- What: Wiz researchers found vulnerabilities in major AI platforms over two years of hacking.
- Impact: The research suggests that security professionals should focus less on prompt injection and more on underlying vulnerabilities in AI infrastructure.
Lessons From AI Hacking: Every Model, Every Layer Is Risky

After two years of finding flaws in AI infrastructure, two Wiz researchers advise security pros to worry less about prompt injection and more about vulnerabilities.

Robert Lemos, Contributing Writer
February 20, 2026
5 Min Read

When Hillai Ben Sasson and Dan Segev set out to hack AI infrastructure two years ago, they expected to find vulnerabilities, but they didn't expect to compromise virtually every major AI platform they targeted.

The two researchers — who work in offensive and defensive research, respectively, at cloud-security firm Wiz — wanted to experiment with how they could attack the AI infrastructure being deployed as part of foundational models, AI services, and in-house AI projects. Yet what started as simple attacks on the AI supply chain — such as abusing the widely used Pickle format to run arbitrary code — evolved into a comprehensive threat assessment spanning five distinct layers of the AI stack. They plan to present the lessons learned over their two years of research at the upcoming RSAC Conference in March.

Perhaps the most important lesson: Focus on the infrastructure used to train, run, and host AI services, and not on prompt-injection attacks, says Segev, a security architect in the Office of the CTO at Wiz.

"Don't get me wrong — I think prompt injection is definitely a novel attack vector," he says. 
"But technologies and services are introduced every day — MCP [model context protocol] is a good example — all those technologies are introduced with so many vulnerabilities on the infrastructure layer that, if you are not looking at the fundamentals of security [and] understanding the threat model ... then you're really missing out on the big picture."

The presentation comes as businesses across every industry are attempting to figure out how to best use AI and not miss out on potential innovations and cost savings, and are moving ahead despite security concerns. An overwhelming majority of CISOs (83%) are worried about the level of access that AI has to their company's systems, especially because most (71%) believe that AI has access to core business systems and have found unsanctioned AI tools running in their environments, according to the 2026 CISO AI Risk Report.

The rapid pace of AI development has resulted in companies rushing insecure products to market, repeating past mistakes of prioritizing speed over security, Segev says.

AI Security's in a Pickle

Take the Pickle format, for example. Often used as a way to store model weights, the format mixes data and code, allowing malicious Pickle files to readily run malware on systems. Because many of the formats and infrastructure came from data researchers, most decisions did not include threat modeling and a focus on security issues, says Hillai Ben Sasson, a senior security researcher at Wiz.

"We were really surprised to find out that AI models and AI model formats often have security vulnerabilities by design, like the Pickle format, which is a really, really popular way to store AI models," he says. "We were really intrigued by this and we started thinking, what if we deploy malicious models to all the big AI providers and we see what happens?" 
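As an added illustration of the data-and-code mixing described above (this is example code, not code from Wiz or from the article), the following Python sketch shows the defender-side check: it statically lists every global a pickle would import, and it loads only through an allowlisting Unpickler so that an unexpected callable is never invoked. The sample pickles and the SAFE_GLOBALS allowlist are constructed for this example.

```python
import io
import pickle
import pickletools

# Constructed sample: __reduce__ tells the unpickler to call builtins.print.
# The call is harmless here, but pickle.loads would invoke any importable callable.
class CallsPrintOnLoad:
    def __reduce__(self):
        return (print, ("side effect executed during unpickling",))

SAMPLE_PICKLE = pickle.dumps({"weights": [0.1, 0.2], "meta": CallsPrintOnLoad()})
BENIGN_PICKLE = pickle.dumps({"weights": [0.1, 0.2]})

# Globals a plain checkpoint may need (assumed allowlist); anything else is refused.
SAFE_GLOBALS = {("builtins", "dict"), ("builtins", "list"), ("collections", "OrderedDict")}

def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """Statically list (module, name) pairs the pickle imports, without executing it."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"):
            strings.append(arg)                    # candidate operands for STACK_GLOBAL
        elif op.name == "GLOBAL":                  # protocols 0-3: "module name" in-line
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
            name, module = strings.pop(), strings.pop()   # protocol 4+: pushed earlier
            found.append((module, name))
    return found

class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only allowlisted globals, so an unexpected callable is never reached."""
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")

def scan(data: bytes) -> dict:
    """Report globals outside the allowlist and whether restricted loading succeeds."""
    suspicious = [g for g in referenced_globals(data) if g not in SAFE_GLOBALS]
    try:
        RestrictedUnpickler(io.BytesIO(data)).load()
        loaded = True
    except pickle.UnpicklingError:
        loaded = False
    return {"suspicious": suspicious, "restricted_load_ok": loaded}

if __name__ == "__main__":
    print(scan(SAMPLE_PICKLE))  # {'suspicious': [('builtins', 'print')], 'restricted_load_ok': False}
    print(scan(BENIGN_PICKLE))  # {'suspicious': [], 'restricted_load_ok': True}
```

The static pass is what a model-hosting pipeline can run before any load; the restricted loader is the fallback for the case where loading is unavoidable.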
In the end, the two researchers built up a threat model that has five layers, based on parts of the AI lifecycle. The first is model training, during which data leakage is perhaps the biggest risk. In 2023, Wiz reported that an overly permissive file-sharing link allowed anyone to access a massive 38TB data store being used by Microsoft to train its models. Next, at the inference stage, where users interact with the models, Wiz researchers discovered numerous vulnerabilities in production models, such as DeepSeek, and services, such as Ollama.

Vibe Coding's Poor Security

The third level, the application layer, includes prompt injection, but also issues with vibe coding platforms, such as Base44. Wiz researchers found a vulnerability that could have allowed attackers to gain access to any private enterprise application. In fact, the vibe-coding platforms have a poor record of security, says Segev.

"We don't have exact numbers, but almost every vibe-coded app we set out to look for, we were able to hack in minutes," he says. "The reality is that AI security is — I don't want to say broken — but it's really compromised at the infrastructure layer."

The researchers expanded their model to two other layers as well. The AI clouds that host models and applications have their own set of vulnerabilities. "You can compromise the AI cloud and therefore compromise all the customers of that cloud," Ben Sasson says.

The researchers even found vulnerabilities in the hardware and systems on which AI infrastructure is based. Wiz researchers had found vulnerabilities in NVIDIA's Triton Inference Server that could have been chained together to allow an unauthenticated attacker to gain complete access to the AI model.

"This was perhaps the craziest find of them all ... because you find one vulnerability in this library and then everyone uses this library," Ben Sasson says. 
"It's like one vulnerability for every single cloud provider, every single AI application, every single step of the AI process. Everyone was vulnerable to this."

Close the Loop on AI Security

There are no fast fixes for the current problems with AI security, especially because so many of the issues are in others' hands, says Segev. Wiz currently uses a security agent to conduct regular security reviews that check any code, service, or application. Rather than "implement and forget," security agents could bring regular compliance checks as pieces of the AI ecosystem are created, he says.

"Having the ability to close the loop is something that will be more common and is going to introduce better protocols, better standards, and more security," he says. "Attackers are becoming so much more sophisticated that [companies] just won't have the ability to stay exposed with some vulnerabilities for long. It'll take minutes before it'll be exploited."