The Phish from Within

It is no secret that the cybersecurity world is abuzz with the potential innovations AI can herald in the field. As the breadth and volume of AI's impacts increase, the surface area cybersecurity is responsible for expands dramatically. Would it not be wise, then, to assume that the industry - awash with AI funding from Accel, Sequoia Capital, and a16z - is trending towards the next cybersecurity super-product?
What if I promised you another basic AI-phishing education platform instead?
It's morbid, really. The pitch decks blur together. The "revolutionary AI" claims echo across identical PowerPoint templates. What strikes me most is the sheer audacity of it all - companies claiming to prevent phishing attacks whilst executing, in my view, the most sophisticated phishing operation in corporate history. Phishing for capital, naturally.
IRONSCALES - Founded 2014, $126M raised. Claims 10,000 customers globally. Yet their revenue figures? Conspicuously absent from every press release and every investor deck publicly available. One data source estimates approximately $11M in revenue. Another suggests they hit $40M. The range itself tells you everything when a cybersecurity company has been operating for a decade and won't disclose basic financials.
SlashNext - Founded 2015, raised $43M. Claimed $40M in revenue before being acquired by Varonis in September 2025 for an undisclosed sum. Started as network threat detection, pivoted to phishing prevention, then pivoted again to "generative AI protection." The chameleon strategy. When the buzzwords change faster than the underlying technology, one begins to suspect the product is marketing, not code.
Vade (formerly Vade Secure) - Founded 2009, raised approximately $127M. French outfit claiming to protect over 1 billion mailboxes worldwide. Extraordinary claim. The mathematics are rather interesting: if one monetised even a dollar per mailbox annually, that would represent $1B+ in revenue. Their actual revenue? Estimates range from $12M to $44M depending on the source. What they're doing, rather cleverly, is counting every mailbox that passes through ISPs using their filtering technology as "protected." Counting the audience isn't the same as monetising it, but it makes for spectacular marketing materials.
Armorblox - Founded 2017, raised $46.5M. Cisco acquired them in 2023 for an undisclosed sum. Industry estimates place the acquisition value between $71M and $97M - barely above what they raised in funding. When Cisco - a company notorious for disclosing acquisition prices - won't disclose this one, the message is clear. The founders secured employment. The investors secured a face-saving exit that probably didn't return capital. Natural language understanding for email security, they claimed. Cisco probably understood the natural language of "acqui-hire" rather clearly.
The pitch follows a remarkably consistent pattern:
What they studiously avoid mentioning:
The Uncomfortable Truth
These companies have collectively raised over $800M to solve a problem that Microsoft and Google are solving for free as a bundled feature. The hyperscalers - with more data, more engineers, more compute, and superior models - provide baseline email security at no marginal cost.
The business model is elegant in its simplicity: convince mid-market CISOs that they need a specialist solution because the free one isn't adequate. Never mind proving your solution is demonstrably better. Never mind that retention metrics suggest customers frequently churn back to native solutions. Just maintain the growth narrative long enough to exit.
Every single one of these companies added "AI-powered" or "leveraging generative AI" to their marketing between 2022 and 2023. The underlying technology - often basic machine learning or heuristic pattern matching - remained largely unchanged. But "GPT-powered" gets you meetings. "Transformer models" gets you headlines. "Generative AI" gets you a valuation bump.
These aren't technology companies building differentiated products. They're narrative companies building compelling stories for venture capitalists. The product is the pitch deck. The customer is the investor. The exit is the only feature that genuinely matters.
Here's the rather delicious irony: these companies are executing precisely the attack pattern they claim to prevent.
Consider the anatomy of a phishing attack:
Now examine the enterprise sales pitch:
They're not preventing the phish. They ARE the phish. The sophistication is rather admirable, actually.
The CISOs buying these solutions aren't purchasing security. They're purchasing insurance against blame. When the breach inevitably occurs, they can gesture at the expensive AI-powered solution they deployed and demonstrate they "took appropriate measures." Everyone wins - the startup gets revenue, the CISO keeps their position, the VCs exit.
Everyone except the company's shareholders, whose capital is being redirected from productive uses. And the security teams whose time is consumed managing yet another dashboard. And the customers whose data remains vulnerable regardless.
But those are externalities, aren't they?
The exits tell the story. Armorblox to Cisco for approximately what they raised. SlashNext to Varonis for an undisclosed (read: disappointing) sum. Others will follow the same pattern - acquisitions below the last funding round, dressed up with press releases mentioning "strategic value" and "technology integration."
The fundamental problem remains: you cannot build a venture-scale business selling incremental improvements to free products from Microsoft and Google. The unit economics don't function. The retention doesn't hold. The differentiation erodes as the hyperscalers invest billions into the same problem space.
But you can extract substantial founder salaries whilst the venture funding lasts. You can secure employment via acquisition. You can return some capital to early investors whilst later investors take write-downs.
That doesn't make for compelling pitch decks, though.
Sma