
Ent: Endpoint Security for the AI Era

We are excited to announce our investment in Ent, a new endpoint security platform built for the era of AI-powered attacks. For more than a decade, endpoint detection and response (EDR) has been the front line of enterprise defense, designed for a world where adversaries created malware that attacked kernels, processes, and system-level software. Today's attackers don't use traditional malware - they use the power of LLMs such as Anthropic’s Mythos to create novel attacks that "live off the land" by compromising the same legitimate software used by employees every day. Ent is the first company to reimagine endpoint protection by understanding the intent of users and AI tools, leveraging locally run computer vision and small specialized AI models to detect and prevent risky activity before it becomes an incident. This is the “self-driving” moment for the cybersecurity industry and finally changes the game for defenders.

Ent was founded by Lou Manousos and Brandon Dixon, who previously built RiskIQ together before it was acquired by Microsoft, where they went on to build Microsoft Security Copilot. We talked to Lou and Brandon about their vision for protecting the human and AI-driven workforce in our founder Q&A:

Where did you both grow up and what inspired you to become founders?

Brandon: I grew up in Baltimore and Lou grew up in Chicago. Neither of us have “traditional” backgrounds - we have both grown up in the cybersecurity industry and have started numerous companies. We both share excitement for building tools the security community uses every day - there is nothing like watching thousands of analysts pick up something you built because it makes their job easier. My last company, PassiveTotal, started first as a tool for threat researchers and it ultimately became a platform for threat intelligence when Lou acquired my company into RiskIQ. For both of us, creating new startups is the fastest way to get great products in the hands of defenders and is the reason we do what we do every day.

You both partnered in a prior successful startup — what were the major takeaways from that experience?

Lou: At RiskIQ we learned that data and community compound. We built a platform that mapped the internet from the attacker's perspective, and our community had grown to more than 100,000 security professionals from several hundred of the Global 2000. Microsoft acquired us in 2021 and we rapidly grew the quality and quantity of our data due to the flywheel we had created early on. While at Microsoft we learned another lesson: platform transitions come faster than ever and you need to move quickly to redefine your category. We had the privilege of launching Microsoft Security Copilot which was the first AI-powered security product from a major platform vendor in the era of LLMs. With Ent, it was clear that advancements in adversarial AI would require a new paradigm for the endpoint. We knew from experience that you don't wait for the market to ask for something - you build it as soon as you can.  

What was the inspiration for starting Ent?

Lou: Every company I've founded has started with the same observation: the way an enterprise operates changes rapidly but security can’t always keep up. In 2009 the change was the recognition that enterprise security needed to move beyond your firewall and traverse the internet in the era of cloud. Today it's the AI transformation: employees are being asked to use AI to do their jobs, but attackers are leveraging frontier LLMs to engineer new forms of attacks at machine speed. The endpoint is becoming the place where humans and AI hand work back and forth, and that's where the AI security battle will be won or lost.

Brandon: There is a new reality with AI-driven attacks - the adversaries have moved out of the traditional control points where EDR is strong and are now compromising legitimate tools like Zoom, Microsoft Office, and anything touching the browser. They do a great job looking like an employee to evade your traditional security software. An EDR can tell you Zoom is running but it cannot tell you that a user just handed the remote control of their machine to someone outside the business, or why. It can’t really tell you whether the files being accessed are a part of normal course or something suspicious. The missing piece is a behavioral layer that understands intent at machine speed. This is the core IP that we have built since inception at Ent.

Ent Wins the “People’s Choice” Award at the RSAC Guidepoint Tiger Cage Competition

What were the technical breakthroughs that were required to build a new endpoint product?

Lou: We took a lesson from self-driving cars. Early systems tried to hard-code a rule for every situation such as reading a stop sign - these systems could never really scale. The breakthrough came from building a “world model” that understood the driver’s environment and could predict using computer vision what would happen next. Ent does the same thing for the enterprise: we build an organizational “work model”, a living understanding of how your people and agents actually operate. This enables us to discern normal work from real risk instead of relying on brittle rules.

Brandon: In order to make this work, three things had to come together. First, small, highly optimized defensive models have to run locally on the endpoint without latency (you cannot backhaul everything to the cloud). Second, these models must create a semantic understanding of what the user sees and does without having to pre-define what “good” and “bad” actions look like on a device. Finally, these products touch tens of thousands of users in real time and therefore require a user-friendly enforcement model. Instead of creating mountains of alerts, we need to politely intervene so that employees can do their part to reduce risk in the moments that matter. I should add that Ent also runs locally and deploys entirely within the customer's environment so data never leaves their premises.

Ent Uses Local AI and “Work Models” to Detect Suspicious Activity at Machine Speed

What is the long term vision for the company?

Lou: There is a once-in-a-generation platform shift underway in how security vendors need to protect endpoints. We all know we have fallen behind and need to advance beyond traditional EDR and find a new approach to defend against LLM-based attacks. At the same time, we can’t stop enterprises from deploying AI - we need to embrace a world where every machine has traditional human facing software and agents that are working around the clock on our behalf. The solutions that can properly monitor this new endpoint behavior will be the ones that can see the intent of everything in the user space autonomously without compromising on employee experience or IT security. We want Ent to be the leader in this next era: protecting your workspace and workplace by finally giving defenders an AI advantage that keeps pace with the speed of AI.