Fig Security has exited stealth with $38 million in funding and a focused mission: help security teams cope with nonstop change by mapping, monitoring, and stress-testing the data that powers detections and response. The company’s platform builds live “data lineage” across the security stack—spanning sources, pipelines, data lakes, SIEM and SOAR—so that when something upstream shifts, teams know immediately what breaks downstream.
Why Change Is Breaking Modern Security Operations
Enterprises are shipping code faster, adopting AI, and swapping tools at a record clip. That dynamism is colliding with sprawling security stacks, where a subtle schema tweak or normalization change can silently blind critical detections. The Ponemon Institute has reported that large organizations run, on average, dozens of overlapping security tools, often north of 40. With every new control comes yet another data feed to maintain.
It’s not just complexity; it’s fragility. The Verizon Data Breach Investigations Report has consistently found that the human element factors into roughly 74% of breaches, and configuration drift is a frequent culprit. Gartner has long warned that most cloud security failures trace back to customer-side misconfigurations. In practice, that means even well-resourced teams can lose visibility when a new agent version lands or a logging pipeline reroutes events.
How Fig’s Platform Works Across Security Data
Fig samples security-relevant data as it moves through the stack and learns how that data changes across tools and transformations. From there, it constructs a real-time lineage graph—from source systems and collectors, through brokers and data lakes, into SIEM and SOAR—that ties detections and playbooks back to the upstream fields and formats they depend on.
When a field drops, a parser shifts, or a pipeline bottlenecks, the platform alerts security engineering and operations that specific detections, correlations, or response automations are at risk. Teams can also run “what-if” simulations before deploying patches or new tooling, so they can see, for example, whether a planned EDR agent upgrade will break lateral movement rules or mute high-fidelity alerts.
Consider a common failure mode: an endpoint vendor renames an event_id or changes timestamp precision. That tiny change cascades—parsers misfire, SIEM rules fail to match, and SOAR enrichments never trigger. Fig’s approach spots the upstream deviation and flags which downstream detections and dashboards are impacted, offering a guided fix before coverage gaps show up in an incident.
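The failure mode above can be illustrated with a small added example (not Fig's code and not from the original article): it profiles sampled events before and after a change, detects a vanished field or a timestamp precision change, and maps the drift to the detections that depend on those fields. The rule names, field names, and sample events are all constructed assumptions.

```python
import re

# Constructed lineage: each detection or playbook and the upstream fields it reads.
# Names are hypothetical, not taken from any product.
LINEAGE = {
    "lateral_movement_rule": {"event_id", "src_host", "dst_host"},
    "login_burst_correlation": {"event_id", "timestamp", "user"},
    "soar_host_enrichment": {"src_host"},
}

TS = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.(\d+))?Z$")

def shape(value):
    """Describe a value: timestamps by count of fractional digits, else type name."""
    if isinstance(value, str):
        m = TS.match(value)
        if m:
            return f"timestamp/{len(m.group(1) or '')}"
    return type(value).__name__

def profile(events):
    """Map field -> set of shapes seen across a sample of events."""
    prof = {}
    for ev in events:
        for k, v in ev.items():
            prof.setdefault(k, set()).add(shape(v))
    return prof

def drift(baseline, current):
    """Return {field: reason} for baseline fields that vanished or changed shape."""
    changes = {}
    for field, shapes in baseline.items():
        if field not in current:
            changes[field] = "missing"
        elif current[field] != shapes:
            changes[field] = f"shape {sorted(shapes)} -> {sorted(current[field])}"
    return changes

def impacted(changes, lineage=LINEAGE):
    """Return {detection: sorted drifted fields it depends on}."""
    hits = {n: sorted(f & set(changes)) for n, f in lineage.items()}
    return {n: h for n, h in hits.items() if h}

# Constructed samples: an upgrade renames event_id and drops millisecond precision.
BEFORE = [{"event_id": 4624, "timestamp": "2024-05-01T10:00:00.123Z",
           "user": "alice", "src_host": "ws1", "dst_host": "dc1"}]
AFTER = [{"eventId": 4624, "timestamp": "2024-05-01T10:00:05Z",
          "user": "alice", "src_host": "ws1", "dst_host": "dc1"}]
```

Running `impacted(drift(profile(BEFORE), profile(AFTER)))` reports the two rules that read `event_id` or `timestamp`, while the enrichment that only reads `src_host` is left out.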
The company says it connects into data lakes and leading SIEM platforms to support heterogeneous environments, allowing teams to validate detections across cloud, endpoint, identity, and network telemetry without swapping existing investments.
Founders And Backers With SecOps Pedigree
Fig Security was founded by Shafir, who previously led global architecture for Google Cloud Security, alongside co-founders Nir Loya Dahan as CPO and Roy Haimof as CTO. The founding team built the company after hearing a recurring concern from CISOs: if detection data can’t be trusted minute to minute, AI-assisted security won’t inspire confidence either.
The $38 million raise includes backing from Team8 and Ten Eleven Ventures, with participation from seasoned security operators and executives such as Doug Merritt, former CEO of Splunk; Rene Bonvanie, former CMO of Palo Alto Networks; and the founders of Demisto and Siemplify. Fig reports enterprise customers in the low double-digits after eight months in market and aims to scale to 50–100 customers, with plans to expand across North America and triple headcount in engineering and go-to-market.
A New Layer In The Security Stack For Change
Fig is not a SIEM, SOAR, or XDR replacement; it’s a change-intelligence layer focused on the security data plane. If observability vendors like Monte Carlo brought lineage and data health to analytics, Fig is applying that discipline to detections and incident response. It’s also complementary to log routing and optimization tools that teams use to manage cost and scale, helping ensure that content built on top of those pipelines remains trustworthy as environments evolve.
There’s a practicality to the pitch. Consolidation remains a buyer theme, but ripping and replacing core security platforms is slow and risky. A system that stabilizes what organizations already run—Splunk or Chronicle for analytics, Snowflake for security data lakes, and a mix of cloud-native and third-party controls—can reduce risk without wholesale change. For compliance-driven teams, automated lineage and impact analysis also offer defensible evidence when auditors ask how detection coverage is maintained through change.
What To Watch Next As Fig Scales Its Platform
Adoption will hinge on integration breadth and measurable outcomes. Metrics like mean time to detect broken detections, time to remediate pipeline regressions, and the percentage of changes safely simulated before production will indicate whether Fig turns “unknown unknowns” into managed maintenance. Forrester has noted that buyers favor tools that reduce operational toil and risk; change-aware security data lineage fits squarely in that value proposition.
If Fig can sustain real-time lineage at enterprise scale and prove it prevents silent coverage gaps, it will carve out a durable niche: making security programs resilient to the one constant defenders can’t control—change.