Wiz chief technologist Ami Luttwak on how AI is transforming cyberattacks

One of the key things to understand about cybersecurity is that it is a mind game. If a new technology wave is coming, there are new opportunities for attackers to start using it. As enterprises rush to embed AI into their workflows, whether through vibe coding, AI agent integration, or new tooling, the attack surface is expanding. AI helps developers ship code faster, but that speed often comes with shortcuts and mistakes, creating new openings for attackers.

A recent test found that a common issue in vibe-coded applications was insecure implementation of the authentication system, which verifies a user’s identity. That happened because it was just easier to build it that way. Vibe coding agents do what you say, and if you did not tell them to build it in the most secure way, they will not. There is a constant tradeoff today for companies choosing between being fast and being secure.

But developers are not the only ones using AI to move faster. Attackers are now using vibe coding, prompt-based techniques, and even their own AI agents to launch exploits. You can actually see that the attacker is now using prompts to attack. It is not just the attacker vibe coding. The attacker looks for AI tools that you have and tells them to send all your secrets, delete the machine, or delete the file.

Amid this landscape, attackers are also finding entry points in new AI tools that companies roll out internally to boost efficiency. These integrations can lead to supply chain attacks. By compromising a third-party service that has broad access to a company’s infrastructure, attackers can then pivot deeper into corporate systems.

That is what happened last month when a startup that sells AI chatbots for sales and marketing was breached, exposing the Salesforce data of hundreds of enterprise customers like Cloudflare, Palo Alto Networks, and Google. The attackers gained access to tokens, or digital keys, and used them to impersonate the chatbot, query Salesforce data, and move laterally inside customer environments. The attacker pushed the attack code, which was also created using vibe coding.

While enterprise adoption of AI tools is still minimal, with only around one percent of enterprises having fully adopted AI, attacks that impact thousands of enterprise customers are already being seen every week. If you look at the attack flow, AI was embedded at every step. This revolution is faster than any revolution we have seen in the past. It means that we as an industry need to move faster.

Another major supply chain attack occurred in August on a popular build system for JavaScript developers. Attackers managed to unleash malware into the system, which then detected the presence of AI developer tools and hijacked them to autonomously scan the system for valuable data. The attack compromised thousands of developer tokens and keys, giving attackers access to private GitHub repositories.

Despite the threats, this has been an exciting time to be a leader in cybersecurity. Our company, founded in 2020, was originally focused on helping organizations identify and address misconfigurations, vulnerabilities, and other security risks across cloud environments. Over the last year, we have expanded our capabilities to keep up with the speed of AI-related attacks and to use AI for our own products.

Last September, we launched a product that focuses on securing the software development lifecycle by identifying and mitigating security issues early in the development process, so companies can be secure by design. In April, we launched another product which offers runtime protection by detecting and responding to active threats within cloud environments.

It is vital for us to fully understand the applications of our customers if we are going to help with what is called horizontal security. We need to understand why you are building it so we can build the security tool that no one has ever had before, the security tool that understands you.

The democratization of AI tools has resulted in a flood of new startups promising to solve enterprise pain points. But enterprises should not just send all of their company, employee, and customer data to every small SaaS company that has five employees just because they promise amazing AI insights. Of course, those startups need that data if their offering is going to have any value. That means it is incumbent upon them to make sure they are operating like a secure organization from the start.

From day one, you need to think about security and compliance. From day one, you need to have a chief information security officer, even if you have five people. Before writing a single line of code, startups should think like a highly secure organization. They need to consider enterprise security features, audit logs, authentication, access to production, development practices, security ownership, and single sign-on. Planning this way from the start means you will not have to overhaul processes later and incur security debt. And if you aim to sell to enterprises, you will already be prepared to protect their data.

We were compliant with a specific compliance framework before we had code. Getting that compliance for five employees is much easier than for five hundred employees. The next most important step for startups is to think about architecture. If you are an AI startup that wants to focus on enterprise from day one, you have to think about an architecture that allows the data of the customer to stay in the customer environment.

For cybersecurity startups looking to step into the field in the age of AI, now is the time. Everything from phishing protection and email security to malware and endpoint protection is fertile ground for innovation, both for attackers and defenders. The same is true for startups that could help with workflow and automation tools to do vibe security, since many security teams still do not know how to use AI to defend against AI. The game is open. If every area of security now has new attacks, then it means we have to rethink every part of security.