“One of the key things we need to understand about cyberspace is that it’s a mind game,” AMI Luttwak, a head technologist at Cybersecurity Wiz, told TechCrunch, “If there is a new wave of technology, there are new opportunities for [attackers] To start using it. ”
As businesses are in a hurry to incorporate AI into their work flows – either through VIBE coding, agents’ integration or the new tool – the attack surface is expanding. AI helps developers to carry code faster, but this speed often comes with shortcuts and errors, creating new openings for the attackers.
Wiz, which was acquired by Google earlier this year for $ 32 billion, has recently been conducting tests, Luttwak says and found that a common issue in Vibe encoded applications was an unsafe application of authentication – the system that verifies the user’s identity.
“This was because it was just easier to build that way,” he said. “Vibe coding agents do what you say, and if you didn’t tell them to build it in the safest way, they won’t.”
Luttwak noted that there is today a continuous trade for the companies they choose between fast and safe. But developers are not the only ones who use AI to move faster. Attackers are now using Vibe coding, prompt -based techniques, and even their own AI agents to launch farms, he said.
“You can really see that the attacker is now using prompts to attack,” Luttwak said. “It’s not just the encoding of the invader’s vibe.
Through this landscape, attackers also find points of entry into new AI tools that companies are growing internally to enhance effectiveness. Luttwak says these consolidations can lead to “supply chain attacks”. By establishing a third -party service that has widespread access to a company’s infrastructure, attackers can then rotate deeper into corporate systems.
TechCrunch event
Francisco
|
27-29 October 2025
This happened last month, when Drift – a start -up AI Chatbots for sales and marketing – was violated, exposing SalesForce data for hundreds of business customers such as Cloudflare, Palo Alto Networks and Google. The attackers gained access to chips or digital keys and used them to mimic the Chatbot data, salesforce questions and move laterally to customer environments.
“The attacker pushed the attack code, which was also created using Vibe coding,” Luttwak said.
Luttwak says that while adopting AI tool businesses is still minimal – it estimates that about 1% of businesses have fully adopted AI – Wiz already sees attacks every week affecting thousands of business customers.
‘And if you look at the [attack] The flow, AI was embedded in every step, “Luttwak said.” This revolution is faster than any revolution we have seen in the past. It means that we as an industry must move faster. ”
Luttwak noted another major supply chain attack, called “S1ingularity” in August in NX, a popular construction system for Javascript developers. The attackers managed to release malware in the system, which then detected the presence of AI programmer tools such as Claude and Gemini and rolled them to scan the system for valuable data. The attack has jeopardized thousands of brands and developer keys, giving access to access to private gitHub repositories.
Luttwak says that despite the threats, this was an exciting moment to be a leader in cyberspace. The Wiz, founded in 2020, initially focused on providing assistance to organizations to identify and face misinterpretations, vulnerabilities and other risks of security environments.
During last year, Wiz expanded its ability to keep up with the speed of AI-and-use attacks on its own products.
Last September, Wiz started the Wiz code that focuses on securing the software life cycle, identifying and mitigating security issues at the beginning of the development process, so that companies are “safe from planning”. In April, Wiz started the Wiz Defend, which offers execution protection, detecting and responding to active threats to cloud environments.
Luttwak said it was vital for Wiz to fully understand their customers’ applications if the start is going to help with what it calls “horizontal security”.
“We need to understand why you are building it … so I can build the security tool that no one ever had before, the security tool that understands you,” he said.
“From the first day, you must have CISO”
The democratization of AI tools has led to a flood of new newly established businesses that promise to solve business pain points. But Luttwak says businesses should not only send all the companies, employees and customers’ data to “every small SAAS company that has five employees just because they say:” Give me all your data and I will give you amazing AI information “.
Of course, these newly established businesses need this data if their offer is to have any value. Luttwak says that it means that it is obliged by them to make sure they act as a safe organism from scratch.
“From the first day, you have to think about security and compliance,” he said. “From the first day, you must have CISO (Information Safety Officer). Even if you have five people.”
Before drawing up a single code line, newly formed businesses should think as an extremely safe organization, he said. They must consider business security features, control records, authentication, access to production, development practices, security ownership and single connection. Planning in this way from the beginning means you will not need to review the procedures later and submit what Luttwak calls “security debt”. And if you seek to sell to businesses, you will already be ready to protect their data.
‘We are complying with SoC2 [a compliance framework] Before we had code, “he said.” And I can tell you a secret. SOC2 compliance for five employees is much easier than for 500 employees. ”
The next most important step for newly formed businesses is to think about architecture, he said.
“If you are AI starting that wants to focus on the business from day one. You have to think of an architecture that allows customer data to stay … in the customer’s environment.”
For the newly established cyberspace businesses who want to get into the field in the AI era, Luttwak now says the time. Everything, from the protection of electronic “fishing” and e -mail to malware and the protection of the end point is fertile ground for innovation, both for attackers and defenders. The same is true of newly established businesses that could help work flow and automation tools to “vibe”, since many security teams still do not know how to use AI to defend AI.
“The game is open,” Luttwak said. “If every security sector now has new attacks, then it means that we have to think about any part of the security again.”
