Talha Tariq joins Vercel as CTO (Security)

As AI reshapes how software is built and deployed, the surface area for attacks is growing rapidly. Developers are shipping faster than ever, and we’re seeing new code paths, new threat models, and new vulnerabilities.

That’s why I’m excited to share that Talha Tariq is joining Vercel as our CTO (Security).

Talha brings deep expertise in security at scale, having served as CISO & CIO at HashiCorp for seven years before becoming CTO (Security) at IBM following its acquisition. There, he oversaw security across all IBM divisions including software, AI, and post-quantum cryptography.

Product-first AI safety and security

It’s getting harder to tell automated systems from humans. We’re seeing an explosion of AI-generated code, new protocols like Model Context Protocol (MCP), novel attack vectors, and advanced reasoning now in the hands of both defenders and attackers.

This shift demands a different approach — one rooted in product and technical innovation, not policy or process. Talha shares that vision.

What excites me most about Talha is his track record of building security products developers actually want to use. At Vercel, he’ll go beyond traditional CISO scope, leading security research, product R&D, engineering, and trust & safety to help us ship industry-leading capabilities.

Vercel powers some of the world’s most important apps, serving billions of requests daily. As AI redefines software and the infrastructure that runs it, we have both the opportunity and responsibility to lead on security — protecting not just our platform, but helping secure the broader internet through the tools and infrastructure we give developers.

I sat down with Talha to discuss his vision for security at Vercel and the challenges ahead.

You spent seven years at HashiCorp and then moved to IBM as CTO (Security). What led you to come to Vercel?

Talha: I’ve always been passionate about cutting-edge tech, and solving problems at a global scale to improve the security, trust, and safety of the internet.

When I look at the companies making the biggest impact, Vercel stands out. It’s not only creating products that developers love, but we also share a vision for how to secure the web of the future, and create open and trustworthy tools for developers to shape that future.

The AI era is introducing entirely new security challenges, from prompt injection attacks to the sheer volume of AI-generated code. How do you think about securing development in this environment?

Talha: The current era of AI presents both security risks and opportunities. On the risk side, GenAI and LLM tech is maturing fast, but we are still early in the adoption phase.

On the opportunity side, I’m excited about using AI to solve for security problems that were historically more difficult to solve at scale. We can influence standards like MCP, A2A and build safeguards in the AI stack and SDKs to enable developers to implement controls and coverage.

Security needs to move away from being the "department of no" and be deeply embedded in product development.
Talha Tariq

You've talked about solving security problems through product development rather than bureaucracy. What does that philosophy mean in practice?

Talha: As a career CISO, I’ve always needed more secure products, not more security products. Security should be a first-class part of any platform, not something bolted on after the fact. That means building security for everyone, not just experts. If developers and end users get secure-by-default tools, it raises the bar for the whole ecosystem.

I also believe security should be embedded in product development — not operate as the “department of no.” The best security orgs solve problems by building tools that improve hygiene and reduce risk, whether through better identity and access, secrets management, AI safety, or platform reliability.

Identity verification is getting harder as AI makes it easier to impersonate humans. How should we be thinking about authentication and bot detection in 2025 and beyond?

Talha: GenAI makes it cheaper and easier to impersonate humans, which raises the stakes for identity verification. As human and machine activity become harder to distinguish, we’ll need collaboration across tech, government, and academia to rethink how we verify identity and build trust.

While policy takes time, I’m optimistic that technology can surface emerging risks and offer practical ways to mitigate them.

Talha: As someone who is passionate about technology, security, and the potential of the open web to improve humanity, I wanted to work for a company that shared those values.

Of course, the immediate focus is on the Vercel ecosystem and its customers, but I look forward to building security frameworks and tools that are open, transparent, and what practitioners would love to use.

Building a more secure web

From our Web Application Firewall to platform-level safeguards, we’re investing in security as a core part of the developer experience. With Talha’s leadership, we’re building tools that protect by default—so teams can move fast, stay secure, and focus on shipping.