For twenty years the security industry operated on a quiet assumption: finding vulnerabilities was the hard part, and fixing them would sort itself out once you knew where to look. That assumption was wrong but survivable.
Discovery was slow enough that human teams, working tickets by hand, could mostly keep the backlog from becoming too big. The economics of the industry followed the assumption. Capital, talent, and product innovation poured into detection, because detection is what got funded and what got bought.
That era is over, and the thing that ended it is AI.
A Cyentia study commissioned by Cisco found that organizations fix roughly 1 in 10 of the vulnerabilities they identify. Not because teams are careless or under-resourced in some fixable way, but because remediation is structurally hard: it's slow, it's manual, and it's split across security and IT teams with different incentives and no shared ownership of the outcome.
Worse, a large share of the backlog can't be patched at all. Misconfigurations, hardening gaps, end-of-life systems with no vendor fix coming. None of that gets a patch. It gets risk-accepted and forgotten, and it accumulates.
Now put AI on both sides of that equation. Mythos and Fable-class models are surfacing vulnerabilities faster than any human team can triage, including findings that no patch will ever close. On the offensive side, the window from disclosure to a working exploit has collapsed from years to hours, and it's still shrinking.
So discovery just got automated and accelerated — on the attacker's side too — while remediation stayed exactly where it was: a person, a ticket, and a queue that's already too long. The gap between what gets found and what gets fixed was always the real exposure. AI didn't create that gap. It made it the most important risk surface in the enterprise.
This is the problem Furl was built to solve, and it's why the shape of the solution matters. You can't close a backlog this size by hiring more people to work tickets faster; the volume defeats that approach before you start.
The only thing that scales against automated discovery is automated remediation — an agent that investigates a finding, engineers a fix for the specific environment it's looking at, and executes it, continuously, with humans deciding the rules rather than performing every step.
That's continuous autonomous remediation, and it's a different category from the detection-and-ticketing tools that define the market today. We work alongside the scanners and patch managers you already run. We close what they leave open.
The hard part isn't the autonomy. It's earning the right to use it.
Any system asking for the access required to change production endpoints has to prove it won't become the next cautionary tale — recent incidents are in the back of every security team's mind. That's why autonomy in Furl is earned, not granted on day one: it runs inside scopes you define, validates before and after every change, rolls back when something doesn't land, and logs all of it. Trust is built one successful execution at a time, which is exactly how a security team would want it built.
Which brings me to why I'm actually writing this. Three people are joining Furl who have spent their careers inside the problem I just described.
Julian Waits is joining our board. He's spent more than thirty years in security, most recently as SVP at Rapid7, and has taken multiple companies from concept through exit. He's also Chairman Emeritus of Cyversity, which does real work on who gets into this field in the first place. Julian has watched the remediation gap stay open and get more expensive for three decades, which means I didn't have to convince him the problem was real — he's been describing it longer than I have.
Joe Moles is our CTO. He was one of the earliest people at Red Canary, now a Zscaler company, where he helped build an MDR platform that automates the vast majority of security investigations. That track record is the reason he's here. Joe has already proven, in production and at scale, that work everyone assumed required a human analyst can be automated safely — which is the entire thesis of Furl, applied to detection instead of remediation. He's done the hardest version of this before.
Nick Levy is joining as Enterprise Account Director after more than a decade selling across vulnerability management, threat intelligence, and security training, including roles at Tenable, Qualys, and ZeroFox. He has spent years in rooms with enterprises that bought tool after tool to find their problems and still couldn't close them. He understands the buyer's frustration because he's watched it from across the table.
None of these three needed the problem explained to them, which is the point. The remediation gap isn't a thesis we're trying to sell the industry on — it's something experienced people recognize the moment they see it, because they've lived it.
Detection has never been faster. Remediation hasn't kept pace. Closing that distance is the work, and now we have the team to do it at the scale enterprises actually need.