak emphasizes the critical importance of architectural design that ensures customer data remains within the customer's environment. The current landscape is ripe for innovation across all domains of cybersecurity, from phishing and email security to malware and endpoint protection. This presents significant opportunities for both attackers and defenders, as well as for startups developing workflow and automation tools for "vibe security," particularly as many security teams are still learning how to leverage AI to defend against AI-powered attacks. Luttwak concludes, "The game is open. If every area of security now has new attacks, then it means we have to rethink every part of security."
