Why reformed hackers are winning cybersecurity funding

The origin story that money follows: why ‘reformed hacker’ founders are having a moment

Shay Shwartz made money hacking as a teenager. At 16, he got caught. Most narratives treat that moment as the cautionary part of the story — the brush with consequence that scared him straight. The smarter read is different: getting caught confirmed he was good enough to get noticed.

That pivot point sent Shwartz into a decade of elite defense work in Israel, including projects tied to the Iron Dome missile defense system, before he moved into the private sector at Axis, which was later acquired by HPE. Two years ago he founded Ocean, an agentic email security platform built to counter AI-powered phishing attacks. Lightspeed Venture Partners led the round. Total funding: $28 million.

The through-line from teenage hacker to $28M raise is not incidental to the story — it is the story. Investors backing cybersecurity companies are increasingly skeptical of founders who understand threats only from the defensive side of the wall. A founder who has actually run phishing-style schemes, however briefly and however long ago, carries a different kind of threat-model fluency. They know what the attacker is optimizing for because they were the attacker. That knowledge does not come from a certification program or a corporate SOC rotation.

Getting caught, counterintuitively, functions as a credentialing event in this world. It confirms technical capability at an age when most people are still figuring out how to write a passable essay. Employers in elite intelligence and defense units understood that when they hired Shwartz. Lightspeed understood it when they led his round.

The poacher-turned-gamekeeper dynamic is showing up across cybersecurity fundraising right now because the threat environment demands it. AI is enabling phishing attacks with a degree of personalization and volume that rule-based detection systems cannot absorb. Defending against that requires founders who think like the people building the attack tooling — not founders who learned about those people secondhand. Shwartz’s origin story is not a PR frame dressed up as a background check. It is the actual qualification.

From Iron Dome to inbox: the decade of elite hardening that shaped Shwartz’s approach

Shay Shwartz spent roughly a decade inside Israeli defense and intelligence cybersecurity before he ever thought about pitch decks. That included work connected to the Iron Dome missile defense project — an environment where a miscalculation doesn’t trigger a compliance audit; it costs lives. That distinction matters more than most coverage acknowledges.

Iron Dome-adjacent cyber work means operating against nation-state adversaries: well-resourced, patient, and motivated by geopolitical objectives rather than financial ones. The threat models Shwartz worked inside are orders of magnitude more sophisticated than the credential-harvesting campaigns that keep enterprise security teams busy. Defenders in those environments don’t get to patch and move on. They have to anticipate attack vectors that don’t exist yet, because the consequences of being wrong are physical and permanent.

That decade of operating under genuine adversarial pressure produces a specific kind of threat intuition — one that commercial security products rarely reflect, because most are built by engineers who learned their craft in environments where the worst outcome is a breach notification letter and some regulatory friction.

What makes Shwartz’s background unusual isn’t just the military pedigree. It’s what he did after it. He joined Axis, a cybersecurity startup that was later acquired by HPE, where he had to translate elite threat knowledge into products that work at commercial scale, ship on a roadmap, and survive contact with enterprise procurement. That transition is where many defense-to-civilian founders stall. The skills that make someone effective inside an intelligence unit — operating in small teams, working with classified constraints, optimizing for zero failure — can actively work against building a scalable product company.

Shwartz did both. By the time he founded Ocean two years ago, he carried military-grade threat intuition and product discipline earned in a real commercial exit. For investors evaluating a $28 million bet on an AI email security platform, that combination — not just one half of it — is the actual signal.

Why AI phishing is the threat that finally justifies a $28M bet

Phishing is not a new problem. Security teams have fought it for thirty years, and defenders built entire product categories around its most predictable weaknesses: mangled grammar, generic “Dear Customer” salutations, sender addresses that didn’t survive a second glance. Those signals are gone. Any attacker with access to a large language model API can generate a perfectly composed, contextually accurate, personalized email in milliseconds at near-zero marginal cost. The attack surface didn’t shift incrementally — it broke.

That break is the direct reason Shay Shwartz chose this moment to raise at scale. Ocean, his agentic email security platform, closed $28 million in total funding led by Lightspeed Venture Partners, emerging from stealth into a market where the legacy email security stack is structurally exposed. The implicit argument embedded in that raise is straightforward: the tooling defenders built against human-crafted phishing cannot detect AI-crafted phishing, because AI-crafted phishing doesn’t carry the artifacts those tools were trained to flag.

Investors are making a timing bet as much as a technology bet. The $28 million reflects a consensus that the window to establish durable competitive position in AI-native email security is open right now. Waiting two years means competing against entrenched players who will have used that time to accumulate training data, enterprise contracts, and integration depth. First-mover advantages in security infrastructure compound fast once a vendor is embedded in a customer’s email stack.

The scale of the raise also signals that this is not a feature waiting to be absorbed by Microsoft or Google. Lightspeed and its co-investors are pricing in a standalone market — one where the sophistication of AI-generated attacks justifies dedicated, purpose-built defense rather than a checkbox inside an existing productivity suite. Shwartz built Ocean specifically to match the attack model: an agentic architecture designed to analyze behavioral and contextual signals that survive the collapse of the old grammatical and structural tells. The $28 million is the cost of moving fast enough to matter before the category consolidates around someone else.

What the funding round signals about where enterprise security spending is going

Lightspeed Venture Partners led Ocean’s $28 million raise into a market that, on paper, looks crowded to the point of being closed. Microsoft Defender and Google Workspace’s built-in protections ship automatically to hundreds of millions of enterprise inboxes. The conventional VC calculus says you don’t build a standalone email security company in 2024 and expect to win.

That calculus misreads what enterprises are actually buying. Bundled security tools optimize for breadth — catching the known, the generic, the high-volume. They are built to protect everyone adequately, not to stop a targeted, AI-generated spear-phishing campaign crafted specifically around a CFO’s communication patterns and calendar context. As AI lowers the cost of that kind of precision attack to near zero, the gap between “adequate” and “sufficient” becomes a liability enterprises can measure in dollar terms. Ocean is betting that gap is wide enough to sustain a premium, specialized product alongside whatever Microsoft or Google already licenses.

Shwartz’s time at Axis — the security startup that HPE acquired — matters here in a way that goes beyond résumé credibility. Axis operated inside the enterprise procurement cycle. Shwartz watched firsthand how large organizations evaluate, integrate, and operationalize security tooling, which means Ocean enters the market with a founder who already understands that the hardest problem in enterprise security is rarely the technology. It’s navigating the security operations team, the CISO’s existing vendor relationships, and the integration requirements that determine whether a new tool gets deployed or sits in a proof-of-concept purgatory for eighteen months.

That distribution knowledge is a durable advantage. A lot of technically strong security startups stall at the enterprise threshold because the founder optimized for the product and underestimated the sale. Shwartz’s HPE-acquisition background signals to Lightspeed that Ocean’s go-to-market assumptions are grounded in how large security budgets actually move — not how founders wish they did.

The broader pattern: Israel’s cyber-military pipeline as a startup factory

Shay Shwartz’s career arc — teenage hacker, elite military cyber researcher, commercial startup operator, VC-backed founder — is not a quirky origin story. It is a repeatable industrial process. Israel has been running this pipeline for decades, cycling talent from units like 8200 and the broader defense intelligence apparatus into the commercial sector, producing companies like Check Point, CyberArk, and Wiz along the way. Shwartz’s decade inside Israel’s defense and intelligence units, including work tied to the Iron Dome project, placed him squarely inside that tradition.

The Iron Dome reference deserves more weight than most coverage gives it. It is not resume decoration. Iron Dome was engineered to solve an impossible problem under real-time existential pressure — intercept incoming threats faster than any human operator could react, with near-zero tolerance for failure. Building systems inside that environment produces engineers and product thinkers who treat latency and error rates as matters of life and death, not acceptable trade-offs. That risk philosophy travels with founders when they leave. It shows up in architecture decisions, in how they frame threat models, and in what they are willing to ship versus what they refuse to release until it holds.

That engineering culture is now colliding with a specific market moment. AI has dissolved the skill barrier that once kept sophisticated phishing attacks inside the budgets and capabilities of nation-state actors. Any moderately resourced criminal group can now generate contextually accurate, grammatically flawless, behaviorally targeted email attacks at scale. The defenders who built systems against nation-state adversaries are, suddenly, the most relevant people in the room for enterprises trying to protect against threats that look increasingly like nation-state attacks.

That dynamic accelerates demand for exactly the profile Shwartz represents. The $28 million Lightspeed-led round Ocean closed is partly a bet on the product and partly a bet on the founder’s formation. As the threat level facing commercial organizations converges with what Israel’s defense sector has been engineering against for years, the military-cyber-to-startup pipeline stops being an Israeli story and starts being the global template for who gets funded next.

AI-Assisted Content — This article was produced with AI assistance. Sources are cited below. Factual claims are verified automatically; uncertain claims are flagged for human review.