Agentic AI Security Seed Funding — May 2025 to May 2026
Overview
Eight verifiable seed rounds in agentic-AI-security from May 2025 through April 2026, totaling ~$85M of seed capital. The wave concentrates around four functional categories — MCP egress / gateway, runtime guardrails, agent identity, and cross-plane “Guardian Agent” control planes — and one architectural fault line: inline gateway vs. runtime instrumentation.
This page ranks the eight by seed amount, maps each to the RA planes and CMM domains, and lays out implications for the wiki’s two load-bearing artifacts.
Ranked: Top 8 Seed Rounds (Largest First)
| # | Startup | Seed | Date | Lead investor(s) | Founders / pedigree | Primary RA plane | Primary CMM domain |
|---|---|---|---|---|---|---|---|
| 1 | Lumia Security | $18M | 2025-12-04 | Team8, New Era | Omri Iluz (PerimeterX CEO) + Bobi Gilburd (Unit 8200 CTO); Adm. Mike Rogers advisory | Observability / Control | D1, D7, D9 |
| 2 | Trent AI | $13M (€11M) | 2026-04-07 | LocalGlobe, Cambridge Innovation Capital | Eno Thereska + ex-AWS engineering leaders; OpenAI/Spotify/Databricks/AWS angels | Cross-plane (Guardian Agent) | D1, D4, D7, D8 |
| 3 | Runlayer | $11M | 2025-11-17 | Khosla Ventures, Felicis | Andrew Berman (3rd-time founder, Nanit + Vowel→Zapier); David Soria Parra (MCP creator) advisor | Egress (MCP gateway) | D5, D7, D2 |
| 4 | General Analysis | $10M | 2026-04-29 | Altos Ventures, 645, Menlo, YC | Rez Havaei (Cohere/NVIDIA) + Caltech/Harvard team; produced the Claude→Stripe coupons exploit | Cross-cutting (red-team) | D7 (continuous CART) |
| 5 | Helmet Security | $9M | 2025-12-04 | SYN Ventures, WhiteRabbit | Fred Kneip (CyberGRX founder) + Kaushik Shanadi | Egress + AI-BOM (MCP discovery) | D5, D7, D8 |
| 6 | Keycard | **38M total with Series A) | 2025-10-21 (launch) | a16z, boldstart (seed); Acrew (Series A) | Ian Livingstone + Matt Creager (Manifold→Snyk); Jared Hanson (Passport.js, ex-Auth0 Chief Architect) | Identity | D2, D3 |
| 7 | Capsule Security | $7M | 2026-04-15 | Lama Partners, Forgepoint Capital Intl | Naor Paz (F5, Unit 8200) + Lidan Hazout (Securedtouch, Transmit Security); ClawGuard OSS | Runtime (no proxy / no SDK) | D4, D7 |
| 8 | SplxAI (acq. Zscaler) | $7M | 2025-03-26 | LAUNCHub Ventures, Rain Capital, Inovo | AI red-team CTF winners (Wiz CTF, Black Hat) | Cross-cutting (red-team) | D7 (continuous CART) |
Honorable mentions (smaller seed or vertical scope, included for completeness, not synthesized below):
- Geordie AI — $6.5M seed, agentic AI governance platform (D1)
- t54 Labs — $5M seed (Anagram + PL Capital + Franklin Templeton + Ripple), trust layer for agentic finance (vertical: D2/D3 in financial services)
- Unosecur — $5M seed (Apr 2025, Germany), NHI / ITDR with AI capabilities (D2)
Key insight
**The eight headline seed rounds total 120M Series B, Onyx $100M). The category is demand-led — at-launch customer rosters from Runlayer (8 unicorns in 4 months) and Capsule (Cursor / Claude Code / Microsoft / ServiceNow / Salesforce integrations) suggest enterprise pull is well ahead of the supply side.
Mapping: Each Startup to the RA + CMM
By RA plane
| Identity | Control | Runtime | Egress | Data | Observability |
|---|---|---|---|---|---|
| [[keycard]] | [[keycard]], [[lumia-security]], [[trent-ai]] | [[capsule-security]], [[trent-ai]] | [[runlayer]], [[helmet-security]] | — | [[lumia-security]], [[trent-ai]], [[runlayer]], [[helmet-security]], [[capsule-security]], [[general-analysis]], [[splx-ai]] |
Concentration: Egress (MCP) and Observability are the most-funded planes. Identity has one pure-play seed (Keycard). Data plane (D6) has zero seed-stage entrants — see Gaps below.
By CMM domain
| Domain | Funded by |
|---|---|
| D1 Governance & Accountability | Lumia, Trent AI (cross-plane), Geordie AI |
| D2 Identity & Authorization | Keycard (primary), Runlayer (Okta/Entra integration), Unosecur |
| D3 Control & Least-Agency | Keycard (real-time contextual guardrails), Lumia |
| D4 Runtime & Guardrails | Capsule (primary), Trent AI, partial Lakera alignment |
| D5 Egress & Network | Runlayer (gateway), Helmet (discovery+monitoring) |
| D6 Data, Memory & RAG | none in this seed cohort |
| D7 Observability & Detection | General Analysis (CART), SplxAI (CART), Lumia, Trent AI, Runlayer, Helmet, Capsule (all cross-cutting) |
| D8 Supply Chain & AI-BOM | Helmet (MCP discovery), Trent AI (dependency scanning) |
| D9 Operations & Human Factors | Lumia |
Where the Funding Fits the RA + CMM (and Where It Doesn’t)
Fit (the RA holds up)
Every funded startup maps cleanly onto one or two RA planes. No funded company proposes a plane the RA missed. The 6-plane structure validates against real money — Identity / Control / Runtime / Egress / Data / Observability is the working market segmentation.
Doesn’t fit (the gaps)
1. The Data plane (D6) has no seed-stage agentic-AI-security entrants. This is striking. Either:
   - D6 is being absorbed by adjacent DSPM / AI-SPM / oversharing-control vendors (Knostic, Wiz AI-SPM, Glean) without an agentic-specific layer, or
   - D6 is a structural gap waiting for a seed-stage entrant, or
   - The data side of agentic AI is dominated by memory-poisoning research that hasn’t productized yet.

   The wiki should not silently treat D6 as solved by adjacency. Track this as an open design question.
2. Operations & Human Factors (D9) is governance work, not venture-fundable. Only Lumia touches D9 explicitly. The CMM should be reaffirmed as the governance scaffold here; a seed startup should not be expected to fill it.
3. The Guardian Agent / cross-plane category is now overcrowded. Three vendors at three funding stages — Onyx (later), Lumia ($18M seed), Trent AI ($13M seed) — plus Wiz AI-SPM, Prisma AIRS, and the still-unfunded ambition of CSPM-incumbents. The CMM should not name any one of these as canonical L5 evidence — the category is too crowded and unproven.
The Architectural Headline: Gateway vs. Runtime Instrumentation
The seed cohort divides into two architectural camps with the same security goals and incompatible deployment models:
Inline gateway / proxy: Runlayer ($11M), Helmet ($9M), plus AgentGateway OSS, plus Onyx. Claim: visibility and control require sitting in the data path. ~$20M of seed capital here.
Runtime instrumentation: Capsule (13M), partial Miggo (later stage). Claim: gateways are too heavy / too late / too easy to bypass; instrument inside the agent runtime. ~$7M of seed capital, plus higher-stage Miggo.
This split is documented in detail at Inline Gateway vs Runtime Instrumentation. Historical analog: the API-gateway-vs-APM fork from a decade ago. Both categories survived; both are likely to survive here too.
Implications
For the wiki’s RA
- The 6 planes hold. No revision needed.
- Add Lumia, Trent AI, Runlayer, Helmet, Keycard, Capsule, General Analysis as commercial reference implementations in the appropriate plane tables of the RA page.
- Egress plane needs a sub-split: gateway-style enforcement vs. runtime-instrumentation enforcement (cross-link the new concept).
For the wiki’s CMM
- D2 (Identity) commercial column should add Keycard alongside Okta / Entra / CyberArk.
- D4 (Runtime) commercial column should add Capsule alongside Lakera Guard and Miggo.
- D5 (Egress) commercial column should add Runlayer (gateway) and Helmet (discovery+monitoring).
- D7 (Observability) continuous-CART row should add General Analysis alongside Mindgard CART and Promptfoo; mark SplxAI as acquired to flag category consolidation.
- L4/L5 cross-plane “Guardian Agent” evidence: keep Onyx non-canonical; cite Lumia and Trent AI as additional examples but not as the L5 canonical pattern.
For investor and architecture-decision-maker readers
- Seed-stage agentic AI security is currently demand-led, not supply-led. Customer rosters at launch (Runlayer’s 8 unicorns, Capsule’s 5 named platform integrations) suggest enterprise pull is ahead of vendor capacity.
- Pure-play CART consolidates into platforms quickly. SplxAI → Zscaler, Promptfoo → OpenAI. Either pattern means buying CART standalone has a short independent runway. General Analysis is the likely next acquisition target if this pattern holds.
- The gateway-vs-instrumentation choice is unsettled. Buyers should plan for both to coexist, just as their predecessors did with API gateways and APM.
- The Israeli + ex-FAANG + ex-AI-lab founder pool is consistent with prior security waves. Pattern matches Wiz / Orca / Lacework cohort behavior — expect at least one of the eight to reach $1B+ valuation in 24-36 months on platform consolidation; expect at least three to be acquired into incumbents (CrowdStrike, Palo Alto, Microsoft, Wiz, CyberArk).
For the wiki’s broader thesis
The seed-stage funding wave is consistent with the wiki’s existing thesis that platform-level controls beat prompt-level controls (Bullen / Lidzborski). Every well-funded startup in this cohort is platform-shaped: gateway, runtime, identity, control plane, AI-BOM, CART. None is selling a “smarter prompt filter” or an “LLM-as-a-judge” guardrail. The investor base is voting with the platform-not-prompt thesis.
Open Questions (file as gaps)
- Gap: Why no D6 entrant? Is the agentic-data-plane being solved by DSPM adjacency, or is there a real seed-stage opportunity that hasn’t been claimed? Re-validate the agentic-RAG-hardening market by Q4 2026.
- Gap: Will the gateway camp absorb the runtime camp, or vice versa? History (API gateway + APM) suggests both survive. But the agentic-AI runtime is much more homogeneous (a few LLM hosts) than the cloud-native runtime was (every microservice everywhere) — the case for instrumentation-only is therefore stronger than the cloud-native analog. Watch Capsule’s production deployments specifically.
- Gap: Where does capability-based authorization (Tenuo Warrant model) fit relative to Keycard’s IAM model? Both could fill the D2/D3 slot; they imply very different control flows. Re-validate when Keycard publishes their access-control model.
- Gap: Methodology limitation — search-then-include, not enumerate-then-filter. This synthesis ranked 8 verifiable seed rounds + 3 honorable mentions, but the candidate pool was not enumerated. A rigorous pool-then-filter pass (Crunchbase + PitchBook + Insight Partners’ AI Agents Security Market Map + Menlo / a16z / Forgepoint thesis posts) would produce a 50–80-row landscape view spanning all funding stages, not just seed. Filed for execution as comprehensive landscape pass (~Q3 2026 trigger).
Sources (primary, by startup)
- Lumia: BusinessWire 2025-12-04, Lumia blog, SiliconAngle, Team8 thesis, CTech (Iluz/Gilburd profile)
- Trent AI: BusinessWire 2026-04-07, SecurityWeek, EU-Startups, Tech.eu
- Runlayer: TechCrunch 2025-11-17, Runlayer blog, The AI Insider
- General Analysis: BusinessWire 2026-04-29, Axios Pro, Tech Startups
- Helmet Security: BusinessWire 2025-12-04, helmet.sh, SiliconAngle, SecurityWeek, Fintech Global
- Keycard: GlobeNewswire 2025-10-21, SiliconAngle, boldstart blog, Upstarts Media
- Capsule Security: CTech 2026-04-15
- SplxAI: BusinessWire 2025-03-26, Help Net Security, The Recursive (Zscaler acquisition)
- Aggregators: softwarestrategiesblog 2026 RSAC roundup, softwarestrategiesblog 2025 funding data