Announcing our Investment in Nebulock

Damien is one of those founders you drop everything and chase after, and I certainly did.

We had heard great things about Nebulock and shot him a few notes to very little avail. Our good friend Dan at Decibel (thank you, Dan) eventually made the introduction, and we came in prepared, but what we weren't ready for was how clarifying that 45-minute Zoom would be. Damien is the epitome of founder-market fit. So we did what any self-respecting investors would do:

We booked a trip to Boston and told him we just so happened to be in town that week, and that we should get dinner.

Luckily for us, that was that. And today, we're so excited to announce we are leading Nebulock's Series A, just 9 months after they launched out of stealth.

Why Damien?

Damien spent more than a decade inside the organizations that shaped modern cybersecurity: at CrowdStrike from Series C through the IPO, at Arctic Wolf leading AI detections, at Palo Alto Networks, and in DoD cyber operations at Northrop Grumman. Before any of that, he was a professional athlete in Germany. After it, he was doing graduate research at MIT CSAIL, one year before ChatGPT launched. He has seen the attacker playbook evolve from every angle that matters, and he understands what methods have consistently been getting through. From our first meeting with Damien, we knew he had an incredibly special mix of deep security experience, technical chops, and a contagious energy.

AI Has Rewritten the Attacker Playbook

AI has caused the complexity & velocity of cyber attacks to grow exponentially. The distance between a novice and a nation-state actor has collapsed, enabling attackers to target every organization, faster, better and more iteratively than ever. Earlier this month, Anthropic analyzed over 800 banned accounts and concluded a) AI effectively ~2xs the risk profiles of bad actors and b) the old ways of differentiating high- from low-risk actors are no longer effective.

This perfect storm has led to new security breaches hitting the headlines seemingly every week. Today, the most dangerous attacks don't look like attacks at all. The Salesloft Drift breach last year saw a threat actor use compromised OAuth tokens to quietly access more than 700 Salesforce environments. The trojanized LiteLLM library exfiltrated terabytes from Mercor and thousands of other companies without triggering a single conventional alert. The activity looked legitimate because it was, in every way, at least by how existing security tools currently measure legitimacy.

Traditional detection tools flag indicators such as known-bad IP addresses, recognizable file hashes, and malicious binaries, which change too quickly in an AI-driven world. While indicators can change, behaviors remain constant. Whether it's a service account that suddenly runs admin commands, a credential read from a place it never has been, or a session moving laterally in a way the real user never would, these are all tells that survive after traditional signals have been engineered away. Catching them requires hunting for how an adversary operates rather than waiting for a rule to fire on whatever they brought with them. That is what elite threat hunting teams have always done, and what almost no organization has been able to afford.

Nebulock: Agentic Threat Hunting for All

Nebulock changes that equation. It works continuously across identity, endpoint, and cloud telemetry, generating hunting hypotheses, investigating them autonomously, and writing behavioral detections around the clock. Rather than adding to the wall of alerts burying most security teams, it tracks global threat intel, interrogates the data companies already collect, and surfaces only the findings that warrant a response.

The results have been striking. Vespyr, Nebulock's autonomous threat hunting agent, has run over 300 million agentic investigations and surfaced more than 4,000 high-confidence findings that existing tooling missed entirely. It has surfaced legitimate results (from insiders copying source files onto USBs to malicious actors operating undetected) in every environment it has touched - often within four hours (!) - including environments already running CrowdStrike, Okta, Netskope, and Palo Alto.

With a quick implementation and universal value proposition, the team has been off to the races. Every customer to date has come through referrals and inbound alone, and the team has been pulled organically into companies ranging from the mid-market to the Fortune 500.

Nine years into security investing, this is by far the most exciting time in my career in this category. A big part of that is watching how Damien builds. The team has grown from 10 to 35 people in roughly a year, and they are building a roster of security Avengers: Suzannah Cooke (Sales, ex-Snyk) has sold exactly this kind of category-defining product before, Ian McShane (Product, ex-CrowdStrike and Arctic Wolf) didn't just study the market Nebulock is disrupting, he lived inside it, Emily Dann (Engineering, ex-Expanse), Christine Huynh (Marketing, ex-Sublime) and Kevin Menezes (Customer Success, ex-Protect AI / Palo Alto) round out a bench that would be wildly impressive at three times the company size; and then there's Sydney Marrone, a former Principal Threat Hunter at Splunk, who drives the RLHF training of Nebulock's agents. Vespyr gets better by learning from the best human hunters alive, which means model improvements across the ecosystem make Nebulock stronger, not more vulnerable.

We see Nebulock as an "n of one" company: an A+ team, a combination of domain depth and proprietary training data that cannot be replicated, and a growing library of detections that accrues to every next customer over time.

What's Next: Hunt-First Contextual Security

As we've continued to spend time with the team, it's clear that their proactive method of contextual security analytics will extend beyond the traditional scope of threat hunting. Once you have a behavioral baseline of every identity, endpoint, and cloud resource, the same data you already send to your SIEM becomes a far richer picture that can actually catch the credentialed attacks that make up the majority of breaches today. When you add in agentic threat hunting capabilities that get stronger as the collective intelligence grows, the products that were once SIEM add-ons (UEBA, Insider Risk, detection engineering) are collapsed into the same loop.

The next iteration of SIEM won't only be more efficient and autonomous, it will catch an entirely new class of threats and we believe the Nebulock team is building the foundational security analytics stack. We could not be more excited to partner with Damien and the entire team as they usher in hunt-first security operations. Join the hunt!