
SHARED INTEL Q&A: From alert to fix — Gomboc brings trusted AI to Infrastructure-as-Code – Source: www.lastwatchdog.com


Source: www.lastwatchdog.com – Author: bacohido

The promise of AI in cybersecurity has been loudly heralded—yet quietly limited.


Machine learning has proven effective at spotting anomalies and flagging misconfigurations. But resolving those issues remains largely manual, slow, and labor-intensive. A recent Cloud Security Alliance survey found:

• 75% of teams spend at least one-fifth of their time manually processing alerts

• 18% take more than four days to remediate critical vulnerabilities

• Over 60% cite duplicate alerts and false positives as major pain points

Even remediation tools powered by generative AI tend to output natural language suggestions that require manual review, rewriting, and testing.

Gomboc AI, co-founded in 2022 by former CISO Ian Amit and engineer Matthew Sweeney, is betting on a different path: deterministic AI. Instead of probabilistic guesses, Gomboc’s approach generates explainable, standards-aligned code changes to remediate infrastructure-as-code (IaC) vulnerabilities—with minimal risk of breaking functionality.

The company’s tools integrate directly into Git workflows, automatically generating pull requests to fix misconfigurations. Gomboc was recently featured in four of Gartner’s 2025 Hype Cycle reports—alongside hyperscalers and major vendors—validating its focus on safe, automated remediation. These tensions are exactly what Gomboc aims to resolve.

We spoke with Amit about deterministic AI, DevSecOps friction, and what it takes to actually reduce cloud security risk.

LW: What’s driving the renewed push to automate security—beyond just detection?

Amit: It’s about survival at scale. Automation isn’t magic—done poorly, it just multiplies mistakes faster. The key is targeted, explainable automation that actually closes the loop.

Teams are drowning in alerts and backlogs. The old model—detect, ticket, and hope someone fixes it — no longer works. Manual remediation is too slow and error-prone. The shift now is toward resolving issues at the pace of innovation, not just flagging them.


Security needs to move from being the department of “no” to becoming a real enabler. Automating remediation at the code level means finding, fixing, and moving on—without the endless back-and-forth. Done right, security becomes a background process that keeps up with the business.

LW: How do you define deterministic AI—and why does it matter now?

Amit: Deterministic AI is about certainty. Unlike generative AI, which can give different outputs for the same input, deterministic AI always returns the same result—based on policy, logic, and defined rules. It’s explainable and auditable by design.

In cloud engineering, that means predictable, standards-aligned fixes with no surprises. And in this context, predictability matters. Organizations can’t afford ambiguity. You need code changes you can trust to work—not suggestions you have to second-guess.

Deterministic AI shifts security from a guessing game to an engineering discipline: precise, repeatable, and ready for production from day one.

LW: Why is infrastructure-as-code the right place to prove out secure automation?

Amit: IaC is the ideal proving ground. It’s structured, version-controlled, and central to how cloud environments are built. That makes it perfect for embedding security early.

When you automate fixes at the IaC level, you’re not chasing problems after the fact. You’re enforcing guardrails before anything hits production. It’s also a layer that’s inherently testable and repeatable, so automation adds value without disrupting delivery velocity.

This is where engineering, security, and compliance all converge. That’s where automation has the biggest payoff.

LW: What does inclusion in Gartner’s Hype Cycles suggest about where this market is going?

Amit: It signals that the industry is moving past buzzwords and toward practical solutions. For us, it validates that deterministic, policy-driven remediation isn’t just visionary—it’s necessary.

Gartner highlighting AI Assistants for IaC as a high-benefit, emerging technology reflects that consensus is forming: the future of cloud security isn’t about more dashboards, it’s about tools that fix things. Real problems. At scale.

Being listed alongside shows that targeted innovation can go toe-to-toe with big players—so long as it solves real pain for engineers and security teams. Recognition is nice, but the real measure is impact in the field.

LW: How is compliance evolving as automation becomes embedded in engineering workflows?

Amit: Compliance is shifting from periodic checklists to continuous, code-driven enforcement. When automation is built into engineering workflows, compliance checks happen automatically — every time code is written or deployed.

That makes audit prep easier, reduces surprises, and improves your security posture. It also frees up teams to focus on building, rather than manually mapping controls to standards like CIS or NIST.

Ultimately, automation makes compliance proactive instead of reactive — a part of delivery, not a drag on it.

LW: What’s one lesson you’ve carried from being a CISO to building tools for security teams?

Amit: Solve the right problem. It’s easy to build dashboards or surface more alerts. But if you’re not reducing the backlog — if you’re not making life easier for both security and DevOps — you’re just adding noise.

The value is in bridging silos, automating the repetitive, and making security feel like part of the engineering flow. The best tools don’t just identify issues — they make them go away.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)

 


Original Post URL: https://www.lastwatchdog.com/shared-intel-qa-from-alert-to-fix-gomboc-brings-trusted-ai-to-infrastructure-as-code/
