Defending at the speed of AI: Announcing our $125M Series B

Scaling real-time, AI-native security operations to outpace AI-powered adversaries.

Ankur Singla


A year ago, we came out of stealth with a $75M Series A and a thesis. SOCs cannot scale by hiring more analysts and engineers. They cannot scale by writing more SIEM rules. They scale by combining humans with task-specific AI agents that have real context. We called the result an Agentic SOC.

Today, we are announcing $125M in Series B funding to accelerate that mission, with incredible investors including Mayfield, Khosla Ventures, HarbourVest, Peak XV, Seligman Ventures, and AICONIC ventures. Our total funding is now $200M. We tripled our valuation in a year, grew past 130 people, and processed millions of investigations across our customer base.

But the more important number is the one our customers feel every day. Median time to investigate is dropping from hours to minutes. Detection coverage is expanding without customers needing detection engineering, with 800+ combinations of conditions that can indicate a potential threat or anomaly. Alerts that used to sit in a queue are now resolved before an analyst sees them. Customers are using Vibe Hunting, our natural language threat search, to answer questions every day that would otherwise have required writing extensive queries.

The gap between how fast attackers move and how fast most SOCs respond is widening. With this funding, Exaforce is armed and ready to close that gap and give defenders the advantage.

The threat model has already shifted

Defenders are not facing the same adversary they were facing eighteen months ago. AI changed the economics on the offensive side first.

Phishing kits now generate site-specific lures in seconds, with copy that reads cleaner than the marketing emails the target sees from their own vendors. Reconnaissance that used to take a human operator a week of careful enumeration is now a script that runs against your IaaS API surface in a single afternoon. Initial access brokers are using LLMs to triage stolen credentials at scale, picking the highest value targets out of dumps that used to sit unsorted. Once inside, attackers are chaining cloud and SaaS misconfigurations across identity providers, code repos, and storage in ways that look like normal admin activity until you trace the full sequence.

The shared property across all of these is speed and sophistication. The dwell time window has compressed, and the signal looks more like noise than ever.

A SOC built on event-only SIEM data, point-in-time alerts, manually tuned anomaly baselines, and correlation rules written by hand cannot keep up with that.

Why semantic context beats LLM wrappers

Most solutions on the market today are wrappers around frontier models, with prompts that turn alert payloads into English summaries. This produces confident-sounding triage notes that fall apart the moment you ask anything that requires context beyond what those tools expect you to ask.

The problem runs deeper than that. Querying, correlating, and reasoning after the fact uses a large number of tokens, is inconsistent, and is too slow to act on. That is why LLM wrappers fail even at triage.

Our Exabots run on top of a semantic knowledge model, not raw event logs. That model represents your environment as a graph of related entities. Identities and the permissions effective on them right now. Cloud resources and the configurations attached to them. Endpoints and the users who own them. Code repositories and the service accounts deploying from them. Network paths and the segmentation between them. SaaS apps and the data leaving them.

Every event and alert we ingest gets resolved against that graph. An alert in this model is a node connected to the identity that triggered it, the resource it touched, the configuration of that resource at the moment of the event, the peers of that identity, and the historical pattern of similar activity. When an Exabot reasons about that alert, it has all of that context loaded as structured input.

What customers are seeing

The numbers we care about most are the ones customers feel every day. A 94% reduction in mean time to investigate at one customer, three hours down to ten minutes. Six FTEs of monthly capacity returned to another. Time-to-first-response inside thirty days from onboarding for teams replacing legacy MDRs.

The pattern behind those numbers is consistent. Teams that had been stringing together multiple tools and query languages to get a picture of an event now have one. Patrick McKinney, VP of Security at Invisible Technologies, put it plainly after evaluating several options. What differentiated Exaforce, he said, was "the ability to unlock the full value of our data, from enriched event ingestion to detection, response, and automation, all within a single platform."

The same pressure applies to organizations with tighter data constraints. For security teams at biotech companies like Guardant Health, the sensitivity of the data and the pace of AI-driven attacks leave little margin. Their CISO Steve Mancini describes the shift where analysts now use "natural language search to get actionable answers about security events and security posture in a single tool instead of juggling disparate interfaces and query languages." Coverage expanded without headcount.

That is the trade-off we built for. Fewer tools to context-switch across. Less time reconstructing what happened. More time acting on it.

Where the funding goes

We are putting the capital into three things: the platform, geographic reach, and the experience around both.

We are investing further in multi-modal AI and expanding the semantic knowledge graph that anchors it. The next phase brings richer reasoning across unstructured data alongside the structured graph, deeper code and identity context, and faster knowledge-graph updates so that Exabots are always reasoning against the live state of your environment, not a snapshot from ten minutes ago.

Additionally, demand from Japan and Europe has outpaced our ability to serve it from the US alone. We are scaling go-to-market across both regions, with regional MDR coverage and local language support. More to come.

Finally, the experience around the platform is key as we expand on the areas above. Customer success, threat research, MDR oversight, and support. The product is only as good as the operational rigor wrapped around it, especially for customers running it as a co-managed service.

What comes next

The security space is full of people who know how broken the current model is. Practitioners who have spent years triaging alerts by hand, writing rules that fall behind in weeks, and managing tools that generate work instead of reducing it. Engineers who have built real-time systems at scale and know what it actually takes to make them reliable. Threat researchers who think in adversary tradecraft, rather than focusing on what checks the compliance checkbox.

That is who we are looking for. If you have been waiting to work on a security problem that is genuinely unsolved, we are hiring. To the teams already running Exaforce, thank you. To the teams still evaluating, request a demo.
