RunSybil raises $40M to automate penetration testing with AI agents that hack like humans

Exclusive: RunSybil, a startup using AI to automate penetration testing, raises $40M in VC funding in round led by Khosla Ventures | Fortune

RunSybil, an AI cybersecurity startup that uses AI agents to automatically hack company software to find security weaknesses, has secured $40 million in venture capital funding. The round was led by Khosla Ventures, with participation from S32, the Anthology Fund from Anthropic and Menlo Ventures, Conviction and Elad Gil, along with angel investors including Nikesh Arora, Amit Agarwal, Jeff Dean, and other founders and leaders from companies including OpenAI, Palo Alto Networks, Stripe and Google. The company did not disclose the valuation it achieved in the new funding round. The company's AI agent, Sybil, conducts continuous autonomous penetration tests against live applications -- finding, exploiting and documenting real security vulnerabilities without humans in the loop. That's different from other security tools currently making headlines, such as Claude Code Security, which analyzes source code in applications for known vulnerabilities before it is deployed. RunSybil instead tests software that is already running, probing live systems the way a hacker would -- by exploring systems, chaining vulnerabilities together and testing authentication boundaries to find paths to sensitive data. Companies have long relied on a mix of penetration tests -- where outside security experts, or "ethical hackers," try to break into their systems; bug bounty programs that reward independent hackers for reporting flaws; and internal "red teams" that simulate real cyberattacks. RunSybil says its AI system can automate much of that work, continuously probing applications for vulnerabilities as new code is deployed. RunSybil argues this kind of automation is becoming necessary as AI reshapes how companies operate. Procurement, legal, finance, engineering and operations are all being rebuilt with AI -- including the growing use of AI agents. Yet security testing is still often treated as a discrete, scheduled event managed by a separate team on its own timeline. That mismatch can be especially challenging for highly regulated industries such as finance, insurance and health care, which face strict legal and audit requirements around cybersecurity. RunSybil was co-founded in 2023 by Ari Herbert-Voss, who joined OpenAI as its first security research hire in 2019, and Vlad Ionescu, who previously led offensive security red teams at Meta. Together, they say they represent a rare intersection: people who understand how to build frontier AI systems and how to hack into complex software. "We check every box that needs to be checked -- for auditors, regulators and compliance teams," Herbert-Voss said. But the real work, he said is transforming where, when and how customers discover and fix security issues: "Not as a project, but as a permanent capability embedded in how they build." Vinod Khosla, who made an early bet on OpenAI in 2019 and often invests in companies he considers to be on the technological frontier, told Fortune that "what it takes to add security and penetration testing to the AI world is definitely frontier -- RunSybil is on the edge." There is currently little competition in this part of the offensive security market, he said, though security incumbents such as Palo Alto Networks may eventually move into the space. For now, "nobody's really knowledgeable about it except individuals like [Herbert-Voss]," he said, adding that he has long been concerned about AI's cyber capabilities falling into the hands of adversaries such as China. "We invest in founders who tackle large, unsolved problems with technically ambitious solutions," he added. "[Herbert-Voss and Ionsecu] are building exactly the kind of platform security teams will need as software complexity and AI-driven development accelerate." Herbert-Voss has long been steeped in both hacking and AI. Growing up in a mostly Mormon community in Utah, he said he was drawn to the online hacker scene in middle and high school but pivoted away after friends "started getting arrested." While pursuing a Ph.D. at Harvard University studying machine learning and ways to make algorithms more efficient, he first heard about OpenAI. He dropped out of Harvard, he said, after becoming convinced that the rapid scaling of AI models -- training larger systems with more data and computing power -- would unlock powerful new capabilities. "Once OpenAI dropped GPT-2, I said wow, this changes everything about the economics of what it would take to run a cyber campaign," he explained. He sent a couple of hacker demos to OpenAI CEO Sam Altman and Jack Clark, then-head of policy at OpenAI who went on to co-found Anthropic. Both of them expressed their concerns about the potential misuse of LLMs and asked Herbert-Voss to come on to do security research. But by 2022, Herbert-Voss said he also began to see how quickly offensive cyber capabilities could evolve once powerful language models became widely available, including to malicious actors. Those same advances, he said, could dramatically expand cyber threats. That led to Herbert-Voss's decision to leave OpenAI and start RunSybil as a research project. RunSybil currently works with startups including Cursor, Turbopuffer, Notion, Baseten, and Thinking Machines Lab, as well as what the company says are major financial institutions and Fortune 500 companies. (The company declined to name any of those Fortune 500 or financial customers.) Herbert-Voss said that customers have already reported finding critical vulnerabilities that had gone undetected using traditional methods.

RunSybil raises $40M to automate offensive security with AI agents - SiliconANGLE

RunSybil raises $40M to automate offensive security with AI agents Offensive security startup RunSybil Inc. said today it has closed on a $40 million round of funding to help enterprises find and fix critical vulnerabilities in their software before the attackers get to them first. The round was led by Khosla Ventures and saw the participation of several venture capital heavy hitters, including Menlo Ventures, Anthropic PBC's Anthology Fund, S32 and Conviction. Notable angel investors in the round include Elad Gil, Palo Alto Networks Chief Executive Nikesh Arora, Datadog Inc. President Amit Agarwal and Google DeepMind Chief Scientist Jeff Dean. The investors RunSybil has managed to attract offer a big hint to the nature of RunSybil's offensive security platform. It leverages autonomous artificial intelligence agents to simulate the behavior of sophisticated human hackers. Unlike traditional cybersecurity tools that require access to a company's source code, RunSybil's agents interact with systems via their standard interfaces, searching for forgotten endpoints and probing for authentication boundaries. They use reasoning to try and replicate an attacker's intuition, then chain together multiple minor vulnerabilities to try and uncover paths to sensitive data that's usually overlooked by legacy scanning tools. It can be thought of as an AI-powered red team, looking to exploit systems and validate security gaps in real time. RunSybil argues that traditional scanning tools leave a persistent visibility gap in cybersecurity due to their reliance on static code analysis and infrequent manual testing. While existing tools excel at identifying known patterns, they're unable to properly replicate how attackers explore and manipulate live systems. Enterprises also have the option to pay for traditional penetration testing, which offers a more thorough examination of its security, but this is done by human experts, meaning it's slow and comes at a steep cost. As such, most companies only do penetration testing once or twice a year. Some companies rely on bug bounty programs to entice third-parties to explore their systems looking for weaknesses, but the results of these can be inconsistent. Independent researchers are motivated by the rewards on offer, and so they try to cherry pick the easy-to-find bugs and secure a quick payout, rather than conducting more comprehensive assessments of a system's architecture. In other words, there are problems with every kind of cybersecurity testing method, said RunSybil co-founder and CEO Ari Herbert-Voss. "Both approaches miss huge chunks of your actual attack surface," he explained. "We're the first to provide comprehensive black-box testing using AI to reason like a security researcher and find critical vulnerabilities without ever seeing a line of code." The startup says its novel approach has already delivered results for AI startups such as Cursor and Notion Labs Inc., as well as a number of unnamed Fortune 500 companies. Those companies report detecting critical flaws that were repeatedly missed by traditional bug bounty hunters and penetration tests. It also claims to have reduced the number of false positives by 90% compared to standard security scanners. One advantage of RunSybil's approach is that its AI agents learn from each previous interaction with a system, which means they become more capable over time. According to Herbert-Voss, it's like having access to an elite, highly-paid team of security researchers. Khosla Ventures founder Vinod Khosla said RunSybil's approach to security testing will lead to a fundamental shift in how modern software is protected. "We invest in founders who tackle large, unsolved problems with technically ambitious solutions," he explained. "Ari and Vlad are building exactly the kind of platform security teams will need as software complexity and AI-driven development accelerate." With its war chest now stuffed with cash, RunSybil plans to accelerate its research and development and expand its agentic security testing capabilities further. At the same time, it will scale its go-to-market teams and hire more researchers.