Cymulate's $137.5 Million Bet Anchors a Continuous Cyber Attack Simulator

The Israeli-founded security validation platform, backed by One Peak and Susquehanna, has landed over 400 enterprise customers for its exposure management suite.

By

About Cymulate

Published

Cymulate’s platform runs a perpetual, automated red team. From a Tel Aviv command center, its software simulates thousands of attack vectors against a client’s live network, probing for weak points that a human pen tester might miss in an annual audit. The pitch is straightforward: continuous validation beats periodic checkups. With a reported $137.5 million in venture funding behind it, the company is betting that this automated, always-on approach is the new standard for enterprise security posture [ZoomInfo].

The Breach and Attack Simulation Wedge

Cymulate launched in 2016 with a focus on breach and attack simulation (BAS). The core product automates the process of emulating real-world attacks, from initial access to lateral movement and data exfiltration. This allowed security teams to test their defenses without hiring expensive external consultants or pausing operations for a manual test. The initial wedge was cost and frequency, replacing a $250,000 annual pen test with a $50,000 SaaS subscription that could run weekly [Cymulate website].

Over time, the platform expanded into what the company now calls its Exposure Management Platform. It layers on continuous automated red teaming (CART), control assessment tools, and vulnerability management, aiming to provide a unified view of risk [CB Insights, 202x]. The differentiation, according to company materials, is a move beyond point-in-time tools to a holistic, integrated view that connects with existing security stacks [Cymulate media kit].

The Team and the Tel Aviv Connection

The founding team carries a distinct pedigree. Co-founders Avihai Ben-Yossef, Eyal Wachsman, and Eyal Gruner are all former Israeli Defense Forces intelligence officers and cyber researchers [Cymulate about us]. This background is a common, though potent, credential in the Israeli cybersecurity scene, signaling deep technical familiarity with offensive security tactics.

Ben-Yossef, the CTO, has built a public profile as a technical evangelist. He is a member of the Forbes Technology Council, authoring posts on continuous security validation and CISO strategy, and has been featured on Cybercrime Magazine podcasts discussing MITRE ATT&CK frameworks [Forbes, 2022] [Cybercrime Magazine]. He was also named to the Forbes Israel 30 Under 30 list in 2020 [PR Newswire, 2020].

Role Name Background Note
Co-Founder & CEO Eyal Wachsman Former IDF intelligence.
Co-Founder & CTO Avihai Ben-Yossef Former IDF intelligence; Forbes Israel 30 Under 30 (2020).
Co-Founder Eyal Gruner Serial cybersecurity entrepreneur.

Capital and Customer Traction

Cymulate has raised capital in steady, growing increments, a sign of investor confidence in its expansion from a BAS tool to a broader exposure management platform. A $45 million Series C in May 2021 was led by growth investor One Peak [TechCrunch, May 2021]. This was followed by a $70 million Series D in 2022, which brought total disclosed funding to approximately $137.5 million [ZoomInfo] [PRNewswire, Sep 2022].

2021 Series C | 45 | M USD
2022 Series D | 70 | M USD
Total Disclosed | 137.5 | M USD

The company reports traction with over 400 customers across 32 countries, targeting mid-market and enterprise clients [Cymulate media kit]. ZoomInfo estimates its annual revenue at $42 million, though this figure is not independently verified [ZoomInfo]. The customer base is global, with offices cited in the U.S., U.K., Spain, Israel, India, Singapore, and Mexico to support sales and implementation.

Where the Competition is Heating Up

The market Cymulate helped define is now crowded. The company lists direct competitors like Pentera, AttackIQ, SafeBreach, and Picus Security [Cymulate website]. The competitive pressure comes on two fronts.

  • Feature convergence. Rivals are rapidly adding their own continuous testing and exposure analytics modules, blurring the lines that once separated BAS vendors from broader security posture management players.
  • Platform competition. Larger endpoint detection and response (EDR) or extended detection and response (XDR) vendors could potentially bundle similar validation capabilities, making a standalone tool harder to justify for some buyers.

Cymulate’s answer is its integrated suite and emphasis on being platform-agnostic. The company stresses its wide range of integrations with other security tools, arguing that a best-of-breed, independent validation layer provides a more objective assessment than a tool from a vendor auditing its own defenses [Cymulate media kit].

The Next Twelve Months

For a company with nine years of operation and nine-figure funding, the next phase is about scaling the enterprise footprint and proving the platform’s stickiness. The recent capital infusion suggests ambitions beyond organic growth, potentially for strategic acquisitions to bolster its technology stack, similar to its 2023 purchase of cloud security posture management firm CYNC Secure.

The key metric to watch is customer expansion within the existing base. Can Cymulate move from being a tactical BAS tool to the central exposure management dashboard for a global enterprise? The bet from investors like One Peak, Susquehanna Growth Equity, and Vertex Ventures is that it can. The $70 million Series D, closed in a tougher 2022 funding environment, indicates those backers see a path to a standalone outcome. The question for the next year is whether the platform’s integrated view can command the premium seat required to justify its valuation.

Sources

  1. [Cymulate] Exposure Management Platform | https://cymulate.com/
  2. [Cymulate] About Us | https://cymulate.com/about-us/
  3. [TechCrunch, May 2021] Cymulate nabs $45M to test and improve cybersecurity defenses via attack simulations | https://techcrunch.com/2021/05/05/cymulate-nabs-45m-to-test-and-improve-cybersecurity-defenses-via-attack-simulations/
  4. [ZoomInfo] Cymulate Company Profile | (Source: ZoomInfo)
  5. [PRNewswire, Sep 2022] Cymulate Announces $70 Million Series D Funding | https://www.prnewswire.com/news-releases/cymulate-announces-70-million-series-d-funding-301624146.html
  6. [Cymulate media kit] Company Overview | (Source: Cymulate media kit)
  7. [CB Insights, 202x] Cymulate Company Profile | https://www.cbinsights.com/company/cymulate
  8. [Forbes, 2022] Council Post: Seeing The Unseen: The Core Merit Of Continuous Security Validation | https://www.forbes.com/councils/forbestechcouncil/2022/02/04/seeing-the-unseen-the-core-merit-of-continuous-security-validation/
  9. [Cybercrime Magazine] Cymulate BreachCast Podcast | https://soundcloud.com/cybercrimemagazine/cymulate-breachcast-what-is-mitre-attack-avihai-ben-yossef-cymulate
  10. [PR Newswire, 2020] Cymulate Co-founder and CTO Avihai Ben-Yossef Selected for Forbes Israel 30 Under 30 2020 | https://www.prnewswire.com/news-releases/cymulate-co-founder-and-cto-avihai-ben-yossef-selected-for-forbes-israel-30-under-30-2020-300994353.html

Read on Startuply.vc