Partnering with Prelude: Advanced Security, Accessible to All
By Bill Coughran
Published April 12, 2022
It is as true in cybersecurity as it is on the football field: no team has ever won through defense alone. With my security experience at Google, I saw firsthand the value of investing in not only a “blue team” to design the systems that protected our organization and customers, but also a “red team” to test those defenses and find vulnerabilities we might otherwise have missed. Countless governments and companies before and since have learned this same lesson—too often the hard way, and at a high cost.
Truly effective red-teaming isn’t an annual or even quarterly affair. In the face of an ever-evolving stream of devastating attacks—and with President Biden recently reiterating a call for hardened defenses in the private sector given the risk of malicious cyber activity by Russia—continuous testing is key to success. But as partners who often invest at the seed, we at Sequoia know how out-of-reach that level of protection can be for a fledgling team. And we know that without it, one small misconfiguration in the introduction of a new service or system can create an opportunity for bad actors to exploit, which the company may not discover until it’s too late.
This is the problem Prelude co-founder and CEO Spencer Thompson and the entire team are determined to solve—by making robust, continuous security testing accessible to everyone. Built by and for security engineers, the Operator platform uses automated agents to safely mimic real attacks, so companies don’t need an expensive, largely manual red team to identify and address vulnerabilities. Prelude is also the first to take offensive security down to the endpoint, protecting the individual servers, containers, and workstations that make up a network.
Even better, their model avoids some of the pitfalls of handling offensive security internally. At Google, various red team efforts included some newer employees, to minimize the chance that the experience of more tenured team members would create blind spots. As a third party, Prelude is naturally less susceptible to these assumptions. And because they’re specifically focused on offensive security, they’re not subject to the competing incentives a provider of both red and blue services might face.
Spencer and founding team members David Hunt (Co-Founder and CTO) and Alex Manners (Principal Cyber Security Engineer) are experts in this space; they hail from the highly respected cybersecurity organization at MITRE, where they led development of the pioneering automated adversary emulation project CALDERA. But we were drawn to not just their sterling credentials, but also their vision. They are incredibly thoughtful about the steps required to build and commercialize what we believe can ultimately become a very powerful product.
In particular, we’re excited to see how Prelude evolves to address weaknesses in user behavior as well as infrastructure—an area ripe for innovation. As any cybersecurity veteran will tell you, most successful attacks are unwittingly aided by a person. Yet in many organizations, efforts to prevent such human errors are typically limited to occasionally distributing a list of things employees shouldn’t click. An automated platform like Operator, on the other hand, could potentially give people the experience they need to help avoid attacks—without actually creating the risk.
Realizing that vision, of course, will require growing the Prelude team, and we are pleased to support that effort by leading the Series A round announced today. For those with offensive cybersecurity backgrounds, a role with Prelude is an opportunity to apply those skills and expertise directly to the defensive space. And for everyone who joins, it’s a chance to help raise the bar for the advanced security of the future—and to make sure that future is accessible to all.