2 Sources
[1]
Invictus-backed cybersecurity company ThreatModeler acquires competitor IriusRisk for over $100 million | Fortune
The rise of AI coding tools means developers can create software applications faster than ever, but the risk for hacks and exploits is growing in lockstep. ThreatModeler, a cybersecurity company that helps developers identify vulnerabilities in their applications, announced on Thursday it is acquiring its largest competitor, IriusRisk. The deal is for over $100 million, according to a source with direct knowledge, who added that the annual recurring revenue for the combined companies is around $50 million. In an interview with Fortune, ThreatModeler CEO Matt Jones said that his company's goal is to "democratize" the practice of vulnerability detection at a time when many must rely on basic tools from larger platforms like Microsoft or turn to AI for threat modeling, which Jones argues is insufficient and can lead to massive risks. Jones said the acquisition will let ThreatModeler keep pace as firms are scaling up their coding capacity like never before. "For us to be able to bring the two leaders together," he said, "We can be much more aggressive on [our] roadmap." Founded in 2010, the New Jersey-based ThreatModeler provides automated software that helps coders review security flaws in their applications before launching them. For many organizations, the alternative is relying on experts known as security architects, who review codebases after they're live, which can be a cumbersome and often belated process. Originally bootstrapped by founder Archie Agarwal, ThreatModeler took its first institutional funding in 2024 from the growth equity firm Invictus, which bought a majority stake in the company. Invictus will now be a majority investor of the combined businesses as well. Until the acquisition, which closed at the end of 2025, ThreatModeler's largest competitor was the Spain-based IriusRisk, with ThreatModeler even filing a patent infringement lawsuit against IriusRisk in early 2025. 
Aside from resolving the litigation, Jones said that the deal made sense for customers by combining the two platforms, which he described as "80%" similar. "What we're going to do is take the best of both and bring them together," he said. The combined firms will have around 300 customers, which Jones said are mostly Fortune 1000 companies like banks and big tech operations, though he declined to name specific ones due to security concerns. While ThreatModeler was founded well before the Nov. 2022 launch of ChatGPT set off the current AI revolution, Jones said that his company has integrated AI into its workflow, including a plan to launch an agentic product in the second half of next year that can adapt organizations' threat models as their applications evolve. The flip side of AI is that as organizations' coding capacity increases, so does their need for software like ThreatModeler. "The more code that gets cranked out, the more that needs to be evaluated," Jones said. Different jurisdictions, including the U.S., Canada, and the European Union, are also implementing mandates for companies such as financial institutions and hardware manufacturers to maintain their own cyberthreat models. As potential vulnerabilities accelerate, ThreatModeler's new main competitor is likely companies turning to AI to develop their own threat modeling approach. But Jones said part of his company's role is to educate on the need for robust cybersecurity practices. "If you do it yourself, you're kidding yourself," he said. "You may be thinking you're doing threat modeling, when in fact you might be creating more risk for yourself."
[2]
ThreatModeler acquires competing threat modeling startup IriusRisk - SiliconANGLE
ThreatModeler Software Inc., a provider of cybersecurity posture analysis software, today disclosed that it has acquired a Spain-based rival called IriusRisk SL. The terms of the deal were not disclosed. When developers determine that an application may contain cybersecurity risks, they create what's known as a threat model. That's a diagram of the application's components and vulnerabilities. It also provides information on how a hacker might go about exploiting the vulnerabilities as part of a cyberattack. Creating threat models is a highly time-consuming task, particularly in large companies where developers may have to analyze dozens of applications. New Jersey-based ThreatModeler provides a platform that speeds up the process. Developers can use artificial intelligence features built into the software to automate certain aspects of the diagram creation workflow. According to ThreatModeler, its platform also speeds up certain related tasks. It can not only visualize the cybersecurity flaws in an application but also prioritize them by severity. For example, the platform might determine that a certain vulnerability should be prioritized because it's being actively exploited by a hacking group. The built-in AI generates remediation suggestions to speed up the remediation workflow. IriusRisk sells a competing threat modeling platform that automates many of the same tasks as ThreatModeler. It also provides several features not supported by the latter company. At the start of a software project, developers put together a list of the features they plan to build. That list is often stored in Atlassian Corp.'s Jira platform. IriusRisk provides a tool called Bex AI that can analyze feature descriptions in Jira and flag any issues they contain. For example, the tool could point out if a proposed feature might weaken an application's encryption mechanism.
Fixing vulnerabilities at the design stage is easier than in subsequent phases of the development workflow. Once a vulnerable feature is live, rewriting its code can take a significant amount of time. It may also require developers to update other application components that depend on the feature. IriusRisk says that its platform can be used to map out not only cybersecurity flaws but also other risks. The software highlights application components that breach data management regulations such as GDPR and HIPAA. Furthermore, companies can use the built-in diagramming features to visualize risks in their supply chains.
ThreatModeler has acquired its largest competitor IriusRisk in a deal worth over $100 million, creating a unified cybersecurity company focused on threat modeling. The combined entity will serve around 300 customers with $50 million in annual recurring revenue. The acquisition addresses growing security risks as AI coding tools accelerate software development.
New Jersey-based cybersecurity company ThreatModeler has completed its acquisition of Spain-based competitor IriusRisk in a deal valued at over $100 million [1]. The transaction, which closed at the end of 2025, brings together the two dominant players in threat modeling software at a critical moment when AI coding tools are transforming the software development landscape. The combined companies now generate approximately $50 million in annual recurring revenue and serve around 300 customers, primarily Fortune 1000 companies including major banks and technology firms [1].
The acquisition comes as developers use AI to create software applications at unprecedented speed, which at the same time makes cybersecurity risks harder to identify. ThreatModeler CEO Matt Jones emphasized that the deal positions the company to "democratize" vulnerability detection practices at a time when many organizations rely on insufficient basic tools from larger platforms like Microsoft or attempt threat modeling with AI alone, which Jones argues creates massive risks [1]. The merger also resolves a patent infringement lawsuit ThreatModeler filed against IriusRisk in early 2025 [1].
Threat modeling involves creating detailed diagrams of application components, vulnerabilities, and potential exploit paths that hackers might use. Both platforms automate this traditionally time-consuming process, which is particularly burdensome in large enterprises analyzing dozens of applications [2]. ThreatModeler's software incorporates artificial intelligence features that help developers visualize security flaws and prioritize them by severity, such as identifying vulnerabilities actively exploited by hacking groups. The platform also generates remediation suggestions to accelerate fixes [2].
IriusRisk contributes distinct features that complement ThreatModeler's offerings. Its Bex AI tool integrates with Atlassian's Jira platform to analyze feature descriptions at the design stage, flagging potential issues, such as weaknesses in encryption mechanisms, before code is written [2]. This early intervention proves more efficient than fixing vulnerabilities after features go live, which often requires extensive code rewrites. IriusRisk's platform also maps compliance risks, highlighting application components that breach regulations like GDPR and HIPAA, and extends beyond application security to visualize supply chain risks [2].
Founded in 2010 by Archie Agarwal, ThreatModeler operated as a bootstrapped company until 2024 when growth equity firm Invictus acquired a majority stake. Invictus will maintain majority ownership of the combined entity [1]. The merger positions ThreatModeler to capitalize on expanding regulatory requirements, as jurisdictions including the United States, Canada, and the European Union implement mandates requiring financial institutions and hardware manufacturers to maintain cyberthreat models [1].
Matt Jones described the two platforms as "80%" similar and plans to integrate the best features from both to create a unified offering for customers [1]. ThreatModeler plans to launch an agentic product in the second half of 2026 that can dynamically adapt organizations' threat models as their applications evolve [1]. Jones noted that as coding capacity increases through AI, so does the volume of code requiring security evaluation. He warned that organizations attempting DIY approaches with AI risk creating more vulnerabilities than they prevent, positioning specialized platforms as essential alternatives to relying on security architects who typically review codebases only after deployment [1].
Summarized by Navi