Some startups throw darts at the board and call it AI. Others? They build something that actually knows what’s coming before it hits. Empirical Security just raised $12 million in seed funding to do exactly that, make cybersecurity predictive, personalized, and finally, worth the hype. And this isn’t some fresh-out-of-bootcamp crew learning threat models on the fly. This is a veteran trio who built the foundation most of the industry now stands on.
Let’s rewind. Empirical Security, out of Chicago, is the brainchild of Ed Bellis (CEO), Michael Roytman (CTO), and Jay Jacobs (Chief Data Scientist). If those names sound familiar, they should. Ed Bellis co-founded Kenna Security and basically created risk-based vulnerability management before Cisco snapped it up. Michael Roytman, Forbes 30 Under 30, Distinguished Engineer at Cisco, co-founder of Dharma Platform. Jay Jacobs? Co-founder of Cyentia Institute, co-creator of EPSS, and the guy behind Data-Driven Security. These aren’t founders trying to break into the game, they wrote the opening chapter.
Empirical isn’t building another “security dashboard with AI” to slap onto your SIEM like an afterthought. They’re engineering dual-model architecture that combines global threat telemetry, think two million daily exploitation events, with local models tailored to a company’s actual infrastructure. Real, context-rich data. Real predictions. Real prioritization. No copy-paste scoring systems from 2013.
The $12 million seed was led by Costanoa Ventures, with John Cowgill putting conviction behind what he calls the future of AI-native cybersecurity. DNX Ventures, Sixty Degree Capital, and HPA joined the party, alongside some high-IQ strategic angels: Jonathan Cran (founder of Intrigue), Wade Baker (creator of Verizon DBIR), and Gerhard Eschelbeck (former CTO of Qualys and ex-CISO of Google). If you know this space, you know that bench doesn’t miss.
And let’s talk credibility. EPSS, still the most widely adopted predictive vulnerability scoring system in the world, is being advanced under Empirical’s roof. More than 120 vendors tap into it today, with over 271,000 CVEs scored. Their global models cover 16,000+ known exploited vulns, 12 times more than CISA’s KEV catalog. This isn’t smoke and mirrors. It’s validated, high-signal, enterprise-ready security intelligence.
What sets Empirical apart isn’t just the tech, it’s the mentality. Security has been reactive for too long. These guys are flipping it forward. They’re hiring. They’re expanding. They’re giving CISOs something more useful than fear-based dashboards and generic CVSS numbers: evidence-backed, customer-specific insights.
