The cofounder of Wiz, Google's $32 billion acquisition target, says vibe coding must be met with 'vibe security'

Yahoo

04-08-2025

Google's $32 billion bid to buy Wiz challenges the notion of a mega-deal drought in tech.
Ami Luttwak helped build Wiz through a pandemic and a new tech paradigm.
He tells Business Insider why the rise of AI demands new security approaches.
When Google agreed to buy Israeli-American cloud security firm Wiz earlier this year, making for the search giant's largest acquisition, it threw a $32 billion bucket of water on the idea that the mega-deal drought was here to stay.
In March, Google agreed to acquire the five-year-old startup at an all-cash price roughly equal to Iceland's gross domestic product last year, pending regulatory sign-off. The acquisition now stands as an early litmus test of the Trump administration's willingness to green-light pricey Big Tech mergers and acquisitions.
For Wiz cofounder and chief technology officer Ami Luttwak, the moment feels like déjà‑vu— the same founding team sold its last outfit, Adallom, to Microsoft in 2015.
Founded in March of 2020, Wiz crash-landed in a pandemic that yanked workloads out of on-prem server racks and thrust them into the cloud almost overnight. The crew pivoted from network exposure to cloud security and says that within 18 months, it was posting $100 million in annual recurring revenue.
Now the company finds itself riding an even wilder wave.
The ability of artificial intelligence to write code has turned every developer into a feature factory. However, Luttwak says the proliferation of new attack surfaces leaves most security teams overwhelmed and outnumbered. Luttwak's answer? If builders can "vibe-code" an app in an hour, security has to vibe right alongside.
In an interview at Business Insider's headquarters in New York City, we asked Luttwak about building a company through a pandemic, a new tech paradigm, and making cloud security part of an engineer's workflow. He declined to answer any questions about Google's planned acquisition.
This Q&A has been edited for clarity and length.
This is pretty much the same team between your first startup and Wiz?
It is the same team, basically. The team is what makes the company and defines how it operates. It's not the specific direction or idea.
When we left Microsoft, we didn't know what we wanted to build. We just said, 'We have a chance to get back together, so let's do it.'
You started out with another service, right?
We started in networking, then COVID hit, and no one wanted to talk about a future network architecture. It was all about, 'How can you help me now?' We had to pivot, but we like to pivot. That's the fun of startups — to find real problems, not the theoretical problems you think exist.
Cloud security at the time was already a mature market. There were hundreds of solutions in the market. It's like when you go to a concert, the crowd is full, and you say, 'I got here too late, there's no way I can get close to the stage.'
But in reality, none of the solutions actually solved the real problem. The market existed to help customers securely manage the cloud, but what companies actually needed was security for everything they had in the cloud.
In the first year, we got to $14 million in annual recurring revenue, which was 10 times what we expected.
Wiz grew as part of a mad dash of companies moving to the cloud. How does the disruption of the pandemic compare to what's happening now with artificial intelligence?
We were remote first. We could hire any candidate we wanted. We could get any customer we wanted. This really helped us in the sense that the big companies had no advantage over us.
The pandemic accelerated stuff. AI changes stuff.
We must forget everything we've done until now and approach security very differently. The reason is simple: Everyone can build very fast.
I'm talking a hundred times as fast as before. It's not just the number of applications increasing — it's the number of people in the company who can build stuff.
The history of security in the enterprise was much more centralized. 'You want to build something? Come to me. I will tell you what to do.' That's approaching it like a building inspector. In today's world, a builder can "vibe code" something in one hour. And there are hundreds of developers to every one security person.
The challenge for us is making security teams and developers work together when the business pushes them to move fast. Engineers clash with security. They say, 'I don't have time for it. I'll deal with it later.'
Security is mission-critical to a company, and yet it's seen as second-class within engineering.
It's second-class, but it's also boring.
If you want to build an application, you think about how cool it will be. Are you thinking about security?
We say security has to be democratized — self-service. We simplify the complexity so anyone can own security. If you build it, you have to own it. It doesn't scale any other way.
We need to find a way as an industry to allow you to vibe code, but also vibe security while you do it.
How do you do that?
It has to be designed so it's easy to use. The iPhone was nice to use — it wasn't just about the features. You have to enable anyone to use the features that, before, you needed to be an expert.
You probably see some of the same challenges with hiring— pitching talent to do boring, but impactful workHow has your pitch to candidates evolved through the years?
I don't have to explain to technical people why cyber is cool. There's good and bad, and we are the people who find the problem before the bad guy comes.
We're just five years old, although I admit there is a challenge around people saying, 'you're not a startup anymore.' I tell them, I'm forty-something. You decide if you're young or not. I feel like we're still a startup.
What are you hearing from customers lately?
I'm trying to cope with two different pressures. Some customers expect us to use AI to be smarter, and some are so afraid of the risks that they say in our contracts, 'do not use it at all.'
We have a lot of discussions with customers. I try to tell them there's no way I can commit to that. There's a chance a support email will come, and a summary will run.
We are a highly regulated entity, but we are also expected to run very fast. The challenge is: how can we leverage AI internally without putting data or customers at risk?
I've read about how much code AI writes at Google or Microsoft, and it seems like showboating.
We don't know the real impact on productivity yet, that's the truth. The amount of code being generated doesn't really mean that you can take away strong engineers from complex systems.
We are starting to build different pipelines: an internal flow for employees and an external flow for the product. Support automation is a whole team we're now building that connects to sensitive systems and does very complex analysis.
So, you accelerated during the pandemic. You're now riding the AI wave. Do you worry about an AI-native generation of cloud security startups coming to eat your lunch?
Every company on the face of the earth feels there is a risk to its business. If they feel safe, they're probably even less safe.
AI is only as smart as the data that you give it. Our advantage is that we understand your environment better than anyone. We are like Google Maps. You have a lot of layers: traffic, satellite, and businesses. You need all the layers to ask how long it is going to take me to get to the restaurant.
We have all the layers. We understand the code, the network, the identity, the secrets, the applications, the malware, and the exposure. So we have the data. Now, for us, it's all about enabling the security teams to use the data in an AI-friendly way.
Read the original article on Business Insider