Cybersecurity Startups funded by Y Combinator (YC) 2026

Enterprises are racing to adopt AI, but often don't have the right controls in place or know how to verify vendors are compliant. LogosGuard turns AI policies into executable controls, stress-tests your AI products, and continuously monitors changes, giving enterprises the confidence to scale AI responsibly.

The most flexible enterprise compliance engine that makes GRC teams 10x more efficient. Already trusted by global leaders and the largest EU enterprises. What it does: - Extracts requirements from any file - Maps them to controls and policies - Shows gaps and monitors changes - Advises on maturity and next steps

Veria Labs is developing AI agents that hack better than the best human hackers. Founded by members of the #1 US competitive hacking team, we've already found critical bugs in AI tools, operating systems, fintech and billion dollar crypto exchanges. Now we're scaling that expertise through AI-native security tooling that operates faster than human researchers while finding deeper, more complex vulnerabilities that traditional tools miss.

Riverbank is an ex-NSA and DoD team creating the first AI native offensive red team, starting with the $3B pentesting market. We blend AI agents with experienced human operators to find what traditional vulnerability scanners miss and break through organizational cyber defenses with swarms of AI agents.

ContextFort gives security teams visibility and controls for AI browser agents. It’s a Chrome extension that: Detects when an AI agent takes control of the browser Records every action during the session (pages visited, clicks, text entry) Provides controls to prevent risky actions and cross-site data leakage

Right now, someone could look up your employees online, craft a perfect phishing email using what they find, and get into your systems by lunch. Or just call your help desk and pretend to be a new hire. No malware. No exploit. Just a conversation. GhostEye does this first. We continuously map your employees' real-world exposure the same way a threat actor would, then automatically generate and launch personalized phishing attacks, scam calls, texts, and deepfakes to test them before the real thing hits. Every attack is unique because every employee's exposure is unique. Quantified human risk scores that track over time. Employees shown exactly how they were compromised. Not a training platform. A security tool.

Probo acts like your compliance team. You tell us how you work, and Probo does the rest: 1. Set the right requirements - not overkill 2. Handle docs, risks, controls, evidence 3. Run the audit 4. Keep everything up to date afterward Founders shouldn’t lose weeks to this stuff. Even one day is too much.

Cotool is an agentic security platform that eliminates manual and repetitive work for security teams. Today’s cybersecurity teams remain bogged down by alert fatigue, context switching, and documentation overhead. Security teams don't need more dashboards with "AI-powered insights" — they need their time back. Cotool empowers teams to build security their way. Our platform provides an AI co-pilot that automatically assembles context across tools, a no-code agent builder that transforms successful investigations into reusable automations, and automated report generation, providing comprehensive documentation in seconds. Unlike solutions that force teams to adapt to vendor workflows, Cotool puts the power of AI directly in practitioners' hands, letting them shape tools around their unique processes. Early users have already cut time spent on investigation and detection engineering by 70%.

Insider threats cost the average enterprise $17.4M per year and take up to 3 months to contain. Most of those threats (employees leaking IP, contractors staging data for exfil, accounts misusing AI tools like Copilot) get buried in thousands of noisy alerts from traditional security tools. Candor changes this by telling your security team exactly who to watch before they cause damage. Zero tuning, detection from day one, and it actually learns from analyst feedback.

Archon helps software companies sell to the government by cutting the required federal compliance timeline (called FedRAMP) down from 16 to 6 months and cuts costs by $1M per company. Email us at inquiries@archon.inc

We built Gecko for teams that want to build secure code quickly without wasting time on security tools that don’t deliver results, or relying on one-time human pentests that quickly become outdated. Gecko uses AI to understand how your application should work, simulates relevant attacks to find critical vulnerabilities, and then verifies these vulnerabilities by exploiting them. It also helps you understand the risk of these vulnerabilities and applies a working fix to keep your code secure.

ZeroPath is a developer tool that autonomously detects, verifies, and submits fixes for vulnerabilities in your code. Engineers can use ZeroPath to find security problems that they might only otherwise catch in pentests or from bug bounty researchers.

Splendor provides year-round security coverage for startups that aren't ready to hire a CISO. Start with continuous embedded code review and exploit research, or scale to get a fractional security function covering board reporting, security roadmaps, and enterprise procurement reviews.

CodeAnt AI is the agentic code security platform, combining defense and offense in a single self-learning engine. Defense → AI Code Review: Cuts code review time down 80%. → Code Security: SAST, SCA, Secrets, IaC, SBOM in one scan. → Code Quality: Retires SonarQube across 30+ languages. Offense → AI Pentesting: 500+ exploit agents, 48-hour report. Free unless we find a critical. Plus Developer 360: engineering metrics that ship work. Works with GitHub, GitLab, Bitbucket, Azure DevOps. Every IDE, every CI/CD, every language. SOC 2 Type II & HIPAA Complaint.

Metalware develops advanced firmware security solutions for critical infrastructure, protecting industries like aerospace, defense, automotive, telecom, and healthcare from cyber threats. Our product is an automated, intelligent binary fuzzer that enables organizations to efficiently discover and remediate security weaknesses in hardware products before deployment.

Corgea is an autonomous application security platform that finds and validates vulnerabilities, then generates safe code fixes developers can apply in their existing workflow. In production customers like Zapier and Yageo, see ~20% more true positives and ~90% fewer false positives (vs their prior tooling), reducing triage and speeding remediation without adding headcount.

Variance builds AI agents for fraud, identity, and investigations for Fortune 500s, Marketplaces, and regulated financial services.

Matano is a modern SIEM, built for cloud-first security teams. It replaces traditional SIEM databases like Splunk or Elastic with a cybersecurity platform built on top of a cost-effective Security Data Lake.

Build, govern, and deploy enterprise AI agents and MCP servers Powered by your data, subject to enterprise controls

Overwatch Data offers real-time AI agents to scale fraud, cyber, and security teams. Our agents automate the threat intelligence and brand protection workflow, while also conducting risk reviews at scale to detect fraud and financial crime.

Malloc monitors and prevents anyone from recoding or transmitting data from your mobile device without your knowledge. Malloc uses on-device AI to detect zero-click spyware and abnormal activity and blocks any suspicious communication in real time. We sell this to individuals, enterprises and governments that care about their privacy.

Skypher is an AI agent platform that automates your security/privacy/ddq/esg compliance questionnaires response process making it 10x faster. We save dozens of hours for @Deel, @Retool or Adobe's engineering, sales, customer success, and security leaders on security questionnaires and speed up their sales cycle by 20%. Skypher was launched in 2019 in San Francisco and is now the market leader in security questionnaires response automation with 200+ global customers worldwide across North America, Europe and India. We work with Fortune 500 companies such as Adobe, McKinsey & Company, TeamViewer or CMA CGM as well as fast growing tech companies like Deel, TCN or Retool. With a team of over 30 people across Europe and North America with global offices in New York and Paris.

MedCrypt has developed a security toolkit that allows medical device developers to focus on diagnosing and treating disease, while ensuring their devices comply with security regulations and best practices. And since each installation of our software communicates with our MedCrypt network, we can use machine learning-based transaction monitoring algorithms to detect anomalous behavior, thwarting attacks in real time. This centralization of transaction data allows us to facilitate "Threat Sharing" between device vendors, helping build a community of device vendors offering the most secure devices possible. MedCrypt protects medical devices against malicious hacking. Each installation of our software communicates with our MedCrypt network, allowing us to use machine learning-based transaction monitoring algorithms to detect anomalous behavior, thwarting attacks in real time. This centralization of transaction data allows us to facilitate "Threat Sharing" between device vendors, helping build a community of device vendors offering the most secure devices possible. If someone hacks your connected thermostat, you’re uncomfortable. If someone hacks your pacemaker, you could be dead. MedCrypt is bringing modern software security technologies to an important, but underserved technology sector.

Salt Security protects the APIs that form the core of every modern application. Its patented API Protection Platform is the only API security solution that combines the power of cloud-scale big data and time-tested ML/AI to detect and prevent API attacks. By correlating activities across millions of APIs and users over time, Salt delivers deep context with real-time analysis and continuous insights for API discovery, attack prevention, and shift-left practices. Deployed quickly and seamlessly integrated within existing systems, the Salt platform gives customers immediate value and protection, so they can innovate with confidence and accelerate their digital transformation initiatives. Salt pioneered API security and is the industry leader for API security with a proven record of success. You can watch a 90-second overview video of the Salt Security API Protection Platform here: https://youtu.be/Z5nzavnBJj4

Leverage cutting-edge AI to detect exposed credentials in real time and protect your organization from high-impact data breaches.

Pronounced Zee-O-L. End-of-life (EOL) and outdated software are a black box of vulnerabilities with very limited remediation paths. These 2 factors combine to make managing them a necessary proactive practice. Xeol enables enterprises and Fortune 500s to create a proactive EOL management program that directly contributes to better vulnerability management and lower cyber insurance.

Tarsal is a data pipeline custom built for security teams. As security data grows 25% year over year, security teams desperately need access to best-in-class data infrastructure. Tarsal bridges the gap between the modern data stack and security teams, pioneering the modern security data stack.

Telivy helps small and medium businesses purchase the best cyber insurance coverage. Our proprietary ML-based risk platform assesses insurability gaps, offers remediation plans and brokers insurance quotes from A+ rated carriers.

Stacksi helps companies automate the process of answering enterprise security questionnaires so they can close deals faster and save their best engineers’ time for more strategic projects. Salespeople, CTOs, and CEOs of fast-growing enterprise startups can upload security questionnaires into our system. If the company already has written security policies, they can upload those documents, too. From there, Stacksi parses their documents, identifies gaps in their security policies vs. standards, and helps them establish a successful security program. Ultimately, we will help them 1) automate completion of security questionnaires, 2) quickly get through enterprise security audits and 3) improve their security posture.

Trust Center Platform SafeBase Trust Center enables Security teams to proactively share and automate access to security, compliance, and privacy information/ complete security questionnaires.

Hunter2 teaches modern appsec to engineering teams through interactive labs. Developers get hands-on practice exploiting and patching real web apps written in their tech stack.

Cymmetria is a cybersecurity company at the forefront of deception technology, and offers the only commercially available deception technology that has caught 5 nation-state APTs. Cymmetria’s deception products, MazeRunner and ActiveSOC, give organizations the ability to hunt attackers, detect lateral movement inside the perimeter, automate incident response, and mitigate attacks. The company also offers deception as a service, enabling organizations to customize deception technologies for their business environment. Founded in 2014 by security expert Gadi Evron, Cymmetria is changing the asymmetry of cybersecurity, giving defenders the upper hand. For more information, visit www.cymmetria.com.

Cyberfend offers a robust security solution to protect your web and mobile applications from sophisticated attacks and fraudulent activity. Cyberfend's solution detects account take-over, payment fraud and the use of stolen credentials. All of these problems are relevant to every consumer facing web and mobile product/service. Cyberfend’s solution uses a new security paradigm – human cognitive science coupled with advanced machine learning. The result is a robust detection system with near zero false positives and false negatives. Today Cyberfend protects nearly a billion login and payment transactions every month for many large e-commerce, web and payment customers. Cyberfend's product is at the intersection of almost every single cutting edge technology today : a) Our core product employs heavy machine learning b) On the backed, our product is cloud based and deals with enormous scale (customers are directing significant portions of their traffic to us) c) On the front end we need to deal with both web and mobile (IOS, SDK) challenges.Please visit us at: www.cyberfend.com. Cyberfend is backed by Y Combinator, SV Angel and A Capital. Cyberfend was acquired by Akamai Technologies in December 2016.