Today we're announcing our $25 million Series A funding, led by FirstMark, with participation from Bain Capital Ventures, Decibel, Zetta Venture Partners, and Step Function Ventures. My thanks to David Waltcher and the FirstMark team for leading the round, and to our existing investors for continuing to back us.
Nine months out of stealth, we’ve earned the trust of Fortune 500 enterprises, and organizations across financial services, healthcare, and technology, along with fast-growing companies including Cribl, HealthEdge, and Bain Capital. The platform has run more than 300 million agentic investigations and produced over 4,000 high-confidence findings.
We started as the first platform to run fully autonomous, vendor-agnostic threat hunts driven by intelligence. This round lets us widen the aperture. That same behavioral system of record now powers a hunt-first security analytics platform, and we're shipping three new capabilities to help customers spend less time reacting to alerts and deploy detections faster than ever.
We’ve shipped three new features to expand the platform’s capabilities for our customers. Insider risk management collapses a person's or an AI agent's scattered accounts, identities, and hosts into a single Actor you can monitor and flag with a single switch. Correlation rules turn unrelated blips across endpoint, identity, and cloud into one detection with a full evidence chain your team can test, tune, and edit end to end. And the Command Center is the home base that tells you where to hunt, what to investigate, and which coverage gaps matter most, including the ones still sitting in your SIEM.
Defenders need to close the coverage gap, and the place it's being tested hardest right now is the speed at which AI is entering the enterprise. Hunt-first analytics is how teams get ahead of those threats before they become incidents.
The rise of shadow AI
When OpenClaw went viral earlier this year, the speed of curiosity was the story. Within a week, Nebulock alone observed more than 50,000 OpenClaw-related events across 40% of our customer base. We pushed detections to every environment before those events turned into incidents.
That's the world we defend now. Managing the speed of AI adoption is a challenge, but the harder problem is quieter. Some threats now hide inside ordinary activity, and we've started calling them green flags.
A green flag is what you get when an attacker logs in with valid credentials and behaves like any other user, or when your sanctioned AI agent starts doing something nobody authorized. No rule trips, and nothing about the activity looks wrong on its surface. By every traditional measure it's routine, which is exactly why it gets through.
The opportunity beyond reactive alerts
For years, security operations were built to catch what is obviously wrong: malware, known-bad indicators, clear anomalies. That model is breaking, and the numbers are blunt. Verizon's 2026 DBIR found the median attacker now leans on AI across 15 different techniques, and that the window from a vulnerability going public to being actively exploited has collapsed from months to hours. Adversaries move at machine speed now and, more often than not, are already inside with credentials you issued or riding tools you deployed.
The infrastructure built to catch all of this is already underwater. CardinalOps' most recent annual report found that enterprise SIEMs miss roughly 79% of the MITRE ATT&CK techniques adversaries actually use, and that 13% of the rules already deployed are broken and will never fire. The risk runs inward too: in Gravitee's 2026 survey, 82% of executives were sure their policies covered unauthorized agent actions. 88% had already suffered a confirmed or suspected AI agent incident anyway, and only 21% could actually see what their agents were doing.
The threats getting through are not the ones that look wrong. They are the ones that look legitimate.
The future is context
You do not catch a green flag by writing more rules or buying a smarter agent. Both have a narrow depth of field: they judge events in isolation, one at a time, and at that resolution a green flag stays invisible. It only becomes visible when the resolution improves and you ingest the events as a sequence, read in context and across time.
Context is the unlock. Nebulock turns your organization's context into a behavioral system of record, so your team can reason about what is happening across endpoint, identity, cloud, network, and SaaS instead of tallying alerts. Because Nebulock knows which identities, data stores, and dependencies carry the business, we see when a string of unremarkable actions adds up to something else. The platform evolves with your program and your business rather than waiting for the next incident to force a change. Cribl's team calls Nebulock "another teammate working without impacting our budget," with CISO Myke Lyons crediting it with moving his team "from reacting to alerts to proactively uncovering threats."
The better terrain belongs to defenders. An attacker can rent capability, polish their tooling, and move at machine speed. But an attacker, automated or not, still has to act inside your environment to get what they came for. They have to authenticate, enumerate, pivot, and reach the systems that matter, and when most intrusions ride valid credentials, the decisive evidence is behavioral, not a signature. That intent leaves traces on ground you own: the telemetry, the context, and the hard-won knowledge of what normal looks like, as long as you have something built to read it.
Most of the market builds the other way, outward from a single agent the vendor owns, or from third-party alerts that trigger action. We build inward, from the telemetry you already have, with a rich behavioral detection capability designed to fill the gaps that inevitably exist and grow over time. After all, a system of record for behavior cannot belong to a vendor's sensor or its alerts. It has to sit above all of them.
Threat hunting is only the start
We started this journey with the thesis that threat hunting was an overlooked half of security operations. As we’ve partnered with customers, we’ve expanded our mission: to reduce complexity, deliver faster time to value, and, most importantly, uplevel the defender. Since day one, we've aimed to deliver hunt-first, always-on security operations to every team, regardless of size, skillset, or budget. Expert threat hunting should not demand endless headcount, months of integration, or a pile of tools that never talk to each other. The next era of security operations belongs to systems that are proactive by default and context-rich by design. We are building it for everyone, not just the teams who can already afford a hunt program.
We've quadrupled the team since our public launch less than a year ago, and we're continuing to hire across engineering, product, and go-to-market.
To our customers, thank you for trusting us with your hardest problems. To our investors, thank you for believing in this category. To the team, thank you for building with urgency at exactly the right moment, and to my family, thank you for your steadfast support.
We're just getting started.