Coalition

1.1 Identity & Business Model

Coalition is a San Francisco-based cybersecurity and insurtech company founded in 2017 with the mission to solve cyber risk and create a safer digital economy. The company operates as the world's first Active Insurance provider—a model that integrates traditional cyber insurance underwriting with proactive, technology-driven risk management. Unlike conventional carriers that price and pay claims reactively, Coalition combines continuous attack-surface monitoring, automated vulnerability alerts, and around-the-clock digital forensics and incident response (DFIR) into a single policy offering. Coalition is simultaneously a licensed cyber insurance carrier—through its subsidiary Coalition Insurance Company (CIC), which holds an A- AM Best rating—and a technology risk management platform. It serves businesses across sectors including healthcare, retail, information technology, legal, financial services, and energy, spanning SMBs to large enterprises. The Active Insurance model assesses an organization's risk at policy inception, monitors the insured's external attack surface throughout the policy term, proactively alerts policyholders when new vulnerabilities emerge, and provides rapid incident response when a cyber event occurs. Coalition operates in seven countries: the United States, Canada, the United Kingdom, Australia, Germany, Denmark, and Sweden. In May 2026, Coalition and Allianz Commercial announced a transformative 10-year agreement under which Allianz transitions its entire standalone commercial cyber portfolio to Coalition, establishing Coalition as Allianz's exclusive global cyber insurance partner across all commercial segments. [CO001, CO002, CO003, CO004, CO005, CO006]

1.2 Founders & Leadership Team

Coalition was co-founded in 2017 by Joshua Motta, who serves as CEO and co-founder. Motta brings a distinctive cross-disciplinary background spanning national security, technology, and finance: he was CXO and Head of Special Projects at Cloudflare (NYSE: NET, a $25B web infrastructure company), held positions at Goldman Sachs and the Central Intelligence Agency, and gained engineering experience at Microsoft—a rare combination of first-hand cyber threat intelligence and capital markets expertise that is central to the Active Insurance proposition. The company's leadership team is broad for a growth-stage private company. Jim Young serves as CFO overseeing financial operations and capital allocation. Shawn Ram leads as CRO responsible for broker distribution and GTM execution. Frank Fumarola serves as CPO driving product strategy. Maha Virudhagiri serves as CTO overseeing engineering and platform infrastructure. Tiago Henriques serves as Chief Underwriting Officer leading pricing, risk selection, and loss control. David Lynders leads insurance operations as Head of Insurance; John Littzi serves as General Counsel; Dylan Steele leads marketing as CMO; and Sisi Liu serves as Chief of Staff and Head of Strategy and Corporate Development. The leadership team reflects deep functional coverage across insurance operations, cybersecurity, technology, and capital markets. Allianz CEO Oliver Bäte currently sits as an independent Coalition board member and is expected to transition to a nominated director seat upon closing of the May 2026 Allianz partnership. Key-person risk around Joshua Motta is material—he is the public face and strategic architect of Active Insurance, and any CEO succession would carry disproportionate strategic risk for investors and partners alike. [CO009, CO010, CO011, CO012, CO013, CO014]

1.3 Funding History & Capital Structure

Coalition has raised approximately $800M in venture equity across multiple rounds, achieving unicorn status with its June 2022 Series F. That round raised $250M led by Allianz X, with participation from Valor Equity Partners and Kinetic Partners alongside existing investors including Index Ventures, Ribbit Capital, T. Rowe Price, Durable Capital Partners, and Whale Rock Capital; the round increased Coalition's valuation from $3.5B to $5B. In October 2022, Coalition formed Ferian Re, an independent Bermuda-based Class 3B reinsurer capitalized with approximately $300M from BDT Capital Partners (with The Pritzker Organization as minority investor), providing dedicated reinsurance capacity alongside established program partners Allianz Group, Arch Insurance North America, and Swiss Re Corporate Solutions. In March 2025, Coalition received a $30M corporate minority equity investment from Mitsui Sumitomo Insurance Co. (MS&AD Insurance Group), deepening a global strategic partnership and reaffirming the $5B post-money valuation. The investor base spans fintech-focused VCs (Ribbit Capital, Index Ventures), growth equity firms (Valor Equity, T. Rowe Price, Durable Capital), and strategic corporate investors from global insurance (Allianz X, Mitsui Sumitomo)—providing patient capital, distribution network access, and industry validation across multiple continents. Ferian Re is treated as a separate reinsurance entity and is not included in the ~$800M equity raise figure. [CO017, CO018, CO019, CO020, CO021, CO022]

1.4 Scale Metrics & Milestones

Coalition has achieved significant operational scale across policyholder count, premium volume, and geographic reach. By year-end 2022, the company protected 160,000+ policyholders with Active Insurance. Annualized gross written premium (GWP) exceeded $775M as of the June 2022 fundraise, with a reported nearly 200% year-over-year revenue growth rate at that time. Coalition's Active Insurance model delivers measurable policyholder outcomes: customers experience 73% fewer claims than industry average, the company has recovered $158M in stolen funds on behalf of policyholders, and 64% of closed claims are resolved with no out-of-pocket loss. Employee count stood at approximately 700–767 as of 2024 by third-party estimates. Key milestones include: the 2021 acquisition of Attune (an MGA and commercial insurance broker platform); the January 2023 launch of Coalition Insurance Company as a full-stack admitted carrier with an A- AM Best rating; the April 2025 launch of the redesigned Coalition Active Cyber Policy for US surplus lines; the November 2025 acquisition of Wirespeed (an automated managed detection and response platform using AI to triage threats in milliseconds); and the May 2026 announcement of the Allianz global commercial cyber portfolio transfer. As of 2025–2026, Coalition is cash-flow positive but has not yet achieved sustained net profitability, consistent with its aggressive international expansion posture. [CO026, CO027, CO028, CO029, CO030, CO031]

1.5 Adverse Considerations & Risk Signals

Despite Coalition's strong market position and growth trajectory, diligence scrutiny surfaces several risk factors that merit close monitoring. The company has not achieved sustained profitability despite approximately $800M raised; while cash-flow positive status has been reported as of 2025, the combination of aggressive international expansion, significant R&D investment, and capital-intensive insurance underwriting creates persistent questions about the timeline to net income. Employee reviews on platforms such as Blind cite concerns about management clarity, career progression, executive direction, and high turnover—potential signals of organizational scaling friction during rapid growth. Cyber losses among policyholders remain elevated: Coalition's own 2025 Cyber Claims Report found that 60% of 2024 claims stemmed from business email compromise (BEC) or funds transfer fraud, and average ransomware demands remained at approximately $1.1M despite a 22% year-over-year decline. This data illustrates the fundamental limitation of Active Insurance in fully preventing sophisticated, fast-moving cyber attacks—the model reduces frequency and severity but cannot eliminate them. The business model also carries inherent key-person dependency on Joshua Motta as founder-CEO and strategic architect of the Active Insurance concept. Finally, the May 2026 Allianz partnership, while transformative in long-term market potential, introduces significant execution risk: integrating a major incumbent insurer's global commercial cyber book while simultaneously expanding into new markets could strain management bandwidth and operational capacity. [CO016, CO033, CO040, CO041, CO042]

1.6 Exhibits

2.1 Market Boundary & Scope

The cyber insurance market is a sub-segment of commercial property and casualty (P&C) insurance covering organizations against the financial consequences of cyberattacks, data breaches, ransomware, business email compromise (BEC), privacy liability, and related digital risks. The market encompasses two forms of coverage: standalone cyber policies, which exclusively cover cyber risk and represent 72% of all cyber premiums by 2025 (AM Best), and packaged cyber endorsements bundled into general liability, professional liability, or technology E&O policies (28%). The spend included in market sizing calculations is gross written premium (GWP) or direct written premium (DWP) from commercial cyber insurance policies—covering first-party losses (business interruption, extortion, data restoration, crisis management) and third-party liability (privacy liability, regulatory fines, lawsuits from affected parties). Excluded from market boundary: personal/consumer cyber coverage products, general P&C insurance that silently covers cyber risk (so-called "silent cyber"), cybersecurity technology spend (SIEM, EDR, SOC/MDR services), cyber warranties from technology vendors, and parametric cyber products. Status-quo substitutes include self-insurance (large enterprises accepting cyber losses from corporate balance sheets), captive insurance programs, managed detection and response (MDR) services (which address frequency but not financial magnitude), and zero cyber insurance coverage (prevalent among ~90% of global SMEs). The most important adjacency is the active/proactive risk management market—services like Coalition Control that occupy the space between traditional cybersecurity and passive insurance, blurring the market boundary that Coalition pioneered. [CM001, CM002, CM003, CM004, CM005]

2.2 Market Sizing — TAM, SAM, SOM

Multiple authoritative sources triangulate the global commercial cyber insurance market at $15.3–16.6 billion in gross written premium (GWP) for 2024–2025, with material variation in forward projections depending on methodology and assumption horizon. The US National Association of Insurance Commissioners (NAIC) 2025 Cybersecurity Insurance Report—the most authoritative regulatory source—places the US market at $9.14 billion in direct written premium (DWP) in 2024 (including alien surplus lines). This represents a 7% contraction from $9.84 billion in 2023—the first recorded decline in US cyber insurance DWP. Munich Re, the largest global reinsurer, estimates global GWP at $15.3 billion in 2024 and $16.3 billion in 2025, with $10.6 billion (69%) attributable to North America. Swiss Re's Cyber Data Lake—covering approximately 70% of the global market—estimates $16.6 billion for 2025, implying 8% growth from 2024. Gallagher Re's proprietary Cyber Industry Database projects $14.8 billion (2024), $16.9 billion (2025), and $19.6 billion (2026) on a global basis. The TAM for Coalition is the global commercial cyber insurance addressable spend—approximately $15–17 billion in 2025 on a GWP basis. The SAM is North America commercial cyber (Coalition's established market)—approximately $10–11 billion based on North America's ~67–70% share of global premiums. The SOM (Coalition's current obtainable market) is US commercial SMB and mid-market cyber in the surplus lines and admitted markets, where Coalition competes most directly. Based on Coalition's $775M+ GWP run rate (2022) and North America market of ~$10B, Coalition represented approximately 7–8% of the North America commercial cyber market as of mid-2022 on a run-rate basis. Critically, only 10% of global SMEs (companies with revenue below $100M) carry any cyber insurance, compared to approximately 80% of large corporates (Swiss Re). This creates a persistent organic growth opportunity that Coalition's digital-first model is specifically designed to capture. [CM006, CM007, CM008, CM009, CM010, CM011]

2.3 Buyer & Payer Segmentation

The commercial cyber insurance buyer landscape segments into four primary tiers by company size and risk profile, each with distinct budget ownership, adoption dynamics, and purchase triggers. Large enterprises (annual revenue above $1 billion) are the most thoroughly insured, with approximately 80% carrying cyber coverage (Swiss Re). Purchasing decisions are owned by the CISO and CFO jointly, with budget approved at the board level; the primary adoption triggers are regulatory mandate compliance, SEC cyber disclosure requirements (effective December 2023 for public companies), audit committee scrutiny, and contractual obligations from enterprise customers. Coverage is typically layered, with primary policies from a lead insurer and excess capacity from multiple carriers, totaling $50–150M+ in coverage limits for the largest firms. The mid-market segment ($50M–$1B revenue) represents the fastest-growing buyer class; cyber insurance penetration in this segment is estimated at 40–60%, with budget ownership residing with the CFO or VP of Finance. Adoption is driven by cyber-specific contract requirements, broker recommendations at renewal, and post-breach anxiety after prominent industry incidents. SMB/small businesses (below $50M revenue) are the most underpenetrated segment globally, with adoption estimated at below 30% in the US and below 10% in Europe and Asia (Howden). Budget ownership rests with the owner-operator or controller; adoption friction includes price sensitivity and limited cybersecurity expertise to complete underwriting applications. Coalition targets SMBs in US surplus lines, where median annual premiums for sub-250-employee businesses stand at $1,740 in 2026 (Coalition data). Specialty verticals—particularly healthcare, financial services, and education—exhibit higher-than-median cyber risk and therefore higher adoption propensity, but also higher premiums (healthcare pays 42% premium above median per Gallagher) driven by HIPAA, SOX, and privacy liability exposure. Broker/agent channel is the dominant distribution mechanism for all commercial tiers; Coalition distributes through independent insurance brokers who can access Coalition's digital quoting platform. [CM016, CM017, CM018, CM019, CM020, CM021]

2.4 Growth Drivers & Adoption Catalysts

The primary engine of cyber insurance demand growth is the underlying threat environment. Ransomware remains the most costly category of cyber events; Munich Re's 2025 Cyber Insurance Risks and Trends report identifies ransomware as the leading cause of cyber insurance losses, present in 44% of all breaches (Verizon DBIR 2025). Business email compromise (BEC) and funds transfer fraud (FTF) represent the highest-frequency claim type, with FBI data showing $17 billion+ in reported US BEC losses over the past decade. The IBM Cost of a Data Breach Report 2025 estimates the global average cost of a data breach at $4.4 million—still a level that meaningfully threatens mid-market and SMB business continuity without insurance. Regulatory drivers are increasingly material. In July 2023, the US Securities and Exchange Commission (SEC) adopted rules requiring public companies to disclose material cybersecurity incidents within four business days on Form 8-K and to provide annual governance disclosures on Form 10-K. This materially elevated board-level awareness of cyber liability for public companies. The European Union's NIS2 Directive (effective October 2024) requires essential and important entities across 18 sectors to adopt risk management measures and incident reporting, directly increasing cyber insurance demand across Europe—with Howden estimating 28% year-over-year European cyber insurance premium growth in 2025. State-level privacy laws (led by CCPA in California, with over 20 US states having enacted privacy legislation) increase liability exposure for organizations handling personal data. Digital transformation drivers include cloud migration, remote work normalization, and IoT proliferation—all of which expand attack surface and correlate with higher cyber insurance demand. Munich Re's survey found 87% of C-level executives consider their organization's cyber protection to be inadequate, suggesting sustained demand growth even without new regulatory catalysts. [CM025, CM026, CM027, CM028, CM029, CM030]

2.5 Adoption Constraints & Adverse Evidence

Despite the growth narrative, the cyber insurance market faces material structural constraints that affect addressable market realization and Coalition's TAM capture. The most significant constraint in 2024–2026 is rate softening: global cyber insurance rates declined 22% from their mid-2022 peak (Howden), and US rates fell 5% on average in Q4 2024 (Marsh)—the first quarterly rate decrease after seven consecutive years of increases. Increased insurer and reinsurer capacity from new market entrants has driven this correction, compressing premium revenue per policy and reducing the financial attractiveness of cyber underwriting at current loss ratios. Systemic and correlated risk remains the market's existential threat. The July 2024 CrowdStrike software update outage—a non-malicious event that cascaded across millions of businesses globally—illustrated the catastrophic potential of systemic cyber events. Munich Re estimates the modeled accumulation potential for a 200-year return period event at $20–46 billion, which could exceed the entire current global cyber insurance market. The reinsurance market is highly concentrated: Howden Re's cyber risk report shows the top five reinsurers hold 62% of market share and the top ten account for 87% (NAIC 2025 report). A reinsurance withdrawal by one or two major players could significantly constrain primary market capacity. Actuarial data gaps also hinder market growth: cyber is a young line of business with limited historical claims data for accurate loss modeling, making it difficult for insurers to price coverage accurately—a challenge that, paradoxically, makes Coalition's Active Insurance approach (which generates continuous risk telemetry) a potential underwriting advantage. Finally, application denial rates are high: 41% of cyber insurance applications are rejected on first submission (Marsh McLennan)—a friction point that suppresses SMB adoption even among motivated buyers. The contradiction between stable combined ratios (averaging ~65–70% in 2024–2025) and rate softening raises the question of whether the market is under-pricing systemic risk, which could lead to a sudden reversal in market conditions if a major catastrophic cyber event occurs. [CM034, CM035, CM036, CM037, CM038, CM039]

2.6 Exhibits

3.1 Cyber Insurance Competitive Landscape Overview

The US commercial cyber insurance market is contested by two structurally distinct competitor tiers: technology-native InsurTech MGAs that bundle active risk monitoring with insurance coverage, and incumbent specialty carriers that rely on financial strength, broker relationships, and post-breach services. Coalition pioneered the integrated Active Insurance model in 2017 and, as of 2025, remains the largest tech-native cyber insurer by policyholder count at approximately 110,000 active policyholders and ~$775M annualized GWP. The InsurTech MGA segment includes At-Bay ($295.75M raised, 40,000+ policyholders, InsurSec platform), Cowbell ($208.3M raised, SME AI underwriting, Zurich partnership), Corvus (acquired by Travelers January 2024, AI underwriting integrated), and Resilience ($217M raised, enterprise CISO focus). The most strategically significant competitive event was Travelers' ~$435M acquisition of Corvus, validating the InsurTech model while arming an incumbent with AI underwriting capability and global distribution. The incumbent carrier tier is dominated by Beazley (Lloyd's specialty, Beazley Breach Response), Chubb (world's largest publicly traded P&C insurer, enterprise cyber ERM), AXA XL (AXA Group P&C division), and Zurich (partnered with Cowbell for Zurich Select Plus in 2025). Incumbents' primary advantages are financial strength ratings, global broker distribution, multi-line cross-sell, and established reinsurance relationships -- but they have materially less pre-breach technology investment than Coalition. The competitive risk for Coalition is convergence: as Travelers/Corvus demonstrates, the gap narrows when incumbents acquire or build comparable underwriting and monitoring technology. [CP001, CP002, CP003, CP004, CP005, CP006]

3.2 Direct InsurTech and MGA Peers

Coalition's most direct competitors are At-Bay, Cowbell, Corvus/Travelers, and Resilience -- each targeting overlapping customer segments with technology-enabled underwriting and, in At-Bay's case, near-identical InsurSec positioning. At-Bay (Mountain View, CA; founded 2016; CEO Rotem Iram) raised $295.75M across 8 rounds including a $185M Series D at $1.35B valuation (July 2021). Its InsurSec model pairs cyber insurance with the Stance platform (MDR, vulnerability scanning, dark web monitoring, vCISO advisory), achieving 40,000+ policyholders and $60 billion in risk under management as of 2025. At-Bay's 15-minute mean time to remediate via Stance MDR is a differentiating capability vs. Coalition's Wirespeed ADR. At-Bay acquired At-Bay Specialty Insurance Company (an E&S P&C carrier) in January 2023, giving it admitted-equivalent paper capability. At-Bay currently trails Coalition by approximately 2.5-3x in policyholder count. Cowbell (Pleasanton, CA; founded 2019) raised $208.3M from 16 investors and targets SMEs with AI-driven risk scoring via its Cowbell Factor methodology. Cowbell does not operate a proprietary insurance carrier -- depending on Zurich North America and Swiss Re for capacity. The June 2025 launch of Zurich Select Plus (modular multi-line E&S product) marks a strategic evolution to a multi-line specialty platform. The November 2025 brand refresh formalized this expansion beyond pure cyber. Cowbell's absence of a proprietary carrier constrains its actuarial data advantage relative to Coalition (CIC) and At-Bay. Corvus/Travelers: Corvus (Boston, MA; founded 2017) was acquired by Travelers in January 2024. Corvus had raised $160.8M pre-acquisition and developed an AI-driven Smart Cyber underwriting platform. Post-acquisition, Corvus expanded its Tech E&O product and now operates as Travelers' AI-enabled cyber underwriting capability. Travelers' global distribution, financial strength (Aa2/AA), and admitted carrier paper represent the most formidable incumbent threat to Coalition's growth. Resilience (New York, NY; founded 2016) raised $217M across 4 rounds (Series D $100M, July 2023) and differentiates through quantitative cyber risk modeling and enterprise CISO engagement. Resilience targets mid-market and enterprise accounts -- a segment adjacent to but less SMB-focused than Coalition's core market. [CP009, CP010, CP011, CP012, CP013, CP014]

3.3 Incumbent Specialty Carriers

Incumbent carriers compete on financial strength, breadth of coverage, global distribution, and brand reputation rather than technology differentiation. Their cyber products are largely reactive (post-breach response) rather than proactive (pre-breach prevention). Beazley PLC is a leading Lloyd's-based specialty insurer. Its Beazley Breach Response (BBR) product provides post-incident services (legal, forensic, PR, notification) and Beazley has an established position in professional liability, healthcare, and financial institutions cyber. Unlike Coalition, Beazley does not offer continuous pre-breach monitoring. Beazley's strength lies in its Lloyd's syndicate structure (global paper, flexible capacity), deep broker relationships, and recognized brand in specialty markets. Chubb Limited, the world's largest publicly traded P&C insurer with global operations across 54 countries, offers Cyber Enterprise Risk Management targeting medium-to-large enterprises. Chubb's competitive advantage is its Chubb Studio embedded distribution and white-glove enterprise client relationships -- it lacks Coalition's active monitoring stack. AXA XL, the P&C and specialty risk division of AXA Group, provides cyber liability coverage for large enterprises leveraging AXA's global balance sheet. AXA XL competes at the enterprise tier where Coalition is expanding via the Allianz partnership. Zurich North America distributes modular multi-line coverage via the Cowbell Select Plus partnership (launched June 2025), signaling that even traditional multi-line carriers see value in the InsurTech distribution layer. [CP017, CP018, CP019, CP020, CP021, CP022]

3.4 Feature and Pricing Comparison

Coalition's pricing and feature differentiation rests on three claims: (1) lower loss ratio from active monitoring enables competitive pricing for well-screened accounts, (2) Coalition Control is included at no additional cost (saving policyholders an estimated $20,000-$50,000 in standalone security tools), and (3) integrated DFIR capability and FTF recovery ($158M cumulatively) reduce total incident cost. The critical pricing dynamic is rate softening: median US SMB cyber premiums declined from ~$2,100 in 2024 to ~$1,740 in 2026 (per Marsh US cyber market data). As rates fall, the technology premium Coalition can command narrows. Feature differentiation: Coalition Control's combination of attack surface monitoring, zero-day alerts, TPRM, security checklists, and optional Wirespeed ADR is the most feature-rich integrated platform in the market. At-Bay Stance is directly comparable for core monitoring and MDR but lacks Coalition's data advantage (8+ years of claims data from 160k+ policyholders). Cowbell Factor provides AI-driven risk scoring but does not offer continuous monitoring depth comparable to Coalition Control or At-Bay Stance. Carrier model differentiation: Coalition's admitted paper (CIC, A- AM Best) available in 50 states, combined with surplus lines access via CIS, gives brokers maximum placement flexibility. At-Bay's E&S carrier covers non-admitted placements. Cowbell must route through partner carriers, limiting policy customization. This carrier ownership distinction is material for large broker clients who require admitted paper and rating consistency. [CP024, CP025, CP026, CP029, CP030, CP031]

3.5 Moat Durability and Competitive Risk

Coalition's most durable moats are its proprietary actuarial dataset (8+ years, 160k+ policyholders, 5M+ internet-exposed assets continuously monitored) and integrated carrier ownership (CIC admitted + FIC surplus lines). These two advantages compound: owning the carrier provides pricing control and loss feedback loops that pure MGAs (Cowbell) and E&S-only carriers cannot replicate as quickly. The most material competitive risk is At-Bay's sustained investment in the InsurSec model with growing scale. If At-Bay closes the policyholder count gap to within 2x of Coalition over the next 3 years, the data moat advantage narrows. A secondary risk is technology commoditization: Microsoft Defender, CrowdStrike Falcon, and SentinelOne are all expanding into SMB monitoring at low price points, potentially commoditizing Coalition Control's free platform differentiator. The Allianz partnership (May 2026, 10-year global distribution agreement) is Coalition's most significant de-risking move against scale disadvantage -- but creates strategic dependency on Allianz's sales priorities. Adverse evidence: Coalition's policyholder count declined from ~160,000 (2022) to ~110,000 active policyholders in 2025 -- a 31% reduction that management has not publicly explained. As of May 2026, no US state insurance department has publicly issued a ruling or regulatory challenge to the bundled monitoring + insurance model operated by Coalition, At-Bay, or similar InsurTech cyber insurers, though the regulatory landscape could evolve as the model scales. [CP033, CP034, CP035, CP036, CP037]

3.6 Exhibits

4.1 Revenue Model and Streams

Coalition's primary revenue is gross written premium (GWP) from annual commercial cyber insurance policies. Policies are distributed exclusively through licensed insurance brokers and are underwritten either on an admitted basis through Coalition Insurance Company (CIC, NAIC #29530, A- AM Best, all 50 states + DC since 2023) or on a surplus lines basis through Coalition Insurance Solutions (CIS, CA license #0L76155). GWP is estimated at approximately $775M annualized in 2025, based on the 160,000+ policyholder count and ~$4,844 implied average GWP/policyholder disclosed at the Series F in July 2022, adjusted for the subsequent policyholder decline to approximately 100,000 policyholders and market premium changes. A material portion of GWP is ceded to Ferian Re (Coalition's Bermuda Class 3B captive reinsurer, capitalized with ~$300M by BDT Capital Partners in October 2022) and to program reinsurance partners including Allianz, Arch, Swiss Re Corp Solutions, Ascot Group, and Vantage. Retained net written premium (NWP) through CIC and CIS is not publicly disclosed; the cession percentage is a primary diligence unknown. Coalition Control, the cyber risk management platform providing AI-driven alerts, vulnerability scanning, and monitoring, is provided free-of-charge to all policyholders as part of their bundled premium — there is no standalone SaaS revenue stream. Coalition Incident Response (CIR), operating as Coalition Security, provides fee-based DFIR and claims-adjacent services, but CIR revenue is not separately disclosed and some costs are likely recognized as Loss Adjustment Expense (LAE) within the insurance operation rather than as standalone service revenue. [CI001, CI002, CI003, CI004, CI005, CI006]

4.2 Pricing and Monetization

Coalition's cyber insurance pricing is risk-adjusted and underwritten using its Active Data Graph, which integrates external threat intelligence with policyholder-specific technology signals. The median US SMB cyber insurance premium was approximately $1,740 in 2026 per Marsh market data, reflecting softening conditions from the 2021–2022 hard market peak. Coalition's bundled active monitoring model enables it to offer competitive pricing relative to traditional carriers while maintaining a lower expected loss ratio. Broker commissions are the primary channel cost, typically running 10–15% of GWP for US commercial cyber insurance; Coalition does not publicly disclose its specific commission rates or whether it offers volume overrides or contingent commissions. The Allianz May 2026 exclusive 10-year partnership is structured with Coalition receiving upfront consideration through increased equity, performance-based elements linked to growth and profitability of the cyber business, and a commitment from Allianz to further equity investment. This arrangement is financially unusual: it combines channel economics (Allianz as capacity and distribution anchor) with an equity partnership, blurring the line between reinsurance program costs and strategic investor returns. Coalition does not charge separately for Coalition Control (the risk platform) or for routine security alert notifications. CIR fee-based engagements represent an incremental monetization stream for incident-level services, but this revenue is not separately disclosed and is unlikely to be material relative to GWP-based premium income. [CI007, CI008, CI009, CI010]

4.3 Unit Economics and Sales Efficiency

Coalition's unit economics are anchored by strong claims performance relative to peers. In 2024, Coalition policyholders experienced 73% fewer claims than the industry average, with claims frequency declining an additional 7% year-over-year. These figures, while self-reported and not independently audited, are directionally corroborated by AM Best's A- financial strength rating, which evaluates the insurer's loss experience. The 56% rate of claims resolved without any policyholder out-of-pocket expense reflects effective LAE management and Coalition Incident Response capabilities. Customer acquisition is exclusively broker-mediated; Coalition does not sell directly to end customers at scale. CAC is therefore primarily the cost of broker relationship investment, commission payments (captured in TI002), and marketing/brand spend to generate broker pipeline. The approximate 89% renewal rate (cited by industry analysts) implies strong policyholder retention and a favorable customer lifetime value relative to acquisition cost. Policyholder count declined from 160,000+ in 2022 to approximately 100,000 as of mid-2026, a ~37% reduction that represents either intentional repricing, stricter underwriting, or competitive losses — the explanation has not been officially disclosed by Coalition. Coalition Incident Response negotiated ransomware payments down by an average of 60% in 2024, enabling policyholders to resolve claims at lower total cost; this is a measurable CIR operational outcome that supports the retention value proposition even where it does not directly appear as top-line revenue. Coalition's recovery of $31M for policyholders via law enforcement cooperation in 2024 is a meaningful claims mitigation outcome. [CI011, CI012, CI013, CI014, CI015, CI016]

4.4 Cost Structure and Capital Adequacy

Coalition's primary operating cost drivers are: (1) broker commissions (~10–15% of GWP), (2) reinsurance cession premiums to Ferian Re and program partners, (3) technology platform and infrastructure costs for Coalition Control and the Active Data Graph, (4) Coalition Incident Response labor and subcontractor costs, and (5) overhead for approximately 726 employees as of March 2026. Unlike software companies or hardware-intensive businesses, Coalition carries minimal physical capex and no inventory, making its capital intensity relatively low by technology standards — though the regulatory capital requirements for CIC (as an admitted insurance carrier) represent a distinct form of capital commitment. Coalition has raised approximately $800M in total equity across nine disclosed funding rounds from 2017 through March 2025. The most recent was a $30M strategic investment from Mitsui Sumitomo Insurance, which reaffirmed the $5B post-money valuation. Ferian Re (~$300M, BDT Capital-backed) is a separately capitalized entity not consolidated on Coalition Inc.'s balance sheet. The July 2022 Series F ($250M, led by Allianz X) and the May 2026 Allianz partnership (upfront equity + performance-based compensation + further equity investment commitment) represent deep Allianz financial alignment that reduces near-term independent financing risk but creates strategic dependency concentration. The Wirespeed acquisition (November 2025) represents a technology capital expenditure; acquisition cost was not publicly disclosed. Coalition has not disclosed a burn rate, cash balance, or runway. The combination of confirmed 2023–2024 workforce reductions, the push toward cost discipline, and the favorable claims performance (73% fewer claims) suggests the company may be approaching operational breakeven or profitability — but no financial filing or management disclosure confirms this. [CI018, CI019, CI020, CI021, CI022, CI023]

4.5 Financial Gaps and Verdict

Coalition is a private company with no SEC-registered securities, no publicly available GAAP financial statements, and no statutory annual statement accessible via standard public registries. The highest-reliability substitute for financial diligence is Coalition Insurance Company's (CIC) annual statutory financial statement filed with state insurance departments (California, New York, and all admitted-state DOIs), which is publicly accessible via NAIC CIS filings or state DOI portals — but has not been retrieved in this research cycle due to dynamic-lookup URL limitations. The primary financial gaps are: (1) NWP after reinsurance cessions — the retained premium revenue after ceding to Ferian Re and program partners is the single most important undisclosed financial metric, as it determines the true scale of Coalition's underwriting operation; (2) GAAP/statutory net income or EBITDA — no profitability data is available; (3) the financial magnitude of the Allianz portfolio transition — adding Allianz's commercial cyber book could increase GWP by hundreds of millions but the volume is undisclosed; (4) CIR standalone revenue and margin — it is unclear whether CIR is a meaningful revenue contributor or primarily a LAE-offset function. Financial verdict: Coalition's revenue quality is high on the dimensions that can be assessed — contractual premium, recurring annual policies, favorable claims performance, and institutional reinsurance backing from Allianz, Arch, and Swiss Re Corp Solutions. The A- AM Best rating independently validates CIC's financial strength. The principal risk is not revenue quality but revenue opacity: without statutory financials, underwriting diligence requires accessing CIC's annual statement data from state insurance department filings. The Allianz 10-year exclusive partnership is transformationally significant and, if the portfolio transition performs as implied, Coalition's GWP could approximately double within 2–3 years — but the diligence investor cannot yet verify this projection. [CI028, CI029, CI030, CI031, CI032, CI033]

5.1 Product Modules & Active Insurance Platform

Coalition delivers what it calls Active Insurance — an integrated platform that bundles cyber insurance coverage with continuous security tooling, incident response, and threat intelligence. This stands in contrast to traditional cyber insurers who issue policies without real-time security engagement. The commercial proposition centers on a feedback loop: security data improves underwriting precision, lower-risk policyholders pay less, and claims data sharpens security alerting. The flagship non-insurance module, Coalition Control, is a SaaS security platform provided to all policyholders at no additional charge. Control performs continuous external attack surface monitoring, generates a dynamic Cyber Health Rating, manages third-party vendor risk, provides compliance evidence collection (mapped to NIST SP 800-53, SOC 2 Type II, CIS v8.1), and issues zero-day vulnerability alerts with remediation guidance. Premium Control features include Wirespeed Automated Detection and Response (ADR), Employee Security Awareness Training, and Managed Email Security. The insurance product has evolved significantly. As of April 2025, Coalition launched the Active Cyber Policy, a redesigned surplus-lines cyber offering with eleven previously endorsement-only coverages now embedded as base Insuring Agreements. The policy includes Vanishing Retention (claim-free year incentive), reduced retention for early Funds Transfer Fraud reporting, Affirmative AI Coverage (including deepfake fraud), and Any One Claim Coverage. Available to organizations with up to $5 billion in annual revenue, with limits up to $15 million. Coalition Incident Response (CIR), operating as Coalition Security (a separate Coalition affiliate), provides Digital Forensics and Incident Response (DFIR) services. Post-acquisition of Wirespeed, CIR now offers Automated Detection and Response (ADR) with a median time to verdict of 1,801 milliseconds, leveraging probabilistic AI and ISO 2859 quality standards. [CE001, CE002, CE003, CE004, CE005, CE006]

5.2 Technology Architecture & Active Data Graph

Coalition's technology architecture revolves around what the company calls the Active Data Graph — a proprietary data layer that combines external attack surface telemetry, cyber claims outcomes, and threat intelligence signals. This unified data model is used for three purposes: (1) dynamic risk scoring for insurance underwriting, (2) real-time alerting delivered through Coalition Control, and (3) model calibration for Wirespeed's automated threat detection. The attack surface monitoring engine performs continuous external scanning of policyholder domains, IP ranges, and cloud assets, identifying exposed services, misconfigured systems, and known-vulnerable software versions. This scanning capability underpins the Cyber Health Rating score visible to policyholders in Control. The Wirespeed ADR engine uses a conditional logic algorithm with probabilistic AI to triage threat detections. The platform operates at millisecond resolution, achieving a median time to verdict of 1,801 milliseconds and delivering decisions through ChatOps integrations — Slack, Microsoft Teams, email, and SMS. The 99.99% noise reduction in alerts is attributed to automated triage eliminating false positives and reducing analyst fatigue. Wirespeed's architecture adheres to ISO 2859, the internationally recognized Acceptable Quality Limit standard. Control integrates with existing security tooling via documented integration connectors, including Microsoft Defender and SentinelOne, enabling visibility into security posture from within Coalition's platform without requiring tool replacement. Coalition's technology organization is led by Chief Technology Officer Maha Virudhagiri and Chief Product Officer Frank Fumarola. The engineering team is augmented by Wirespeed co-founders Tim MalcomVetter (GM, Coalition Security) and Jake Reynolds (Head of Engineering, Coalition Security). [CE011, CE012, CE013, CE014, CE015, CE016]

5.3 Trust, Security & Compliance

Coalition's product carries multiple layers of trust and compliance requirements. As a licensed insurer across eight countries, Coalition Insurance Company (CIC) is subject to state and national insurance regulatory oversight, which imposes solvency, reserving, and consumer protection requirements. Coalition Control's security features include compliance checklist generation mapped to major frameworks — NIST SP 800-53, SOC 2 Type II, and CIS v8.1 — allowing policyholders to use Control for dual-purpose risk management and compliance evidence collection. This reduces the cost of compliance for SMBs, a meaningful differentiator for the target market. The Wirespeed platform's ISO 2859 adherence provides a process-level quality standard for threat detection consistency, though this is an internal quality standard, not an independent security audit. Coalition has not publicly disclosed SOC 2 attestation for its own platform, third-party penetration test results, or bug bounty program details. For an enterprise selling security products, the absence of public third-party security attestation is a notable gap. Coalition Control processes sensitive customer security posture data, which creates privacy and data custody obligations — privacy policy and data processing agreements exist but are not published in full. Coalition's Active Cyber Policy includes Affirmative AI Coverage, covering AI-related threats including deepfake-enabled fraud, which is a leading-edge coverage feature that few market peers match as of 2026. [CE018, CE019, CE020, CE021, CE026, CE030]

5.4 Roadmap & Development Pipeline

Coalition's publicly disclosed product roadmap is sparse — consistent with its private company status and competitive positioning. However, observable signals indicate several active development threads. The Wirespeed integration (acquired November 2025) represents the most significant near-term engineering initiative: merging Wirespeed's ADR into the Active Data Graph, enabling automated threat containment to inform real-time coverage decisions. This integration is described as live at launch, suggesting initial integration is complete but deeper fusion is ongoing. The Active Cyber Policy launch (April 2025) demonstrates cadenced insurance product development. The addition of Affirmative AI Coverage and Any One Claim Coverage suggests an underwriting team actively tracking emerging threat vectors and policy design. Coalition's April 2026 blog update on Enhanced Business Recovery announced a suite of endorsements designed to protect revenue, speed up settlements, and keep businesses running during claims. This indicates post-claims product expansion beyond pure prevention. The Risky Tech Ranking Q1 2026 update shows continued investment in threat intelligence publishing, which serves as both a marketing signal and a data-collection mechanism. The international expansion trajectory (8 markets) suggests continued geographic distribution investment. Coalition has not disclosed plans for consumer lines, D&O/E&O expansion, or vertically specialized cyber products. [CE022, CE023, CE024, CE025, CE033]

5.5 Product & Technical Risk Assessment

Coalition's product and technical model carries several structural risks that merit focused diligence. First, the security tooling depends on continuous data quality and coverage breadth. The Active Data Graph is only as accurate as Coalition's telemetry coverage of attack surfaces. If a material portion of policyholder assets fall outside automated scanning coverage — e.g., air-gapped systems, OT environments, non-standard cloud deployments — the Cyber Health Rating will misrepresent risk, potentially leading to underpriced policies and unexpected claims. Second, the Wirespeed integration introduces engineering execution risk. Merging a recently acquired automated MDR platform with an established insurance data lake is non-trivial. Integration failures could degrade detection performance, introduce false positives at scale, or create liability exposure if automated containment actions disrupt policyholder operations. Third, Coalition's AI and ML models are proprietary and unaudited. The conditional logic algorithm used by Wirespeed and the risk scoring models in Coalition Control are not subject to any disclosed independent audit, algorithmic fairness review, or model risk management governance disclosure. As AI-assisted underwriting and automated containment become mainstream, regulatory scrutiny of these models is increasing. Fourth, Coalition does not disclose technology partnerships beyond named integrations (Microsoft Defender, SentinelOne). Dependency on major vendors for security telemetry creates supplier concentration risk. Cloud infrastructure provider is not disclosed. [CE029, CE032, CE034, CE035, CE036]

6.1 Customer Segmentation and Target Market

Coalition's target market is small-to-medium-sized businesses (SMBs) across the United States and seven additional markets: United Kingdom, Canada, Australia, Germany, Denmark, Sweden, and France. The core product — the Active Cyber Policy — is designed for organizations with up to $5 billion in annual revenue. This revenue ceiling positions Coalition's primary TAM below large enterprise accounts historically served by incumbent carriers such as Chubb, AXA XL, and Beazley. The buyer persona is primarily the Chief Financial Officer or Chief Operating Officer (budget authority), with IT security teams as users of the Coalition Control platform. In smaller SMBs, the broker often drives product selection. The payer is the business itself, through its commercial insurance budget. Coalition distributes exclusively through licensed insurance brokers, not through a direct-to-customer sales channel. In non-admitted (surplus lines) U.S. states, Coalition works with wholesale E&S brokers; in admitted-market states where the Coalition Insurance Company (CIC) is licensed, it works with retail agents as well as wholesale brokers. This channel model leverages broker relationships and avoids the cost of building a direct sales team, but creates dependency on intermediary relationships for customer acquisition. The Allianz partnership (May 2026) introduces a new customer segment: Allianz's existing global commercial cyber policyholders transitioning to Coalition's platform. This segment is enterprise-grade — larger organizations with more complex coverage needs — and represents a strategic expansion beyond Coalition's core SMB focus. Integration of enterprise accounts requires product-level adjustments to Coalition's coverage design and platform capacity. Across verticals, Coalition's claims data suggests concentration in professional services, technology, retail, and financial services — sectors with high BEC/FTF exposure. Healthcare is also a notable segment given high ransomware targeting. Vertical-specific product customization has not been publicly announced. [CU001, CU002, CU003, CU004, CU005, CU006]

6.2 Adoption Trajectory and Scale

Coalition's publicly disclosed policyholder count has grown from an implied base at its 2022 Series F ($5 billion valuation) to 100,000+ policyholders contributing to the Active Data Graph as of the 2025 Claims Report, to 160,000+ businesses protected as of the May 2026 Allianz portfolio transfer announcement. This represents implied multi-year growth, though Coalition has not disclosed year-over-year new policyholder acquisition rates or renewal volumes. The 2022 Series F press release by GlobeNewswire describes Coalition as a market leader in cyber insurance for SMBs with operations across five countries at that time, indicating international expansion has continued since. The $250 million Series F, led by Allianz X, was raised to fund customer acquisition globally, underwriting technology, and the expansion of Coalition's admitted carrier. Coalition's claims data provides the most direct observable proxy for customer engagement and platform utilization. The 2025 Cyber Claims Report showed that BEC (Business Email Compromise) and FTF (Funds Transfer Fraud) together accounted for 60% of all claims, consistent with prior years. Coalition's proactive CIR response to FTF events — including real-time government and financial institution outreach — appears to have contributed to the $158 million in stolen funds recovered. The Allianz partnership materially changes the customer count trajectory. Allianz's commercial cyber insurance book globally represents a large, established enterprise customer base that will transfer to Coalition's platform. The scale of this transfer is not publicly quantified, but Allianz's commercial cyber portfolio is among the largest globally, suggesting this could represent tens of thousands of additional policy relationships. Coalition's Control platform, free with every policy, has 100% enrollment by all active policyholders as a condition of coverage. This ensures platform utilization data is co-extensive with the policyholder count, a structural advantage over SaaS businesses where free-tier activation lags paid conversion. [CU008, CU009, CU010, CU011, CU012, CU013]

6.3 Named Customer Evidence and Proof

Coalition does not publicly disclose named individual customer accounts. This is consistent with its SMB customer base, where individual policyholder identification would create privacy and competitive concerns for customers. As a result, traditional enterprise customer reference diligence paths — named case studies, customer-quoted press releases, and conference testimonials — are largely unavailable for Coalition. The primary publicly available customer proof takes the form of aggregate outcome statistics from Coalition's annual Cyber Claims Report, which is authored by Coalition and not independently audited. Key metrics include the 73% fewer claims figure, 64% zero out-of-pocket closed claims, and $158 million in recovered funds. These metrics are compelling but are company-reported and would benefit from independent verification. Coalition's case studies page (coalitioninc.com/case-studies) provides access to anonymized customer stories organized by industry and claim type, which serve as proxy proof of deployment and outcomes. These case studies describe real scenarios but do not identify customers by name. Coalition also publishes its Active Insurance in Action book, which describes twenty representative incident scenarios across ten industries. These materials demonstrate use-case breadth but are not equivalent to named customer references. G2 reviews for Coalition were sparse as of the available data (the 2021 archive showed no reviews on G2), indicating that buyer community review coverage is limited. This may reflect the SMB broker-mediated distribution model, where individual buyers are less likely to publish software reviews, compared to SaaS products sold to IT buyers. The Allianz partnership represents the most visible named customer relationship: Allianz Commercial is itself a customer-as-partner, distributing Coalition policies to its commercial cyber clients. This relationship provides indirect validation of Coalition's product quality by a sophisticated insurance buyer. No verified evidence of major customer complaints, churn events, disputed claims, or class action litigation was found in the research trail. Reddit MSP community discussions about Coalition cyber insurance were blocked by the platform, preventing direct community sentiment analysis. [CU015, CU016, CU017, CU018, CU019, CU020]

6.4 Retention, Durability, and Switching Costs

Coalition has not publicly disclosed Net Revenue Retention (NRR), Gross Revenue Retention (GRR), Net Promoter Score (NPS), renewal rates, customer lifetime value, or cohort-level retention data. These are the primary metrics for assessing customer durability in a subscription business. Observable proxy signals suggest strong retention dynamics. First, the bundled Active Insurance model — combining insurance coverage with an always-on security platform — creates meaningful switching costs that pure-play cyber insurance carriers cannot replicate. A policyholder who switches carriers must replace not just their policy but their security monitoring workflow, compliance evidence tooling, and incident response relationship. This increases the friction of churn relative to commodity insurance products. Second, the Vanishing Retention feature embedded in the Active Cyber Policy directly incentivizes renewal: policyholders who make no claims in a policy year receive a retention premium reduction (implied 10-25% range, exact percentage not disclosed). This aligns the financial interest of the policyholder with staying on the Coalition platform and maintaining strong security hygiene. Third, Coalition's reported 73% fewer claims relative to the industry suggests that policyholders experience meaningfully better outcomes on Coalition's platform — a self-reinforcing retention signal. If policyholders experience fewer incidents and fewer out-of-pocket losses, the value proposition for renewal is strong. Industry-level benchmarks for SMB cyber insurance retention suggest annual renewal rates of 78–85%, with active monitoring platforms achieving higher retention than passive insurers. Coalition's structural advantages suggest it should achieve retention at or above industry median. Coalition's broker-mediated distribution also affects retention: renewals are managed through brokers, who have strong commercial incentives to keep clients with Coalition if claim outcomes are favorable. Broker inertia (avoiding disruption of working relationships) is an additional retention factor. Key retention data gaps: actual GRR and NRR figures are management information and not publicly disclosed. Premium rate changes at renewal — a key retention-impacting factor — are not publicly disclosed. [CU021, CU022, CU023, CU024, CU025, CU026]

6.5 Expansion, Channel Dependency, and Concentration Risk

Coalition's primary growth levers are geographic expansion (8 markets live, with more planned), product expansion (enterprise accounts via Allianz, ADR add-on), and channel expansion (new broker relationships). The Allianz partnership is the single largest near-term expansion initiative, as it adds a ready-made enterprise commercial customer base without new customer acquisition cost. However, the Allianz partnership also introduces a partner channel concentration risk. If the Allianz relationship deteriorates — due to pricing disputes, regulatory changes, performance gaps, or competitive shifts — Coalition would face immediate loss of the enterprise customer segment it gained. The terms of the partnership, including exclusivity arrangements, portfolio transfer mechanics, and exit provisions, are not publicly disclosed. The broker distribution model creates channel concentration risk at a structural level. Coalition's customer acquisition pipeline flows entirely through licensed insurance brokers and agents. If major wholesale brokers shift preferred vendor relationships to competitors — particularly if a CrowdStrike or SentinelOne-backed cyber insurer enters with broker distribution incentives — Coalition's new business pipeline could slow materially. Coalition's geographic expansion across 8 countries introduces regulatory complexity. Insurance licensing, coverage design, and claims handling requirements vary significantly across markets. The UK, Australia, Germany, Denmark, Sweden, and France each have distinct insurance regulatory frameworks. Coalition's ability to deliver a consistent Active Insurance experience globally is not independently verified. Land-and-expand dynamics: existing policyholders can expand their Coalition relationship by adding premium Control features (ADR, email security, training), increasing policy limits, or adding locations. The Active Data Graph compounds in value as policyholder count grows, and the Wirespeed ADR integration creates an upsell lever. However, SMB accounts have limited expansion ceiling compared to enterprise accounts. Customer concentration is structurally mitigated by the SMB focus: no single SMB policyholder likely represents more than 0.1% of total GWP. However, the Allianz partnership and any other enterprise-tier accounts introduced via partner channels could create meaningful revenue concentration. Post-Allianz portfolio transfer, if that transfer includes large enterprise accounts with high premiums, the concentration profile changes significantly. [CU027, CU028, CU029, CU030, CU031, CU032]

7.1 Risk Landscape Overview and Severity Ranking

Coalition's risk profile is shaped by the inherent characteristics of the cyber insurance business: policy risk is correlated (a single attack can trigger hundreds of simultaneous claims), the threat environment is adversarially evolving (attackers adapt specifically to defeat defenses), and the regulatory environment is fragmented across jurisdictions with inconsistent frameworks. These structural features create risks materially different from property-casualty or general liability insurance. The five primary risk vectors in descending severity are: (1) correlated systemic cyber loss event — low-probability, catastrophic-impact; (2) reinsurance market unavailability — medium-probability, high-impact; (3) war exclusion litigation invalidation — low-probability, critical-impact on policy enforceability; (4) underwriting model failure from novel threat patterns — medium-probability, high-impact; (5) Allianz partnership concentration — medium-probability, high revenue impact. All five risks interact: a correlated loss event could simultaneously stress the reinsurance tower, trigger war exclusion litigation if the event has state-actor attribution, and potentially breach the Allianz revenue guarantee. Coalition's risk architecture is therefore not additive but multiplicative under tail scenarios. Investment-implication: the risk profile supports investment if (a) the reinsurance structure is verified as stable and well-capitalized, (b) the underwriting model is validated against out-of-sample threat data, (c) loss ratios demonstrate stability over multiple claim years, and (d) the Allianz partnership terms include sufficient exit protection. Without management data room access, these conditions cannot be fully verified. [CR001, CR002, CR003, CR004, CR005]

7.2 Regulatory and Legal Risks

Coalition operates as a licensed insurance carrier (Coalition Insurance Company, CIC) in admitted US states and as an eligible surplus lines carrier through wholesale brokers in non-admitted states. This dual structure creates regulatory obligations at both the state and federal level that vary by jurisdiction. The most significant US regulatory risk is NYDFS Part 500 cybersecurity regulation, which governs covered entities including insurance companies licensed in New York. Coalition as a NY-licensed insurer must comply with updated Part 500 requirements effective November 2023, including annual certification of compliance, CBO (Chief Information Security Officer) designation, penetration testing, and incident reporting obligations. Failure to comply exposes Coalition to enforcement action including license revocation. The war exclusion is the highest-severity legal risk in Coalition's underwriting model. Following the NotPetya attacks (2017), courts in multiple jurisdictions addressed whether nation-state-attributed cyberattacks are covered under war exclusions. The New Jersey appellate court ruled in Merck v. Ace American Insurance (January 2024 affirmation of trial court) that the war exclusion did not apply to NotPetya because the exclusion language was ambiguous in the cyber context. Lloyd's of London responded by mandating updated war exclusion language for all Lloyd's cyber policies from March 2023, creating a potential split between Lloyd's-backed and non-Lloyd's-backed policies on coverage scope. If future litigation results in courts ruling war exclusions unenforceable in cyber policies, Coalition would face uncapped exposure for state-actor attacks. Data privacy liability is an additional legal vector. Coalition holds sensitive security posture data for 100,000+ businesses, including vulnerability scan results, access credentials, and incident records. A breach of Coalition's own platform would create GDPR, CCPA, and potential negligence liability across all jurisdictions where policyholders operate. The California Insurance Department's oversight (admitted carrier CIC) adds a compliance layer for California policyholders. Internationally, Coalition's 8-country expansion creates regulatory fragmentation. UK insurance regulation (PRA/FCA), Australian APRA requirements, German BaFin oversight, and French ACPR licensing each impose distinct capital, conduct, and reporting requirements. The risk of a regulatory enforcement action in any of the 8 jurisdictions could restrict Coalition's ability to write new business in that market. No public evidence of active regulatory enforcement actions, pending litigation, or material regulatory violations was found against Coalition or CIC in the research trail. [CR006, CR007, CR008, CR009, CR010, CR011]

7.3 Operational and Technology Risks

Coalition's operational model is built on the premise that proactive security monitoring prevents claims. This creates an operational risk that is the inverse of traditional insurers: if the prevention platform fails (Coalition Control data quality degrades, alert thresholds are wrong, or CIR response time is insufficient), claims frequency rises sharply without a corresponding reduction in premium rates until the next renewal cycle. The most severe operational risk is correlated systemic loss. A cyberattack targeting a shared vulnerability across thousands of Coalition's policyholders — analogous to the SolarWinds or Log4Shell events but affecting insured organizations — could trigger simultaneous claims that exceed Coalition's loss reserve and potentially its reinsurance tower. The 2017 NotPetya attack caused $10 billion+ in global losses; a future attack of equivalent or greater scale targeting SMB infrastructure (cloud services, VPN appliances, email platforms) could hit thousands of Coalition policyholders simultaneously. Swiss Re and Munich Re have both publicly warned about the systemic nature of cyber risk and their efforts to limit aggregate cyber exposure. Coalition's own platform security is an operational risk unique to its model. Coalition Control collects external attack surface data, vulnerability scan results, and security configuration information for 100,000+ businesses. If Coalition's platform were breached, attackers would have access to a comprehensive map of security weaknesses for a large fraction of the insured SMB market. This makes Coalition a high-value target for both ransomware (extortion) and intelligence operations. Coalition's own security posture, SOC capabilities, and incident response for internal events are not publicly disclosed. Underwriting model calibration risk: Coalition's automated underwriting uses machine learning to price cyber risk based on external signals (scan data, dark web exposure, industry, revenue). As attackers adapt specifically to evade these signals — for example, adversarially optimizing their infrastructure to pass Coalition's risk scoring — the model's accuracy degrades. Novel attack patterns not in the training data (new ransomware strains, AI-enabled phishing at scale, supply chain attacks) could cause systematic premium inadequacy. CIR response capacity: Coalition's Cyber Incident Response team is available 24/7 to all policyholders. With 160,000+ policyholders post-Allianz, a mass-casualty cyber event could generate hundreds of simultaneous CIR requests, exceeding Coalition's response capacity. The quality and consistency of CIR response at scale has not been independently assessed. Wirespeed integration risk: the November 2025 acquisition of Wirespeed adds ADR capabilities but also integration risk. Wirespeed's technology must be integrated into Coalition's platform without degrading existing detection capabilities; staff integration, customer migration, and liability transfer are all operational variables. [CR014, CR015, CR016, CR017, CR018, CR019]

7.4 Partner and Dependency Risks

Coalition's revenue and customer scale are increasingly dependent on a small number of strategic partnerships and critical infrastructure providers. These dependencies create concentration risks that are materially different from organic SMB distribution. Allianz partnership concentration: following the May 2026 portfolio transfer, Coalition's insured count grew from 100,000 to 160,000+ policyholders. If the Allianz relationship contributes 60,000 policyholders and they represent a disproportionate share of premium (enterprise accounts typically carry higher limits and premiums), Allianz-originated revenue could represent 30-50% of Coalition's total GWP. The partnership terms — exclusivity period, minimum volume commitments, exit provisions — are not publicly disclosed. If Allianz exits or restructures the partnership, Coalition loses both the policyholder count and the distribution channel for future enterprise accounts. Reinsurance market access: Coalition is a primary insurer, not a final risk-bearer. Coalition transfers a significant portion of its premium risk to reinsurers (Swiss Re, Munich Re, Lloyd's syndicates). As the cyber reinsurance market has hardened, capacity is contracting: Lloyd's mandated war exclusion changes in 2023 reflect reinsurers' growing discomfort with uncapped cyber exposure. If reinsurers reduce capacity available to Coalition, Coalition's ability to write new business or renew existing accounts at competitive prices is constrained. A reinsurance treaty repricing at annual renewal could compress Coalition's margins materially without offsetting premium rate increases. Cloud infrastructure dependency: Coalition Control and the underlying ASM data infrastructure are cloud-hosted (likely AWS or GCP). A significant outage or service degradation at the cloud provider would interrupt Coalition's real-time monitoring capabilities, potentially voiding the "active" component of Active Insurance during the outage window and creating policy coverage disputes. Threat intelligence data providers: Coalition's risk scoring depends on third-party data feeds — Shodan and Censys for external attack surface data, VirusTotal/OSINT feeds for dark web exposure, and threat intelligence feeds. If these data providers change their API terms, raise prices, or experience data quality degradation, Coalition's underwriting model accuracy declines. Mitsui Sumitomo Insurance dependency: the $30M strategic investment creates a partnership expectation for Japan/APAC distribution. If the Mitsui relationship does not generate expected business volume, the strategic rationale for the investment weakens, potentially creating tension around the investment terms. [CR021, CR022, CR023, CR024, CR025, CR026]

7.5 Financial and Business Model Risks

Coalition's financial model relies on three core assumptions: (1) its underwriting model accurately prices cyber risk; (2) its Active Insurance model reduces claims frequency sufficiently to support favorable loss ratios; and (3) the reinsurance market remains accessible and affordable. All three assumptions face structural headwinds in 2026. Loss ratio risk: Coalition has reported 73% fewer claims than industry average. However, this metric is company-reported and unaudited. If the differential is partially attributable to favorable self-selection (Coalition's underwriting filter selects lower-risk businesses) rather than platform effects, then as Coalition grows and underwrites less-selective segments (including Allianz enterprise accounts, which may not have gone through Coalition's traditional risk-scoring filter), the loss ratio advantage may narrow. A loss ratio deterioration from 50-60% to 70-80% (industry median) would materially compress margins. Ransomware re-escalation: the 2024 cyber market saw a resurgence in ransomware activity following a brief lull. Verizon DBIR 2025 showed ransomware in 92% of industries. AI-enabled phishing (deepfake audio/video for BEC) is substantially increasing BEC claim frequency. If BEC/FTF (already 60% of Coalition's claims) accelerates in frequency or severity, loss ratios deteriorate without offsetting premium increases. Premium adequacy: cyber insurance premiums softened in 2023-2024 after the 2021-2022 hardening. If premiums remain soft while claims severity increases (ransomware payments growing 50-100% year-over-year in some segments), underwriting profitability at Coalition deteriorates. Coalition has not disclosed its combined ratio or expense ratio, making premium adequacy assessment impossible from public data. Capital adequacy: CIC as an admitted carrier is subject to state minimum capital requirements. As Coalition's GWP grows, so do required surplus levels. If Coalition's growth requires capital injections beyond existing investor capacity, a dilutive capital raise or debt issuance becomes necessary. Coalition's last disclosed raise was the $5B valuation Series F (2022); the post-Series F financial trajectory is not publicly disclosed. Burn rate and profitability: Coalition has not disclosed revenue, EBITDA, net loss, or cash burn in any public filing. The company's financial health — whether it is cash-flow positive, break-even, or burning capital — is unknown. As a private company, this is expected, but it is a diligence-critical gap for any investor. The Mitsui $30M investment (May 2025) and the Allianz partnership (May 2026) are both positive signals, but neither confirms profitability. FX and international capital risk: operating in 8 currencies creates FX exposure in premium collection, claims settlement, and regulatory capital requirements. An adverse USD strengthening could reduce the GBP/EUR/AUD equivalent of international GWP. [CR028, CR029, CR030, CR031, CR032, CR033]

7.6 Mitigations, Kill Criteria, and Diligence Asks

Coalition has structural mitigations for several of its primary risks. The Active Insurance model is itself a mitigation against underwriting model failure: real-time monitoring provides feedback loops that allow Coalition to identify policyholders with degraded security postures and adjust renewal terms before claim events. The Vanishing Retention and CIR capabilities reduce claim frequency even after the initial policy is bound. The NYDFS Part 500 compliance obligation is both a risk and a self-mitigating discipline. By requiring annual cybersecurity certification and CISO designation, it forces organizational security hygiene that reduces Coalition's own platform breach risk. Coalition's trust page and disclosed SOC 2 compliance (if maintained) further attest to internal security controls. The correlated loss risk is managed primarily through reinsurance structuring. Coalition's catastrophic loss exposure is bounded by the height and attachment points of its reinsurance tower. A well-structured reinsurance program with catastrophe cover provides the primary mitigation for systemic cyber events. However, the structure of Coalition's reinsurance program — tower height, attachment points, reinstatement provisions — is not publicly disclosed. The Allianz dependency risk is partially mitigated by Coalition's pre-existing SMB customer base of 100,000+. Even if the Allianz relationship terminated, Coalition would retain its core SMB book. However, the enterprise growth trajectory and reputational impact of a partnership dissolution would be material. Kill criteria represent the specific measurable triggers at which the investment thesis would need to be re-evaluated: 1. **War exclusion void ruling**: A state supreme court or federal circuit ruling that war exclusions are unenforceable in cyber insurance policies would void Coalition's primary carveout for state-actor attacks. Monitoring signal: active appeals in Merck-related or Lloyd's exclusion litigation. 2. **CIR capacity collapse under mass-casualty event**: Coalition's CIR team is unable to respond to a mass cyber event affecting 1,000+ policyholders simultaneously, resulting in bad faith claims or regulatory sanctions. Monitoring signal: service outage reports, regulatory complaints, class action filings. 3. **Reinsurance treaty non-renewal at acceptable terms**: Coalition is unable to renew its primary cyber catastrophe reinsurance treaty at actuarially sound pricing, forcing it to either reduce underwriting capacity or accept uncapped correlated loss exposure. Monitoring signal: Swiss Re/Munich Re cyber reinsurance capacity announcements. 4. **Allianz partnership dissolution**: Allianz exits the exclusive global partnership within 24 months of announcement, removing 60,000+ policyholders and the enterprise channel. Monitoring signal: Allianz annual reports, Insurance Business Magazine coverage. 5. **Regulatory de-licensing in core market**: NYDFS or California DOI revokes or suspends Coalition Insurance Company's license due to compliance failures. Monitoring signal: NAIC RIRS, state DOI enforcement actions. [CR035, CR036, CR037, CR038, CR039, CR040]

8.1 Investment Thesis and Anti-Thesis

The investment thesis for Coalition rests on four mutually reinforcing structural arguments. First, the global cyber insurance market is growing at 10-15% CAGR toward $30B+ by 2030, and Coalition has established itself as the leading technology-differentiated participant in the US SMB segment — the most underserved buyer cohort in the market. Second, Coalition's Active Insurance model creates compounding competitive advantages: more policyholders generate more data, which improves the risk model, which reduces claim frequency, which improves pricing accuracy and retention. Third, the May 2026 Allianz partnership — in which Allianz exclusively transfers its global commercial cyber portfolio to Coalition — is the strongest available third-party validation of Coalition's platform quality, providing 60,000+ enterprise policyholders, a global distribution channel, and a strategic moat in the enterprise segment. Fourth, the acquisition of Wirespeed ADR expands Coalition's value proposition into endpoint detection and response, creating an integration advantage against pure-play insurers. The anti-thesis is anchored by five material concerns. First, Coalition has disclosed no financial performance data post-Series F: revenue, loss ratio, combined ratio, burn rate, and profitability trajectory are all unknown. This creates a diligence leap of faith that is unusual for a company at a $5B valuation. Second, cyber insurance carries unique systemic risk: a single correlated cyber event could exhaust Coalition's reinsurance protection, creating a catastrophic loss scenario that cannot be quantified without reinsurance structure data. Third, the war exclusion legal framework is unsettled — if courts invalidate war exclusions in cyber policies, Coalition's carveout for state-actor attacks disappears. Fourth, AI-enabled BEC is accelerating the frequency and severity of the primary claims category (60% of Coalition's claims are BEC/FTF), threatening the 73% fewer claims advantage. Fifth, the Allianz partnership creates a single-partner concentration risk: if Allianz exits, Coalition loses potentially 30-50% of its GWP growth trajectory. The key question that determines whether the thesis dominates the anti-thesis is financial performance: if Coalition has achieved 80%+ combined ratio on its SMB book and is approaching break-even at scale, the thesis is compelling. If loss ratios are deteriorating and the company is burning capital, the anti-thesis becomes dominant. [CV001, CV002, CV003, CV004, CV005, CV006]

8.2 Recommendation, Confidence, and Risk Rating

Based on the totality of publicly available evidence, the recommendation for Coalition is **conditional proceed with a research-more posture**. This is not equivalent to a buy or hold rating — it means the available evidence supports investment thesis credibility but is insufficient to commit to a specific entry price without data room access. The confidence level is **medium**: the thesis is differentiated and well-supported by structural evidence (market position, Active Insurance model, Allianz partnership), but the anti-thesis risks are material and the absence of financial data creates an unbounded uncertainty range. The risk rating is **medium-high**: the five risk vectors identified in Chapter 7 (correlated loss, war exclusion, reinsurance tightening, AI-BEC escalation, Allianz concentration) are individually manageable but collectively create a tail scenario where multiple risks compound simultaneously. The valuation stance is **fair to stretched at the $5B 2022 mark**, assuming: - GWP estimate of $700M-$1B (based on 100,000-160,000 policyholders at $4,000-$7,000 blended average premium) - Revenue multiple of 5-7x GWP is reasonable for a technology-differentiated insurer at scale - However, the $5B mark was set in the 2021-2022 peak insurtech valuation environment; public insurtech multiples have compressed 40-60% since then - The Allianz partnership and Wirespeed acquisition are positive developments since the 2022 mark, partially offsetting multiple compression If Coalition's actual GWP is at the high end ($1B+) and loss ratio is below 65%, the $5B valuation is fair. If GWP is at $700M and loss ratio is above 75%, the valuation is stretched. Without financial disclosure, this determination cannot be made. Target return/hold framework: a new investment at $5B would require a 3-5 year hold to IPO or strategic acquisition. A bull case IPO or acquisition at $8-12B would generate 60-140% return on a $5B entry. A base case at $5-7B generates 0-40%. A bear case at $2-3B generates a 40-60% loss. [CV007, CV008, CV009, CV010, CV011, CV012]

8.3 Valuation Context and Entry Discipline

Coalition's last disclosed primary financing was the $250 million Series F in February/June 2022 at a $5 billion post-money valuation. The Mitsui Sumitomo Insurance $30 million strategic investment in May 2025 was disclosed as a strategic investment, not a primary equity round, and did not include a valuation mark. No secondary market transactions or new equity rounds have been publicly disclosed since the Series F. The $5 billion valuation context: at the time of the Series F (mid-2022), leading insurtech companies were trading at 5-15x revenue, and private market multiples were at cyclical peaks. The global cyber insurance market was in a hard rate cycle with premiums increasing 50-100% year-over-year. Both factors supported elevated private valuations. Since 2022: (1) interest rates rose materially, compressing growth multiples; (2) public insurtech companies experienced multiple compression of 40-70% (e.g., Lemonade, Hippo); (3) cyber insurance premiums softened 15-25% in 2023-2024; (4) reinsurance costs increased. These factors suggest the $5B 2022 mark carries significant vintage risk. However, three developments since 2022 are positive for Coalition's valuation: (1) the Allianz exclusive global partnership (May 2026) is a major de-risking event that validates the technology platform and provides a clear path to enterprise scale; (2) the Wirespeed ADR acquisition expands the product moat; (3) the 160,000 policyholder count demonstrates continued SMB market growth. Whether these offset the macro multiple compression is the core valuation debate. Dilution and preference overhang: Coalition has raised ~$775M+ in primary equity funding across all rounds. At a $5B valuation, this implies significant dilution from early rounds. Liquidation preferences — common in late-stage VC investments — could create a waterfall structure where investors ahead of common stock receive disproportionate proceeds in sub-$5B exit scenarios. The cap table structure and preference stack are not publicly disclosed. Entry discipline principles for a new investment: (1) require data room access before committing; (2) anchor on current-year GWP multiple, not 2022 mark; (3) stress-test for reinsurance availability and war exclusion scenarios; (4) negotiate liquidation preference parity or cap; (5) require management financial guidance with variance bounds. [CV013, CV014, CV015, CV016, CV017, CV018]

8.4 Bull, Base, and Bear Scenarios

Valuation scenarios are constructed based on GWP estimates, loss ratio assumptions, and applicable valuation multiples for insurance and insurtech companies at analogous scale and stage. **GWP Estimate Basis:** 100,000-160,000 policyholders × blended average premium of $4,000-$7,000 per year = $400M-$1.1B GWP range. The wide range reflects uncertainty about enterprise vs. SMB mix and average premium differences. Base case: $700M GWP. **Bull Case ($8B-$12B valuation, 3-5 year horizon):** - Assumptions: Allianz enterprise book adds $300M+ GWP and proves durable; combined ratio achieves 85%; Coalition achieves $1.2B GWP by year 3; Wirespeed ADR creates $50M+ ARR from premium tier; reinsurance structure stable; IPO window opens at 10x GWP. - Exit path: IPO at 10-12x GWP ($12-14B) or strategic acquisition by a major P&C carrier (Travelers, Chubb, AXA) at 8-10x GWP. - Probability signal: requires all five of Allianz durable, strong financials, favorable reinsurance, war exclusion risk contained, and IPO market opening. **Base Case ($4.5B-$6.5B valuation, 3-5 year horizon):** - Assumptions: Allianz book moderately accretive; combined ratio 90-95%; GWP grows to $850M; premium platform generates moderate upsell; reinsurance mildly tightens; IPO at 6-8x GWP. - Exit path: IPO at 6-8x GWP ($5-7B) or late-stage secondary/structured exit. - Probability signal: requires continued SMB market leadership, stable loss ratio, and stable Allianz relationship. **Bear Case ($1.5B-$3B valuation):** - Assumptions: Allianz exits or underdelivers; loss ratio deteriorates to 75%+; reinsurance costs increase materially; AI-BEC acceleration erodes claims advantage; down-round or distressed sale at 2-3x GWP. - Exit path: strategic acquisition at 2-3x GWP ($1.4B-$2.1B) or IPO at depressed multiples. - Probability signal: triggered by any two of war exclusion ruling, Allianz exit, loss ratio deterioration, and reinsurance non-renewal. The key valuation pivot point is the loss ratio on the Allianz enterprise book: if enterprise accounts have higher loss ratios than the SMB book (as expected, given less precise risk scoring), the combined ratio will rise and multiples will compress accordingly. [CV019, CV020, CV021, CV022, CV023, CV024]

8.5 Comparable Set and Valuation Multiples

Coalition's valuation is best assessed against a hybrid comparable set: technology-enabled cyber insurers (primary comparables), traditional cyber insurance leaders (structural comps), and cybersecurity platform companies (multiple reference). Direct comparables in the private cyber insurer segment: At-Bay raised $200M at a $1.35B valuation in 2022 — approximately 1/4 of Coalition's mark at the time; Cowbell raised $100M Series C at a $1.5B valuation (2023); Resilience raised $100M Series D at an undisclosed valuation (2024). These comps suggest Coalition commands a material premium to direct cyber insurer peers, which is justified by Coalition's scale (10x+ policyholder count vs. At-Bay) and the Allianz validation. Traditional cyber insurance benchmarks: Beazley (LSE: BEZ), a leading global cyber insurer, trades at approximately £4-5B market cap with cyber insurance as a significant portion of its book. Beazley's GWP was approximately £5B in 2024 (all lines), implying a 0.8-1.0x GWP multiple — well below Coalition's implied 5-7x. However, Beazley is a traditional insurer without Coalition's technology platform, commanding lower multiples. Cybersecurity platform comps: CrowdStrike (NASDAQ: CRWD) trades at 15-20x revenue with a $70-80B market cap, reflecting its SaaS-like subscription model and market leadership. While not directly comparable (CrowdStrike is a pure cybersecurity platform without insurance), the premium multiple reflects the value of active protection plus data network effects — the same architectural thesis as Coalition. Coalition's insurance-anchored model limits its addressable multiple vs. pure SaaS but provides revenue predictability via GWP that pure SaaS lacks. M&A reference: Travelers acquired Corvus Insurance (cyber insurtech) in 2024 at an estimated $200-280M — consistent with a 1.5-2.5x GWP multiple for an early-stage cyber insurer without Coalition's scale or platform differentiation. Cross-reference inference: Coalition's defensible premium to direct cyber insurer comps is justified by scale and technology differentiation. A reasonable range for Coalition vs. Cowbell (1.5B at similar stage) is 3-5x premium based on policyholder count difference. Coalition's multiple relative to Beazley is explained by tech platform and growth trajectory. The 5-7x GWP multiple range is supportable as the central case, with risk-adjusted downside to 2-3x GWP. [CV025, CV026, CV027, CV028, CV029, CV030]

8.6 Exit Readiness and Final Diligence Asks

Coalition is exit-ready in a bull scenario but faces several structural prerequisites for a liquidity event. For an IPO, Coalition would need to: (1) demonstrate two or more years of profitable underwriting with a disclosed combined ratio; (2) complete the Allianz enterprise integration and show loss ratio parity with the SMB book; (3) achieve $1B+ GWP run rate for market capitalization support at intended multiples; (4) resolve or hedge the war exclusion litigation risk; (5) establish sustainable reinsurance at defined attachment points. The probability of all five conditions being met within 36 months is moderate. For a strategic acquisition, the most likely acquirers are major P&C insurance companies (Travelers, Chubb, AXA, Zurich, Allianz itself), global reinsurers seeking primary market exposure (Munich Re, Swiss Re), and large cybersecurity platform companies seeking insurance distribution (CrowdStrike, Palo Alto Networks). The Allianz exclusive partnership may reduce the universe of willing acquirers — if the partnership includes exclusivity language that creates acquirer friction. Exit timeline: given the 2022 Series F date and typical VC fund life cycles, the primary Series F investors (including Allianz X as lead) would prefer a liquidity event by 2026-2028. The Allianz partnership, completed May 2026, could accelerate an M&A path with Allianz as acquirer, or serve as a strategic floor value signal to competing acquirers. The final diligence package that must be reviewed before investment commitment consists of six items, in order of criticality: (1) reinsurance treaty structure; (2) loss ratio by cohort (SMB vs. Allianz enterprise); (3) annual renewal rate and GRR; (4) current-year GWP and revenue trajectory; (5) Allianz partnership contractual terms (exclusivity, exit, revenue share); (6) NYDFS Part 500 annual certification filing status. Thesis-break triggers: the five triggers identified in Chapter 7 apply equally here. In addition, if management confirms that the combined ratio has exceeded 100% for any trailing 12-month period, the financial risk profile escalates significantly. Any adverse NYDFS enforcement action or failure to renew the reinsurance treaty at current terms would represent immediate thesis-break events. [CV031, CV032, CV033, CV034, CV035, CV036]