Tenet Security raises $6M to catch AI agents behaving badly

A new security startup founded by the researchers who built Cisco's AI Defense product came out of stealth on Wednesday with $6 million in seed funding and a single sharp claim: most enterprises have no idea how many AI agents are running on their networks, and the ones that do know lack the visibility to stop a runaway agent from doing real damage before it is too late.

The company is called Tenet Security. Its founders, CEO Barak Sternberg and CTO Nevo Poran, spent years inside Cisco building the company's AI Defense research team, a group whose job was to study the new attack surface that large language model tools were carving into enterprise systems. The pair are also Unit 8200 alumni, the Israeli military intelligence unit that has produced a long list of cybersecurity founders.

Tenet, which is headquartered in the US but was started in Tel Aviv, raised the seed round from the Westly Group, a firm whose earlier bets include Tesla, SentinelOne, and Lumina. The funding is small by current AI security standards. What is interesting is what Tenet says it built, and the problem it is claiming to have found.

The product is a runtime sensor that sits inside an enterprise environment and watches AI agents as they act. It does not just look at prompts leaving a model, and it does not just look at API calls heading to a SaaS system. It correlates the operating system behavior of the host, the network calls, the API calls, and the agent's own chain-of-thought reasoning at the same time, then flags actions that look suspicious before the agent can carry them out.

What Tenet's runtime sensor actually watches

The pitch is built around a number that the team says most security leaders would find uncomfortable. Tenet believes that organizations may have up to five times more AI agents running than their security teams realize. The reasoning is straightforward: agents get spun up by individual employees, by line-of-business tools, by embedded SaaS features, and by integration platforms, and very few of those deployments go through any change control or identity workflow that the security team can see.

Once those agents are live, their behavior becomes largely invisible until something goes wrong. Traditional endpoint tools see process activity and network calls, but they do not understand intent. Identity tools see who is calling what, but they treat an agent acting on behalf of a human as the same actor as the human, which understates the blast radius. Prompt-monitoring tools see what the user typed, but they do not see what the model is doing at the system layer.

Tenet is betting that the only place left to catch the kind of attacks that are starting to show up in production is at the runtime layer, in the moment an agent decides to act. The sensor simulates and predicts an agent's next step. If the predicted action is harmful, the sensor can stop it before the agent actually executes it. The company calls this approach environment provoked reaction, meaning the system responds to what the agent appears to be about to do, not to a static rule that someone wrote last quarter.

The result is something closer to an XDR (extended detection and response) layer for agents than to a traditional prompt filter or API gateway. It is also the kind of capability that the broader agent governance market is just starting to demand. Tools like the enterprise AI governance checklist for 2026 on this site already call for runtime controls as a separate layer from prompt filtering, and Tenet is one of the first vendors to ship that layer as a standalone product.

The agentjacking problem Tenet thinks it discovered

The other half of the story is the threat research. Tenet's Threat Labs has been running the same kind of red team work its founders did at Cisco, and the team says it has validated a new attack class against AI agents in more than 100 enterprise environments. The attack is called agentjacking, and the name is doing a lot of work.

Agentjacking is what happens when an attacker can poison or manipulate the data that an AI agent is using to make decisions, in a way that the agent's authorized permissions do not catch. Because the agent is acting within its normal scope, traditional security tools see nothing wrong. The attack does not require a stolen credential or a new vulnerability in the model. It only requires control over some piece of context the agent relies on, and that context can be a knowledge base, a tool's response, a calendar event, a CRM record, or a document that has been quietly edited.

Once the agent is steered, it acts on behalf of the attacker using its own legitimate access. In the research Tenet has run so far, the team says it has found thousands of organizations potentially exposed through publicly accessible attack paths, which is the kind of claim that tends to land hard with CISO audiences.

The mechanism is similar in spirit to prompt injection, but the practical impact is different. Prompt injection usually targets the model's output. Agentjacking targets the agent's actions. That distinction matters because the actions are what touch real systems. An agent that is steered into calling a particular API, opening a particular file, or initiating a particular workflow is doing real things to real infrastructure, all while appearing to be a normal user request.

This is why Tenet's runtime sensor exists in the form it does. Static analysis of prompts will not catch a poisoned tool response. Network monitoring will not flag an agent that is making API calls it was always authorized to make. The only signal that is left is the agent's actual behavior, observed as it happens, in the context of the OS, the network, and the agent's own reasoning.

Where Tenet fits in the broader agent security stack

The interesting question for the broader market is why Tenet is a company at all, and not a feature inside CrowdStrike, Palo Alto, Zscaler, or one of the big cloud platforms. CrowdStrike in particular has been pushing hard into agent identity with its Continuous Identity for AI Agents announcement earlier in June, and Beyond Identity just launched a product called Ceros to handle identity and access for agents as well.

The honest answer is that those vendors are coming at the problem from the identity side. They want to know who is calling, and whether that caller is allowed to call. Tenet is coming at it from the runtime side. The recent AppViewX launch of Agent Identity Security for enterprise agents covered that side of the stack, and Tenet sits below it in the runtime. It wants to know what the agent is about to do, and whether that action would cause harm even if the agent is technically authorized to do it. The two approaches are complementary, and in most enterprise security stacks they will end up being layered on top of each other, with identity vendors controlling who gets in and runtime vendors like Tenet deciding what they are allowed to do once they are inside.

The other reason this is a startup story is that the deployment numbers are still small. Tenet has shared two reference deployments, including a $1 billion ARR legal-sector enterprise that grew from two AI agent deployments to more than twenty in six months while running Tenet, and a Fortune 1000 company where Tenet caught a runaway agent that was burning through tens of thousands of dollars in unnecessary token consumption over a single weekend. The first story is the more interesting one for the security market, because it shows an enterprise that wanted to scale agent adoption but would not do it without runtime controls in place. That is the kind of gating dependency that turns a niche product into a category.

The second story is the more interesting one for the operations market, because it suggests that the cost of an unsecured agent is not just data exfiltration or privilege abuse, it is also raw compute spend. AI agents that loop, that call too many tools, or that fail to terminate cleanly are already a meaningful line item for some enterprises, and that line item is going to grow as agent deployments scale.

For the broader market, Tenet is not the only startup chasing this category, but it is the first to come out of the gate with a named attack class, a working sensor, and a public deployment record. That combination is what the early agent security market will reward.

For enterprises that are already deploying agents, the practical takeaway is that prompt filtering and identity controls are no longer enough. The next layer to evaluate is runtime behavior, and the next vendor conversation to have is the one about what the agent was about to do, not just who the agent claims to be.