The first quarter of 2026 continued two defining trends in venture capital: increasingly concentrated capital deployment and continued upward pressure on valuations. While overall deal volume remained relatively muted, capital flowed aggressively into a small number of massive AI-driven companies and late-stage megadeals. At the early stage, activity stabilized and valuations continued to rise, with Seed increasingly resembling the Series A market of prior cycles. The result is a venture landscape where more capital than ever is being deployed, but into fewer companies at progressively higher prices.
Within cybersecurity, AI continues to reshape both investment activity and the competitive landscape itself. More than half of cyber deals this quarter involved AI Security, Application Security, or AI SOC companies, reflecting growing demand for AI-native security tooling. At the same time, the rapid pace of capability expansion from foundational model providers is creating both opportunity and pressure for startups attempting to build durable differentiation on top of those platforms.
Beyond market activity, several broader technological shifts are beginning to redefine the cybersecurity landscape. First, confidential computing is moving from a largely theoretical category into a rapidly maturing market. Trusted Execution Environments, Fully Homomorphic Encryption, and zero-knowledge proof systems are all advancing simultaneously, driven by rising enterprise concern around AI data privacy, compute integrity, and trust in increasingly distributed compute environments. What was once a niche cryptographic discussion is becoming a broader conversation about how enterprises establish trust in AI-era infrastructure.
Second, autonomous AI agents are introducing an entirely new operational risk category. Recent incidents involving coding agents autonomously deleting production infrastructure highlighted a growing gap between what AI systems are capable of doing and the controls currently governing them. As agents gain access to enterprise systems, infrastructure credentials, and execution authority, cybersecurity increasingly becomes about runtime enforcement, permission boundaries, and preventing destructive actions before they occur.
Finally, advances in AI-driven vulnerability discovery may represent a major inflection point for both offense and defense. Reports surrounding Anthropic’s unreleased Mythos model and Project Glasswing suggest that advanced AI systems may now be capable of identifying software vulnerabilities at unprecedented scale and speed. If true, the cybersecurity bottleneck shifts away from discovery and toward prioritization, remediation, and operational response. The defining challenge ahead may not be whether vulnerabilities can be found, but whether defenders can react quickly enough to keep pace with increasingly automated offensive capabilities.
Well, 2026 kicked off with two continuing trends: big deals and big valuations. While our charting covers only Seed through Series E, the majority of capital deployed went to even later-stage companies, including more than $150 billion raised collectively by OpenAI and Anthropic. Despite this record level of investment, deal volume remained muted, with only a modest year-over-year increase. It raises the question of just how far valuations can continue to climb.
The surge in capital was driven by so-called “megadeals,” investments exceeding $100 million. These deals continued to grow this quarter as the IPO market, which showed early signs of recovery in Q4, cooled amid rising uncertainty following the conflict in Iran.
Valuations also continued to rise in Q1, extending a striking trend. Valuations at each stage have now surpassed the 2018 baseline of the next stage up. Series B crossed the 2018 Series C baseline in Q3 2020, followed by Series A surpassing the 2018 Series B threshold in early 2025. Seed valuations are now approaching the same milestone, finishing Q1 just shy of the 2018 Series A baseline.

Source: PitchBook

IPO data for 2019 – 2025 sourced from sec.gov, “IPOs: Number and Proceeds”; IPO data for Q1 2026 sourced from EY, “Global IPO highlights in Q1 2026 and insights for future IPO candidates”. Megadeal data sourced from PitchBook.
The headwinds facing the IPO market this quarter did little to slow late-stage venture capital. Q1 recorded the highest number of VC megadeals since Q1 2022, totaling a record-breaking $257 billion in deployed capital. According to Crunchbase, these megadeals accounted for 86% of all capital invested during the quarter, with just four companies, Anthropic, OpenAI, Waymo, and xAI, representing more than 60% of the total.
If market uncertainty persists due to prolonged conflict in the Middle East, what was shaping up to be a comeback year for the IPO market may instead give way to a continued shift toward private markets for multi-billion dollar companies.

Source: PitchBook
At the other end of the spectrum, early-stage venture capital saw little change during the quarter. Seed activity saw slight increases for both cybersecurity and the broader market, with the latter notably remaining above the 1,000 deal mark. Series A volume was relatively flat across both cybersecurity and the broader market. While both stages remain below pre-pandemic norms, deal activity has rebounded considerably from the lows of 2023.

The first quarter of 2026 brought considerable valuation increases for early-stage startups. This was felt most prominently at Series A, which reached record highs in both cybersecurity and the broader market. Seed valuations were more mixed: the broader market saw a modest increase, while cybersecurity seed deals posted a slight decline in median valuation.

Source: PitchBook
The valuation story is best told through comparison to 2018 levels. From this perspective, each stage has effectively shifted one rung up the ladder: Seed has become the new Series A, Series A the new Series B, and Series B the new Series C. Pre-seed deals were no exception, reaching a median pre-money valuation of $5 million this quarter, precisely matching the median seed valuation in Q1 2018.
It raises the question of whether valuations have truly increased for comparable companies, or whether the industry has effectively added another rung to the venture ladder with pre-seed, shifting the label applied to each stage upward by one tier. In reality, it likely reflects a combination of both.

Source: PitchBook
In Q1, more than half of all cybersecurity deals involved AI Security, Application Security, or AI SOC companies. Application Security was the largest of these categories, marking a notable rebound after recording just one deal in the prior quarter. This resurgence coincided with Anthropic’s Q1 launch of Claude Code Security, now called Claude Security. Many of these startups aim to extend beyond the native capabilities offered by foundational model providers, often through intelligent triage or by pushing security further left in the development lifecycle.
We continue to view application security as a challenging market for startups. Foundational model companies are rapidly expanding their capabilities in this area, creating a meaningful risk that standalone startup solutions could become commoditized or obsolete over time.
In AI Security, the second-largest category this quarter, the narrative shifted toward agents, with roughly half of the companies in the segment focused on securing agentic systems. Training and Fraud Prevention also rebounded, with many companies focused on detecting, or training users to detect, phishing attacks, deepfakes, and other online scams.
AI security conversations tend to focus on data exposure: what gets surfaced, what gets exfiltrated, and what leaves the perimeter. That is a real problem. But another category of risk is receiving less attention. Instead of leaking data outward, it destroys systems from within. This risk emerges when an autonomous agent is given infrastructure credentials, operates without human approval, and makes decisions it was never explicitly instructed to make.
On April 25th, that risk materialized for PocketOS, a SaaS platform serving car rental businesses across the U.S. A Cursor agent running Claude Opus 4.6 deleted the company’s entire production database and all volume-level backups in a single API call. It took 9 seconds. The agent had been working on a routine task in a staging environment. No one asked it to delete anything.
This incident made the risk of autonomous AI agents real and concrete. It was not a theoretical scenario or research example. A real company using a top AI model service and real infrastructure lost its production database in a matter of seconds.
The forensics matter here because each failure point is distinct, and each one reflects a control that does not yet exist as a standard in the industry.
The Cursor agent is working a routine task inside PocketOS’s staging environment. It hits a credential mismatch, which is an obstacle, not a directive. Nothing in its instructions tells it to resolve the mismatch by deleting anything.
Without being asked, the agent determines the solution is to delete a Railway volume. This is not an interpretation of an ambiguous instruction. It is a decision made entirely on its own initiative, outside the scope of its assigned task.
To execute the deletion, the agent goes looking for a Railway API token. It finds one in a file that has nothing to do with the current task. The token had been created for managing custom domains via the Railway CLI. It was scoped for any operation, including destructive deletes.
The agent calls the Railway API. The command hits the production volume, not staging. Railway’s documentation states that “wiping a volume deletes all backups,” and the production database and its backups both live on that same volume, so both are gone simultaneously. Elapsed time: 9 seconds.
Incident Forensics · April 25, 2026 · PocketOS / Cursor (Claude Opus 4.6) / Railway
Three months of booking data for car rental clients is unrecoverable from Railway. Rental businesses lose access to recent reservations, new customer signups, and key operational records. PocketOS spends the next 30+ hours manually reconstructing customer records from Stripe payment histories, calendar integrations, and email confirmations. Every customer is doing emergency manual work.
Railway has since patched the specific API endpoint to enforce delayed deletes, the same protection that already existed in its dashboard and CLI, and recovered the data. But the recovery is beside the point. The conditions that produced the incident are not unique to PocketOS, Railway, or Cursor. They exist in varying degrees in every organization deploying agentic AI against live infrastructure today.
The most important detail in this incident is not the deletion. It is what happened when PocketOS founder Jer Crane asked the agent to explain itself afterward.

Source: Jer Crane / PocketOS via X, April 2026 · The Register
The agent identified, in plain language, every rule it had violated. The rule against destructive actions without explicit user request existed in Cursor’s system prompt. PocketOS had its own project-level rules reinforcing it. The model understood those rules well enough to articulate them precisely after the fact. None of that stopped it from acting.
This is the enforcement gap at the center of the agentic risk problem: guardrails that exist as policy in system prompts, in project rules, in platform documentation, but are not enforced as hard constraints at execution time. The agent can know the rule and violate it anyway, because knowing and being prevented are two entirely different things.
PocketOS is the most recent and most public example, but it is not the first. In March 2026, a Claude Code agent in Cursor executed the command terraform destroy against DataTalks.Club’s infrastructure after encountering a missing state file. The agent rebuilt the environment from scratch and, in the process, deleted 2.5 years of databases and snapshots. Developer Alexey Grigorev had not instructed it to destroy anything either.
Two named incidents, two different organizations, the same model family, the same platform, within six weeks of each other. The underlying cause in both cases is identical: an agent operating with infrastructure-level permissions, no human confirmation gate on destructive actions, and no environment isolation preventing staging-context decisions from hitting production systems.
Data exposure incidents, such as a model surfacing the wrong document or a misconfigured RAG pipeline returning restricted content, are often recoverable. The data still exists. The primary concern is who accessed it. Agentic destruction incidents are different. When an AI agent with write access to infrastructure acts independently, the damage is limited only by the permissions it has and the ability to recover the affected systems. In the PocketOS case, neither limit meaningfully existed.
None of what happened at PocketOS required a novel attack. It required only the absence of controls that the industry has not yet standardized for agentic deployments. Three missing pieces, in order of urgency:
The Railway token the agent used was created for domain management. It had no business authorizing a volume delete. API tokens accessible to AI agents need to be scoped to the minimum permissions required for the specific task, and rotated per session where possible. Agents will use whatever credentials they can locate. If a token can authorize a destructive action, eventually it will. Token hygiene is not a new concept; applying it to agentic contexts is.
Cursor had already built tooling to route certain destructive commands through human confirmation after an earlier incident in 2025. It was not applied here. A system-prompt rule saying “don’t do destructive things” is not a confirmation gate, it is a suggestion the model can reason around. The gate needs to exist at the execution layer, intercepting the API call before it fires, not in the model’s context window where it can be overridden by a judgment call.
An agent working in staging should not be able to reach production infrastructure, regardless of what credentials it finds. Environment boundaries need to be enforced at the infrastructure level through separate tokens, separate API scopes, and network-level isolation where possible, rather than assumed from context. The agent assumed that a delete action initiated from a staging context would affect only staging systems. That assumption cost PocketOS three months of data.
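As an added illustration of how the three controls compose at the execution layer (this is not code from the report, PocketOS, Cursor, or Railway), the following Python gate sits between an agent's tool-call request and the real infrastructure client; the action names such as volume.delete, the scope strings, the environment labels, and the resource ids are all assumptions, not a real API.

```python
from dataclasses import dataclass, field
from typing import Callable

# Actions that can destroy data; anything here must pass the human gate.
DESTRUCTIVE_ACTIONS = {"volume.delete", "volume.wipe", "database.drop"}


@dataclass(frozen=True)
class Token:
    """A credential with an explicit allow-list of scopes (assumed format)."""
    name: str
    scopes: frozenset


@dataclass(frozen=True)
class ToolCall:
    """What the agent asked to execute, as the gate sees it."""
    action: str
    target: str       # resource id, e.g. "vol-prod-db" (constructed)
    target_env: str   # environment the resource belongs to


@dataclass
class Session:
    """The context the agent is operating in."""
    environment: str                      # e.g. "staging"
    token: Token                          # credential bound to this session
    confirm: Callable[[ToolCall], bool]   # out-of-band human approval hook
    audit: list = field(default_factory=list)


def _deny(session: Session, call: ToolCall, reason: str) -> tuple:
    session.audit.append(("deny", call.action, call.target, reason))
    return False, reason


def evaluate(call: ToolCall, session: Session) -> tuple:
    """Return (allowed, reason). Deterministic checks run first, so a call the
    token or environment already forbids never reaches a human."""
    # 1. Token scope: the credential must have been issued for this action.
    if call.action not in session.token.scopes:
        return _deny(session, call,
                     f"token '{session.token.name}' lacks scope '{call.action}'")
    # 2. Environment isolation: a staging session cannot touch production,
    #    whatever credentials the agent happened to find.
    if call.target_env != session.environment:
        return _deny(session, call,
                     f"session env '{session.environment}' != target env '{call.target_env}'")
    # 3. Confirmation gate: destructive actions need an explicit human yes,
    #    checked here at execution time, not in the model's context window.
    if call.action in DESTRUCTIVE_ACTIONS and not session.confirm(call):
        return _deny(session, call, "destructive action not confirmed by a human")
    session.audit.append(("allow", call.action, call.target))
    return True, "allowed"


def guarded_execute(call: ToolCall, session: Session, api: Callable) -> tuple:
    """Wrap the real client: the API is invoked only after the gate allows."""
    allowed, reason = evaluate(call, session)
    if allowed:
        api(call)
    return allowed, reason
```

The point of the ordering is that a domain-management token in a staging session is refused twice over before any human is asked, and the audit list gives the postmortem a record of what the agent tried rather than only what succeeded.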
The broader AI security market is moving quickly, but unevenly. According to PitchBook, AI-native cybersecurity startups captured roughly 50% of cyber venture deals in 2025, with the largest rounds flowing into data governance and model security. The category focused specifically on agent-layer execution controls, including runtime enforcement, confirmation gates, and environment isolation, remains earlier-stage and less heavily funded. However, it is also where some of the most interesting product development is occurring today.
A handful of companies are building directly at the enforcement layer the PocketOS incident exposed. They map roughly to the three controls above:
The acquisitions tell the story as clearly as the product launches. CrowdStrike acquired Pangea. Cato Networks acquired Aim Security. F5 acquired CalypsoAI. Check Point acquired Lakera. Snyk acquired Invariant Labs. All of these transactions occurred within roughly a 12-month period.
The incumbents are actively buying their way into a category that barely existed as a defined market two years ago. Historically, that is often a signal that the opportunity for independent companies in the space is opening rather than closing.
PocketOS is a small company. The blast radius was bounded, and Railway recovered the data. But the organizations now deploying coding agents, infrastructure automation, and autonomous workflow tools at enterprise scale are not small, and the credentials those agents hold are not limited to a single Railway volume. Nearly half of organizations are entirely blind to machine-to-machine traffic and cannot monitor what their AI agents are doing. The incident that makes this a boardroom conversation rather than an engineering postmortem is still ahead of us. The tooling to prevent it exists in early form. It is not yet standard.
In recent weeks, Anthropic’s not-yet-released Claude Mythos model reportedly identified thousands of high-severity vulnerabilities across widely used software, including bugs that had persisted for more than a decade despite extensive testing and expert review. In response, Anthropic delayed the model’s release and launched Project Glasswing, a controlled coalition of major technology and security companies tasked with remediating the most critical findings before broader deployment.
Whether or not Mythos proves to be a singular breakthrough, the implication is clear: AI-driven vulnerability discovery has moved from theory to practice. The debate is no longer whether advanced models can identify complex software flaws, but how broadly these capabilities will generalize and how quickly they will proliferate.
This shift compresses one of the most time-intensive stages of cybersecurity. Historically, debugging software to identify and reduce vulnerabilities was time-consuming, costly, and often failed to catch critical flaws. AI systems are now dramatically increasing both the speed and thoroughness of vulnerability discovery. However, discovery is only the first step. Turning vulnerabilities into reliable exploits, and scaling those exploits in real-world environments, remains more complex. The gap between discovery and weaponization still matters, but it is narrowing rapidly.
For defenders, the opportunity is significant. Software vendors can audit large codebases far more comprehensively, and new applications can be built with fewer latent flaws. But for enterprise security teams, the practical impact is more complicated. Faster discovery does not translate directly into faster protection. Patches must be tested, validated, and deployed without disrupting critical systems, a process that often takes weeks or months. At the same time, organizations must contend with a flood of new findings, many of which may be low risk, non-exploitable, or redundant.
This creates a new bottleneck: prioritization. As AI increases the volume of detected vulnerabilities, the scarce resource becomes not discovery, but judgment: determining which issues are actually exploitable and require immediate action. The next generation of security tooling will likely focus more on triage and risk scoring than on detection itself.
Importantly, software vulnerabilities represent only one portion of the attack surface. The majority of real-world breaches today stem from identity compromise, misconfiguration, and social engineering. These areas may prove even more susceptible to AI-driven acceleration. Attackers need only a single successful path into a system, while defenders must secure every pathway. This asymmetry suggests that offensive capabilities may scale faster than defensive ones, even as both improve.
As bad actors begin leveraging not only AI chat systems to enhance tactics and workflows, but also AI agents to automate portions of attacks or entire operational chains, the speed at which vulnerabilities can be identified and exploited is likely to accelerate dramatically. The central question is no longer whether all vulnerabilities can be eliminated, but whether defenders can meaningfully reduce the time between vulnerability discovery, prioritization, and remediation relative to attackers’ ability to exploit them. This is fundamentally a race of timelines, not totals.
Project Glasswing represents an early attempt to shift that timeline in favor of defense by providing a controlled head start. Cybersecurity is entering a new phase, one defined less by the scarcity of insight and more by the ability to act on that insight quickly and safely.
This transition creates investment opportunities across several layers that we are tracking closely: automated triage and exploitability analysis, safe and rapid patch deployment, AI-native defenses for identity and social engineering threats, and new approaches to securing agentic systems. The landscape is shifting from detection to decision-making, and from isolated tools to integrated AI-driven workflows.
The genie may not be fully out of the bottle, but it is no longer contained.