Venture Bytes #130: AI-Powered Cyber Attacks are Reshaping the Threat Landscape

 AI-Powered Cyber Attacks are Reshaping the Threat Landscape

In March 2026, Anthropic restricted access to its most capable new model Mythos to a handpicked group of technology and cybersecurity companies. Days later, OpenAI did the same with GPT-5.3-Codex through its invite-only Trusted Access for Cyber program. Two of the most sophisticated AI labs in the world had decided their own models were too dangerous to release freely. These restricted releases are an acknowledgement that the threat level had permanently shifted higher. And the investment implication follows directly: If AI-powered attacks are now inevitable, the only viable defense operates at the same speed as the threat.

The obvious threats such as faster phishing, AI-generated malware, deepfake fraud, are extensions of known problems. The attack surfaces keeping CISOs awake at night are structurally different, and most enterprises have no defense against them.

Google DeepMind's AI Agent Traps research provided a systematic mapping of this new attack surface. Content injection attacks, hidden commands embedded in HTML and CSS that are invisible to human reviewers, achieved up to an 86% agent hijack rate in testing. Behavioral control attacks, which trick agents into exfiltrating data through their own authorized tool access, succeeded in over 80% of cases across tested agents. Sub-agent spawning attacks, which hijack an orchestrator to generate rogue child agents, succeeded at rates between 58% and 90%.

What makes these attack categories structurally dangerous is a single admission from OpenAI in December 2025. The company said that prompt injection, the foundational mechanism behind most agent attacks, is unlikely to ever be fully solved. This is not a gap that will be closed by a software patch or a model update. It is a permanent feature of how language models process instructions, which means the defense cannot be built into the model. It has to be built around it.

Three attack vectors illustrate why existing security tools are structurally blind to this threat. Memory poisoning plants a malicious instruction in an agent's long-term storage, where it sits dormant for weeks and executes only when a triggering condition is met. Researchers demonstrated this in production systems in late 2025. Agents developed persistent false beliefs about security policies and vendor relationships, defended those beliefs as correct when questioned, and executed the planted instructions days later.

The scale of unpreparedness is significant. The Kiteworks’ State of AI Cybersecurity 2026 report, drawing on 1,800 security professionals, found that 46% of defenders do not believe they are adequately prepared for AI-powered threats. Gartner projects that 50% of all enterprise cybersecurity incident response efforts will focus on incidents involving custom-built AI-driven applications by 2028. The gap is not a skills problem or a budget problem but a speed problem.

The AI cybersecurity market stood at $10.8 billion in 2024 and reached $26 billion in 2025. Gartner projects it will reach $172 billion by 2029 at a 73.9% CAGR, among the fastest-growing categories in enterprise software.

Securing the Agent Layer

The most urgent and least defended area is the agent layer itself. Gartner projects 40% of enterprise applications will embed task-specific AI agents by end of 2026, up from less than 5% in 2025. Each agent carries broad system access, persistent memory, and the ability to act across tools and APIs autonomously. OWASP published its first formal taxonomy of agentic AI risks in December 2025, covering goal hijacking, tool misuse, identity abuse, memory poisoning, cascading failures, and rogue agents. None of these are detectable by legacy security tools built for static applications. A recent research analyzing 31,132 agent skills found that 26% of them contained at least one vulnerability. Cisco's State of AI Security 2025 Report found that over 50% of respondents expressed concern about model manipulation, poisoning, or behavioral drift over time.

Securing the future will require more than incremental upgrades. In a world of autonomous threats, security systems must become equally autonomous, continuously adaptive, and uncompromising in their resilience.

That shift is already underway, with a distinct category of AI-native security beginning to take shape. Noma Security is a clear signal that this category has moved from theory to production. Founded in 2023 and backed by Evolution Equity Partners, Ballistic Ventures, and Glilot Capital, Noma provides comprehensive AI security across the full lifecycle, from model development through agent deployment and runtime operation. Its ARR increased by over 1,300% in the past year, with dozens of Fortune 500 customers. That growth rate reflects something specific: enterprises that have already deployed AI agents are discovering, often painfully, that they have no visibility into what those agents are doing. Noma provides the control plane they need.

Autonomous Threat Detection and Response

The second area addresses the speed problem at its root. The average SOC analyst today triages alerts manually and operates with rule-based tools that pattern-match against known threats. AI-powered attacks operate continuously, adapt in real time, and generate novel attack paths with no prior signature. Stacking more analysts on the problem does not solve it. The only viable response is an AI system that investigates at the same speed as the threat.

Torq demonstrates what this looks like at scale. Founded in 2020, Torq has evolved from a specialized security automation tool to a comprehensive SOC platform managing millions of security tasks autonomously for multinational enterprises including LEGO, Marriott, and Prudential.

Torq reported 300% revenue growth in 2025, scaling from $24 million ARR in 2024 to a projected $100 million by 2026, driven by widespread adoption of its AI agents across Fortune 500 security operations centers. The data moat argument applies directly here. Every alert investigated by Torq's agents makes the system more calibrated to that organization’s specific environment, threat profile, and normal behavior. The longer the deployment is, the harder it is to replace.

Offensive AI forLegitimate Defense

The third area is the most contrarian and the most consequential. The same capabilities that made Mythos and Codex too dangerous to release freely are precisely what legitimate security teams need to find their own vulnerabilities before attackers do. Annual penetration tests produce a point-in-time snapshot. AI-powered attacks are continuous. The only viable response to continuous offensive AI is continuous defensive AI that thinks like an attacker.

Novee, founded in May 2025 by IDF veterans, deploys purpose-trained AI agents that reason like expert penetration testers, discover novel attack paths continuously, and deliver exploitable proof rather than theoretical risk scores.

In months under stealth, it had already attracted dozens of enterprise customers across financial services, healthcare, technology, and manufacturing. The Mythos and Codex restricted release model is itself the commercial blueprint. Controlled access to offensive AI capability for the organizations that need it most is not a niche product but a category.

The AI-native cybersecurity category is moving from embryonic to crowded very quickly. Every enterprise that has deployed AI agents has unknowingly created an attack surface that their existing security stack cannot see. Palo Alto Networks acquired Protect AI, Zscaler acquired SPLX, CrowdStrike acquired Pangea, SentinelOne acquired Prompt Security, and Check Point acquired Lakera, all in 2025. Platform consolidation is already underway, and the companies that establish category leadership soon will either be acquired at significant premiums or become the platforms that do the acquiring.

Enterprise AI Start-ups Offer Superior Value Proposition

In just three years, nearly one-third of the Fortune 500 has become a paying customer of an AI startup. In any previous technology cycle, that level of enterprise penetration would have taken the better part of a decade. At the same time, consumer AI, despite massive scale, converts only a single-digit percentage of users into revenue (3%, per Menlo Ventures’ 2025: The State of Consumer AI report).

The implication is structural. Enterprise AI is moving into budgeted, ROI-driven workflows where spend expands with impact while consumer AI is still searching for durable monetization. That divergence will determine where long-term value accrues, not just how much, but how defensibly. In this article, we examine where within enterprise AI that compounding is most likely to occur.

What makes this adoption wave structurally different is who is moving first. Large enterprises have historically been the last to commit, waiting for SaaS and cloud to prove out over years before signing. These same companies have been comparatively quicker on AI adoption. Enterprises are signing top-down contracts and going live before the technology has fully matured, betting on AI's trajectory rather than waiting for certainty.

The data also contradicts early predictions that the ‘app apocalypse’ would lead to purely in-house builds. Instead, enterprises are increasingly migrating from DIY LLM implementations to packaged third-party applications.

Enterprise AI does not behave like consumer software because the product is not the interface, it is the integration. Once deployed, these systems are embedded across CRM, ERP, HRIS, and internal APIs. Over time, they begin to absorb organizational context: workflows, decision logic, historical patterns, and edge cases. This creates a different kind of lock-in.

The shift is clearly visible at the big AI labs. OpenAI’s recalibration around Sora suggests that while consumer use cases attract attention, the enduring value sits in enterprise deployments. Anthropic, which never meaningfully pursued a consumer phase, has grown from $1B in annualized revenue run rate in December 2024 to $30B by April 2026, largely on enterprise contracts.

So, the direction is clear. What is less clear, and more investible, is which pockets within enterprise AI generate revenue that compounds rather than churns.

The Investible Pockets

Vertical AI Agents with Proprietary Data Moats

Foundation models are commoditizing rapidly. The application layer is where value concentrates, and within it, proprietary data is what separates a durable business from a well-timed product.

Vertical AI companies with strong workflow integration achieve customer retention rates 30 to 50% higher than their horizontal counterparts, according to a16z. The reason is structural: a model trained on domain-specific data improves with every customer interaction, creating a flywheel that generic competitors cannot replicate from the outside.

Harvey is the clearest proof point. It built proprietary legal databases spanning 60 jurisdictions, assembled a corpus no new entrant can replicate by buying access to the same foundation model, and reached approximately $200M ARR within three years in a market historically resistant to software.

Abridge has done the same in healthcare, turning doctor-patient conversations into structured clinical notes with accuracy that improves as it processes more institutional data. The key diagnostic is simple. Does the model know something after six months of deployment that it could not have known on day one? If the answer is yes, a moat is forming.

Multi-Agent Orchestration Infrastructure

Most enterprise AI today operates as single-agent systems. One model handles one workflow, one task at a time. This is already stickier than consumer AI by a significant margin, but it understates where the category is heading.

Glean illustrates how durable this category becomes when built on the right foundation. It started as an enterprise search company, indexing documents across an organisation's SaaS stack. What looked like a search product was actually something more defensible: a permissions-aware knowledge graph mapping how information, people, and workflows relate across the entire enterprise.

That graph is what makes Glean's move into orchestration structurally different from competitors building agents without it. In 2025, it launched Glean Agents and Agentic Engine 2, enabling parallel sub-agent orchestration grounded in each company's unique context. It now powers over 100 million agent actions annually and doubled its ARR to $200M in nine months.

The reason this compounds is structural. When a customer service agent, a compliance agent, and a billing agent all operate inside a single orchestrated flow built on a shared knowledge graph, removing one agent requires revalidating every handoff it touched. At scale that is not a migration cost. It is an infrastructure rebuild. IBM research shows that multi-agent orchestration reduces handoffs by 45% and improves decision speed by 3x in production deployments.

The market data reflects this. Gartner reported a 1,445% surge in multi-agent system enquiries from Q1 2024 to Q2 2025, and projects that 90% of B2B buying will be intermediated by AI agents by 2028, with over $15 trillion in spend flowing through agent exchanges.

The agent market is growing from $7.8 billion today to over $52 billion by 2030. Deloitte estimates that better orchestration adds 15 to 30% to the overall market projection. Anthropic's Model Context Protocol, which crossed 97 million installs in March 2026, is already becoming the connective tissue of this ecosystem. The picks-and-shovels bet here is the coordination layer itself, capturing value across every vertical simultaneously without needing domain expertise in any one of them.

Physical World Automation

Physical world automation is a broad category. Humanoid robots, purpose-built machinery, and full hardware stacks get most of the attention. This pocket is about something more precise: software-led physical AI. AI that gives existing industrial equipment, vehicles, and infrastructure capabilities it never had, without replacing the hardware.

The hardware-heavy version of this bet takes years to prove out. The software-led version is live on day one. No new machines. No multi-year manufacturing ramp. Same-day installation, immediate deployment, and a data moat that compounds from the first hour of operation because the sensor data, equipment telemetry, site conditions, failure patterns, operational rhythms, is proprietary, has never been digitised, and cannot be replicated by a competitor buying the same foundation model.

Bedrock Robotics is the clearest illustration of this thesis. Founded in 2024 by former Waymo engineers, Bedrock retrofits existing construction equipment such as excavators, bulldozers, graders with lidar, GPS, and motion sensors that enable fully autonomous operation.

It is autonomy software that runs on the $13 trillion global construction industry's existing fleet. The company emerged from stealth in July 2025 with $80M in seed and Series A funding, completed a large-scale supervised autonomy deployment on a 130-acre manufacturing site in November, and raised a $270M Series B in February 2026 at a $1.75B valuation, co-led by CapitalG and Valor, with participation from NVIDIA's venture arm, 8VC, and Eclipse.

The structural case behind Bedrock is not specific to construction, it is the template for the category. Manufacturing, logistics, agriculture, and infrastructure collectively represent roughly 40% of global GDP, and enterprise software penetration across these sectors is a fraction of what it is in finance, legal, or technology.

Expansion-Play Agents

The most underappreciated pocket in enterprise AI is not the replacement of existing headcount. It is the automation of work that was never economically viable to staff with humans in the first place. Enterprises are not just using AI to do existing things more cheaply. The more interesting dynamic is that AI is creating entirely new categories of work that simply could not exist before.

This unlocks continuous competitive intelligence monitored across thousands of sources in real time. Compliance documentation reviewed at granular frequency across every jurisdiction a company operates in. Financial scenario analysis run across every business unit simultaneously rather than quarterly by a small team. Customer outreach personalised at a scale no human sales organisation could reach. Monday.com replaced 100 SDRs with AI agents at 90% lower cost, but that is the smaller story. Eran Zinman, its CEO, has argued the TAM will ultimately be 100x current software spend when this class of workflow is fully automated. The logic is straightforward. Labor costs are roughly 10x larger than software budgets in most industries. AI platforms that automate work, rather than just digitise it, are competing for a far larger pool of spend.

The business model implication is significant. Expansion-play agents grow with the customer's ambition rather than their org chart. There is no ceiling defined by headcount. NRR in this category should structurally exceed seat-replacement models because usage expands as the organisation finds new workflows to automate, not just as it grows.**

‍

‍