“One of the key things to understand cybersecurity is that it is a mental game,” he told Techcrunch in a mental game, “said Ami Luttwak, head of technology of the Wiz cybersecurity firm. Recent Equity Episode. “If a new technological wave is approaching, there are new opportunities to [attackers] To start using it. ”
As companies rushed to embed the AI in their workflows, either through the coding of both, the integration of the AI agent or the new tools, the attack surface is expanding. AI helps developers to send the code faster, but that speed often comes with shortcuts and errors, creating a new opening for attackers.
Wiz, which was Acquired by Google earlier this year for $ 32 billionTests carried out recently, says Luttwak, and discovered that a common problem in applications coded by Vibe was an insecure implementation of authentication: the system that verifies the identity of a user and guarantees that it is not an attacker.
“That happened because it was easy to build like this,” he said. “Environments coding agents do what you say, and if you didn’t tell them to build it in the safest way, he won.”
Luttwak pointed out that today there is constant compensation for companies that choose between being fast and safe. But developers are not the only ones who use AI to move faster. The attackers are now using the coding of both, techniques based on indication and even their own AI agents to launch exploits, he said.
“You can see that the accessory is now using indications to attack,” Luttwak said. “It is not just Vibe’s coding of accessories. The accessory looks for tools that you have and tells them:” Send me all its secrets, delete the machine, remove the file. ”
In the midst of this landscape, the attackers are also finding entry points in new artificial intelligence tools that companies launch internally to increase efficiency. Luttwak says these integrations can lead to “supply chain attacks.” By compromising a third -party service that has broad access to the infrastructure of a company, attackers can go more deeply in corporate systems.
Techcrunch event
San Francisco
|
October 27, 2025
That is what happened last month, drifting, a startup that sells chatbots for sales and marketing, was raped, Expose Salesforce data or hundreds or business clients As Cloudflare, Palo Alto Networks and Google. The attackers obtained access to digital tokens or keys, and used them to impersonate the chatbot, consult the Salesforce data and move laterally into customer environments.
“The accessory pushed the attack code, which was also created using vibrate coding,” Luttwak said.
Luttwak says that, although the business adoption of AI tools remains minimal, considers that about 1% of companies have adopted completely AI, Wiz is already seeing attacks every week that affect thousands of business clients.
“And if you look at the [attack] Flow, AI was embedded in each step, “said Luttwak.” This revolution is faster than any revolution we have seen in the past. It means that we, as an industry, need to move faster. ”
Luttwak pointed out another great attack chain attack, called “S1ingularity”, in August in NxA popular compilation system for JavaScript developers. The attackers managed to unleash malware in the system, which detected the presence of AI developer tools such as Claude and Gemini and kidnapped them to scan the system to obtain valuable data. The attack committed thousands of tokens and keys to developers, giving the attackers access to Github’s private repositories.
Luttwak says that despite threats, this has an exciting moment to be a cyber security leader. Wiz, founded in 2020, originally focused on helping organizations identify and address malfiguration, vulnerabilities and other safety risks in cloud environments.
Around the last year, Wiz has expanded his capabilities to keep up with the speed of the attacks with AI, and use AI for their own products.
Last September, Wiz launched the Wiz code that focuses on the safety of the software development life cycle by identifying and mitigating early security problems in the development process, so companies can be “safe per design.” In April, Wiz launched Wiz Defend, who sacrifices the protection of the execution time when detecting and responding to active threats within the cloud environments.
Luttwak said it is vital for Wiz to completely understand the applications of its customers if the startup will help with what he calls “horizontal security.”
“We need to understand why you are building it … so that you can build the security tool that no one has had before, the security tool that understands it,” he said.
‘From day one, you need to have a ciso’
The democratization of AI tools has resulted in an avalanche of new new companies that promise to solve business pain points. But luttwak says enterprises Shouldn’t Just Send All of Their Company, Employee, and Customer Data To “Every Small Saas Company That Has Five Employees Just Because The Say, ‘Give Me All Your Data, and I Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Give Youightts. ” “” “” “” “” “” “” “” “” “” “” “” “..
Of course, these new companies need that data if their sacrifice will have any value. Luttwak says that means that they are responsible for operating that they operate as a safe organization from the beginning.
“From the first day, you must think about security and compliance,” he said. “From the first day, you must have a CISO (Director of Information Security). Even if you have five people.”
Before writing a single line of code, new companies should think like a highly safe organization, he said. They need to provide business security features, audit records, authentication, access to production, development practices, security ownership and single login. Planning in this way from the beginning means that he won the review processes later and incuring what Luttwak calls “security debt.” And if your goal is to sell to companies, you will be prepared to protect your data.
“We would fulfill SOC2 [a compliance framework] Before having a code, “he said.” And I can tell you a secret. Obtaining soc2 compliance for five employees is a lot that for 500 employees. ”
The next most important step for new companies is to think about architecture, he said.
“If you are a startup that focuses on the company from day one, you must think of an architecture that allows customer data to remain … in the customer environment.”
For new cyber security companies that seek to enter the field in the AI era, Luttwak says it is now the time. Everything, from Phishing and Email Security protection to malware protection and end point, is a fertile land for innovation, both for attackers and defenders. The same is true for new companies that could help with the workflow and automation tools to make “environments”, since many security equipment still does not know how to use AI to defend themselves against AI.
“The game is open,” Luttwak said. “IFY’s security area now has new attacks, so it means that we have to rethink every part of security.”
