Cybereason
Cybereason Inc. is a cybersecurity company founded in 2012 by Lior Div, a former nation-state hacker with experience in Israeli military intelligence, and headquartered in Boston, Massachusetts.[1][2] The firm specializes in developing AI-driven extended detection and response (XDR) platforms, including endpoint detection and response (EDR) solutions, to prevent, detect, and remediate advanced cyber threats by identifying complete malicious operations across IT environments.[3][4][5] Cybereason's core offering, the Cybereason Defense Platform, employs a unified lightweight agent for scalable deployment, focusing on operation-centric analysis that correlates behaviors into holistic threat narratives rather than siloed alerts, supplemented by managed detection and response (MDR) services.[6][7] The company has served over 1,300 customers in 50 countries, emphasizing protection for enterprises against sophisticated adversaries.[1]
Following rapid growth and a peak valuation exceeding $3 billion after raising over $800 million in funding, including a $325 million round in 2021, Cybereason encountered financial headwinds, workforce reductions, and internal conflicts.[8][1] These challenges culminated in the 2025 resignation of CEO Eric Gan after lawsuits against key investors like Steven Mnuchin and SoftBank Vision Fund over stalled financing, leading to an announced acquisition by LevelBlue on October 23, 2025, to bolster its managed services capabilities.[9][10][11]
Founding and Technology
Founders and Israeli Intelligence Roots
Cybereason was founded in 2012 by Lior Div, Yonatan Striem-Amit, and Yossi Naar, all Israeli nationals with prior experience in cybersecurity and software development.[4] Lior Div served as the initial CEO, Yonatan Striem-Amit as CTO, and Yossi Naar as Chief Visionary Officer, roles that reflected their respective expertise in hacking operations, machine learning, big data analytics, and system architecture.[2][12] The trio established the company initially in Israel before relocating its headquarters to Boston, Massachusetts, to expand into the U.S. market.[13]
The founders' professional foundations trace to service in Israel's elite military intelligence units, particularly Unit 8200, the Israel Defense Forces' signals intelligence (SIGINT) branch responsible for cyber operations, code-breaking, and threat detection.[14] Lior Div, a veteran of Unit 8200, gained expertise in malware analysis, reverse engineering, and nation-state hacking during his military tenure, which informed Cybereason's focus on advanced persistent threat (APT) detection.[13][15] Yonatan Striem-Amit and Yossi Naar similarly drew from Unit 8200 experience in cyber defense and data analytics, enabling the development of behavioral analytics platforms modeled on military-grade threat hunting techniques.[16] This shared background in handling sophisticated, state-sponsored cyber intrusions positioned Cybereason to differentiate from traditional antivirus solutions by emphasizing holistic operation-centric security.[14]
Unit 8200's rigorous training in real-time SIGINT collection and cyber warfare has produced numerous cybersecurity entrepreneurs, with Cybereason exemplifying how such alumni leverage classified operational insights for commercial innovation, though the company's platform adapts these for enterprise use without direct military tooling.[17] By 2023, Div and Striem-Amit had departed Cybereason to launch 7AI, a new AI-focused cybersecurity venture, while Naar remained in his visionary role amid the company's restructuring.[18][19]
Core Technology and Approach
Cybereason's core technology centers on the MalOp™ Detection Engine, which employs an operation-centric approach to cybersecurity by identifying and correlating malicious behaviors across endpoints and networks, rather than relying solely on isolated indicators of compromise (IoCs). This engine leverages advanced behavioral analytics to detect subtle chains of attacker activities, known as Indicators of Behavior (IoBs), which manifest as coordinated operations spanning multiple machines and stages of an attack lifecycle, from initial access to lateral movement and exfiltration. By analyzing process behaviors, user contexts, network connections, and system events in real-time, the technology aggregates disparate alerts into a unified "MalOp" representation, reducing alert fatigue and enabling faster triage.[20][21]
At the heart of this system is the Cross-Machine Correlation Engine, a data analytics platform that processes vast telemetry data to reconstruct attacker operations holistically. Unlike traditional signature-based or rule-matching detection methods, which often miss novel threats, Cybereason's approach uses machine learning to model normal versus anomalous behavioral patterns, flagging deviations that indicate ongoing malicious operations even if individual actions appear benign. For instance, it detects tactics such as privilege escalation or credential dumping by linking them to broader intent, providing security teams with a severity score (MalOp Severity Score) for prioritization and automated remediation workflows. This method has demonstrated effectiveness in evaluations, including high scores in MITRE ATT&CK assessments for prevention and detection coverage.[20][22][23]
The platform integrates prevention, detection, and response capabilities into a single agent architecture, supporting extended detection and response (XDR) through AI-driven enrichment of raw data.
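
An added illustration of the cross-machine correlation idea described above, not Cybereason's code or algorithm: events that share an entity (a process, a credential, an address) are merged transitively into one operation and then ranked. The event fields, behavior names, tactic mapping and scoring formula are assumptions made for this example, and the telemetry is constructed.

```python
from collections import defaultdict

# Assumed mapping from an observed behavior to a MITRE ATT&CK tactic name.
TACTIC = {
    "office_spawns_script": "execution",
    "credential_dump": "credential-access",
    "remote_service_creation": "lateral-movement",
    "large_outbound_transfer": "exfiltration",
}

# Constructed telemetry: each event lists the entities it touched.
EVENTS = [
    {"id": 1, "host": "ws-01", "behavior": "office_spawns_script",
     "entities": {"proc:ws-01/3120"}},
    {"id": 2, "host": "ws-01", "behavior": "credential_dump",
     "entities": {"proc:ws-01/3120", "cred:alice"}},
    {"id": 3, "host": "srv-db", "behavior": "remote_service_creation",
     "entities": {"cred:alice", "proc:srv-db/4412"}},
    {"id": 4, "host": "srv-db", "behavior": "large_outbound_transfer",
     "entities": {"proc:srv-db/4412", "ip:203.0.113.9"}},
    {"id": 5, "host": "ws-07", "behavior": "office_spawns_script",
     "entities": {"proc:ws-07/888"}},
]


def correlate(events):
    """Merge events that share an entity (transitively) into operations."""
    parent = {e["id"]: e["id"] for e in events}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_seen = {}  # entity -> id of the first event that touched it
    for e in events:
        for ent in e["entities"]:
            if ent in first_seen:
                parent[find(e["id"])] = find(first_seen[ent])
            else:
                first_seen[ent] = e["id"]

    groups = defaultdict(list)
    for e in events:
        groups[find(e["id"])].append(e)

    ops = []
    for members in groups.values():
        hosts = sorted({m["host"] for m in members})
        tactics = sorted({TACTIC[m["behavior"]] for m in members})
        # Toy priority (an assumption): tactic breadth plus spread across hosts.
        ops.append({"events": sorted(m["id"] for m in members), "hosts": hosts,
                    "tactics": tactics, "score": len(tactics) + len(hosts) - 1})
    return sorted(ops, key=lambda o: o["score"], reverse=True)


if __name__ == "__main__":
    for op in correlate(EVENTS):
        print(op)
```

Taken one at a time, each of the first four events scores 1; linked through the shared process and credential, they form a single operation across two hosts with a score of 5.
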
Key features include real-time behavioral blocking to halt threats at inception, machine-assisted investigations via visual timelines of operations, and integration with managed detection and response (MDR) services for outsourced threat hunting. This holistic methodology aims to address the limitations of siloed tools like endpoint detection and response (EDR) by emphasizing causal chains of attacker intent over volume-based alerting.[24][7]
Historical Development
Inception and Early Milestones (2012-2017)
Cybereason was founded in 2012 by Lior Div, Yonatan Striem-Amit, and Yossi Naar, all former members of Israel's elite Unit 8200 cyber intelligence unit.[2][13][25] The company's inception stemmed from the founders' experiences combating advanced persistent threats during their military service, leading them to develop an endpoint detection and response (EDR) platform aimed at behavioral analysis of malicious operations rather than signature-based detection.[13][26]
In May 2013, Cybereason secured its initial funding round, raising approximately $4.62 million in a Series A led by early-stage investors, which supported the refinement of its core technology for enterprise endpoint protection.[27][28] By 2015, the company raised $25 million in a subsequent round from investors including CRV and Spark Capital, enabling expansion of its real-time detection capabilities and initial market penetration in the U.S. and Europe.[25]
Key early milestones included recognition in the Big 50-2016 Startup Report for its innovative platform and the 2016 launch of a Japan-focused subsidiary in partnership with SoftBank to adapt its EDR solutions for the Asian market.[29][2] In 2017, Cybereason introduced Ransom Free, a consumer-oriented anti-ransomware tool, alongside its Total Endpoint Protection Platform, which integrated EDR with next-generation antivirus features.[30] That same year, it closed a $100 million Series D round led by SoftBank, bringing total funding to $189 million and fueling aggressive go-to-market strategies.[31]
Growth Phase and Peak Valuation (2018-2021)
During this period, Cybereason experienced significant revenue acceleration, with annual recurring revenue exceeding $120 million by the end of 2020 and reported year-over-year growth rates approaching 200% into 2021, driven by demand for its extended detection and response (XDR) platform amid rising cyber threats.[2] Customer acquisition also surged, particularly in EMEA where new customers increased by over 200% in the 12 months prior to June 2018, reflecting adoption by enterprises seeking advanced endpoint protection.[32] This growth was supported by strategic partnerships and product enhancements, positioning Cybereason as a leader in proactive threat hunting.
Geographic expansion bolstered operations, including the opening of a Sydney office in January 2018 and a distribution agreement for Australia and New Zealand to penetrate the Asia-Pacific market.[33] Further North American scaling involved key hires in sales and marketing leadership to capitalize on U.S. enterprise demand.[34] These moves aligned with broader global ambitions, enhancing service delivery and local support for international clients.
The phase culminated in substantial funding, with a $275 million Series F round in July 2021 led by Liberty Strategic Capital, which valued the company at approximately $3 billion post-money and added former U.S. Treasury Secretary Steven Mnuchin to its board.[35][36] This infusion, described as crossover financing to fuel XDR innovation and potential IPO preparations, marked Cybereason's peak valuation amid a buoyant cybersecurity investment climate, following earlier rounds that had cumulatively built momentum since inception.[37] The company confidentially filed for an initial public offering around this time, signaling confidence in sustained scalability.[8]
Challenges, Layoffs, and Restructuring (2022-2025)
In 2022, Cybereason encountered significant headwinds amid a broader contraction in the cybersecurity sector, including the closure of the technology IPO market and shifting economic conditions that curtailed venture funding and public listings.[38] The company, which had expanded rapidly during the prior growth phase, acknowledged over-hiring at elevated wage levels, contributing to operational inefficiencies as revenue growth slowed.[2] These pressures prompted initial cost-control measures, with Cybereason announcing in June 2022 the layoff of approximately 100 employees, representing 10% of its global workforce across Israel, the United States, and Europe.[39][40]
The downsizing intensified later that year, as Cybereason executed a second round of layoffs in October 2022, eliminating 200 positions or 17% of its remaining staff, including 50 roles in Israel and 150 in the U.S.[41][42] This brought total job cuts in 2022 to over 300 employees, roughly 25% of the workforce at the start of the year, as the firm sought to streamline operations and extend its cash runway amid rumors of potential acquisition talks, which management denied pursuing at the time.[43][39] Valuation pressures compounded these challenges; after peaking at $3.3 billion in July 2021, Cybereason's implied valuation eroded sharply, dropping to an estimated $300 million by April 2024 due to investor markdowns and a funding environment skeptical of high-burn-rate startups.[44]
By 2023 and into 2024, Cybereason continued restructuring efforts with a third round of layoffs announced in March 2024, targeting dozens of senior employees to further reduce overhead and refocus on core endpoint detection and response offerings.[38][45] Cumulative reductions from 2022 to 2024 shrank the workforce from around 1,500 to approximately 680 employees, reflecting a deliberate pivot toward efficiency in a market where cybersecurity demand persisted but investor capital tightened.[46][44]
Leadership turbulence marked 2025, as CEO Eric Gan resigned in March amid disputes with investors over additional funding needs, having been appointed during the prior year's cost-cutting phase.[10][47] The board subsequently secured $120 million in new capital shortly after, signaling efforts to stabilize finances despite reputational strains from earlier aggressive expansion backed by SoftBank.[48] These measures culminated in October 2025 with Cybereason's acquisition by LevelBlue, a move framed as a strategic consolidation rather than a distress sale, effectively ending its independent operations after years of valuation volatility and workforce contraction.[46]
Products and Services
Endpoint and Extended Detection Capabilities
Cybereason's Endpoint Detection and Response (EDR) solution integrates behavioral analysis, machine learning, and cross-machine correlation to identify subtle malicious activities across endpoints, distinguishing it from signature-based antivirus by focusing on real-time threat behaviors rather than known indicators.[49][50] The platform deploys a lightweight agent that collects telemetry from endpoints, enabling detection of invasive threats through continuous monitoring and aggregation of data sources.[49]
Central to its EDR is the MalOp™ detection engine, which groups related suspicious operations—such as process injections, lateral movements, and persistence mechanisms—into unified "Malicious Operations" (MalOps), providing a complete narrative of attacks with contextual enrichment from threat intelligence and MITRE ATT&CK mappings.[49][50] This approach facilitates investigation via an intuitive user interface that correlates events enterprise-wide, reportedly achieving a 1:200,000 analyst-to-endpoint efficiency ratio and shortening response times through automated timelines.[49] Response actions include one-click remediation options like killing processes, quarantining files, removing persistence, and isolating machines, with independent studies citing up to 93% efficiency gains in incident handling.[49][50]
Extending EDR, Cybereason's XDR platform ingests and fuses telemetry from diverse sources beyond endpoints—such as networks and cloud environments—to generate comprehensive MalOps visualizations, enabling early detection of cross-layer threats and reducing mean time to response (MTTR).[51] It maintains a single lightweight agent for deployment while providing operation-centric visibility, with validations in MITRE ATT&CK evaluations demonstrating strong detection coverage.[51][49] The system supports predictive elements through ML-driven ranking of threats and integrates with external feeds for enriched analysis, though efficacy depends on data quality and configuration.[49] Forrester's 2020 Wave report rated Cybereason highest for current EDR offerings, underscoring its prevention, detection, and remediation strengths.[49]
Threat Hunting and Prevention Features
Cybereason's threat hunting capabilities center on its proprietary Malicious Operations (MalOps) detection engine, which identifies interconnected behaviors indicative of advanced persistent threats (APTs) across endpoints, networks, and cloud environments, enabling proactive hunting for unknown attacks that evade traditional signature-based tools.[52] The platform's Hunting Engine correlates activity across machines to reconstruct full attack timelines, allowing analysts to query historical data via a unified interface with contextualized visualizations and API support for custom investigations.[53] This approach supports hypothesis-driven hunts, reducing mean time to detect (MTTD) by surfacing hidden threats tied to MalOps severity scores that prioritize high-impact operations.[54] Integration with the Cybereason XDR platform accelerates hunting by up to 10 times through retroactive threat intelligence matching against stored data, minimizing coverage gaps in real-time ingestion.[55]
The company's prevention features employ a multi-layered strategy combining behavioral analysis, machine learning, and intelligence-driven blocking to preempt executions rather than merely detecting post-breach activity. Behavioral Execution Prevention (BEP), a core next-generation antivirus (NGAV) evolution, halts phishing, zero-day exploits, and ransomware at the execution stage by monitoring process behaviors and anomalous code injections.[56] Device controls further mitigate risks by enforcing policies on USBs, peripherals, and removable media to curb lateral movement vectors.[57] For ransomware specifically, predictive protection layers deception techniques with behavioral safeguards, preventing encryption escalation and enabling file restoration to pre-encrypted states as a fail-safe.[58] In MITRE ATT&CK Evaluations, Cybereason achieved 100% prevention scores across tested scenarios, demonstrating efficacy against simulated enterprise attacks without configuration tuning.[23]
These features are bolstered by the Nocturnus threat intelligence team, which disseminates research-driven insights to refine hunting queries and prevention rules, ensuring defenses adapt to emerging tactics from nation-state actors and cybercriminals.[6] Managed Detection and Response (MDR) services extend these capabilities operationally, providing expert-led hunting and prevention without in-house expertise requirements.[7] Overall, the integration of MalOps-centric hunting with layered prevention aims to shift from reactive remediation to preemptive disruption, though effectiveness depends on deployment scope and environmental tuning as noted in independent evaluations.[59]
Funding and Financial Trajectory
Major Investment Rounds
Cybereason, founded in 2012, has raised approximately $938 million across 10 funding rounds from inception through 2025.[27] The company's early rounds were modest, starting with a $4.63 million seed investment, followed by progressively larger series funding from venture firms including CRV, Samsung NEXT, and Blumberg Capital, culminating in over $400 million prior to 2021.[27]
The most significant investment came on July 14, 2021, when Cybereason announced a $275 million crossover financing round led by Liberty Strategic Capital, which committed $200 million.[60][61] This round valued the company at $3.2 billion post-money and included participation from existing investors such as SoftBank Vision Fund 1 and Altimeter Capital, positioning Cybereason for expanded operations in extended detection and response (XDR) technologies amid rising demand for advanced cybersecurity platforms.[62]
Subsequent major rounds focused on sustaining growth during market challenges. On April 3, 2023, Cybereason raised $100 million in a Series G extension led by SoftBank Corp., aimed at accelerating global expansion and innovation in its XDR offerings.[63] In March 2025, the company secured an additional $120 million from SoftBank Corp., SoftBank Vision Fund 2, and Liberty Strategic Capital to bolster endpoint detection and response (EDR) solutions and support operational scaling.[64]

| Date | Amount | Stage | Lead Investor(s) | Key Purpose |
|---|---|---|---|---|
| July 14, 2021 | $275 million | Crossover | Liberty Strategic Capital | Fuel XDR platform growth and international expansion[60] |
| April 3, 2023 | $100 million | Series G | SoftBank Corp. | Advance global innovation and market penetration[63] |
| March 10, 2025 | $120 million | Undisclosed extension | SoftBank Corp., SoftBank Vision Fund 2, Liberty Strategic Capital | Enhance EDR capabilities and operational resilience[64] |