French startup Riot has raised a $12 million Series A round to iterate on its all-in-one cybersecurity awareness platform for businesses and their employees. The startup originally focused on fake phishing campaigns. It now also offers customized educational content that can help grow the cybersecurity culture in your team.
While it is still quite difficult to raise a funding round in the current economic environment, Riot managed to put together an interesting list of investors. Base10, a San Francisco-based VC firm that previously invested in flagship startup names like Figma, Notion and CircleCI, led today's funding round.
Some angels with a technical and operational background also invested in the round, such as Snyk's founder Guy Podjarny, Duolingo's co-founder Severin Hacker, Supercell's co-founder Ilkka Paananen, Deel's co-founder Alex Bouaziz and Slack's CPO Tamar Yehoshua. Some of Riot's existing investors also put more money on the table, such as Y Combinator, Funders Club and Founders Future.
And the reason why these investors lined up to participate in the round is that cybersecurity has never been such a topical issue. At TechCrunch, we cover a fair share of ransomware campaigns, SIM swaps to access user accounts, and database leaks with sensitive data like credit card information.
But it feels like things are accelerating. Attacks are becoming more sophisticated and more prevalent. A couple of years ago, CEO fraud was still relatively new. Now, even small companies are targeted with elaborate campaigns.
For instance, I recently heard about a chief accountant who received an email from an important supplier saying that the bank account had changed. The email looked real because it was real: the supplier's email account had been compromised and there were some outstanding invoices. The bank account didn't belong to the supplier though.
As I wrote in my first article on Riot, your company's security is as strong as your least careful employee. A data breach usually starts with a poorly secured internal account with two-factor authentication turned off. Everybody could now potentially receive phony emails, phone calls, text messages and administrative letters that look just like the real thing.
Building a modern educational product
If you work for a big company with important regulatory requirements, chances are you regularly receive mandatory training videos with quick quizzes at the end. Many people play these videos in the background and do something else. They barely pay attention to the content of the videos.
Riot's main interface is a chatbot called Albert. It is available on Slack, Microsoft Teams or through a web interface. Each course is interactive and the content changes dynamically depending on each employee's cybersecurity knowledge.
"I read a study from the 1980s and they were looking at the effectiveness of each teaching method," Riot founder and CEO Benjamin Netter told me. "With one-to-one relationships, when you teach someone individually, the student is better than a student who attends normal classes in 98% of cases. We can't have a teacher per student at scale, but we try to create these one-to-one relationships."
For example, instead of giving a general definition of a data breach, Riot starts by telling you that your email address can be found in five different data breaches. When the company then tells you what it means, you are more likely to pay attention and reach the end of the training. Admins can then track the progress of their teams.
This is just one example, but Riot could also encourage employees to activate two-factor authentication on important services. Many hackers also rely on LinkedIn data to find out who you are working with and send a message using some coworker's name.
That's why Riot can encourage your team members to change their privacy settings in order to proactively prevent cybersecurity threats. And many companies have already realized that LinkedIn profiles are used in social engineering attacks. In the company's handbook for new employees, cryptocurrency exchange Kraken tells their employees that they shouldn't update their LinkedIn profile to say that they work for Kraken.
Using AI to fight AI
Riot recently passed the $2 million milestone in annual recurring revenue. Overall, Riot reaches 100,000 employees across its clients like Y Combinator, Deel, Intercom and Le Monde. But the startup thinks cybersecurity is going to change drastically in the coming years and modern attacks are just getting started.
"This year, our big move will be AI. When I say that, I'm a bit annoyed as people think we are following trends. But we've been tracking AI for a while," Netter said.
Large language models like GPT-3 or speech recognition models like Whisper are going to change the nature of cybersecurity threats. AI is going to have a huge impact on hacking and social engineering. Tone has always been the issue with phishing emails. But AI is going to solve these tone issues, Netter said.
Even beyond classic phishing emails, it's going to become easier to conduct sophisticated campaigns at scale. For instance, with speech-to-text, GPT-3 and text-to-speech APIs, hackers could greatly increase the number and quality of phone-based attacks. Or maybe they could use voice messages so that their messages are more credible.
As hackers are upping their game, Riot also wants to improve its product. Dialogue-based language models like ChatGPT unlock new opportunities. That's why Riot is already testing free-form courses with Albert, its virtual cybersecurity pal. Instead of selecting answers in a dropdown menu or sending simple queries, Riot users will soon write long messages to Albert directly.
Recently, the startup created a fun internal experiment that it doesn't plan to release publicly. "It's a training that asks you to put yourself in the shoes of a hacker and you have to get Albert's credit card information," Netter said. While that might be a bit too controversial for Riot's customers, the same technology will make the company's simulated attacks a lot more sophisticated and it's a promising roadmap.