The Next Phase of Cloud Security Intelligence
Cloud security has always been a race against change. Containers arrived, then serverless, then multicloud. Each wave forced defenders to rethink visibility, control and response. Now artificial intelligence is accelerating that cycle again, faster than any shift before it. The result is a fundamental reset in how cloud teams detect, decide and act.
For the past decade, cloud-native application protection platforms (CNAPPs) promised a single pane of glass. They scanned configurations, tallied vulnerabilities and enforced policies across sprawling estates. That model remains useful for hygiene and compliance. It is not enough for AI-heavy environments where models, agents and data pipelines act with speed and autonomy, sometimes in ways their creators did not anticipate.
Static tools, dynamic threats
Posture-based security assumes stability. AI thrives on motion. A large language model can spin up resources, query sensitive data and modify code in seconds. A developer can push an agentic AI into production that chains tasks across multiple services, without full visibility into its behaviour under the hood.
Few leaders know that complexity better than Dror Kashti, co-founder and CEO of Sweet Security. After more than 25 years in the Israel Defense Forces, including leadership roles within Unit 8200 and service as a CISO, Kashti helped oversee Project Nimbus, the IDF’s migration to the public cloud. His conclusion is blunt. “AI builds amazing capabilities, also for attackers. For years it was easier to be on the offensive side because you only needed one open door. But AI brings a new balance, it can finally give the defense an edge.”
That reflects a broader pivot. Attackers have long enjoyed the speed of automation. Defenders now have the chance to fight at machine speed with machine understanding.
AI is both engine and attack surface
The paradox of AI in security sits at the centre of every strategy conversation. AI is the engine that accelerates detection and response, and it is the new attack surface that introduces fresh classes of risk. The mission therefore divides into two fronts: AI for security, where machine learning correlates, prioritises and recommends action, and security for AI, where teams protect models, prompts, data and the orchestration layers that connect them.
Den Jones, founder and CEO of 909Cyber, puts it plainly. “AI will help the good guys keep the bad people out, find vulnerabilities, look at configurations and close open doors into the environment, but it will also help the bad guys, who are using AI for deepfakes and highly convincing phishing campaigns.” The takeaway is clear. CNAPP innovation cannot stop at compliance. Platforms must learn, infer and act, because the same algorithms that defend networks are being used to breach them.
Kashti makes a similar point from the cloud runtime. Rule packs alone cannot keep up with systems that learn and adapt. “It is not about writing more rules. When you add AI, you are learning your own environment, how your agents behave normally, and that lets you distinguish the abnormal.” Behavioural baselining, powered by live telemetry, is what catches the subtle shifts that static tools miss.
Runtime becomes the control plane
The centre of gravity is moving from configuration snapshots to runtime context. Defenders need to know what applications, identities and AI agents are doing now, not what a manifest says they should be doing. System calls, API requests, prompt traffic and data access patterns are no longer exhaust logs; they are the raw material for intelligence. Feed that stream into learning systems, and you move from alert floods to comprehensible stories. It is the difference between a red dot on a map and an understanding of whether it is a parade or an invasion.
A glimpse of the shift
Investment flows are a signal. Sweet Security’s recent Series B, positioned around a unified cloud and AI runtime control plane, is one example of where the market is heading. The aim is to map models, watch for prompt injection, trace agent decisions and flag behaviour that deviates from a learned baseline. The cheque size is less important than the thesis behind it. Across the industry, vendors are racing to weave real-time interpretation into CNAPP platforms. Posture checks are table stakes. The frontier is continuous understanding.
Beyond prevention
Runtime intelligence will not replace traditional controls; it will rewire how teams prioritise and respond. Instead of spending cycles on every low-impact misconfiguration, teams can focus on risks that matter in production. Learning systems can filter noise, cut alert fatigue and shorten decision time.
There is also a cultural shift to reckon with. Many future incidents will not begin with a nation-state or a criminal gang. They will begin with a developer who ships an unsafe agent into production. As Kashti warns, “the biggest risk is not always the attacker, it is the engineer who unknowingly pushes an unsafe AI agent into your environment.” That is why guardrails, approval workflows and mapping tools for agent behaviour now sit alongside firewalls and IAM policies on the essentials list.
Where CNAPP goes next
The next generation of CNAPP will think and learn. It will fuse telemetry from workloads, identities and AI systems to reason about intent, not just activity. It will score and prioritise by risk, not by the number of rules. It will respond automatically to meaningful deviations from a learned baseline, with human-in-the-loop controls that match the sensitivity of the action.
Jones’s reminder that AI helps both sides is the heart of the matter. Security will be less about keeping pace and more about predicting the next move. CNAPPs that interpret runtime behaviour across humans, workloads and agents will set the new standard for defensive advantage.
The shift from posture to perception is underway. As AI blurs the line between code and cognition, the winners in cloud security will be those who defend at machine speed, with machine understanding, and with governance that keeps the human purpose clear. The goal is not to watch more. The goal is to understand faster, act earlier and reduce the blast radius when the unexpected happens.
