Riot prepares your team against highly sophisticated cyberattacks

French startup Riot has raised a $12 million Series A round to iterate on its all-in-one cybersecurity awareness platform for businesses and their employees. The startup originally focused on fake phishing campaigns. It now also offers customized educational content that can help grow the cybersecurity culture in your team.

While it is still quite difficult to raise a funding round in the current economic environment, Riot managed to put together an interesting list of investors. Base10, a San Francisco-based VC firm that previously invested in flagship startup names like Figma, Notion and CircleCI, led today’s funding round.

Some angels with a technical and operational background also invested in the round, such as Snyk’s founder Guy Podjarny, Duolingo’s co-founder Severin Hacker, Supercell’s co-founder Ilkka Paananen, Deel’s co-founder Alex Bouaziz and Slack’s CPO Tamar Yehoshua. Some of Riot’s existing investors also put more money on the table, such as Y Combinator, Funders Club and Founders Future.

And the reason why these investors lined up to participate in the round is that cybersecurity has never been such a topical issue. At TechCrunch, we cover a fair share of ransomware campaigns, SIM swaps to access user accounts and database leaks with sensitive data like credit card information.

But it feels like things are accelerating. Attacks are becoming more sophisticated and more prevalent. A couple of years ago, CEO fraud was still relatively new. Now, even small companies are targeted with elaborate campaigns.

For instance, I recently heard about a chief accountant who received an email from an important supplier saying that the bank account had changed. The email looked real because it was real — the supplier’s email account had been compromised and there were some outstanding invoices. The bank account didn’t belong to the supplier though.

As I wrote in my first article on Riot, your company’s security is as strong as your least careful employee. A data breach usually starts with a poorly secured internal account with two-factor authentication turned off. Everybody could now potentially receive phony emails, phones calls, text messages and administrative letters that look just like the real thing.

Building a modern educational product

If you work for a big company with important regulatory requirements, chances are you regularly receive mandatory training videos with quick quizzes at the end. Many people play these videos in the background and do something else. They barely pay attention to the content of the videos.

Riot’s main interface is a chatbot called Albert. It is available on Slack, Microsoft Teams or through a web interface. Each course is interactive and the content changes dynamically depending on each employee’s cybersecurity knowledge.

“I read a study from the 1980s and they were looking at the effectiveness of each teaching method,” Riot founder and CEO Benjamin Netter told me. “With one-to-one relationships, when you teach someone individually, the student is better than a student who attends normal classes in 98% of cases. We can’t have a teacher per student at scale, but we try to create these one-to-one relationships.”

For example, instead of giving a general definition of a data breach, Riot starts by telling you that your email address can be found in five different data breaches. When the company then tells you what it means, you are more likely to pay attention and reach the end of the training. Admins can then track the progress of their teams.

This is just one example, but Riot could also encourage employees to activate two-factor authentication on important services. Many hackers also rely on LinkedIn data to find out who you are working with and send a message using some co-worker’s name.

That’s why Riot can encourage your team members to change their privacy settings in order to proactively prevent cybersecurity threats. And many companies have already realized that LinkedIn profiles are used in social engineering attacks. In the company’s handbook for new employees, cryptocurrency exchange Kraken tells their employees that they shouldn’t update their LinkedIn profile to say that they work for Kraken.

Using AI to fight AI

Riot recently passed the $2 million milestone in annual recurring revenue. Overall, Riot reaches 100,000 employees across its clients, like Y Combinator, Deel, Intercom and Le Monde. But the startup thinks cybersecurity is going to change drastically in the coming years and modern attacks are just getting started.

“This year, our big move will be AI. When I say that, I’m a bit annoyed as people think we are following trends. But we’ve been tracking AI for a while,” Netter said.

Large language models like GPT-3 or speech recognition models like Whisper are going to change the nature of cybersecurity threats. “AI is going to have a huge impact on hacking and social engineering. Tone has always been the issue with phishing emails. But AI is going to solve these tone issues,” Netter said.

Even beyond classic phishing emails, it’s going to become easier to conduct sophisticated campaigns at scale. For instance, with speech-to-text, GPT-3 and text-to-speech APIs, hackers could greatly increase the number and quality of phone-based attacks. Or maybe they could use voice messages so that their messages are more credible.

As hackers are upping their game, Riot also wants to improve its product. Dialogue-based language models like ChatGPT unlock new opportunities. That’s why Riot is already testing free-form courses with Albert, its virtual cybersecurity pal. Instead of selecting answers in a drop-down menu or sending simple queries, Riot users will soon write long messages to Albert directly.

Recently, the startup created a fun internal experiment that it doesn’t plan to release publicly. “It’s a training that asks you to put yourself in the shoes of a hacker and you have to get Albert’s credit card information,” Netter said. While that might be a bit too controversial for Riot’s customers, the same technology will make the company’s simulated attacks a lot more sophisticated — and it’s a promising roadmap.