Bringing intelligence to assets, new White House cybersecurity strategy, and the news – Tim Morris – ESW #447

Adrian Sanabria

1. FUNDING/M&A courtesy of the Security, Funded newsletter, issue #231 – That’s Quite the Return

   VIBE CHECK What AI security assumption from 2023 aged the worst?

   • 46% - AI will replace most security analysts
   • 31% - We have time to figure this out
   • 15% - LLMs are too unreliable for real security work
   • 8% - Creating compliance frameworks will work

   Comments:

   • “A close one for me, this. But real-world LLM-based offsec tooling is getting better. Still a lot of noise out there, but the progress is real.“
   • “Humans are too unreliable for real security work, especially given that our adversaries are AI-enabled. Trying to fight today's malicious hackers without AI is like fighting a battle in 2026 armed only with knives and clubs.”

   LAYOFFS

   • Palo Alto Networks, a United States-based suite of cloud and network security tools, laid off 400 employees, or 10% of its workforce, after acquiring CyberArk and restructuring. <- this is not surprising - according to LinkedIn, CyberArk had around 4,000 employees. We'll probably see more layoffs here in the near future, this might just be the first round.

   FUNDING

   • GitGuardian, a United States-based automated secrets and non-human identity detection platform, raised a $50.0M Series C from Insight Partners and Quadrille Capital. <- surprising, for a company that originally just scanned code for secrets!
   • Reco, a United States-based SaaS security posture management platform, raised a $30.0M Series B from Zeev Ventures.
   • Segura, a Brazil-based privileged access management (PAM) platform, raised a $25.0M Venture Round from Riverwood Capital.
   • Complyance, a United States-based security and compliance automation platform, raised a $20.0M Series A from Google Ventures.
   • Nucleus Security, a United States-based automated threat and vulnerability remediation platform, raised a $20.0M Series C from Delta-v Capital. <- looks like a down round - with Kenna getting shut down, they should be getting a boost, but I suspect this market just isn't doing well overall.
   • Backslash Security, an Israel-based Application Security Platform, raised a $19.0M Series A from KOMPAS VC.
   • Lema AI, an Israel-based continuous third-party risk management platform, raised a $17.5M Series A from Team8.
   • Clearly AI, a United States-based automated third-party security questionnaire response platform, raised a $8.4M Seed from Basis Set Ventures.
   • ZAST.AI, a United States-based agentic AI-driven application security platform, raised a $6.0M Seed from Hillhouse Capital.
   • $50m from RSAC's private equity owner, spread evenly across 10 innovation sandbox finalists: Charm Security, Clearly AI, Crash Override, Fig Security, Geordie AI, Glide Identity, Humanix, Realm Labs, Token Security, and ZeroPath
   • Veria Labs, a United States-based continuous threat exposure management platform, raised a $3.2M Seed from Amino Capital, Gokul Rajaram, MA7 Ventures, Matias Woloski, Paul Graham, Rock Yard Ventures, and Seaplane Ventures.
   • CYDELPHI, a United States-based automated digital forensics and incident response platform, raised a $3.0M Seed from Glasswing Ventures.

   ACQUISITIONS

   • Acuvity, a United States-based visibility and governance platform for AI application usage in the enterprise, was acquired by Proofpoint
   • Anchor, a United States-based certificate lifecycle management platform, was acquired by Keycard
   • Arco Cyber, a United Kingdom-based unified threat and risk prioritization platform, was acquired by Sophos
   • Autonomous Plane, a United States-based threat and risk prioritization platform, was acquired by Endor Labs
   • Check Point acquires THREE startups:
   • Cyata, an Israel-based agentic AI governance and security platform
   • Cyclops Security, an Israel-based cybersecurity mesh architecture platform
   • Rotate, a United States-based managed detection and response platform
2. TRENDS: Open source registries underfunded as security costs rise

   TL;DR - cybercrime and AI is making it orders of magnitude more difficult to maintain safe repos, but the repo maintainers don't have orders of magnitude more people to deal with these new problems.

3. WHOOPSIE: Microsoft says bug causes Copilot to summarize confidential emails
4. RESEARCH: Vibe Password Generation: Predictable by Design – Irregular

   Hilarious. I shouldn't be surprised that people might try to use an LLM as a password generator, based on past behavior. SIGH.

5. STANDARDS: Google Chrome ships WebMCP in early preview, turning every website into a structured tool for AI agents

   Websites have to be redesigned to comply with WebMCP, so it will be interesting to see how quickly people adopt it. The whole idea here is to make websites AI-friendly, so that there's less scraping and guesswork.

   Another way of looking at it is redesigning the Web to be API-friendly without having to build APIs.

6. PRIVACY: FBI Couldn’t Get into WaPo Reporter’s iPhone Because It Had Lockdown Mode Enabled

   Privacy isn't dead... yet!

7. ESSAYS: Prompt Injection Isn’t a Vulnerability

   I mean, it is though

8. ESSAYS: Defining Risk

   A great piece from Ayman on defining and measuring risk.

9. ESSAYS: The changing buy vs. build calculus for security

   This is a big deal - if you only read one of our stories this week, make it this one. AI is totally changing the buy vs build calculations, but not for everything. It's worth some careful thought and adjustment to tool use strategies.

10. SQUIRREL: He Leaked the Secrets of a Southeast Asian Scam Compound. Then He Had to Get Out Alive

    A wild story worth checking out. There are few winners in a lot of cybercrime and large-scale scams. The people performing the scans are often not doing it willingly.