Cyberhaven

1.1 Identity, product scope, and location ambiguity

Cyberhaven presents itself as an AI and data security company whose core differentiator is data lineage: the company says its platform follows how sensitive data originates, moves, and changes across endpoints, cloud, SaaS, on-prem systems, and AI tools. Current product marketing and the February 2026 growth release describe a single architecture spanning DSPM, DLP, insider risk management, and AI security rather than a loose collection of separate point products. That unified positioning matters because later chapters can treat Cyberhaven as a platform company, not just a browser-extension or classic DLP vendor. Identity basics are directionally clear but not perfectly clean. Redpoint and Tracxn both place the company in San Jose and list five founders, while Cyberhaven's own public materials use different Bay Area datelines over time: San Jose in September 2024, Palo Alto in April 2025, and Mountain View in late 2025 and early 2026. The extension privacy policy also lists a Palo Alto mailing address. For diligence purposes, the safest canonical description is that Cyberhaven is a private Bay Area company with strongest non-company support for San Jose, but with headquarters precision still needing direct confirmation. Sector focus is more concrete. Cyberhaven publicly targets technology/SaaS, manufacturing, law firms, investment management, and healthcare, which lines up with its messaging around protecting sensitive intellectual property, regulated data, and AI workflows. The company is best treated as a late-stage private security vendor that reached unicorn status in 2025 but still discloses only selected operating metrics. [CO001, CO002, CO003, CO004, CO005, CO006]

1.2 Founders, leadership bench, and key-person dependence

Redpoint and Tracxn both list five founders for Cyberhaven: Cristian Zamfir, George Candea, Radu Banabic, Vitaly Chipounov, and Volodymyr Kuznetsov. Public founder bios are sparse in currently available sources, but the repeated five-founder listing across investor and data provider surfaces is strong enough to treat that lineup as the company's best-supported founding roster. George Candea also appears in Tracxn as a board observer, indicating at least some founder continuity into governance even after the company became more commercially scaled. Howard Ting appears to have been the executive who turned Cyberhaven from a research-heavy organization into a scaled commercial security vendor. BankInfoSecurity reports that when Ting joined in June 2020 the company had roughly 18 people, versus about 220 by May 2025. Cyberhaven then materially deepened the bench in September 2024 by adding Nishant Doshi, Edward Sharp, Kristin Vines, and Manoj Gupta across product, finance, people, and corporate development. Those hires are important because they show the company institutionalizing for a larger go-to-market and platform roadmap before the Series D. Leadership continuity is still a watch item. Ting resigned as CEO in May 2025, Doshi took over after a three-month transition, and Ting remained on the board. By February 2026, Cyberhaven's own release identified Doshi as CEO and added James McCarthy and Aman Sirohi to the leadership team. That sequence reduces single-executive dependency relative to early 2024, but the company still shows material key-person exposure around CEO succession and the product leadership brought in during the 2024 scale-up. [CO003, CO017, CO018, CO019, CO020, CO021]

1.3 Capital formation, investors, and governance signals

Cyberhaven's public financing history is unusually well disclosed for a private security company. The company announced a $33 million Series B in December 2021 led by Redpoint, followed by an $88 million Series C in June 2024 led by Adams Street Partners and Khosla Ventures, and then a $100 million Series D in April 2025 led by StepStone Group with new investors Schroders and Industry Ventures. The Series D announcement put total funding at $250 million and valuation at $1 billion. That is the strongest primary-source capital stack available and should be the baseline for later chapters. Governance became more visible during the Series C. Cyberhaven disclosed that Adams Street partner Fred Wang joined the board as part of that financing, which is the clearest public board addition in the reviewed materials. Redpoint's company page separately confirms it first partnered with Cyberhaven in the 2021 Series B, highlighting that Redpoint is a longer-tenured stakeholder than the Series C and D entrants. Tracxn adds breadth by listing 23 institutional and 6 angel investors, but that should be treated as directional because public databases often classify rounds and investor types differently from company releases. One important diligence nuance is that total-raised figures do not line up perfectly across sources. Cyberhaven says $250 million after Series D, while Tracxn says $236 million over six rounds as of the same date. The gap likely reflects database treatment of grants, historical rounds, or investor round attribution rather than a substantive capital mismatch, but it is still a reminder that only round-level company announcements should be treated as canonical. [CO011, CO012, CO013, CO014, CO015, CO035]

1.4 Cover metrics, disclosure limits, and public operating signals

Cyberhaven discloses enough to establish maturity, but not enough to underwrite the business without management access. The strongest public cover metrics are the $1 billion Series D valuation, official total funding of $250 million, triple-digit fiscal 2026 revenue growth, and customer growth above 50%. The company also publicly claims penetration into four of the top five Forbes AI 50 companies and the top five North American banks, plus usage by large organizations in finance, law, retail, healthcare, and media. Those claims indicate enterprise relevance and regulated-data exposure even though they stop short of giving customer count, ACV, retention, or logo-level revenue concentration. Public disclosure becomes much weaker on scale metrics that matter most for valuation work. No reviewed public source gave absolute ARR, revenue, or customer count. Headcount is only partially supportable: BankInfoSecurity described Cyberhaven as roughly 220 people by May 2025, while PitchBook's public FAQ lists 282 employees and Tracxn surfaces a different, partially visible employee-count field. Because none of those are official company KPI disclosures, headcount should be treated as a low-confidence range rather than a canonical number. Security posture signals are better than financial transparency. Cyberhaven's Trust Center advertises SOC 2 Type 2, GDPR, CCPA, and PCI DSS v4.0.1 artifacts, along with penetration testing and cyber-insurance materials. The browser extension privacy policy further confirms that employer customers control extension data and that the policy was updated in September 2024. Those are useful diligence breadcrumbs, but the underlying documents remain access gated and should be requested directly. [CO012, CO022, CO023, CO024, CO025, CO033]

1.5 Milestones, adverse events, and what later chapters can reuse

The reusable company chronology is straightforward. Public sources support a 2016 founding, a 2021 Series B, a 2022 insider-threat product launch, a June 2024 Series C that brought in Adams Street and added a board seat, a September 2024 leadership expansion, a December 2024 browser-extension compromise, a unicorn-making Series D in April 2025, a CEO handoff in May 2025, a November 2025 Deloitte Fast 500 ranking, and a February 2026 results release that reported strong growth without giving absolute financials. Those events collectively show a company moving from technical origin story to category-marketing scale in a compressed window. The adverse event is material and should carry forward into the risks chapter. TechCrunch, BleepingComputer, and Nightfall all describe a malicious Chrome extension update published after a company-account compromise in late December 2024. Reported impact included exposure of authenticated sessions and cookies, roughly 400,000 extension users at risk, and linkage to a wider campaign affecting more than 35 extensions and roughly 2.6 million users. That incident does not negate the product thesis, but it is a reputational and operational stress test for a company selling data-protection software. The growth narrative after the incident remained strong. Cyberhaven still closed Series D, changed CEOs without obvious public disruption, ranked #51 on Deloitte's 2025 Technology Fast 500, and then reported triple-digit revenue growth in fiscal 2026. Later chapters can reuse that sequence as the core frame: strong capital and category momentum, paired with disclosure gaps and a meaningful operational blemish. [CO005, CO015, CO019, CO021, CO022, CO026]

1.6 Exhibits

2.1 Market boundary, included spend, and substitutes

The right market boundary for Cyberhaven starts with what the product actually claims to do. Official Cyberhaven materials position the company as an AI and data security platform that unifies DSPM, DLP, insider risk management, and AI security across endpoints, cloud, on-prem, SaaS, and AI tools. That means the included spend is not “all cybersecurity” and not even the full universe of data security. The most relevant pools are enterprise spend on discovering sensitive data, classifying it, monitoring how it moves, preventing unauthorized transfer, and investigating risky user or AI-assisted data handling. Adjacent spend includes native data security suites from Microsoft Purview, cloud-delivered DLP from Zscaler, and CNAPP-integrated DSPM from Palo Alto Networks. Status-quo substitutes are native Microsoft controls, legacy DLP stacks, manual data classification programs, and point products focused only on cloud repositories. Excluded spend should include generic SIEM, firewall, endpoint protection, and broad infrastructure security budgets that do not directly buy data discovery, data classification, exfiltration prevention, or insider-risk response. This boundary matters because Cyberhaven’s public messaging is about data-in-motion context, lineage, and response quality, not about owning the whole security stack.[CM001, CM002, CM003, CM004, CM006, CM007]

2.2 Sizing lenses and why public TAM/SAM/SOM remains constrained

Public market sizing is useful only if the boundary logic is kept explicit. The broadest adjacent lens is DLP: Grand View sizes the global DLP market at $1.87B in 2022 and $9.33B by 2030, with cloud deployment already the largest mode. The next lens is insider risk management, where ResearchAndMarkets puts the market at $2.4B in 2024 growing to $3.7B by 2030, while Verified Market Reports publishes a larger $3.14B in 2024 to $8.23B by 2033 path. The most Cyberhaven-adjacent emerging category is DSPM, but even there public estimates diverge sharply: Growth Market Reports says $1.42B in 2024 to $17.2B by 2033, while DataHorizzon places DSPM tools at $1.8B in 2023 and $5.7B by 2033. Palo Alto’s vendor-authored market guide adds a still different frame, citing $415M-$2B 2025 market valuations and 25%-37% annual growth. Taken together, the evidence supports a meaningful and expanding data-centric security opportunity, but not a clean nested TAM/SAM/SOM pyramid. The categories overlap, the forecast years differ, and some sources count standalone tools while others include integrated platform modules. That is enough to bound the market directionally, but not enough to claim a precise public Cyberhaven SAM or SOM.[CM020, CM021, CM022, CM029, CM030, CM032]

2.3 Buyer segmentation, budget ownership, and adoption path

The public buyer map is more security-and-compliance led than developer led. Cyberhaven’s own marketplace and homepage messaging repeatedly target security teams, IT professionals, CISOs, and regulated-data operators, while Microsoft’s insider-risk documentation shows how purchases often sit inside compliance, security, and tenant-administration workflows with licensing gates and explicit role-group setup. In practice, the economic buyer is usually a CISO, compliance leader, or central security platform owner; the operational users are security analysts, insider-risk investigators, and IT administrators; and the payer is commonly a central security, compliance, or Microsoft/Purview-adjacent platform budget. The adoption path is also visible in public materials: organizations first recognize data-sprawl or insider-risk problems, then evaluate whether legacy or native controls are producing too much noise, then pilot across one or two data channels, then connect the tool into identity, ticketing, DLP, or cloud workflows, and only then scale into a broader data-security program. Because privacy settings, opt-in indicators, connectors, and cross-platform policy enforcement all matter, deployment is not a commodity seat sale. Budget unlocks most plausibly when a buyer can link insider-risk, AI governance, and compliance reporting into one measurable control plane.[CM003, CM005, CM011, CM013, CM014, CM015]

2.4 Growth drivers, adoption constraints, and valuation relevance

The adoption case for Cyberhaven is supported by several durable drivers. First, cloud and multicloud sprawl keep pushing sensitive data across endpoints, SaaS, and cloud repositories, which is exactly the discovery and classification problem highlighted in public DSPM research. Second, AI adoption creates new exfiltration and governance problems: Cyberhaven, Microsoft, and Palo Alto all emphasize protecting data that now moves through AI tools and agents. Third, regulatory and governance pressure is increasing; SEC rules now require more explicit cyber-risk management and governance disclosure by public companies, while Microsoft and CISA materials show how insider-risk controls are becoming formal programs rather than ad hoc investigations. Fourth, breach data keeps the urgency high. HIPAA Journal’s summary of Verizon’s 2024 DBIR shows internal actors causing 70% of healthcare breaches and human error involved in 68% of breaches under Verizon’s methodology. The constraints are equally real: legacy environments are fragmented, alert quality can be poor, licensing and permissions can slow rollout, and public market forecasts disagree about category scope. For valuation, that means Cyberhaven is exposed to a real and growing market, but investors should discount for implementation friction and for the absence of public evidence on contract sizes, win rates, and vertical mix.[CM009, CM014, CM020, CM022, CM023, CM025]

2.5 Exhibits

3.1 Competitive landscape and buyer substitutes

Cyberhaven is not selling into a greenfield category. Public shortlists and vendor-authored comparison pages consistently place it against three different competitor classes at once: incumbent enterprise DLP suites such as Microsoft Purview, Forcepoint, and Symantec DLP; direct insider-risk and response-centric platforms such as Mimecast Incydr and Proofpoint; and adjacent cloud- and AI-oriented DLP vendors such as Nightfall. That pattern matters because the buyer's “alternative” is often not a single like-for-like product. In many enterprises, the practical substitute is to extend an existing Microsoft or legacy DLP estate, add insider-risk workflow tooling on top, and delay any rip-and-replace purchase until a new program owner has budget and executive air cover. Cyberhaven therefore competes as much against the status quo and suite expansion as it does against a single direct peer. The landscape is also heterogeneous by use case. Cyberhaven's lineage-first messaging fits buyers who care about knowledge-flow reconstruction, insider investigations, and stopping risky sharing across endpoints, SaaS, and AI tools. Microsoft competes where M365-native coverage, privacy-by-design workflows, and procurement leverage dominate. Forcepoint and Symantec represent the legacy control-heavy path for large hybrid estates. Mimecast and Proofpoint pitch fast insider-risk response and multichannel evidence. Nightfall attacks the SaaS, browser, and AI-app problem with simpler deployment and public pricing signals. For a diligence view, that means Cyberhaven must win on precision and workflow quality, not merely on having “DLP” in the product name. [CP030, CP031, CP035, CP036, CP038]

3.2 Where Cyberhaven leads and where rivals are strongest

Cyberhaven's clearest public advantage is context. Its own product and comparison pages say the platform combines content analysis with data lineage, follows where data originated and moved, and reconstructs the events leading to a leak or insider-risk incident. Those same materials claim materially fewer false positives and much faster investigations than legacy, content-only DLP. That is a persuasive buying story for R&D-heavy and regulated teams that care less about box-checking compliance and more about determining whether sensitive data was actually exposed, who handled it, and whether the action was malicious or accidental. Rivals, however, each attack a different weak spot in that story. Microsoft's public documentation emphasizes deep content analysis, machine learning, broad policy coverage, and privacy-sensitive insider-risk operations inside an installed M365 estate. Forcepoint and Symantec keep the incumbent posture argument alive for large enterprises that already have mature policy teams and hybrid infrastructure. Proofpoint and Mimecast lean into investigation-centric workflows, multichannel telemetry, and automated response controls. Nightfall's public pages and pricing lean hard into fast rollout and modern SaaS, browser, endpoint, and AI-app coverage. Varonis pushes adjacent platform breadth by pairing DLP with DSPM, UEBA, access governance, and AI security. In other words, Cyberhaven's message is differentiated, but the short list is deep because adjacent vendors can frame the buying decision around bundle leverage, simplicity, or cloud coverage instead of lineage. [CP001, CP002, CP003, CP004, CP011, CP014]

3.3 Moat durability, switching costs, and adverse evidence

The public evidence supports a real but contestable moat. Cyberhaven has traction signals — more than 50% customer growth in FY2026, wins in AI-heavy and regulated accounts, and fresh funding at a $1 billion valuation — that imply meaningful resources to keep extending the platform. Recent launches also show the company broadening from endpoint-centric lineage into cloud connectors, data-at-rest scanning, AI-powered classification, and data cataloging. That expansion is strategically necessary because the strongest adverse evidence does not say Cyberhaven lacks a core idea; it says buyers may still see coverage gaps, deployment burden, and trust risk around the edges. Those edge risks are material. Nightfall's competitor brief attacks Cyberhaven on SaaS visibility, endpoint upload coverage, and remediation speed. SecurityWeek's reporting on the December 2024 malicious Chrome-extension update creates a procurement objection that rivals can use in competitive situations, especially for browser-heavy deployments. Incumbents also retain non-technical switching-cost advantages: Microsoft can bundle DLP and insider-risk capabilities into broader compliance spend, while Forcepoint, Symantec, Proofpoint, and Mimecast can position themselves as extensions of existing control planes rather than net-new security programs. The result is that Cyberhaven's moat appears strongest where the buyer explicitly values context-rich investigation and lower false-positive rates, and weakest where procurement prizes bundled distribution, pre-existing workflows, or publicly provable pricing and compliance coverage. [CP005, CP006, CP007, CP008, CP009, CP010]

3.4 Exhibits

4.1 Revenue model, pricing mechanics, and GTM motion

Cyberhaven's monetization model is easiest to describe as enterprise software subscriptions wrapped around a unified AI and data-security platform. The company's current product pages position one platform spanning DSPM, DLP, insider risk management, and AI security, with data lineage as the common control layer. That architecture matters financially because it supports land-and-expand selling: Cyberhaven can start from data detection and response, then add adjacent modules such as DSPM or AI-security controls as customer requirements broaden. The Microsoft marketplace listing reinforces the same bundle thesis by describing a unified offer that protects data across cloud, endpoints, and removable media while also integrating with tools such as Microsoft Purview and Salesforce. Commercially, Cyberhaven is not running a transparent self-serve SaaS motion. The official website routes buyers to a request-demo path and a free on-demand demo instead of publishing list prices. Third-party pricing pages and AWS private-offer documentation point in the same direction: pricing appears to be subscription based, usually tied to deployment scope such as endpoints or data volume, and then negotiated through enterprise contracts, volume discounts, or marketplace private offers. That means the public record supports pricing mechanics, but not realized pricing, discounting discipline, or module-level revenue mix. GTM breadth is improving. Cyberhaven says it is channel-first, operates reseller / tech / integration partner programs, and as of April 2026 can transact through AWS, Azure, and Google Cloud marketplaces using existing cloud commitments. Those procurement options likely shorten enterprise approvals and expand routes to revenue, especially for buyers already budgeting through hyperscaler commitments. Still, none of the retained sources disclose contract duration, renewal rates, implementation services mix, or how much of bookings come from direct sales versus partners versus marketplaces. [CI001, CI002, CI003, CI004, CI005, CI006]

4.2 Public traction signals and what they imply for unit economics

Public traction signals are directionally strong even though classical SaaS efficiency metrics remain undisclosed. Cyberhaven's June 2024 Series C announcement said the company had 200 percent growth in new bookings, and its February 2026 business-results release said the fiscal year ended January 31, 2026 delivered record growth in revenue, customers, and platform adoption, including triple-digit growth over the prior year and customer growth above 50 percent. The same release also said customers include four of the top five companies on Forbes' AI 50 list and some of the top five North American banks, alongside other regulated institutions and law firms. Those disclosures support the idea that Cyberhaven is moving upmarket into larger, more compliance-sensitive enterprises. Customer proof also suggests the product can generate measurable operational value. Cyberhaven highlights a 200 percent improvement in time-to-resolution and an 80 percent reduction in risky behavior after enabling real-time user coaching. The request-demo and partner materials add management claims that the platform reduces alert noise, lowers program cost, and lowers total cost of ownership by consolidating tools. These are not substitutes for CAC, payback, gross retention, or NRR, but they do suggest why Cyberhaven can pursue a premium enterprise motion rather than a volume-led commodity-security motion. The hardest public-number question is scale. Independent data vendors disagree: Datanyze and ZoomInfo both show roughly $64.9 million of revenue, while Growjo estimates roughly $52.4 million. Those figures are plausible enough to frame a public estimate range, but they are not company-filed and should not be treated as underwriteable revenue. Taken together, the strongest unit-economics read is qualitative: Cyberhaven appears to have strong enterprise demand, rising sales velocity, and meaningful product ROI signals, but the public record still lacks direct evidence on CAC, payback, gross margin, and renewal quality. [CI008, CI009, CI010, CI011, CI012, CI013]

4.3 Capital adequacy, financing dependency, and diligence blockers

The cleanest capital-adequacy fact in the public record is the April 2025 Series D. Cyberhaven said the round brought in $100 million, lifted total funding to $250 million, and valued the company at $1 billion. Management also said the proceeds would support M&A, organic product innovation, and aggressive go-to-market investment. That combination usually implies an offensive use-of-funds plan rather than a defensive bridge round: Cyberhaven appears to be financing platform expansion and distribution growth at the same time. The February 2026 results release, plus marketplace expansion in April 2026, suggests management kept investing after the raise rather than slowing down. That said, the company remains difficult to underwrite from public data alone. No retained public source disclosed cash on hand, monthly burn, runway, debt balances, covenant terms, project-finance obligations, or a next-round trigger. The North Carolina Secretary of State filing page shows regular annual-report compliance, including a 2026 filing tied to fiscal date 2026-01-31, but it does not provide the operating financial statements that a public-company filing would. The SEC EDGAR search page is useful as a filing diligence path, yet no company-specific public financial filing was retained for Cyberhaven because it is still private. The practical verdict is that Cyberhaven likely has meaningful capital support and current demand, but financial quality still hinges on private diligence. The next diligence session should prioritize management-reported ARR or revenue, gross margin, sales efficiency, cash and burn, debt schedule, revenue-recognition policy, and channel / module mix. Without those items, an investor can defend a positive commercial-momentum view, but not a precise view of runway, capital intensity, or margin path. [CI016, CI018, CI019, CI020, CI021, CI022]

4.4 Exhibits

5.1 Product Definition and Platform Overview

Cyberhaven markets a unified AI & Data Security Platform that merges four historically separate product categories: Data Security Posture Management (DSPM), Data Loss Prevention (DLP), Insider Risk Management (IRM), and AI Security. In customer workflow terms, the platform sits between the enterprise data store and every exfiltration vector—email, browser, SaaS applications, removable storage, printing, and cloud—and intercepts risky data movement in real time. The business problem it addresses is that legacy DLP products inspect content at policy checkpoints without understanding data history, producing large volumes of false positives and missing context-dependent threats. Cyberhaven claims to reduce false positive alerts by 95% compared with other tools by adding lineage context to every decision. The product targets enterprises with high concentrations of valuable IP, regulated data, or active insider risk, evidenced by named customers in technology, finance, manufacturing, healthcare, and legal sectors. Pricing is not publicly disclosed and requires a direct sales engagement. Platform availability was expanded to AWS Marketplace, Azure Marketplace, and GCP Marketplace in April 2026, enabling customers to consume spend against existing cloud commitments. [CE001, CE002, CE003, CE004]

5.2 Module Architecture and Product Line Map

The platform comprises five interlinked modules. DSPM discovers and classifies data across cloud and endpoint environments and continuously monitors it as it moves between clouds and devices. DLP enforces real-time blocking and coaching across email, web, cloud, and devices using lineage-enriched policy decisions rather than pure content inspection. IRM combines data-movement signals with behavioral signals to detect insider threats and clarify intent, capturing slow-burn exfiltration patterns legacy tools miss. AI Security monitors shadow AI usage (ChatGPT, Google Gemini, Microsoft Copilot, and other AI tools), assesses AI risk posture, and prevents leaks to AI tools without blocking legitimate usage. Linea AI is the intelligence layer spanning all modules—it includes the Detection Agent (autonomously detecting risky activity using proprietary Large Lineage Models, or LLiM) and the Analyst Agent (launching deep investigations, gathering evidence, and delivering reports with next-steps). Each module is sold as part of the unified platform; individual module pricing or separate SKU availability is not publicly documented. The company announced a "Securing the Agentic AI Era" product launch on May 5, 2026, suggesting continued platform expansion into agentic AI governance, though specifics of that launch were not yet public as of the research date. [CE005, CE006, CE007, CE008, CE009, CE010]

5.3 Technology Architecture and Deployment Model

Cyberhaven uses three deployment modes to instrument data flows. First, an endpoint agent supports Windows, macOS, and Linux operating systems and intercepts file operations, USB transfers, printing, and application-level data movements at the OS level. Second, a browser extension (Chrome primary) monitors web-based data flows, SaaS application uploads, and AI tool interactions in the browser. This extension was the vector for the December 2024 supply-chain incident. Third, cloud API connectors integrate with SaaS platforms (Google Workspace, Microsoft 365) via API to capture cloud-resident data movements without requiring an endpoint. The backend infrastructure runs exclusively on Google Cloud Platform (GCP) in US data centers. Each customer runs a fully isolated instance with dedicated virtual compute, storage, and network resources; no shared processing occurs between customers. Microservices architecture built on least-privilege principles. All in-transit data between endpoint sensors and the backend is encrypted via TLS; inter-container traffic is also TLS over GCP VPN. The public REST API exposes three endpoints: /api/rest/v1/endpoints/list, /api/rest/v1/incidents/list, and /api/rest/v1/audit-log/dataflow/list, all authenticated via temporary bearer tokens derived from an API key. The edm-cli Python CLI on GitHub (CyberhavenInc/edm-cli) allows programmatic management of Exact Data Match (EDM) databases using hashed fingerprints (SpookyHash V2 + SHA256). Cyberhaven also maintains a GitHub organization (CyberhavenInc) with public repos including api2 (Go HTTP API library), cel2sql (CEL-to-SQL converter), and protoc-gen-grpc-gateway-ts (gRPC gateway TypeScript generator), indicating an internal stack using Go, gRPC, and TypeScript. [CE011, CE012, CE013, CE014, CE015, CE016]

5.4 Differentiation and Proprietary Technology

Cyberhaven's stated differentiation is its data lineage engine, which maps the complete journey of data from creation through every copy, transformation, rename, email attachment, upload, and fragmentation event. This lineage graph is what powers context-aware policy decisions: a file that originated as an internal trade secret is treated differently from a publicly sourced file with the same content, enabling accurate blocking with fewer false positives. The Large Lineage Model (LLiM) is described as a purpose-built AI model trained on lineage graph data rather than general text, making it proprietary to the company's specific architecture. The company claims the LLiM enables predictive risk detection (identifying risky patterns before a policy violation occurs). No patent filings for these techniques were confirmed in the public record; the company has not disclosed a patent portfolio. EDM (Exact Data Match) capability allows enterprises to fingerprint specific sensitive datasets (structured data, source code) and track them precisely, reducing false positives from regex-based approaches. Independent review data corroborates differentiation claims: PeerSpot mindshare in DLP grew from 1.5% to 2.3% year-over-year, Gartner Peer Insights showed 4.6/5 from 48 reviews, G2 showed 4.5/5 from 18 reviews, and FeaturedCustomers showed 17 testimonials and 1 case study. Motorola reported 90% reduction in false positives, 98% reduction in investigation time, and 90% reduction in risky events after deploying Cyberhaven. [CE019, CE020, CE021, CE022, CE023, CE024]

5.5 Trust, Security, Compliance, and Quality Controls

Cyberhaven's Trust Center (trust.cyberhaven.com, powered by SafeBase) lists four compliance frameworks: CCPA, GDPR, PCI DSS v4.0.1, and SOC 2 Type 2 (with a SOC-2 Bridge Letter valid through January 2026). Application penetration testing, cyber insurance, and subprocessor listing are available to customers on request. The security policy describes GCP-hosted customer-isolated instances, TLS-encrypted data in transit, at-rest encryption via GCP key management, and 24/7 MDR monitoring with Google Security Command Center for Kubernetes-native security. Authentication options include Google SSO (OAuth2), password with mandatory 2FA, and SAML 2.0. RBAC supports regular users and administrators. Code deployment requires peer review plus security audit by at least one additional engineer. Annual OWASP Top 10 secure code training is required for developers. The company reports an A+ rating on Qualys SSL Labs. The December 2024 Chrome extension incident (malicious version 24.10.4 affecting ~400,000 users) demonstrated that the extension distribution channel carries supply-chain risk independent of the GCP backend. Mandiant was engaged for incident response; federal law enforcement was notified. The company published a clean version (24.10.5) within 24 hours. As of the research date, no litigation, SEC enforcement actions, or regulatory fines arising from the incident had been publicly disclosed. [CE025, CE026, CE027, CE028, CE029, CE030]

5.6 Exhibits

6.1 Customer Base and Segmentation

Cyberhaven serves large enterprises across six industry verticals: Technology/SaaS, Manufacturing, Legal/Professional Services, Financial Services, Healthcare, and Government/Defense. Named customers confirmed via press coverage and case studies include Snowflake, Motorola, Canon, Reddit, AmeriHealth, Cooley, IVP, Navan, DBS, Upstart, Kirkland & Ellis, Iron Mountain, DARPA, and IDA — 14 organizations in total. All are large enterprises with more than 1,000 employees; there is no evidence of SMB or mid-market customers. The website explicitly segments industry marketing into five named verticals: Technology/SaaS, Manufacturing, Law Firms, Investment Management, and Healthcare, confirming a deliberate vertical go-to-market strategy rather than horizontal generalist positioning. Geography is predominantly US-based (12 of 14 named customers are US-headquartered), with at least one Asian financial institution (DBS, Singapore) demonstrating early international expansion. [CU001, CU002, CU015, CU016, CU029, CU036]

6.2 Named Customer Proof and Outcomes

Motorola is the most detailed public reference. CISO Richard Rushing credits Cyberhaven with a 90% reduction in DLP false positives, a 98% reduction in investigation time per incident, and a 50% increase in actionable security alerts. These metrics reflect the core product claim: that data lineage context radically reduces false positives compared with content-inspection-only DLP tools. Navan (formerly TripActions), the corporate travel and expense SaaS platform, deployed Cyberhaven for financial and employee data protection, with VP of Security PK Karanth as a named reference. Iron Mountain uses Cyberhaven to monitor data flows across its global records management and cloud storage infrastructure. FeaturedCustomers records 17 verified testimonials and one case study, with a 4.8/5 composite score from 953 reference ratings. DARPA and the Institute for Defense Analyses (IDA) are customers cited by FeaturedCustomers, confirming federal government penetration. Approximately 400,000 corporate users were exposed to the December 2024 malicious extension, providing a lower-bound estimate of end-user deployment scale across the enterprise customer base. [CU003, CU004, CU005, CU006, CU007, CU008]

6.3 Customer Satisfaction and Review Scores

Cyberhaven earns consistently high review scores across independent platforms. On Gartner Peer Insights, the platform holds 4.6/5 from 48 verified enterprise reviews, ranking above most legacy DLP vendors (Symantec ~3.8, Forcepoint ~3.9, Microsoft Purview ~4.0). FeaturedCustomers reports a 4.8/5 composite from 953 reference ratings. G2 shows 4.5/5 from 18 reviews (2021 snapshot; likely higher currently). PeerSpot DLP mindshare grew from approximately 1.5% to 2.3% between 2024 and May 2026, reflecting organic review accumulation. Qualitative review themes consistently cite: real-time data flow visibility, reduced false-positive burden, fast deployment via MDM and Google Workspace admin, and improved investigation speed as top strengths. Common criticism points include limited on-premises deployment options and SIEM integration depth. [CU017, CU018, CU019, CU020, CU021, CU030]

6.4 Retention, Expansion, and Concentration Risk

Cyberhaven does not publicly disclose NRR, GRR, or customer churn metrics. No customer churn was publicly reported following the December 2024 Chrome extension incident, despite approximately 400,000 corporate users being affected. Cyberhaven's response — engaging Mandiant, publishing a clean extension within 24 hours, and proactively notifying customers — appears to have contained retention damage. Expansion dynamics follow a land-and-expand model: initial DLP deployments expand to DSPM, Insider Risk Management (IRM), and AI Security modules as security programs mature. Cyberhaven added AWS, Azure, and GCP marketplace availability in April 2026, expanding enterprise procurement channels for cloud-committed buyers. Customer concentration risk is observable: Motorola is the only reference with fully quantified outcomes, and 14 publicly named accounts is a limited disclosure base relative to companies at comparable $1B valuations. Top-customer revenue concentration is unverifiable; typical enterprise security companies at this stage have 100–500 customers. [CU027, CU028, CU032, CU033, CU034, CU038]

6.5 Awards, Analyst Recognition, and Competitive Positioning

Cyberhaven has accumulated meaningful third-party validation. Gartner named it a Cool Vendor in Data Security. The 2025 Deloitte Technology Fast 500 placed it among the fastest-growing technology companies in North America by revenue growth rate. Fortune included Cyberhaven in its 2025 Cyber 60 list. Redpoint Ventures named it to the InfraRed 100 infrastructure security list for three consecutive years. Cyberhaven achieved Black Unicorn status in 2024 and crossed $1B valuation in April 2025. PeerSpot mindshare increased from 1.5% to 2.3% (May 2026), the highest growth rate among emerging DLP vendors tracked. Competitors Symantec, Forcepoint, and Microsoft DLP receive lower Gartner Peer Insights scores (3.8–4.1) than Cyberhaven's 4.6, though each commands a significantly larger installed base. [CU022, CU023, CU024, CU025, CU035, CU040]

6.6 Exhibits

7.1 Regulatory and Legal Risk

Cyberhaven operates in one of the most heavily regulated data-handling categories: software that inspects, intercepts, and logs employee and enterprise data flows across endpoints, cloud services, and network channels. This triggers obligations under GDPR (EU 2016/679), CCPA/CPRA (California), PCI DSS v4.0.1, HIPAA where customers are covered entities, and the FTC broad data-security authority under Section 5 of the FTC Act. The 2023 SEC cybersecurity disclosure rules impose material-incident reporting obligations on Cyberhaven enterprise customers, creating indirect pressure on Cyberhaven to deliver rapid documented breach responses, a capability tested in December 2024. GDPR Article 28 processor obligations and Article 32 security requirements apply wherever Cyberhaven processes personal data of EU data subjects. Customers in regulated industries such as finance, healthcare, and legal pass downstream compliance requirements to Cyberhaven via data processing agreements. Non-compliance by Cyberhaven could expose customers to supervisory authority enforcement, triggering contract terminations and reputational harm extending beyond any direct fine. GDPR Article 83(5) fines can reach the greater of EUR 20M or 4 percent of global annual turnover for the most serious violations. The December 2024 Chrome extension compromise (v24.10.4) triggered at least one class-action lawsuit documented by TopClassActions, citing exposure of OAuth credentials for approximately 400,000 corporate users. The litigation risk is material: settlement costs, litigation expenses, and adverse publicity could impair sales cycles and renewal rates. IP risk is moderate because Cyberhaven holds patents on data-lineage tracking, but the novelty window narrows as incumbents such as Symantec and Microsoft Purview incorporate lineage features. [CR001, CR002, CR003, CR004, CR005, CR006]

7.2 Operational and Security Risk

The primary operational risk is architectural: Cyberhaven endpoint coverage depends on a Chrome browser extension, a distribution channel that bypassed traditional endpoint security controls in December 2024 when attackers compromised a developer OAuth token and pushed a malicious version (v24.10.4) to the Chrome Web Store. The extension was live for roughly 24 hours before Cyberhaven released the clean v24.10.5 and engaged Mandiant for forensic investigation. The episode exposed the fundamental fragility of browser-extension supply chains: a single compromised developer credential can reach every deployed instance without per-customer approval workflows. Google Chrome holds approximately 65 percent global browser market share, making it the rational primary channel for enterprise DLP agents, but creating platform dependency. Chrome Manifest v3 migration changed API availability, and future policy shifts could restrict the depth of network interception available to extensions. Cyberhaven offers a separate network DLP agent installed via MDM that partially mitigates extension-only risk, but this agent is not universally deployed across all customers. GCP single-cloud dependency introduces concentration risk: a regional GCP outage or pricing renegotiation constrains flexibility. Infrastructure is deployed in US GCP regions with per-customer isolated instances, a design that limits blast radius but increases operational overhead. DevOps key-person risk is moderate, as the engineering team of approximately 350 employees carries specialised data-lineage graph expertise that is difficult to replace quickly. Attrition of key data science or infrastructure engineers would slow the roadmap. [CR009, CR010, CR011, CR012, CR013, CR014]

7.3 Partner and Dependency Risk

Cyberhaven go-to-market relies on a direct enterprise sales force with limited channel or partner leverage at current scale. This creates dependency on a small sales team and limits geographic expansion speed. Partnerships with MSSPs and SIs are nascent; competitors Symantec and Forcepoint have decades-old MSSP relationships that drive renewal revenue without direct sales effort. Supply-chain exposure extends beyond the December 2024 extension incident. Cyberhaven relies on third-party OAuth providers, the Chrome Web Store publishing pipeline, and upstream GCP infrastructure. Each represents a distinct failure mode: OAuth token compromise as occurred in 2024, Chrome Web Store review delays blocking emergency patches, or a GCP service disruption degrading product availability. The Chrome extension supply-chain attack affected approximately 35 extensions beyond Cyberhaven, indicating a systemic industry threat rather than a targeted attack, but Cyberhaven bore disproportionate reputational exposure as the largest affected vendor by user count. Capital provider dependency is currently low: the $100M Series D (April 2025) provides approximately 18 to 24 months of runway at assumed burn rates, reducing near-term financing risk. However, StepStone Group and Schroders Capital are financial investors with limited disclosed operational support capability in enterprise SaaS. A down-round scenario triggered by competitive displacement or regulatory sanctions would materially impair employee retention through underwater options and reduce customer confidence. [CR017, CR018, CR019, CR020, CR021, CR022]

7.4 People and Execution Risk

Cyberhaven was founded in 2016 by Howard Hua, Georgy Gritschuk, and Volodymyr Kuznetsov. The data-lineage graph concept is technically differentiated, but execution depends on retaining the core engineering team that built this architecture. A startup at this stage typically sees meaningful churn risk among senior engineers as equity vests; the Series D at a $1B valuation provides some liquidity optionality but also means early-stage option holders face a higher exit bar before meaningful proceeds. Sales execution risk is significant: Cyberhaven total raise of $250M and estimated ARR near $100M implies a capital-efficient growth trajectory, but penetrating Fortune 500 accounts requires experienced enterprise sellers capable of navigating DLP displacement deals. DLP replacement sales are long, typically 12 to 18 months, require legal and security-team sign-off, and face entrenched inertia from incumbents. If Cyberhaven cannot hire and retain quota-carrying enterprise AEs at pace, growth could stall before the company reaches a sustainable scale for an IPO. Executive team depth beyond the founding trio is publicly thin. The CISO role, head of customer success, and CFO function are not prominently disclosed, creating opacity around financial controls and scaling readiness. The December 2024 incident handling, including CEO transparency, rapid patch deployment, and Mandiant engagement, was operationally strong, but repeat incidents without equivalent response quality would be severely damaging to enterprise customer trust and ongoing regulatory posture. [CR025, CR026, CR027, CR028, CR029, CR030]

7.5 Financial Risk and Thesis-Break Triggers

Financial risk centres on burn rate opacity and competitive pricing pressure. Cyberhaven has raised $250M total with approximately $100M ARR estimated from public sources; without audited financials the gross margin, NRR, and LTV/CAC ratios are unverifiable. DLP markets are experiencing price compression from Microsoft Purview bundled with M365 E5 at marginal cost, and from Symantec deeply discounting on renewal. Cyberhaven premium pricing faces displacement if Microsoft embeds comparable data-lineage capabilities into its native tooling. Key mitigations in place include SOC 2 Type 2 certification with a Bridge Letter issued January 2026, PCI DSS v4.0.1 compliance, per-customer isolated GCP instances, Chrome extension code-signing improvements post-December 2024, and a documented incident response playbook. These reduce operational risk but do not eliminate regulatory or litigation exposure from the 2024 incident. Five thesis-break triggers warrant diligence tracking. First, a second material security incident within 18 months would likely trigger enterprise churns and regulatory investigations. Second, Google restricting Manifest v3 APIs in ways that cripple the extension deep content inspection would require a multi-year agent architecture redesign. Third, Microsoft embedding production-grade AI data lineage into Purview E5 would undercut Cyberhaven premium positioning. Fourth, a class-action settlement or regulatory fine exceeding $30M would consume meaningful Series D runway and might necessitate a distressed financing round. Fifth, failure to achieve SOC 2-equivalent EU certification such as ISAE 3000 or BSI C5 would block regulated EU enterprise expansion. [CR031, CR032, CR033, CR034, CR035, CR036]

7.6 Exhibits

8.1 Investment Thesis and Anti-Thesis

The investment thesis rests on three pillars: (1) category leadership in AI-native data lineage DLP, a differentiated approach that incumbents have not yet replicated at production scale; (2) demonstrable enterprise traction with 14+ named Fortune 500 accounts and third-party validation scores (Gartner 4.6/5, FeaturedCustomers 4.8/5); and (3) a $1B valuation entry that represents a reasonable 10x ARR multiple for a company growing at estimated high-double-digit rates with expanding market tailwinds from AI-driven data proliferation and tightening regulatory compliance requirements. The anti-thesis centres on four material risks. First, the December 2024 Chrome extension supply-chain compromise is an unresolved reputational event with ongoing class-action litigation and unknown regulatory investigation status. Second, Microsoft Purview's incumbent position (bundled with M365 E5 at near-zero marginal cost) represents a sustained pricing threat that could commoditise the DLP market. Third, Cyberhaven's financial metrics (NRR, gross margin, churn) are entirely opaque, making it impossible to validate the assumed growth and retention profile from public sources. Fourth, the product's dependency on the Chrome extension architecture introduces a structurally recurring supply-chain attack surface unless Cyberhaven migrates to a kernel-level or MDM-deployed agent model. The thesis is balanced by Cyberhaven's demonstrated incident-response capability in December 2024 (24-hour patch, Mandiant engagement, CEO transparency), its growing mindshare (2.3% on PeerSpot, up from 1.5%), and the April 2025 Series D valuation reset occurring after the incident, suggesting investor confidence absorbed the 2024 event and priced it in. [CV001, CV002, CV003, CV004, CV005, CV006]

8.2 Comparable Valuation Analysis

Cyberhaven's $1B valuation at an estimated $100M ARR implies a 10x ARR multiple and approximately 9-10x NTM revenue multiple (assuming 30-40% growth). This compares favourably to the public comparable set. CrowdStrike (CRWD) reported FY25 ARR of $4.24B growing at 23%, trading at approximately 29x NTM P/S and 12x ARR; its premium reflects its dominant position and multiple-product platform. Palo Alto Networks (PANW) achieved next-generation security ARR of $5.6B growing 32%, trading at approximately 14x NTM P/S with greater scale. Zscaler (ZS) reported Q3 FY25 ARR of approximately $2.9B growing 23%, trading at approximately 9x NTM P/S. Rubrik (RBRK) reported FY25 ARR of $1.09B growing 39%, trading at approximately 9x NTM P/S with a $8B+ market cap. Private market transactions in enterprise security SaaS at Cyberhaven's stage typically carry 8-15x ARR multiples for companies with confirmed ARR above $80M and NRR above 110%. Cyberhaven's 10x ARR multiple sits in the middle of this range, but is only supportable if NRR is confirmed above 100% and gross margin above 70%. Without audited financials, the 10x multiple carries meaningful uncertainty premium; confirmed unit economics could justify expansion to 12-15x ARR in a bull scenario. The DLP market total addressable market is estimated by Grand View Research at $5.7B in 2024 growing to $7.1B by 2030 (CAGR 3.7%) for pure-play DLP, while MarketsAndMarkets projects the broader data security market at $21.1B growing to $34.4B by 2029 (CAGR 10.3%). Cyberhaven's AI-native data lineage approach targets the broader data security market rather than legacy DLP-only, supporting a higher TAM frame. [CV009, CV010, CV011, CV012, CV013, CV014]

8.3 Bull / Base / Bear Scenarios

The bull scenario assumes Cyberhaven continues growing ARR at 50-60% annually through 2028, reaching $400-600M ARR. In this scenario, Microsoft fails to deliver a competitive data-lineage DLP product, no major security incident occurs, NRR stays above 120%, and Cyberhaven expands internationally into EU and APAC regulated enterprises. At 8-12x ARR, this implies a $3.2B-$7.2B valuation in 2028, representing a 3-7x return from the $1B Series D valuation. Exit paths include IPO (if ARR reaches $400M+ with demonstrated margins) or strategic acquisition by Palo Alto Networks, CrowdStrike, or Microsoft. The base scenario assumes 30-40% annual ARR growth to $200-300M by 2028, with NRR around 110%, gross margins around 75%, and a successful but costly resolution of the class-action litigation (below $15M settlement). At 5-7x ARR, this implies a $1B-$2.1B valuation range, representing a 1-2x return from current entry. This scenario requires Microsoft Purview to remain a weaker competitor and no second material security incident. The bear scenario is triggered by a second major Chrome extension compromise, a GDPR/FTC enforcement action, or Microsoft shipping data-lineage features in Purview E5. In this scenario ARR growth stalls at 10-20% annually, reaching only $120-150M by 2028. Enterprise churns begin and NRR drops below 100%. At 3-5x ARR, valuation would be $360M-$750M, well below the $1B Series D entry, implying a down-round and significant capital impairment. [CV017, CV018, CV019, CV020, CV021, CV022]

8.4 Financing Context and Dilution Analysis

Cyberhaven has raised $250M total across multiple rounds, with the April 2025 Series D being $100M at a $1B post-money valuation. This implies the Series D represents approximately 10% dilution (pre-money $900M, round $100M). Earlier rounds are not publicly disclosed in detail, but total funding suggests multiple prior institutional rounds; cumulative dilution from seed to Series D typically runs 60-70% for companies at this stage, implying founders and early employees may hold 30-40% of a $1B valuation. Preference stack analysis: at $1B valuation with $250M total raised, liquidation preference coverage is approximately 4x (250/1000 = 25% of valuation). In a down-round exit at $500M, preferred investors would receive approximately $125-187M (50-75% of exit proceeds depending on participation rights), creating meaningful dilution for common stockholders and early employees. This preference overhang increases the urgency of a $1B+ exit for employee retention and morale. Series D investors (StepStone Group, Schroders Capital, Industry Ventures) are financial investors without disclosed strategic acquirer relationships, limiting the probability of near-term M&A at premium valuations. An IPO at $400M+ ARR (likely 2028-2030) is the primary exit path, assuming continued growth and absence of material adverse events. [CV025, CV026, CV027, CV028, CV029, CV030]

8.5 Recommendation, Exit Readiness, and Final Diligence Asks

Recommendation: Conditional Explore with High Evidence Requirements. Cyberhaven represents a compelling category leader in AI-native data lineage DLP with a differentiated product, strong customer validation, and momentum into the agentic AI security wave. The $1B Series D entry is defensible if confirmed ARR growth and unit economics support the thesis. However, three conditions must be satisfied before investment: (1) obtain audited or board-verified financial statements showing NRR above 105% and gross margin above 70%; (2) obtain legal privilege-protected assessment of the class-action litigation with maximum quantified exposure below $20M; and (3) obtain engineering management confirmation that post-incident OAuth hardening and code-signing improvements materially reduce the probability of a repeat Chrome extension compromise. Exit readiness is currently Medium. Cyberhaven has the customer names and growth trajectory for an IPO storyline, but lacks the financial transparency (audited statements, CFO profile) that public markets require. A 2028-2030 IPO window is plausible if the company doubles ARR twice more from the current estimated $100M base. Strategic acquisition by CrowdStrike or Palo Alto Networks remains a plausible exit at $200-500M ARR if either company wants to add AI data-lineage DLP to its platform portfolio. Microsoft as acquirer is theoretically possible but unlikely given Microsoft's own Purview investment. The five final diligence asks are: NRR and gross margin disclosure; litigation exposure cap from legal counsel; OAuth/extension architecture security assessment; GCP infrastructure and uptime documentation; and customer ARR concentration (top 5 and top 10 customer share). [CV031, CV032, CV033, CV034, CV035, CV036]

8.6 Exhibits