iCOUNTER: Cyber Risk Intelligence Breakdown
iCOUNTER builds threat intelligence around one customer at a time. How the cyber risk intelligence model works and why its direction is third-party risk.
iCOUNTER tops the worldwide Market Momentum ranking for July 2026, twelve months after emerging from stealth. The Dallas-based company spun out of Apollo Information Systems in July 2025 with a $30 million Series A led by SYN Ventures, and has spent the year since shipping a platform, acquiring a collection capability, building out an executive team, and collecting industry recognition. The placement reflects that arc. What makes the company worth understanding, though, is the argument underneath it: that threat intelligence as a category has been answering the wrong question.
What iCOUNTER does
iCOUNTER is a cyber risk intelligence platform designed to detect targeted operations against a specific organisation and its third-party ecosystem before an attack is executed. That single-customer focus is the inversion at the centre of the product. Traditional threat intelligence reports on what has been observed across the landscape: campaigns, actors, indicators seen elsewhere. iCOUNTER starts from one customer's profile and correlates its collection against it, looking for reconnaissance, campaign staging, and capability development aimed at that organisation specifically.
The company's argument for why this matters rests on what CEO John Watters calls the patient zero problem. In his framing, AI lets adversaries profile a target and generate novel TTPs built for that target's specific gaps, which means a growing number of victims are hit by attacks nothing in the historical record would have flagged. Watters has said AI compresses reconnaissance that once took months into days. Both claims are the company's own, but they explain the design choice: if the attack aimed at you has never been seen before, intelligence about what has been seen before is of limited use.
On Capability Exchange, the platform is listed under Threat Intelligence Platforms within Security Operations and Monitoring, delivered as SaaS with five documented capabilities. The categorisation is accurate and slightly ironic, since the product is in effect a case against how that category has usually worked.
iCOUNTER profile on Capability Exchange
An operator returning to the field
Watters is not a first-time founder. He led iDEFENSE, sold to Verisign in 2005, then founded iSIGHT Partners, acquired by FireEye for a reported $200 million and merged into Mandiant, where he served as president and COO through the sale to Google. His stated reason for returning is that the AI shift invalidated his belief that what was built at iSIGHT, Mandiant, and Google could not be replicated.
The pattern will be familiar to readers of this series. Armadin, a previous leader on the ranking, was founded by Kevin Mandia, who built Mandiant itself. The vendors currently drawing the most capital and momentum are not newcomers with novel ideas so much as operators from the last generation of threat intelligence coming back because they believe the ground has moved.
Twelve months of dated moves
The momentum behind the July placement is unusually easy to document, because nearly every beat came with a date attached.
In March 2026, the company announced general availability of its Counter Threat Operating System (CTOS), launching with a dedicated third-party risk module, CTOS-TPR, that monitors for adversary reconnaissance and campaign staging directed at vendors, suppliers, and technology partners. In April, it acquired the team and technologies of ParseIntel to expand its global collection footprint. It added a CFO in February and a CMO in May, then a COO and, in June, a CISO, Ali Waezzadah, previously CISO at Frontier Communications through its acquisition by Verizon. Also in June, it won Best Third-Party Risk Management Platform in The Hacker News' 2026 Cybersecurity Stars Awards.
The customer model is deliberately narrow. Apollo, the parent that incubated iCOUNTER, operates as an MSSP serving the mid-market. iCOUNTER's customers are intelligence-only: large enterprises with high-value assets and complex digital ecosystems that consume its risk intelligence directly.
The direction of travel is third-party
Read the year's announcements in sequence and a repositioning becomes visible. At launch, the company described itself as cyber risk intelligence. By 2026, its language had shifted toward compromise intelligence and third-party risk intelligence. The first module it shipped was third-party risk. The award it won was for TPRM.
That drift is worth more attention than the launch story. Verizon's 2025 Data Breach Investigations Report found third-party involvement in breaches doubled in a year to 30%, and for security leaders managing large multi-vendor portfolios, the vendor ecosystem is often the largest attack surface they cannot directly instrument. iCOUNTER's bet, judged by where it is shipping rather than what it says, is that the next intelligence battleground is the supply chain rather than the perimeter.
Whether a single-customer intelligence model scales to that ambition is the open question, and it is one the company's twelve-month record does not yet answer. What the record does show is a vendor moving quickly, in one consistent direction, with an operator at the helm who has taken this category to market three times before. Where it goes from here is the part worth watching.
