Armadin, an AI-native cybersecurity company building autonomous red-team agents, opens June at the top of our Market Momentum leaderboard. The placement is the reason to look, but the company behind it is the reason to keep reading: a founding team that has run the breach investigations most architecture leaders have only read about, now betting that continuous offensive testing belongs in software rather than a quarterly engagement.
A record raise from a team that has seen the worst breaches firsthand
Armadin launched quietly in September 2025 and went public in March 2026 with $189.9 million in combined seed and Series A funding, a figure the company describes as the largest combined early-stage raise in cybersecurity history. Accel led the Series A and Ballistic Ventures led the seed, with participation from GV, Kleiner Perkins, Menlo Ventures, 8VC, and the CIA's venture arm, In-Q-Tel. The company is based in San Francisco and has not disclosed a valuation.
The credibility signal is the leadership. CEO Kevin Mandia founded Mandiant in 2004 and sold it to Google for $5.4 billion in 2022, after his team led the investigations into the Target, Sony Pictures, and SolarWinds breaches. He is joined by three co-founders drawn from the same world: Travis Lanham (CTO), a former Google Cloud Security principal engineer; Evan Peña (Chief Offensive Security Officer), a former Mandiant executive; and David Slater (Chief Architect), a former Google SecOps engineer. The company reports more than 60 employees within months of launch, and the Capability Exchange profile estimates headcount above 80 and climbing. For a company this young, the activity behind the ranking is unusually concrete.
What the platform does
The platform is built around one idea: an autonomous, continuous red team that reasons rather than scans. Armadin describes specialized AI agents trained on human-led offensive security data that simulate real-world attacks against an organization's full attack surface, then reason, plan, and adapt the way a human adversary would. The company positions this as a move beyond traditional vulnerability scanning toward validating which weaknesses are actually exploitable.
The capabilities group into three connected layers. The first is discovery and simulation: comprehensive attack surface mapping into a real-time knowledge graph, AI-powered attack simulation, and continuous automated red teaming that runs against the environment rather than on a schedule. The second is validation and response: real-time vulnerability validation to confirm exploitable paths, and actionable remediation guidance contextualized to the findings. The third is the operating envelope: safe and controlled execution through purpose-built guardrails, enterprise-grade scalability across global environments, and adaptive learning that refines attack strategies after each probe. Armadin lists nine capabilities in total against its single platform product.
The full capability list and product detail are on Armadin's Capability Exchange profile.
How they're planning to disrupt the market
The problem Armadin is built against is time. Manual red teams and scheduled penetration tests produce a point-in-time picture, and the company argues that picture is already stale against adversaries experimenting with AI agents that operate at machine speed. Armadin's term for the threat is the "hyperattack": a multi-vector campaign that moves faster than a human-in-the-loop defense can answer. The mechanism of its response is to put a continuous offensive capability inside the network permanently, rather than renting one for two weeks a quarter.
Our team at ESProfiler categorizes Armadin under Breach and Attack Simulation, and that is the line item where the pitch lands for a consolidation-minded architecture leader. The relevant question is not whether autonomous red teaming is impressive. It is whether it consolidates existing spend or adds to it. Most enterprises running 75-plus tools already fund some combination of BAS platforms, scheduled external pentests, and attack surface management. Armadin's claim is, in effect, that a single continuous capability can absorb several of those functions.
To dive deeper, put these concrete questions to any vendor making this pitch: which of those existing line items does the platform actually retire, and which does it run alongside? What is generally available today versus on the roadmap, given a public launch only months old? And because an autonomous attacker operating in production is the core mechanism, what governs its blast radius: what authorization model, scoping controls, and safe-execution guarantees sit around the agents before they touch a live system?
Armadin names safe and controlled execution as a built-in capability, which is the right place to start the diligence rather than the place to end it. The decisive question for this category is consolidation versus accretion, and that can be measured only against your current testing stack.
The platform behind the ranking
Capability Exchange is an independent registry of security vendors and products, operated by ESProfiler, that maps what tools actually do against recognized security frameworks. Market Momentum is a correlative signal within it that surfaces comparative growth across vendors, drawn from observable market and digital activity rather than any vendor's self-report.
The registry lets you:
Map products to NIST 800-53, ISO 27001, and SOC 2 controls to evidence coverage
Identify capability gaps across endpoint, cloud, application, and other domains
Compare vendors and products to find overlap and consolidation opportunities
Sign up to the Capability Exchange for free and map your own stack against the frameworks that matter to you in minutes.