Are we really spending billions on cybersecurity only to be blindsided by failures within the security itself? That’s the question Fig Security’s $38 million funding round forces us to confront. The real story here isn't just another cybersecurity startup getting a check – it’s the unsettling realization that the complex web of security tools organizations rely on are often quietly, and unknowingly, broken. We’ve become obsessed with building higher walls, while ignoring the cracks forming in the foundation.
Gal Shafir, CEO and cofounder of Fig, previously navigated the labyrinthine world of Google Cloud security, and she’s seen this firsthand. As she told Business Insider, “Nobody really knows if their detection rules are silent because they were secure or because something got broken in the data plumbing a couple of months ago.” This isn’t a hypothetical problem; it’s a systemic one. Companies are drowning in alerts from dozens of disparate security tools – a situation that’s only worsened with the explosion of cloud services and remote work. The average large enterprise now employs over 75 security tools, according to a recent report by Cybersecurity Ventures, yet breach rates continue to climb. In 2023, data breaches exposed 446 million records globally, a 15% increase from the previous year. More tools don’t automatically equal more security; they often equal more complexity, and more opportunities for things to go wrong unnoticed.
Drawn from Business Insider.
Fig’s approach, born from the experiences of Shafir and her cofounders – Nir Loya Dahan (chief product officer) and Roy Haimof (CTO) – is to map the entire flow of security alerts, from data creation to response. Think of it like a plumbing system for threat detection. You can install the fanciest fixtures (the security tools), but if there’s a leak in the pipes (a broken integration or misconfigured rule), the whole system fails. Fig identifies those leaks, allowing security teams to test fixes before a real attack exploits the vulnerability. This is a crucial shift from reactive incident response to proactive system validation. The company, which also counts veterans from the $500 million acquisition of Siemplify by Google, secured seed funding in April 2025 and a preemptive Series A just eight months later, led by Team8 and Ten Eleven Ventures. That speed of funding speaks volumes about the perceived urgency of this problem.
But let’s be clear: this isn’t about blaming security teams. They’re already stretched thin, battling a constant barrage of threats and a critical skills shortage. The cybersecurity workforce faces a projected gap of 3.4 million professionals globally by 2025, according to (ISC)². Fig isn’t trying to replace security analysts; it’s trying to give them superpowers. It’s about automating the tedious, often manual, process of verifying that all the pieces are working together as intended. This is particularly relevant for larger enterprises, which are Fig’s initial target customers. These organizations have the most complex security stacks and the most to lose from a successful breach. Currently operating with 25 employees across New York and Tel Aviv, Fig plans to triple its headcount this year, signaling a rapid push for market penetration.
The implications extend far beyond the CISO’s office. Consider the average consumer. Every time a company suffers a data breach, your personal information is at risk. The Equifax breach in 2017 exposed the sensitive data of nearly 150 million Americans. The recent MOVEit Transfer hack impacted millions more. These aren’t abstract events; they lead to identity theft, financial loss, and a pervasive sense of insecurity. Fixing the “silent failures” in enterprise security isn’t just about protecting corporate assets – it’s about protecting you.
Looking ahead, I predict we’ll see a surge in demand for “security validation” tools like Fig. The industry is already starting to recognize that simply having security isn’t enough; you need to prove it’s working. The question isn’t whether another major breach will occur, but where it will occur, and whether the organization had the tools in place to detect its own vulnerabilities before an attacker did. Watch for a shift in security budgets, with a growing percentage allocated to proactive testing and validation, rather than simply adding more layers of defense. The next wave of cybersecurity innovation won’t be about building bigger walls, but about ensuring the walls we already have aren’t crumbling from within.
