“A crucial aspect to grasp about cybersecurity is that it’s largely psychological,” Ami Luttwak, chief technologist at cybersecurity company Wiz, explained to TechCrunch during a recent episode of Equity. “Whenever a new wave of technology emerges, it presents fresh chances for [attackers] to exploit it.”
As businesses rapidly incorporate AI into their operations—whether through vibe coding, integrating AI agents, or adopting new tools—the potential points of attack are multiplying. While AI enables developers to deliver code more quickly, this acceleration often leads to overlooked details and errors, which in turn create vulnerabilities for attackers to exploit.
Wiz, which Google acquired earlier this year for $32 billion, recently ran some experiments, according to Luttwak, and discovered that insecure authentication was a frequent flaw in vibe-coded apps—the very mechanism that confirms a user’s identity and blocks unauthorized access.
“The reason for this is that it’s simply easier to build that way,” he noted. “Vibe coding agents follow your instructions, and unless you specify the most secure approach, they won’t implement it securely.”
Luttwak emphasized that organizations today constantly have to balance speed and security. But it’s not just developers leveraging AI for efficiency—attackers are also adopting vibe coding, prompt-driven methods, and even their own AI agents to carry out attacks, he added.
“Now, you can actually observe attackers using prompts as part of their attacks,” Luttwak said. “It’s not limited to attackers using vibe coding. They actively search for your AI tools and instruct them, ‘Reveal all your secrets, erase the machine, delete the file.’”
In this evolving environment, attackers are also exploiting new AI tools that companies deploy internally to improve productivity. Luttwak explained that these integrations can open the door to “supply chain attacks.” By breaching a third-party service with extensive access to a company’s systems, attackers can then infiltrate deeper into the organization’s infrastructure.
This scenario played out last month when Drift—a company providing AI chatbots for sales and marketing—was compromised, leading to the exposure of Salesforce data from hundreds of enterprise clients such as Cloudflare, Palo Alto Networks, and Google. The attackers obtained digital tokens, used them to mimic the chatbot, access Salesforce data, and move laterally within customer systems.
“The malicious code was deployed by the attacker, and it too was created using vibe coding,” Luttwak remarked.
Luttwak estimates that although only about 1% of enterprises have fully embraced AI tools, Wiz is already witnessing weekly attacks that affect thousands of enterprise clients.
“If you analyze the [attack] sequence, AI played a role at every phase,” Luttwak observed. “This transformation is happening at a pace we’ve never seen before. It means our industry must accelerate as well.”
He referenced another significant supply chain incident, known as “s1ingularity,” which targeted Nx—a widely used build system for JavaScript developers—in August. Attackers managed to inject malware that identified AI developer tools like Claude and Gemini, then commandeered them to autonomously search for sensitive information. This breach exposed thousands of developer tokens and keys, granting attackers access to private GitHub repositories.
Despite these risks, Luttwak believes this is an exciting era for cybersecurity leadership. Wiz, established in 2020, initially aimed to help organizations detect and resolve misconfigurations, vulnerabilities, and other security issues in cloud environments.
Over the past year, Wiz has broadened its offerings to keep pace with the rapid evolution of AI-driven threats—and to incorporate AI into its own solutions.
In September, Wiz introduced Wiz Code, a product designed to secure the software development lifecycle by identifying and addressing security problems early, enabling organizations to be “secure by design.” In April, Wiz rolled out Wiz Defend, which provides real-time protection by detecting and responding to active threats in cloud environments.
Luttwak stressed that for Wiz to deliver what he calls “horizontal security,” it’s essential to thoroughly understand their clients’ applications.
“We need to know your reasons for building it … so I can create a security tool unlike any other, one that truly understands your needs,” he explained.
‘You need a CISO from the very beginning’
The widespread availability of AI tools has led to a surge of startups claiming to address enterprise challenges. However, Luttwak cautions that companies shouldn’t hand over all their business, employee, and customer data to “every small SaaS vendor with a handful of staff just because they promise, ‘Give us your data and we’ll deliver incredible AI insights.’”
Naturally, these startups require access to data for their products to be effective. Luttwak argues that this makes it their responsibility to operate securely from the outset.
“Security and compliance must be priorities from day one,” he insisted. “You need a CISO (chief information security officer) from the very beginning—even if your team is only five people.”
He advised that startups should adopt the mindset of a highly secure organization before writing any code. This means considering enterprise-grade security features, audit trails, authentication, production access, development protocols, security accountability, and single sign-on. Planning for these elements early prevents the need for disruptive changes later and avoids what Luttwak calls “security debt.” If you plan to serve enterprise clients, you’ll be ready to safeguard their information from the start.
“We achieved SOC2 compliance [a security standard] before we even wrote any code,” he revealed. “And here’s a tip: it’s far easier to get SOC2 certification with five employees than with 500.”
He added that the next critical consideration for startups is their system architecture.
“If you’re launching an AI startup with enterprise clients in mind from the outset, you must design your architecture so that customer data remains … within the customer’s own environment.”
For cybersecurity startups entering the market in the AI era, Luttwak believes the timing is ideal. Areas like phishing defense, email security, malware protection, and endpoint security are all ripe for innovation—both for attackers and defenders. The same holds true for startups developing workflow and automation tools for “vibe security,” since many security teams are still learning how to use AI to defend against AI-powered threats.
“The field is wide open,” Luttwak concluded. “With new forms of attacks emerging in every area of security, it’s time to rethink every aspect of our defenses.”
