Exclusive: Sysdig's Shantanu Gattani warns AI is supercharging cloud security threats
As the speed and complexity of cyberattacks continue to intensify, cloud security is being redefined in real time - and generative AI is emerging as both an accelerant and a stress test.
Speaking during an interview at Sysdig Accelerate '25 in Sydney, Shantanu Gattani, Senior Vice President of Product Management, Threat Research and Infrastructure at Sysdig, issued a stark warning: defenders must now match the speed of AI-fueled threats or risk becoming obsolete.
"We've published research where in cloud, it takes less than five minutes to blow things over," Gattani said. "If you can't detect within that time and respond within five seconds, then things are long gone."
The rise of LLM-powered attack tools, ephemeral infrastructure, and misaligned priorities across teams has formed what Gattani calls "a perfect storm" in cloud security.
"Even if you're cloud mature, visibility ends up being a problem," he said. "You're dealing with workloads that pop in and out before you even know they existed. So if you don't have real-time visibility, you're flying blind."
Speed, he emphasised, cuts both ways. While enterprises embrace the cloud to ship faster, that same velocity has opened cracks for adversaries to exploit. "Cloud promised agility, but now security has to keep up with that same delivery pipeline."
"That means catching issues early - when developers are still writing code - and delivering context straight into their workflows."
For Sysdig, that has meant building product integrations directly into dev toolchains, platform tooling, and ops consoles. "We meet developers where they are, rather than expecting them to come to us," he said.
"A developer shouldn't need to wake up and interpret dashboards - they should wake up to a ticket that says: 'here's the image to fix, here's why, and here's the version to upgrade to.'"
This outcome-oriented approach is what Gattani says sets Sysdig apart in a crowded space. "Security vendors love to talk about alert fatigue. Frankly, I'm fatigued by that conversation. The goal isn't to surface more data - it's to drive the fastest, most effective outcomes."
That's where AI comes in - but not without caution. "The market rushed to slap AI on everything," he said.
"But in security, hallucinations can be catastrophic. We've been very deliberate. We didn't just say, 'let's summarise alerts.' We built explainability, investigation tooling, and agentic AI into the platform - so we're not just surfacing data, we're telling you what matters, and what to do about it."
More than 80% of Sysdig's cloud-native customers have now adopted Sage, the company's AI assistant. Engagement is surging.
"We had one customer - we're not even their vulnerability management provider - we looked at their data and said, if you upgrade five images, you'll cut production vulnerabilities by 25%. If you upgrade ten, you cut it by 33%. Their jaws dropped. They didn't care about anything else - just tell them which five."
This kind of targeted remediation stems from Sysdig's roots in runtime protection.
"We started with Falco in 2013. Our founder, Loris, had built Wireshark and realised that in cloud, you can't sniff packets - you have to observe system calls. That's what runtime visibility is about: what's actually happening in memory, not what's theoretically vulnerable."
Gattani explained how Sysdig's runtime data filters millions of theoretical vulnerabilities down to the few that actually matter. "If your workload has 500 packages, only five might be loaded in memory. Of those, maybe one is reachable. That's the difference between a meaningless report and actionable intelligence."
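The filtering Gattani describes can be shown concretely. The example below is an added illustration written for this article, not Sysdig's or Falco's code: it takes a scanner's findings for an image, keeps only those in packages whose shared objects are actually mapped into the running process, then ranks the remaining upgrades by how many findings each removes (the "just tell them which five" step from the earlier anecdote). The SBOM, the findings (placeholder VULN-* IDs, not real CVEs), the package versions and the /proc/<pid>/maps excerpt are all constructed for the example; a real agent would collect the mapping data from exec/mmap events rather than a one-off snapshot.

```python
"""Runtime-aware vulnerability triage (added example; all data constructed).

Step 1: keep only findings in packages with a file mapped into the process.
Step 2: rank the fixes that remain by how many findings each upgrade removes.
"""
import re

# Constructed SBOM for one image: package -> version and the .so files it ships.
SBOM = {
    "openssl":     {"version": "3.0.2",  "files": ["libssl.so.3", "libcrypto.so.3"]},
    "zlib":        {"version": "1.2.11", "files": ["libz.so.1"]},
    "libxml2":     {"version": "2.9.13", "files": ["libxml2.so.2"]},
    "curl":        {"version": "7.81.0", "files": ["libcurl.so.4"]},
    "imagemagick": {"version": "6.9.11", "files": ["libMagickCore-6.Q16.so.6"]},
}

# Constructed scanner findings.  VULN-* IDs are placeholders, not CVEs.
# "fixed_in" is the first package version without the finding (None = no fix yet).
FINDINGS = [
    {"id": "VULN-0001", "package": "openssl",     "severity": "critical", "fixed_in": "3.0.7"},
    {"id": "VULN-0002", "package": "openssl",     "severity": "high",     "fixed_in": "3.0.7"},
    {"id": "VULN-0003", "package": "zlib",        "severity": "high",     "fixed_in": "1.2.13"},
    {"id": "VULN-0004", "package": "libxml2",     "severity": "high",     "fixed_in": "2.9.14"},
    {"id": "VULN-0005", "package": "curl",        "severity": "medium",   "fixed_in": None},
    {"id": "VULN-0006", "package": "imagemagick", "severity": "critical", "fixed_in": "6.9.12"},
]

# Constructed excerpt of /proc/<pid>/maps for the workload's main process.
PROC_MAPS = """\
55d1c2a00000-55d1c2a1c000 r--p 00000000 fd:01 1234 /usr/sbin/nginx
7f3a1c000000-7f3a1c028000 r--p 00000000 fd:01 5678 /usr/lib/x86_64-linux-gnu/libssl.so.3
7f3a1c100000-7f3a1c1b0000 r-xp 00010000 fd:01 5679 /usr/lib/x86_64-linux-gnu/libcrypto.so.3
7f3a1c200000-7f3a1c215000 r--p 00000000 fd:01 5680 /usr/lib/x86_64-linux-gnu/libz.so.1
7f3a1c300000-7f3a1c500000 rw-p 00000000 00:00 0
7ffd2c000000-7ffd2c021000 rw-p 00000000 00:00 0 [stack]
"""

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
# /proc/<pid>/maps fields: address perms offset dev inode [pathname]
# Only file-backed mappings (pathname starting with "/") are of interest.
MAPS_LINE = re.compile(r"^\S+ \S+ \S+ \S+ \S+\s+(/\S+)$")


def loaded_files(maps_text):
    """Basenames of every file-backed mapping in a /proc/<pid>/maps dump."""
    names = set()
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if m:
            names.add(m.group(1).rsplit("/", 1)[-1])
    return names


def loaded_packages(sbom, maps_text):
    """Packages with at least one shipped file mapped into the process."""
    mapped = loaded_files(maps_text)
    return {pkg for pkg, meta in sbom.items() if mapped.intersection(meta["files"])}


def triage(findings, sbom, maps_text):
    """Split findings into (in memory, installed only); in-memory sorted by severity."""
    active = loaded_packages(sbom, maps_text)
    in_memory = sorted((f for f in findings if f["package"] in active),
                       key=lambda f: SEVERITY_RANK[f["severity"]])
    installed_only = [f for f in findings if f["package"] not in active]
    return in_memory, installed_only


def rank_upgrades(findings):
    """Upgrades ordered by findings removed: [(package, target_version, count), ...]."""
    removed = {}
    for f in findings:
        if f["fixed_in"]:
            key = (f["package"], f["fixed_in"])
            removed[key] = removed.get(key, 0) + 1
    return sorted(((p, v, n) for (p, v), n in removed.items()),
                  key=lambda t: (-t[2], t[0]))


if __name__ == "__main__":
    hot, cold = triage(FINDINGS, SBOM, PROC_MAPS)
    print(f"{len(hot)} of {len(FINDINGS)} findings are in packages loaded in memory")
    for f in hot:
        print(f"  {f['id']} {f['package']} ({f['severity']})")
    print("Upgrades that remove the most in-memory findings:")
    for pkg, ver, n in rank_upgrades(hot):
        print(f"  {pkg} -> {ver}: removes {n}")
```

Two caveats a practitioner would add. "Mapped into the process" is a necessary but not sufficient condition for the final "maybe one is reachable" cut: a library can be loaded while the vulnerable function is never called, and closing that gap needs function-level evidence (symbol resolution or a call graph), which this example does not attempt. And a single snapshot of /proc/maps misses exactly the short-lived workloads Gattani mentions; capturing exec and mmap events as they happen is what lets the filter work for processes that are gone before anyone looks.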
Despite these capabilities, many enterprises still drown in vulnerability overload. Gattani points to a deeper issue: incentives. "Developers don't care about security - they care about building great products and shipping on time. Platform teams want compliance, not governance. Security teams need to quantify risk. But when no one owns the outcome, nothing gets fixed."
He added that most businesses struggle to assign real monetary value to vulnerabilities. "You say there are a million vulnerabilities. Okay, but what's that worth in dollars? If the answer isn't clear, people move on."
Internally, Sysdig's own teams use the same AI systems that customers do, enabling a feedback loop that tightens product relevance and accelerates threat research. "It's like giving our customers a fourth team member," Gattani said. "Junior analysts learn faster. Senior analysts get more productive. AI doesn't replace the team - it scales it."
As companies race to adopt AI, they also need to secure it.
"You have to leverage AI for security - but also secure AI itself. Our platform makes sure models and workloads don't drift. You can't just build a powerful model and walk away. You have to monitor it continuously."
Sysdig's threat intelligence team plays a critical role here, running global honeypots and injecting real-world attack data into the platform.
New risks discovered by the team - such as IngressNightmare or emerging exploit chains - are shipped to customers as detection rules in real time.
Asked how Sysdig balances speed with depth in detection, Gattani was direct: "We're the only cloud-scale platform that's truly real-time, with the context depth to back it. That's not marketing - it's architecture."
The future of cloud security, according to Gattani, will depend on visibility, automation, and AI - but used with precision, not hype.
"Doing security right means giving people the minimum amount of work that gets them the maximum impact," he said. "Anything else is just noise."