
Phishing For AI Winners In Cyber – Takeaways From The 2024 Montgomery Summit

At March Capital, we have been investing in cybersecurity for 10 years, yielding many successful exits, such as the IPOs of CrowdStrike and KnowBe4. We have seen first-hand what it takes to achieve success and then to scale up and become a market leader.

So, what’s different with GenAI? At this year’s Montgomery Summit, we heard from 30+ CISOs and cybersecurity CEOs across panels, roundtables, presentations, and our annual cybersecurity dinner.

One universal thread – AI has been jokingly labelled “Already Implemented” in cyber – with CISOs ranging from cautiously optimistic to downright skeptical about the widespread impact of GenAI. In this uncertainty lie opportunities for startups.

We heard general agreement from Summit presenters about GenAI aiding the following – making attackers more effective, automating common tasks, and leveraging natural language interfaces (e.g., to assist with basic security operations).

Yet, CISOs are skeptical by nature, and they already use machine learning to identify anomalies in some domains. Enterprise technology stacks are also complex – multiple clouds, legacy technologies, and third-party risks abound. Security teams are dealing with (i) billions of signals living across disparate systems and (ii) workflows across 75+ security tools.

Many experts believe new companies are needed to secure the attack surface of AI (from training to production) and to govern the safety and privacy of the models themselves.

However, we heard widespread disagreement on whether GenAI can greatly reduce software vulnerabilities, improve penetration testing, classify sensitive data correctly, and automate the more difficult parts of incident analysis and response.

Dave Merkel, CEO/cofounder of Expel, expects that GenAI is “going to require a different set of detection technologies, mitigation technologies to be effective…”

This is one of many interesting perspectives we heard when Jed Leidheiser, Partner of March Capital, moderated a session on “How AI is Changing the Game for Cyber and Fraud” with:

1. Rinki Sethi – CISO of BILL.com
2. Noam Schwartz – Founder & CEO of ActiveFence
3. Jon Miller – Founder & CEO of Halcyon
4. Dave Merkel – Co-Founder & CEO of Expel (and March Capital portfolio company)

You can watch a recording of that conversation here (YouTube). We’re sharing a few more perspectives from that discussion below; we hope that these resonate with you as much as they did with us.

REFLECTIONS FROM THE 2024 MONTGOMERY SUMMIT

1. “GenAI is democratizing access to sophisticated attacks.” – Noam Schwartz, CEO of ActiveFence

  • Insight: The threat vectors that improve the most with GenAI are those that benefit from increased volume and scale: phishing, business email compromise, and social engineering attacks (which now represent one in five phishing attempts). The success rate of phishing attempts is increasing with AI as well. Cofense reports a 104% increase in the number of attacks bypassing detection in 2024. This illustrates how attackers are becoming better, faster, and stronger with AI… and how CISOs will need to leverage AI to keep pace.
  • Opportunity Areas: AI-powered Security Operations, Email Security

2. “Everyone has been using AI… The bigger concern today… is about covering new bases in safety, legal, and privacy.” – Rinki Sethi, CISO at Bill.com

  • Insight: Hallucinations and data leakage concerns with LLMs have renewed our need for trust. Three of the top barriers to AI adoption are inaccuracy, IP concerns, and regulatory compliance (McKinsey). Within the enterprise, individual teams are consuming AI-driven software or their own models, often without effective oversight. Meanwhile, executives and regulators are increasingly concerned with the potential operational, regulatory, and reputational impacts of AI. We think the Governance market is overdue for a refresh, and AI may be the push it needs to finally transform.
  • Opportunity Areas: AI Governance, Data Security, AI Firewalls, Software Supply Chain

3. “[Sometimes in building an AI product], you are so focused on becoming an ‘AI company’ that you fail to consider the other intel at your disposal: signatures, heuristics, etc.” – Jon Miller, CEO/Cofounder of Halcyon.ai

  • Insight: Jon said this in reference to his time at Cylance when he was building the world’s first ML-powered antivirus solution. It highlights the simple fact that AI is a means to an end. The best security startups will figure out how to utilize GenAI in combination with other technologies and techniques.
  • Opportunity Areas: Application Security, Software Supply Chain, Cloud Detection & Response

4. “If someone can figure out how to make money taking your stuff [with Ransomware], they are going to scale it the same way a legitimate business would: with a SaaS model.” – Dave Merkel, CEO/cofounder of Expel

  • Insight: Total ransomware damages are estimated at $42B in 2024 (KnowBe4), and most of the perpetrators simply license their “Ransomware-aaS kits” from a handful of expert providers. The most common revenue model for RaaS is affiliate programs where RaaS developers take a 20-30% commission (Palo Alto Networks). That’s roughly an $8-12B potential TAM for the ransomware business, whether that’s for white hat (or black hat) hackers.
  • Opportunity Areas: Ransomware protection, Data Security, Data Backup

If you are building or investing in any of the above areas, we are eager to hear from you!
