Our investment in Lema AI.
Here’s a statistic that every CISO knows all too well: 60% of data breaches start with a compromised third-party vendor. Yet most companies still manage this massive attack surface with spreadsheets and annual questionnaires — tools better suited to the 1990s than today’s interconnected digital economy.
The problem is accelerating. The average enterprise now depends on more than 1,000 external vendors, from SaaS platforms to AI agents. These aren’t just service providers listed in a procurement database. They have direct access to your systems, your data, and your customers. When they get breached, you get breached.
Traditional third-party risk management tools aren’t built for this reality. They rely on “outside-in” security ratings: generic scores derived from public data that are often wrong and out of date. They can’t tell you what your vendors are actually doing inside your environment right now. They can’t show you which vendor has access to your sensitive systems and data. And when a vendor gets compromised, they certainly can’t tell you how to shut down the threat before it spreads.
We need a fundamentally different approach. One that treats vendor security as an active threat modeling problem, not a compliance checklist.
Lema is emerging from stealth after raising $24M across seed and Series A rounds to rebuild third-party risk management from the ground up. Instead of a compliance platform with an AI wrapper, Lema’s focused on a completely new category: continuous vendor security powered by agentic AI that thinks like an attacker.
Founders Eddie Dovzhik (CEO), Tomer Roizman (CTO), and Omer Yehudai (CPO) served together as security researchers and R&D leaders in Unit 8200, Israel’s elite cyber intelligence unit. All three are offensive security researchers who bring an attacker’s mindset to a space that’s been dominated by auditors and checkbox-fillers.
Their deep cyber DNA shows up everywhere in how Lema has been built. The platform forensically analyzes every document your vendors submit and scours public sources for information vendors might prefer to keep quiet. Most importantly, it monitors in real time how vendors actually behave inside your environment — tracking data movement, permission changes, and access to critical assets.
Lema’s platform runs three core intelligence engines, all feeding into what they call Agentic Risk Engineering. The first, Forensic Artifact Analysis, automatically dissects unstructured vendor documents (e.g., SLAs, compliance reports, security questionnaires) to surface hidden risks and contradictions that human reviewers miss.
The second, OSINT Recon, continuously gathers intelligence from public sources, dark web monitoring, and breach databases to identify vendor vulnerabilities before they become your vulnerabilities. The third, and most important, is Blast Radius Monitor, which provides real-time visibility into exactly what would happen if a vendor got compromised: Which systems would be exposed? Which data would be at risk? Which users would be most impacted? What’s the precise sequence of actions needed to contain the threat?
By combining “inside-out” visibility with “outside-in” intelligence (what’s happening in the broader threat landscape), Lema can assess a new vendor in under five minutes and provide specific, actionable remediation steps.
Lema is tackling a massive and worsening problem with a differentiated approach — and they have the right team to pull it off.
Eddie previously scaled the early product at Noname Security from seed through Series C, learning how to take a technical platform to market in the enterprise cybersecurity space. Tomer and Omer led research and engineering teams in elite cyber organizations, building systems that had to work under the most demanding conditions imaginable.
What’s impressed us most is their go-to-market hustle. The Lema team built their customer base at supply chain and GRC conferences across America. Why? Because that’s where to find the people responsible for vendor risk. They’re meeting CISOs and compliance officers where they live and learning their pain points. This combination of offensive security chops and bottom-up market understanding is rare. The team isn’t trying to sell another security rating service. Instead, they’re transforming the old-school GRC philosophy into real security engineering.
The market is responding. Lema already counts Fortune 500 companies among its customers, spanning highly regulated industries like financial services and healthcare. As one CISO told us: “Lema removes the compliance theatre of traditional security ratings by providing verified, evidence-backed risk data.” That’s the difference between checking boxes and actually reducing risk.
Lema is emerging from stealth at exactly the right moment. Companies are drowning in vendor relationships, and AI agents are proliferating across the enterprise — each one representing a new potential attack vector. Regulators are demanding more rigorous third-party risk management. And traditional TPRM tools are failing to keep up.
We backed Lema at seed when they were three relentless founders with a vision but no product. Watching them transform that vision into an industry-leading platform that customers genuinely love has been remarkable to witness. We believe Lema is fundamentally changing how enterprises secure their supply chains — moving from reactive compliance to proactive Risk Engineering.
The future of cybersecurity requires vendor ecosystems built on trust and backed by real security, not just paperwork. Lema is building the foundation for that future.
We’re excited to be along for the journey.