On September 24, during the main technical forum of the 2025 Hangzhou Yunqi Conference, Ouyang Xin, head of the cloud security product line at Alibaba Cloud Intelligence Group delivered a keynote speech, sharing Alibaba Cloud’s security dual-drive development strategy in the era of AI Agent explosion:
Providing customers with native security protection integrated into the entire AI Agent development process;
Continuously empowering security products with AI for intelligent upgrades, creating Agentic-SOC security operations, offering customers more cost-effective security options.
Continuous iterative innovation in cloud security driven by dual forces
Integrating AI Agent developmentfor native security protection across the entire process
In the past year, AI Agents have been continuously exploding, which has also driven the ongoing heat of AI models and AI infrastructure. Behind the rising user engagement and attention lies increasingly significant security risks:
-
Over $1 billion worth of computing power has been hijacked globally;
-
As of the end of September this year, DDoS attack peaks have reached 22.2 Tbps;
-
In the 2025 OWASP TOP10 for LLM Application risks, prompt injection ranks first, highlighting the potential vulnerabilities of large models…
The first step in protecting AI Agent assets is to clearly and accurately understand their risks. Unlike previous approaches that only considered security perspectives, cloud security starts from the entire business process built around AI Agents, identifying various security risks faced by AI Agents during interactions and calls with different components.
First is the Environment, which provides underlying resources such as computing power, network, data, and permission control for AI Agents, facing risks such as computing power abuse, vulnerability exploitation, and sensitive information theft;
Second is the Context and Tool layers that provide services/tools like RAG and Memory for AI Agents, which frequently encounter issues like API abuse, identity escalation, and credential leakage;
Then is the large model service, where AI Agents face new risks such as prompt injection, model hallucination, output of prohibited content, and returning malicious files/URLs during the process of calling models to provide services;
Finally is the application layer risk. Currently, most AI applications provide services to end customers in web form, and traditional web risks such as DDoS attacks and web intrusions still exist, but the increase in AI traffic has also brought new risks such as sensitive information leakage and AI BOTs.
Risks in the AI Agent business chain
Three-layer protection system: Security integrated into business processes Alibaba Cloud Security has natively integrated security across the entire AI Agent development process, providing customers with a full-stack protection system that spans model infrastructure (Environment, Context, Tools), the model itself (Model), and AI applications (Application).Seamlessly integrating security into business flows, providing customers with efficient, convenient, and low-latency security protection.
Native security integrated into the entire AI Agent development process
AI infrastructure layer: Fourfold challenges of computing power protection, security configuration, data leakage, and identity escalation
AI infrastructure refers to all the environmental and tool support needed when building AI Agents, including computing power, storage, network, identity, data, etc. Alibaba Cloud’s cloud security center, cloud firewall, IDaaS, data security center, and key management services provide customers with end-to-end AI infrastructure protection.
End-to-end protection system for AI infrastructure
Comprehensive coverage of computing platform scenarios
Extending from host security and container security to Serverless, PAI, and other AI-native workloads, supporting both one-agent and agentless modes, achieving full lifecycle protection for AI model training clusters, inference services, and cloud-native assets, providing a truly unified protection capability for computing platforms.
Enhancing visibility of cloud assets and continuous risk assessment
Customers’ AI models, tools, and services are often scattered across multi-cloud environments, making it difficult to manage and assess them globally, leading to resource waste and security blind spots. Issues such as misconfiguration and asset exposure can further trigger data leakage and attacks. This year, Alibaba Cloud’s cloud security center launched the AI-BOM + AI-SPM products, achieving transparency from “black box” to “transparent” and establishing a cloud-based AI asset management and security posture management system.
| AI-BOM | AI-SPM |
| Identification of AI assets on the cloud, covering 5 major cloud platforms and identifying over 190 AI components, providing a precise map for security risk governance; | Posture management covering the entire lifecycle of AI assets, providing over 400 vulnerability detection rules and over 200 AI-specific rules, helping customers achieve exposure reduction, compliance reinforcement, and remediation of misconfigured security settings. |
AK-free machine identity management
With the proliferation of AI agents, the number and complexity of Non-Human Identities (NHI) have exploded. Common NHI credentials include: AK&SK, API keys, OAuth tokens, and certificates. Once identities are stolen or permissions are abused, it can lead not only to attacks on the Agent but also to data leakage risks.
After years of exploration, Alibaba Cloud continues to provide KMS encryption hosting solutions for identity management of AI Agents, offering convenient credential management through native advantages such as automatic rotation and one-click activation. Additionally, Alibaba Cloud’s IDaaS supports AK-free solutions in multi-cloud scenarios, allowing large model applications to access cloud resources through temporary credentials, dynamically adjusting access permissions based on scenarios, avoiding permanent credentials to enhance security throughout the entire process.
End-to-end data encryption
Alibaba Cloud’s Key Management Service (KMS) provides encryption capabilities for over 90 cloud products, covering three stages: model data preparation, model training and fine-tuning, and model application and deployment. During this process, suspicious requests are identified and blocked through data detection and response, effectively preventing risks such as sensitive information theft due to AK leakage.
AI model layer: End-to-end model risk detection
Large models are the brains of AI Agents, and the processing of input prompts and the arrangement of output content directly determine the service quality of AI applications. This is also a major area for new security risks in the AI era: prompt injection, malicious files, sensitive information leakage, content violations… As AI education, AI office, and AI customer service become increasingly popular, enterprises need more comprehensive security protection.
Alibaba Cloud officially launched the AI security guard product this year, which, after multiple iterations, now covers end-to-end input and output content protection for AI systems:
At the model interaction layer, it can protect against prompt attacks, content compliance, model hallucinations, and perform sensitive data detection on final content outputs to ensure that the output content is authentic and compliant;
During the model input process, AI systems generally support multi-modal content input. Attackers can attack AI systems by embedding malicious programs or code in uploaded files. The AI security guard’s capabilities for detecting malicious URLs and files can effectively protect against such attacks;
The AI security guard also supports detection of new risks such as memory poisoning, tool contamination, and prompt crawling under Agents;
Comparison of AI security guard and open-source guard effectiveness
AI application layer: Integrated security protection
The explosion of AI applications has also brought many challenges to web applications. On one hand, new types of attacks such as prompt injection and jailbreak are impacting model security; on the other hand, computing power is becoming a major cost for enterprise IT support. Alibaba Cloud has observed that AI Bot traffic has increased by 300% in the past six months. This year, Alibaba Cloud’s Web Application Firewall has also upgraded its WAAP application security protection scheme, launching LLM-WAF capabilities, natively integrating AI security guards, and releasing a new version of BOT management, effectively reducing 21% of computing power attacks.
At the same time, the WAF’s API security capabilities can achieve full-line monitoring of sensitive data flow in AI business, enabling rapid discovery of API assets related to large models and automatically detecting privacy data leakage risks to meet compliance requirements.
Integrated AI application protection
Security agents + large modelsCloud security intelligent upgrade
While providing end-to-end security protection for AI Agents, the rapid development of AI is also feeding back into the intelligent upgrade of security products. Alibaba Cloud Security processes hundreds of billions of security detections daily, and with the support of the underlying model, they become valuable training data. Through meticulous data processing and algorithm optimization, the cloud security team has built dozens of security agents (AI Agents), integrating AI into every stage of security through Multi-Agent capabilities, effectively enhancing security product capabilities in areas such as threat detection, security operations, identity and anti-fraud, content security, and data security.
In the security operations (SecOps) field:
There have been improvements in virus detection, threat detection, intelligent analysis, and response. The overall false positive rate for threat detection has decreased by 80%, detection rates for malware, scripting languages, and web shells have increased by 5-20%, and the success rate of automated investigation and analysis of attack events has increased by 15%;
In the data security field:
Traditional data classification and grading rules are complex and incomplete. By integrating the underlying model (Qwen-Plus) for higher precision semantic recognition, the accuracy of data classification has improved by 35%, especially in recognizing complex formats such as tax registration numbers and bank card numbers; at the same time, over 800 types of cloud data have been identified, desensitized, and encrypted, with built-in AI recognition capabilities for over 30 types of documents and images;
In the real-person authentication field:
The challenges of Deepfake are becoming increasingly prominent. By integrating the multi-modal large model (Qwen-VL), the recall rate for detecting forged Deepfake faces has improved by 10% compared to previous small models, effectively preventing identity fraud; at the same time, real-person authentication now covers over 6000 globally recognized document classifications and identifications;
In the content security field:
Cloud security has developed a dedicated content review large model, integrating the full range of Qwen3Guard review models, with detection capabilities improved by 30%, especially in identifying more subtle and complex violations such as bias, discrimination, and violence, covering complex risk types in cross-modal detection, with a recall rate improvement of 10%;
Optimal cost-performance: Three-layer linked detection system
Although AI has improved detection and recognition capabilities for complex attacks and content, cloud security does not rely solely on large models to solve all problems. Instead, based on effectiveness and cost considerations, a comprehensive solution combining rule engines, small models, and large models is adopted:
Rule engines are the “cornerstone” of security detection, providing rapid response and stable detection for known attacks;
Small models are lightweight intelligent detection models, akin to “industry special forces,” with good generalization and specialized detection capabilities;
Large models expand the detection range, enhancing overall recall and accuracy through semantic understanding and associative reasoning, addressing blind spots in traditional capabilities and discovering unknown attacks;
The three-layer linkage employs the most suitable detection methods for different types of threats, allowing customers to enjoy the enhanced security effects brought by large models while maximizing cost savings. This is Alibaba Cloud Security’s firm choice in the AI era.
Three-layer linked detection system
Security agents: New upgrade of Agentic-SOC
The deep integration of security agents with products has greatly improved operational efficiency in the cloud. Alibaba Cloud’s Cloud Threat Detection and Response (CTDR) has been fully upgraded this year, constructing the Agentic SOC business process through multi-source data access, intelligent analysis and decision-making, automated handling, and continuous optimization, establishing a complete cloud threat analysis and response system. This has significantly improved the efficiency of incident investigation and handling.
In this process, the analysis results from the AI scheduling brain will be executed through four key security agents:
AI intelligent judgment Agent: Responsible for alert judgment, log correlation, and multiple verifications;
AI alert aggregation Agent: Conducts analysis tracing, complex event linking, and traceability graph generation;
Execution Agent: Automates execution based on dynamic scripts and intelligent orchestration;
Security report Agent: Generates root cause analysis, attack narratives, and intelligent recommendations for subsequent analysis;
The support of AI capabilities has significantly improved the success rate of automated incident investigations from 59% to 74%, while 70% of response actions can be completed without human intervention, greatly reducing operational costs and improving threat handling efficiency.
So far, Alibaba Cloud has collaborated with cutting-edge AI companies such as Moonlight and Silicon-based Flow to build security solutions for AI infrastructure protection and AI model ecosystem protection, and has expanded the protective boundaries of security agents in terms of security effectiveness and operational efficiency with companies like Shiseido, Shentong, TNGD, and Guming.
In addition to capability enhancement, cloud security is also continuously committed to providing customers with a more convenient security experience. “Cloud-native security” is our consistent philosophy, seamlessly integrating security capabilities into cloud products. Currently, Alibaba Cloud’s security capabilities are deeply integrated with 28 cloud infrastructure products, lowering the usage threshold for users. For example, the native integration of the data security center with databases allows for one-click activation of security functions, achieving data classification and encryption capabilities.
Deep integration of cloud-native security
In the future, Alibaba Cloud Security will continue to explore and seek the optimal solution among security, AI, performance, and cost, providing customers with smarter and more cost-effective security products.
Alibaba Cloud Security
An internationally leading provider of cloud security solutions, with over a hundred core capabilities across eight major security domains including zero-trust SASE, data security, and traffic security, helping various industries build a cloud-native architecture characterized by high integration, intelligence, and self-evolution. Alibaba Cloud’s security capabilities have been recognized by authoritative institutions: in the 2023 Forrester report on “Infrastructure as a Service Platform Native Security Wave™”, Alibaba Cloud was promoted to the Strong Performer quadrant, receiving the highest scores in standards such as container security; in the IDC report on “China’s Public Cloud Network Security as a Service Market Share, 2022”, Alibaba Cloud ranked first in market share; and in the Gartner® Magic Quadrant for Network Firewalls, Alibaba Cloud has been in the “Challengers” quadrant for two consecutive years. As a leader and practitioner in cloud-native security technology, Alibaba Cloud achieves transformative breakthroughs through the tight coupling of security capabilities with the cloud, significantly enhancing security efficiency, availability, stability, and collaboration; the cloud service has a natural immune gene built-in, working together with users to safeguard the security of the digital native world in the cloud.