Fig Security: RSAC 2026 Innovation Sandbox Profile
This profile was compiled in March 2026 using AI tooling guided by security product strategy guidance from Lenny Zeltser's MCP server. The analysis was performed by AI without direct human validation, to demonstrate the capabilities of AI agents guided by an expert framework. Outside this demo, a human analyst would conduct iterative conversations with the AI agent to arrive at more accurate conclusions.
Executive Summary
Fig Security defines a new product category it calls Security Operations Resilience. The company emerged from stealth in March 2026 with $38 million in seed and Series A funding. Its platform maps, monitors, and validates detection and response flows across the entire SecOps stack, catching silent breakdowns before they create blind spots. Founded by veterans of Siemplify (acquired by Google for $500M) and Cymulate, Fig targets a real and underserved problem: most enterprises cannot tell whether their security tooling still works as intended after infrastructure changes.
Company Overview
| Field | Detail | Evidence |
|---|---|---|
| Founded | March 2025 | TechCrunch, Calcalist |
| Headquarters | New York, NY and Tel Aviv, Israel | TechCrunch |
| Funding | $38M total: $8M seed (Team8) + $30M Series A (Ten Eleven Ventures) | Calcalist, SecurityWeek |
| Stage | Series A | Calcalist |
| Employees | ~25 (mostly Israel-based) | Calcalist (Confirmed, company claim) |
| Key Investors | Team8 (seed lead): $1B+ AUM, built Claroty (unicorn), exits include Dig Security and Talon to Palo Alto for ~$1B combined. Ten Eleven Ventures (Series A lead): $1B+ AUM, 62 cybersecurity investments, 7 unicorns, exits include KnowBe4, Darktrace, Twistlock, Verodin, Cylance. | Team8, Ten Eleven Ventures, PR Newswire |
| Notable Angels | Doug Merritt (former Splunk CEO), Rene Bonvanie (former Palo Alto Networks CMO), Daniel Bernard (CrowdStrike CBO), founders of Demisto and Siemplify (Amos Stern confirmed as seed investor) | SiliconANGLE, LinkedIn |
Problem Definition and Market Opportunity
SOC teams depend on layered stacks of SIEMs, SOAR platforms, data pipelines, and AI agents. Changes to any component can silently break detection rules, response playbooks, and data flows. These failures produce no alerts. The team that believes it is protected may simply be blind.
This problem worsens as environments grow. Cloud migrations, SaaS integrations, vendor updates, and internal configuration changes all introduce drift. According to Fig’s CEO Gal Shafir: “The most dangerous failures in security are the ones you do not know about” (Help Net Security). Grace Cassy of Ten Eleven Ventures described this as “what’s fueling the need for a new category focused on security operations resilience” (SiliconANGLE).
The market opportunity sits at the intersection of several large segments: SIEM ($6B+), SOAR, and the broader SecOps tooling market. Fig does not compete with these tools. It adds a resilience layer across them. Every enterprise that operates a multi-vendor SOC is a potential customer. The category is new, with no established incumbent offering end-to-end SecOps resilience validation.
Product Capabilities
Fig’s platform performs four core functions:
1. Autonomous Discovery and Mapping. Fig integrates across any tech stack and autonomously discovers the organization’s complete detection and response flows. It traces data lineage end-to-end from sources through pipelines, SIEMs, data lakes, SOAR platforms, and SOC AI agents (Help Net Security).
2. Continuous Monitoring for Drift. The platform detects when upstream changes silently break detection rules or automation. It monitors configuration changes, structural changes, and data pipeline health across the stack (SiliconANGLE).
3. Root Cause Analysis and Alerting. When changes threaten detection or response capabilities, Fig alerts teams with root cause identification and impact analysis. Teams understand what broke, why, and what is affected (Team8 blog).
4. Change Simulation. Before pushing changes to production, teams can simulate how proposed modifications would affect the entire system. This prevents new failures during planned infrastructure updates (SiliconANGLE).
Shafir frames this as “DevOps for SecOps,” positioning Fig as the place “where SOC engineers come to run their complex infra, ensure it’s resilient through change, expand coverage and deploy to production with confidence” (fig.security).
The platform claims frictionless integration with any tech stack. Specific supported integrations are not publicly detailed. Evidence tier: Product capabilities are confirmed company claims, verifiable through demos but not independently tested.
Competitive Positioning
Fig defines its own category: Security Operations Resilience. No direct competitor offers the same combination of end-to-end SecOps data lineage mapping, drift detection, and change simulation. The company explicitly does not replace SIEMs, SOARs, or SOC AI systems. It sits across them as a validation and resilience layer.
Adjacent competitors include:
- Detection engineering tools (e.g., Anvilogic, CardinalOps): Focus on detection rule quality and coverage gaps within SIEMs. Fig goes broader, covering the full data flow from source to response.
- SOAR/automation platforms (e.g., Torq, Tines): Automate response workflows but do not validate that those workflows still function after infrastructure changes.
- Security posture management (e.g., Cymulate, SafeBreach): Validate security control effectiveness through attack simulation. Fig validates the operational plumbing rather than the control layer.
- Agentic SOC platforms (e.g., Seven AI, Akira AI): Automate SOC analyst tasks. These depend on functional detection pipelines, which is what Fig protects.
Fig’s strongest positioning argument: it is complementary to all of these. Every SOC tool works better when the underlying data flows and detection logic remain intact. Evidence tier: Category definition is a company claim. Competitor differentiation is inferred from product descriptions across sources.
Go-to-Market and Traction
- Fortune 100 customers: Fig claims its platform is already deployed with “multiple large enterprises, including Fortune 100 organizations” (TechCrunch). Customer names are not disclosed. Evidence tier: Company claim, unverifiable.
- Target market: Large enterprises with multivendor security environments combining cloud services, on-premises systems, and managed security tools (SiliconANGLE).
- Growth plans: Fig plans to triple headcount by end of 2026, with a strong focus on expanding go-to-market presence in North America (TechCrunch).
- Pricing: Not publicly disclosed.
- Revenue/ARR: Not publicly disclosed.
- RSAC Innovation Sandbox: Selected as one of 10 finalists. Awarded $5M investment as part of finalist selection (PR Newswire).
Team and Credibility
Gal Shafir, CEO and Co-Founder. Served as Director of Global Sales Engineering at Siemplify (2018-2022), through the company’s growth and $500M acquisition by Google. Then served as Head of Global Security Architects for Google SecOps (2022-2025). Prior: Head of Global Sales Engineering at Votiro; IDF Mamram veteran; cybersecurity lecturer at Technion. LinkedIn profile confirms ~14 years of experience. (LinkedIn)
Nir Loya Dahan, CPO and Co-Founder. VP Product at Cymulate (2021-2025). Product Manager at Siemplify (2017-2021). Director of Product at Unit 8200 (2015-2017). Cyber Security Analyst at Unit 8200 (2010-2013). B.A. in Economics and Data Science from Reichman University; exchange at UC Berkeley. ~15 years of experience. (LinkedIn)
Roy Haimof, CTO and Co-Founder. Director of Engineering at Cymulate (2022-2025), where he “spearheaded the creation of a new product offering, assembling a talented team and overseeing the project from inception to its seamless integration into the Cymulate platform.” Security Research Team Lead and Security Researcher at Cymulate (2020-2022). Cyber Security Specialist and Intelligence Analyst at Unit 8200 (2015-2020). Started cybersecurity at age 16. ~11 years of experience. (LinkedIn)
Team assessment: The founding team combines deep SecOps domain expertise across the full value chain. Shafir brings GTM and enterprise sales experience from Siemplify’s growth phase and Google-scale operations. Loya Dahan brings product leadership from both SOAR (Siemplify) and security validation (Cymulate). Haimof brings engineering and security research from Cymulate’s platform. All three served in elite Israeli intelligence units. The Siemplify-to-Google pipeline gives them firsthand experience with the exact problem Fig solves: what happens to SOC infrastructure during and after major platform transitions. Evidence tier: LinkedIn profiles confirm roles. Siemplify acquisition price confirmed by multiple sources.
Trust Readiness
- SOC 2 / ISO certifications: Not publicly disclosed.
- Security page / trust center: The company website (fig.security) does not surface a dedicated trust or security page based on available navigation.
- Data handling: Fig integrates across the SecOps stack, which means it likely has access to security telemetry metadata. How it handles this data is not publicly documented.
- Enterprise readiness signals: Fortune 100 deployment claims suggest the platform passes enterprise procurement requirements, but specifics are not available. Evidence tier: Trust readiness is largely not publicly disclosed.
RSAC Judging Criteria
RSAC does not publish an official judging rubric. The five criteria below are extrapolated from press descriptions of what judges evaluate: the problem a company addresses, the originality of its technology, its go-to-market strategy and team, market validation, and product demonstration.
| Criterion | Score (1-5) | Assessment |
|---|---|---|
| Problem/Market | 5 | Every enterprise SOC faces silent detection drift. The problem is real, widespread, and underserved. The market intersects SIEM, SOAR, and SecOps broadly. |
| IP Originality | 4 | End-to-end data lineage mapping across heterogeneous SecOps stacks, combined with change simulation, is novel. No incumbent offers this exact capability. Technical depth is hard to verify pre-demo. |
| GTM/Team | 5 | Founders built and sold into SOCs at Siemplify ($500M acquisition) and Cymulate. Angel investors include former Splunk CEO, Palo Alto Networks CMO, and CrowdStrike CBO. Team8 and Ten Eleven are top-tier cybersecurity VCs. |
| Validation/Revenue | 3 | Fortune 100 customer claims are strong but unverifiable. No disclosed revenue, ARR, or named customers. The company is less than one year old. |
| Product/Demo | 4 | Platform is in production with enterprise customers. Mapping and visualization of detection flows should demo well. Change simulation is a compelling live demo feature. |
Overall RSAC Fit: 21/25. Fig Security defines a new category with a real, underserved problem and a founding team that has built and exited in this exact domain. The main gap is thin public validation for a company less than one year old.
Startup Readiness Assessment
This eight-dimension assessment appears in the comparison matrix on the main page. It evaluates broader startup readiness using dimensions from the security product analysis framework. Five dimensions overlap with the RSAC criteria above. Three are added: funding efficiency, category clarity, and incumbent defensibility.
| Dimension | Score (1-5) | Assessment |
|---|---|---|
| Problem Clarity | 5 | Every enterprise SOC faces silent detection drift. The problem is real, widespread, and underserved. No existing tool category addresses end-to-end SecOps resilience validation. |
| Capability Depth | 4 | End-to-end data lineage mapping, drift detection, and change simulation across heterogeneous SecOps stacks is novel. No incumbent offers this exact combination. Technical depth is hard to verify pre-demo. |
| Market Timing | 4 | SOC complexity is accelerating with cloud migrations, AI agent adoption, and multi-vendor stacks. Silent breakdowns become more frequent and more dangerous as environments grow. |
| Team Credibility | 5 | Founders from Siemplify ($500M exit to Google) and Cymulate bring direct domain expertise. Angel investors include former Splunk CEO, Palo Alto Networks CMO, and CrowdStrike CBO. Team8 and Ten Eleven Ventures are top-tier cybersecurity investors. |
| GTM Proof | 3 | No named customers disclosed publicly. Team8’s venture creation model and senior angel investors (former Splunk CEO, Palo Alto Networks CMO, CrowdStrike CBO) suggest enterprise engagement not yet announced. Score reflects a small upward adjustment for inferred traction. |
| Funding Efficiency | 5 | $38M total funding for approximately 25 employees with Fortune 100 customer claims. Strong capital backing relative to team size, with plans to triple headcount by end of 2026. |
| Category Clarity | 3 | ”Security Operations Resilience” is Fig’s own term. Buyers may not yet recognize this as a budget line item, which means Fig must educate the market while simultaneously selling. |
| Incumbent Defensibility | 3 | SIEM vendors (Splunk/Cisco, Microsoft Sentinel) could build similar monitoring into their platforms. SOAR vendors could extend into pipeline validation. Fig’s cross-stack positioning offers some protection, but the risk is real. |
Overall: 32/40.
Key Risks
- Category creation risk. “Security Operations Resilience” is Fig’s term. Buyers may not yet recognize this as a budget line item. Fig must educate the market while simultaneously selling.
- Thin public validation. No named customers, no disclosed revenue, no third-party analyst coverage yet. Fortune 100 claims are unverifiable.
- Early stage. Founded March 2025, ~25 employees, emerged from stealth March 2026. The product has limited production history.
- Incumbent response. SIEM vendors (Splunk/Cisco, Microsoft Sentinel, Google SecOps) could build similar monitoring into their platforms. SOAR vendors could extend into pipeline validation.
- Integration surface area. Claiming to work across “any tech stack” is ambitious. Depth of integration across every SIEM, SOAR, data lake, and pipeline variant will be tested as the customer base grows.
- Founder profile gap. Shafir’s background is sales engineering and architecture, not founding or general management. This is his first CEO role. Strong operational support from Team8 mitigates this partially.
Sources
- Fig Security website
- Fig Security About page
- TechCrunch: Fig Security emerges from stealth with $38M
- SecurityWeek: Fig Security Launches With $38 Million
- SiliconANGLE: Fig Security launches with $38M
- Help Net Security: Fig Security $38 million
- Calcalist: Fig Security raises $30 million Series A
- Team8 blog: Why We Invested in Fig
- PR Newswire: RSAC Innovation Sandbox Finalists 2026
- Fintech Global: Enterprise security firm Fig Security secures $38m
- TechStartups: Fig Security emerges from stealth
- Ventureburn: Fig Security Secures $38M
- Gal Shafir LinkedIn
- Nir Loya Dahan LinkedIn
- Roy Haimof LinkedIn
- Amos Stern (Siemplify founder, Fig seed investor) LinkedIn