AI-Powered Cyber Attacks On the Rise: Experts Warn Enterprises of Expanding Attack Surface and Supply Chain Threats

In the rapidly evolving realm of cybersecurity, Ami Luttwak, chief technologist at cybersecurity firm Wiz, underscores that the digital landscape is essentially a strategic mind game. As technological advancements unfold, such as the integration of AI into enterprise workflows, there emerges a corresponding increase in opportunities for malicious actors.

AI accelerates the speed of code development, but this efficiency often comes with shortcuts and potential errors, creating chinks in the armor that cybercriminals can exploit. Recently, Wiz, which was acquired by Google earlier this year, conducted tests and discovered a prevalent issue in applications developed using vibe coding—a lack of secure authentication implementation.

Luttwak explains that this is due to a simpler development process, as vibe coding agents execute commands without being instructed to prioritize security measures. Today, both developers and attackers are leveraging AI for expediency—developers for speedier code shipping, while cybercriminals use it to launch attacks through techniques like prompt-based attacks or even their own AI agents.

Recent incidents demonstrate that attackers are capitalizing on new AI tools deployed within corporate systems. In one instance last month, Drift, a startup offering AI chatbots for sales and marketing, was breached. The attackers gained access to digital keys known as tokens, enabling them to impersonate the chatbot and query sensitive Salesforce data, moving laterally across customer environments.

Luttwak notes that while enterprise adoption of AI tools remains minimal—he estimates only around 1% of enterprises have fully adopted AI—Wiz is already dealing with weekly attacks impacting thousands of enterprise customers. Furthermore, Luttwak highlights the rapid evolution of AI-related threats, stressing the need for industry players to adapt at a similar pace.

The landscape is rife with supply chain attacks, such as “s1ingularity,” which targeted Nx, a popular build system for JavaScript developers in August. Attackers managed to infiltrate the system and deploy malware that detected AI developer tools like Claude and Gemini, subsequently hijacking them to scan the system for valuable data.

Despite these challenges, Luttwak sees this as an exciting time to be a leader in cybersecurity. Founded in 2020, Wiz has expanded its capabilities to combat AI-related threats and even utilizes AI for its own products. Last September, Wiz launched Wiz Code, focusing on securing the software development lifecycle by identifying and mitigating security issues early in the process. In April, they introduced Wiz Defend, which offers runtime protection through active threat detection and response within cloud environments.

For effective horizontal security, Luttwak emphasizes the need to comprehend the specific applications of clients. “We need to understand why you’re building it … so I can build the security tool that no one has ever had before, the security tool that understands you,” he said.

The democratization of AI tools has spawned a multitude of startups promising to solve enterprise pain points. However, Luttwak advises enterprises against blindly entrusting their data to every small SaaS company simply because they promise AI insights. Instead, these startups must prioritize security and compliance from the outset, thinking like secure organizations from day one, with a CISO even for five-person teams.

Before writing a single line of code, startups should consider enterprise-level security features, audit logs, authentication, access to production, development practices, security ownership, and single sign-on. Adopting this mindset from the onset prevents the need for later overhauls and incurrence of what Luttwak calls “security debt.” For cybersecurity startups aiming to enter the field in the age of AI, Luttwak declares that the stage is set. Opportunities abound across various security aspects—from phishing protection and email security to malware and endpoint protection—as both defenders and attackers grapple with innovation.