Anagram takes a gamified approach to employee cybersecurity training

Micheal


Despite employers requiring their employees to complete yearly cybersecurity training courses, human-driven cybersecurity breaches still happen. The problem could even get substantially worse as generative AI increases the scale and personalization of social engineering campaigns.

Anagram, formerly known as Cipher, is taking a new approach to employee cybersecurity training that the company hopes can keep up with the changing nature of these campaigns.

The New York-based company built a platform that contains hands-on security training for enterprises. The training includes bite-sized videos and personalized interactive puzzles to teach employees how to spot suspicious emails and communication. These trainings are designed to be more frequent, and more engaging, than the current standard of a once-yearly, lengthy training session.

Harley Sugarman, the co-founder and CEO of Anagram, told TechCrunch that these activities include tasks like having employees create their own personalized phishing emails to teach them how to spot sophisticated campaigns against themselves.

“We took very little, in fact, basically no inspiration from the existing stuff out there,” Sugarman said regarding existing cybersecurity training. “What we really took was lessons from TikTok, and lessons from Duolingo and Khan Academy. We looked at these platforms that have done really, really well engaging and changing user behavior outside of the security space and we said, OK, how can we apply those lessons within security?”

Building gamified cybersecurity training wasn’t what Sugarman, a former VC at Bloomberg Beta, set out to do when he initially launched the company.

Sugarman’s first idea was to use the cybersecurity industry’s “capture the flag” training approach to upskill enterprise cybersecurity employees. This training approach involves building software with vulnerabilities and having security researchers go into the software to find the bugs and figure out how to write code without falling into the same traps.

That company launched as Cipher in 2022 and gained some traction. But chief information security officers (CISOs) started telling Sugarman that their businesses actually had a bigger security issue they were looking to tackle: their non-security employees. Sugarman said that CISOs describe their employees as their weakest cybersecurity link.

“What sort of surprised me was actually just the amount of hopelessness that I heard in their voices,” Sugarman said. “This was an unsolvable problem for them.”

Cipher then pivoted in January 2024 to focus on solving that problem. Now the startup is changing its name to Anagram to reflect its new focus and is in the process of winding down its original product. Anagram has seen strong growth since its pivot and landed customers including Thomson Reuters, MassMutual, and Disney, among others.

Anagram recently raised a $10 million Series A round led by Madrona with participation from General Catalyst, Bloomberg Beta, and Operator Partners, among others. The company plans to use the funds to build out its sales team and continue to improve the product. Sugarman said that so far they have been able to bring companies’ phishing failure rates from 20% down to 6%, but he thinks they can continue to get closer to zero.

Sugarman said Anagram launched its product at a really interesting inflection point for the cybersecurity industry. With the advancements of generative AI, social engineering campaigns can be more personalized than ever, which will make it increasingly hard for people to tell what is real and what isn’t.

“I think the sort of side effect of that is that traditional email security platforms are actually going to have a much harder time detecting these AI-generated phishes,” Sugarman said. “That ability to generate and randomize is just so strong, and it’s really, really difficult, from an engineering perspective, to defend against that.”

Anagram is also working to develop an AI agent that will sit in enterprise employees’ emails and will be trained to flag potential cybersecurity slip-ups before they happen. Sugarman said the agent would do things like pop up to ask someone if they really want to send their credit card information over email and other similar safeguards.

In the meantime, Anagram hopes its puzzles and TikTok-like training videos will continue to move the needle.

“Humans are not dumb, we built skyscrapers, we can do space travel,” Sugarman said. “We can figure out how to not click on a suspicious link in an email.”
