RunSybil raises $40M to automate offensive security, founded by OpenAI's first security hire

Mar 19, 2026 · Full transcript · This transcript is auto-generated and may contain errors.

Featuring Ari Herbert-Voss

Have a good one. Let me tell you about Restream. One live stream, 30 plus destinations. If you want a multistream, go to restream.com and we will continue our lambda lightning round with Ari from RunSybil who's in the Restream waiting room. Let's bring Ari in. How are you doing?

Howdy. Good to meet you.

Hey, good to meet you. What's happening?

Uh, please introduce yourself and the company.

Yeah, happy to. All right, so I am a man on a mission where we're trying to automate hacker intuition. Um, I guess I can start with a brief intro to myself. So I was titled the first security hire at OpenAI

uh back in 2019. Um I was a grad student at Harvard doing my machine learning PhD and I saw GPT-2 come out and I was like wow um this would have been really useful back when I was a miscreant teenager doing insane operations on the internet.

Um so uh I ended up bundling up a couple of demos of things that I would have made as a miscreant and I sent them to Sam Altman and I sent them to Jack Clark who was the head of comms at the time.

Um and then kind of the rest is history. They liked it enough that they invited me to come join and so I was there for 3 years. Um I was a core researcher on GPT-3 and on the Codex model. Um I also built our first monitoring system for when we started offering the API as a thing that customers were then using um to make sure the customers were following our terms of service.

Um and I left the company in part because we just didn't have a good answer for when the bad guys have access to everything.

Um black pill moment for me was uh when we were doing this anonymized review of model outputs. I saw somebody uh trying to lock a file system and that could be totally benign, you know, educational like how does encryption work? Or it could be somebody, you know, futzing around with malware and uh ransomware specifically. And there's really no way of telling that particular intentionality. And at the time, like our thought was, well, what if um what if we focus on the monitoring, we just block people that are doing bad stuff. But realistically, when you have something that's as explosive as language models have become, uh you're not going to be able to like play whack-a-mole. You kind of have to get um offensive with it. So, uh I started this company. Um I have been very blessed to work with my co-founder Vladescu who uh built the red team at Meta. Um and then I have a team of really strong engineers that we've pulled from some of the top security engineering teams um in the industry and we're focused on building something that will make the internet uh just broadly more safe and it's just really rewarding to see it pay off.

Are you seeing more uh more danger and risk from like large-scale state actors or like the script kiddies who are just trying to like wreak havoc or is it both? Because I feel like some of the some of the like like some of the the problems with like the new AI security threats like there's new capabilities but there's also like a lot more cost than just like running some PHP script that like guesses WordPress passwords like back in the old days.

Yeah, I'd say it's actually kind of a combination of the two. I'd say like you have two types of of threats and often times it also depends on the type of uh organization that you are too.

Uh so for our customers that are smaller startups like they're not really seeing any of this kind of stuff, but for our larger enterprises uh we've been asked by a lot of them if they they basically want to replace us with their bug bounty or they want to replace their bug bounty with us.

Oh, they want you to win all of the bug bounties. That's great.

Just don't make mistakes.

That's your that's your immediate TAM. And I'm sure I'm sure much further. Uh talk to me about uh model distillation. There's been a lot of news about uh it's not as as serious of a threat. It feels more like a business threat, but uh I've always been I've always been shocked by, you know, the stories about different open source companies where it feels like they trained on an American lab and that seems like something that the lab should be able to detect. Is that hard? Is that something you can help with?

Yes. Yeah. So, that's not what we do, but it is something that I've dealt with previously. Um, and it is something that everybody does and everybody kind of knows about as sort of a bit of a dirty secret. Um, but I'll also say that when you do distillation, the model that you get out of it is going to be like a net less good than the model that you're distilling off of. Like that's just information theory 101.

So it it's something that is somewhat of a business threat, but it's not as big of a business threat as say like stealing the actual model itself.

Yeah. Just actually breaking into the system. Can you give us your pitch to like a startup or a scaleup on the customer side and then all the way up to a lab? Like how how you how you sell the product right now, because I understand like the opportunity at a high level, you know, basically every all these companies are distributing intelligence, it's hard to understand how it's going to be used, a lot of people are going to use it for things that they shouldn't,

you want to stop that, but like what is the specific pitch in this moment in time?

Yeah I'd say like for one thing focusing on like security means a bunch of different things to different people and right now what we're seeing is that smaller teams need different things from larger teams and the benefit of the way that we've built our product is that if you have more attack surface it's just much more interesting for the type of things that we can find for you. So we've been moving up into enterprises and we have a lot of strong response from enterprise teams that are large. Uh they have a lot of old code bases that go back 40 years. There's a lot of cursed things in their environments. Trying to get like additional coding tools in is is kind of tricky.

Um

and I actually have kind of an interesting hot take for you if you'll take it.

Please love it.

Okay. So um obviously there's a lot of movement in security in terms of like the markets um especially when Anthropic dropped some of their news about some of their vulnerability discovery stuff. Um, so I think a lot of people are concerned about whether or not um like are are language model labs just going to solve security. Uh and what I think is interesting is if code gets so much better in terms of security, the main question is like does that mean that hacking gets harder?

And my answer is no because I think that speed that's what's going to kill us.

So the space of these large possible attack vectors requires a lot more data than simply the code. Yeah.

So if you look at the code um I like to kind of think about it as you're looking at the code of uh or looking at the bones of a dinosaur. Um, it's you're going to find a lot of interesting things about structure, but you're going to miss a ton about things like muscles and whether or not they have feathers and also like path behavior and like broader things like that, which are also very important for understanding the ecosystem. And that's true of code as well and it's true of computers.

Um, it's easier to find bugs with the code. You know, having the bones is very helpful for us even knowing that these dinosaurs exist, but you miss so much other stuff and that is where the real delta lies here. Um, authentication, for example, is famously difficult to suss out. Like there are not very many, I don't think there are any good um authentication scanners out there, but the way in which we've built our product it's very good at finding auth bugs and in fact um one of our strengths that we've heard continuously is that like we're very good at finding these weird esoteric things that have existed in bug bounties for like the last 10 years um and we we get like pretty nice payouts from that which is always fun.

That's really cool. Uh talk to me about your take on the forward deployed engineer pattern model trend boom whatever you want to call that. Uh are you in favor of that? Are you employing that at this time?

That's a good question. I think that forward deploy is important if you're working with enterprise because a lot of them there's a lot of a human factor. Like at least in in startups what we've learned is that people just want to solve the problem, like the CTO comes to us and is like hey I have this deal blocked by SOC 2, I really need to get a pentest, and we're like on it, got you fam, and we we get them,

they're on their merry way. But with these enterprise companies it's a lot more of a political process. Um security in general is kind of it's it's partly the people um and it's also of course the software too and what you can do with a forward deploy engineer is you can provide more of that layer of trust. You can communicate a lot more with the proper stakeholders so they don't feel like their jobs are going to be taken away. There's a lot more um of the human factor that you're able to introduce when you have that and I think that's why it's so popular. We do something somewhat similar there and we find it to be particularly helpful with bringing people on board and being able to serve them faster.

I'm looking at some of the customers here. Cursor, Turbo, Puffer, Notion, B 10. Thank you, machines. Uh, congratulations. Uh, the business sounds great and makes a ton of sense and obviously you're raising money. Uh, but I'm I'm curious if there's a almost like direct to consumer play at some point because everyone is going to be vibe coding like we are a 10-person team. We have like three systems and uh, you know, we're sort of you know, security maybe, maybe we're working on that.

I have a black pill for you then.

So tell me.

Yeah, I don't think so.

I don't think so because people don't like paying for security.

Okay.

But but isn't there another way that you can make it so cheap or bake it in or partner with a lab where you know I'm vibe coding something and I and I you know get RunSybil installed or it it it's it's modeled into the system?

Yeah, the SOC 2 example is relevant because that's somebody that's like I have to do this

because I'm selling software.

It's hurting my revenue.

But we've heard so many things about somebody's using OpenClaw. They're vibe coding something. They're running their business on it and increasingly it's turning into a system and at some point they need to think about security. What's

but think of think about it. We we we we bought hundreds of thousands of dollars versus of like camera equipment before we bought cameras to secure you know office. And even when we were doing that we're like h like

I think there's there's some truth to that. But let's also think about like the economics of who buys these tools too. So, if you're paying like 20 bucks, 200 bucks for like a month-long subscription, how much are you going to pay for like additional security on top of that? That's something that you're going to have to sell direct to that company. And there's not a lot of companies that really offer code security related stuff. So, I think for companies that are making the bet in that space, they're focused a bit more on like the ecosystem, um, which is we're we're focusing a bit more on like the the overall ecosystem within an enterprise that has a ton of ancient code that is going to require a lot more in order to fix and they also have just these enormous attack surfaces that need some help.

Yeah. Yeah, that makes a ton of sense. Uh well, uh how much did you actually raise? Tell me about the funding round. We want to ring the gong.

Oh yeah. So we raised 40 million. Um which we love.

You came in. Congratulations.

Uh so Coastal led the round. We had participation from S32. Um Conviction Gill. We also had a bunch of angels as well. So Nasa Aurora who I know is on the show.

Yeah.

Friday. Jeff Dean Goodell.

Wow. Ian Goodfellow too.

It was pretty good. That's incredible. Congratulations. Thank you so much for taking the time to come break it down for us.

I can visualize the Coachella.

Thank you for securing the American software ecosystem. We appreciate that as well. Get every bug bounty that is out there. You deserve it.

We'll talk to you.