Meet The $580 Million Startup Making AI Models To Fight Artificial Hackers

Andrea Michi spent nearly seven years at Google’s Deepmind developing artificial intelligence models that improved energy performance across windfarms and data centers. He realized that the most efficient way to build AI focused on solving large-scale problems isn’t to start with LLMs, and then adjust them to the task: it’s to build models from the ground up with a specific purpose in mind.

In 2024, Michi quit Deepmind and cofounded Depthfirst to apply that thinking to cybersecurity, making AI models that autonomously find vulnerabilities and suggest fixes. The company is developing what it calls “General Security Intelligence,” a play on general artificial intelligence, which refers to AI that’s just as capable at general tasks as humans. His hope is that Depthfirst will find and fix vulnerabilities in any kind of software before a malicious, superintelligent AI model can exploit them.

“We want to make sure these systems that are complex and fragile can sustain a world where AI hacking capabilities are superhuman and that means always staying one step ahead of the attackers,” Michi, who is Depthfirst’s CTO, tells Forbes.

“The agent tries to figure out the most exploitable vulnerabilities.”

Lofty aims, but investors are bought in. On Tuesday, the two-year-old company announced an $80 million raise at a $580 million valuation, just two months after a $40 million series A. CEO and cofounder Qasim Mithani, former head of infrastructure security at the $134 billion-valued data analytics company Databricks, tells Forbes the company is ramping up fast. Its revenue has grown 300% over the last two quarters and has more than 20 customers, from multinationals to AI startups like the $6.6 billion vibe coding platform Lovable. Alongside Michi and Mithani, the third cofounder is Daniele Perito, an ex-cybersecurity chief at Jack Dorsey’s payments giant Block.

Arsham Memarzadeh, the investor at Meritech leading the Series B round, believes Depthfirst is well-placed to dominate the $18 billion application security market, where companies are focused on protecting apps rather than servers, computers or industrial systems. Just like Wiz quickly outpaced cybersecurity industry giants like Symantec and McAfee to own the cloud security space before Google acquired it for $32 billion, Memarzadeh believes Depthfirst has the leadership talent and technology to replicate that success in its industry niche. “In cybersecurity, I think it’s really hard to become a large enduring business unless you own one of the key threat vectors,” he says. “If you’re not, you end up just being relegated to a feature rather than a product.”

The startup is launching its first in-house model this week, dfs-mini1, aimed at autonomously detecting security weaknesses in crypto smart contracts. As with Depthfirst’s other models, the company trained this AI with reinforcement learning, where agents learn through trial and error, rather than processing masses of labelled data. It did that by putting the agents in virtual environments where they were tasked with finding vulnerabilities in smart contracts. Every time the AI found one, it received a reward. “We started on smart contracts because it’s one place where a vulnerability can be catastrophic, can lead to loss of funds,” says Michi.

More models will follow to cover other verticals, says Mithani. “Our agents go very deep,” he says. “They try to figure out how the application works… and the agent tries to figure out the most exploitable vulnerabilities.”

He claims that building models from scratch rather than adapting existing ones is cheaper because Depthfirst can control the power required to train them. The company also isn’t paying the likes of OpenAI and Anthropic to use their models, even if it does have to pay for the infrastructure to run its own tech.

With its surge in funding this year, Depthfirst plans to build AI that can cover many of the tasks that cybersecurity teams perform today. That doesn’t mean Depthfirst is planning on making security staff redundant though. “The goal is not to replace a very scarce resource,” Michi says. “For me the question is: can we augment these people now to help face a much bigger threat than we have now?”

MORE ON FORBES

ForbesUS Strikes Killed Iranian Cyber Chiefs, But The Hacks ContinuedBy Thomas BrewsterForbesThese Hackers Launched A ‘Nightmare’ Attack On AI DevelopersBy Thomas BrewsterForbesThis Ex-Palantir Exec Built A $900 Million Privacy-First Cell NetworkBy Thomas BrewsterForbesThese 26-Year-Old Founders Quit DHS And Built A $200 Million AI Cyber StartupBy Thomas Brewster