Market Map: Our Security Portfolio
Enterprise security is being rebuilt from scratch — from how code is written, to how the cloud is defended, to how AI agents are governed. These companies are leading the way.
One of the biggest issues in cybersecurity right now is the gap between modern enterprise environments and the legacy tools still trying to protect them.
Three reasons this gap keeps widening:
- Companies are moving to the cloud faster than ever
- AI agents are everywhere
- Attackers are using AI to get smarter
The security architectures most companies rely on were built for a different era: on-prem environments, human users, and slower-moving threats. They weren’t designed for what’s coming next.
But there are companies working to close this gap, solving for runtime visibility, autonomous remediation, and agentic identity management — categories where legacy vendors are too slow or too locked into old architectures to lead.
At Salesforce Ventures, we’ve backed some of the leading platforms across these layers of the security stack: software supply chain security, cloud and SaaS security posture, vulnerability intelligence, runtime defense, identity and access governance, compliance and trust, third-party risk, and AI security.
Here’s how we see the landscape, and where we’ve invested.
20 Companies Building Next-Generation Enterprise Security
Our investments touch every part of the enterprise; from how code is written to how AI systems are governed. Each company solves a problem that legacy security tools aren’t equipped to handle.

Software Supply Chain Security
- Leadership: Dan Lorenc, Matt Moore, Ville Aikas
- Stage: Series D
- Location: Kirkland, WA
What they do: Chainguard provides hardened, secure, and production-ready builds of open source artifacts, including containers, language libraries, and VM images that are verified and traceable. Their platform enables engineering teams to ship code with a “secure-by-default” foundation, eliminating vulnerabilities and ensuring compliance across the software development lifecycle.
- Leadership: Varun Badhwar
- Stage: Series B
- Location: Palo Alto, CA
What they do: Endor Labs is an AI-native application security platform that helps teams identify, prioritize, and fix vulnerabilities in both open source and AI-generated code. It uses deep program analysis and agentic reasoning to surface risks that actually matter, allowing developers to ship secure code without compromising on speed.
- Leadership: Guy Podjarny, Danny Grander, Assaf Hefetz
- Stage: Series G
- Location: Boston, MA
What they do: Snyk is an AI-native developer security platform that enables organizations to find and fix security vulnerabilities in their custom code, open-source dependencies, containers, and cloud infrastructure. Its mission is to empower businesses to build fast and stay secure by integrating autonomous defense and intelligent protection directly into the software development lifecycle.
Cloud & SaaS Security Posture
- Wiz (exited)
- Leadership: Assaf Rappaport, Ami Luttwak, Yinon Costica, Roy Reznik
- Stage: Acquired by Alphabet for $32B in 2025
- Location: New York, NY
What they do: Wiz connects code, cloud, and runtime into a single security graph that provides the end-to-end context required to automate risk reduction and threat response. By creating a normalizing layer between cloud environments, the platform enables organizations to rapidly identify and remove critical risks at AI speed.
- Leadership: Brendan O’Connor, Brian Soby
- Stage: Series C
- Location: San Francisco, CA
What they do: AppOmni delivers continuous SaaS and AI security posture management, threat detection, and vital security insights into SaaS applications. The platform provides security teams with visibility into posture, access, third-party connections, and AI-related activity to prevent data exposure and identify unsanctioned shadow tools.
Vulnerability Intelligence & Security Validation
- Leadership: Sunil Gottumukkala, Vishal Agarwal
- Stage: Series A
- Location: Palo Alto, CA
What they do: Averlon is an agentic Remediation Operations (RemOps) platform that identifies materially exploitable vulnerabilities and delivers safe, context-aware fixes directly into developer workflows. It uses AI to prioritize risks that break attack chains and applies the same reasoning pre-merge to prevent new exposure before it reaches production.
- Leadership: Brett Galloway, Stephan Chenette, Rajesh Sharma
- Stage: Series D
- Location: San Francisco, CA
What they do: AttackIQ provides an Adversarial Exposure Validation (AEV) platform that runs Continuous Threat Exposure Management (CTEM) end-to-end to map adversary paths, reveal what leads to real attacks, and prove that security defenses work as intended. By emulating real-world adversary behavior aligned with the MITRE ATT&CK framework, the platform helps organizations prioritize exposures and validate safeguards at scale.
- Leadership: Casey Ellis, Chris Raethke, Sergei Belokamen
- Stage: Series E
- Location: San Francisco, CA
What they do: Bugcrowd provides an AI-powered crowdsourced cybersecurity platform that connects organizations with a global community of trusted hackers and pentesters to identify and fix hidden vulnerabilities. Their platform enables proactive risk reduction through services such as Bug Bounty programs, Penetration Testing as a Service (PTaaS), and Vulnerability Disclosure.
Runtime Defense & Endpoint Security
- Leadership: Amiram Shachar, Lavi Ferdman, Tal Zuri, Liran Polak
- Stage: Series B
- Location: San Francisco, CA
What they do: Upwind secures cloud deployments, configurations, and applications through a runtime fabric that provides real-time visibility from the inside out. The platform provides a live map of network and application topology, prioritizes security fixes based on real-time usage, and detects threats as they occur.
- Leadership: David Hindawi, Orion Hindawi, Dan Streetman
- Stage: Late Stage
- Location: Kirkland, WA
What they do: Tanium delivers Autonomous IT with real-time endpoint intelligence and control, empowering organizations to manage and secure their endpoints at scale. Its unified platform integrates workflows across IT, risk, compliance, and security to provide comprehensive visibility and real-time remediation.
- Leadership: Yoav Levy, Yonatan Appel
- Stage: Series C
- Location: Herzliya, Israel
What they do: Upstream provides a cloud-based, agentless platform purpose-built for the mobility and transportation ecosystem to secure connected vehicles and IoT devices. By leveraging AI and machine learning to analyze real-time data from telematics and APIs, the platform delivers proactive threat detection, cybersecurity response (XDR), and quality monitoring to mitigate cyber risks and operational disruptions.
Identity & Access Governance
- Leadership: David Faugno, Dave Teare, Roustem Karimov, Natalia Karimov, Sara Teare
- Stage: Series C
- Location: Toronto, Canada
What they do: 1Password provides control and governance for passwords, secrets, apps, and access, allowing teams to work securely. It offers visibility and control for both humans and AI agents through a trusted vault for identities, credentials, and secrets.
- Leadership: Jim Alkove, Jagadeesh Kunda
- Stage: Series B
- Location: Seattle, WA
What they do: Oleria unifies fragmented identity and access data across SaaS, cloud, and on-prem systems to provide a single, consistent view of access and activity. Their AI-driven Trustfusion platform delivers fine-grained visibility and autonomous control to help organizations continuously enforce least-privileged access for human, non-human, and AI identities.
- Leadership: Bel Lepe, Fernando Hernandez
- Stage: Series A
- Location: San Francisco, CA
What they do: Cerby is an identity automation platform purpose-built to secure “disconnected” applications — those that fall outside the reach of traditional identity security tools. It integrates with existing IAM, IGA, and PAM systems to bring centralized access controls, automate manual security tasks, and extend governance across the entire application ecosystem.
Compliance, Trust, and Data Privacy
- Leadership: Adam Markowitz, Daniel Marashlian, Troy Markowitz
- Stage: Series C
- Location: San Diego, CA
What they do: Drata provides an agentic trust management platform that leverages autonomous AI agents to automate compliance, manage internal and third-party risk, and continuously prove a company’s security posture. It streamlines the audit-ready journey for frameworks such as SOC 2, ISO 27001, and HIPAA through continuous control monitoring and automated evidence collection.
- Leadership: Tyler Sweatt
- Stage: Series C
- Location: Wilmington, DE
What they do: Second Front accelerates government access to emerging technologies by simplifying the software development, compliance, and delivery process for mission-critical applications. Their fully accredited DevSecOps platform, Game Warden, enables software providers to rapidly achieve security authorizations (like ATO) and deploy to regulated government networks.
- Leadership: Dimitri Sirota, Nimrod Vax
- Stage: Series E
- Location: New York, NY
What they do: BigID helps organizations find, understand, manage, and protect high-risk and high-value data wherever it lives. Their unified platform delivers data security posture management (DSPM), risk remediation, and AI governance to ensure data is secure, compliant, and private across cloud, on-prem, and AI systems.
- Leadership: Devin Redmond, Rich Sutton
- Stage: Series B
- Location: Santa Barbara, CA
What they do: Theta Lake provides a cloud and AI native Digital Communications Governance and Archiving (DCGA) platform that captures, archives, and detects risks across video, voice, chat, and AI-generated content. Their solution enables organizations to use modern collaboration tools and AI safely by reducing compliance, conduct, and data protection risks.
Third-Party Risk
- Leadership: Eddie Dovzhik, Omer Yehudai, Tomer Roizman
- Stage: Series A
- Location: New York, NY / Tel Aviv, Israel
What they do: Lema AI has built the world’s first “Agentic Risk Engineer”, an AI that doesn’t just read documents, but investigates like an elite security researcher to uncover the material risks that traditional compliance checklists miss. The platform continuously monitors how third parties interface with an enterprise’s systems and artifacts to provide real-time risk mitigation and actionable intelligence.
AI Security
- Protect AI (exited)
- Leadership: Ian Swanson, Daryan Dehghanpisheh, Badar Ahmed
- Stage: Acquired by Palo Alto Networks in 2025
- Location: Seattle, WA
What they do: Protect AI is a comprehensive AI security solution that secures AI applications from model selection and testing to runtime and beyond. Their platform provides tools for model scanning, AI red teaming, and runtime protection to ensure a formidable security posture across the entire AI lifecycle.
What’s driving enterprise security spending in 2026
1. Cloud security is moving from scanning to real-time defense.
We’re still in the early innings of cloud migration. The industry is expected to grow by nearly 28% annually to over $70B by 2030. But even as enterprise workflows increasingly move to the cloud, security tools have lagged behind.
Cloud environments introduce new problems like leaked credentials, misconfigured storage, and exposed APIs that traditional security tools weren’t designed to catch.The next wave of tools work from inside production systems in real time, filtering out 95%+ of alert noise by showing which vulnerabilities can actually be exploited.
Recent studies estimate the cloud security platform market at roughly $5–10 billion, with most forecasts calling for around 20–30% annual growth through the next decade
2. AI-powered attacks require automated defense.
Attackers are already using AI to scan networks, find weaknesses, and launch attacks at machine speed — and frontier models like Mythos are only accelerating that capability. Human security teams can’t match that pace.
The response has to be automated. Companies are building AI agents that continuously probe for weaknesses, and AI-powered platforms that can detect, investigate, and respond to threats without waiting for a human.
3. AI agents need their own identity and access controls.
AI agents have moved beyond answering questions. They now query databases, run code, call APIs, and modify records.
Traditional identity and access management (IAM) was designed for people clicking through apps, not autonomous systems making thousands of requests per minute. The protocols these agents use are still new, and most lack the controls to tell the difference between a legitimate request and a malicious one.
4. AI systems need their own security layer.
When companies connect AI models to internal data, they face risks on both sides: corrupted training data going in, and leaked company data, hallucinations, or harmful outputs coming out.
Despite the urgency, dedicated AI security startups have raised only a small fraction of total cybersecurity funding relative to the threat.
5. Social engineering and deepfakes are outpacing detection.
Generative AI has made it cheap and easy to create convincing fake voices, images, and messages at scale. According to IRONSCALES Fall 2025 Threat Report, 85% of organizations experienced deepfake incidents in the past year, and 61% of those lost over $100,000.
Meanwhile, detection accuracy has fallen to barely better than a coin flip. The response is shifting from annual security awareness training to continuous, AI-powered simulations that train employees to recognize and report attacks in real time.
The new security stack starts here
Legacy security vendors were built for a world of on-premises infrastructure and human identities. But that world is gone.
Now, every enterprise is managing three transitions at once: moving workloads to the cloud, putting AI into production, and governing a growing number of autonomous agents. Each one creates attack surfaces that older architectures don’t cover.
We’re looking for founders building the next wave of real-time security, identity systems designed for AI agents, and AI security infrastructure that doesn’t exist yet. If you’re building in any of these categories, we want to hear from you.