
The words business majors rejoice at and, simultaneously, those dreaded by engineers of all types: "AI-powered threat detection."
The most successful phishing operation in corporate history isn't targeting your inbox. It's targeting your company's security budget. The attachment isn't malware - it's a pitch deck. The payload isn't ransomware - it's a six-figure annual contract for "AI-powered behavioural analysis" that solves a problem Microsoft already solved for free.
It is no secret that cheap capital, inflated valuations, and the promise of exponential returns create an environment where the con and the legitimate become indistinguishable. When everyone's fishing for the same pool of capital, the question becomes: who's actually preventing the phish, and who's simply running a more sophisticated version of it?
I've been tracking this particular corner of the cybersecurity market with something approaching morbid fascination. The pitch decks blur together. The "revolutionary AI" claims echo across identical PowerPoint templates. What strikes me most is the sheer audacity of it all - companies claiming to prevent phishing attacks whilst executing, in my view, the most sophisticated phishing operation in corporate history. Phishing for capital, naturally.
Abnormal Security - Founded 2018, raised $546M total, most recently at a $5.1B valuation (August 2024). They claim to have crossed $200M in ARR and protect 17% of the Fortune 500. Rather impressive, until one does the maths. That's approximately $346M raised to generate $200M in annual revenue. The implied customer acquisition costs are, shall we say, astronomical. They've convinced CISOs that Microsoft - the company with hundreds of millions of Office 365 mailboxes and essentially infinite machine learning resources - somehow missed the trick on email security. Bold claim. One wonders if the real anomaly being detected is the business model itself.
IRONSCALES - Founded 2014, $126M raised. Claims 10,000 customers globally. Yet their revenue figures? Conspicuously absent from every press release, every investor deck publicly available. One data source estimates approximately $11M in revenue. Another suggests they hit $40M. The range itself tells you everything. When a cybersecurity company has been operating for a decade and won't disclose basic financials, I find myself wondering what precisely they're selling. The product, or the illusion of progress?
SlashNext - Founded 2015, raised $43M. Claimed $40M in revenue before being acquired by Varonis in September 2025 for an undisclosed sum. Started as network threat detection, pivoted to phishing prevention, then pivoted again to "generative AI protection." The chameleon strategy. When the buzzwords change faster than the underlying technology, one begins to suspect the product is marketing, not code.
Vade (formerly Vade Secure) - Founded 2009, raised approximately $127M. French outfit claiming to protect over 1 billion mailboxes worldwide. Extraordinary claim. The mathematics are rather interesting: if one monetised even a dollar per mailbox annually, that would represent $1B+ in revenue. Their actual revenue? Estimates range from $12M to $44M depending on the source. What they're doing, rather cleverly, is counting every mailbox that passes through ISPs using their filtering technology as "protected." Counting the audience isn't the same as monetising it, but it makes for spectacular marketing materials.
Armorblox - Founded 2017, raised $46.5M. Cisco acquired them in 2023 for an undisclosed sum. Industry estimates place the acquisition value between $71M and $97M - barely above what they raised in funding. When Cisco - a company notorious for disclosing acquisition prices - won't disclose this one, the message is clear. The founders secured employment. The investors secured a face-saving exit that probably didn't return capital. Natural language understanding for email security, they claimed. Cisco probably understood the natural language of "acqui-hire" rather clearly.
The pitch follows a remarkably consistent pattern:
What they studiously avoid mentioning:
The Uncomfortable Truth
These companies have collectively raised over $800M to solve a problem that Microsoft and Google are solving for free as a bundled feature. The hyperscalers - with more data, more engineers, more compute, and superior models - provide baseline email security at no marginal cost.
The business model is elegant in its simplicity: convince mid-market CISOs that they need a specialist solution because the free one isn't adequate. Never mind proving your solution is demonstrably better. Never mind that retention metrics suggest customers frequently churn back to native solutions. Just maintain the growth narrative long enough to exit.
Every single one of these companies added "AI-powered" or "leveraging generative AI" to their marketing between 2022 and 2023. The underlying technology - often basic machine learning or heuristic pattern matching - remained largely unchanged. But "GPT-powered" gets you meetings. "Transformer models" gets you headlines. "Generative AI" gets you a valuation bump.
These aren't technology companies building differentiated products. They're narrative companies building compelling stories for venture capitalists. The product is the pitch deck. The customer is the investor. The exit is the only feature that genuinely matters.
Here's the rather delicious irony: these companies are executing precisely the attack pattern they claim to prevent.
Consider the anatomy of a phishing attack:
Now examine the enterprise sales pitch:
They're not preventing the phish. They ARE the phish. The sophistication is rather admirable, actually.
The CISOs buying these solutions aren't purchasing security. They're purchasing insurance against blame. When the breach inevitably occurs, they can gesture at the expensive AI-powered solution they deployed and demonstrate they "took appropriate measures." Everyone wins - the startup gets revenue, the CISO keeps their position, the VCs exit.
Everyone except the company's shareholders, whose capital is being redirected from productive uses. And the security teams whose time is consumed managing yet another dashboard. And the customers whose data remains vulnerable regardless.
But those are externalities, aren't they?
The exits tell the story. Armorblox to Cisco for approximately what they raised. SlashNext to Varonis for an undisclosed (read: disappointing) sum. Others will follow the same pattern - acquisitions below the last funding round, dressed up with press releases mentioning "strategic value" and "technology integration."
The fundamental problem remains: you cannot build a venture-scale business selling incremental improvements to free products from Microsoft and Google. The unit economics don't function. The retention doesn't hold. The differentiation erodes as the hyperscalers invest billions into the same problem space.
But you can extract substantial founder salaries whilst the venture funding lasts. You can secure employment via acquisition. You can return some capital to early investors whilst later investors take write-downs.
That doesn't make for compelling pitch decks, though.
Sma Das