Wiz Chief Technologist Ami Luttwak on How AI Is Transforming Cyberattacks

“One of the key things to understand about cybersecurity is that it’s a mind game,” said Ami Luttwak, chief technologist at cloud security firm Wiz, during a recent episode of TechCrunch’s Equity podcast. “When a new technology wave emerges, it always creates fresh opportunities for attackers to take advantage of it.”

As enterprises rush to embed AI into daily workflows — from vibe coding and AI agent integration to new development tools — the attack surface is rapidly expanding. While AI helps developers push out code faster, speed often comes at the expense of security, leaving gaps for attackers to exploit.

Wiz, which Google acquired earlier this year for $32 billion, has been testing AI-driven applications and discovered a recurring flaw: insecure authentication setups. “It happened because developers chose the easiest path,” Luttwak explained. “Vibe coding agents will do exactly what you ask, but if you don’t specify the most secure approach, they won’t build it.”

This highlights the constant tension between speed and security. And attackers, Luttwak warned, are also using AI to move faster. “It’s not just about attackers vibe coding,” he said. “They’re prompting AI tools directly — telling them things like, ‘send me all your secrets, delete the machine, wipe the file.’”

AI Tools as New Entry Points

Attackers are increasingly exploiting internal AI tools that companies deploy to enhance efficiency, potentially leading to supply chain attacks. By compromising a third-party vendor with access to a company’s infrastructure, hackers can pivot deeper into corporate environments.

A recent example is the breach of Drift, a startup that offers AI chatbots for sales and marketing. Attackers gained access to Salesforce data belonging to high-profile clients like Cloudflare, Palo Alto Networks, and Google. Using stolen digital tokens, the attackers impersonated Drift’s chatbot to query Salesforce data and move laterally across systems.

“The attack code itself was also generated using vibe coding,” Luttwak noted.

Although only around 1% of enterprises have fully adopted AI so far, Wiz says it is already seeing weekly AI-related attacks that impact thousands of organisations. “AI is now embedded in every step of the attack flow,” Luttwak said. “This revolution is moving faster than any we’ve seen before, and our industry has to keep pace.”

He pointed to the “s1ingularity” supply chain attack in August, which targeted Nx, a widely used JavaScript build system. Hackers inserted malware that detected AI developer tools, such as Claude and Gemini. Then they hijacked them to scan for valuable data autonomously—the result: thousands of stolen developer tokens and breaches of private GitHub repositories.

Wiz’s Evolving Role in Cyber Defence

Despite the growing threats, Luttwak described this as an exciting period for cybersecurity leaders. Wiz, founded in 2020, initially focused on cloud misconfigurations and vulnerabilities. Over the last year, however, the company has shifted its focus to counter AI-driven exploits while utilising AI itself to enhance its tools.

Last September, Wiz rolled out Wiz Code, designed to secure the software development lifecycle by identifying vulnerabilities early. In April, it introduced Wiz Defend, offering runtime protection to detect and neutralise active cloud threats.

To deliver what Luttwak calls “horizontal security,” Wiz seeks to understand how its clients’ applications work fully. “We need to understand why you’re building it,” he said. “Only then can we create a security solution no one else has — one that understands you.”

“From Day One, You Need a CISO”

The boom in AI startups has led to a surge in new SaaS offerings, many of which request access to sensitive enterprise data. Luttwak cautioned against unquestioningly trusting small companies without robust security practices.

“From day one, you need to think about security and compliance,” he advised. “Even with just five employees, you need a CISO. If you want to serve enterprises, you must plan for security from the very start.”

He emphasised that startups should prioritise secure architecture, ensuring customer data stays within client environments. He also urged early adoption of compliance frameworks like SOC2, noting that it’s easier to achieve with a small team than later at scale.

For cybersecurity entrepreneurs, Luttwak sees enormous opportunity. From phishing protection to malware defence, every area of security is being redefined by AI. New tools for “vibe security” — defending against AI-driven exploits with AI — are especially in demand.

“The game is open,” he said. “If every area of security is facing new attacks, then we need to rethink every part of security.”