Capsule Security, a Tel Aviv-based cybersecurity startup, exited stealth on April 14, 2026 with a $7 million seed round led by Lama Partners and Forgepoint Capital International, according to Calcalistech. The company builds what it calls a “runtime trust layer” for enterprise AI agents. It is one of at least 10 startups that have collectively raised $3.6 billion to solve some version of the same problem: AI agents have privileged access to enterprise systems, and nobody is watching what they do with it.

The timing of Capsule’s launch is instructive. On the same day its funding was reported, SecurityOnline published analysis of three vulnerabilities in Paperclip, a Node.js-based AI agent orchestration platform, including a CVSS 9.8 OS command injection that allowed unauthenticated remote code execution. One week earlier, Cisco entered talks to acquire Astrix Security, another agent security startup, for $250 million to $350 million according to The Information via SiliconANGLE. Capital is chasing this category because the attack surface is expanding faster than governance can follow.

The Funding Landscape

The numbers have escalated quickly. Software Strategies Blog aggregated Crunchbase data across the top 10 agentic AI security startups and arrived at $3.6 billion in combined funding. The distribution is concentrated at the top: Cyera accounts for $1.7 billion of that figure after a $400 million Series F in January 2026 at a $9 billion valuation, per Fortune. Saviynt raised $700 million in a Series B Growth round in December 2025 at a $3 billion valuation, according to Reuters. Remove those two and the remaining eight startups split roughly $830 million.

But the velocity at the seed and Series A level tells the more interesting story. In the two weeks surrounding RSAC 2026, six companies announced $392 million in new funding, per Software Strategies Blog. 7AI raised the largest cybersecurity Series A in history: $130 million at a $700 million valuation, as reported by The Wall Street Journal. Torq hit unicorn status in January with a $140 million Series D. WitnessAI closed $58 million backed by Sound Ventures, Qualcomm Ventures, and Samsung Ventures.

Then there is the acquisition side. Palo Alto Networks spent roughly $29 billion across CyberArk, Chronosphere, and Protect AI. ServiceNow spent $11.6 billion on Armis, Moveworks, and Veza. Alphabet closed the $32 billion Wiz acquisition in March 2026. The combined M&A in cybersecurity reached $96 billion across 400 transactions in 2025, according to Momentum Cyber’s 2025 Cybersecurity Almanac as cited by Software Strategies Blog. Each of these acquirers explicitly cited agent security as a strategic rationale.

What Capsule Actually Does

Capsule’s approach targets the execution path itself. Rather than scanning agent code before deployment or filtering prompts at the API gateway, the platform operates at runtime, intercepting agent actions as they happen, according to ITTech-Pulse and Calcalistech.

The technical architecture has three layers. First, ClawGuard, an open-source pre-invocation checkpoint that evaluates an agent’s intent before tool calls execute. Second, a set of fine-tuned Small Language Models that Capsule calls “Guardian Agents,” which perform both posture management and low-latency runtime protection. Third, an auditable telemetry pipeline that routes signals into existing enterprise security workflows.

The company integrates with Cursor, Claude Code, Microsoft Copilot Studio, ServiceNow, and Salesforce Agentforce without requiring proxies, gateways, SDKs, or browser extensions. That deployment model matters for procurement. Security teams that cannot tolerate added infrastructure get a lighter integration path, which ITTech-Pulse noted as a competitive advantage against proxy-based competitors like Prompt Security and gateway-based approaches.

Capsule also demonstrated its credibility by disclosing two vulnerabilities before launch: ShareLeak in Microsoft Copilot Studio (assigned CVE-2026-21520, now patched) and PipeLeak in Salesforce Agentforce (confirmed addressed by Salesforce), according to Calcalistech. Publishing offensive research alongside a defensive product is a common playbook in enterprise security, but the specific targets, two of the largest enterprise agent platforms, signal where Capsule sees the highest-value attack surface.

The founding team comes from the Israeli security establishment. CEO Naor Paz is ex-F5 and Unit 8200. CTO Lidan Hazout previously worked at Transmit Security. The company already employs roughly 70 people across Israel and the United States, a large headcount for a seed-stage startup that suggests the stealth period involved significant product development before the public announcement.

The Vulnerability Evidence

The funding thesis rests on a premise: enterprise AI agents are vulnerable. The evidence supports it.

Paperclip’s disclosure, published April 21 by SecurityOnline, exposed three vulnerabilities in its agent orchestration platform. The most severe is an OS command injection (CVSS 9.8) in the cleanupCommand field, where the server executes workspace archival commands via child_process.spawn(shell, ["-c", cleanupCommand]) without any input validation. In the default local_trusted mode for desktop installations, this requires zero authentication. Researchers demonstrated arbitrary file writing, system information exfiltration, and application launch.

The second and third vulnerabilities are cross-tenant: a full cross-tenant compromise (CVSS 10) that lets any authenticated user mint API keys for agents in a separate company’s tenant, and a listing leak (CVSS 10) that exposes agent metadata, including UUIDs needed to exploit the first flaw, across all tenants on the same instance. All versions through 2026.410.0-canary.1 are affected. The fix is in v2026.416.0.
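The spawn(shell, ["-c", cleanupCommand]) pattern described above, shown beside one hardened alternative. This is an added example, not Paperclip's code or its actual fix. The names ALLOWED, parseCleanupCommand and runCleanup, the program paths, and the sample commands are assumptions made for illustration.

```javascript
// Added illustration; ALLOWED, parseCleanupCommand and runCleanup are hypothetical names.
//
// Vulnerable shape quoted in the article: the whole string reaches a shell, so
// metacharacters in cleanupCommand are interpreted as shell syntax:
//   spawn(shell, ["-c", cleanupCommand]);

// Hardened shape: allowlisted programs and flags, relative paths only, no shell.
// Program paths are assumptions for a typical Linux host.
const ALLOWED = new Map([
  ["tar", { file: "/usr/bin/tar", flags: new Set(["-cf", "-czf"]) }],
  ["rm", { file: "/bin/rm", flags: new Set(["-r", "-f", "-rf"]) }],
]);
// Must start with a letter, digit, "_" or ".", so never absolute and never a flag.
const SAFE_PATH = /^[A-Za-z0-9_.][A-Za-z0-9_.\/-]*$/;

function parseCleanupCommand(cleanupCommand) {
  if (typeof cleanupCommand !== "string" || cleanupCommand.length > 512) {
    throw new Error("cleanupCommand must be a string of at most 512 characters");
  }
  // Deliberately narrow: whitespace-separated tokens, no quoting or escaping.
  const [name, ...args] = cleanupCommand.trim().split(/\s+/);
  const entry = ALLOWED.get(name);
  if (!entry) throw new Error(`program not allowlisted: ${name}`);
  for (const arg of args) {
    if (arg.startsWith("-")) {
      if (!entry.flags.has(arg)) throw new Error(`flag not allowlisted: ${arg}`);
    } else if (!SAFE_PATH.test(arg) || arg.split("/").includes("..")) {
      throw new Error(`path rejected: ${arg}`);
    }
  }
  return { file: entry.file, args };
}

// spawnSync is injected, e.g. require("node:child_process").spawnSync.
function runCleanup(spawnSync, cleanupCommand, workspaceDir) {
  const { file, args } = parseCleanupCommand(cleanupCommand);
  // argv array + shell: false means no token is ever parsed as shell syntax.
  return spawnSync(file, args, { cwd: workspaceDir, shell: false, timeout: 30000 });
}
```

Input validation of this kind addresses only the injection; the unauthenticated access in local_trusted mode and the cross-tenant flaws are separate authorization problems.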

Paperclip is not an outlier. In the past 30 days, NCT has covered critical vulnerabilities in FastGPT (CVE-2026-40351 and CVE-2026-40352, NoSQL injection enabling admin takeover), a Vercel breach traced to a compromised third-party AI tool’s OAuth credentials, OX Security’s disclosure of a systemic MCP stdio vulnerability affecting 200,000+ servers, and prompt injection attacks against Claude Code, Gemini CLI, and GitHub Copilot in GitHub Actions. The pattern is consistent: agent platforms are being deployed faster than they are being hardened.

The Competitive Map

The category is fragmenting into distinct layers. Based on the funding data from Software Strategies Blog and recent launches, at least four approaches are competing for the same enterprise budget:

Runtime enforcement is where Capsule sits. The platform intercepts agent actions during execution and blocks unauthorized behavior in real time. Competitors at this layer include 7AI ($130M Series A, autonomous security agents) and Dropzone AI ($57M total, agentic SOC automation).

Identity and posture management focuses on discovering agents in a network, mapping their access permissions, and flagging misconfigurations. Astrix Security, the Cisco acquisition target at $250M+ per SiliconANGLE, operates here. Astrix automatically identifies MCP servers, non-human identities, and overprivileged agent accounts, then provides just-in-time access controls.

Vulnerability scanning treats agents and their generated code as attack surfaces to probe before deployment. Trent AI launched on April 7 with $13 million in seed funding led by LocalGlobe and Cambridge Innovation Capital. Founded by former AWS engineers including Cambridge machine learning professor Neil Lawrence, Trent deploys four groups of AI agents that scan customer agents’ code, third-party tools, and infrastructure for vulnerabilities, then simulate attack paths and generate remediation suggestions.

Protocol-level security focuses on MCP and other agent communication standards. Runlayer ($11M seed) and Helmet Security ($9M seed) both target MCP infrastructure specifically, securing the transport and authentication layers that agents use to connect to enterprise systems.

The Procurement Shift

According to Calcalistech, Microsoft reports that more than 80% of Fortune 500 companies now use active AI agents built with low-code and no-code tools. That statistic explains why a category that barely existed 18 months ago has attracted $3.6 billion in startup funding and $96 billion in adjacent M&A.

The CrowdStrike, AWS, and NVIDIA Startup Accelerator at RSA Conference selected Capsule as one of six finalists from nearly 1,000 applicants, per ITTech-Pulse. That accelerator has historically funneled finalists into distribution partnerships with its sponsors. If Capsule’s proxy-free deployment model holds up at scale, the CrowdStrike and AWS channels could compress its enterprise sales cycle significantly.

The question is whether runtime enforcement, posture management, vulnerability scanning, and protocol security converge into a single platform or remain separate procurement decisions. The M&A evidence suggests consolidation. Palo Alto Networks assembled identity, observability, and model security through three acquisitions. ServiceNow built what CEO Bill McDermott called an “AI control tower” through Armis, Moveworks, and Veza. Cisco is adding Astrix and Galileo Technologies (a hallucination firewall acquired on April 9) to its agent security stack.

For security teams evaluating agent deployments today, the practical implication is that the tooling exists but is fragmented. Runtime protection, identity governance, code scanning, and protocol hardening each require separate vendor relationships. The $3.6 billion in funding suggests the market believes these will consolidate. The Paperclip disclosure suggests they need to.