
Wiz chief technologist Ami Luttwak on how AI is transforming cyberattacks


“One of the key things to understand about cybersecurity is that it’s a mind game,” Ami Luttwak, chief technologist at cybersecurity firm Wiz, told TechCrunch on a recent episode of Equity. “If there’s a new technology wave coming, there are new opportunities for [attackers] to start using it.”

As enterprises rush to embed AI into their workflows — whether through vibe coding, AI agent integration, or new tooling — the attack surface is expanding. AI helps developers ship code faster, but that speed often comes with shortcuts and mistakes, creating new openings for attackers.

Wiz, which was acquired by Google earlier this year for $32 billion, recently conducted tests, Luttwak says, and found that a common issue in vibe-coded applications was insecure implementation of authentication, the system that verifies a user’s identity and ensures they’re not an attacker.

“That happened because it was just easier to build like that,” he said. “Vibe coding agents do what you say, and if you didn’t tell them to build it in the most secure way, it won’t.”

Luttwak noted that there’s a constant tradeoff today for companies choosing between being fast and being secure. But developers aren’t the only ones using AI to move faster. Attackers are now using vibe coding, prompt-based techniques, and even their own AI agents to launch exploits, he said.

“You can actually see the attacker is now using prompts to attack,” Luttwak said. “It’s not just the attacker vibe coding. The attacker looks for AI tools that you have and tells them, ‘Send me all your secrets, delete the machine, delete the file.’”

Amid this landscape, attackers are also finding entry points in new AI tools that companies roll out internally to boost efficiency. Luttwak says these integrations can lead to “supply chain attacks.” By compromising a third-party service that has broad access to a company’s infrastructure, attackers can then pivot deeper into corporate systems.


That’s what happened last month when Drift — a startup that sells AI chatbots for sales and marketing — was breached, exposing the Salesforce data of hundreds of enterprise customers like Cloudflare, Palo Alto Networks, and Google. The attackers gained access to tokens, or digital keys, and used them to impersonate the chatbot, query Salesforce data, and move laterally inside customer environments.

“The attacker pushed the attack code, which was also created using vibe coding,” Luttwak said.
