Our investment in AirMDR: Closing the cyber inequity gap
06.13.2024 | By: Sid Trivedi
Last week AirMDR emerged from stealth to announce its SMB-focused autonomous Managed Detection and Response (MDR) platform and the $5M seed round led by Foundation Capital. We were the first investor in AirMDR and incubated the company in summer 2023. I’ve personally been on the board of directors since inception and worked closely with the team from day zero.
Advances in automation have given AirMDR a chance to level the playing field in cybersecurity, giving small and medium enterprises the same detection and response capabilities as Fortune 2000s. Here’s the story of how the journey began, why we invested, and what’s ahead.
A massive and unprotected attack vector
SMB executives have long believed that hackers pose a threat only to the largest companies—those with big brands to protect and plenty of capital to pay ransom demands. But this isn’t entirely true. Hackers have recognized that SMBs typically have limited cybersecurity tooling or knowledge and so are much easier targets. During the COVID-19 pandemic, small businesses were attacked at twice the rate of larger organizations.
SMBs have started to recognize that they are the weakest link, and they want to fix this problem. The most recent US Chamber of Commerce Survey from Q1 2024 found that cybersecurity threats are now the biggest concern for SMBs, ahead of supply chain breakdowns, theft, weather, or even another pandemic. Despite this strong demand, there is a significant talent shortage in cybersecurity (3.5M unfilled positions globally), and according to data from the World Economic Forum and Accenture, over half of SMBs don’t have the skills to respond to and recover from cyberattacks.
On the other hand, large companies typically have an internal 24/7 security operations center (SOC) that monitors alerts from across their IT and security tooling to detect threats and respond to them in real time. For a mid-size business of ~1-2K employees to maintain this level of capability you need to build a team of at least a dozen security analysts, detection engineers, and automation engineers. You also need to pay for the necessary software to log alerts, build playbooks, and run orchestration. Even for mid-market enterprises, this can end up costing $1-$3M a year.
This is where managed detection and response (MDR) providers come in. These providers become a mid-market customer’s outsourced security team and augment the in-house SOC for larger enterprises. MDR providers combine technology and human expertise to perform remote threat hunting, monitoring, and response. According to data from Emergen Research, the global MDR market was $4.9B in 2021 and is estimated to grow to $21.9B by 2030. It’s one of the fastest-growing segments in cybersecurity, but it’s mostly powered by services—typically located offshore in lower-wage economies.
Reinventing MDR with a virtual AI analyst
The rise of large language model innovation, supercharged by the launch of ChatGPT in November 2022, started to get me thinking about the opportunity ahead for new cybersecurity innovation. Two areas where I believed we would see significant innovation using generative AI are in a reinvention of detection and response tooling and the opportunity to target SMB cybersecurity. When Microsoft launched Security for Copilot in March 2023, I shared some of my thoughts on startup opportunities publicly on LinkedIn.
Kumar Saurabh saw this post and sent me a note:“This is a super interesting area for me. I do not have a concrete enough plan yet to start executing – but I am seriously exploring that area. My gut tells me that a new product should exist in that space.”
Kumar is no stranger to the detection and response category. He was one of the early employees at ArcSight, which helped to create the SIEM (Security Information and Event Management) market, and where he led the analytics and solutions teams. He eventually rose to become Director of Engineering and stayed right through the company’s IPO. After this journey, in 2010 alongside Christian Beedgen he co-founded Sumo Logic, a cloud-native SIEM platform that provided log management and analytics services. He ran engineering at Sumo and when he left at the end of 2015, half the company reported to him. Even after a successful IPO and thousands of new team members, employees have shared with me that part of the core codebase that runs the search query capabilities at Sumo Logic still comprises the original code written by Kumar. Most recently, Kumar served as CEO and co-founder of LogicHub, a cloud-native SOAR (Security Orchestration, Automation and Response) platform that was acquired by Devo in September 2022.
After some initial brainstorming, we spent a few months discussing how to leverage LLMs within detection and response. Both of us believed that one of the biggest opportunities created by generative AI was to completely reinvent the MDR through automation and target the underserved small and mid-market customer base. We believed a new startup could embed context learned from security-specific events and build on top of existing LLMs. The goal would be to reduce costs while significantly improving response times using a virtual AI analyst for each piece of the platform experience – from onboarding, detection content deployment, playbooks, threat hunting, and response actions.
Most importantly, instead of exposing a virtual analyst directly to the customer, we would leverage the AI analyst internally so that our own human SOC team could train the chatbot over time. This would ensure that customers didn’t have to deal with issues around the quality of responses and hallucinations. For the customer, the entire experience would feel like just another MDR platform, but under the hood, it would be a completely different engine.
Once the idea had crystallized into a product vision, we incorporated the company and signed a term sheet to lead the seed round in June 2023. Tae Hea Nahm of Storm Ventures, who was an early investor in Kumar’s last company LogicHub, also joined us as we began this journey.
Assembling the A-team
To go after a big vision in a competitive market, you need a world-class team. Kumar’s first partner in this journey was Anthony Morris who was an early employee at LogicHub and ran their MDR service. With experience working at top-tier SOC teams at Bank of America and Experian, Anthony knows what a good SOC looks like and wants to bring that same experience to SMBs. In fall 2023, Sekhar Sarukkai, the technical co-founder of Skyhigh Networks introduced me to his CPO, Anand Ramanathan. After long careers at Skyhigh, McAfee, Proofpoint, and Cisco, Anand was thinking about his next role and really wanted to go early. We were looking for a product leader and quickly realized that Anand brought the right mix of deep market insight, an execution-focused attitude, and the humbleness to realize what he didn’t know.
One of my former portfolio companies, Attivo Networks, which sold to SentinelOne for $617M in March 2022, also became a key ground for us to recruit talent. Carolyn Crandall, Attivo’s CMO became available in October 2023, and we knew she would be an excellent fit given her experience running marketing orgs at Cisco, Juniper, and Riverbed. Carolyn can make products stand out in the crowd and run focused demand-generation campaigns. And just as we thought things couldn’t get any better, in December 2023, Srikant Vissamsetti, the technical visionary behind Attivo, called me to say that he was thinking about what to do next. Srikant built Attivo’s platform to scale to over 300 customers across 6 continents and ran an engineering team of over 100 employees. This was a hire we couldn’t miss, and I immediately called Kumar. We got to work convincing Srikant to join us as CTO and by the start of the New Year he was all in.
With Kumar, Anthony, Anand, Carolyn, Srikant, and 20 other engineers, we have a dream team that brings enterprise-grade expertise to the SMB market.
Pulling back the curtains
After a year of building, we’re finally ready to share the AirMDR platform publicly. We want to deliver on the promise of quality and speed— something that most human-oriented MDRs have failed to do—while also opening the market to a customer base that previously couldn’t afford a cybersecurity team. Our 24/7 human SOC leverages our virtual analyst (named Darryl) to investigate, triage, respond to, and contain threats. With AirMDR’s automation capabilities, we’ve shown that Darryl can perform tasks in under 5 minutes which would normally take human analysts over an hour to do. AirMDR’s platform supports each company’s business tech stack of choice with over 200 vendor integrations out of the box covering 90% of the integrations a typical customer might require.
We’ve already connected the team with several early customers and advisors like Nick Muy, Chris Castaldo, Assaf Keren, Kane Lightowler, and Mahendra Ramsinghani. This is also the only cybersecurity investment where we fit the customer profile, and I’m proud to say that Foundation Capital is also a paid customer of AirMDR.
We’ve had a long history of investing in novel approaches within detection and response security. From Phantom Cyber (which helped create the SOAR market) to Respond Software (which worked to automate the security analyst role before LLMs) to Anvilogic (which provides enterprises with a multi-platform SIEM architecture) to Permiso (which helps companies manage real-time cloud threats). We believe that AirMDR unpacks another new opportunity and focuses on a customer base we haven’t yet touched—the SMB market. We’re excited for AirMDR to finally bridge the cyber inequity gap. Congratulations, Kumar and the entire AirMDR team.
AirMDR is headquartered in Menlo Park, Ca. If you’d like to try their MDR platform, you can do so risk-free and for a limited-time 40% discount using an exclusive link here.
Published on 6.13.24
Written by Foundation Capital
