A more Cogent approach to vulnerability management

Building the context engine for enterprise security teams
Vulnerability management used to be artisan work; security teams would read every configuration and line of code to find and fix exploitable bugs. In its first year after a 1999 launch, MITRE’s CVE database published 321 vulnerabilities. In January 2026 alone, researchers found and disclosed over 5,000.
What was once artisan has become haphazard. Part of the problem is offensive ingenuity. As software explodes in complexity, new vulnerabilities and kill chains emerge that attackers can successfully exploit in minutes, instead of days. Even if security teams find the right vulnerabilities at the right time, pinpoint exactly what has to change in all the places across the company’s infrastructure, and provide guidance on a patch before an attacker exploits it, their colleagues in engineering must find time to ship the patch without breaking anything else in production.
As a result, security teams have lacked a cogent strategy for dealing with vulnerabilities. That’s why Vineet, Geng, and Thanos teamed up to create Cogent Security, and we are proud to be partnering with them on their Series A financing.
Vineet and Geng were product and engineering leaders, respectively, at Abnormal, where they saw how AI could accelerate both offense and defense. Across hundreds of conversations with security leaders, they learned how to operationalize and contextualize alerts to make them actionable. Thanos, meanwhile, led the infrastructure team at Coinbase after serving as Chief Architect of Blackstone. He jokes that he’s had to patch more than his fair share of vulnerabilities before Cogent.
Over the past few years, we got to know the three of them over walks in NYC and dinners in San Francisco. They operate Cogent unlike any other security company: like an applied AI lab, focused on improving with the models. Cogent’s product marries security-specific embeddings to bleeding-edge models on various points along the Pareto frontier, all operationalized by an agent harness that quickly learns a customer’s business context and becomes the source of truth over time.
Where other products stop after classifying vulnerabilities as ‘Internet-reachable’ or attaching a CVSS score to them, Cogent’s virtual vulnerability management (VM) engineers ask deeper questions: if there’s an S3 bucket open to the Internet, who accesses it the most? What can we learn from the metadata? Do we know if there are WAF rules that might compensate for trusted access? The product becomes an extension of the security team, and its infrastructure fabric, over time.
Phase 1 is to gather context and prioritize accurately. Cogent’s context agent gathers information across the organization, including who touches what systems, the access rules that govern entities and users, compensating controls, policy definitions, and more. From there, a prioritization agent applies blast radius reasoning to the context graph, estimating P(exploitation), P(lateral movement), Q(Impact), and more, culminating in an explainable and more specific criticality designation that cuts down on manual effort by an order of magnitude. Finally, Cogent’s remediation agents leverage browser use models and various code reasoning models to suggest changes to the right person, issue PRs, and in some cases, even make the requisite configuration changes.
Managing vulnerabilities is no longer possible: scale and complexity have rendered VM obsolete. A more Cogent approach is needed, one that intelligently gleans the right context, identifies the right stakeholders, and, most importantly, keeps pace with the evolving adversary.
Congratulations, Team Cogent. We are honored to be your partners.


