AI vs. AI: Redefining Cybersecurity in the Age of Autonomous Code and Developer-Centric Defense
The Rise of Agentic Coding and the Supply Chain Threat
AI-accelerated development has been great for creativity and speed but it’s also changed the game for cybersecurity. Right now, I’m seeing two key threats:
First, agentic coding – we’ve moved beyond “vibe coding” where non-developers chat with AI to build apps. Now we’re starting to have AI agents that autonomously read, write, execute and modify code to solve problems end-to-end. These agents can install packages, spin up services, and change infrastructure without human oversight. It’s powerful, but imagine the security implications of an AI agent with infrastructure access making decisions at machine speed.
Second, supply chain attacks at unprecedented scale. With 85-95% of modern applications powered by open-source code, and AI models trained on this same code, we’re seeing attackers target the foundation everyone builds on. Research shows a 25% increase in exposed secrets in public repositories – 23 million in 2024 alone.
Why AI Outpaces Traditional Security Defenses
AI presents a speed mismatch. When it can generate thousands of lines in a few minutes, but security tools were designed for human-speed development, critical vulnerabilities slip through.
Secondly, we face fragmentation across the security stack. Organisations are juggling separate tools for code quality, application security and cloud security (and many sub tools within each category). This fragmentation means things get lost between tools, they miss context, or issues don’t get fixed due to developer fatigue and overload. These challenges create a perfect storm where AI accelerates both development and risk, while security tools actually slow developers down rather than protect them effectively.
And finally, a challenge that has existed for years; the huge number of false positives generated by traditional security tools – we’ve found that developers waste a lot of time triaging alerts that aren’t real threats. When developers are drowning in those, they also start ignoring all alerts – including the real threats. This is something that’s both amplified by AI and triggers worse consequences in the age of AI.
AI as a Defensive Force: Context, Fixes and Patterns
It’s the ability to use AI to protect and defend. You have, for instance, AI-powered context understanding. Traditional security tools throw alerts without understanding code context. Now, AI can analyse not just the code pattern but the entire application logic around it.
There’s also automated fix generation. AI can find problems, but it can also generate secure code to fix them. We’ve implemented AI that provides one-click fixes directly in the developer’s workflow. When our system detects a vulnerability, it flags it, and it understands the codebase context and suggests the exact code change needed to remediate it safely.
There’s also behavioural pattern detection at scale. AI can spot patterns humans can’t. We use AI to analyse millions of package updates and commits, identifying when maintainers silently patch security issues. Our AI caught sophisticated attacks by recognising unusual obfuscation patterns – like code hidden with whitespace – that traditional signature-based tools would miss.
Rethinking Risk: Why Continuous, Contextual Security Is Key
Businesses must fundamentally rethink security as continuous and contextual, not periodic and siloed. The old model of quarterly security audits and separate tools for different domains is dead.
Risk assessment must account for AI acceleration. If your developers use AI to write code 10x faster, your attack surface grows 10x faster too. Traditional risk models assume human-speed changes; they break down with AI-speed development.
Aligning Security with Developer Reality
We built Aikido on a simple premise: security should match how developers actually work, not force them into clunky platforms.
Our platform unifies code quality, application security (SAST, DAST, SCA), cloud security, and runtime protection in one system. When AI generates code in your IDE, we scan it in real-time. When dependencies update, we check for malware instantly. When attacks happen, we block them automatically.
Aikido’s Three-Pronged Approach: Prevention, Detection, Response
Prevention: Zen, our embedded firewall, transforms security. Unlike traditional WAFs that monitor from the outside, Zen integrates directly into your application with no need for external agents. Zen analyses data on the fly and blocks attacks automatically – it blocks attacks before they ever reach your database. With in-app context, Zen knows the difference between a malicious command vs legitimate input.
Detection: We don’t wait for CVEs. We analyse packages for signals of malicious code like obfuscated code, exfiltration scripts, or install-time commands, before they’re reported elsewhere. Our proactive approach to comprehensive coverage with real-time alerts gives teams a clear advantage, helping them stay ahead of potential security issues. We continuously monitor for vulnerabilities across code, dependencies, cloud infrastructure, and containers.
Response: We integrate seamlessly into the development workflow – from IDE plugins for VSCode, Visual Studio, Jetbrains IDEs, Cursor and Windsurf, to CI/CD pipelines. Our SAST scanner reduces false positives by up to 95%, which means developers see real issues, not noise. We automatically filter out obvious false positive alerts, which saves days. We embed security early – scanning source code for security risks before an issue can be merged.
How Aikido Streamlines AppSec Without Sacrificing Protection
Our core strategy is making security effective without overwhelming developers:
All-in-one platform approach: We’re an all-in-one AppSec platform built for developers – combining SAST, secret detection, OSS scanning and more – so they don’t have to juggle separate scanners. We aggregate multiple controls in one place – from code scanning to cloud infrastructure to runtime protection.
AI-powered auto-remediation: We provide one-click AI fixes, saving dev teams time.
Embedded runtime protection: Zen embeds protection directly inside your application. It doesn’t rely on giant rule lists. This laser focus lets it protect you with almost zero performance overhead. It can block attempts to manipulate database queries for malicious purposes, block attacks that inject and execute arbitrary system commands, and block attempts to access unauthorised files or directories.
Proactive malware detection: Our expert malware team is backed by AI to surface real threats fast, no noise, no wait. We filter out weaponised dependencies at the moment of import—keeping your codebase clean. We were first to detect and disclose malware in xrpl, a crypto-related NPM package, which was later blocked globally.
As far as best practices, we recently published this vibe coder checklist – and you can also check out our blog for more!
Register for free for Cybersec Netherlands 2025
As cyber attacks continue to threaten today’s tech landscape, this event is the premier platform for seasoned cyber security professionals and innovative start-ups to exchange knowledge and tackle cybersecurity challenges together. Organizations across all sectors will discover strategies to boost cyber resilience and safeguard critical assets. Don’t miss this chance to strengthen your cyber defenses.
Simultaneously with Cybersec Netherlands, the Data Expo takes place in Hall 12—the perfect spot for additional knowledge, insights, and inspiration in the field of data.