Vanta's Christina Cacioppo on AI security adoption: 4 in 5 security leaders deploying AI agents to fight AI-powered attacks
Oct 30, 2025 with Christina Cacioppo
Key Points
- Four in five security leaders are deploying or planning to deploy AI agents to counter AI-powered attacks, a higher adoption rate than Vanta CEO Christina Cacioppo anticipated.
- Seventy percent of security leaders allow AI agents direct input on security strategy, reflecting default trust over scepticism within a profession built on risk mitigation.
- Cacioppo expects the first major AI-induced security incident will stem from basic misconfigurations rather than novel exploits, with the differentiator being that AI discovered the vulnerability first.
Summary
Vanta CEO Christina Cacioppo surfaced data from a survey of thousands of security leaders worldwide that points to aggressive AI adoption on the defensive side of cybersecurity. Four in five security leaders are already using or plan to use AI agents to counter AI-powered attacks, a figure Cacioppo describes as higher than she anticipated. A separate finding shows 70% of respondents are allowing AI agents to provide direct input on security strategy, a posture she characterises as default trust rather than default scepticism, which is striking given that the respondents are security professionals.
The AI-versus-AI dynamic is shaping how practitioners think about threat detection. Rather than treating AI-driven code scanning as a bounded task, security teams are increasingly running open-ended, token-intensive sweeps across entire codebases, accepting that the agent may return nothing actionable. Cacioppo frames this as a parallelisation benefit: the cost of a null result is low, and the upside of catching a live vulnerability justifies the compute spend.
On the question of when a high-profile, AI-induced security incident will materialise, Cacioppo's view is that it will arrive sooner rather than later, but is unlikely to involve sophisticated attack choreography. Her expectation is that AI will surface a basic misconfiguration, an exposed database or an unpatched known vulnerability of the kind behind the Equifax breach, rather than a novel exploit. The attack vector will be mundane; the differentiator will be that AI found it first.
Compliance training is flagged as an area ripe for AI-native rebuilding. Cacioppo points to phishing simulations as an early example of personalisation at scale, where models scan a target's actual inbox behaviour to craft lures rather than sending generic fake newsletters. She expects adaptive, context-aware training to displace the static video-and-click format that has dominated the category for decades.
Internally, Vanta is treating AI proficiency as a baseline hiring and performance criterion going forward. Cacioppo's framing to staff is that AI will not replace roles outright, but employees who use AI effectively will displace those who do not. The company is building both training programmes and explicit job expectations around this premise, positioning AI fluency as a core competency rather than an optional skill.
Cacioppo's broader model for the current moment borrows from economist Tyler Cowen: the centaur stage, human-plus-AI working in tandem. She draws the analogy to chess, where a multi-decade human-AI collaboration phase preceded full machine dominance, and expects security and compliance to follow a similar trajectory before autonomous agents take over end-to-end workflows.