AI & Data Resources | Infinum

Pen Testing, Red Teaming, and Why No Scanner Can Replace Either

Sean McCarthy — Wed, 01 Apr 2026 14:02:28 +0000

Pen testing and red teaming are often used interchangeably. Both probe your defences. Both find what’s broken. But they ask fundamentally different questions, and the one you choose shapes how wide you assess your business security.

Penetration testing and red teaming both start from the same premise: hire someone to break in before the bad guys do. But they’re different tools for different problems, and conflating them is one of the more common mistakes organisations make.

Two approaches, similar goal

Penetration testing is focused.

You define the scope – a specific application, a network segment, a set of systems – and testers go step by step in an attempt to find and exploit vulnerabilities within it.

Most engagements use a gray box approach: testers are given enough context to work efficiently. Credentials, access, scope. Enough to find what matters within a fixed timeframe.

Red teaming is the opposite of narrow. It’s intelligence-led and scenario-driven, built to simulate a sophisticated adversary targeting your organisation specifically.

The approach changes depending on who you are – a red team targeting a bank crafts different phishing emails, chooses different attack vectors, and pursues different objectives than one targeting a logistics company.

The whole exercise is shaped by what real threat actors are actually doing to organisations like yours.

Pen testing	Red teaming
Narrow, system-focused scope	Whole-organisation scope
Often gray box by default	Intelligence-led, scenario-based
Time-boxed engagement	Simulates a real, tailored adversary
Finds specific technical vulnerabilities	Tests people, process, technology

When do you need which?

Pen testing is right for checking specific systems – after a new build, before a release, or as part of a compliance cycle (TIBER-EU and DORA both require it).

Red teaming is for organisations with mature security who want to stress-test the whole picture: not just whether systems are patched, but whether your people, processes, and assumptions hold up under a realistic attack.

Technical depth isn’t enough

The best pen testers and red teamers share two things: deep technical expertise and genuine creativity.

The technical side is obvious – you need to understand how systems behave under pressure, and how to adapt when a vector doesn’t work as expected. But creativity is what separates good from exceptional.

Testing isn’t a checklist. When a system reacts unexpectedly, the question isn’t “what does the tool say next?” – it’s “what does this tell me, and where does it lead?” That kind of thinking can’t be scripted. It has to be developed.

You need to think like an attacker – then explain the risk in language a board member can act on.

The second half of that matters as much as the first.

A brilliant technical finding is worthless if it can’t be translated into plain language. The job isn’t just to find vulnerabilities – it’s to help the organisation understand what they mean and what to do about them.

Why no scanner replaces this

Automated tools are good at finding what’s already known – catalogued CVEs, misconfigured headers, outdated libraries.

They’re fast, they’re consistent, and they’re useful. But they operate on fixed logic. They flag what they’re programmed to flag, and they stop there.

A skilled tester doesn’t stop there.

They notice how a system reacts, chain together findings that no single tool would connect, and pursue lines of attack that require judgment – not just pattern matching.

Automated scanners also can’t walk through your front door pretending to be IT support, or craft a phishing email convincing enough to fool a trained employee.

Nine times out of ten, real attackers get in through people, not ports. A scanner has nothing to say about that. Manual testing does.

This is why organisations that rely on automated tools as their primary security layer end up with a false sense of coverage. The scanner ran clean – but that’s only true for the things the scanner knows how to look for.

Attackers aren’t limited by that constraint.

A vendor with a quiet network connection into your environment, a help desk employee who clicks the wrong attachment – these don’t show up on a dashboard. They show up when it’s too late.

Want to discover security vulnerabilities before attackers do?

Explore the full list of our cybersecurity services.

So, the question isn’t whether to test.

It’s whether you’re testing the right things, in the right way, with people who can tell the difference. Automated tools have their place – but they’re a floor, not a ceiling.

The post Pen Testing, Red Teaming, and Why No Scanner Can Replace Either appeared first on Infinum.

Is AI-Generated Code Secure? What Business Leaders Need to Know About AI and Application Security

Hrvoje Filaković — Fri, 06 Mar 2026 13:47:45 +0000

AI is changing how software gets built: faster timelines, leaner teams, fewer blockers. But does all that speed come at a cost? We put AI to the test in a real-world security experiment, and what we learned should matter to anyone leading modern product, platform, or tech teams.

According to Collins Dictionary, vibe coding is officially the word of the year – and if you’ve spent literally any time around engineering teams lately, that probably doesn’t surprise you.

Obviously, it’s catching on fast.

Microsoft recently shared that around 30% of the code in some of its repositories is now AI-generated. This shift is one of the defining cybersecurity risks of 2026 — our cybersecurity trends overview covers the trade-off between vibe coding and security in depth.

At Infinum, we see this trend up close, both in internal experimentation and in conversations with clients who are increasingly curious about AI-assisted development.

The appeal is clear: development is faster, prototypes turn into products at record speed, and teams feel confident shipping.

But is that confidence earned? We decided to find out.

Security doesn’t work on vibes

A growing belief is quietly taking hold in many teams:

“If I tell the AI to make it secure, it probably will.”

That assumption is understandable because AI is very good at reproducing patterns that look correct. When prompted, it can generate code that resembles common security practices and includes familiar terminology, giving the impression that risk has been addressed. But is it, really?

Instead of debating, our cybersecurity engineer designed a simple, hands-on experiment.

He asked AI to build apps with varying levels of security guidance, from none to OWASP-level detail, and then he tried to break them.

We didn’t want to test whether AI could write code. We know it can.

Likewise, the goal wasn’t to assess if AI builds insecure apps by default. We wanted to test whether adding “make it secure” to your prompt is enough to stop vulnerabilities – and how that changes as you get more specific.

Let’s see the results.

The apps we built (and broke)

We asked AI to build three medium-complexity web applications, realistic enough to offer an attack surface, but not so complex that AI failed to build them. One app was generated with no security input at all, one with light guidance, and one with detailed, best-practice-driven instructions.

App	Security guidance	Security quality	Outcome
Simple Project Tracker – task and project manager for small teams	None	Poor	Multiple critical issues in input validation, design, and session handling, easily leading to worst-case exploitation scenarios. Users could make themselves admins.
Project Resource Hub – internal portal for sharing documents and guides	Light	Mixed	Critical issues reduced, but several vulnerabilities remain that could still expose sensitive information, such as SSRF and malicious file uploads.
Niche Vault – hobbyist catalog site for personal collections	Detailed & OWASP-based	Better, but insufficient	Significantly fewer vulnerabilities; none severe, but still issues that could pose risks over time. Missed CSV injection, rate-limiting, and open redirects.

Turns out, not even specific prompts are enough to build applications that can survive real-world attacks.

Want to learn all technical details of the experiments, including exact prompts, a detailed overview of found issues, and our engineer’s conclusion?

Explore the complete overview of this experiment.

What actually went wrong

Even with better prompts, the same kinds of security gaps kept popping up.

AI didn’t forget libraries or miss syntax. It just couldn’t reason about how things might go wrong, and that’s where real-life threats were.

While we are aware that this is an experiment of a limited scope, it is still important to note recurring issues we recognized:

Trust in user input

AI simply trusted what users said about themselves. In multiple apps, user roles (such as admin) were accepted directly from client input, with no validation or enforcement. If someone claimed to be an admin, the system said: “Sure, sounds legit.” Just like that, admin access was self-serve.

Broken or missing access control

Even when roles were assigned correctly, features didn’t enforce them properly. There were no ownership checks, no context validation, no guardrails. Anyone logged in could view, modify, or delete other users’ data.

Feature-level defenses, system-level blind spots

AI knew to sanitize an input field, but it didn’t think about how that input might travel through the system. Security was applied in pieces, not as a pattern, which means defenses weren’t absent; they were just easy to step around. This fragmentation is also why software supply chain security requires a systemic approach — the weakest link is rarely where you’re looking.

Reactive security instead of proactive thinking

The apps didn’t lack rate limiting, but rate limiting was only added to endpoints the prompt specifically called “sensitive.” In other words, if you want a feature to be secure, you have to explicitly tell the AI – every time.

No imagination for abuse cases

And this might be the most important insight of all: the AI assumed good-faith users. It never asked the question that is the foundation of real-world security: What if someone does the wrong thing on purpose?

In conclusion, the issues discovered weren’t bugs in the traditional sense. They were assumptions – that roles are respected, that the app can trust user input, that attackers won’t be creative.

Most of the problems were not broken locks, but doors that simply weren’t locked because AI assumed nobody would try them.

HRVOJE FILAKOVIĆ,
CYBERSECURITY ENGINEER

But attackers are creative, and they have all the time in the world to look for what you missed.

Why this matters beyond the code

Security is not just a dev problem. It’s a systems-thinking problem, and it affects every role involved in shipping software.

For CTOs & Heads of Engineering

AI speeds things up, no question, but it can’t replace architectural thinking.

The biggest failures in these apps weren’t in the code; they were bad assumptions about how trust, roles, and permissions work. Even when AI adds security controls, it struggles to secure the system as a whole.

We’ve all recently witnessed this: in our deep dive into OpenClaw (ex Moltbot), we explored what happens when AI sidekicks are given broad access with no guardrails. The takeaway? When AI has too much control, your data is very likely at risk.

Again, that’s an architectural one. And it’s still up to humans to get it right.

For Founders & Execs

All three apps worked. Some even looked secure. But they could still be exploited in serious ways, often through features that seemed harmless.

Remember this: AI gives a false sense of security. Without hands-on testing, issues like these show up only after damage is done. If you’re building with AI and need it to be secure from the start, our custom AI development services combine speed with security by design.

For Security Leaders

The vulnerabilities we found didn’t have CVE numbers. They weren’t from outdated libraries or missing headers. They were logic and abuse-case failures – the exact kind of problems automated scanners don’t catch. Addressing these systematically through structured security governance, risk assessment, and compliance frameworks is exactly what governance, risk, and compliance services are designed to support.

Manual penetration testing still matters because it mirrors how attackers behave, not just what vulnerabilities exist – and AI-assisted code makes this more important, not less.

For Developers

AI can implement what you tell it, but it’s not a security expert. It won’t catch logic flaws, system-wide assumptions, or the creative misuse attackers are known for. For a practical look at how to work with AI coding assistants without sacrificing code quality, see our roundup of AI tools for development teams.

Writing secure apps still requires developer intuition, threat awareness, and curiosity about how features might be abused.

The key takeaway: “Please make it secure” is not a security strategy. AI can help you build faster only if you know exactly what to ask for, and even then, it often misses the bigger picture.

So, yes. AI-generated code can be secure, but it takes judgement, experience, and most importantly, testing.

What should you do now

Use AI. Embrace the speed. Build more, experiment faster, prototype wildly.

But don’t confuse working code with secure code.

Bring in experienced engineers. Secure software doesn’t just happen, it’s built intentionally. SSDLC practices are more essential than ever when code is being generated at speed. For mobile developers in particular, intentional security means implementing runtime protections that resist reverse engineering — something we explore hands-on in our guide to Android anti-root, anti-hook, and anti-debug mechanisms. Before scaling AI-assisted development across your team, it helps to have a clear AI strategy — one that accounts for security, governance, and the right use cases from the start.
Test like an attacker. Manual penetration testing reveals what AI misses: the logic flaws, the edge cases, all the blind spots that open into serious vulnerabilities.

Why automated scanners won’t help

Automated tools catch known and “low-hanging fruit” types of vulnerabilities. But issues discovered in this experiment weren’t in any vulnerability database, because they weren’t traditional bugs – they were incorrect assumptions about how systems would be used.

The AI knew the best practices, it just couldn’t connect the dots to anticipate misuse. That’s what manual testing is for – to expose unknown risks.

Automation wouldn’t have caught that, but manual testing told us whether the system could survive a curious attacker.

Want to see how your AI-generated app holds up?

Let’s test it, break it (safely), and help you fix what matters most.

The real takeaway

The apps worked and security looked reasonable.

But AI inherently doesn’t understand security, which is especially obvious once software interacts with real users, real data, and real incentives to misuse it. Security failures rarely come from missing syntax or forgotten libraries; they emerge from incorrect assumptions about behavior, trust, and intent.

AI builds what you ask for.
It protects what you explicitly mention.
It doesn’t secure the system as a whole.
It doesn’t imagine creative misuse.

Attackers do nothing but imagine misuse.

This is exactly why manual penetration testing exists: not to check a box, but to ask the one question that AI won’t:

“What happens if someone does the wrong thing on purpose?”

Security still requires human intent and adversarial thinking. No matter how well you prompt it, AI can’t protect against what it doesn’t anticipate.

If your app was built with AI assistance, this isn’t a theoretical risk. It’s a structural one.

If you want real, certified humans to have a go at your app – partner with Infinum’s security team to test your app the way real attackers would. We’ll help you find the blind spots, close the gaps, and build safer systems, so you can move fast without leaving yourself exposed. If we find zero issues, the beer is on us.

The post Is AI-Generated Code Secure? What Business Leaders Need to Know About AI and Application Security appeared first on Infinum.

Why Model Context Protocols (MCP) Will Define the Next Wave of AI-Enabled Businesses

Stefan Vodilovski — Mon, 23 Feb 2026 15:51:17 +0000

For the past two years, most organizations have been consumed by a single, driving question: “How can we leverage AI in our business?” But as the market matures, the more critical question becomes: “How can we provide AI with the live context needed to function effectively?”

The “Static Context” Trap

There is a typical scenario that an organization lives through in its pursuit of AI utility. In an effort to deliver immediate value, an organization feeds an LLM its Confluence pages and a collection of internal PDFs. The model answers questions accurately, and the implementation feels seamless. Stakeholders are satisfied with the newfound efficiency. The results are an instant success.

However, the organization inevitably hits a wall as the reality of a moving business catches up with the static data of the past. If context is not retrieved dynamically, the AI cannot participate in a workflow – it can only summarize old news. This creates a strategic ceiling.

Most AI pilots reach a fatal point when they are too disconnected from the live environment to be trusted with business operations. Failure then spills into customer experience, internal operations, and revenue-impacting workflows. Eventually, it becomes clear that the issue is not the model’s intelligence but a lack of a live connection to the company.

That’s why the next wave of AI-enabled businesses will be defined by Model Context Protocols (MCP). This critical infrastructure bridges the gap between static reasoning and real-time business reality.

The industry has spent two years fixating on the LLM’s brain while neglecting the nervous system required to connect it to the enterprise.

Enter the Model Context Protocol (MCP)

From a business perspective, model context is not about tokens or prompts. It is about ensuring that AI systems:

Know exactly what they are allowed to see.
Understand who they are acting on behalf of.
Operate within clear boundaries and policies.
Access relevant and up-to-date business information.
Behave consistently across teams, products, and channels.

This is the foundation of how we approach AI and data engineering — every system we build is designed from the start with defined access boundaries, governance, and real-time data integration.

A Model Context Protocol is a structured way to define and deliver the knowledge and actions a model can make. This is an operating contract rather than a technical protocol. It provides the AI with a “source of truth” that updates in sync with the business.

From “Advice” to “Action”

The transition from static data to dynamic protocols changes the utility of AI. This is best illustrated by an example emphasizing the difference between an assistant that remembers information and an assistant that knows how to fetch it.

The Static Way: Relying on Memory

In a static approach, an organization uploads thousands of PDFs, product manuals, and pricing sheets to a vector database. The AI is then prompted to use these documents to answer questions. However, as documents become outdated and regulations evolve, the system begins to fail.

Consider a customer asking for the current cancellation policy for an enterprise account in Germany. A static AI might reference a 2024 PDF and confidently provide an outdated answer. It has no way to verify whether that policy is still valid or even applies to that specific region. The customer ends up frustrated and exits the chat.

This forces a human agent to intervene to fix the mistake manually. In this model, the engineering team’s daily workload is consumed by the repetitive task of feeding the model new data snapshots instead of building new capabilities.

This is one of the core pain points in AI chatbot development — we’ve documented how knowledge base staleness and hallucination undermine even well-scoped chatbot projects.

The MCP Way: Relying on Access

In the MCP Way, the business defines a standardized context layer. This protocol specifies exactly which tools the model can use and which data sources it can access in real time. Instead of relying on a folder of old files, the AI operates like a user with a live internet connection.

When asked about the same German cancellation policy, the AI identifies the region and customer type. It then uses the protocol to hit the live policy API and the subscription store. It recognizes the most recent “instant” policy tag and confirms the customer’s eligibility. Because it has a secure communication layer, it can provide more than just a text response. It triggers the cancellation through Infobip MCP Servers or another messaging tool.

This is the jump from an AI that talks to an AI that operates, ensuring that every action is grounded in verified, real-time data. This shift is at the heart of AI automation — moving beyond smart responses to systems that execute workflows end-to-end.

The Strategic Shift in Business Architecture

The value of structured model context extends beyond improving answers. When context is delivered via a Model Context Protocol, AI systems shift from isolated responders to reliable participants in business processes that operate within defined boundaries, using approved data and actions. Building these systems from the ground up is what our AI agent development services are designed for — from prototype to production in a structured, risk-managed engagement.

Most importantly, MCPs enable this without hard-coding logic into every application. Whether an organization is building internal tools or integrating with the ChatGPT Apps SDK, a robust protocol ensures engineers do not have to rebuild the connection between the brain and the data each time. The organization builds the protocol once, and the AI scales with the business.

The No-Brainer Approach

The industry has spent two years fixating on the LLM’s brain while neglecting the nervous system required to connect it to the enterprise. Model Context Protocols are the neurons that bridge this gap.

As models commoditize, competitive advantage shifts from raw intelligence to architecture. The winners will not be defined by the size of their LLM budget, but by the sophistication of the nervous system that gives their AI the agency to act. If you’re ready to build that nervous system, our custom AI solutions team designs production-grade AI architectures built around your workflows and data.

The post Why Model Context Protocols (MCP) Will Define the Next Wave of AI-Enabled Businesses appeared first on Infinum.

Security Gaps in Vibe-Coded Applications

Hrvoje Filaković — Wed, 11 Feb 2026 11:32:15 +0000

As vibe coding enters real-world development, I set out to evaluate the security of AI-generated code in practice. After building and attacking three vibe-coded applications with increasing security guidance, clear improvements emerged – alongside consistent gaps.

Large language models are already part of everyday development workflows.

Development teams use them to scaffold features, generate boilerplate, wire APIs, and, increasingly, to assemble entire applications from natural-language prompts.

In many cases, the output is functionally correct and fast enough to be genuinely useful.

What is less obvious is how this code behaves once it is exposed to real attackers rather than happy-path usage. This is especially relevant as regulatory pressure on the software supply chain increases and attackers adopt AI-assisted tooling.

We examined how security posture changes as we instruct an AI model to implement different levels of secure development best practices.

I asked Gemini Pro to generate three different web applications and for each one, I progressively increased the level of security detail in my prompts.

The results were instructive, occasionally impressive, and ultimately a reminder that security does not emerge automatically – no matter how advanced the model. For a business-focused interpretation of these findings, see our AI-generated code security risks guide for CTOs and business leaders.

The plan and methodology

To make the experiment realistic, I needed applications complex enough to expose meaningful attack surfaces, but not so large that the AI would collapse into contradictory logic or endless refactoring loops.

I intentionally avoided very simple apps (e.g., To-do apps), since their limited functionality results in a small and unrealistic attack surface, while overly complex systems often exceed what current models can reliably reason about end-to-end.

Medium-complexity web applications turned out to be the sweet spot. They are large enough to expose meaningful security issues, but not so large that the AI collapses under its own code.

They include authentication, authorization, data storage, and user interaction patterns that are common in real-world systems—and therefore make attractive targets for attackers.

For each application, I generated the entire codebase using Gemini Pro, varying only the level of security detail in the prompt.

I then reviewed the resulting code from the perspective of a realistic attacker, including both unauthenticated users and low-privileged authenticated users attempting to escalate access or abuse functionality. The focus was on practical exploitation paths rather than theoretical weaknesses.

The test subjects

Based on these criteria, the following three web applications were born:

Simple Project Tracker

A lightweight tool for small teams to manage projects and track tasks, vibe coded with no explicit security instructions.

Project Resource Hub

A centralized internal portal for storing and accessing important documents, links, and guides (similar to a mini-wiki), built with light security instructions.

Niche Vault

A site for hobbyists to catalog and showcase personal collections (e.g., vinyl records, comics, board games, etc.), created with detailed and precise security instructions (e.g., OWASP guidelines).

Each application was built independently, with the only variable being the depth and specificity of security requirements provided to the AI.

Discoveries and vulnerabilities

In this section, we analyze the key vulnerabilities identified across the three generated applications. Rather than listing every individual issue, the focus is on the most impactful findings, recurring security patterns, and the extent to which the level of prompt detail directly influenced the security posture of the generated code.

Results at a glance: What broke and why

The following table provides a high-level summary of the results from the tested applications.

Application	Security quality	Notes
Simple Project Tracker	Poor	Multiple critical vulnerabilities across input validation, authorization, and session management.
Project Resource Hub	Mixed	Major improvements, but still several exploitable issues.
Niche Vault	Better, but insufficient	Major improvements, but several exploitable issues remain.

The trend is clear: more detailed security prompts lead to better outcomes – but not to secure-by-default systems.

For security researchers looking to understand what these runtime gaps look like from an attacker’s perspective on mobile, where protections like root detection and Frida detection can be systematically defeated — see our walkthrough of Android penetration testing techniques.

Simple Project Tracker: No security, just vibes

The first application generated was the Simple Project Tracker, a lightweight web application where regular users can create, update, and sort tasks, while administrators can additionally create projects and assign users.

No explicit security requirements were provided. The prompt focused solely on functional goals such as building a lightweight project tracker with database integration, role-based user and admin access, and all files needed for local deployment. As a result, the following prompt was used:

I would like to build a simple project tracker web application. Please include a database integration and an API that distinguishes between user and admin permissions. The goal is to have a completely operational application that remains lightweight by focusing exclusively on high-impact, necessary features. Additionally, make sure to generate every file necessary to run the web application locally.

The AI was only told what the application should do, not how it should defend itself.

For this application, AI selected the following technology stack:

Frontend: HTML, Tailwind, JavaScript
Backend: Node.js
API: REST (express.js)
Database: SQLite3

As illustrated in the screenshot below, the generated web application exhibited a polished and well-designed interface.

Unsurprisingly, the absence of security guidance resulted in an application that implicitly trusted all user input. There was no input sanitization anywhere in the codebase, which led to pervasive cross-site scripting vulnerabilities across forms, task descriptions, and project metadata.

Below is an example of the generated code.

The registration flow was particularly revealing. User roles were assigned directly from client-controlled input:

{
  "username": "herc",
  "password": "password",
  "role": "user"
}

Changing “role” to “admin” was enough to gain full administrative privileges. There was no server-side validation, enforcement, or role integrity check.

Authorization was equally fragile. While the application exposed separate API endpoints for managing tasks and projects, none of them implemented ownership checks.

Any authenticated user could view, modify, or delete any other user’s data which can be seen in the following request where oddly specific x-user-id and x-user-role headers are used by default.

Session handling further reinforced the trust-in-the-client model. Authentication state was stored in unsigned cookies containing raw user objects:

{"id":2,"username":"user","role":"user"}

Overall, in terms of design and functionality, the AI delivered exactly what was requested. However, from the security standpoint, the application had no sense of security at all and every possible aspect was completely insecure.

Functionally, the application worked exactly as requested. From a security standpoint, it operated entirely on the assumption that “logged-in users will behave correctly.” Needless to say, attackers do not follow that assumption.

Project Resource Hub: Better, but not bulletproof

The second application, the Project Resource Hub, was designed as a platform where users could share resources such as files, links, and documentation, while administrators were able to manage all users.

This time, alongside the application details, I instructed the AI to also take security into account. Each feature was required to be implemented in a way that was secure and resistant to abuse, rather than merely functional.

… web application details …

You may use modern, standard technologies commonly used in contemporary web application development, such as a database and an API. The application must support multiple users and include an administrator role. There should be at least 2–5 distinct features for both regular users and administrators to demonstrate a reasonable level of application complexity.

Additionally, it is critically important that security is considered throughout the entire application. Every feature should be designed and implemented securely, following best practices and ensuring that no functionality can be easily exploited.

This time, the AI was instructed to consider security throughout the application, without explicit defense measures.

Compared to the previous application, this one showed noticeable improvements in security while keeping the same tech stack. Specifically, the AI implemented several measures, including:

JWT tokens for authorization
Rate limiting on login, file uploads, and other sensitive routes
Cross-Origin Resource Sharing (CORS) configuration
File upload validation
Content Security Policy (CSP)

As illustrated in the screenshot below, the generated web application was simple and provided functionality for storing several resource types.

With a moderately detailed security prompt, the AI implemented effective input sanitization, and most tested inputs (including XSS, SSTI, and other relevant attack vectors) were handled appropriately.

Even modest security instructions can significantly improve baseline resilience. However, a deeper inspection revealed critical blind spots in less than five minutes.

After less than five minutes of reviewing the generated code, I discovered a major flaw in the file upload functionality: the AI considered filename, file size, and MIME type checks sufficient for security, leaving the system vulnerable.

Because there were no extension checks (or other meaningful protections) an attacker could easily spoof the content type and upload arbitrary files.

[...]
-----------------------------235905183813478547083317251969
Content-Disposition: form-data; name="file"; filename="shell.exe"
Content-Type: application/pdf

{any_malicious_content_here}
[...]

Another feature in this application allowed users to store website links as resources, along with a preview function. Such feature by its description alone is a hacker’s dream to test for SSRF and unsurprisingly, the generated code was vulnerable.

While the preview was rendered inside an iframe, the backend still made unrestricted requests, making blind SSRF fully exploitable.

Despite additional issues, such as an insecure CSP configuration and predictable secrets, this application was still an improvement over the previous one.

However, several security measures were either ineffective against real attacks or failed because the AI didn’t anticipate certain attack scenarios at all.

Niche Vault: Not the Fort Knox just yet

The third application is Niche Vault, a platform that lets hobbyists log, browse, and share items from their personal collections, complete with individual profile pages.

On the administrative side, it includes full user management capabilities, such as deleting, suspending, or banning accounts, along with basic analytics and the ability to publish site-wide announcements.

For this project, I placed a strong emphasis on security from the outset.

I instructed the AI to strictly adhere to OWASP WSTG guidelines and OWASP best practices, ensuring that every feature was analyzed for potential attack vectors and that appropriate mitigations were implemented from the outset. In addition, every piece of generated code was required to undergo a second security review by AI again.

A minimal web application designed for hobbyists to log, manage, view, and share items from their personal collections, such as vinyl records, comics, or similar collectibles.

…web application features…

Security is the highest priority. Ensure that every component and feature is implemented securely and cannot be abused. Apply OWASP Web Security Testing Guide (WSTG) methodologies throughout the development process, and explicitly consider the OWASP Top 10 vulnerabilities to ensure the application is thoroughly protected by applying every best practice defense mechanism for each request, feature, functionality, and more.

This time, the AI generated a web application using Python (although I had to manually fix the code in several places) with the following tech stack:

Frontend: HTML, Jinja2 (templating engine), Bootstrap
Backend: Python, Flask
API: REST (implicitly created by Flask routes)
Database: SQLite, accessed via SQLAlchemy

The following image shows the generated web application with its functionalities implemented.

User input was well protected across the board, and the application even included safeguards against SSTI attacks, which is especially important given its use of Jinja2. Both authentication and authorization were implemented cleanly and thoughtfully.

After explicitly requiring adherence to security guidelines and best practices, with a second security review step mandated for all generated code, the AI produced a robust application that exceeded my expectations. However, even here, vulnerabilities surfaced.

The application was not without flaws. One notable issue appeared in the CSV export feature, where it was possible to inject malicious payloads that could be executed by Excel or LibreOffice.

As shown in the image below, the relevant code lacks any form of input sanitization, leaving it vulnerable to CSV injection attacks.

As a result, an attacker can embed a malicious payload. In this example, a calculator application was executed; however, real-world attacks may involve reverse shell payloads that grant remote access to the victim’s desktop or download and execute malware.

=cmd|' /C calc'!'A1'

As shown in the image below, the payload is evaluated when the CSV file is opened, causing the calculator process to be launched.

It goes without saying that the following prerequisites are required for the attack to work:

1. Dynamic Data Exchange (DDE) needs to be enabled.

2. Victim needs to enable such content to be opened after a few warnings.

Similarly, for the LibreOffice, the “Evaluate formulas” options needs to be ticked.

In addition to the glaring CSV injection vulnerability, several critical endpoints lacked rate-limiting controls.

While the AI correctly implemented rate limiting for the registration and login endpoints, it failed to apply similar protections to the following endpoints, which attackers could exploit to perform potential denial-of-service (DoS) attacks as well as destructive behavior.

/post/new
/admin/toogle_ban/{user_id}
/admin/delete_user/{user_id}

Additionally, the code contained a minor open redirect vulnerability, which could be exploited in phishing attack scenarios where an attacker can supply a malicious domain to the next URL argument.

login_user(user)
return redirect(request.args.get('next') or url_for('dashboard'))

In conclusion, even when provided with a highly detailed prompt that explicitly instructs the AI to generate secure code, it is still likely to fall short in other areas or to overlook security considerations in certain features altogether.

Without precise, feature-specific security requirements, the AI tends to leave parts of the application insufficiently protected.

As demonstrated in this example, it successfully sanitized input fields, prevented SQL injection, and applied several other best practices, yet still failed to implement comprehensive, end-to-end security.

Ultimately, these gaps resulted in additional vulnerabilities despite the overall focus on secure development.

The secret tokens predictability game

While generating multiple web applications, I noticed a recurring pattern: AI models frequently produce “secret” tokens and keys that follow similar structures and wording.

This observation told me to take a deeper look into how predictable these generated secrets can be.

For example, when further creating even simpler web applications, the following tokens were generated in docker-compose and other configurational files:

dev-key-change-in-prod-982374
change_this_to_something_long_and_random_12345
your_ultra_secure_random_string_here
must_be_changed_to_secure_key_987123

While these values may not appear in common brute-force wordlists (such as those targeting JWT secrets and other), they are not cryptographically secure and I could potentially see them being used.

The real risk is not that an attacker brute-forces a single secret, but that AI-generated applications at scale may share similar default or placeholder secrets that are not cryptographically secure. An attacker could leverage this predictability by compiling lists of common AI-generated keys and testing them across mass-produced, “vibe-coded” web applications.

Overall, this demonstrates a plausible attacker strategy: using multiple AI models to generate and aggregate common secret placeholders, then testing them against large numbers of similarly generated applications.

The verdict

Bottom line is:

Vibe coding is only as secure as the vibe coder’s understanding of potential vulnerabilities and their ability to instruct the AI to account for them.

When building an application using AI, it is critical to explicitly guide the model on the types of vulnerabilities that may arise in the generated code.

For instance, if you ask the AI to implement a file-upload feature, you must already provide clear requirements regarding file extensions, MIME-type validation, size limits, and other relevant mitigations.

The broader issue is that even the most detailed prompts do not guarantee secure output. AI can still generate insecure code or introduce subtle loopholes in unexpected places, and create critical business logic issues.

If you are using AI to accelerate development, the takeaway is not to avoid it. It is to treat it as a powerful assistant, not a security authority. Security remains a deliberate engineering discipline, not an emergent property of better prompts.

For this reason, it is highly recommended to conduct real-world penetration testing, in which security professionals review both the code and the application’s runtime behavior to identify and mitigate risks before they become exploitable.

Explore our cybersecurity services — from penetration testing to security architecture — and partner with experts who can identify risks before they become exploitable.

The post Security Gaps in Vibe-Coded Applications appeared first on Infinum.

From RAG to Riches: Strengthening Your Cloud AI Foundation with Databricks

Nikola Miladinović — Tue, 13 Jan 2026 16:32:40 +0000

Your RAG system works great until it doesn’t. As AI workloads scale, cloud-native tools begin to show cracks in governance, versioning, and observability. We explore how Databricks fills these gaps without replacing your existing AWS or Azure infrastructure.

Most teams already run reliable AI workloads on AWS or Azure. These platforms come with mature services that power modern production systems. Azure OpenAI, Cognitive Search, Blob Storage, AWS Bedrock, OpenSearch, and S3 all support high-quality RAG architectures and handle identity, networking, scaling, and operational reliability with ease.

But as AI systems grow, technical demands increase, data volumes expand, new document sources emerge, multiple teams work with the same information, and models evolve more frequently. That’s when cracks start to show. Cloud-native tools, built primarily for storage, compute, and serving, struggle to keep up. They lack unified governance, lineage tracking, and transformation pipelines needed to maintain consistency across growing AI workloads.

The challenge then shifts from building a functional RAG system to orchestrating a governed data foundation, exactly what custom AI solutions are designed to address.

At Infinum, we use Databricks as part of our data engineering practice to future-proof our clients’ AI architecture. We’ll walk you through its core capabilities, brick by brick, to show you how they work together to help you scale your cloud AI with confidence.

Unity Catalog: one layer to rule them all (your data, models, and vectors)

Unity Catalog is the central governance and metadata layer of the Databricks platform. It brings data, models, vector indexes, and functions under a single, consistent structure, so everything is defined, tracked, and secured in one place. This means simplified permission management and the elimination of fragmentation caused by different services each maintaining their own access rules.

Unity Catalog also automatically captures lineage, making it easy to trace how data flows through each stage of your AI pipeline, from ingestion to preprocessing, embedding, retrieval, and inference.

The result is a unified and predictable governance model that reduces complexity and supports reliable AI development across teams and cloud environments.

From unversioned storage to reproducible data with Delta Lake

With governance handled by Unity Catalog, the next layer to stabilize is storage itself. RAG systems thrive on structure and stability. But in practice, documents change frequently, models are retrained, and embeddings are regenerated. Without versioning and transactional integrity, it’s hard to explain model behavior or validate changes.

Delta Lake solves this challenge by layering ACID guarantees, schema enforcement, and time travel on top of cloud storage. Each Delta table becomes a versioned source of truth for both structured data from databases and unstructured data like PDFs and HTML. Ingestion becomes predictable instead of brittle. Teams can replay experiments without guessing which files existed at a given point in time. Even unstructured content can be governed just like structured tables, using managed volumes.

For teams prioritizing reproducibility and transparency, Delta Lake adds the versioning and transactional guarantees that object storage alone cannot provide.

Why retrieval belongs next to your data

With stable, versioned data in place, the next challenge is fast, reliable retrieval. Some engineering teams choose to complement their existing retrieval stack with Databricks Vector Search, especially when co-locating retrieval with the underlying data provides a performance or governance advantage. Integrating retrieval into the lakehouse platform offers several benefits:

Synchronized indexes: Vector indexes stay in sync with the Delta tables that feed them.
Automatic embedding updates: Embeddings can be configured to refresh automatically when source documents change.
Lower latency: Retrieval queries run in the same compute environment as the data, reducing round-trip times and response times.
Consistent governance: Indexes inherit permissions, lineage, and catalog rules, keeping access control and tracking consistent.
Easier evaluation workflows: Co-located retrieval is ideal for comparing embedding models or running offline simulations to detect drift.

Unity Catalog handles governance, Delta Lake tracks every version from raw files to embeddings, and Databricks Vector Search continuously syncs with your data as it changes.

For teams focused on performance, governance, and evaluation, this level of integration adds speed and structure to otherwise complex retrieval pipelines.

Keep your models where your data is

Getting data and retrieval right is only part of the equation. Now’s the time to plug in the models.

Databricks Model Serving can help you deploy open-source foundation models, fine-tune custom variants, or run embedding models directly alongside their data, without bolting on separate infrastructure. Whether you’re working with large language models for generative AI or specialized embedding models for your RAG application, everything remains connected through Unity Catalog.

You can track the entire lifecycle of a model from initial training to production deployment. This enables a multi-model strategy, allowing you to select the best tools for each use case without introducing operational complexity.

No more duct-taping your AI pipelines together

Modern retrieval-augmented generation workflows require more than just storage and compute. They need orchestration, monitoring, and continuous improvement loops. Databricks provides integrated tooling for the entire RAG architecture:

AI Playground: Quickly prototype and test different foundation models and prompts in an interactive environment. Experiment with how generative AI models respond using context from your data.
Mosaic AI Agent Framework: Build intelligent agents that go beyond simple Q&A. These agents can perform complex, multi-step tasks by querying structured data, retrieving documents from vector stores, and synthesizing answers. For a deeper look at how agents connect to external systems, see our overview of Model Context Protocol and AI-enabled businesses.
Databricks Workflows: Long-lived pipelines that ingest documents, clean them, segment them, embed them, index them, and validate them, all within the lakehouse. Keeping data-intensive steps in one place eliminates cross-service coordination overhead.

You can’t improve your system if you can’t observe it

As RAG systems mature, observability becomes just as critical as modeling itself. Retrieval performance shifts gradually. Embeddings drift as data evolves. Large language model answers change with new versions.

Lakehouse Monitoring lets you track everything from data quality to model behavior, all in one place. Instead of piecing together logs across disconnected services, you get a single, consolidated view of AI behavior in production, which pairs well with AI data visualization approaches for surfacing those insights to stakeholders.

A user query is enriched with relevant context from Vector Search, answered by a large language model, and continuously evaluated through Lakehouse Monitoring to ensure data quality, retrieval relevance, and response reliability.

A question every AI team should ask

If your AI workload doubled in size tomorrow, would your current data and governance structures scale with the same confidence as your application layer?

If the answer isn’t a clear yes, it might be time to lay a stronger foundation with Databricks.

Introducing Databricks into an existing environment is not a platform replacement. It is an architectural enhancement that consolidates governance, data reliability, model lifecycle management, and observability.

The underlying cloud continues to operate application and networking layers, while Databricks provides the durable, governed data foundation needed for long-term AI operations. With Databricks capturing ~17% of the data warehouse market as of November 2025, its role in enterprise AI infrastructure continues to grow.

If you’re ready to accelerate your RAG architecture or take the next leap in your AI platform, our team can help you build a modern, scalable foundation designed for long-term success.

See how we built a real-time data intelligence platform for Midtown Athletic Club as an example of data engineering in practice.

The post From RAG to Riches: Strengthening Your Cloud AI Foundation with Databricks appeared first on Infinum.

AI Automation: What It Is and How AI-Powered Workflow Helps Your Business

Tanja Bezjak — Mon, 22 Dec 2025 12:16:50 +0000

Businesses are enthusiastically adopting artificial intelligence, with McKinsey reporting that 78% of companies now use at least one AI tool. Not surprisingly, the adoption rate is even higher in tech companies.

With this information in mind, it is only natural that AI automation is a much sought-after innovation.

Of course, you might want to understand it better before you decide you need it for your operations. We are here to help you with that.

What is AI automation?

AI automation is the process of using advanced technologies to make standard automated operations smarter and context-aware. It reduces the manual effort your team needs to put in by using AI and intelligent automation for tasks such as data analysis, report generation, and workflow optimization.

AI automation uses a mix of software, data, and decision logic to quickly and automatically execute tasks that normally require time and human judgment.

The specific technologies involved depend entirely on the business case: sometimes it’s simple rules, sometimes it’s document processing, and in certain cases it can include machine-learning or NLP models. The goal is always to make a workflow faster, more consistent, and less manually intensive.

Instead of predicting the “right” action on its own, AI supports the decisions that have already been defined. It can classify information, extract meaning from text or images, or surface relevant insights so that the system can follow the workflow the business has set.

When conditions change, the model can adjust its behavior within those boundaries, which makes it more flexible than fixed, step-by-step scripting.
As the system is used, its components can be refined through controlled cycles of periodic updates or retraining based on new data.

In short, AI automation expands what traditional automation can do by helping systems understand inputs and choose the right path in a defined workflow, all within clear business rules and oversight.

Since the process is still responsive, AI automation can be very useful in areas where you want constant monitoring. In cybersecurity, it can spot suspicious behavior and trigger alerts instantly. In fraud detection, it can analyze transactions in real time to prevent losses.

Similarly, it can also be very useful for initial screening tasks, where the technology can decide who to send the problem to. For example, AI can be used to scan medical test reports and X-rays to make initial diagnoses, significantly reducing manual effort. They then forward it to the specialists who verify it and recommend treatment.

This makes the process of getting healthcare quicker for patients and frees up healthcare providers to focus on the people who need them most.

Curious as to how technology professionals use AI? Here are the five ways we use AI solutions at Infinum.

How is AI automation different from traditional automation?

Traditional Automation, without AI, is a mechanical process that follows fixed and predefined rules. For example, a conveyor belt is automated: You flip a switch, and it starts moving. It might be programmed to stop if there is no weight on it, but it cannot react to a situation for which it was not explicitly programmed.

In contrast, AI-driven process automation can adapt its behavior based on input: it can interpret unstructured text, classify information, or extract relevant details, allowing the workflow to respond appropriately without manual intervention. The automation still follows defined steps, but the AI components enable the system to process a wider range of human input, formats, and real-world variability.

A simple example is a smart chatbot. The user enters a query using natural language, and the tool interprets the intent to create an appropriate response accordingly, leveraging large language models.

At a slightly more advanced level, AI agents take this a step further. Agentic AI can autonomously or semi-autonomously automate entire processes rather than individual tasks. They can plan, reason, and even collaborate with other systems or humans to achieve their goals.

Intelligent automation: Taking AI automation further

Intelligent automation (IA) is the next level of AI automation. Here, instead of tasks or processes, entire ecosystems are automated. They can run, adapt, and improve over time, all on their own.

There are three key technologies that power these digital workers:

Robotic process automation (RPA)

This component is made up of software, not hardware, “robots” that automate repetitive, rule-based digital tasks. For example, they may be used to copy data between systems, generate reports, or update customer records without requiring any creativity or strategy. In these cases, RPA mimics human actions to complete these jobs, while saving you time and reducing manual errors.

Business process management (BPM)

BPM tools help visualize processes so you can identify bottlenecks and orchestrate work between humans, bots, and systems. This visualization helps you define how tasks and data flow across your organization, reducing complex workflows that slow productivity.

Artificial intelligence

This is the layer that adds reasoning, learning, and adaptability. AI analyzes data to identify patterns and make proactive decisions based on context. AI includes technologies such as ML, NLP, and computer vision.

With these components working together, you can move beyond automating isolated tasks. Intelligent automation can handle end-to-end workflows. It can detect issues, trigger corrective actions, and even enhance business outcomes. Getting there requires AI that’s properly integrated into your systems, not bolted on. Our custom AI solutions are built for exactly this kind of production-grade, workflow-embedded deployment.

Essentially, while AI automation makes individual processes smarter, intelligent automation transforms how entire business operations function. For AI agents to operate reliably in these workflows, they need live access to the data they’re acting on — the infrastructure that makes this possible is explained in our overview of Model Context Protocols.

How AI automation works

To create AI automation, you need to integrate processes with artificial intelligence. The processes create the framework around which algorithms are built.

These algorithms use the same decision-making logic that a person would, and are trained on business data. This informs them of the type of information and the patterns to expect.

The logic built into them allows them to use new data to spot these patterns and make predictions. Meanwhile, ML allows them to learn from it, so the systems continuously refine and improve their results.

Here is a quick overview of the parts that come together to make this technology work:

Foundational models and cloud services

This infrastructure enables AI automation to function and scale effectively, with foundational models serving as the “thinking” component and cloud services as the delivery mechanism.

Data collection and processing

Data is the fuel that powers your system. Both structured and unstructured data need to be collected and made ready to be used in AI training.

AI model training

The AI-ready data is used to “teach” the model how to complete its assigned tasks, using the following techniques:

Machine learning algorithms: While not all automation solutions will include ML elements, some will use it to further optimize their operations and enable additional features, as needed. In these cases, automation solutions will be empowered with ML algorithms, including:

Supervised learning: The model is given explicitly labeled data, so it learns how to categorize it.
Unsupervised learning: The training data is unlabeled, and the model must find patterns and meaning on its own.
Reinforcement learning: The model learns from the feedback it receives while interacting with its environment.

Deep learning: A subset of ML that uses neural networks with many layers to automatically discover features and patterns in large volumes of data.
Natural language processing: The ability of a model to understand and interpret the way people talk and respond in a similar manner.

Execution

The model is deployed into the workflow, where it uses the decision engine to make predictions, and applies these to determine how to action the next step.

Continuous learning

Also known as lifelong or incremental learning, this allows the model to perpetually refine algorithms and improve results based on the new data it receives.

Not sure about how to draft your AI strategy? Let us give you a hand.

Benefits of AI-powered automation in your business

We already know that AI automation can free up your human workers by taking over routine tasks. Let us take a look at how this can benefit your business:

Fewer errors, more accuracy

Unlike people, AI does not get bored or distracted. Once a system has been trained, it will carry out tasks consistently, without losing focus or requiring much human intervention. As a result, you will see fewer or even zero mistakes. Automation with AI can empower your workers to deliver better, faster results, especially when tasks are repetitive.

Faster operations

AI automation can complete even the most complex tasks in a matter of seconds. It helps your team deliver more work, but without a corresponding increase in mistakes. This improves efficiency across the board and eliminates redundant work, boosting your employees’ morale.

Real-time responsiveness

AI can identify the new inputs and process them in the blink of an eye. This allows your business to adapt to changes and issues in real time. As a result, your operations stay agile, and any potential problems are caught by automated systems before they escalate.

Scalable growth

As your business grows, you need more hands on deck to complete the workload manually. Automating processes with AI, however, means you can handle more complex data, interactions, and transactions without hiring more staff. You might need to buy or rent more resources, but that will only be required if the growth is exponential.

Data-led decision-making

Artificial intelligence can analyze large data sets to find trends and enable predictive analytics. It helps you extract actionable insights from your business information. Most importantly, it does so quickly, often in real time. As a result, you can make informed decisions based on hard facts and numbers.

More time for human creativity

Not everything can be replaced with technology, but you can automate tedious work so that your human resources are free to focus on strategic or creative endeavors. It helps your people innovate and solve complex problems without worrying about “busy work.” That helps your business productivity and boosts employee morale and engagement.

AI automation use cases

Reading about benefits in an abstract sense does not paint a very clear picture. Here’s how businesses across industries are applying AI automation to solve their challenges:

Finance and accounting

The finance industry is heavily regulated, so accuracy and compliance are a priority. You also need to make quick, data-driven decisions. AI automation is the ideal solution here, reducing manual work and human error in data-heavy tasks.

One of its most important uses in financial services is to flag anomalies and detect potential fraud in real time. However, it can also reconcile transactions and automate expense reporting and invoice processing to save teams hours of administrative work.

The result is cleaner data, faster reporting, and improved financial visibility.

Healthcare and life sciences

Automated AI systems scan X-rays, lab results, and medical records to provide initial diagnoses. Urgent cases are prioritized and flagged for specialists to look at, while routine cases can be automatically given treatment plans. This reduces waiting times for patients and allows healthcare professionals to focus on direct care.

AI tools also streamline the administrative side, by automating appointment scheduling, patient record updates, and discharge documentation to save time and reduce paperwork.

Manufacturing and logistics

In manufacturing and logistics, automation technologies predict problems before they occur, to keep operations running smoothly. They monitor equipment performance to detect maintenance needs and automatically adjust production schedules. 

These technologies can reroute shipments to optimize delivery times based on real-time conditions. The result: fewer delays, lower costs, and stronger supply chain resilience.

Marketing and sales

AI marketing automation personalizes engagement at scale. It segments audiences based on behavior and demographics to create tailored messages that deliver more engagement and results, improving customer experience. 

AI-powered automation analyzes customer data to predict purchasing intent and suggest the best next action for each lead to improve conversion rates and help teams focus on high-value prospects.

Human resources

Automated tools can screen resumes to match candidates to roles. They can even handle initial communication. Once employees are onboarded, AI-driven HR systems can manage routine queries and update records automatically. 

This leaves HR professionals free to focus on talent development and culture-building.

Customer service and support

AI automation tools streamline customer interactions. Chatbots and virtual assistants powered by generative AI development provide round-the-clock support. They handle common questions and route complex issues to the right human agent. 

Meanwhile, customer service teams can spend their time on the conversations that need a human touch.

We helped the surgeons at Mount Sinai Hospital to identify prosthetic implants with an AI-powered app. Read more about it in our case study.

Challenges of implementing AI automation

Implementing AI workflow automation solutions can be a great way to optimize your operations. However, the process requires careful planning, or it will not increase efficiency. 

Here are some caveats to consider:

Data quality and accessibility

AI and automation systems are only as good as the data that powers them. If your data is outdated, inconsistent, or siloed across departments, your models will not deliver accurate results. This is the problem Databricks is specifically designed to address, and we cover how in our article on scaling AI with Databricks. Clean, structured, and accessible data is often a bigger hurdle than the technology itself.

Integration with existing systems

It is highly likely that your business runs on a combination of legacy platforms and custom software. Seamlessly integrate your business-critical software into your existing ecosystem with the help of a bespoke software development company.
 
Without proper integration, you will find it hard to ensure that AI delivers insights and actions across your entire ecosystem. If you aren’t careful, automation efforts could potentially create new silos instead of eliminating them.

Skills and expertise gaps

You need more than coding knowledge to implement AI automation. You also need expertise in data engineering, process mapping, and user experience design, along with a clear understanding of your business goals. 

Most teams don’t have all these capabilities in-house, which can make it hard to move from pilot projects to production-ready systems.

Ethics, compliance, and governance

AI systems must handle data responsibly. Bias, privacy concerns, and regulatory requirements can create significant risks if not addressed early. 

Establishing strong governance practices, from data management to model transparency, is essential to ensure automation remains ethical and compliant.

Automate your business with the right partner

Several of the above challenges can be mitigated by working with the right technology partner, such as Infinum. 

We have the experience that allows us to develop solutions tailored to your needs, so they can integrate easily with your existing technology and workflows.  

Most importantly, our methods, reporting, and internal processes meet strict, internationally recognised security standards. With Infinum, the security of your AI automation solution will be in safe hands. 

We have a large team that can help you navigate strategy development, data engineering, model building, deployment and integration, as well as ongoing monitoring and maintenance. 

Interested in learning more about how we can help you with your AI automation journey? Talk to us!

The post AI Automation: What It Is and How AI-Powered Workflow Helps Your Business appeared first on Infinum.

Your Brand Needs a ChatGPT App Strategy, Now

Branimir Akmadža — Tue, 11 Nov 2025 17:27:03 +0000

OpenAI’s new Apps SDK unlocks a powerful new frontier where apps live inside ChatGPT – interactive, real-time, and seamlessly part of natural conversation. This shift is going to redefine how customers discover, interact with, and purchase digital products. And it’s a big deal.

There are moments in tech when everything changes: the rise of the web, the move to the cloud, the boom of app stores. We believe we’re witnessing the next one: apps inside ChatGPT.

What are the apps inside ChatGPT, and how do they work?

OpenAI’s new Apps SDK allows developers to build native apps that live inside the ChatGPT interface, enabling users to transact, explore, and interact through natural language.

Instead of asking users to visit your site, download your app, or fill out a form, you’ll be able to meet them where they already are: inside ChatGPT, right in the flow of conversation.

WELCOME TO THE ERA OF CHATGPT APPS.

Whether users are booking a trip, checking their finances, or buying a product, the entire customer journey happens in one interface: fast, intuitive, and frictionless.

For users, it means fewer redirects and smoother interactions. For brands, it opens up a new channel, a new revenue stream, and a more direct way to turn interest into action.

At Infinum, we’ve been building mobile and web apps for 20 years. We know how to work with app stores, backend platforms, complex UX, and intelligent, agentic automation.

ChatGPT Apps feel like a natural next step, and we are ready to help you claim a place in the new AI-native web.

Why GPT Apps are a turning point for digital experiences

ChatGPT is no longer just a place to ask questions.

With over 800 million weekly ChatGPT users, it’s quickly becoming a connective layer of the internet, bringing together natural information, easily accessible information, and now services into one unified flow.

Success now means being genuinely useful at the exact moment of need, not the loudest voice in the room.

People don’t search for answers anymore – they expect to ask and get them instantly. With 74% of consumers embracing chat and voice assistants, brands have a once-in-a-generation opportunity to capture first-mover advantage, define the new standard of customer experience, and be truly innovative in their vertical.

KASPER KUIJPERS, FOUNDER & CTO OF YOUR MAJESTY, PART OF INFINUM

And while it was only a matter of time before ChatGPT moved beyond search and became a platform for doing, this isn’t happening in isolation.

Microsoft Copilot, Google Gemini, and Meta’s AI efforts are all moving toward embedding services into conversational AI. But OpenAI’s ChatGPT is leading the way with native app capabilities.

What GPT Apps can do for your business

Get discovered at the right moment

ChatGPT actively recommends apps based on users’ requests. Your brand can appear in conversations that match your offer, opening an organic path to discovery.

Reduce friction to boost conversions

No downloads, no redirects, just a question and an answer. Embedding your product or service directly in the conversation shortens the conversion funnel.

Build a high-intent revenue stream

Unlike traditional ads that try to create interest, GPT Apps connect you with people who already have it. You’re meeting users right when they’re expressing a need, turning intent into action.

Shape the market as an early mover

Like in the early days of the App Store, early adopters will shape expectations, gain visibility, and build loyalty, all while unlocking opportunities for new kinds of applications and businesses to emerge.

Learn from real interactions

Every conversation tells you something: what users want, where they drop off, and how you can improve their experience.

What you can build inside ChatGPT Apps

ChatGPT Apps combine the best of conversation and interactivity, creating experiences that feel both natural and capable. Here’s what you can build:

Conversational commerce experiences

Let users discover, compare, and purchase products directly in chat. Offer personalized recommendations, real-time inventory checks, and seamless checkout flows.

For bonus points, let users delegate actions like “If this laptop’s price drops below X, buy it.” The agent can track prices and automatically execute approved actions.

Personalized recommendations, booking, and scheduling

Combine AI with your business logic to provide custom suggestions: products, learning paths, travel plans, or wellness routines tailored to each user’s needs.

Building off of recommendations, allow users to book appointments, trips, rentals, or restaurant tables through simple conversation. With calendar integrations and smart prompts, booking becomes effortless.

Data analysis & visualization

Let users analyze personal or business data: spending, health, traffic, engagement, and more, and get instant visualizations, comparisons, and insights.

Configuration & support

Turn FAQs, troubleshooting, and account management into guided conversational flows. Users can set up services, customize products, solve issues, update details, or access information without switching channels or contacting support.

Real-time transactions

Let users complete actions like money transfers, document signing, or file uploads directly in ChatGPT conversations.

Microlearning & training

Deliver short, interactive lessons for education, compliance, or professional development, perfect for learning in context or on the go.

Which industries can benefit from Apps inside ChatGPT?

While retail and ecommerce are the obvious front-runners, because of the direct path from browsing to purchase, any business offering a product or service can benefit from GPT-native experiences.

Travel services can handle accommodation, car rentals, ticketing, and dining booking, confirmations, and itinerary changes through natural queries. In finance and insurance, users can analyze spending, receive optimization advice, or complete policy onboarding, all without forms or separate logins.

In healthcare, apps can track metrics from wearables and suggest personalized health actions or recommend lifestyle adjustments. For education, GPT-native apps can analyse lessons and learning materials, generate study plans, and adapt based on progress. Even real estate, legal, and public services can use this channel to offer instant document reviews, local insights, or access to experts. And with the Internet of Things, GPT-native experiences can bridge voice, sensors, and automation, letting users control, monitor, and optimize connected devices just by asking.

The unifying theme? If your customers can ask for it, we can build an experience for it.

How to prepare for ChatGPT App integration

ChatGPT App development takes both strategic readiness and technical execution. We recommend focusing on speed, ROI, and user experience.

STRATEGIC READINESS

Identify conversational moments

Ask: where would chat feel more natural than forms or menus? Review support tickets, drop-off points, and key product flows. Look for places where a simple prompt can replace a multi-step process.

Need help mapping this? We can guide discovery and user research.

Audit your data

Map out your data sources, formats, and ownership. Check for accuracy, duplication, and sensitive fields that shouldn’t be exposed. Classifying your data early prevents compliance risks and ensures AI works with clean, reliable inputs later on.

Design for conversation

GPT Apps aren’t websites in a chat box, they’re apps that feel like dialogue. That means designing flows that are short, contextual, and responsive. Focus on natural prompts, clear responses, and interaction patterns that match how people actually talk while staying true to your brand voice.

TECHNICAL EXECUTION

Connect your systems

Your backend probably doesn’t need an overhaul – just a smart integration layer that exposes it through the Model Context Protocol. By implementing an MCP server around your API, you’ve already done most of the work to join the GPT Apps ecosystem. Then, add secure session handling and real-time sync to enable dynamic content.

Build and test with the Apps SDK

Set up the Apps SDK, implement OpenAI’s Model Context Protocol, and build a responsive front end. Validate with real user flows, track where users succeed or stall, and iterate quickly to ensure product-market fit.

Prepare for marketplace launch

A compelling app isn’t just functional, it’s discoverable. Once your app is ready, we can help refine branding, connect analytics, and ensure conversion optimization post-launch.

Want to move fast? Try our Agentic Sprint and turn the right business use case into a live AI agent prototype in just 10 days.

Technical foundation for GPT Apps

To build a production-ready GPT App, your stack should include:

Well-documented APIs for core business functions (e.g., pricing, account access, bookings)
Secure authentication flows to manage sessions within the GPT context
Lightweight frontend assets (HTML/CSS/JS) that can be rendered inline or full-screen inside ChatGPT
Structured data sources like product catalogs or user history for personalized responses
Integration via Model Context Protocol (MCP) so ChatGPT understands and responds in sync with your app’s state
Optional: analytics hooks to monitor usage, performance, and conversion in real time

We help you scope, prioritize, and build what’s needed, starting with use cases that deliver clear user and business value.

Why act now?

GPT Apps are in early rollout, which means the market is open, but it won’t be for long. Just like early app store adopters or companies that invested early in mobile, the ones who explore ChatGPT apps first will enjoy:

Greater visibility as one of the few apps in a category

More room to define interaction patterns and user expectations

Better data, sooner, giving you a head start on optimization

By the time this ecosystem matures, brands that moved early will have more traction, more insights, and a stronger position.

Should you build in-house or outsource?

If you already have strong in-house teams across AI, UX, and platform engineering, you can probably build internally.

But if speed, quality, and confidence matter, partnering with a team like Infinum can get you further, faster.

For over two decades, we have been building award-winning digital products that succeed in competitive ecosystems, including the Apple App Store, Google Play, and enterprise marketplaces.

We know what it takes to build for evolving platforms.

Our experience with marketplaces, app standards, and the OpenAI Apps SDK means we can turn early ideas into launch-ready products with clarity and precision.

What we offer:

Discovery workshops to align goals and identify opportunities
Rapid prototyping and MVP delivery to test the market quickly
Full-stack engineering for production-ready GPT Apps
Post-launch support, analytics, and iteration

Your move: build where 800M users already are

ChatGPT-native apps represent a shift in how users find and use digital products. Infinum is here to help you be part of that change, from strategy to shipping.

Let’s turn your service into a ChatGPT-native app and get you in front of 800 million users, faster.

The post Your Brand Needs a ChatGPT App Strategy, Now appeared first on Infinum.

What Consumers Really Think About Their Smart Devices

Blanka Bogdanović — Tue, 23 Sep 2025 11:57:07 +0000

As smart homes promise to revolutionize our daily lives, we investigated what devices consumers are actually bringing into their homes – and how satisfied they really are with them.

The Internet of Things (IoT) is no longer just an innovative concept fitting for a vision of a future society – it has quietly and gradually evolved into an integrated technology that shapes our daily lives. Smart connected devices (SCDs) already allow us to control our homes remotely, track our health metrics, and connect our everyday objects to the digital world.

With the global IoT market forecasted to reach $5,3 trillion by 2032, understanding consumer behavior and adoption patterns has never been more crucial for businesses looking to capitalize on this growth.

At Infinum, we conducted extensive research examining consumer attitudes, lifestyles, and behaviors as factors that impact the widespread adoption of smart connected devices. Our findings provide unique insights into IoT adoption patterns that can inform your product development and marketing strategies.

Understanding smart devices adoption through research

Our study examined 948 participants primarily from European countries, with the UK, Portugal, Poland, and Italy representing the most significant markets in the sample. The majority of participants were under 35 years old with bachelor’s, master’s, or doctoral degrees, living predominantly in urban areas.

We investigated ownership and satisfaction rates across 16 different smart connected devices, ranging from connected printers and activity trackers to smart home systems and health monitors. These insights offer valuable direction for businesses developing IoT products in 2025 and beyond.

Ownership of smart connected devices– the numbers

Our research revealed compelling statistics about smart connected device adoption:

87.3% of respondents have used smart connected devices
75.9% owned at least one smart connected device

Most frequently owned devices

Our research revealed clear leaders in the smart device marketplace, with practical and personal devices dominating consumer purchases.

This ownership pattern reveals interesting insights about consumer priorities. Personal devices that enhance productivity, health monitoring, and convenience take precedence over more complex household systems. This preference is particularly pronounced among younger respondents with low to modest incomes, who tend to invest in personal devices rather than whole-home systems.

Next in the series: How Consumer Lifestyle Influences IoT Adoption

Want to know why people adopt some smart devices and ignore others? Our next article explores how consumer lifestyle and values shape adoption patterns – and what that means for your product strategy.

Satisfaction rates: what makes users happy?

When it comes to SCDs, ownership doesn’t always equal satisfaction, and how customers feel about using a device is critical feedback for product development and marketing strategies. Our research found that satisfaction rates varied considerably across different smart connected devices.

Overall, 80% of respondents were somewhat or completely satisfied using connected lights, activity trackers, and smartwatches, indicating these categories have most successfully met consumer expectations.

The demographic factor: younger users make budget-conscious choices

The differences in fulfillment of expectations and satisfaction appear to be related to demographic profiles. Younger respondents with low to modest incomes preferred owning personal smart connected devices like connected printers, activity trackers, and smartwatches over household systems.

Communicating the capabilities of smart hubs clearly can help set accurate consumer expectations, leading to higher fulfillment and satisfaction.

It’s reasonable to assume these users owned less expensive versions of the most frequently owned devices. In this context, they might be more satisfied and their expectations more fulfilled if smart devices are fun to use and if the less expensive products resemble the look, feel, and functions of their more expensive, idealized versions.

Microtrend: why activity trackers outperform smart hubs

An interesting pattern emerged in our data: activity trackers consistently achieved higher satisfaction rates than home assistants and smart hubs. This reveals important lessons for IoT product development:

Budget considerations matter.

Our participants’ low to modest income levels explain their budget-friendly purchase decisions. Less costly activity trackers can successfully monitor fitness metrics, but more affordable home assistants don’t match the capabilities of premium versions. Failing to create an idealized “smart home” certainly affects user satisfaction.

Onboarding complexity impacts satisfaction.

The setup process for smart hubs is more challenging and requires connection to other devices to start creating a smart home. Connecting numerous smart devices and customizing settings takes time, disrupting the user experience and lowering customer satisfaction.

Although home assistants offer a broader range of capabilities, people who have owned both activity trackers and smart hubs were significantly more satisfied with activity trackers. This suggests that simpler, more focused devices that perform their core functions well may lead to higher satisfaction than more complex systems with steeper learning curves.

Key insights for product development

The connection between product satisfaction and expectation fulfillment can guide your product development decisions:

Build around usefulness

Identify areas where user expectations are unmet and invest in features aligned with their needs. A free way to get valuable insight is to monitor user satisfaction through product reviews, focusing on expectation fulfillment, and upgrading your product to match user expectations.

Set accurate expectations.

Since customer satisfaction hinges on how fulfilled their expectations are, it is crucial to market smart devices in a way that accurately communicates their capabilities and limitations. This will help manage user expectations and result in higher user satisfaction.

Consider entertainment value.

Where applicable, consider adding gamification, customization, or entertainment options. An entertaining user experience resonates with a younger audience and might be an appealing benefit for them.

Communicate hub capabilities clearly.

Clear communication about the capabilities of smart hubs can help set accurate consumer expectations, leading to higher fulfillment and satisfaction.

Also in this series

• How Consumer Lifestyle Influences IoT Adoption
• Smart Devices User Personas: Four Types of IoT Consumers
• Smart Connected Devices Product and Marketing Guidelines

As the IoT market continues to expand, understanding what drives ownership and satisfaction of smart connected devices will be crucial for businesses looking to succeed in this space. Our research shows that personal devices with clear, focused functionality and easy setup tend to achieve higher satisfaction rates, particularly among younger, budget-conscious consumers.

By aligning your product development and marketing strategies with these insights, you can better meet consumer expectations and increase adoption of your smart connected devices. The key lies in creating useful, pleasant experiences that are easy to use and reliable – the factors our research identified as the strongest predictors of smart device adoption.

This article draws from Infinum’s comprehensive research examining factors that influence smart device adoption. Download the full report for more detailed insights on IoT adoption trends and effective product development strategies.

The post What Consumers Really Think About Their Smart Devices appeared first on Infinum.

Smart Connected Devices – Product and Marketing Guidelines

Blanka Bogdanović — Tue, 23 Sep 2025 11:55:16 +0000

Smart device adoption hinges on more than just innovative technology. Our research-backed guidelines reveal how to develop and market IoT products that address the unique needs, concerns, and desires of different consumer segments.

As connected products continue to permeate our homes and lifestyles, designing and marketing smart devices is not only about getting the tech right. It’s about understanding people – how they live, what they value, and what drives their choices.

This article is bassed on our research into smart device user behavior, which surveyed 948 consumers across Europe. The study examined how lifestyle, values, and demographic factors influence IoT adoption, offering insight into both barriers and motivations.

In previous articles in this series, we looked at which devices consumers own and love, how lifestyle and values affect adoption, and how personas can guide your product strategy. Now, we turn insight into action – offering product development and marketing guidelines to help you create smarter devices for smarter users.

Product recommendations for smart connected devices

Prioritize usability

The single biggest predictor of adoption is usefulness. Consumers need to see clear, practical value from the devices they bring into their homes. Focus on developing practical design solutions that enhance the device’s functionality. Of course, always test your solutions with real users and apply the relevant findings.

Further, our research showed that customers value aesthetically pleasing and attractive products, so ensure your products demonstrate visual appeal. This is especially important to Curious Curtis and Ambassador Amanda (check out the article about smart device user personas here), who are most likely to live a trend-seeking lifestyle and purchase smart connected devices.

Simplify the user experience

Users compare your app’s UX to all the other digital solutions on the market, so applying tested, modern UX practices is crucial. Make your user experience intuitive and user-friendly. Focus on efficiency and provide an appealing look and feel. You’ll get a sleek interface your consumers will find irresistible, no matter how tech-savvy they are. Streamlining the onboarding process will ensure all users can set up and control the device easily.

Also, provide diverse customization options – allow users to personalize device settings, interfaces, and functionalities to align with their unique preferences and needs.

For reluctant users: Implement automation features gradually to allow customization and build user trust. Reluctant users are least likely to be tech-savvy, so it’s important not to overwhelm them with options. Tone down the complexity and ensure the basic functionalities are easily accessible.

For smart-device enthusiasts: Make sure your smart devices seamlessly integrate with other devices and platforms in the user’s ecosystem. This ability to interconnect enhances the devices’ overall functionality and utility.

Utilize ethically-produced hardware

As environmental concerns become more prominent, offering sustainable options can set a brand apart in the competitive market, appealing to the growing demand for eco-friendly products. Embrace social responsibility holistically but authentically, and smartly engage in important conversations by creating product lines that financially support causes customers care about.

For green smart devices users: Embrace eco-friendly material sourcing to appeal to users who value environmental sustainability and global welfare.

Social influence in software

Integrating a social component into the software can help build a community, encouraging interaction and enhancing app usage. Emphasized connectivity and shared experiences among users contribute to the overall appeal of smart devices.

For smart-device enthusiasts: Community-building components often integrate social media, collaborative platforms, or communication tools, which allows IoT enthusiasts to become part of niche groups. Features that enable them to share insights or exchange information can be a stepping stone in turning curious users into ambassadors.

Additional value enhances perception of usefulness

Building additional value into your digital product, such as inspiration or creative functionalities, educational content, or community-building components, enriches the connected experience and increases the perceived usefulness of a device.

For smart-device enthusiasts: Thanks to in-depth data analytics and machine learning algorithms, devices can learn from user behavior over time. Providing practical, personalized recommendations based on anticipated user needs and automating new actions makes for a superb user experience.

Tailoring your marketing approach

Different segments of the IoT consumer market require distinctly different marketing approaches. Based on our research into consumer personas, we’ve developed specific strategies for both reluctant users and power users.

Marketing smart devices to reluctant users

To engage reluctant consumers, create a communication strategy that addresses their reservations and makes the devices more approachable. Focus on the benefits, build trust, and provide a user experience aligned with their comfort levels.

1. Value proposition clarification

These users generally don’t find smart devices as useful, so it’s important to focus on the practical benefits of using them in everyday life. For example, emphasize how these devices can save time, enhance convenience, or reduce costs.

Marketing tip: Demonstrate the usefulness of smart connected devices in the real world through relatable use cases or attractive live events such as pop-up stores. Make sure to highlight how these devices seamlessly integrate into everyday life.

2. Assurance of privacy and security

As these users believe the risk for their privacy is high and display low trust in IoT companies, it is important to address their concerns. To build trust among reluctant users, highlight your robust security measures and the company’s commitment to protecting personal data.

Marketing tip: Accessible consumer support can help address any customer concerns and issues promptly, contributing to a positive user experience, and building trust.

3. Showcase entry-level devices

Offer budget-friendly products that cater to essential user needs. Highlight the cost-effectiveness, be clear about the product’s capabilities, and demonstrate how an initial investment goes a long way in terms of convenience and savings.

Marketing tip: Reduce the perceived risk and encourage users to get acquainted with the product through trial periods. That way, reluctant users get to test the devices with the assurance that they can easily return them if they’re not satisfied.

Exceeding expectations for smart devices power users

Power users know the essentials and want a holistic experience that makes their lives more fun, convenient, and cool.

1. Personalize the user experience

Power users know what to expect from smart connected devices in general, but they still want to see the personalized, practical benefits demonstrated in an exciting way. Emphasize predictive automation (anticipating, offering, and automating a new action based on previous user behavior) as an exciting trend that provides users with an unmatched user experience.

Marketing tip: Design a marketing campaign to showcase advanced customization features, communicating a one-device-fits-all approach. Ensure the campaign is modern, trendy, and fun because our power users are also fashionable.

2. Build a community

Experienced users want to connect with like-minded individuals to share their knowledge and get inspired by more passionate users. A quality smart devices community keeps the users connected, informed, and empowered, while contributing to the adoption of smart connected devices and their market success. A community-driven approach offers valuable market insights, revealing emerging trends and preferences.

Marketing tip: Introduce the premium tech product in a limited edition and create a sense of urgency and exclusivity to encourage early adoption. Continue to target that community with your marketing activities. For example, provide early access to updates or private events to nurture brand relationships and motivate the customers to engage with the product more.

3. Leverage specialized content and partnerships

Collaborate with content creators, influencers, or experts in relevant fields to provide exciting content and experiences for smart device enthusiasts. This could include exclusive features, expert insights, or limited-time partnerships.

Marketing tip: Power users care about fashion, so make sure you choose the content creators you’ll cooperate with carefully. Tech experts provide more authority, but may only reach a part of your audience. On the other hand, lifestyle influencers probably have a wider reach, but may offer less-reliable testimonials.

Missed the earlier articles in this series?

• What Consumers Really Think About Their Smart Devices
• How Consumer Lifestyle Influences IoT Adoption
• Smart Devices User Personas: Four Types of IoT Consumers

Bringing it all together – an integrated approach

The most successful IoT products find the right balance between technical excellence and effective marketing communication. By applying these guidelines with your specific audience in mind, you can create smart connected devices that not only perform well but also resonate with your target consumers on a deeper level.

When you align your product development and marketing strategies with the needs, values, and lifestyles of your target consumers, you can overcome adoption barriers and create compelling IoT experiences that drive both user satisfaction and business growth.

This article is part of a series based on Infinum’s comprehensive research examining factors that influence smart device adoption. For more insights on consumer lifestyles, personas, and IoT adoption trends, download the full research report.

The post Smart Connected Devices – Product and Marketing Guidelines appeared first on Infinum.

Smart Devices User Personas: Four Types of IoT Consumers

Blanka Bogdanović — Tue, 23 Sep 2025 10:45:06 +0000

From passionate early adopters to committed traditionalists, our research reveals four distinct IoT consumer types. Understanding these personas could be the key to developing smart devices that truly connect with your target market.

As the Internet of Things (IoT) continues to reshape our daily lives, understanding who adopts these technologies – and why – becomes increasingly crucial for businesses developing smart connected devices.

In the first part of this series, we explored which smart devices consumers actually own — and how satisfied they are with them. In the second, we looked at how lifestyle and personal values shape adoption decisions. Now, we’ll go one level deeper by introducing four consumer personas that bring those statistics and behavioral insights to life.

These personas were developed by Infinum’s marketing and product strategy teams using cluster analysis of our research data, based on responses from 948 European consumers across various markets and demographics. By examining demographic variables, lifestyle choices, values, previous usage, and ownership patterns, we’ve created detailed profiles that can guide product development and marketing strategies.

Let’s explore these four distinct smart device consumer personas and what makes each unique.

Tradition, harmony, and stability – Opposer Ollie

Opposer Ollie is a man in his mid-50s, a rural resident with a lower personal and household income. Ollie values tradition, safety, and harmony and emphasizes the value of social responsibility: appreciation, tolerance, and care for the welfare of all people and nature.

Ollie:

is pragmatic, functional, less tech-savvy, and trusts IoT companies the least of the four personas,
doesn’t follow trends, nor does he nurture a comfort-oriented or growth-focused lifestyle*,
values stability and isn’t passionate about achieving prestige or control over people or resources,
doesn’t find excitement, novelty, and challenge in life interesting,
probably never used or owned smart devices, and is the least willing to use them and recommend them to others – because he doesn’t find them pleasant or helpful, and he is not socially influenced to do so,
worries about privacy risks, and is therefore even less likely to use smart connected devices.

*To understand the lifestyle types referenced here – trend-seeking, growth-focused, and comfort-oriented – see our previous article, How Consumer Lifestyle Influences IoT Adoption.

Takeaway: If he ever decides to invest in smart devices, Ollie is most likely to invest in smart systems that are high on practical usefulness, especially if they are connected to his business. For example, smart lighting or security systems for his farm. That being said, Ollie will probably never explore trendy and sophisticated smart devices.

Reluctant Rebecca’s calming preferences

Reluctant Rebecca is a suburban mom in her early thirties with a moderate personal or household income. Rebecca lives a traditional life and is very dedicated to her family, embracing the steady rhythm of her daily routines.

Rebecca:

is organized and practical, focused on purchasing items that bring a tangible value to her household,
doesn’t follow trends or nurture a comfort-oriented or growth-focused lifestyle,
values tradition, and is less inclined towards excitement, novelty, or social prestige,
is below-average tech-savvy, which discourages her from trying out smart devices
finds social responsibility important, and probably socially engages in activities that support ethical causes.

Takeaway: Smart devices are low on Rebecca’s list of priorities; she finds them less useful and pleasant and is apprehensive about the privacy risks associated with them. Nevertheless, the smart device she might try out is a smart baby monitor, which aligns with her traditional values, personal income, and a practical outlook on technology.

Curious Curtis – fashion-forward, tech-savvy

Curious Curtis is an urban resident in his early thirties, enjoying a higher household income than the Reluctant Rebecca’s group, although their average net personal income remains on par. He works in a dynamic, modern workplace and has a rich social life. He often relies on tech gadgets in his daily activities.

Curtis:

has a strong sense of style and follows the latest trends,
nurtures a growth-focused and comfort-oriented lifestyle, showcasing a desire for continuous learning and a love for quality, calming experiences,
is tech-savvy, follows technology news, and admires premium devices he may not own yet,
finds smart devices an investment that satisfies his need for exploration and can easily integrate them into his modern and dynamic lifestyle,
usually owns up to three smart connected devices, which are not interconnected into a smart home.

Takeaway: Curtis’s openness to innovation and tech-savviness make him an important player in the world of connected living. With time and given more positive experiences, he is expected to evolve into a trendsetter, a smart devices advocate – an Ambassador.

Ambassador Amanda, smart living trendsetter

Ambassador Amanda stands out as an advocate and trendsetter for IoT technology use. In her early thirties and living in a busy city, Amanda enjoys everything modern, fashionable, and exciting. Beyond personal use, she becomes the go-to person for recommendations, embodying a modern woman who leverages the power of connected living.

Amanda:

enjoys a luxurious and trend-seeking lifestyle thanks to a higher personal income,
is highly tech-savvy and has the highest rates of smart connected device ownership and usage: she most likely owns multiple interconnected devices and is developing her smart home,
passionately invests in the newest models of all devices and enjoys their benefits, from brewing coffee from her bed to tracking complex data in her home security system,
invests in smart devices because she believes the price reflects a product’s quality
Is the least worried about privacy risks

Takeaway: Amanda is more than a smart device consumer – she is an influencer, advocating the benefits of a connected lifestyle and proving that embracing technology is a way of life. Amanda usually purchases premium-level devices for leisurely use because, for her, the device is a status symbol: everyone knows the product is expensive.

Next in the series: Smart Connected Devices – Product and Marketing Guidelines

Now that you know who your users are, how do you design and market devices they’ll actually want to use? The next part of the series offers concrete guidelines to inform your strategy.

Marketing applications of IoT consumer personas

Understanding these personas provides valuable insights for product development and marketing strategies. For instance:

When targeting the Curious Curtis segment, emphasize how your smart device enhances both personal growth and comfort while aligning with current trends.
For Ambassador Amanda, focus on premium features and the status associated with being an early adopter of innovative technology.
With Reluctant Rebecca, highlight practical benefits for family life and address privacy concerns directly.
For Opposer Ollie, if targeting this segment makes sense for your product, emphasize practical applications with clear business value and robust security features.

These personas represent different stages in the IoT adoption lifecycle, from early adopters like Ambassador Amanda to potential late adopters like Opposer Ollie. By recognizing where your target audience falls within this spectrum, you can tailor your messaging and product features accordingly.

Key persona comparison

Persona	Demographics	Smart connected device usage	Economic status	Values & lifestyle
Opposer Ollie	Oldest age group, predominantly male, rural residents.	Least frequent users and owners, least willing to use and recommend connected devices.	Lower personal and household income.	High emphasis on tradition, safety, and stability; less concerned with social status and excitement. Least trendy, less inclined towards comfort-oriented and growth-focused lifestyles.
Reluctant Rebecca	Balanced age distribution, predominantly female, suburban residents.	Moderately frequent users and owners, moderately willing to use and recommend connected devices.	Moderate personal and household income.	Moderate emphasis on tradition, with a focus on understanding and protecting welfare. Moderate trendiness, less drawn to excitement, and novelty.
Curious Curtis	Broad age distribution, urban residents.	More frequent users and owners, more willing to use and recommend connected devices.	Moderate personal and household income.	Low emphasis on tradition and understanding the welfare of people and nature, high on excitement. More trendy, nurtures growth-focused and comfort-oriented lifestyles.
Ambassador Amanda	Broad age distribution, least represented in rural areas.	Most frequent users and owners, most willing to use and recommend connected devices.	Highest personal and household income.	High emphasis on excitement, social status is important. Highly trend-seeking, but nurtures both growth-focused and comfort-oriented lifestyles.

More in this series

• What Consumers Really Think About Their Smart Devices
• How Consumer Lifestyle Influences IoT Adoption
• Smart Connected Devices Product and Marketing Guidelines

Build devices that resonate with your consumers

These four personas represent distinct segments within the IoT consumer market, each with unique values, lifestyles, and attitudes toward technology. By understanding these differences, businesses can develop more targeted products and marketing strategies that address the specific needs and concerns of each group.

As we explored in our previous article on lifestyle influences on IoT adoption, trend-seeking individuals like Ambassador Amanda are most likely to embrace smart devices, while those who value social responsibility, like Opposer Ollie, may be more skeptical. These personas build on those insights by providing concrete examples of how these values and lifestyles manifest in real consumer segments.

By recognizing which persona best represents your target audience, you can craft more effective messaging, develop features that address their specific needs, and ultimately create smart connected devices that truly resonate with consumers.

This article is based on Infinum’s comprehensive research examining factors that influence smart device adoption. For more insights, download the full report on IoT adoption trends and consumer preferences.

The post Smart Devices User Personas: Four Types of IoT Consumers appeared first on Infinum.