Why Guardz Raised $84M to Defend the Businesses Enterprise Security Forgot
2026-7-2 13:45:11 Author: hackernoon.com

Cybersecurity spending has poured into the enterprise for two decades, yet the small and mid-sized businesses that make up most of the economy have been left defending themselves with tools that were never built for them. That gap is exactly where Dor Eisner has placed his bet: after two decades that began in Israel's Unit 8200 and ran through a front-row seat to the dark-web threat economy at IntSights, he co-founded Guardz to arm the managed service providers who have quietly become the only line of defence for millions of SMBs.

In this conversation we get into why identity has become the new perimeter, what "AI-native" actually means once the marketing is stripped away, and the hard trade-offs of building a unified platform in a best-of-breed world.

Ishan Pandey: Hi Dor, welcome to our "Behind the Startup" series. Please tell us about yourself and what inspired you to build Guardz?

Dor Eisner: I spent the first part of my career in intelligence, then helped build IntSights, where we watched the criminal economy from the inside. By the time I left, one thing was obvious: attackers had scaled, and the businesses most exposed to them, the small and mid-sized ones, had almost nothing built for them.

So they leaned on their MSP, who was stitching together five or six tools that were never meant to work together. Guardz came out of that gap. I wanted to give MSPs one place to actually defend their clients, instead of a stack they spend their nights babysitting.

Ishan Pandey: Your path runs from an intelligence role in Unit 8200 to a founding executive seat at IntSights, where you saw the rise of "attack-as-a-service" tooling on the dark web up close. How did watching threats get commoditized and sold at scale shape the original thesis behind Guardz?

Dor Eisner: What stayed with me from IntSights wasn't any single attack. It was the industrialization. You could rent infrastructure, buy stolen credentials by the batch, and subscribe to phishing kits with better onboarding than most legitimate software. Cybercrime became a supply chain.

That changes the math for defenders. When attacks are artisanal, you defend a few high-value targets by hand. When they're mass-produced and cheap, every business is a target, including the 20-person firm that thinks it's too small to matter. It isn't too small. It's just unprotected and easy.

So the thesis was simple: the attack side had industrialized all the way down to the smallest victim, and the defense side hadn't. You can't fight an automated, commoditized threat with a defense that needs a scarce human expert per customer, because the economics never work. That's why we built a platform that automates the routine and routes the hard parts to experts, delivered through the channel that already serves these businesses at scale: the MSP.

Cheap to wage, ruinous to absorb. A log-log scatter plotting the underground price of an attack capability against the typical loss to the small-business victim.

The asymmetry Eisner is describing, in one picture: a phishing kit sells for under $25-50, a 24-hour DDoS-for-hire for about $45, and verified corporate access for an average of roughly $2,700, while the resulting incident can cost a small business anywhere from $120,000 to $3.31m. Every dollar of attack buys orders of magnitude more damage.

Ishan Pandey: You have argued that SMBs are the backbone of the economy yet remain structurally underserved by the security industry. Can you unpack the real reason enterprise-grade security never trickled down to smaller businesses, and how routing protection through the MSP channel changes those economics?

Dor Eisner: The honest answer is that enterprise security was never priced or designed to come downmarket. Its cost structure assumes a security team to run it, a budget line for tooling, and someone whose full-time job is tuning alerts. SMBs have none of those. So "trickle down" usually meant a stripped-down version of an enterprise product sold to a buyer with no one to operate it. That doesn't protect anyone. It just checks a box.

The MSP channel changes the unit economics because the MSP amortizes expertise across hundreds of clients. One skilled technician, backed by the right platform, can defend dozens of businesses that could never each afford their own analyst.

But it only works if the platform is built for that reality. Multi-tenant by default, automated where it can be, and simple enough that a technician can act on day one without a specialist standing behind them. If you hand an MSP an enterprise console and tell them to figure out the multi-tenancy, you've recreated the original problem with extra steps. The channel is the distribution. The product still has to earn it.

Ishan Pandey: "AI-native" has become one of the most overused phrases in security. Stripped of the marketing, what does building detection and response on top of large language models and your own data pipelines actually let Guardz do that a bolt-on AI feature cannot? And just as importantly, where does AI still fall short, making human-led MDR non-negotiable?

Dor Eisner: Strip the marketing and "AI-native" comes down to one question: is the intelligence sitting on top of your data, or is your product built around the data in the first place? A bolt-on AI feature reads whatever a single tool already decided was worth logging. It inherits that tool's blind spots.

Built right, agentic security is an architecture, not a feature: the intelligence connects signals across identity, email, endpoint and data, triages at machine speed, and keeps humans on the calls that matter. That's what lets it do two things a bolt-on can't. It connects the dots, so a suspicious login, a new inbox rule, a download and a file share read as one incident, not three alerts in three consoles. And it automates the work that used to eat an analyst's day, clearing the false positives so humans only spend attention on the threats that are real.

Where AI still falls short is judgment under ambiguity and accountability. It's not the one you want making the call when the cost of being wrong is high, or standing behind a decision to a client at 2 a.m. So we keep humans firmly in the loop. The AI makes our experts dramatically faster; it doesn't replace them.

Drowning in alerts. A funnel showing a typical SOC's daily alert load and how little reaches human attention, with the AI and human split annotated.

Why the automation argument is not marketing: a typical SOC now fields about 2,992 alerts a day, of which 63% go unaddressed, and 46% of all alerts prove to be false positives. The routine triage is precisely the work AI absorbs, leaving the genuine incidents for a human to own.

Ishan Pandey: Your recent threat research frames the shift bluntly: attackers are no longer breaking in, they are logging in. Why has identity become the primary battleground, and what does an identity-centric architecture demand technically that an endpoint-first stack tends to miss?

Dor Eisner: Attackers stopped breaking in because they don't have to. Why burn an exploit when you can buy a valid credential or phish an MFA code and just log in? Once they're authenticated, they look like a legitimate user. An endpoint-first stack is watching the doors and windows while the intruder walked in through the front with a real key.

Identity is where the modern attack actually lives, so it has to be the center of the model. Technically that demands a few things an endpoint-first design tends to miss. You have to treat the user as the primary object and tie everything else to them: their devices, their mailbox, their cloud activity, their permissions. You need behavioral baselines per identity, because "anomalous" only means something relative to that specific user's normal. And your response has to operate at the identity layer, suspending a user, revoking active sessions and tokens, not just isolating a laptop. If you only quarantine the device, the attacker still holds the credential and walks to the next one.

Endpoint still matters. But if identity isn't the spine of the architecture, you're investigating yesterday's attack.

Attackers don't break in. They log in. A bar chart of the share of breach activity involving stolen or abused credentials, from the Verizon 2025 DBIR.

The data behind the slogan: stolen credentials appear in 88% of basic web-application attacks, credential stuffing makes up 19% of all SSO login attempts on a median day, and 54% of ransomware victims had their credentials exposed in infostealer logs before the attack.

Ishan Pandey: The market constantly swings between unified platforms and best-of-breed point tools. Guardz builds many controls natively but partners with SentinelOne for EDR. How do you decide what to build versus integrate, and what is the genuine risk to customers of over-consolidating their security stack under one vendor?

Dor Eisner: Our rule is to build what has to be native and partner where someone has genuinely earned best-of-breed. The data layer, identity, the correlation and response logic, the MSP workflow, those we build, because the value depends on them being one coherent system. For endpoint we partner with SentinelOne, because EDR is a mature, fiercely contested category and pretending we'd out-engineer a leader there would be ego, not strategy. The customer wins when we integrate the best EDR and email security (Check Point) deeply, not when we ship a mediocre homegrown one to claim we own the box.

I'd actually challenge the premise that consolidation is the risk. There's always a trade-off. Platformization buys you operational efficiency, correlation, and one coherent system. Building your own stack buys you choice, but you pay the siloed price: tools that don't talk to each other, integrations you maintain yourself, and signals that never get connected. The entire enterprise industry consolidated over the last decade, and it didn't do that by accident. It did it because the siloed price and operational costs got too high.

Our build-versus-partner decisions are exactly how we keep the platform from being all in one basket. We don't own every box, but RMM/PSA integrations, federated search, open APIs and MCP let us integrate and connect in the ways that actually matter. That's the point: you get the efficiency of a platform without giving up the openness of a stack.

Ishan Pandey: What is the biggest misconception MSPs and the SMBs they serve still hold about what AI can and cannot do for security today, and how does that gap between expectation and reality affect how you build and position the product?

Dor Eisner: The biggest one is that AI removes the need for humans. It doesn't. It changes what the humans spend their time on. The MSPs who expect to fire their analyst and let the AI run the day-to-day are going to get hurt, and the ones who think AI is all hype and ignore it will get out-paced. Both extremes are wrong.

What AI actually does well today is absorb tasks that are time-consuming. Triage, enrichment, correlation, the first 80% of an investigation that used to eat an analyst's whole day. What it does not do is own the judgment call or the accountability. A confident, fluent, wrong answer is more dangerous in security than in almost any other field, because someone acts on it.

That gap shapes how we build and how we talk about it. We use AI aggressively where it's strong and we keep humans firmly in the loop where it's weak, and we don't dress that up. Overpromising on AI isn't just bad marketing in this category. It's a security risk.

Ishan Pandey: You have raised 84 million dollars in just over two years and have spoken about becoming "the Palo Alto for MSPs." For founders trying to navigate the tension between aggressive growth, technical defensibility, and the temptation to overpromise on AI, what have you learned about balancing innovation, go-to-market, and funding?

Dor Eisner: The "Palo Alto for MSPs" line is about ambition and shape, not arrogance. Palo Alto became a platform the enterprise consolidates on. We want to be the platform the MSP channel consolidates on. Different customer, different economics, same idea of being the place where it all comes together.

On the tension between growth, defensibility, and the temptation to overpromise, a few things I've learned. First, raising money is fuel, not proof. Capital lets you go faster in the direction you've already validated. It does not tell you the direction is right, and it punishes you harder when it's wrong. Second, in security specifically, defensibility has to be technical, not just narrative. The hard, unglamorous work, like the data layer for us, is the part competitors can't copy from your website. Invest there even when it's invisible to the market for a while.

And on AI, the discipline is to under-claim relative to the hype and over-deliver relative to the claim. The founders who win the next few years won't be the loudest about AI. They'll be the ones whose customers reap the operations benefits day to day and quietly stop getting breached.

From stealth to $84m in 28 months. A step-line of Guardz's cumulative funding by round, from the January 2023 seed to the June 2025 Series B.

The capital behind the ambition: a $10m seed in January 2023, an $18m Series A that December, and a $56m Series B led by ClearSky in June 2025, bringing the total to $84m.

The honest risks

The thesis is clean, but the bet carries real exposure, and it is worth stating plainly.

The channel is also the dependency. Routing everything through MSPs solves the unit economics, but it means Guardz grows only as fast as MSPs adopt and retain it, and more than three-quarters of MSPs already report being overwhelmed by too many tools. Winning that buyer means displacing incumbents, not just out-arguing them.

Partnering on endpoint is a strategic concession with a counterparty. SentinelOne is both a supplier and an investor, which aligns incentives today but deepens a dependency on the most contested layer of the stack. Guardz manages that through deep integration rather than ownership, which keeps it open but makes the relationship one to watch.

The AI discipline is a promise that has to hold under pressure. Eisner's "under-claim, over-deliver" line is the right posture, yet the commercial gravity in this category pulls the other way, and a single confident, wrong automated action against a client at scale is the kind of event that resets trust across a channel.

The crowded middle is filling fast. The SMB-via-MSP wedge is no longer lonely, with larger players and direct competitors circling the same segment, so the defensibility has to keep coming from the unglamorous data layer rather than the narrative.

None of this invalidates the bet. It simply means the company is wagering that depth of integration, discipline on AI, and the MSP relationship compound faster than the competition and the threat landscape can erode them.

Vested Interest Disclosure: HackerNoon has reviewed the report for quality, but the claims herein belong to the author. #DYOR.


Article source: https://hackernoon.com/why-guardz-raised-$84m-to-defend-the-businesses-enterprise-security-forgot?source=rss