Fig Security wants to be the Datadog of your security stack

March 3, 2026

1. Headline & intro

Security teams have spent a decade instrumenting everything except the thing that matters most: whether their own defenses actually still work. Configs drift, data schemas change, tools get swapped, and yet most CISOs only discover broken detections when it is embarrassingly late.

Fig Security, fresh out of stealth with a sizeable war chest, is betting that "detection health" becomes a must‑have category in enterprise security. This piece looks at why that bet makes sense, how it fits into broader trends like AI‑driven security and data observability, and what it means for European organisations that are already drowning in regulation and tooling complexity.


2. The news in brief

According to TechCrunch, Israel‑based Fig Security has emerged from stealth with a total of $38 million in seed and Series A funding. The company was founded by veterans of Israeli cyber and data intelligence units 8200 and Mamram, including CEO Gal Shafir, who previously led Google Cloud Security’s global architecture team.

Fig’s platform monitors an organisation’s security stack end‑to‑end. It traces how security‑relevant data flows from sources, through pipelines and data lakes, into SIEM and response systems. Instead of just watching logs, it focuses on whether detection rules and response playbooks are actually firing as intended, and flags when upstream changes degrade or break them. It can also simulate the impact of planned patches or configuration changes before they go live.

The company says it has accrued a "low double‑digit" number of large enterprise customers in roughly eight months and aims to reach 50–100 by year‑end. The new capital will fund expansion in North America and a tripling of headcount. Investors include Team8, Ten Eleven Ventures and several well‑known security executives.


3. Why this matters

Fig is attacking one of the most awkward truths in cybersecurity: most organisations have very little continuous assurance that their carefully built defenses still function as designed.

Security stacks are increasingly brittle. A minor change in a data pipeline, a new log format from a cloud provider, or a misconfigured integration in a SOAR platform can silently neutralise a whole class of detections. The tools keep running, dashboards stay green, but the system has gone effectively blind in one area. This "fail‑quiet" behaviour is far more dangerous than a noisy outage.
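The fail-quiet behaviour described above, as an added illustration (not Fig Security's code or method): a small check that compares how often the fields each detection rule depends on appear in a baseline batch versus a current batch of events. The rule names, field names and events are constructed for the example.

```python
# Added illustration: rules, field names and events are all constructed.
RULES = {
    "console_login_without_mfa": {
        "fields": ["event_name", "mfa_used"],
        "match": lambda e: e.get("event_name") == "ConsoleLogin"
        and e.get("mfa_used") is False,
    },
    "failed_console_login": {
        "fields": ["event_name", "outcome"],
        "match": lambda e: e.get("event_name") == "ConsoleLogin"
        and e.get("outcome") == "failure",
    },
}

# Events in the format the rules were written against.
BASELINE = [
    {"event_name": "ConsoleLogin", "mfa_used": False, "outcome": "success"},
    {"event_name": "ConsoleLogin", "mfa_used": True, "outcome": "failure"},
    {"event_name": "ListBuckets", "mfa_used": True, "outcome": "success"},
]
# Same activity after an upstream change moved "mfa_used" into a nested object.
CURRENT = [
    {"event_name": "ConsoleLogin", "auth": {"mfa": False}, "outcome": "success"},
    {"event_name": "ConsoleLogin", "auth": {"mfa": True}, "outcome": "failure"},
    {"event_name": "ListBuckets", "auth": {"mfa": True}, "outcome": "success"},
]

def coverage(events, field):
    """Fraction of events that carry the field at the top level."""
    return sum(field in e for e in events) / len(events) if events else 0.0

def hits(rule, events):
    """Number of events the rule's predicate matches."""
    return sum(1 for e in events if rule["match"](e))

def detection_health(rules, baseline, current, max_drop=0.5):
    """Flag rules whose input fields lost coverage relative to the baseline."""
    report = {}
    for name, rule in rules.items():
        lost = [f for f in rule["fields"]
                if coverage(baseline, f) - coverage(current, f) > max_drop]
        report[name] = {
            "status": "broken" if lost else "healthy",
            "missing_fields": lost,
            "baseline_hits": hits(rule, baseline),
            "current_hits": hits(rule, current),
        }
    return report
```

The first rule drops from one hit to zero without raising any error, which is why the check looks at the coverage of the rule's input fields rather than at alert volume alone.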

Who wins if Fig’s vision takes off?

  • CISOs and security operations teams, who gain a way to measure the health of their detections in near real time, rather than relying on periodic audits, red‑team exercises, or post‑incident forensics.
  • Boards and regulators, who finally get a more concrete answer to the question: "How do you know your controls actually work today, not six months ago?"

Potential losers include:

  • Monolithic security platforms that have sold the dream of a single pane of glass where everything is magically consistent. Fig’s very existence is a reminder that even the biggest platforms can be undermined by data quality and integration drift.
  • Traditional consulting‑heavy assurance models. If detection health can be instrumented like application performance, recurring and highly manual control testing becomes harder to justify at the same scale and price.

In the short term, Fig doesn’t simplify anyone’s stack; it adds yet another layer. But strategically it addresses the real bottleneck: not a shortage of tools, but a shortage of confidence in how those tools behave as systems evolve.


4. The bigger picture

Fig sits at the intersection of three major trends.

1. Data observability comes to security.

In the data engineering world, companies like Monte Carlo and Bigeye built businesses around "data observability": tracking freshness, schema changes and lineage to avoid broken dashboards and ML models. Fig extends that logic to the security domain: instead of worrying about a CFO seeing wrong numbers, it worries about a SOC analyst never seeing an attack at all.

2. From point tools to meta‑platforms.

Security has moved from buying one big suite to stitching together best‑of‑breed EDR, cloud security, identity, email, and more. That sprawl has created a market for meta‑layers: XDR, attack‑path management, exposure management, and now detection‑health monitoring. Fig is effectively a reliability layer on top of existing tools, similar to how Datadog or New Relic sit above microservices.

3. Continuous validation of controls.

Vendors like AttackIQ, Cymulate and others have pushed breach‑and‑attack simulation (BAS), firing test attacks through an environment to see what triggers. Fig approaches the same problem from the data side rather than the attacker side. It cares less about the specific exploit and more about whether the plumbing from log source to playbook is intact.

Historically, similar "meta" layers have either become essential (think observability in DevOps) or been absorbed into the platforms they monitor. If Fig and its peers demonstrate that detection health materially reduces mean time to detect and respond – or prevents headline breaches – expect SIEM and XDR vendors to copy, partner or acquire.

The founding team’s background (Unit 8200, Mamram, Google Cloud) is also part of a familiar pattern: Israeli cyber talent building highly technical products aimed squarely at Fortune 500 security teams, with North America as the first commercial beachhead.


5. The European / regional angle

For European organisations, Fig’s pitch lands at a particularly sensitive moment.

The regulatory stack – GDPR, NIS2, DORA for financial services, the upcoming EU AI Act – increasingly demands demonstrable, ongoing effectiveness of security controls and incident detection. It’s no longer sufficient to show that a SIEM exists; regulators and auditors want evidence that it actually sees what it is supposed to see.

That creates an interesting alignment: tools like Fig provide exactly the telemetry a CISO needs to answer tough questions from supervisory authorities and internal audit: when did a key detection go dark, why, and how quickly was it fixed?

But there are also uniquely European constraints:

  • Data sovereignty and localisation: continuously sampling security‑relevant telemetry and sending it to a third‑country vendor can trigger GDPR and data transfer concerns, especially in critical infrastructure and public sector. Fig will need strong answers on regional data hosting and minimisation.
  • Heterogeneous environments: many European enterprises run hybrid estates with local data centres, EU‑hosted clouds, and US hyperscalers. That actually strengthens the case for a neutral detection‑health layer, but also raises integration complexity.

European security vendors – from Elastic’s SIEM capabilities in the EU to smaller observability and SOAR players – may see this as both a competitive threat and a partnership opportunity. There is room for a European champion in this space, particularly one that bakes compliance narratives (e.g., DORA reporting) directly into the product.


6. Looking ahead

The obvious question is whether "detection health" becomes a standalone category or a feature inside bigger platforms.

Over the next 12–24 months, watch for three signals:

  1. Incident post‑mortems: When the next big breach hits, will we learn that a detection quietly broke months earlier due to a schema change or pipeline misconfiguration? If so, Fig’s narrative gains powerful real‑world validation.
  2. Platform response: If major SIEM/XDR vendors launch native lineage‑tracking and detection‑health dashboards, that both validates the idea and puts pressure on independents to differentiate on depth and neutrality.
  3. AI integration: As security copilots proliferate, their reliability depends entirely on the quality and continuity of the underlying data. Vendors like Fig are well positioned to become the "safety belt" for AI‑driven security operations, flagging when the copilot is steering based on incomplete or distorted telemetry.

There are risks. Another dashboard can increase cognitive overload in already stretched SOCs. If detection‑health tools are poorly tuned, they risk becoming the new source of false positives. And if enterprises treat them as a silver bullet instead of as part of a broader engineering‑centric security culture, the value will be limited.

Still, the direction of travel is clear: cybersecurity is absorbing ideas from SRE and data engineering. We will talk less about "tools" and more about reliability of controls – measured, instrumented and continuously tested.


7. The bottom line

Fig Security is riding a timely insight: in a world of AI‑augmented attacks and sprawling security stacks, the silent failure of a single detection can be as damaging as an unpatched vulnerability. Whether Fig remains an independent category leader or is subsumed into larger platforms, the idea of continuously monitoring the health of detections and response flows is here to stay. The real question for security leaders is simple: if an attacker walked in today, how confident are you that your alarms would actually go off?
