Israel's Red Teams Hit You Before the Hackers Do
Continuous validation is the fastest-growing line item in Fortune 500 cyber spend. Pentera, Cymulate, SafeBreach, XM Cyber — the category is dominated by Israeli vendors exporting offensive military doctrine.
The American Fortune 500 is widely estimated to spend roughly $200 billion a year on cybersecurity. Among the categories buying the fastest growth inside that spend, per Gartner and other industry analysts, is offensive validation — software that attacks your own network on a schedule, continuously, to prove what is actually exploitable.
That category is reported to be dominated by Israeli companies.
The category, defined
Offensive validation — also known as breach and attack simulation (BAS) or continuous threat exposure management (CTEM) — replaces the annual third-party penetration test. Instead of one human pen-test team for two weeks a year, an automated platform runs thousands of attack chains against the live production environment, every day, with safe payloads.
Gartner has publicly forecast strong growth in the CTEM category through 2027. Most of that spend is reported to be going to Israeli vendors.
The leaders
Pentera — One of the largest pure-play continuous-validation companies. Founded in 2015 in Petah Tikva (originally as Pcysys) by Arik Faingold and Arik Liberzon. Reported to have raised approximately $190 million across rounds, including a publicly reported $150 million Series D in 2022 at a $1 billion valuation led by K1 Investment Management. Pentera runs autonomous penetration tests against the live network — credentials, segmentation, lateral movement, ransomware paths — and produces a prioritized remediation list ranked by exploitability.
Cymulate — Breach and attack simulation founded in 2016 in Rishon LeZion by Avihai Ben-Yossef and Eyal Wachsman. Reported to have raised a $141 million Series D in 2022 at a publicly cited valuation of more than $500 million, led by One Peak. Cymulate tests security control efficacy across email gateways, endpoints, web gateways, and SIEM.
SafeBreach — Founded in 2014 by Guy Bejerano and Itzik Kotler. Backers publicly reported include Sequoia Capital, Deutsche Telekom Capital Partners, and Israel Growth Partners. SafeBreach competes head-to-head with Cymulate on BAS but skews heavier into Fortune 100 deployments.
XM Cyber — Attack-path management, founded in 2016 by ex-Mossad chiefs Tamir Pardo, Boaz Gorodissky, and Noam Erez. Acquired by Germany's Schwarz Group in 2021 in a transaction reported at approximately $700 million. XM Cyber's attack graphs map every viable lateral-movement path between any low-privilege foothold and the company's crown-jewel assets.
Coro — Modular cybersecurity for the mid-market with embedded validation. Reported $175 million Series D in 2024.
What just changed
Three structural moves in 2025 and 2026 explain why this category is now central.
One — regulators moved. The SEC's 2023 cyber-disclosure rule and the EU's NIS2 directive both pushed Fortune 500 boards to require quantified, defensible evidence of control efficacy. Annual pen tests do not produce that evidence. Continuous validation does.
Two — the insurance market moved. Cyber-insurance underwriters are reported to price premiums against continuous-validation telemetry. Companies with Pentera or Cymulate deployments have been publicly reported to see premium reductions in the 10-30% range.
Three — AI-driven attack automation arrived. Offensive AI tooling — capable of generating novel attack chains faster than human red teams can document them — has been widely cited as forcing the defensive side to automate validation at equivalent speed. Israeli vendors are reported to have built that automation first.
Why these companies, in this country
Three of the four leaders — Pentera, XM Cyber, and SafeBreach — were founded by either Unit 8200 alumni or former heads of Israeli intelligence services, per public reporting. The product category is, structurally, the commercial export of offensive military doctrine: attack continuously, validate against the actual environment, prioritize by exploitability, retest.
That doctrine is widely reported to be taught inside Unit 8200, Talpiot, and the Mossad cyber unit before any of these founders incorporate a company. By the time they raise a seed round, they have already run the equivalent of years of engagement at national scale.
The buyer pipeline
The next consolidation in this category is visible. Splunk (Cisco), CrowdStrike, Palo Alto Networks, and Tenable all have product gaps Pentera or Cymulate fills directly. Industry reporting suggests at least one nine-figure acquisition in this cohort is plausible before the end of 2026.
The Israeli red team will keep hitting first. The American Fortune 500 will keep paying for it.
Related on Olam — Israeli Cybersecurity
- The Israeli Cyber 50: Q1 2026 Ranking
- Israel Just Cashed $57 Billion in Cyber. What Comes Next?
- Unit 8200: The $50 Billion Founder Factory
- Check Point: The Longest-Tenured Israeli Nasdaq Listing
- America's Login Screen Is an Israeli Product
- Israeli Code Locks America's Cloud and AI Stack
- When Your SOC Sleeps, Israelis Are Hunting
- Spyware Pays in Billions — and Israel Owns the Market
- The Mossad Cyber Pipeline: Operator-to-Founder Pathways
