RSAC Vendor Spotlight: Above Security
Insider threat has been one of cybersecurity’s most inconvenient problems for two decades—widely acknowledged, chronically underfunded, and operationally practical only for the largest regulated enterprises. Against that backdrop, Aviv Nahum, Co-Founder and CEO of Above Security, arrived at an RSAC briefing with a striking set of numbers: 10 enterprise customers and $50 million in total funding—all within eight months of founding. Investors include Merlin Ventures, Norwest, Ballistic Ventures, and Jump Capital, with Phil Venables, Google’s former CISO, on the board. The trajectory commands attention, but the more important story is the architectural argument behind the platform.
The Problem: Insider Risk Has Never Been Operationally Tractable
For years, the standard insider threat workflow consumed two weeks of a CISO’s time: manually correlating SIEM logs, assembling a narrative, then convening a cross-functional tribunal of HR, Legal, and Security to act on it. That investigation cycle was so labor-intensive that most organizations applied it only to employees already flagged as high-risk—leaving the rest of the workforce in an effective blind spot. Tools like ObserveIT, later acquired by Proofpoint, improved on raw log analysis by introducing screen-capture recording, but created different constraints: someone still had to process the recordings. Continuous monitoring of an entire employee population remained economically indefensible.
The SIEM, meanwhile, earned its reputation as what Nahum calls “a dumpster”—garbage in, garbage out—because the behavioral signals most indicative of insider risk rarely traverse the enterprise perimeter at all. An account executive who updates his LinkedIn profile an hour after a disappointing promotion decision, visits competitor product pages, asks ChatGPT how to frame his work in an interview, and then manually types a plan to steal customer accounts into a personal Google Slides deck on a company device generates no SIEM alert, no DLP trigger, and no UEBA anomaly. Every event is individually benign; only the narrative connecting them reveals the threat. The Agentic AI era adds structural urgency: AI agents now operate inside enterprise environments with access levels comparable to senior employees while existing insider risk programs have no concept of a machine actor whatsoever.
The Solution: An Agentic Investigation Fleet, Not Another Alert Queue
Above Security replaces the rule-based alerting model entirely. There are no thresholds to configure, no policies to write, and no watch lists to maintain—deployment takes five minutes. A fleet of AI investigators then monitors every employee continuously because the cost of investigation no longer requires human labor at each step. Critically, instead of relying on the SIEM, the AI investigators connect directly to authoritative sources at runtime: endpoint agents, browser plugins, identity providers (Okta, Microsoft Entra, Google Workspace), HR systems (Workday), and EDR platforms. Investigators query source systems when they need specific data rather than pre-ingesting everything into a central security data lake, which controls cost and preserves behavioral context the SIEM never captures.
When the system identifies a pattern of concern, it produces a complete investigation timeline—motive, means, preparation, infringement, and anti-forensic activity—assembled without a human analyst in the loop, and calibrated to business impact. In the demo Nahum presented, the platform caught a departing sales rep’s full campaign to steal ten enterprise accounts, estimating $5 million in revenue at risk, based entirely on behavioral continuity across disparate systems over several days. No single event would have triggered a conventional alert. Privacy is preserved by design: no human sees any employee’s activity data until an incident crosses the investigation threshold, at which point the complete evidence chain becomes available to Security, HR, and Legal—with the CISO controlling what each stakeholder sees.
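As an added illustration (not Above Security's code; the briefing does not describe its internals), the following Python sketches the cross-source correlation the sales-rep scenario relies on: every constructed event is benign on its own and scores nothing in isolation, and only an ordered motive-to-infringement chain spanning more than one source becomes a finding. The stage mapping, source names, window and threshold are assumptions.

```python
"""Cross-source insider-risk correlation (added illustration, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed mapping of (source, action) pairs to investigation stages.
STAGE_OF = {
    ("hr", "promotion_denied"): "motive",
    ("browser", "linkedin_profile_edit"): "motive",
    ("browser", "competitor_product_page"): "means",
    ("browser", "chatgpt_interview_prompt"): "means",
    ("endpoint", "crm_account_export"): "preparation",
    ("endpoint", "personal_slides_edit"): "infringement",
    ("endpoint", "browser_history_cleared"): "anti_forensic",
}
STAGE_ORDER = ["motive", "means", "preparation", "infringement", "anti_forensic"]

@dataclass
class Event:
    ts: datetime
    user: str
    source: str
    action: str

def build_timeline(events, user, window=timedelta(days=7)):
    """Group one user's stage-relevant events by stage within a window."""
    mine = sorted((e for e in events if e.user == user), key=lambda e: e.ts)
    timeline, start = {}, None
    for e in mine:
        stage = STAGE_OF.get((e.source, e.action))
        if stage is None:
            continue
        start = start or e.ts
        if e.ts - start > window:
            break
        timeline.setdefault(stage, []).append(e)
    return timeline

def narrative_score(timeline):
    """Score the chain, not the events: stages must be ordered in time,
    at least three must be present, and they must span several sources."""
    present = [s for s in STAGE_ORDER if s in timeline]
    sources = {e.source for evs in timeline.values() for e in evs}
    firsts = [min(e.ts for e in timeline[s]) for s in present]
    if len(present) < 3 or len(sources) < 2 or firsts != sorted(firsts):
        return 0
    return len(present)

def assess(events, user, threshold=4):
    """Return (score, flagged, ordered stage summary) for one user."""
    tl = build_timeline(events, user)
    score = narrative_score(tl)
    summary = [(s, [e.action for e in tl[s]]) for s in STAGE_ORDER if s in tl]
    return score, score >= threshold, summary

T0 = datetime(2025, 3, 3, 9, 0)  # constructed timestamps
EVENTS = [
    Event(T0, "rep.a", "hr", "promotion_denied"),
    Event(T0 + timedelta(hours=1), "rep.a", "browser", "linkedin_profile_edit"),
    Event(T0 + timedelta(days=1), "rep.a", "browser", "competitor_product_page"),
    Event(T0 + timedelta(days=1, hours=2), "rep.a", "browser", "chatgpt_interview_prompt"),
    Event(T0 + timedelta(days=3), "rep.a", "endpoint", "crm_account_export"),
    Event(T0 + timedelta(days=3, hours=1), "rep.a", "endpoint", "personal_slides_edit"),
    Event(T0 + timedelta(days=4), "rep.a", "endpoint", "browser_history_cleared"),
    Event(T0 + timedelta(days=1), "rep.b", "browser", "competitor_product_page"),
    Event(T0 + timedelta(days=2), "rep.b", "browser", "linkedin_profile_edit"),
]
```

`rep.b` performs two of the same actions (routine competitive research, a profile edit) and scores zero, while `rep.a` is flagged only because the full chain exists across HR, browser and endpoint sources.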
Pricing is modest; however, Nahum notes that Above runs as the second or third most expensive cybersecurity tool in several customer environments, with one 1,000-employee customer spending significantly more on Above Security than on CrowdStrike. The value framing is deliberate: insider risk investigation delivers risk reduction that endpoint protection, DLP, and productivity SaaS tools do not. This drives value for the SOC, where the solution displaces manual investigation effort and replaces or consolidates DLP and UEBA.
Why This Matters
Above Security is deliberately targeting the market segment that legacy insider risk vendors never reached: small and medium enterprises with 1,000+ employees that lack the budget and investigator headcount to run a traditional insider risk program. Nahum notes that Above resonates well with SaaS-forward companies and technically fluent CISOs, and deployment friction is close to zero.
Above is not chasing the Fortune 500 – yet. This means the window is open for the SME and mid-market enterprises to engage early—and potentially shape the product roadmap. If you’re a CISO, CHRO, or General Counsel at an organization with 1,000 or more employees operating in SaaS-heavy environments—financial services, healthcare, technology, or any sector managing sensitive intellectual property or regulated data—Above Security warrants a serious evaluation.