In the old days of cybersecurity, you could fix every problem and patch every vulnerability. But those days are long gone. AI is accelerating the speed and ability of legitimate developers and bad actors alike, and the number of attacks keeps growing exponentially. Today’s security teams face a never-ending game of whack-a-mole​​—for every threat they mitigate, two more take its place. It’s an asymmetric battle they must keep fighting but can never win.

Part of the challenge is speed: a recent Rapid7 report found most vulnerabilities are exploited within a week, but remediation can take weeks or months—if it’s feasible at all. While a security team may be able to spot a problem and recommend a patch quickly, they’re at the mercy of busy colleagues in Engineering or DevOps to deploy it.

But even if a company had the unlimited resources necessary, patching every one of its thousands or millions of known vulnerabilities simply wouldn’t make sense—because only a fraction of them are actually dangerous. More often, vulnerabilities exist in a function that’s never called by the code, or a server that’s not exposed to the internet. Addressing these non-problems would be a waste of time and money, and it would introduce risk; modifying existing systems is the number one cause of downtime. 

What security teams really need is a way to identify, and quickly defuse, the vulnerabilities that are truly a threat—and that’s why Sanaz Yashar, Ben Seri and Snir Havdala created Zafran. 

Through their work in top security companies and Israeli intelligence, Sanaz, Ben and Snir saw firsthand the frustrations security teams were facing. But they recognized what many others did not: most teams already have more than enough security tooling. What they lack, instead, is better information about how to use it. By connecting to both vulnerability data and an organization’s existing controls, rules and actions, Zafran empowers security teams to identify and defuse threats far more quickly.

The platform correlates control configurations with runtime data, internet exposure, and threat intelligence to pinpoint which vulnerabilities are exploitable—but that’s just the first step. Zafran then adjusts existing security controls, working seamlessly with endpoint detection and response, firewalls, cloud tools and more, to proactively reduce risk and defuse vulnerabilities. It puts companies’ defense on offense—and puts the power to stop attacks and defuse threats in the hands of security teams, freeing them and their teammates up to patch only where it’s really needed.

It’s an innovative product—and we at Sequoia are just as excited about the stellar team. Sanaz is a force of nature, and when Bogomil had the pleasure of spending time with her, Ben, Snir and the rest of Zafran recently in Tel Aviv, he found a group of people with deep experience to match their vision. We are proud to support them and lead their Series A.

No doubt there are plenty of challenges still ahead for companies fighting to reduce risks, adapt to evolving threats and gain the upper hand against attackers. But the work the Zafran team is doing is a critical step toward leveling the playing field and setting security teams up to win.