Most security companies sell you a better lock. A Security just raised $37M to sell you a burglar who works for you

The New York startup came out of stealth on June 9 with a $37M round led by Lightspeed, with Cyberstarts and a cap table of angels that reads like a category who’s-who, including the CEOs of Wiz and Cyera. The founders come out of AWS and Abnormal Security. The product hunts for “exploit paths,” the chains of small misconfigurations and vulnerabilities that an attacker, increasingly an AI attacker, could string together into a real breach. Instead of waiting for an alarm, it runs the attack first and maps your whole surface the way an adversary would see it. The pitch is blunt: become the offense before someone else does.

The mental model: Inversion.

That’s not just a feature. It’s a way of thinking.

Most teams attack a hard problem by asking how to win. How do we stay secure, how do we hold the perimeter. Inversion flips the question. Ask how you’d fail, then work backward to make that failure impossible. Charlie Munger built half his reputation on it: tell me where I’m going to die so I never go there. The military version is older. You plan against the enemy’s most dangerous course of action, not your own best case. Anyone who’s sat in a planning cell against a thinking adversary knows you start from their move, not yours.

A Security turned that instinct into a product. Defense by assuming you’re already compromised, then finding the path before the attacker does. The reason it works as a business and not just a slogan is that AI changed the math. Attackers can chain exploits at machine speed now, so a defender who only reacts is permanently a step behind. The only way to stay ahead is to think like the thing trying to break you.

It’s the same discipline we use building in regulated markets. At /mkt, you design assuming a regulator reads every line in the least charitable way possible, then build so there’s nothing to find. That’s inversion too. Start from the worst reading, not the friendly one.

Here’s the contrarian bit. The instinct most founders have under threat is to add. More monitoring, more alerts, more dashboards, the Splunk pile that A Security wants to replace. Their bet is that the winning move is to subtract and reframe: stop cataloging every theoretical thing that could go wrong and start from the one thing an attacker will actually do.

Inversion isn’t pessimism. It’s the most efficient form of optimism there is, because it spends your attention only where the real risk lives. Build like you’re trying to break in. Then make sure you can’t.

If this was useful, share it with someone who builds things. And if you want the full toolkit of 50 mental models, my book is coming soon.

Funding figures are drawn from public disclosures. Nothing here is investment advice.