In this edition of the Market Momentum Spotlight we take a look at Artemis, a New York security startup building an AI-native replacement for the traditional SIEM. For a company that was still in stealth at the start of the year, that placement is reason enough to look closely at what it has shipped.

A six-month company with a heavyweight start

Artemis was founded in late 2025 and spent its first months inside the CrowdStrike, AWS, and NVIDIA Cybersecurity Startup Accelerator. It emerged from stealth in April 2026 with $70 million in combined seed and Series A funding, a $55 million Series A led by Felicis alongside a $15 million seed co-led by First Round Capital and Brightmind. Theory VC, Two Sigma, and Lockstep also took part.

The cap table is unusual for a company this young. Backers include the founders of Demisto and Abnormal AI, the former CEO and CTO of Splunk, and senior executives from CrowdStrike, Palo Alto Networks, Microsoft, and Okta. The founders match that weight. CEO Shachar Hirshberg led AWS GuardDuty and worked at Demisto before its acquisition by Palo Alto Networks. CTO Dan Shiebler led machine learning at Abnormal AI and holds a PhD in machine learning from Oxford.

Recent signals point to a company scaling quickly. Artemis employs around 30 people in New York and has said it plans to roughly double headcount to 65 by the end of 2026, with open roles across engineering, go-to-market, and security. The funding, the operator roster, and the hiring pace together describe a company moving from launch into commercial expansion.

What Artemis's platform does

From our research at ESProfiler, we identified seven capabilities, which fall into a clear arc from data access through to automated response.

At the base is federated data access. Rather than ingesting and storing telemetry upfront, the platform queries data on demand from where it already lives, including existing SIEMs, data lakes, and cloud-native log stores. On top of that data, Artemis builds a dynamic model of the environment enriched with business context, so detections are tuned to a specific organization rather than applied as generic rules.

Detection runs on that model. AI-native threat detection and correlation continuously monitors telemetry across identity, cloud, endpoint, network, and SaaS, fusing signals to surface multi-stage attacks that single-source tools tend to miss. Adaptive threat intelligence integration keeps detection current against emerging threats.

The analyst-facing layer is where daily work changes most. Natural-language threat hunting lets analysts query the environment in plain language instead of writing complex searches. Automated investigation and case management traces activity across log sources, assembles a timeline with an evidence chain, and recommends response actions. Artemis reports a 94 percent reduction in mean time to detect and respond among early customers, and says one regulated customer now completes investigations in under five minutes.

The action layer closes the loop. Automated threat response can take direct action such as isolating a compromised identity, while security posture hygiene flags issues like over-privileged accounts and undocumented integrations. Artemis says a first scan at one technology customer surfaced multimillion-dollar cloud spend savings alongside that shadow activity.

The full capability profile, including the detail behind each of the seven, is available on the Artemis page on Capability Exchange.

Artemis page on Capability Exchange

The bet against SIEM economics

Artemis is built against a specific cost problem. The traditional SIEM charges by volume: organizations pay for what they ingest and store, so the cost of visibility scales with the telemetry an environment produces. At a large enterprise running dozens of security tools, that model creates an incentive to drop data to control the bill, and dropped data is where attackers operate unseen.

The federated query model is the company's answer. By retrieving data on demand instead of ingesting everything, Artemis says it decouples detection quality from ingestion volume and delivers full visibility at roughly a fifth of traditional SIEM cost. The company has positioned the product as a next-generation alternative to volume-priced incumbents, most directly Splunk, which Cisco acquired in 2024 for $28 billion.

For a consolidation-minded security architecture team, the architecture is the part that warrants scrutiny. A federated model moves the hard questions to query performance against cold storage, to data residency and access control across sources, and to detection coverage when an underlying store is slow or unavailable. The cost figure is the company's own and is stated against an unnamed baseline. The decisive question is whether the platform retires a SIEM line item outright or sits alongside one and adds to the stack. That distinction separates genuine consolidation from another tool in a crowded environment, and it is the question to put to any vendor making this pitch.

Learn more about vendors at Capability Exchange

Capability Exchange is ESProfiler's independent registry for cyber capability. It is built to search vendors, discover emerging products, and map a security stack against a range of frameworks. The Market Momentum ranking that placed Artemis at the top is one signal inside it, a correlative measure that surfaces comparative growth across over 13,000  vendors.

The registry includes more than the leaderboard:

The Artemis profile sits within that catalog, and the same momentum signal that surfaced it is available for every vendor tracked. 

Sign up to the Capability Exchange for free and you can map your own stack against the frameworks that matter to you in minutes.

Explore Capability Exchange