Priam.ai Is Building an AI Agent for the Night-Shift SOC Analyst

The Cambridge seed-stage startup wants its AVA agent to triage SIEM alerts before a human ever opens the ticket.

At three in the morning, somewhere in a security operations center, a SIEM tool is firing its 4,000th alert of the shift. Most are noise. A few are not. The analyst on duty has perhaps eight seconds of attention to spend on each. This is the workflow Priam.ai wants to rewrite, not by replacing the analyst, but by sending an AI agent to do the first pass.

The Cambridge, Massachusetts company, founded in 2020 by Paolo Di Prodi (CTO) and James Ro, is building a product called AVA under CEO Erman Uzgur. It describes AVA as an assisted virtual agent for cyber threat intelligence teams [LinkedIn]. In September it disclosed a $318,000 seed round led by Atlas Ventures, with Türk Telekom Ventures and 21x21 Ventures also on the cap table [Nordic9, September 2025] [PitchBook]. That is a small number by the standards of the cybersecurity category, but it is the kind of capital that funds a focused technical bet rather than a sales build-out, and Priam's bet is technical.

The wedge

What AVA actually does, according to the company, is sit between the SIEM that generates alerts and the threat intelligence sources that contextualize them. The agent "proactively initiates threat hunts, receives alerts from SIEM systems, and enriches them using detailed cyber threat intelligence" [EIN Presswire]. In an October announcement with the threat intelligence vendor RST Cloud, Priam said its AVA agent uses the A2A (agent-to-agent) protocol along with MCP to communicate across specialized security platforms, which the two companies framed as a first for CTI teams [EIN Presswire].

The wedge is narrower than "AI for cybersecurity," which is the right instinct at this stage. CTI enrichment is a real, repetitive job inside large SOCs, and it is one where a wrong answer is recoverable, unlike, say, autonomous response. If AVA can take an alert, pull the relevant indicators, query external intel, and hand the analyst a ranked verdict, it is doing work that today either gets done slowly by humans or does not get done at all.

Why the timing is interesting

Two things make 2025 a plausible year to build this. The first is that the agent protocol layer (A2A, MCP) has matured enough that small teams can wire heterogeneous security tools together without writing a custom integration for every vendor. The second is that SOC budgets are under genuine pressure: enterprises are being asked to cover more telemetry with the same headcount, and the gap is filled today mostly by managed detection and response contracts that get expensive fast.

Back of envelope: a mid-sized SOC fielding roughly 10,000 alerts per day at, say, ten minutes of analyst time per investigated alert (most are auto-closed) burns on the order of 150 to 200 analyst-hours daily on triage and enrichment. At a fully-loaded analyst cost of around $90 per hour, that is roughly $5M to $6M a year in labor on the triage layer alone for one large enterprise SOC (estimated). An agent that absorbs even a quarter of that work, reliably, is a budget line a CISO will defend. That is the math Priam needs to demonstrate, not assert.

The team and the backers

CEO Erman Uzgur, CTO Paolo Di Prodi, and James Ro are building from Cambridge with reported additional presence in The Woodlands, Texas, and London [Dealroom]. Atlas Ventures led the seed; Türk Telekom Ventures is a strategic investor worth noting, because telecom carriers run some of the largest in-house SOCs on the planet and are natural design partners for CTI tooling. The RST Cloud partnership announced via EIN Presswire suggests Priam is choosing to integrate with established intel providers rather than build its own feed, which is the correct call for a seed-stage team [EIN Presswire].

Seed round disclosed: $0.318M

What the bears say, and what the bulls answer

The honest counterfactual is that the AI-for-SOC category is crowded and the incumbents are not standing still. Microsoft has Security Copilot wired into Sentinel, CrowdStrike has Charlotte AI inside Falcon, and Splunk is shipping its own AI assistant. A startup with $318,000 disclosed [PitchBook] and an agent that talks to other vendors' tools is, on paper, a feature in someone else's roadmap. The bull answer is that the platform vendors are each optimizing for their own telemetry, and large SOCs almost never run on a single stack. An interoperability-first agent that speaks A2A and MCP across multiple SIEMs and intel feeds is exactly what a Fortune 500 CTI team running Splunk, Sentinel, and a third-party intel subscription actually needs. Whether that translates into a defensible business depends on whether Priam can sign two or three reference customers before the platform vendors close the gap.

What to watch

The next twelve months are about proof. Watch for a named enterprise reference customer (the Türk Telekom relationship is the obvious candidate to convert from investor to deployment), watch for benchmark data on AVA's triage accuracy against human baselines, and watch for a Series A in the $5M to $10M range that would let Priam hire a go-to-market team. If the technical claims about A2A-based interoperability hold up in production, this becomes a real conversation. If they do not, the window closes quickly as the platform incumbents ship their own agent layers.

The company Priam has to beat is Microsoft Security Copilot. Not because Copilot is better at CTI enrichment today (it is not, particularly), but because it is already inside the SIEM that half of Priam's target customers are paying for. Priam's argument has to be that an independent agent, fluent across vendors, is worth more than a captive one bundled into a license a CISO is already buying. That is a winnable argument. It is not a free one.

Read on Startuply.vc