A few minutes into his first customer meeting as a security industry entrepreneur, Abnormal Security co-founder Evan Reiser knew he had a problem.
“This person kept mentioning socks and I had no idea what he was talking about,” says Reiser, who had spent his entire career until then in online advertising. “It turns out he was talking about SOCs, as in the security operations center, which is like the most frequently used acronym in security.” Not surprisingly, the meeting didn’t last long. “He said, ‘No disrespect, but it feels like your plans are a little immature. Sorry, but I gotta run. Good luck’,” Reiser recalls.
Five years later, Reiser and co-founder Sanjay Jeyakumar have gone from jargon-challenged outsiders to leaders of one of the most influential and fastest-growing companies in the more than $200 billion security industry. More than 17% of Fortune 500 companies now trust Abnormal’s cloud email security solution to prevent phishing attacks, socially-engineered threats, and cloud account takeovers that are the cause of the vast majority of successful intrusions.
Their secret — as with many other influential outsiders, like Elon Musk taking on gasoline-powered cars or Jeff Bezos taking on brick-and-mortar retail — was a willingness to try something radically different. Since the 1980s, thousands of companies built products to secure various types of corporate technology infrastructure: their networks, data centers and cloud environments, email servers, and employees’ PCs and smartphones. Abnormal instead chose to focus on the biggest vulnerability companies face: human behavior itself.
Antisocial Engineering
“A vast majority of the breaches you read about happen because someone was tricked into doing something they shouldn’t have done, not because the attacker hacked a satellite or broke into a misconfigured server,” says Reiser. For example, a 2021 attack on EA Games using Slack took the form of a request to reset a user’s multifactor authentication, while a recent infiltration by a Russian-backed group into Microsoft relied on “spraying” passwords across multiple accounts.
The approach of securing human behavior may sound simple, but the technology to make it work is anything but. As one of the first security companies built with AI from the very beginning, the Abnormal platform works by understanding each and every employee’s normal patterns of behavior so that it can spot even tiny anomalies. Perhaps an email ostensibly from your CEO starts with “hello” rather than the usual “hiya.” Perhaps the attacker using a compromised email account sends a phishing email during hours when that employee is typically offline. By ingesting 43,000-plus behavioral signals, Abnormal’s platform monitors these and other, far subtler signals of malicious activity to stop attackers before threats can hit the inbox.
So far, the results are stunning. Customers see an order of magnitude decrease in the number of attacks reaching end users, especially when compared to the legacy products originally designed to stop email attacks via the on-premises gateway. No wonder the company enjoys a 99% recommendation rate on Gartner Peer Insights, the Yelp-like review site for enterprise software.
From Targeting Ads to Protecting Civilization
The Abnormal story began at Twitter, which Reiser and Jeyakumar had joined as part of the social media company’s 2015 acquisition of TellApart, an ad network incubated at Greylock. With Jeyakumar in charge of architecture and Reiser managing Twitter’s behavioral ad targeting efforts, the company’s monetization per user doubled. In 2018, the pair decided to focus their behavioral targeting expertise beyond just selling ads.
The first plan was to create a hugely ambitious platform for the AI era, one that would churn out apps for everything from improving sales pitches to spotting potential sexual harassment. They believed the time was right for two reasons.
The first was the rapid development of AI from a highly academic domain into an ecosystem flush with development tools, open source libraries and endless potential use cases. They could build a platform of unprecedented power without having to hire dozens of PhDs. The second was the final victory of cloud software over PC apps. This meant Abnormal would be able to tap into unprecedented amounts of data from a relatively short list of cloud environments — not just email systems like Gmail and Outlook, but potentially Slack, Salesforce, Azure, Workday and other critical systems — rather than have to build bespoke data feeds with every customer’s IT department. “We’d be able to pretty much understand everything going on inside a company — who’s yelling at who, which sales rep isn’t delivering the right message, who’s your best and worst customer,” Reiser says.
To get started, they spoke to 100 security leaders to understand how Abnormal’s behavioral AI expertise could best help them. “We asked, what is your biggest problem right now that you need to solve? What can we build for you in the next six months that you’d pay $250,000 for? The answer was nearly unanimous. Almost everyone said, ‘help us with email security.’”
Initially, this seemed like an uninspiring mission. “Who even uses email anymore,” Reiser remembers thinking. The mood quickly changed, as the team realized just how ripe for disruption this massive market was. Although companies set new spending records on security technology every year, the volume and severity of attacks were rising even faster. Business email compromise was one of the hot new categories, with losses ballooning from $700 million to more than $2 billion in just a few years, a result of threat actors realizing the potential of targeting human behavior rather than attacking the technology itself. No longer were there amateurish and fake “princes” asking for money. Now employees were being bombarded with personalized emails from coworkers asking if they could buy them a gift card, or emails sent from real vendor accounts asking for payment of an overdue invoice, which, of course, looked entirely legitimate. With their backgrounds in AI, Reiser and Jeyakumar realized that this problem would only get worse as generative AI became mainstream.
Before long, the Abnormal team saw security as a mission of the highest importance. “The current paradigm of cybersecurity is totally unsustainable. The fact is that cybercriminals are now using AI to create extremely sophisticated attacks that are hard to detect and even harder to stop,” says Reiser. Without a radical new approach that also relies on the power of AI, he believes humanity is headed for a nightmarish future of chronic cybercrime and state-sponsored cyber warfare.
“This isn’t just a technology or a business issue, it’s a civilizational issue,” he says. “I want my daughter to grow up in a world where it’s safe to use an ATM, buy something with a credit card, or even have a self-driving car. But to have a future world where she is safe to live her everyday life, we have to change the curve of rising cybercrime.”
To make this happen, security companies need to prove that software really can do the job — if it’s the right type of software. “As a civilization, we’ve given up on software being able to do this job, but I refute that idea,” he says. That’s why companies spend so much time and money on mandatory anti-phishing programs, which never solve the problem. “We believe that AI can achieve what conventional software failed to do in the past, at much greater efficacy than anything we’ve experienced before. It’s not that these problems are unsolvable or that software can’t solve them, but that we haven’t used the right approach. We’re challenging that assumption by showcasing the power of defensive AI.”
Scaling Despite the Odds
As with the “socks” meeting, Reiser struggled to win the confidence of customers at first. Not only was the “protect the people, not the infrastructure” approach novel, but it also required customers to believe that AI would outperform traditional threat intelligence-based approaches. “Some people laughed at us. When we said we were going to use AI to analyze behavior more effectively than humans, no one believed that was possible,” he says. To help overcome this objection, the team added a free evaluation that included a retrospective report consisting of the actual attacks that had bypassed their current solutions and were still sitting in inboxes. “When people saw the volume and types of attacks that had bypassed their current solution, it really opened their eyes and their minds to the power of AI. Most of our customers now realize that AI is not only helpful, but it is absolutely required to stop the next generation of attacks.”
When the first customer purchased Abnormal in December 2018, the company had around a dozen employees who worked out of Greylock’s San Francisco office. By early 2020, the company had a Series B round in the bank and a new hire onboarding every week.
Then COVID hit, and the mass movement to remote work resulted in massive growth for Abnormal. With most companies embracing a hybrid work force, email became even more critical, and bad actors raced to target the millions of corporate workers who were now working on their home PCs, with none of the security infrastructure used in the office. This is when growth really took off. Abnormal raised another round of funding in mid-2022, and hasn’t looked back since.
By mid-2023, the company had passed $100 million in annual recurring revenue, and only a year later, crossed the $200 million mark. Abnormal recently announced its Series D round of funding, and has grown to more than 800 employees and now serves more than 2,400 customers—making it one of the fastest-growing cybersecurity companies in the world. Internal studies and customer results show that Abnormal’s AI is more effective at detecting attacks than a dedicated email security analyst with a year of training.
Reiser and Jeyakumar are now laying the groundwork for growth in many dimensions. New company president Michael DeCesare is overseeing a push into international markets and into the U.S. federal government. And while most observers still think of Abnormal as an email security company, Reiser and Jeyakumar are thinking beyond that.
“We started with email, because that’s where humans are most targeted, but we’re expanding far beyond that to integrate with Slack, Workday, Dropbox, AWS and dozens of other platforms,” he says. “We’re building one unified behavioral model that will allow us to address many different aspects of cybersecurity in the next three to five years and protect humans across all of their everyday applications.”
“Evan and Sanjay have pioneered the first truly AI-native cybersecurity company — one that uses AI to fight AI,” says Greylock partner Saam Motamedi. “Their platform has already proven to be the most effective way to fight advanced email attacks, and email is just the beginning. Abnormal is poised to revolutionize the cybersecurity landscape across multiple fronts with its AI-native approach.”
Reiser agrees that Abnormal has plenty of runway for growth as the platform expands in both breadth and depth. In addition to preventing advanced email attacks and detecting compromised accounts across platforms, the Abnormal platform is also using AI to solve for the growing cybersecurity skills shortage.
Companies are desperate for technology that can reduce the need to hire security experts. There’s currently around 3 million unfilled security jobs because of a lack of qualified candidates, and that number is growing rapidly. If AI systems end up doing the work of half those unavailable workers, that’s well over $200 billion in labor savings. And it isn’t theoretical. Forrester recently found that the average enterprise saves 95% of analysts’ time on email after implementing Abnormal.
“When I talk about the company with investors, I talk about creating a $100 billion company because that’s understandable, but the real opportunity is even larger,” he says. “Organizations spend more than $1 trillion annually on security analysts, and demand still outpaces supply. Our AI can already provide superhuman detection at superhuman speeds, so we feel like we are just getting started in creating incredible value for our customers, our company, and the world.”
Abnormal has grown tremendously fast in the last six years, and is still expanding its platform to reach the vision of fully AI-automated cybersecurity. As Reiser says, “We have so much left to do to help protect our customers and prove that AI is so much more than hype. For me, one thing is certain: the best from Abnormal is still to come.”