Our Investment in Prime Security: Turbocharging Product Security Teams


10.09.2024 | By: Sid Trivedi

Today, Prime Security emerged from stealth to introduce the public beta of its Prime Product Security Platform and the $6M seed round led by Foundation Capital. We were the first investor in Prime Security, and I’ve personally been on the board of directors since inception, working closely with the founders for several months before incubating the company at the beginning of this year.

Prime Security provides security engineering teams an opportunity to leverage modern AI infrastructure to augment their work. The company does this by building guardrails into the software design phase to detect, prioritize and mitigate security and compliance risks in planned software engineering work. Here’s the story of how the journey began, why we invested, and what’s ahead.

Dinner with the Prime Security founders – Michael, Dimitry, Danny & Matan – in New York City in February 2024

A founding team built across two continents

Prime brings together a truly special founding team across the US and Israel, with each of the four founders bringing individual strengths across go-to-market, product, and engineering. The partnership journey began when I was originally introduced to Dimitry Shvartsman in April 2022 by his former boss, then PayPal CISO, Assaf Keren. Dimitry has lived the problem that Prime Security is solving today – he was the Head of Cybersecurity Strategy at PayPal, responsible for leading the 50-person security engineering and architecture team. While at PayPal, Dimitry ended up becoming one of my go-to customer experts when evaluating new product security startups. But in summer 2023, he texted me to say he was feeling the founder’s itch and wanted to chat about a new idea he had started thinking about.

PayPal CISO Assaf Keren’s email introducing me to Dimitry ahead of RSA Conference 2022

We got to work on the vision for Prime Security and I started to make introductions to customers and operators to test our messaging, but we were missing a founding team. Dimitry and I spoke to several co-founder candidates, but one conversation really stuck. Dimitry’s friend from his days in the Israel Defense Forces (IDF), Matan Markovics, had just left Own Company to work together with two other former colleagues, Michael Nov and Danny Hanga, on a startup. They had been brainstorming a few different ideas but hadn’t landed on anything firm. Dimitry’s vision to leverage large language models (LLMs) and automate the day-to-day tasks of product security teams piqued their interest, and we now had the makings of an exceptionally talented founding team.

Each member of this team brings something special to the story with expertise across go-to-market, product, and engineering. Michael (CEO) was most recently Chief of Staff to Own’s CTO where he led multiple teams including M&A and product strategy, helping the company expand into the SaaS security domain. Many in my network describe him as one of the best networked executives in the NYC-Israel enterprise software ecosystem. Dimitry (CPO) brings the customer point of view necessary to ensure we solve a real pain point. Matan and Danny founded a company together, which they subsequently sold to Own, and are widely considered by founders and operators in the Israeli cybersecurity community to be two of the smartest engineers out of Israel’s top technical intelligence unit. The team is split between New York City and Tel Aviv, two hotspots of global cybersecurity innovation.

Product security is a bottleneck in the modern software development process

Enterprise migration to the cloud was turbocharged during the COVID-19 pandemic and continues in full force. According to data from the latest Morgan Stanley CIO survey, 40% of application workloads are in the public cloud today and this will grow to 56% by the end of 2026. As enterprises migrate to the cloud, developers have more direct access to the underlying infrastructure and can push application updates to production, bypassing IT. According to Gartner, 47% of application deployment tasks administered by IT have been automated and this figure is expected to grow to 70% by 2025.

In this changing landscape where developers are more empowered with IT automation, security teams have largely fallen behind. The security engineer is responsible for configuring and managing security tools such as network and application firewalls, intrusion detection systems and data access. The security architect is responsible for designing the overall security system required to protect an organization and its applications from threats. Both these roles typically need to respond to multiple requests from engineering and IT teams throughout the day as part of the design and run phases of application development. Conversations with security leaders have found that 30-50% of security engineering tasks and ~20% of security architect tasks are repetitive and can be automated with sufficient context.

Leveraging automation to support overburdened product security teams

Prime Security introduces a new opportunity for security engineering and architecture teams to leverage automation for lower-order tasks, reducing the security burden without compromising on threat readiness. The company plans to ingest data from three different sources: reasoning data, which includes historical decisions and documentation from sources like Jira and Confluence; tools data from both security (e.g. CrowdStrike, Palo Alto Networks) and IT (e.g. AWS, Azure, Workday, Okta) products; and process data from policies, best practices, and standards internal to the company (typically held in Adobe PDF, Microsoft Office, etc.).

A slide explaining the Prime Security vision from a November 2023 seed deck presented to the Foundation Capital partnership

Data across these sources will be aggregated and normalized to provide a full picture of the customer’s security environment. Prime Security’s risk-aware engine leverages a multi-modal approach with a vector database capability for embeddings. To ensure privacy and security controls, customer-specific data is saved, and model processing is done, in a dedicated customer environment. Only reasoning and metadata are extracted from the customer’s environment, for model management and improvement of query responses.

With its public beta launch, the company is initially focusing on the software design stage, one that is rife with risk but has been overlooked for years due to technical complexity. Prime analyzes all planned engineering work and can identify security risks at their inception, provide context for each risk, and share a step-by-step process for mitigating it. The product is already deployed at a dozen customers and the team has ingested hundreds of thousands of tickets so far. Prime can automatically respond to the vast majority of tickets, leaving ~5-10% of tickets open, where the suggested recommendation needs to be assessed by a human.

A screenshot of the Prime Security platform providing recommendations on how to manage a ticket

The tasks that the company plans to focus on do not require 100% model accuracy, given that this accuracy is not achieved even when the tasks are done manually. Software automation combined with a human-in-the-loop process will result in higher overall performance while also saving time that can be spent on more complex tasks like mitigating code vulnerabilities.

Joining the Prime Security team on this journey are several great partners including Chip Hazard of Flybridge Capital and prominent angels from the Own Company (Sam Gutmann, Adrian Kunzle, Ariel Berkman) and PayPal (Sri Shivananda, Assaf Keren) networks and the broader cyber and IT ecosystem (Dimitri Sirota, Bobby Patrick, Dotan Bar Noy, Lior Levy, Hadar Zeitlin, Omer Schneider).

Shining a spotlight on product security

Prime Security’s platform has already been tested by customers across multiple sectors and is now ready for public release. There are ~20K mid-market companies and ~5K enterprises that don’t have enough security engineering and architecture talent to keep up with software development innovation. We believe Prime Security can bridge this gap and turbocharge these teams by providing software that augments human labor. There is a $3B ARR opportunity for the taking and we’re excited to see the Prime Security team lead the charge.

The Prime Security team in Tel Aviv, Israel

Prime Security is headquartered in New York, NY with an office in Tel Aviv, Israel and they are actively hiring across multiple functions – you can check open listings here!


Published on October 9, 2024
Written by Foundation Capital
