Cotool AI is Building the AI Operating System for Security Teams
- Karan Bhatia


Cotool AI, which is scaling defensive security with tokens and is led by Max Pollard, Logan Carmody, Eddie Conk, and Josh Pachter, has announced a $7.4 million seed round led by Andreessen Horowitz, with participation from WndrCo and an exceptional group of angel investors.
Advances in AI are rapidly scaling cyber offense. Research from Anthropic revealed that a state-sponsored group used its model Claude to support cyber-intrusion operations such as reconnaissance, scripting, and planning.
Attacks now function like just-in-time software: models generate variations, probe systems, and iterate automatically, allowing small groups to run campaigns that once required large teams. As model capabilities improve, offensive operations increasingly scale with compute and tokens rather than headcount, while many defense teams remain limited to basic AI tools.
The cybersecurity industry’s initial response to the AI shift has largely involved adding large language models to existing security operations center workflows, such as chat interfaces on SIEM platforms and automated triage, while keeping the same human-tier structure. These changes offer incremental efficiency but leave the underlying model largely unchanged.
The situation resembles early factory electrification, when manufacturers replaced central steam engines with electric motors yet retained the same belt-driven layouts, limiting productivity gains. Only later, when power was distributed to individual machines and factory floors were redesigned around that model, did true transformation occur. Similarly, layering AI onto traditional SOC structures risks repeating the same limitation.
Cotool is building a “distributed factory” for cybersecurity, where AI agents handle detection and response across the entire security lifecycle.
Security teams deploy agents that continuously monitor systems, detect anomalies, and investigate incidents automatically. For example, when a suspicious alert occurs, a Response Agent can investigate logs, access history, and activity in seconds, work that typically takes analysts much longer.
Detection Agents sit on live log streams and look for unusual behaviors, such as abnormal data access or suspicious credential activity, using natural-language intent instead of static rules. They dynamically analyze real data, adapt over time, and surface the incidents that actually matter.
Because detection and response operate in the same system, insights from investigations continuously improve future detections, reducing false positives and strengthening security coverage.
Cotool is already in production with companies including Ramp and EliseAI, where its agents have completed 50,000+ runs across detection, triage, investigation, and response.
According to Antoinette Stevens, Head of Detection and Response at Ramp, the platform allows teams to onboard new log sources and create detection rules without causing alert fatigue for security analysts.
Cotool built and published its own benchmarks at research.cotool.ai to evaluate how AI models perform on defensive security tasks, since most existing benchmarks focus on offensive capabilities.
The goal is to identify which models and architectures perform best for tasks like triage and complex investigations, and make those findings publicly available.
Cotool raised a seed round backed by Andreessen Horowitz, Y Combinator, WndrCo, Homebrew, and angels from Okta, Ramp, Cloudflare, Amplitude, and Sumo Logic.
As AI models and attack tools rapidly improve, defending at human speed is no longer viable. Cotool aims to provide the infrastructure that enables security teams to defend at machine speed.


