~$20M ARR at acquisition
Founded by ex-Google researchers David Haber and Mateo Rojas-Carulla. Wedge: Gandalf (gamified prompt-injection awareness) gave them viral developer adoption. Sold inside their first 18 months of meaningful revenue.
Track Atlas · OPC ATLAS
AI Security & Red Team: Acquired Fast, Sold Direct, Not Built for Solo Founders
Lakera → Check Point. Robust Intelligence → Cisco. Protect AI → Palo Alto. The exit comp is fast — but the entry bar is high.
AI security is the rare AI subcategory where 2026 has already produced strategic acquisitions instead of growth-stage rounds. Lakera, the prompt-injection defense leader, was acquired by Check Point in early 2026. Robust Intelligence was acquired by Cisco in 2024 for an undisclosed sum (industry-estimated ~$400M). Protect AI was acquired by Palo Alto Networks for ~$700M in 2025. HiddenLayer, the model-supply-chain defender, sits at $200M+ valuation, ~$30M ARR, M&A target rather than IPO candidate. The driving force is OWASP LLM Top 10 going from a 2023 whitepaper to a 2026 audit checklist that every regulated bank, hospital, and government department now requires. The category is real, the buyers are urgent, the pricing is enterprise ($100K-1M+ ACV). But the entry bar is high — you need a security pedigree, design partners in regulated industries, and a sales motion that goes through CISOs and procurement, not PLG. Solo founders are not advised. The right archetype here is the ex-DEFCON red-teamer paired with an enterprise-sales co-founder, not the indie hacker.
01 · 2026 Market Reality
The category split is along the kill chain. (1) Runtime / prompt-injection defense: Lakera (acquired by Check Point 2026, was ~$20M ARR), Prompt Security (~$10M ARR Series A), Calypso AI (~$25M ARR, defense + intelligence community focus). (2) Model supply chain / ML-bom: HiddenLayer (~$30M ARR, $200M+ valuation, scanning model artifacts for embedded malware), Protect AI (acquired by Palo Alto 2025 for ~$700M, ML-BOM scanning + Huntr bug bounty platform). (3) Red-team-as-a-service: Haize Labs (~$10M ARR), Grayhouse, the consulting wave on top of OWASP LLM Top 10 — typically $50K-200K engagements. (4) Agent-specific: Tier Zero (raised $15M Series A 2025 for agent runtime security), Robust Intelligence pre-acquisition (now inside Cisco AI Defense Suite). 2026 dynamics: (a) The OWASP LLM Top 10 went from a whitepaper to an enterprise audit requirement — every Fortune 500 must produce evidence of prompt injection defense and model supply chain scanning, which means a hard deadline for budget commit. (b) Big security incumbents (Cisco, Palo Alto, Check Point, CrowdStrike) are aggressively acquiring rather than building, which means the exit window is wide open but the IPO window is closed. (c) Regulation tailwind from EU AI Act (effective 2026) and US executive orders forces budget. (d) The agent layer (computer-use, browser-use, MCP servers) is the unsolved frontier — securing an agent that touches 30 SaaS apps is a different problem than securing an LLM endpoint, and there's no clear leader yet.
02 · Companies to Watch
~$30M ARR · MAESTRO framework
Founded by Chris Sestito (ex-Cylance research lead). Focus is model supply chain — scanning model weights for embedded malware, MITRE ATLAS contributor. Sales motion targets defense and Fortune 500 CISOs. M&A target.
Now inside Cisco AI Defense Suite
Founded by Yaron Singer (Harvard professor). The early winner — sold to Cisco at the peak of their ARR curve. Now competes with the rest of this list inside Cisco's go-to-market. Lesson for founders: M&A is the predictable exit.
~$700M acquisition · ML-BOM leader
Founded by Ian Swanson (ex-AWS) and team. Strategy: build the open-source bug bounty platform Huntr first, sell ML-BOM scanning to enterprises second. The acquisition validates the bug-bounty-as-distribution playbook for security categories.
DoD / IC / Fortune 500 focus
Founded by Neil Serebryany. Defense + intelligence community focus from day one. SBIR contracts, DARPA-style projects, then expanded into commercial. The pedigree path: cleared founders, cleared customers, cleared technology.
Automated red-team-as-a-service
Founded by Leonard Tang (ex-Harvard researcher). Wedge: automated red-teaming-as-a-service for enterprise LLM deployments. Sells the test infrastructure as a SaaS plus expert services. Modern model for indie security firms.
SASE-style AI gateway
Israeli founders Itamar Golan and Lior Drihem. Wedge: a SASE-style gateway that proxies all AI traffic from corporate networks (employees using ChatGPT, Gemini, internal LLMs) and applies DLP + injection defense. Distribution through IT not security.
Agent runtime security
New entrant focused specifically on agent-layer security — the next frontier. Securing agents that touch dozens of SaaS apps via MCP is the unsolved 2026-2027 problem. Bet is agents become the dominant attack surface.
03 · Green Lights & Red Flags
🟢 Green light · Consider entering
You have a security pedigree the buyer recognizes
CISOs buy from people who have shipped at companies whose names they know. Ex-Crowdstrike, ex-Palo Alto, ex-Cylance, ex-Mandiant, ex-Anthropic safety, ex-OpenAI red-team, ex-major-bank AI risk team — these names open the first 10 meetings. Without one of them, the deal cycle is 18 months instead of 6.
You can land 3 design partners in your first 60 days
If your professional network can put you in front of 3 Fortune-500 CISOs (or one CISO and two Tier-1 banks) ready to sign a $50K pilot in 60 days, the math works. Without that network, you'll spend two years cold-emailing into procurement and miss the M&A window.
You have a focused agent-layer or supply-chain wedge
The prompt-injection gateway category is closed (Lakera + Prompt Security + Cisco). But the agent layer (MCP servers, browser-use, tool-call permission models) is unsolved and the EU AI Act audit forces budget. A focused wedge here can hit $5M ARR in 24 months and be acquired by 30.
🔴 Red flag · Hold off
You're a solo indie engineer with no security background
This category is allergic to indie. CISO procurement requires SOC 2, ISO 27001, named references, MSA legal review, vendor risk assessment. You cannot run that as a one-person company. If solo is your only option, choose another track in this atlas — eval, browser agents, or creator tools.
Your wedge is "AI firewall for ChatGPT"
This space had ~15 entrants in 2024-2025. The DLP-style gateway is now owned by Prompt Security, Lasso, Aim Security, plus the AWS Bedrock Guardrails feature. You will not crack this without a security-incumbent acquisition path already lined up.
You're building this because "AI security is hot"
Pricing is enterprise, sales cycles are 6-9 months, integration is brutal. If you don't have a personal opinion on prompt-injection defense vs jailbreak detection vs supply chain scanning vs guardrails, you don't have the technical conviction this category requires.
04 · Three Ways In
Agent-layer security (the open frontier)
Ex-red-team eng + enterprise sales co-founder
Vertical red-team-as-a-service
Senior offensive security lead + 2 testers
Compliance + audit-evidence layer
Ex-Big 4 GRC + technical co-founder
05 · Founders Who Fit Best
The Lone Engineer (with security DNA)
Only the version of you with offensive security background or AI safety research pedigree. Without that, this track is not for you. With it, the agent-layer security wedge is your single highest-leverage opportunity — and an acquisition path is well-paved.
Industry Veteran (security flavor)
If you spent 8-15 years in security operations at a Fortune 500, your CISO rolodex is the most valuable input in this category. Pair with one strong AI/ML engineer and you have an acquirable company in 24 months.
Community Operator
This category is the worst fit for community/operator types. Buyers are CISOs in 8-month sales cycles, not Discord communities. Look at marketing-and-ai-avatars or sales-sdr-gtm tracks instead.
06 · Monday Morning First Step
If you have the security background and want to test this track this week, run this 2-hour exercise. (1) Open the OWASP LLM Top 10 page, read it cover to cover, take notes on which categories you have strong personal opinions on. (2) Open your LinkedIn — count how many current CISOs, VP Security, or AI Risk leads you can text directly. If under 5, you are not ready for this category yet. (3) For the 5+ contacts, text this exact note: "Quick one — is your team currently buying or building for OWASP LLM Top 10 audit evidence? Curious what's working and what's not." (4) If 3 of 5 reply with "we're scrambling" or "we hate every tool we tried," your wedge is named. The companies in this category that hit acquisition all started with 3 CISO design partners committing in the first 90 days. The ones that died spent 18 months cold-emailing.
07 · What's Next
Worth reading
- OWASP LLM Top 10 (canonical reference) OWASP Foundation
- MITRE ATLAS (adversarial ML threat matrix) MITRE Corporation
- NIST AI Risk Management Framework NIST
People to follow
- Chris Sestito (HiddenLayer CEO) @Tito_Sestito
- Yaron Singer (ex-Robust Intelligence) @yaron_singer
- David Haber (ex-Lakera) @dhabermbz
Adjacent tracks
- AI Eval & ObservabilitySame buyer (security + engineering). Eval = correctness, security = adversarial. Combined wedge is the strongest play.
- AI Browser & Web AgentAgent runtime is the new attack surface — security and browser-agent tracks now overlap heavily.
- Full AI atlasSee where security sits in the 22 AI tracks.
Which kind of founder are you?
5 min · 12 questions · Free · Get your archetype + top 3 matching tracks
Take the quiz →