Announcing Our Investment in Maze's Seed; and their Series A led by Theory Ventures
9 months since Tapestry VC’s Seed investment, we’re delighted to announce Maze’s $25M Series A led by our friends at Theory Ventures.
In a few months, Maze has already been deployed across the Fortune 500 and some of the world’s most sophisticated security teams. But, as Harry Wetherald (Maze’s CEO) likes to remind me, these are but the early innings.
Read the announcement from Harry at Maze here and take Maze for a spin here.
Congratulations Harry, Santiago, Adrian and the Maze team on bringing a bit of “magic” back to the cybersecurity industry.
Why does the world need another vulnerability management product?
CVE publish rates continue to increase at an alarming pace. Concurrently, the average “time-to-exploit” (TTE) vulnerabilities has decreased from 207 days in 2021 to a jarring 8 days in 2023.
This rapid increase barely accounts for advancements in AI. As Josh Bressers points out in “Why are vulnerabilities out of control in 2024?”: hundreds of millions of pieces of open source software have been released, yet there have been ~250k CVE IDs ever created (?!). There are likely millions of vulnerabilities that can now, or very soon, be discovered at scale with AI. In fact, my friend Sean Heelan recently did just this: https://sean.heelan.io/2025/05/22/how-i-used-o3-to-find-cve-2025-37899-a-remote-zeroday-vulnerability-in-the-linux-kernels-smb-implementation/. The times they are a changin’.
Furthermore, whilst a meaningful percentage of CVEs flagged currently are benign due to poor PoC exploit code, this example code may be all an LLM needs to accurately reproduce the vulnerability. Auto-exploitation needs to be countered with auto-remediation.
Whilst (or perhaps because) there are more vulnerabilities than ever, the amount of data describing these vulnerabilities fell off of a cliff since February 12, 2024 as NIST almost completely halted enriching the world’s most widely used software vulnerability database (the “National Vulnerability Database”).
Attempts like Vulnrichment have been made to plug this gap but there is equally an opportunity for private threat intel (e.g. Filigran) and/or vulnerability management (e.g. Maze) players to help fill this void. Regardless, we suspect this event will encourage security practitioners to seek out new sources of vulnerability data, fostering new conversations.
