
How India’s Complex Infrastructure Is Creating Better Security Tools

You get an email message from your CFO.

Short. Direct. The kind they usually send.
“Can you share the vendor summary sheet? Need it for the audit.”

The only problem? Your CFO never sent it.

And that’s not even the scary part.

The scary part is:

It matched their tone.
It referenced actual files your team worked on last week.
It landed right when you usually get a message like that.

This is AI-powered phishing: precision-trained on your data, your team’s behavior, and your internal language.

And here’s the twist: the same tools being used to craft these attacks are also being built into enterprise-grade defenses.

It’s not attacker vs. defender anymore.

AI Is Powering the Next-Gen Security Stack

Let’s start with the upside.

AI is finally doing what security teams have always needed. Cutting through noise. Prioritizing real threats. Acting before humans can.

And the real shift is toward intent analysis: understanding why something looks suspicious, not just that it does.

Here’s where we’re seeing that play out in the stack:

  • Anomaly-based NDR establishes behavioral baselines by monitoring packet flows, protocols, connections, and data movement across your infrastructure, then flags deviations that matter. It catches threats signature-based systems miss, like an employee account that normally touches three databases suddenly querying twenty at 3 AM, or data exfiltration disguised as backup traffic. This becomes essential as networks grow more dynamic. With containerized workloads spinning up every few minutes, static rules can’t keep pace, so ML models continuously adapt to distinguish legitimate admin activity from attackers moving laterally through microservices or pivoting between containers.
  • AI-powered CSPM maps risk posture, prioritizes exposure, and auto-remediates based on policy. CNAPPs extend security across the entire application lifecycle, automating threat detection and response from development through production to catch vulnerabilities before they reach live environments. With 75% of enterprises expected to adopt CSPM by 2025, this is foundational infrastructure for cloud security.
  • Modular XDR platforms that correlate signals across endpoint, identity, and network layers, surfacing meaningful threats rather than piling on alerts. This matters when ransomware attacks are up 53% YoY and alert fatigue remains one of the biggest failure points in the SOC.
  • PETs (Privacy-Enhancing Technologies) such as synthetic data, homomorphic encryption, and differential privacy, which allow teams to extract value from sensitive data without putting it at risk. With India’s DPDP Act accelerating enforcement, privacy-by-design is quickly becoming a dealbreaker in enterprise sales.
  • Agentless detection in OT/IoT, where patching simply isn’t an option, enabling passive, protocol-aware visibility in sectors like manufacturing and energy. With India expected to surpass 2 billion IoT connections, this is urgent.
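One way to implement the behavioral baseline described in the NDR item above, as an added example (not code from the original post or from any product it mentions): a per-account profile of distinct databases touched per day and the hours the account is normally active, scored against a new window of constructed access-log lines. The log format, account names, and the z-score threshold are assumptions.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline: three days of one analyst's normal access ("<ISO ts> user=<acct> db=<name>").
BASELINE_LOG = """
2024-05-01T09:05:12Z user=analyst01 db=orders
2024-05-01T09:40:03Z user=analyst01 db=customers
2024-05-01T10:15:44Z user=analyst01 db=billing
2024-05-02T09:11:09Z user=analyst01 db=orders
2024-05-02T10:02:31Z user=analyst01 db=customers
2024-05-02T11:47:58Z user=analyst01 db=billing
2024-05-03T09:30:27Z user=analyst01 db=orders
2024-05-03T14:12:40Z user=analyst01 db=billing
""".strip()
# Constructed suspicious window: the same account touches 20 distinct databases at 3 AM.
NEW_WINDOW_LOG = "\n".join(
    f"2024-05-04T03:{i:02d}:00Z user=analyst01 db=db{i:02d}" for i in range(20))

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) db=(?P<db>\S+)$")

def parse(log):
    """Return (day, hour, user, db) tuples; lines that don't match the assumed format are skipped."""
    matches = (LINE_RE.match(line.strip()) for line in log.splitlines())
    return [(m["ts"][:10], int(m["ts"][11:13]), m["user"], m["db"]) for m in matches if m]

def build_baseline(events):
    """Per account: mean/std of distinct databases touched per day, plus the hours it is normally active."""
    per_day, hours = defaultdict(lambda: defaultdict(set)), defaultdict(set)
    for day, hour, user, db in events:
        per_day[user][day].add(db)
        hours[user].add(hour)
    counts = {u: [len(dbs) for dbs in days.values()] for u, days in per_day.items()}
    return {u: {"mean": mean(c), "std": pstdev(c), "hours": hours[u]} for u, c in counts.items()}

def score_window(baseline, events, z_threshold=3.0):
    """Compare a new window per account to its baseline; flag volume spikes and off-hours fan-out."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[2]].append(ev)
    findings = {}
    for user, evs in by_user.items():
        b = baseline.get(user, {"mean": 0.0, "std": 0.0, "hours": set()})  # unseen account: any activity deviates
        distinct = len({db for *_, db in evs})
        off_hours = sorted({h for _, h, _, _ in evs} - b["hours"])
        z = (distinct - b["mean"]) / max(b["std"], 1.0)  # floor std so a perfectly regular history isn't brittle
        flag = bool(z >= z_threshold or (off_hours and distinct > b["mean"]))
        findings[user] = {"distinct_dbs": distinct, "z": round(z, 2), "off_hours": off_hours, "flag": flag}
    return findings
```

Running `score_window(build_baseline(parse(BASELINE_LOG)), parse(NEW_WINDOW_LOG))` flags analyst01 with 20 distinct databases, a z-score far above the threshold, and hour 3 outside its normal activity; the same account reading two of its usual databases at 10 AM is not flagged.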

As investors, we’re seeing the most potential in platforms that triage intent. 

Because when everything looks like a threat, knowing what to ignore becomes a competitive advantage.

AI for Offense: Scalable, Targeted, and Hard to Trace

Today’s threats are personalized, synthetically generated, and infinitely scalable, and they don’t break the system. They blend into it.

So how are attackers using AI?

LLM-powered spear phishing that clones employee writing styles and communication patterns. These systems analyze email history, Slack messages, and public posts to generate phishing emails indistinguishable from legitimate internal communications. They match tone, vocabulary, even punctuation quirks, and reference real projects, deadlines, and org structure pulled from scraped data.

Deepfake audio and video for executive impersonation and business email compromise. Attackers can synthesize a CFO’s voice for wire transfer approval calls or create video of a CEO announcing fake policy changes. The quality has reached the point where verification through traditional means like recognizing someone’s voice or face is no longer reliable.

IoT and IIoT as expanding attack surfaces with limited security controls. Every connected device, from smart building systems to industrial sensors, creates an entry point. Once compromised, these devices enable lateral movement into corporate networks, data exfiltration, or direct manipulation of operational technology. The attack surface grows with each deployment, and most IoT devices lack the capacity to run endpoint security tools.

Blockchain networks exploited for anonymity and untraceable ransomware payments. While blockchain technology itself is secure by design, attackers leverage its decentralized nature to obscure payment trails and launder proceeds. We’re also seeing smart contract exploits where vulnerabilities in code are used to drain funds or execute unauthorized transactions without detection.

5G networks amplifying attack speed and scale across exponentially more connected devices. The increased bandwidth and reduced latency of 5G allow attackers to exfiltrate larger datasets faster, coordinate distributed attacks more efficiently, and compromise more devices simultaneously. As 5G adoption accelerates, the number of vulnerable endpoints multiplies while detection windows shrink.

AI-assisted supply chain attacks where malicious code is embedded upstream in third-party dependencies. Attackers seed vulnerabilities in widely used SDKs, libraries, or configuration files that then propagate to thousands of downstream applications. These attacks are nearly impossible to detect until they activate because the compromised code passes through standard security reviews as legitimate vendor updates.

Most of this doesn’t look malicious until the damage is done.

Traditional security was built to stop what’s already happened, but AI doesn’t repeat. It improvises.

For enterprise buyers, this changes the economics of security: the investment has to go into systems that can adapt dynamically.

The cost of failure isn’t a missed alert. It’s a breach that looks legitimate right up until it empties the vault.

For founders, this is the new design brief:

Build for variability, not predictability. Assume adversaries can learn, so your system should too.

What India’s Security Startups Are Getting Right

There’s a reason we’re bullish on India as a cybersecurity builder market.

Founders here are building from first principles, shaped by India’s messy, hybrid, fast-moving digital environment. That’s a design edge.

Here’s what we’re seeing from the best security teams coming out of India:

1. Vertical AI > Generic AI

Instead of building general-purpose detection engines, Indian startups are going deep on domain-specific models tuned for BFSI fraud patterns, telecom network attacks, and industrial OT security.

In banking, this means models trained specifically on UPI transaction fraud, account takeover patterns unique to Indian digital banking apps, and insider threat behaviors in loan approval workflows. One team we spoke with built a fraud detection system that understands regional transaction patterns during festival seasons, distinguishing between legitimate high-volume spending and coordinated account compromise.

For telecom, startups are building models that detect SIM swap fraud by analyzing behavioral deviations in call patterns, location changes, and device switching that are specific to how Indian subscribers use multiple SIMs and family plans.

In industrial settings, security tools are being trained on SCADA protocols and OT network behavior in manufacturing plants, learning to spot data exfiltration or operational interference that generic security tools would miss because they don’t understand the specific logic of production line communications.

2. Agentless and Passive by Design

Most legacy infra in India can’t be patched or instrumented. That’s why we’re seeing a strong shift toward agentless security: passive, protocol-aware tools that deliver visibility without disruption.

This is especially critical in OT-heavy sectors like manufacturing, energy, and logistics, where uptime isn’t optional and security can’t get in the way.

3. Cloud-Native, Compliance-Ready Architecture

With DPDP rolling out and financial regulators tightening audit windows, startups aren’t waiting for buyers to ask the tough questions.

They’re shipping:

  • Explainable AI models
  • Granular, auditable access logs
  • Role-based controls mapped to enterprise policy

4. Zero Trust Built for Real Workflows

Instead of just enforcing perimeter rules, smart teams are embedding security into everyday usage:

  • Context-aware access tied to behavior, location, and device posture
  • Just-in-time permissions that self-expire
  • Dev-first IAM APIs that plug straight into internal tools

They’re building security as a product.

We believe this pressure (India’s regulatory complexity, infrastructure sprawl, and demand for scale) is forcing founders to build systems that are years ahead of their global counterparts.

And when you build for the hardest environments first, you don’t just solve for India.

You set the blueprint for what secure, adaptive, real-world-ready platforms should look like everywhere.

AI-First, Not AI-Only

At Pentathlon Ventures, we’re excited about AI because, when used well, it solves real problems: faster incident response, fewer false positives, smarter decision-making under pressure.

But we don’t invest in AI for AI’s sake.

We invest in teams that know when to use it, when not to, and how to make it trustworthy from the start.

That means:

  • Tools that can explain their decisions
  • Models that are trained on the right data
  • Platforms where AI makes humans better

We look for founders who treat AI as a means to an end and who build with guardrails, context, and real-world edge cases in mind.

Because in cybersecurity, the hard part isn’t adding intelligence, it’s adding trust.

And we believe the next generation of AI-first security platforms will be shaped right here in India.
