The Agent Needs a Badge: Security's New Cycle Is About Governing Machines, Not Patching Code
YC is now minting an 'Okta for agents' and an autonomous pentester in nearly every batch — the money is in picking which side of that arms race still has room.
By PlatoSeed Research · grounded in the live corpus
The wave right now
Security budgets never shrink, but they do re-allocate — and the 2023–2026 cohort tells you exactly where the money is moving. AI didn't just give defenders new tools; it created an entirely new class of *actor* inside the enterprise: agents holding credentials, calling APIs, and clicking through browsers with no badge, no manager, and no audit trail. The center of gravity in this cohort has shifted from protecting code to governing action — what a machine identity is allowed to do, and who can prove it afterward. If you're deciding what to build this quarter, the single most important fact in this dataset is that the agent-identity race is already four batches deep, while the defense-against-AI-attackers side is nearly empty.
The landscape today
Identity and authorization for agents — the land grab
This is the most crowded and fastest-forming sub-pattern, and the naming says it all: Agentic Fabriq literally pitches itself as "Okta for Agents," while Clawvisor sits between agent and model to inspect, approve, and audit every tool call. What should make you pay attention is the pivot traffic into this space: Alter renamed its way here to become an OAuth-and-policy vault for agents, and Unbound pivoted from generic data-leakage prevention into an "AI coding agent security broker." When multiple funded teams independently steer into the same wedge, the market is pulling, not the founders pushing.
- Agentic Fabriq: Okta for Agents.
- Clawvisor: The Authorization Layer for AI Agents
- Alter: Secure access control and authorization platform for agent workflows
- Multifactor: Zero-trust authentication, authorization, and auditing for AI agents
Autonomous offense — the pentest factory
The second pattern is AI doing the attacking, for good: continuous, autonomous penetration testing replacing the annual checkbox engagement. Hex Security runs 24/7 agentic offense against web apps and infrastructure, Casco extends autonomous testing to AI systems themselves, and ZeroPath attacks the same budget from the AppSec side with AI-native SAST-to-DAST and auto-fix. The thesis is sound — scarce pentesters, rising breach costs — but the supply of startups here has outrun the differentiation between them.
- Hex Security: Agentic Offensive Security at Scale
- Casco: Autonomous security testing for web apps, APIs, cloud, and AI systems
- ZeroPath: Automatically find and fix your software vulnerabilities
- Veria Labs: Continuous AI pentesting that finds and fixes vulnerabilities
Defending humans from AI attackers — conspicuously underbuilt
Here's the asymmetry worth exploiting: everyone is building AI offense, almost no one is building defense against *AI-powered offense*. BeeSafe AI is nearly alone in applying frontier models to social engineering defense, with a proprietary attacker-simulation dataset as its moat. GhostEye frames the same territory as "vulnerability management for the human layer," Candor covers the insider variant, and Cotool — another rename-pivot — arms the SOC team that has to absorb all of it. Four companies against an attack wave that legacy email filters demonstrably cannot handle. That ratio is an opening.
- BeeSafe AI: Frontier AI Defenses for Social Engineering Attacks
- GhostEye: Vulnerability Management for the Human Layer
- Candor: Insider Threat for the Modern Enterprise
- Cotool: AI Agents for Security Operations Teams
Verifiable privacy and open-source wedges against incumbents
The quietest but most defensible pattern: hard-tech privacy infrastructure and open-source distribution plays. Tinfoil runs AI in secure enclaves with a verifiable open-source stack; Confident Security productizes Private-Cloud-Compute-grade infrastructure for any cloud. Meanwhile SubImage goes after Wiz with an open-core CNAPP, and Better Auth shows the distribution model working — an open-source TypeScript auth framework as the wedge. Open source is this cohort's answer to incumbent gravity, and it's the only credible go-to-market against platforms with thousand-person sales teams.
- Tinfoil: Encrypted AI with verifiable privacy
- Confident Security: CONFSEC is an enterprise-grade version of Private Cloud Compute – thoroughly tested, externally audited, secure, production-ready, and deployable on any cloud or your own bare-metal.
- SubImage: Software that maps your infrastructure. Open core alternative to Wiz
- Better Auth: The authentication framework for TypeScript
The cohort signal
This is a deliberate, accelerating program bet — you can read it batch by batch. Agent authorization: Alter in Summer 2025, Multifactor in Fall 2025, Agentic Fabriq in Winter 2026, Clawvisor in Spring 2026 — at least one per batch for four consecutive batches. Autonomous pentesting shows the same drumbeat from Gecko Security in Fall 2024 through Hex Security in Winter 2026. And the cycle is compressing: BitPatrol, a Spring 2025 code-security company, is *already acquired* — proof of real demand for AI-native security tooling, but also a warning that point solutions here get absorbed before they get big.
Lessons from the last cycle
The prior cohort's outcomes rhyme uncomfortably well. Sqreen, Templarbit, and Foxpass all built genuinely useful security layers — and all exited via acquisition into bigger platforms rather than becoming platforms themselves. SafeBase rode the compliance-trust wave to the same destination. The harsher lesson comes from Datree and ThinAir, both now inactive: solving a real problem is not enough if no CISO owns a budget line for it. The last cycle's verdict: in security, you either map to an existing budget line, create a compliance mandate, or become someone's feature.
If you're building here
Three openings worth your quarter:
- Runtime behavior control for browser and desktop agents. The auth-layer fight is about *credentials*; almost nobody owns *behavior* once the agent is acting. ContextFort is close to alone on browser-agent visibility. You'd have to believe enterprises will deploy agents that touch the open web — every signal in this cohort says they will.
- AI-vs-AI defense for the human layer. BeeSafe AI has the lane nearly to itself while deepfake and social-engineering tooling compounds on the attacker side. You'd have to believe the adversarial dataset, not the model, is the moat — and that incumbent email security can't retrofit fast enough.
- Verifiable confidential AI for regulated buyers. Tinfoil and Confident Security make up the entire enclave-grade cohort here. Hard tech, slow sales, real moat. You'd have to believe "provable" beats "promised" once regulators catch up to AI data flows — a bet with asymmetric upside.
The tarpits, by name: another autonomous pentester — you'd enter behind Hex Security, Veria Labs, and three more from the last eighteen months of batches, with no obvious axis of differentiation left. And a *generic* agent-auth gateway: four consecutive batches of funded competition means the window for an undifferentiated entry closed sometime around Fall 2025. If you go into agent identity now, you need a wedge the incumbents-in-waiting don't have — a specific runtime, a specific vertical, or open-source distribution à la Better Auth. Otherwise you're not early to the wave; you're the fifth surfer on it.
Key companies in this memo
The headline bets — outcomes and all. (+14 more linked throughout the piece.)
- Clawvisor: The Authorization Layer for AI Agents
- Agentic Fabriq: Okta for Agents.
- Alter: Secure access control and authorization platform for agent workflows
- Multifactor: Zero-trust authentication, authorization, and auditing for AI agents
- Hex Security: Agentic Offensive Security at Scale
- Casco: Autonomous security testing for web apps, APIs, cloud, and AI systems
- ZeroPath: Automatically find and fix your software vulnerabilities
- BeeSafe AI: Frontier AI Defenses for Social Engineering Attacks
- Cotool: AI Agents for Security Operations Teams
- Tinfoil: Encrypted AI with verifiable privacy
- SubImage: Software that maps your infrastructure. Open core alternative to Wiz
- ContextFort: Visibility and Controls for Browser Agents
