Fig Security Just Raised $38 Million: Why AI-Powered Cybersecurity Is Where the Smart Money Is Going

Fig Security just raised $38 million. Here is why AI-powered cybersecurity is the hottest investment category of 2025.

Cybersecurity has always been a growth market. Threats evolve, defenses evolve, and the economics of attack versus defense create a permanent commercial opportunity for companies that can shift the balance toward defenders. What is different in 2025 is the degree to which AI has simultaneously created new attack vectors and new defensive capabilities, generating a wave of AI-native cybersecurity investment that dwarfs previous cycles.

Fig Security’s $38 million raise is one of the more notable data points in this wave: a specific bet on AI-powered security tooling at a moment when both the threat landscape and the defensive toolset are being transformed by the same technology.

What Fig Security Does

Fig Security builds AI-powered security tooling focused on the application layer: the code, APIs, and software development pipelines where modern security vulnerabilities originate and where traditional security tools have been least effective. The company’s platform uses AI to identify security vulnerabilities during the development process rather than after deployment, which changes the economics of application security fundamentally.

Finding and fixing a security vulnerability in production code costs orders of magnitude more than finding and fixing the same vulnerability during development. The shift-left security approach, catching vulnerabilities earlier in the development lifecycle, is not new as a concept. What is new is the AI capability to identify complex vulnerability patterns in large codebases at a speed and accuracy that human security reviewers cannot match.

The Core Product: AI Code Security Review

Fig’s primary product is an AI security review system that integrates into software development workflows, analyzing code commits, pull requests, and application logic for security vulnerabilities including injection attacks, authentication weaknesses, insecure API designs, dependency vulnerabilities, and logic errors that create exploitable conditions.

Unlike rule-based static analysis tools that produce high volumes of false positives and miss contextual vulnerabilities, Fig’s AI system understands code semantics and application context well enough to identify genuine security risks with substantially lower false positive rates. This accuracy improvement is the key commercial differentiator: security teams have limited capacity, and tools that waste that capacity on false positives undermine their own value proposition.

The False Positive Problem: Traditional static analysis security tools can generate hundreds of low-confidence alerts for every genuine vulnerability. Security teams overwhelmed by false positives develop alert fatigue and begin ignoring or deprioritizing the tool’s output. AI-powered security tools that dramatically reduce false positive rates while maintaining or improving true positive detection are solving a real operational problem that has limited the value of previous generations of security tooling.

Why $38 Million and Why Now

The funding round size and timing reflect several converging factors in the cybersecurity market. First, the volume and sophistication of AI-assisted attacks have increased substantially, creating demand for defensive tools that can keep pace with AI-augmented attackers. Traditional signature-based and rule-based security tools are structurally limited in their ability to detect novel attack patterns that AI can generate faster than human analysts can characterize.

Second, the regulatory environment for software security is tightening. The SEC’s cybersecurity disclosure rules for public companies, the EU’s NIS2 directive, and CISA’s Secure by Design guidance are all creating compliance pressure that makes proactive application security investment more commercially justified than it was under previous regulatory frameworks.

Third, the developer tooling market is in a moment of significant transition as AI coding assistants become standard. AI-generated code introduces new security patterns that traditional security tools were not trained to recognize, creating demand for AI-native security review tools that understand the specific vulnerability patterns associated with AI-generated code.

The AI Security Investment Landscape

Fig Security’s raise is part of a broader wave of AI-native cybersecurity investment that has been building through 2024 and accelerating in 2025. The category spans several sub-sectors:

  • AI application security: Fig Security, Snyk AI, Veracode AI and others addressing code and application vulnerability detection
  • AI threat detection: Darktrace, CrowdStrike AI, and newer entrants using AI to identify behavioral anomalies indicating active attacks
  • AI identity security: Companies using AI to detect credential theft, account takeover, and identity-based attacks at the speed and scale AI-enabled attackers operate
  • AI security operations: Tools that automate security analyst tasks including alert triage, incident response, and threat hunting
  • AI prompt injection and model security: A new category addressing the specific security vulnerabilities of AI systems themselves

The total venture investment into AI-native cybersecurity in 2024 and early 2025 represents one of the largest deployment cycles in the history of enterprise security investment, driven by genuine threat escalation and real product differentiation rather than purely speculative enthusiasm.

What Enterprise Buyers Should Know

For enterprise security and engineering leaders evaluating AI security tools, the Fig Security funding round and the broader AI security investment wave provide useful signals. The product category is real and the differentiation from legacy tools is genuine, but the evaluation criteria need to be updated for AI-native tools.

The key metrics to evaluate are true positive rate on your specific codebase and technology stack, false positive rate and how it affects developer workflow friction, integration quality with your existing CI/CD pipeline, and the vendor’s approach to keeping the AI model current with emerging vulnerability patterns and AI-generated code patterns.

Bottom Line: Fig Security’s $38 million raise reflects genuine commercial momentum in AI-native application security. The combination of increasing regulatory pressure, AI-augmented attackers, and AI-generated code creating new vulnerability patterns makes this category one of the most commercially durable in enterprise security. The buying cycle for AI security tools is accelerating.
